How to create a process to ensure you capture products in or out of scope for the PSTI Act
By following this business process, organisations can systematically assess whether their products fall within the scope of the PSTI Act and take the actions needed to comply with the relevant security requirements and regulations.
Initial Product Assessment:
Gather information about the product and its capabilities.
Determine if the product falls within the scope of the PSTI Act based on the following criteria:
Determine if the product is internet-connectable or network-connectable.
Assess if the product can send and receive data through electrical or electromagnetic transmission.
Identify if the product can connect directly to an internet-connectable product using an internet protocol suite communication protocol.
Determine if the product can connect directly to two or more products simultaneously using a non-internet protocol suite communication protocol.
Check if the product only connects to one device using a protocol that does not belong to the internet protocol suite.
Classification Decision:
Classify the product based on the assessment results into one of the following categories:
In scope for the PSTI Act: Products that meet the criteria outlined in the PSTI Act and require compliance with security requirements.
Out of scope for the PSTI Act: Products that do not meet the criteria outlined in the PSTI Act and are exempt from compliance requirements.
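To make the Initial Product Assessment and Classification Decision repeatable, here is an added Python example (not from the original page) that records the criteria above for each product and derives the classification together with a written rationale. The record type, its field names and the sample products are this example's own constructions; the way the criteria combine follows the Act's definitions of internet-connectable and network-connectable products (Conditions A and B), which the list above condenses, so the non-IP route also requires a direct connection to an internet-connectable product.

```python
from dataclasses import dataclass

# Constructed assessment record for one product; the field names are this
# example's own and mirror the criteria gathered in the Initial Product Assessment.
@dataclass(frozen=True)
class ProductAssessment:
    name: str
    internet_connectable: bool               # connects to the internet via an IP-suite protocol
    sends_and_receives_data: bool            # both sends and receives by electrical/electromagnetic transmission
    ip_direct_to_internet_product: bool      # direct IP-suite link to an internet-connectable product
    non_ip_two_or_more_at_once: bool         # non-IP link to two or more products simultaneously
    non_ip_direct_to_internet_product: bool  # non-IP link to an internet-connectable product (Act, Condition B)


def classify(p: ProductAssessment) -> tuple[str, list[str]]:
    """Apply the scope criteria in order and return (decision, rationale)."""
    rationale = []
    if p.internet_connectable:
        rationale.append("internet-connectable: connects to the internet using an IP-suite protocol")
        return "in scope", rationale
    rationale.append("not internet-connectable")
    if not p.sends_and_receives_data:
        rationale.append("cannot both send and receive data by electrical/electromagnetic transmission")
        return "out of scope", rationale
    if p.ip_direct_to_internet_product:
        rationale.append("network-connectable (Condition A): direct IP-suite connection to an internet-connectable product")
        return "in scope", rationale
    if p.non_ip_two_or_more_at_once and p.non_ip_direct_to_internet_product:
        rationale.append("network-connectable (Condition B): non-IP connection to two or more products at once "
                         "and to an internet-connectable product")
        return "in scope", rationale
    rationale.append("only a non-IP connection to a single device, or no link to an internet-connectable product")
    return "out of scope", rationale


def assessment_report(products: list[ProductAssessment]) -> list[dict]:
    """Build the per-product record kept under Documentation and Reporting."""
    report = []
    for p in products:
        decision, rationale = classify(p)
        report.append({"product": p.name, "classification": decision, "rationale": rationale})
    return report


# Constructed sample products, not real assessments.
WIFI_CAMERA = ProductAssessment("Wi-Fi camera", True, True, True, False, False)
ZIGBEE_BULB = ProductAssessment("Zigbee bulb", False, True, False, True, True)            # mesh peers plus a hub
BLE_HEART_STRAP = ProductAssessment("BLE heart-rate strap", False, True, False, False, True)  # pairs with one phone
TX_ONLY_SENSOR = ProductAssessment("433 MHz transmit-only sensor", False, False, False, False, False)

if __name__ == "__main__":
    for row in assessment_report([WIFI_CAMERA, ZIGBEE_BULB, BLE_HEART_STRAP, TX_ONLY_SENSOR]):
        print(row["product"], "->", row["classification"], ";", "; ".join(row["rationale"]))
```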
Documentation and Reporting:
Document the assessment findings, including the criteria and the classification decision for each product.
Generate a report summarising the assessment results and the rationale behind the classification decision for each product.
Review and Approval:
Review the assessment findings and classification decisions with relevant stakeholders, such as compliance officers, legal advisors, and product managers.
Obtain approval for the classification decisions and any further actions required based on the assessment results.
Compliance Planning (if applicable):
For products classified as in scope for the PSTI Act, develop a compliance plan outlining the necessary security requirements and measures to ensure compliance with the PSTI Act.
Allocate resources and establish timelines for implementing the required security measures and achieving compliance.
Continuous Monitoring:
Implement a process for ongoing monitoring and review of products to ensure continued compliance with the PSTI Act.
Regularly reassess products to account for any changes in functionality, technology, or regulatory requirements that may affect their classification under the PSTI Act.
Documentation Retention:
Maintain detailed records of product assessments, classification decisions, compliance plans, and any related documentation for auditing and regulatory purposes.