The IT Policy of the Nepal Telecommunications Authority (NTA), 2080 (2023)
September 2023
Strategies and Action Plans
The IT Policy of the Nepal Telecommunications Authority (NTA), 2080 (2023) is a comprehensive framework that governs how information technology resources are to be used, protected, and managed within the organisation. It was adopted under Decision no. 5046 on 15 Shrawan 2080 (July/August 2023) and came into force immediately.
Objectives and scope
The policy’s primary aim is to ensure the confidentiality, integrity, and availability of NTA’s information systems and data. It applies to all members, employees, contractors, vendors, consultants, and any authorised users of NTA’s IT resources. It also establishes ethical and responsible usage while setting legal and technical safeguards in line with Nepal’s Data Protection Standards.
Key provisions
The policy is divided into thematic chapters:
- Acceptable use and prohibitions: All NTA proprietary data remains the sole property of the Authority. Unauthorised access, hacking, malware injection, intellectual property violations, and offensive use of technology are strictly prohibited.
- Domain and email rules: The official domain is nta.gov.np. Subdomains require approval, and a wildcard SSL certificate must protect all of them. Email accounts under this domain are divided into functional, personal, and group emails, with clear creation and usage procedures.
- User management and access control: User accounts follow the principle of least privilege and role-based access control. Accounts must be deactivated when no longer needed, and access to systems is logged and monitored. Remote access requires prior authorisation and cryptographic safeguards.
- Identification and authentication: Strong, unique passwords and multifactor authentication are mandated. Password reuse is prohibited, and password managers are encouraged.
- Hardware and software policies: Devices must meet NTA standards, be registered, and safely maintained. Software installation is restricted to an approved list, managed by the IT Division, and the use of pirated software is forbidden.
- Website and system development: Only authorised personnel may update or manage web content. The policy also integrates security considerations throughout system development and acquisition, including vendor risk management and security testing.
- Vendor management: Vendors must sign a Non-Disclosure Agreement (NDA), undergo regular risk assessments, and follow strict reporting and compliance rules. Contracts can be terminated if security or performance standards are not met.
- Physical and environmental safeguards: Physical access to IT facilities is controlled and monitored. Provisions cover visitor records, power backup, fire suppression, and water-damage prevention.
- Governance and training: An IT Coordination Committee oversees implementation, while mandatory awareness and training programs ensure that employees understand their responsibilities.
Annexes
The policy includes annexes with templates for incident reporting, records for subdomains and emails, and a standard Non-Disclosure Agreement for vendors.