NORS -- CSRIC Best Practices Result

1022 Best Practices are found.

Number Priority Description
9-5-0511 Highly Important Network Operators and Service Providers should provide training for their operations personnel on network-level troubleshooting.
9-5-0514 Highly Important When available, Network Operators and Service Providers should utilize a management system capability (e.g., CORBA, SNMP) providing a single interface with access to alarms and monitoring information from all critical network elements.
9-5-0524 Highly Important Network Operators and Service Providers should operate a route database. That database should provide the routing advertisement source from the Network Operator’s perspective. The database should be accessible by peers, customers and other users. The access can be via a web interface similar to the looking glass server’s or just telnet access. The database is informational only and cannot be used to affect or impact the actual routing table. The need to provide security and isolation to such a database is high.
9-5-0526 Highly Important Network Operators and Service Providers should operate a route registry database of all the routes advertised by their network with the source of that advertisement. This database might be used as the source for interface configurations as well as troubleshooting problems. If an entity decides to operate a central route registry for a region or globally, the individual Service Provider database can communicate with that central repository forming a robust and efficient hierarchical system.
9-5-0531 Highly Important Network Operators and Service Providers should require staff to use grounding straps when working with equipment where appropriate.
9-5-0540 Important Equipment Suppliers should share countermeasures resulting from analysis of an outage with Network Operators using the same equipment.
9-5-0620 Important Equipment Suppliers should endeavor to meet requirements outlined in the GR-63 01 Network Equipment-Building System (NEBS) Requirements for Power and Communication Cables (e.g., power, fire, temperature, humidity, vibration).
9-6-0761 Important Network Operators and Service Providers should conduct periodic verification of the office synchronization plan and the diversity of timing links, power feeds and alarms.
9-6-0763 Highly Important Service Providers implementing DNS servers in support of VoIP applications such as ENUM should provision those servers per the IETF Best Current Practices for operation of DNS nameservers: BCP 40 (RFC 2182) and BCP 16 (RFC 2870).
9-6-0764 Highly Important Network Operators and Service Providers implementing protocols for the transport of VoIP data on IP networks should implement congestion control mechanisms such as those described by RFC 2309, RFC 2914, and RFC 3155.
9-6-0767 Highly Important Service Providers implementing a SIP-signaled VoIP network should consider using media gateway controllers according to IETF RFC 3372 BCP 63, "Session Initiation Protocol for Telephones (SIP-T): Context and Architectures," in order to achieve interoperability with SS7/ISUP-signaled TDM voice networks.
9-6-0768 Highly Important Service Providers implementing a SIP-signaled VoIP network should consider using media gateway controllers that map ISUP-to-SIP and SIP-to-ISUP messages according to IETF RFC 3398, "Integrated Services Digital Network (ISDN) User Part (ISUP) to Session Initiation Protocol (SIP) Mapping" in order to achieve a consistent interpretation of ISUP-to-SIP messaging industrywide.
9-6-0769 Highly Important Service Providers implementing a BICC-signaled network should consider implementing ITU-T Recommendation Q.1912.5, “Interworking between Session Initiation Protocol (SIP) and Bearer Independent Call Control Protocol or ISDN User Part,” or 3GPP TS 29.163, “Interworking between the IP Multimedia (IM) Core Network (CN) subsystem and Circuit Switched (CS) networks,” to achieve interoperability between an SS7/ISUP-signaled TDM voice network and a SIP-signaled VoIP network.
9-6-0770 Highly Important Wireless Service Providers who have deployed IS-41 or GSM Mobility Application Part (MAP) signaling networks should consider implementing and using the network management controls of SS7 within their networks.
9-6-0810 Important Service Providers should make available meaningful information about expected performance with respect to upstream and downstream throughput and any limitations of the service; best effort services “up to” or unspecified bit rate services should be specified as such in a clearly identifiable manner.
9-6-1006 Highly Important Network Operators, Service Providers and Equipment Suppliers should consider establishing a designated Emergency Operations Center. This center should contain tools for coordination of service restoral including UPS, alternate means of communications, maps, and documented procedures to manage business interruptions and/or disasters.
9-6-1007 Highly Important Network Operators, Service Providers and Equipment Suppliers should consider establishing a geographically diverse back-up Emergency Operations Center.
9-6-1013 Important Service Providers, Network Operators and Equipment Suppliers should review their insurance requirements in order to maintain business continuity in the event of massive property damage or loss, incapacitation of senior officers, and other interruptive situations.
9-6-1016 Critical Network Operators and Service Providers should develop processes or plans to quickly account for all employees (e.g. field techs) in or near the impact area of a disaster.
9-6-1041 Highly Important Equipment Suppliers should consider providing a "Disaster Information Checklist" to all of the Service Providers they support. The checklist should provide a set of questions which the Service Provider would address immediately after a disaster and then promptly inform the Equipment Supplier to facilitate equipment delivery.
9-6-1043 Important Equipment Suppliers should consider, during their response to major disasters, editing the support "hotline" calling tree by adding a specific entry for disaster events.
9-6-1044 Important Equipment Suppliers should consider providing a "Disaster Recovery Services Checklist" to all of the Service Providers they support. The checklist would provide a listing of the Equipment Supplier's professional services which the Service Provider may require during an event.
9-6-1051 Important Network Operators and Service Providers should work with Equipment Suppliers and Government entities to identify criteria and procedures for handling network elements affected by nuclear attack or nuclear accidents (e.g., shock wave, Electro-magnetic Pulse (EMP), Thermal, Fallout, fiber darkening of phosphorus-based fiber cable).
9-6-3203 Important Service Providers should consider developing options that allow for call delivery from Emergency Notification Services to subscribers with call blocking/screening services in order to assist in the effectiveness of Emergency Notification Systems (Public Safety Mass Calling) and return calls from PSAPs.
9-6-5023 Important Network Operators, Service Providers and Equipment Suppliers should establish and enforce a policy that requires all individuals to properly display company identification (e.g., photo ID, visitor badge) while on company property. Individuals not properly displaying a badge should be challenged and/or reported to security.
9-6-5024 Highly Important Network Operators, Service Providers and Equipment Suppliers should include security as an integral part of the strategic business planning and decision making process to ensure that security risks are properly identified and appropriately mitigated.
9-6-5025 Important Network Operators, Service Providers and Equipment Suppliers should include security as an integral part of the merger, acquisition and divestiture process to ensure that security risks are proactively identified and appropriate plans are developed to facilitate the integration and migration of organizational functions (e.g., Due Diligence investigations, integration of policy and procedures).
9-6-5049 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should consider a strategy of using technology (e.g., access control, CCTV, sensor technology, person traps, turnstiles) to supplement the guard force.
9-6-5050 Important When guard services are utilized by Network Operators, Service Providers, Equipment Suppliers and Property Managers, a supervision plan should be established that requires supervisory checks for all posts.
9-6-5051 Important When guard services are utilized by Network Operators, Service Providers and Equipment Suppliers, consider establishing incentives and recognition programs to increase morale and reduce turnover.
9-6-5054 Important When guard services are utilized by Network Operators, Service Providers, Equipment Suppliers or Property Managers, a process should be developed to quickly disseminate information to all guard posts. This process should be documented and should clearly establish specific roles and responsibilities.
9-6-5055 Critical Network Operators, Service Providers and Equipment Suppliers should establish and maintain (or contract for) a 24/7 emergency call center for internal communications. Ensure staff at this center has access to all documentation pertinent to emergency response and up to date call lists to notify appropriate personnel. The number to this call center should be appropriately published so personnel know where to report information.
9-6-5069 Important For Network Operators' and Service Providers' collocation sites, the Property Manager should require all tenants to adhere to the security standards set for that site.
9-6-5081 Highly Important Equipment Suppliers should provide serial numbers on critical network components (e.g., circuit packs, field replaceable units).
9-6-5086 Important Equipment Suppliers should consider electronically encoding a unique identifier into non-volatile memory of critical elements (e.g., Field Replaceable Units, FRUs) for integrity and tracking.
9-6-5097 Highly Important Network Operators, Service Providers and Equipment Suppliers should establish and implement corporate security standards and requirements in consideration of the best practices of the communications industry (e.g., NRIC Best Practices).
9-6-5098 Important Network Operators, Service Providers and Equipment Suppliers should ensure that all network infrastructure equipment meets the minimum requirements of ANSI T1.319 (fire resistance).
9-6-5106 Important Equipment Suppliers should consider participating in and complying with an industry organization that develops standards in their security, logistics and transportation practices.
9-6-5119 Highly Important Equipment Suppliers of critical network elements should document the technical specifications of their electronic hardware, including characteristics such as tolerance limitations to electromagnetic energy, vibration, voltage spikes and temperature. Access to such documentation should be restricted to those having a need to know.
9-6-5142 Highly Important Network Operators, Service Providers and Equipment Suppliers should work together to deploy safeguards to protect the software (i.e. generic or upgrade releases) being loaded to network elements through assured communications protocols in order to prevent sabotage.
9-6-5143 Critical Network Operators and Service Providers (e.g., Satellite Operators) should maintain access to a back-up or secondary 'uplink site' to provide tracking, telemetry and control (T.T.&C.) support for all operational communications spacecraft. The back-up or secondary site must be geographically diverse from the primary uplink facility, active and tested on some regular schedule to ensure readiness and timely response.
9-6-5144 Important Network Operators should manage and maintain a current database of all satellite transmit and receive sites (i.e. uplink and downlink facilities) that are operational and/or support their services and networks. The database information should list location (i.e. street address, latitude and longitude), service provider and phone number, site manager contact and phone number, control point if remotely controlled, and equipment type used at the site.
9-6-5146 Highly Important Network Operators and Service Providers should develop and manage recovery plans to ensure the timely restoration of services in the event of transponder loss, satellite payload failure, and satellite failure.
9-6-5149 Important Network Operators, Service Providers and Equipment Suppliers should, where feasible, ensure that intentional emissions (e.g., RF and optical) from network equipment and transmission facilities are secured sufficiently to ensure that monitoring from outside the intended transmission path or beyond facility physical security boundaries cannot lead to the obtaining of critical network operations information.
9-6-5165 Highly Important Network Operators, Service Providers and Equipment Suppliers should ensure that teleworkers (e.g., remote software developers) have the equipment and support necessary to secure their computing platforms and systems to the equivalent level of those on-site. Security software, firewalls and locked file cabinets are all considerations.
9-6-5168 Important Equipment Suppliers should periodically review personnel background information and assess changes in personnel, departmental, or corporate environment as they affect the security posture of R&D and manufacturing areas and processes.
9-6-5169 Important Equipment Suppliers should establish and implement an information protection process to control and manage the distribution of critical R&D documentation and the revisions thereto (e.g., serialize physical and electronic documentation to maintain audit trails).
9-6-5170 Critical Network Operators, Service Providers and Equipment Suppliers should control or disable all administrative access ports (e.g., manufacturer) into R&D or production systems (e.g., remap access ports, require callback verification, add second level access gateway).
9-6-5171 Highly Important Equipment Suppliers should design network equipment to reduce the likelihood of malfunction due to failure of the connected devices (i.e. in order to reduce the potential for cascade failures).
9-6-5172 Highly Important Network Operators, Service Providers and Equipment Suppliers should not permit unsecured wireless access points for the distribution of data or operating system upgrades.
9-6-5173 Highly Important Network Operators and Equipment Suppliers should design wireless networks (e.g., terrestrial microwave, free-space optical, satellite, point-to-point, multi-point, mesh) to minimize the potential for interception.
9-6-5179 Important Network Operators, Service Providers and Equipment Suppliers should establish policies and procedures that mitigate workplace violence.
9-6-5185 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should ensure the inclusion of fire stair returns in their physical security designs. Further, they should ensure that there are no fire tower or stair re-entries into areas of critical infrastructure, where permitted by code.
9-6-5194 Highly Important Equipment Suppliers should design electronic hardware to minimize susceptibility to electrostatic discharge.
9-6-5195 Highly Important Equipment Suppliers should keep track of network product identification (e.g., circuit pack serial number), repair, modification and decommissioning records.
9-6-5210 Important Network Operators, Service Providers and Property Managers should discourage use of Emergency Power Off (EPO) switches between the primary battery supplies and the main power distribution board. EPO switches are not recommended for use in traditional -48V DC battery plants.
9-6-5235 Important Network Operators, Service Providers and Equipment Suppliers should ensure that impacted alarms and monitors associated with critical utility vaults are operational after a disaster event.
9-6-5239 Important Property Managers for multi-tenant facilities should maintain a crisis management plan for restoration following an incident.
9-6-5243 Important Network Operators, Service Providers and Equipment Suppliers should restrict visits and tours at the affected areas during the restoration period following a major incident.
9-6-5244 Important Network Operators, Service Providers and Equipment Suppliers should make all employees, contractors, and others with access to critical infrastructure during restoration aware of changes to security posture resulting from the incident, and increased vigilance should be encouraged.
9-6-5248 Highly Important Network Operators, Service Providers and Equipment Suppliers should perform risk assessment on significant network changes, both temporary and permanent, resulting from restoration efforts.
9-6-5249 Highly Important Network Operators should consider geographic separation of network redundancy during restoration, and address losses of redundancy and geographic separation following restoration.
9-6-5250 Highly Important Network Operators should consider intra-office diversity of all critical resources during restoration, and address losses of diversity following restoration.
9-6-5253 Highly Important Network Operators, Service Providers and Equipment Suppliers should use lessons learned from restoration efforts to update recovery plans for transponder loss, satellite payload failure and satellite failure.
9-6-5254 Important During restoration efforts, Network Operators and Service Providers should not permit unsecured wireless access points for the distribution of critical data or operating system upgrades.
9-6-5255 Important Network Operators, Service Providers and Equipment Suppliers should ensure that temporary wireless networks (e.g., terrestrial microwave, free-space optical, satellite, point-to-point, multi-point, mesh) used during an incident are subsequently disabled or secured.
9-6-5264 Highly Important Satellite Operators should maintain an alternate recovery facility that would duplicate operations and Tracking, Telemetry, Control and Monitoring (TTC&M). The alternate recovery facility should be geographically diverse from the primary facility, maintained and tested on a regular schedule to ensure readiness and timely response.
9-6-5265 Important Network Operators’, Service Providers’, Equipment Suppliers’ and Property Managers' senior management should actively support compliance with established corporate security policies and procedures.
9-6-5274 Highly Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should, in facilities using automated access control systems, install one mechanical lock to permit key override access to the space(s) secured by the access control system in the event the system fails in the locked mode. An appropriate procedure should be followed to track and control the keys.
9-6-8021 Important Switched Hubs for OAM&P Networks: In critical networks for Operations, Administration, Management, and Provisioning (OAM&P), Network Operators, Service Providers and Equipment Suppliers should use switched network hubs so that devices in promiscuous mode are less likely to be able to see/spoof all of the traffic on that network segment.
9-6-8023 Critical Scanning Operations, Administration, Management and Provisioning (OAM&P) Infrastructure: Network Operators and Service Providers should regularly scan infrastructure for vulnerabilities/exploitable conditions. Operators should understand the operating systems and applications deployed on their network and keep abreast of vulnerabilities, exploits, and patches.
9-6-8028 Critical Distribution of Encryption Keys: When Network Operators, Service Providers and Equipment Suppliers use an encryption technology in the securing of network equipment and transmission facilities, cryptographic keys must be distributed using a secure protocol that: a) Ensures the authenticity of the recipient, b) Does not depend upon secure transmission facilities, and c) Cannot be emulated by a non-trusted source.
9-6-8059 Highly Important Protect Cellular Data Channel: Network Operators and Service Providers should encourage the use of IPsec VPN, wireless TLS, or other end-to-end encryption services over the cellular/wireless network. Also, Network Operators should incorporate standards based data encryption services and ensure that such encryption services are enabled for end users. (Data encryption services are cellular/wireless technology specific).
9-6-8078 Highly Important Protect User IDs and Passwords During Network Transmission: Network Operators, Service Providers and Equipment Suppliers should not send user IDs and passwords in the clear, or send passwords and user IDs in the same message/packet.
9-6-8093 Critical Validate Source Addresses: Service Providers should validate the source address of all traffic sent from the customer for which they provide Internet access service and block any traffic that does not comply with expected source addresses. Service Providers typically assign customers addresses from their own address space, or if the customer has their own address space, the service provider can ask for these address ranges at provisioning. (Network Operators may not be able to comply with this practice on links to upstream/downstream providers or peering links, since the valid source address space is not known).
9-6-8102 Important Discourage Use of Personal Equipment for Corporate Activities: Network Operators, Service Providers and Equipment Suppliers should discourage the use of personal equipment for telecommuting, virtual office, remote administration, etc.
9-7-0404 Important Network Performance: Service Providers, Network Operators and Equipment Suppliers should incorporate methodologies that continually improve network or equipment performance.
9-7-0407 Highly Important NOC Communications: Network Operators and Service Providers should establish processes for NOC-to-NOC (Network Operations Center) peer communications for critical network activities (e.g., scheduled maintenance, upgrades and outages).
9-7-0408 Highly Important Ingress Filtering: Network Operators and Service Providers should, where feasible, implement RFC 3704 (IETF BCP84) ingress filtering.
9-7-0409 Highly Important Routing Resiliency: Service Providers should use virtual interfaces (i.e. a router loopback address) for routing protocols and network management to maintain connectivity to the network element in the presence of physical interface outages.
9-7-0410 Highly Important Security Services and Procedures: Network Operators and Service Providers should, as appropriate, review, understand, and implement "Internet Service Provider Security Services and Procedures" (RFC3013/BCP46).
9-7-0411 Highly Important Cable Management: Network Operators and Service Providers should consider developing and implementing cable labeling standards.
9-7-0419 Highly Important Capacity Management Systems: Service Providers should design and capacity-manage EMSs (Element Management Systems) and OSSs (Operational Support Systems) to accommodate changes in network element capacity.
9-7-0420 Highly Important Management Systems Performance: Network Operators should periodically measure EMS (Element Management System), NMS (Network Management System) and OSS (Operational Support System) performance and compare to a benchmark or applicable requirements to verify that performance objectives and expectations (e.g., internal performance criteria, system vendor specifications) are being met.
9-7-0421 Highly Important Fast Failover of Redundancies: Equipment Suppliers should design network elements intended for critical hardware and software recovery mechanisms to minimize restoration times.
9-7-0424 Important Electrical Safety Standards: Network Operators should identify and require applicable safety standards for network elements that they plan to purchase, procure or implement. Recognized standards should be used wherever possible, with specific requirements cited rather than statements such as UL Listed or NEC compliant.
9-7-0426 Highly Important Software Change Control: Equipment Suppliers should use software change control to manage changes to source material used in the production of their products.
9-7-0427 Highly Important Software Documentation: Equipment Suppliers should maintain software documentation including revision change history and associated release notes.
9-7-0429 Highly Important Crash Diagnostics: Equipment Suppliers should provide appropriate storage and retrieval mechanisms for diagnostics after a hardware or software crash.
9-7-0430 Highly Important Software Configurations: Equipment Suppliers should be able to recreate supported software from source and, where feasible, software obtained from third parties.
9-7-0431 Highly Important Capacity and Performance Data: Equipment Suppliers should provide capacity and performance data for network elements.
9-7-0432 Highly Important Standardized MIBs: Equipment Suppliers should support standardized MIBs (Management Information Bases) and maintain documentation of private and enterprise MIBs.
9-7-0433 Highly Important MIB Environment Variables: Equipment Suppliers should support, clearly define and document environmental variables in Management Information Bases (MIB).
9-7-0434 Important Employee Training: Network Operators, Service Providers, Equipment Suppliers and Property Managers should provide appropriate training and periodic refresher courses for their employees.
9-7-0435 Critical ID Network Reliability Functions: Network Operators, Service Providers, Equipment Suppliers and Property Managers should assess the functions of their organization and identify those critical to ensure network reliability.
9-7-0436 Highly Important Problem Handling Continuity: Service Providers should have a process to ensure smooth handling and clear ownership of problems that transition shifts or organizational boundaries.
9-7-0437 Highly Important Route Aggregation: Network Operators and Service Providers should aggregate routes where appropriate (e.g., singly-homed downstream networks) in order to minimize the size of the global routing table.
9-7-0438 Important CIDR Use: Network Operators and Service Providers should enable CIDR (Classless Inter-Domain Routing) by implementing classless route prefixes on routing elements.
9-7-0439 Critical BGP Authentication: Network Operators and Service Providers should authenticate BGP sessions (e.g., using TCP MD5) with their own customers and other providers.
9-7-0440 Highly Important Route Exchange Limits: Network Operators and Service Providers should set and periodically review situation-specific limits on numbers of routes imported from peers and customers in order to lessen the impact of misconfigurations.
9-7-0441 Highly Important Unicast RPF: Network Operators and Service Providers should, where feasible, implement Unicast RPF (Reverse Path Forwarding) to help minimize DoS attacks that use source address spoofing.
9-7-0448 Highly Important Equipment Suppliers should, where feasible, provide a memory management capability to reconfigure or expand memory without impacting stable calls or other critical processes (e.g., billing).
9-7-0450 Highly Important Property Managers should maintain current documentation that ensures that the tower loading is consistent with the engineering design (e.g., antenna loading, feedline loading, ice or wind loading).
9-7-0451 Highly Important Network Operators, Service Providers and Property Managers should conduct a periodic physical site audit to update and maintain accurate antenna and tower engineering documentation in order to positively identify every item on the tower structure (e.g., identifying rogue antennas).
9-7-0452 Highly Important Network Operators, Service Providers and Property Managers should post emergency contact number(s) and unique site identification in an externally visible location at unmanned communication facilities (e.g., towers, cell sites, Controlled Environment Vault (CEV), satellite earth stations). This signage should not reveal additional information about the facility, except when necessary.
9-7-0453 Important Network Operators and Service Providers should prepare for HVAC or cabinet fan failures by ensuring that conventional fans are available to cool heat-sensitive equipment, as appropriate.
9-7-0454 Highly Important Network Operators and Service Providers should consider establishing technical and managerial escalation policies and procedures based on the service impact, restoration progress and duration of the issue.
9-7-0455 Highly Important Equipment Suppliers should consider a program to remove cards or modules from circulation that have a history of failure even if tests indicate "No Trouble Found."
9-7-0457 Highly Important Network Operators and Service Providers should develop a process to identify RF dead spots and, where feasible, provide a solution to fill the dead spot with RF coverage.
9-7-0458 Highly Important Network Operators should verify, when a new cell site is added to the network, that calls hand off between cells.
9-7-0459 Highly Important Equipment Suppliers should design outdoor equipment (e.g., base station) to operate in expected environmental conditions (e.g., weather, earthquakes).
9-7-0460 Important Network Operators should ensure that equipment is installed in accordance with equipment suppliers' stated environmental specifications.
9-7-0461 Highly Important Equipment Suppliers should provide the capability to test failover routines of redundant network elements.
9-7-0462 Important Network Operators should work in conjunction with local municipalities to anticipate RF capacity needs driven by changes in vehicle traffic patterns or other demographics.
9-7-0463 Important Network Operators and Service Providers should consider establishing agreements so that mobile customers can roam on other providers' networks.
9-7-0464 Important Network Operators and local municipalities should cooperate on zoning issues that affect reliability of communication networks serving the public good (e.g., noise from emergency backup power generators, aesthetics of tower placement, public safety and health concerns).
9-7-0465 Important Network Operators should, during the initial design and periodic reviews of cell site coverage, account for the effects of environmental changes (e.g., new buildings, tree growth, construction materials) that result in attenuation, shadowing, and multipath.
9-7-0466 Highly Important Network Operators should, when planning network coverage, take into account link budget impacts due to propagation differences between various spectrum (e.g., 850 MHz vs. 1800/1900 MHz).
9-7-0467 Important Network Operators should give consideration to the degree of balance between RF channels on uplinks and downlinks, for both control and traffic.
9-7-0468 Important Network Operators and Property Managers should consider agreements to share in-building antenna infrastructure between multiple service providers in order to make it more feasible to deploy in-building systems.
9-7-0469 Important Network Operators and Property Managers should consider the use of cable support (e.g., H-Frames, Ice Bridges) in tower and shelter designs.
9-7-0470 Important Network Operators and Property Managers should consider tower and antenna designs that do not attract bird and animal nesting (e.g., no platforms, flush mounted panels, smooth radome).
9-7-0471 Important Network Operators and Property Managers should consider remote, electronic antenna aiming and utilize tower-mounted equipment that minimizes the need for tower top maintenance where conditions prevent climbs (e.g., osprey nest, weather conditions).
9-7-0473 Highly Important Property Managers should consider maintaining a list of authorized climbers and a log of authorized tower climbs.
9-7-0474 Important Network Operators and Property Managers should periodically perform grounds maintenance at cell site facilities (e.g., pest control, mow grass, fence maintenance, snow removal).
9-7-0475 Highly Important Network Operators and Property Managers should have agreements in place to ensure necessary and timely access to cell sites.
9-7-0477 Highly Important Network Operators, when designing cell sites with high voltage FAA beacons, should consider the potential of electromagnetic coupling into the receivers and, if present, take appropriate steps to mitigate the interference (e.g., squelch, physical separation, shielding).
9-7-0478 Important Network Operators, when designing cell sites, should allow for deviation in elevation angle and azimuth resulting from deflection of the supporting structure (e.g., sun, load distribution, wind).
9-7-0479 Highly Important Network Operators should take into consideration fundamental technology differences when operating multiple RF technologies in an existing system. Radio Frequency Interference (RFI) sources (e.g., intermodulation, out of band emissions, receiver overload), link budgets, and performance metrics (e.g., data rates, latency, capacity) should be evaluated.
9-7-0480 Highly Important Network Operators and Property Managers should periodically inspect antennas, waveguide, and ancillary hardware to ensure physical integrity and the absence of physical movement which can create intermittent and localized intermodulation interference generators (e.g., rusty joints) and/or alter predicted antenna radiation patterns (e.g., antennas swinging around in the wind) potentially creating interference.
9-7-0481 Important Network Operators and Property Managers should ensure appropriate spacing between all antennas at a cell site in order to avoid interference, intermodulation, or other detrimental effects.
9-7-0482 Highly Important Network Operators should utilize RF propagation and other modeling tools to analyze and optimize designs to avoid interference and improve network performance.
9-7-0483 Highly Important Network Operators should have a master cell site database with configuration parameters, connectivity, and performance statistics that can be used to analyze and audit cell site performance.
9-7-0484 Highly Important Network Operators should have a program (e.g., automated drive test equipment, network probes) to monitor and detect network performance anomalies.
9-7-0485 Important Network Operators should optimize cell sites, including relationships between neighboring cells, using a combination of drive testing and network statistics.
9-7-0486 Important Network Operators should have an ongoing RF performance improvement process to reduce blocks, drops, and access failures.
9-7-0487 Highly Important Network Operators should have procedures in place to identify and correct degradations in cell site performance resulting from defects in feedlines and antennas (e.g., moisture, bullets, kinking).
9-7-0488 Important Network Operators and Service Providers should ensure that critical wireless circuits (e.g., high priority cells, SS7 circuits, 911 circuits) are registered with Telecom Service Priority (TSP).
9-7-0489 Important Network Operators, Service Providers and Equipment Suppliers should consider provisions in labor contracts to provide for cooperation between union and non-union personnel during disaster recovery situations.
9-7-0490 Important Network Operators and Service Providers should consult National Fire Prevention Association Standards (e.g., NFPA 75 and 76) for guidance in the design of fire suppression systems. When zoning regulations require sprinkler systems, an exemption should be sought for the use of non-destructive systems.
9-7-0491 Critical Network Operators, Service Providers and Equipment Suppliers should, where programs exist, coordinate with local, state and/or federal emergency management and law enforcement agencies for pre-credentialing to help facilitate access by technicians to restricted areas during an event.
9-7-0492 Critical Network Operators should provide back-up power (e.g., some combination of batteries, generator, fuel cells) at cell sites and remote equipment locations, consistent with the site specific constraints, criticality of the site, the expected load and reliability of primary power.
9-7-0493 Critical Network Operators and Property Managers should consider placing fixed power generators at cell sites, where feasible.
9-7-0494 Highly Important Network Operators and Property Managers should consider including a provision in cell-site contracts for back-up power.
9-7-0495 Critical Network Operators and Property Managers should consider pre-arranging contact information and access to restoral information with local power companies.
9-7-0496 Highly Important Network Operators and Property Managers should consider storing their portable generators at critical sites that are not otherwise equipped with stationary generators.
9-7-0497 Highly Important Network Operators and Property Managers should consider connecting the power load to portable generators where they are stored, and configuring them for auto-engage in the event of a failover.
9-7-0498 Highly Important Network Operators and Property Managers should consider alternative measures for cooling network equipment facilities (e.g., powering HVAC on generator, deploying mobile HVAC units) in the event of a power outage.
9-7-0499 Critical Network Operators and Service Providers should consider ensuring that the back-haul facility equipment located at the cell site is provided with backup power whose duration is equal to that provided for the other equipment at the cell site.
9-7-0501 Important Network Operators and Service Providers should report problems discovered from their operation of network equipment to the Equipment Supplier whose equipment was found to be the cause of the problem.
9-7-0508 Important Network Operators and Service Providers should establish company-specific interconnection agreements, and where appropriate, utilize existing interconnection templates and existing data connection trust agreements.
9-7-0512 Important Network Operators, Service Providers and Property Managers should perform periodic inspections of fire and water stopping where cable ways pass through floors and walls (e.g., sealing compounds).
9-7-0515 Important Role-based Mailbox: Network Operators and Service Providers should, for easy communication with subscribers and other operators and providers, use specific role-based accounts (e.g., abuse@provider.net, ip-request@provider.net) versus general accounts (e.g., noc@provider.net) which will help improve organizational response time and also reduce the impact of Spam.
9-7-0516 Highly Important Route Flapping: Network Operators and Service Providers should manage the volatility of route advertisements in order to maintain stable IP service and transport. Procedures and systems to manage and control route flapping at the network edge should be implemented.
9-7-0517 Highly Important Equipment Control Mechanisms: Equipment Suppliers should design network elements and associated network management elements with the combined capability to dynamically handle peak load and overload conditions gracefully and queue or shed traffic as necessary (e.g., flow control).
9-7-0518 Important Capacity Monitoring: Network Operators should design and implement procedures for traffic monitoring, trending and forecasting so that capacity management issues may be understood.
9-7-0520 Highly Important Network Operators and Service Providers should have a route policy that is available, as appropriate. A consistent route policy facilitates network stability and inter-network troubleshooting.
9-7-0521 Highly Important Industry Standards: Network Operators, Service Providers and Equipment Suppliers should work toward implementing industry standards for interconnection points.
9-7-0522 Highly Important Industry Forum Participation: Network Operators, Service Providers, and Equipment Suppliers should participate in standards development organizations and industry forums.
9-7-0538 Highly Important Equipment Suppliers' network element (including OSS) software should be backward compatible.
9-7-0539 Important Equipment Suppliers should share trend information (availability, etc.) with their Network Operators and Service Providers.
9-7-0542 Highly Important Equipment Supplier processes (e.g., software upgrade) should include prevention and detection of malicious code insertion from Original Equipment Manufacturers (OEMs), contractors, and disgruntled employees.
9-7-0543 Critical Service Providers should establish agreements with Property Managers for both regular and emergency power.
9-7-0549 Highly Important Network Operators should develop an engineering design for critical network elements and inter-office facilities that addresses diversity, and utilize management systems to provision, track and maintain that inter-office and intra-office diversity.
9-7-0552 Highly Important Equipment Suppliers' software fault insertion testing (including simulating network faults such as massive failures) should be performed as a standard part of an Equipment Supplier's development process.
9-7-0553 Highly Important Equipment Suppliers' hardware fault insertion testing (including simulating network faults such as massive failures) should be performed as a standard part of an Equipment Supplier's development process. Hardware failures and data errors should be tested and/or simulated to stress fault recovery software.
9-7-0554 Important Equipment Suppliers' hardware and software fault recovery design processes should converge early in the development cycle.
9-7-0555 Important Equipment Suppliers should continually enhance their software development methodology to ensure effectiveness by employing modern processes of assessment.
9-7-0557 Highly Important Equipment Suppliers should make efforts to minimize the possibility of having a silent failure on any system component, especially critical components. Equipment Suppliers should also constantly review the level of inspection and surveillance on critical components so silent failures are not able to manifest throughout the life of the product.
9-7-0559 Highly Important Service Providers and Network Operators should consider validating upgrades, new procedures and commands in a lab or other test environment that simulates the target network and load prior to the first application in the field.
9-7-0561 Important Equipment Providers should provide timely documentation that is complete and easy-to-use. The availability of electronic media to customers for documentation is essential.
9-7-0562 Important Equipment Suppliers should use a change control and release planning process to keep track of the changes to the product and the corresponding documentation.
9-7-0564 Important Equipment Suppliers should develop and update training for their products with a clear understanding of customer needs and human factors.
9-7-0565 Important Equipment Suppliers should establish and use metrics to identify key areas and measure progress in improving quality, reliability, and security during product development and field life cycle.
9-7-0582 Highly Important Public Safety authorities should use 911 as the standard access code for emergency services (e.g., law enforcement, fire, EMS, hazardous materials).
9-7-0583 Highly Important Network Operators, Service Providers and Equipment Suppliers should adopt an industry uniform method of reporting and tracking significant service outages (e.g., TL-9000 standard outage template).
9-7-0588 Highly Important Network Operators, Service Providers and Equipment Suppliers should provide awareness training that stresses the services impact of network failure, the risks of various levels of threatening conditions and the roles components play in the overall architecture. Training should be provided for personnel involved in the direct operation, maintenance, provisioning, security and support of network elements.
9-7-0589 Highly Important Network Operators, Service Providers, and Equipment Suppliers should establish a minimum set of work experience and training courses which must be completed before personnel may be assigned to perform maintenance activities on production network elements, especially when new technology is introduced in the network.
9-7-0597 Highly Important Network Operator and Service Provider network technicians should be trained in (1) detection of conditions requiring intervention, (2) escalation procedures, and (3) manual recovery techniques.
9-7-0604 Highly Important Network Operators and Service Providers should establish synchronization coordinator(s) who has responsibility for the network synchronization. The synchronization coordinator(s) should be accessible to their Network Operations Centers.
9-7-0607 Highly Important Inter-Provider Fault Isolation: Network Operators and Service Providers should ensure that bilateral technical agreements between interconnecting networks address the issue of fault isolation.
9-7-0609 Highly Important Network Operators and Service Providers should provide and maintain the contact information for mutual aid coordination for inclusion in mutual aid processes.
9-7-0611 Important Equipment Suppliers should provide secure electronic distribution of documentation and software, where feasible.
9-7-0614 Important Equipment Identification: Network Operators, Service Providers and Equipment Suppliers should position the equipment designation information (e.g., location, labels, RFID tags) so that it is securely affixed. The equipment designation should not be placed on removable parts such as covers, panels, doors, or vents that can be removed and mistakenly installed on a different network element.
9-7-0618 Highly Important Network Operators and Service Providers should establish mutually agreed upon reliability thresholds with Equipment Suppliers for new hardware (e.g., routers, switches, call servers, signaling servers) brought into service on the network.
9-7-0621 Important Network Operators and Service Providers should consider abandoning and/or removing existing cable that does not meet NEBS standards, if it is economically feasible and safe to do so.
9-7-0623 Important Network Operators and Service Providers using Valve Regulated Lead Acid (VRLA) batteries should perform annual maintenance by performing a discharge test or by using an ohmic test instrument.
9-7-0624 Important Network Operators, Service Providers, and Property Managers are encouraged to establish case history files, by equipment category for rectifiers, to facilitate decisions to replace such equipment with more efficient equipment based on failure trends.
9-7-0625 Important Network Operators, Service Providers and Property Managers should consider placing electric utility transformers external to buildings.
9-7-0626 Important Network Operators, Service Providers and Property Managers should regularly inspect building mechanical equipment (e.g., air handling fans, air compressors, pumps).
9-7-0627 Important Network Operators, Service Providers and Property Managers should exercise, service, and calibrate AC circuit breakers per manufacturers' recommendations.
9-7-0628 Important Network Operators and Service Providers should develop and implement defined procedures for removal of unused equipment and cable (e.g., cable mining) if this work can be economically justified without disrupting existing service.
9-7-0629 Highly Important Network Operators, Service Providers and Property Managers should implement a training program for contractors working in critical equipment locations to ensure they understand the need for protecting the continuity of service and all fire safety requirements applicable to the facility.
9-7-0631 Important Network Operators, Service Providers, Equipment Suppliers, and Property Managers should develop a comprehensive Site Management and/or Building Certification Program to ensure that every critical equipment location has carefully documented procedures to ensure fire safety. These procedures should include, among other things, guidance for the safe operation of all electrical appliances at this facility, including space heaters which are a frequent source of fires.
9-7-0634 Critical Network Operators, Service Providers and Property Managers together with the Power Company and other tenants in the location, should verify that aerial power lines are not in conflict with hazards that could produce a loss of service during high winds or icy conditions.
9-7-0640 Important Network Operators, Service Providers and Property Managers should ensure proper air filtration.
9-7-0645 Important HVAC Maintenance: Network Operators, Service Providers and Property Managers should inspect and maintain heating, venting, air conditioning (HVAC) areas.
9-7-0648 Important Network Operators, Service Providers and Property Managers should ensure certified inspection of boilers & fuel storage units.
9-7-0650 Critical Network Operators, Service Providers and Property Managers should place strong emphasis on human activities related to the operation of power systems (e.g., maintenance procedures, alarm system operation, response procedures, and training) for operations personnel.
9-7-0651 Critical Network Operators, Service Providers and Property Managers should consider providing diversity within power supply and distribution systems so that single point failures (SPOF) are not catastrophic. For large battery plants in critical offices, consider providing dual AC feeds (odd/even power service cabinets for rectifiers). Transfer switches should be listed to a UL standard for Transfer Switch Equipment. When transfer breaker systems are used, they must be mechanically and electrically interlocked.
9-7-0652 Highly Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should adhere to the following applicable power engineering design standards: Telcordia GR-513-CORE (Power - LSSGR section 13), Telcordia GR-63-CORE (NEBS), Telcordia GR-295-CORE (Isolated Ground Planes), Telcordia GR-1089-CORE (Electromagnetic Compatibility), and ATIS-0600311.2007 (DC Power Systems - Telecommunications Environment Protection).
9-7-0672 Critical Network Operators and Service Providers should provide a minimum of 3 hours battery reserve for central offices equipped with fully automatic standby systems.
9-7-0673 Important Network Operators and Service Providers should provide temperature compensation on the rectifiers (or some method to detect/prevent thermal runaway), when valve regulated batteries are used.
9-7-0675 Important Network Operators, Service Providers and Property Managers should, for new installations, consider using multiple small battery plants in place of single very large plants, and consider using multiple battery strings in each plant.
9-7-0676 Important Network Operators and Service Providers should not use low voltage disconnects or battery disconnects at central office battery plants.
9-7-0677 Important Network Operators, Service Providers and Property Managers should only use rectifier sequence controllers where necessary to limit load on the backup power generator.
9-7-0680 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should provide protective covers on vulnerable circuit breakers which power critical equipment.
9-7-0681 Important Network Operators, Equipment Suppliers and Property Managers should ensure that fuses and breakers meet quality Level III reliability per Technical Reference (SR-332), "Reliability Prediction Procedure for Electronic Equipment."
9-7-0682 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should ensure that power wire, cable, and signaling cables used in communications locations meet NEBS.
9-7-0683 Important Network Operators, Service Providers and Equipment Suppliers should not mix DC power cables, AC power cables and telecommunications cables wherever possible.
9-7-0684 Important Network Operators, Service Providers and Property Managers should verify DC fusing levels throughout the power supply and distribution system, especially at the main primary distribution board, to ensure that fuses and breakers are not loaded at more than 80% of their rated ampacity. Diode OR'ed arrangements require additional special overcurrent protection considerations. In addition, protector size should never exceed cable ampacity.
9-7-0685 Important Network Operators should have detailed methods and procedures to identify protection required around energized DC buses.
9-7-0686 Important Network Operators, Service Providers and Equipment Suppliers should verify front and rear stenciling on equipment during installation for accurate identification.
9-7-0692 Important Network Operators, Service Providers and Equipment Suppliers should consider using fail-safe, normally closed contacts that open for an alarm, for critical alarms produced by single contacts (one on one).
9-7-0696 Important Network Operators, Service Providers and Property Managers should use infrared thermography to check power connections and cabling in central offices when troubleshooting, during installation test and acceptance, and every 5 years.
9-7-0702 Important Network Operators and Service Providers should minimize dependence on equipment requiring AC power feeds in favor of DC-powered components.
9-7-0703 Important Network Operators, Service Providers and Property Managers should secure remote power maintenance systems to prevent unauthorized use.
9-7-0705 Important Network Operators should use warning tape on buried facilities - place tape 12 in. above the cable system.
9-7-0706 Important Network Operators should use visible cable markings on buried facilities (unless prone to vandalism).
9-7-0707 Important Network Operators should ensure timely response once received from the One Call Center for all locate requests.
9-7-0708 Important Network Operators should use appropriate technologies for locating buried facilities and consider upgrading as technologies evolve.
9-7-0709 Highly Important Network Operators should compare outside plant drawings relative to marking cable route maps when locating buried facilities and resolve any discrepancies.
9-7-0710 Highly Important Network Operators should use 'dig carefully' concepts and utilize guidance from industry sources for the protection of underground facilities when excavation is to take place within the specified tolerance zone. (See Reference/Comment field for additional information)
9-7-0715 Important Network Operators should proactively communicate with land owners regarding rights-of-way or easements near critical buried facilities to prevent accidental service interruption.
9-7-0716 Important Network Operators should encourage employees to become proactive in preventing buried facilities damages.
9-7-0719 Important Network Operators should use 'dig carefully' concepts and utilize guidance from industry sources when installing underground facilities.
9-7-0722 Important Network Operators, Service Providers and Property Managers should consider pest control measures to protect cables where appropriate.
9-7-0725 Important Network Operators and Government should increase stakeholder coordination and cooperation to improve the effectiveness of state one-call legislation efforts.
9-7-0726 Important Network Operators should consider partnering with excavators, locators, and municipalities in a cable damage prevention program.
9-7-0728 Important Network Operators should use industry standard markings for outside plant cables.
9-7-0729 Important Network Operators should establish training, qualification and performance standards for internal utility locators and establish performance standards with external utility locators.
9-7-0733 Important Network Operators, when relocating buried facilities in a common right-of-way, should coordinate activities with other right-of-way occupants to minimize the potential for damage.
9-7-0735 Important Network Operators should evaluate the performance of their contracted excavators and internal excavators to foster improved network reliability.
9-7-0738 Important Network Operators and Service Providers should track and analyze facility outages taking action if any substantial negative trend arises or persists.
9-7-0740 Important Network Operators should implement internal processes needed to support the One-Call Notification legislation.
9-7-0741 Important Network Operators and Service Providers should review, and adopt as appropriate, best practices aimed at reducing damage to underground facilities that are maintained by the Common Ground Alliance (www.commongroundalliance.com).
9-7-0744 Important Equipment Suppliers should periodically review the results of root cause analysis to ensure that the least impacting methods for fault recovery are being used.
9-7-0746 Important Equipment Suppliers should emphasize human factors during design and development to reduce human errors and the impact of these errors. Automated systems should be considered to reduce operating errors.
9-7-0747 Important Network Operators, Service Providers and Equipment Suppliers should work together to establish reliability and performance objectives in the field environment.
9-7-0748 Important Equipment Suppliers should provide troubleshooting job aids, with updates as appropriate, to assist operations support personnel during fault isolation and recovery.
9-7-0749 Critical Equipment Suppliers should prevent critical systems from accepting or allowing service affecting activity without appropriate confirmation.
9-7-0751 Important Equipment Suppliers should provide clear and specific engineering guidelines, ordering procedures, and installation documentation in support of their products.
9-7-0752 Important Network Operators and Service Providers should evaluate support documentation as an integral part of the equipment selection process.
9-7-0753 Important Network Operators and Service Providers should be familiar with support documentation provided with the equipment.
9-7-0754 Important Network Operators, Service Providers and Property Managers should have documented installation guidelines for equipment deployment in their network or buildings.
9-7-0756 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should consider including a quality review based on the installation guidelines as part of the on-site installation acceptance.
9-7-0757 Important Network Operators, Service Providers and Equipment Suppliers should have procedures for pre-qualification or certification of installation vendors.
9-7-0765 Highly Important Network Operators should configure their TCP algorithm parameters according to RFC 3481 in order to optimize the performance of TCP/IP data transport for VoIP over 2.5G and 3G wireless networks.
9-7-0771 Highly Important Network Operators, Service Providers and Equipment Suppliers should consider a procedure for pre-notification of visits to critical facilities.
9-7-0772 Highly Important Collocated Service Providers should coordinate with Network Operators and Property Managers on equipment moves, adds or changes (MACs) which could impact other occupants.
9-7-0776 Highly Important Network Operators, Service Providers and Equipment Suppliers should conduct and periodically re-validate physical security assessments on critical network facilities.
9-7-0777 Important Equipment Suppliers should optimize equipment initializations to minimize service impact.
9-7-0778 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should ensure that handling installation/interconnection of circuit and signal paths continues to be performed by qualified communications technicians.
9-7-0779 Important Network Operators, Service Providers and Equipment Suppliers should establish a means to allow for coordination between cyber and physical security teams supporting preparedness, response, investigation and analysis.
9-7-0781 Important Network Operators, Service Providers, and Property Managers should evaluate the use of automatic notification mechanisms to the local fire department at critical facilities.
9-7-0804 Important Service Providers should consider appropriate means for providing their customers with information about their traffic policies so that users may be informed when planning and utilizing their applications.
9-7-0814 Highly Important For the deployment of Residential Internet Access Service, Broadband Network Operators should design in the ability to take active measures to detect and restrict or inhibit any network activity that adversely impacts performance, security, or usage policy.
9-7-0815 Important For the deployment of Residential Internet Access Service, Broadband Network Operators should select and properly install hardware that is designed for the expected environmental conditions.
9-7-0816 Important For the deployment of Residential Internet Access Service, in a shared media environment, Service Providers should design Broadband systems that provide appropriate privacy and access restriction to the data packet information (e.g., DOCSIS, PON).
9-7-0817 Highly Important For the deployment of Residential Internet Access Service, Broadband Network Operators should select, implement and locate equipment within the operator’s architecture to provide residential internet access to the most users where economically and technically feasible.
9-7-0818 Highly Important For the deployment of Residential Internet Access Service, Broadband Network Operators should deploy equipment that can report alarms.
9-7-0820 Important For the deployment of Residential Internet Access Service, Network Operators should deploy networks in a manner to mitigate the effects of harmful interference from other sources, and to mitigate harmful interference into other services.
9-7-0821 Highly Important For the deployment of Residential Internet Access Service, a Broadband Network Operator should ensure that network deployment and equipment installation does not physically impair the operation of other collocated communications networks/equipment in the connection network (e.g., shared space in the outside plant).
9-7-0822 Highly Important For the deployment of Residential Internet Access Service, a Broadband Network Operator should incorporate multilevel security schemes for network data integrity, as applicable, in the network design to prevent user traffic from interfering with network operations, administration, and management use.
9-7-1002 Important Network Operators, Service Providers and Equipment Suppliers should consider establishing a business continuity executive steering committee (composed of executive managers and business process owners) to ensure executive support and oversight.
9-7-1008 Important Network Operators, Service Providers, and Equipment Suppliers should use the Incident Command System for incident coordination and control in the emergency operations center and at the incident site.
9-7-1025 Highly Important Network Operators and Service Providers should consider using a team to quickly determine appropriate actions, either proactive or reactive, to address potential or real threats.
9-7-1036 Important Network Operators should determine in advance if they will use line of sight systems (microwave radio, free space optics, and satellite communications systems) to re-establish communications. If these technologies are to be deployed it is recommended that path designs be developed for each critical area in advance with personnel trained to install and optimize the systems.
9-7-1039 Highly Important Equipment Suppliers should develop support processes that include interfaces with those internal organizations (e.g., sales, logistics, manufacturing) that have a potential role in assisting Network Operators and Service Providers in disaster response efforts.
9-7-1040 Important Network Operators, Service Providers and Equipment Suppliers should consider using lab, demonstration or training equipment if replacement equipment is unavailable in disaster situations.
9-7-1045 Important Network Operators and Service Providers should use their escalation process, as needed, to address resource issues identified through damage and resource assessments.
9-7-1047 Highly Important Network Operators and Service Providers should develop a process to routinely archive critical system backups and provide for storage in a "secure off-site" facility which would provide geographical diversity.
9-7-1048 Highly Important Network Operators and Service Providers should consider supplementing media backup storage with full system restoral media and documented restoration procedures that can be utilized at an alternate "hot site", in case of total failure of the primary service site.
9-7-1049 Highly Important Service Providers should consider utilizing multiple network carriers for internet backbone connectivity to prevent isolation of service nodes.
9-7-1050 Critical Network Operators and Service Providers should consider tertiary carrier/transport methods such as satellite, microwave or wireless to further reduce points of failure or as "hot transport" backup facilities.
9-7-1052 Highly Important Network Operators and Service Providers should periodically assess the functionality of business critical systems during a disaster exercise.
9-7-1054 Highly Important Network Operators, Service Providers and Property Managers should install fire detection systems and consider the use of suppression systems or devices at buildings supporting network functionality.
9-7-1061 Important Service Providers, Network Operators and Equipment Suppliers should ensure that Telecommunication Service Priority (TSP) records and databases are reconciled annually.
9-7-1064 Highly Important Network Operators, Service Providers and Equipment Suppliers should implement minimum network management controls in order to promote reliability of the interconnected network.
9-7-1065 Important Network Operators and Service Providers should identify and manage critical network elements and architecture that are essential for network connectivity and subscriber services considering security, functional redundancy and geographical diversity.
9-7-3201 Highly Important Service Providers and Public Safety organizations should jointly develop a response plan to notify the public, through the broadcast media, of alternate means of contacting emergency services during a 911 outage.
9-7-3209 Important CATV Service Providers shall, where practical, receive signals from local broadcasters via fiber as the primary source with automatic failover to the off-air signal as the secondary source, to support public notification in disasters or emergencies.
9-7-3210 Important Emergency Operations Centers and PSAPs should consider obtaining connections to provide video (for viewing local weather and news information and monitoring distribution of information over EAS), and utilize that connection to provide diverse access to the Internet and telecommunications.
9-7-3232 Important Handsets that use a Global Positioning System (GPS) algorithm for E9-1-1: Equipment Suppliers should ensure that the Phase II handsets commence Global Positioning System (GPS) acquisition before the GPS satellite location identification information is received so that GPS acquisition time is minimized and to reduce the number of database query rebids.
9-7-5001 Highly Important Network Operators, Service Providers and Equipment Suppliers should establish additional access control measures that provide two factor identification (e.g., cameras, PIN, biometrics) in conjunction with basic physical access control procedures at areas of critical infrastructure, as appropriate, to adequately protect the assets.
9-7-5002 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should develop and implement periodic physical inspections and maintenance as required for all critical security systems.
9-7-5003 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should periodically audit compliance with physical security policies and procedures.
9-7-5005 Highly Important Network Operators, Service Providers and Equipment Suppliers should conduct electronic surveillance (e.g., CCTV, access control logs, alarm monitoring) at critical access points and preserve the data for investigation.
9-7-5006 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should have policies and procedures that address tailgating (i.e., following an authorized user through a doorway or vehicle gateway). At critical sites, consider designing access points to minimize tailgating.
9-7-5009 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should ensure that access control records are retained in conjunction with company standards.
9-7-5010 Highly Important Network Operators, Service Providers and Equipment Suppliers should deploy security measures in proportion to the criticality of the facility or area being served.
9-7-5011 Highly Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should alarm and monitor critical facility access points to detect intrusion or unsecured access (e.g., doors being propped open).
9-7-5013 Important In facilities where master key systems are used, Network Operators, Service Providers, Equipment Suppliers and Property Managers should consider establishing hierarchical key control system(s) (e.g., Master Key Control systems) with record-keeping databases, implemented so that keys are distributed only to those with a need for access into the locked space (e.g., perimeter doors, offices, restricted areas).
9-7-5014 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should establish and maintain inventory control measures to protect all media associated with Master Key Control (MKC) systems and access control systems.
9-7-5015 Highly Important Network Operators, Service Providers and Equipment Suppliers should establish separation policies and procedures that require the return of all corporate property and invalidate access to all corporate resources (physical and logical) to coincide with the separation of employees, contractors and vendors.
9-7-5018 Important Network Operators, Service Providers and Equipment Suppliers should periodically conduct reviews to ensure that proprietary information is protected in accordance with established policies and procedures.
9-7-5019 Important Network Operators, Service Providers and Equipment Suppliers should consider establishing an employee awareness training program to inform employees who create, receive or transfer proprietary information of their responsibilities for compliance with proprietary information protection policies and procedures.
9-7-5020 Important Network Operators, Service Providers and Equipment Suppliers should consider establishing corporate standards and practices to drive enterprise-wide access control to a single card and single system architecture to mitigate the security risks associated with administering and servicing multiple platforms.
9-7-5021 Highly Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should establish and enforce access control and identification procedures for all individuals (including visitors, contractors, and vendors) that provide for the issuing of ID badges, and the sign-in and escorting procedures where appropriate.
9-7-5022 Highly Important Network Operators, Service Providers and Equipment Suppliers should internally identify and document areas of critical infrastructure as part of security and emergency response planning. This documentation should be kept current and protected as highly sensitive proprietary information.
9-7-5026 Highly Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should include security as an integral part of the facility construction process to ensure that security risks are proactively identified and appropriate solutions are included in the design of the facility. Where appropriate, this review may include elements such as facility location selection, security system design, configuration of the lobby, limitation of outside access points (both doors and windows), location of mailroom, compartmentalization of loading docks, design of parking setbacks, placement and protection of air handling systems and air intakes, structural enhancements, and ramming protection. Consider sign off authority for security and safety on all construction projects.
9-7-5027 Highly Important Security and Human Resources (for Network Operators, Service Providers or Equipment Suppliers) should partner on major issues to ensure that security risks are identified and plans are developed to protect the company's personnel and assets (e.g., hiring, downsizing, outsourcing, labor disputes, civil disorder).
9-7-5028 Highly Important Network Operators, Service Providers and Equipment Suppliers should establish policies and procedures related to access control to provide exception access (e.g., emergency repair or response, forgotten credential, etc.).
9-7-5029 Highly Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should facilitate the availability of security related hardware and media (e.g., spare hardware) and/or a contingency plan for its availability in the event of a disaster.
9-7-5030 Highly Important Network Operators, Service Providers and Equipment Suppliers should provide a level of security protection over critical inventory (i.e., spares) that is proportionate to the criticality of the equipment.
9-7-5031 Highly Important Network Operators, Service Providers and Equipment Suppliers should establish a role for the security function (i.e., physical and cyber) in business continuity planning, including emergency response plans and periodic tests of such plans.
9-7-5032 Important Network Operators, Service Providers and Equipment Suppliers should establish a procedure governing the assignment of facility access levels.
9-7-5033 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should consider establishing and implementing background investigation policies that include criminal background checks of employees. The policy should detail elements of the background investigation as well as disqualification criteria.
9-7-5034 Highly Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should consider establishing contractual obligations requiring contractors, subcontractors and vendors to conduct background investigations of all personnel who require unescorted access to areas of critical infrastructure or who require access to sensitive information related to critical infrastructure.
9-7-5040 Highly Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should install environmental emergency response equipment (e.g., fire extinguishers, high rate automatically activated pumps) where appropriate, and periodically inspect the equipment.
9-7-5041 Highly Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should establish and implement policies and procedures to secure and restrict access to power, environmental, security, and fire protection systems.
9-7-5042 Important Network Operators, Service Providers and Property Managers should establish and implement policies and procedures to secure and restrict access to fuel supplies.
9-7-5043 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should comply with security standards for perimeter lighting.
9-7-5044 Important Network Operators, Service Providers, Equipment Suppliers or Property Managers should plan and maintain landscaping at facilities to enhance the overall level of building security wherever possible. Landscaping at critical facilities should not obstruct necessary security lighting or camera views of ingress and egress areas, and landscaping should also avoid creating fire hazards or hiding places.
9-7-5046 Highly Important Network Operators and Property Managers should ensure critical infrastructure utility vaults are secured from unauthorized access.
9-7-5048 Important Network Operators, Service Providers and Equipment Suppliers should establish and implement a policy that requires approval by senior member(s) of the security department for security related goods and services contracts.
9-7-5052 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers using guard services should ensure that each post has written, detailed post orders, including site-specific instructions and up-to-date emergency contact information, and ensure that on-the-job training occurs.
9-7-5053 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should periodically audit guard services to ensure satisfactory performance, and compliance with organizational contractual requirements.
9-7-5057 Highly Important Network Operators, Service Providers and Equipment Suppliers should consider an enhanced level of emergency response for locations supporting critical functions.
9-7-5058 Critical Back-up Power: Network Operators, Service Providers, Equipment Suppliers and Property Managers should ensure that all critical infrastructure facilities, including the security equipment, devices and appliances protecting it, are supported by backup power systems (e.g., batteries, generators, fuel cells).
9-7-5061 Important Equipment Suppliers should consider ergonomics and human-centric factors when designing user interfaces (e.g., hardware labeling, software, documentation).
9-7-5062 Highly Important Network Operators, Service Providers and Equipment Suppliers should staff critical functions at appropriate levels, considering human factors such as workload and fatigue.
9-7-5064 Highly Important Network Operators, Service Providers and Property Managers should alarm and monitor critical electronic equipment areas to detect parameters that are outside operating specifications (e.g., temperature, humidity).
9-7-5066 Highly Important Network Operators, Service Providers, Equipment Suppliers, and Property Managers should ensure that sensitive information pertaining to critical infrastructure is considered proprietary and access is restricted appropriately, both internally and externally. Appropriate markings are required to qualify for exemption from disclosure under FOIA.
9-7-5068 Important Network Operators, Service Providers and Property Managers should establish standards, policies and procedures that, where feasible, separate Inter-connector equipment and personnel access from ILEC floor space.
9-7-5070 Highly Important Network Operators, Service Providers and Equipment Suppliers should consider establishment of a senior management function for a chief security officer (CSO) or functional equivalent to direct and manage both physical and cyber security.
9-7-5071 Critical In order to prepare for contingencies, Network Operators, Service Providers and Property Managers should maintain liaison with local law enforcement, fire department and other security and emergency agencies to exchange critical information related to threats, warnings and mutual concerns.
9-7-5072 Highly Important Network Operators, Service Providers and Equipment Suppliers should perform risk assessments on key network facilities and control areas on a regular basis. Assessments should address natural disasters and unintentional or intentional acts of people on facility or nearby structures.
9-7-5074 Critical Network Operators, Service Providers, and Equipment Suppliers should document in a Disaster Recovery Plan the process for restoring physical security control points for critical infrastructure facilities.
9-7-5075 Highly Important Network Diversity: Network Operators and Service Providers should ensure that networks built with redundancy are also built with geographic separation where feasible (e.g., avoid placing mated pairs in the same location and redundant logical facilities in the same physical path).
9-7-5076 Highly Important Network Operators and Service Providers should ensure and periodically review intra-office diversity of critical resources including power, timing source and signaling leads (e.g., SS7).
9-7-5078 Highly Important Network Operators and Service Providers should be automatically notified upon the loss of alarm data and react accordingly.
9-7-5079 Highly Important Network Operators and Service Providers should, where feasible, provide both physical and logical diversity of critical facilities links (e.g., nodal, network element). Particular attention should be paid to telecom hotels and other concentration points.
9-7-5080 Highly Important Network Operators should identify and track critical network equipment, location of spares, and sources of spares to ensure the long term continuity and availability of communication service.
9-7-5083 Highly Important Network Operators, Service Providers and Equipment Suppliers should maintain the availability of spares for critical network systems.
9-7-5084 Critical Hardware & Software Quality Assurance: Network Operators, Service Providers and Equipment Suppliers should consider ensuring that outsourcing of hardware and software includes a quality assessment, functional testing and security testing by an independent entity.
9-7-5088 Important Equipment Suppliers should ensure appropriate physical security controls are designed and tested into new products and product upgrades (e.g., tamper resistant enclosures).
9-7-5089 Important Service Providers, Network Operators and Equipment Suppliers should establish, implement and enforce appropriate procedures for the storage and movement of equipment and material, including trash removal, to deter theft.
9-7-5091 Important Network Operators, Service Providers and Equipment Suppliers should develop and implement, as appropriate, travel security awareness training and briefings before traveling internationally.
9-7-5092 Important Network Operators, Service Providers and Equipment Suppliers should establish an incident reporting mechanism and investigations program so that security or safety related events are recorded, analyzed, and investigated as appropriate.
9-7-5095 Highly Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should implement a tiered security response plan for communications facilities that recognizes the threat levels identified in the Homeland Security Advisory System.
9-7-5096 Highly Important Network Operators, Service Providers and Equipment Suppliers should require compliance with corporate security standards and programs for contractors, vendors and others, as appropriate. This requirement should be included as part of the terms and conditions of the contract that the contractor or vendor has with the company, and should also be made to apply to their subcontractors.
9-7-5099 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should consider keeping centralized trash collection outside the building to reduce the potential for fire and access to the building. Dumpsters should be located away from the buildings where feasible.
9-7-5100 Important Network Operators, Service Providers and Equipment Suppliers should interact as needed with federal, state, and local agencies to identify and address potential adverse security impacts of new laws and regulations (e.g., exposing vulnerability information, required security measures, fire codes).
9-7-5105 Important Network Operators and Equipment Suppliers should consider the security implications of equipment movement both domestically and internationally, including movement across borders and through ports of entry.
9-7-5107 Critical Network Operators, Service Providers and Equipment Suppliers should evaluate and manage risks (e.g., alternate routing, rapid response to emergencies) associated with a concentration of infrastructure components.
9-7-5110 Highly Important Network Operators should not share information pertaining to the criticality of individual communication facilities or the traffic they carry, except with trusted entities for justified specific purposes with appropriate protections against further disclosure.
9-7-5111 Highly Important Network Operators should not share information regarding the location, configuration or composition of the telecommunication infrastructure where this information would be aggregated at an industry level without proper protection measures acceptable to the information provider.
9-7-5114 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should establish, implement and enforce mailroom and delivery procedures that recognize changes in threat conditions.
9-7-5115 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should provide and reinforce as appropriate mail screening procedures to relevant employees and contractors to increase attention to security.
9-7-5116 Highly Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should provide periodic briefings and/or make available industry/Government guidance for identifying suspicious letters or parcels, to personnel (employees or contractors) involved in shipping, receiving or mailroom activities at major locations or critical sites. Protocols for handling any suspicious items should be established in advance and implemented upon the receipt of any suspicious letter or parcel.
9-7-5117 Highly Important Equipment Suppliers of critical network elements should consider designing electronic hardware to industry requirements (e.g., NEBS) to minimize susceptibility to electromagnetic energy, shock, vibration, voltage spikes, and temperature.
9-7-5118 Highly Important Equipment Suppliers of critical network elements should test electronic hardware to ensure its compliance with design criteria for tolerance to electromagnetic energy, shock, vibration, voltage spikes, and temperature.
9-7-5120 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should evaluate the potential benefits and security implications when making decisions about building and facility signage, both internally and externally.
9-7-5121 Important Network Operators, Service Providers and Equipment Suppliers should develop and consistently implement software delivery procedures that protect the integrity of the delivered software in order to prevent software loads from being compromised during the delivery process.
9-7-5123 Highly Important Network Operators should maintain and control access to accurate location information of critical network facilities in order to identify physical locations hosting critical infrastructure assets.
9-7-5129 Important Network Operators and Service Providers who are required by the government to file outage reports for major network outages should ensure that such reports do not unnecessarily contain information that discloses specific network vulnerabilities, in order to prevent such information from being unnecessarily available in public access.
9-7-5134 Important Network Operators, Service Providers and Equipment Suppliers should consider establishing a policy to manage the risks associated with key personnel traveling together.
9-7-5135 Important Network Operators, Service Providers and Equipment Suppliers should participate in the Communications Security, Reliability and Interoperability Council (CSRIC) and its focus groups in order to develop industry Best Practices for addressing and mitigating public communications infrastructure vulnerabilities.
9-7-5138 Highly Important Network Operators should plan for the possibility that impacted network nodes cannot be accessed by company personnel for an extended period of time and define the corporate response for restoration of service.
9-7-5141 Important Network Operators, Service Providers and Equipment Suppliers should consider restricting, supervising, and/or prohibiting tours of critical network facilities, systems and operations.
9-7-5145 Important Network Operators should establish plans to perform interference analysis and mitigation to ensure timely resolution of all cases of interference (e.g., caused by equipment failure, intentional act/sabotage or frequency overlap). Where feasible, analysis should enable identification of type and general location of interference source.
9-7-5151 Important Network Operators, Service Providers and Property Managers located in the same facility should coordinate security matters and include all tenants in the overall security and safety notification procedures, as appropriate.
9-7-5152 Important Network Operators, Service Providers and Equipment Suppliers should consider performing targeted sweeps of critical infrastructures and network operations centers for listening devices when suspicion warrants.
9-7-5153 Important Network Operators, Service Providers and Equipment Suppliers should ensure that critical information being provided to other companies as part of bid processes is covered under non-disclosure agreements and limited to a need to know basis.
9-7-5158 Important Network Operators, Service Providers and Equipment Suppliers should consider unannounced internal security audits at random intervals to enforce compliance with company security policies.
9-7-5163 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should consider establishing procedures for video equipment and recording, where utilized (e.g., storage, accurate time/date stamping and regular operational performance checks).
9-7-5164 Highly Important Network Operators, Service Providers and Equipment Suppliers should establish and enforce a policy to immediately report stolen or missing company vehicles and trailers to the appropriate authorities.
9-7-5166 Important Equipment Suppliers should, wherever feasible, isolate R&D and software manufacturing of Network Elements from general office systems to prevent unauthorized access.
9-7-5167 Important Network Operators, Service Providers and Equipment Suppliers should provide secured methods, both physical and electronic, for the internal distribution of software development and production materials.
9-7-5174 Highly Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should utilize a coordinated physical security methodology that incorporates diverse layers of security in direct proportion to the criticality of the site.
9-7-5187 Highly Important Property Managers of collocation and telecom hotel facilities should be responsible and accountable for common space, critical shared areas (e.g., cable vault, power sources) and perimeter security for the building with consideration of industry standards and best practices.
9-7-5188 Important Network Operators and Service Providers in multi-tenant communications facilities (e.g., telecom hotels) should provide or arrange security for their own space with consideration of CSRIC Best Practices and in coordination with the existing security programs for the building.
9-7-5191 Important Network Operators and Service Providers that are tenants within telecom hotels should plan accordingly to protect their own facilities from potential risks within the building complex (e.g., fire suppression system, plumbing, hazardous materials).
9-7-5192 Important Network Operators and Service Providers that are tenants of a telecom hotel should provide the Property Manager with a current list of all persons authorized for access, provide periodic updates to this list, and provide instructions for exceptions (e.g., emergency restoration personnel).
9-7-5197 Critical Network Operators, Service Providers, and Property Managers should periodically inspect, or test as appropriate, the grounding systems in critical network facilities.
9-7-5198 Important Equipment Suppliers should design their products to take into consideration protection against the effects of corrosion and contamination.
9-7-5199 Highly Important Network Operators and Service Providers should provide appropriate protection for outside plant equipment (e.g., Controlled Environmental Vault, remote terminals) against tampering and should consider monitoring certain locations against intrusion.
9-7-5203 Critical Network Operators, Service Providers, and Property Managers should develop, maintain and administer a comprehensive program to sustain a reliable power infrastructure.
9-7-5209 Highly Important Network Operators, Service Providers and Property Managers should restrict access to the AC transfer switch housing area, ensure that scheduled maintenance of the transfer switch is performed, and ensure that spare parts are available.
9-7-5211 Important Network Operators, Service Providers and Property Managers should disable power equipment features that allow switching off of power equipment from a remote location (i.e., dial-up modem). During severe service conditions, such features may be activated to allow a degree of remote control.
9-7-5212 Highly Important Network Operators, Service Providers and Property Managers should consider placing generator sets and fuel supplies for critical sites within a secured area to prevent unauthorized access, reduce the likelihood of damage and/or theft, and to provide protection from explosions and weather.
9-7-5213 Highly Important Network Operators, Service Providers and Property Managers should, where feasible, place fuel tanks in a secured and protected area. Access to fill pipes, fuel lines, vents, manways, etc. should be restricted (e.g., containment by fencing, walls, buildings, buried) to reduce the possibility of unauthorized access.
9-7-5214 Highly Important Network Operators, Service Providers and Property Managers should consider placing all power and network equipment in a location to increase reliability in case of disaster (e.g., floods, broken water mains, fuel spillage). In storm surge areas, consider placing all power related equipment above the highest predicted or recorded storm surge levels.
9-7-5216 Important Network Operators, Service Providers and Property Managers should consider providing secure pre-constructed exterior wall pathways for mobile generator connections or tap box connections.
9-7-5217 Highly Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should raise awareness of appropriate personnel regarding possible secondary events immediately after an incident and promptly report any suspicious conditions.
9-7-5218 Highly Important Equipment Suppliers should implement a comprehensive security program for protecting hardware, firmware and software from malicious code insertion or tampering during development and delivery, taking into consideration that some developmental environments around the world present a higher risk level than others.
9-7-5220 Highly Important Network Operators, Service Providers and Equipment Suppliers who utilize foreign sites should establish and implement a comprehensive physical security program for protecting corporate assets, including personnel, at those sites.
9-7-5221 Important Network Operators, Service Providers and Equipment Suppliers should consider limiting the dissemination of information relating to future locations of key leadership.
9-7-5222 Highly Important Network Operators, Service Providers and Equipment Suppliers should consider providing trouble call centers with a physically diverse back-up capability that can quickly be configured to receive the incoming traffic and take appropriate action.
9-7-5226 Highly Important Network Operators, Service Providers and Property Managers should maintain liaison with local law enforcement, fire department, other utilities and other security and emergency agencies to ensure effective coordination for emergency response and restoration.
9-7-5229 Highly Important Network Operators, Service Providers and Property Managers should have controlled access to comprehensive facility cabling documentation (e.g., equipment installation plans, network connections, power, grounding and bonding) and keep a backup copy of this documentation at a secured off-site location.
9-7-5233 Important Network Operators, Service Providers and Equipment Suppliers should verify proper functioning of electronic surveillance equipment (e.g., CCTV, access control logs, alarm monitoring) at critical access points after any incident that may impact such equipment.
9-7-5236 Important Property Managers should take the lead in restoration efforts of the base building infrastructure from an incident at a multi-tenant facility. Tenants should provide points of contact to the Property Manager to allow for coordination, support and additional resources as necessary.
9-7-5238 Important Network Operators and Service Providers who are tenants in multi-tenant facilities (e.g., telecom hotels) should coordinate security and restoration efforts with the Property Manager.
9-7-5242 Highly Important Network Operators, Service Providers and Equipment Suppliers should reassess the criticality of associated facilities following a catastrophic incident (i.e. loss of one facility may make others more critical).
9-7-5245 Important Network Operators, Service Providers and Equipment Suppliers should document the use of non-standard equipment during restoration to review and/or replace those devices as appropriate.
9-7-5256 Important Network Operators, Service Providers and Equipment Suppliers should monitor temporary connections of network test equipment that are established for restoration to prevent access by unauthorized personnel.
9-7-5261 Highly Important Network Operators, Service Providers and Property Managers should identify carrier interconnection points and coordinate restoral plans, as appropriate.
9-7-5262 Important Network Operators, Service Providers and Equipment Suppliers should evaluate the vulnerability of storage locations in an effort to protect critical spares.
9-7-5263 Important Network Operators, Service Providers and Equipment Suppliers should use cables with adequate reliability and cable signal integrity. Such properties as flammability, strain reliefs and signal loss should be considered. If non-standard cables are used because of an emergency restoration, they should be marked as temporary and should be replaced with standard cables as soon as practical.
9-7-5267 Highly Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should ensure that operating procedures are clearly defined, and followed by personnel during emergency situations in order to avoid degradation of cyber and physical security due to a diversion.
9-7-5269 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should incorporate various types of diversionary tactics into exercises to assess the security response.
9-7-5270 Highly Important Network Operators, Service Providers, Equipment Suppliers and Property Managers personnel should be aware that terrorists or malicious groups may use false information to cause heightened public or employee awareness to divert attention and resources to other areas away from their intended physical or cyber target. Where feasible, information (e.g., news sources, e-mail) should be authenticated and cross-verified to ensure accuracy of information.
9-7-5271 Important Network Operators and Service Providers should consider physical and cyber security issues in Mutual Aid Agreements (e.g., authorization, access control, badging).
9-7-5272 Highly Important Network Operators, Service Providers and Equipment Suppliers should include security considerations in disaster recovery plans for critical infrastructure sites.
9-7-5275 Critical Network Operators, Service Providers and Equipment Suppliers should consider backup power capabilities for Command and Control (Crisis Teams) so that communications and access to critical systems can be maintained in the event of a significant disruption to commercial power.
9-7-5277 Highly Important Network Operators, Service Providers and Equipment Suppliers who develop hardware, software or firmware should ensure that appropriate security programs are in place for protecting the product from theft or industrial espionage, taking into consideration that some developmental environments around the world present a higher risk level than others.
9-7-5279 Highly Important Network Operators, Service Providers and Equipment Suppliers should consider site specific (e.g., location, region, country) threat information during security program development.
9-7-5280 Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should instruct security personnel to confirm the authenticity of directions to supersede existing security processes or procedures.
9-7-5282 Important Service Providers should coordinate with Property Managers to ensure adequate growth space.
9-7-5283 Important Equipment Suppliers should provide network element thermal specifications or other special requirements in order to properly size Heating, Ventilation, and Air Conditioning (HVAC) systems.
9-7-8027 Important Source, Object, and Binary Code Integrity: Network Operators and Service Providers should use software change management systems that control, monitor, and record access to master source of software. Ensure network equipment and network management code consistency through checks such as digital signatures, secure hash algorithms, and periodic audits.
9-7-8029 Critical Network Access to Critical Information: Network Operators, Service Providers and Equipment Suppliers should carefully control and monitor the networked availability of sensitive security information for critical infrastructure by:
· Periodically reviewing the contents of public and internal websites, file storage sites, and HTTP and FTP sites for strategic network information including but not limited to critical site locations and access codes.
· Documenting the sanitizing processes and procedures required before uploading onto a public internet or FTP site.
· Ensuring that all information pertaining to critical infrastructure is restricted to need-to-know and that all transmission of that information is encrypted.
· Screening, limiting and tracking remote access to internal information resources about critical infrastructure.
9-7-8062 Highly Important IR (Incident Response) Team: Network Operators and Service Providers should identify and train a Computer Security Incident Response (CSIRT) Team. This team should have access to the CSO (or functional equivalent) and should be empowered by senior management. The team should include security, networking, and system administration specialists but have the ability to augment itself with expertise from any division of the organization. Organizations that establish part-time CSIRTs should ensure representatives are detailed to the team for a suitable period of time bearing in mind both the costs and benefits of rotating staff through a specialized team.
9-7-8067 Highly Important Evidence Collection Guidelines: Network Operators and Service Providers should develop a set of processes detailing evidence collection and preservation guidelines. Procedures should be approved by management/legal counsel. Those responsible for conducting investigations should test the procedures and be trained according to their content. Organizations unable to develop a forensic computing capability should establish a relationship with a trusted third party that possesses a computer forensics capability. Network Administrators and System Administrators should be trained on basic evidence recognition and preservation and should understand the protocol for requesting forensic services.
9-7-8076 Highly Important Denial of Service (DoS) Attack - Vendor: Equipment Suppliers should develop effective DoS/DDoS survivability features for their product lines.
9-7-8077 Highly Important Compensating Control for Weak Authentication Methods: For Network Operator and Service Provider legacy systems without adequate access control capabilities, access control lists (ACLs) should be used to restrict which machines can access the device and/or application. In order to provide granular authentication, a bastion host that logs user activities should be used to centralize access to such devices and applications, where feasible.
9-7-8084 Highly Important Create Trusted PKI Infrastructure When Using Generally Available PKI Solutions: When using digital certificates, Network Operators, Service Providers and Equipment Suppliers should create a valid, trusted PKI infrastructure, using a root certificate from a recognized Certificate Authority or Registration Authority. Assure your devices and applications only accept certificates that were created from a valid PKI infrastructure. Configure your Certificate Authority or Registration Authority to protect it from denial of service attacks.
9-7-8089 Critical Conduct Risk Assessments to Determine Appropriate Security Controls: Network Operators, Service Providers and Equipment Suppliers should perform a risk assessment of all systems and classify them by the value they have to the company, and the impact to the company if they are compromised or lost. Based on the risk assessment, develop a security policy which recommends and assigns the appropriate controls to protect the system.
9-7-8091 Highly Important Protect Cached Security Material: Network Operators, Service Providers and Equipment Suppliers should evaluate cache expiration and timeouts of security material (such as cryptographic keys and passwords) to minimize exposure in case of compromise. Cached security material should be immediately deleted from the cache when the cached security material expires.
9-7-8104 Important Proper Wireless LAN/MAN Configurations: Network Operators and Service Providers should secure Wireless WAN/LAN networks sufficiently to ensure that a) monitoring of RF signals cannot lead to the obtaining of proprietary network operations information or customer traffic and that b) Network access is credibly authenticated.
9-7-8109 Critical Automated Patch Distribution Systems: Network Operators, Service Providers and Equipment Suppliers should ensure that patching distribution hosts properly sign all patches. Critical systems must only use Operating Systems and applications which employ automated patching mechanisms, rejecting unsigned patches.
9-7-8110 Important News Disinformation: Information from news sources may be spoofed, faked, or manipulated by potential attackers. Network Operators, Service Providers and Equipment Suppliers should ensure news sources are authenticated and cross-verified to ensure accuracy of information, especially when not from a trusted source.
9-7-8123 Important Handle Policy Violations Consistently: Network Operators, Service Providers and Equipment Suppliers should handle violations of policy in a manner that is consistent, and, depending on the nature of the violation, sufficient to either deter or prevent a recurrence. There should be mechanisms for ensuring this consistency.
9-7-8137 Important Notification Diversity Equipment Suppliers (hardware and software) should support diverse notification methods, such as using both e-mail, websites, and tech support in order to properly notify users of newly discovered relevant vulnerabilities, viruses, or other threats.
9-7-8521 Important Recover from Misuse of Equipment for Remote Access of Corporate Resources: In the event of misuse or unauthorized use in a remote access situation contrary to the AUP (Acceptable Use Policy), Network Operators and Service Providers should terminate the VPN (Virtual Private Network) connection and issue a warning in accordance with the employee code of conduct. If repeated, revoke employee VPN remote access privileges.
9-7-8526 Highly Important Recover from Interior Routing Table Corruption: If the interior routing has been corrupted, Network Operators and Service Providers should implement policies that filter routes imported into the routing table. The same filtering methods used in NRIC 8045 can be applied more aggressively. The malicious routes will expire from the table, be replaced by legitimate updates, or in emergencies, can be manually deleted from the tables. If needed, the authentication mechanism/crypto keys between IGP neighbors should also be changed.
9-7-8548 Important Incident Response (IR) Procedures: When a service outage or security incident occurs, Network Operators and Service Providers should follow processes similar to Appendix X.
9-7-8565 Highly Important Recovery from Authentication System Failure: In the event an authentication system fails, Network Operators, Service Providers and Equipment Suppliers should make sure the system being supported by the authentication system is in a state best suited for this failure condition. If the authentication system is supporting physical access, the most appropriate state may be for all doors that lead to outside access to be unlocked. If the authentication system supporting electronic access to core routers fails, the most appropriate state may be for all access to core routers to be prohibited.
9-7-8567 Important News Disinformation after Recovery: Network Operators, Service Providers and Equipment Suppliers should ensure that actions taken due to a spoofed, faked or distorted news item should be cross-correlated against other sources. Any actions taken should be 'backed out' and corrective measures taken to restore the previous state. News source authentication methods should be implemented to ensure future accuracy.
9-8-0472 Important Network Operators and Equipment Suppliers should consider connector choices and color coding to prevent inappropriate combinations of cables.
9-8-0507 Highly Important Attack Trace Back: Service Providers, Network Operators and Equipment Suppliers should have the processes and/or capabilities to analyze and determine the source of malicious traffic, and then to trace-back and drop the packets at, or closer to, the source. The references provide several different possible techniques. (Malicious traffic is that traffic such as Distributed Denial of Service (DDoS) attacks, smurf and fraggle attacks, designed and transmitted for the purpose of consuming resources of a destination of network to block service or consume resources to overflow state that might cause system crashes).
9-8-0551 Important SS7 Network Design: Network Operators should design their SS7 network components and interfaces consistent with the base security guidelines of the NIIF Reference document Part 3, Appendix I. This document provides guidance for desirable security features for any network element (call agent, feature server, soft switch, cross connect, gateway, database) to reduce the risk of potentially service affecting security compromises of the signaling networks supporting the public telephone network. It identifies security functionality, which should be in place by design, device or procedure. It includes an assessment framework series of checklists.
9-8-0590 Important Network Operators, Service Providers, and Equipment Suppliers should develop Methods of Procedure (MOP) for core infrastructure hardware and software growth and change activities and periodically review and update as appropriate.
9-8-0731 Highly Important Network Operators and Service Providers should provide physical diversity on critical inter-office and wireless backhaul routes when justified by a risk or value analysis.
9-8-0755 Important Network Operators, Service Providers and Property Managers should document and communicate their installation and maintenance guidelines (e.g., MOP) and the expectation of compliance by all involved parties.
9-8-0782 Highly Important Network Operators and Service Providers should detect DS3 simplex events and restore the duplex protective path expeditiously by executing appropriate incident response and escalation processes.
9-8-0784 Important Cable Management: Network Operators and Service Providers should utilize appropriate fiber/cable management equipment or racking systems to provide cable strain relief and ensure that bend radius is maintained to avoid micro-bends (e.g., pinched fibers).
9-8-0785 Critical Network Operation Center (NOC) Communications Remote Access: Network Operators and Service Providers should consider secured remote access to critical network management systems for network management personnel working from distributed locations (e.g., back-up facility, home) in the event of a situation where the NOC cannot be staffed (e.g., pandemic).
9-8-0787 Important Back-Up Power Fuel Supply: Network Operators, Service Providers, and Property Managers should consider the use of fixed alternate fuel generators (e.g., natural gas) connected to public utility supplies to reduce the strain on refueling.
9-8-0789 Important Travel Guidelines: Network Operators, Service Providers, and Equipment Suppliers should consider modifying travel guidelines/policies for use during a pandemic or other crisis situations.
9-8-0790 Important Personal Protective Equipment: Network Operators, Service Providers, and Equipment Suppliers should consider providing personal protective equipment barriers to infection (e.g., masks, disposable gloves, and sanitizers) in locations where multiple employees are located.
9-8-0791 Important Personal Protective Equipment Training: Network Operators, Service Providers, and Equipment Suppliers should consider providing personnel training in the use of personal protective equipment specific to a pandemic or other crisis situations and the employee's particular job.
9-8-0792 Important Attendance Guidelines: Network Operators, Service Providers, and Equipment Suppliers should consider modifying attendance guidelines during a pandemic, or other crisis situations.
9-8-0793 Important Telecommuting: Network Operators, Service Providers, and Equipment Suppliers should, as part of business continuity planning, identify employees that can perform their tasks from alternate locations and consider provisions for enabling them to do so.
9-8-0794 Important Telecommuting Infrastructure: Network Operators, Service Providers, and Equipment Suppliers should plan for elevated utilization of remote access capabilities by employees during a pandemic, or other crisis situations.
9-8-0795 Important Virtual Collaboration: Network Operators, Service Providers, and Equipment Suppliers should plan for elevated utilization of virtual collaboration and remote meetings during pandemics or other crisis situations.
9-8-0796 Important Deferral of Operations Activities: Network Operators, Service Providers, and Equipment Suppliers should consider developing guidelines for the deferral of specific maintenance or provisioning activities during certain situations (e.g., pandemic, holiday, National Special Security Event).
9-8-0798 Important Transportation and Delivery Delay Contingencies: Network Operators, Service Providers, and Equipment Suppliers should consider alternate transportation and delivery methods for equipment, spares, and personal protective equipment to prepare for situations where transportation and delivery may be delayed (e.g., pandemic, other crisis situations).
9-8-0799 Important Cell Site & Remote Location Power Backup: Service Providers, Network Operators and Property Managers should periodically evaluate the need for and feasibility of providing back up power at cell sites and remote locations taking into consideration the criticality of the site or location, as well as local zoning laws, statutes, and contractual obligations.
9-8-0806 Critical Service Policies: Service Providers should establish policies and develop internal controls to ensure that the infrastructure supporting high speed broadband is protected from external threats, insider threats and threats from customers. These policies should cover protocol and port filtering as well as general security best practices.
9-8-0807 Critical Service Policies: Service Providers should establish policies and develop internal controls to ensure that individual users have availability, integrity, and confidentiality and are protected from external threats, insider threats and threats from other customers. These policies should cover protocol and port filtering as well as general security best practices.
9-8-0808 Important Release Filtering Information/Policies to Customers: Service Providers and Network Operators should make information available to customers about traffic filtering (both static and dynamic), where required by law.
9-8-0811 Important Specified Rate Services: Service Providers should make available meaningful information about expected performance with respect to upstream and downstream throughput and any limitations of the service. Specified rate services (such as those covered by QoS or similar systems) should be handled by an SLA between the parties.
9-8-0813 Critical Service Awareness: Service Providers should encourage users to take steps to maintain the availability, integrity and confidentiality of their systems and to protect their systems from unauthorized access. Service Providers should enable customers to get the tools and expertise to secure their systems.
9-8-5067 Important Cybersecurity Awareness: Network Operators, Service Providers and Equipment Suppliers should make security an ongoing priority and implement an annual compliance requirement for the completion of a security awareness program.
9-8-8000 Important Disable Unnecessary Services: Service Providers and Network Operators should establish a process, during design/implementation of any network/service element or management system, to identify potentially vulnerable, network-accessible services (such as Network Time Protocol (NTP), Remote Procedure Calls (RPC), Finger, Rsh-type commands, etc.) and either disable them, if unneeded, or provide additional compensating controls, such as proxy servers, firewalls, or router filter lists, if such services are required for a business purpose.
9-8-8001 Important Strong Encryption Algorithms and Keys: Service Providers, Network Operators, and Equipment Suppliers should use industry-accepted algorithms and key lengths for all uses of encryption, such as 3DES or AES.
9-8-8003 Important Control Plane Reliability: Service Providers and Network Operators should minimize single points of failure in the control plane architecture (e.g., Directory Resolution and Authentications services). Critical applications should not be combined on a single host platform. All security and reliability aspects afforded to the User plane (bearer) network should also be applied to the Control plane network architecture.
9-8-8004 Important Harden Default Configurations: Equipment Suppliers should work closely and regularly with customers to provide recommendations concerning existing default settings and to identify future default settings which may introduce vulnerabilities. Equipment Suppliers should proactively collaborate with network operators to identify and provide recommendations on configurable default parameters and provide guidelines on system deployment and integration such that initial configurations are as secure as allowed by the technology.
9-8-8006 Highly Important Protection of Externally Accessible Network Applications: Service Providers and Network Operators should protect servers supporting externally accessible network applications by preventing the applications from running with high-level privileges and securing interfaces between externally accessible servers and back-office systems through restricted services and mutual authentication.
9-8-8007 Important Define Security Architecture(s): Service Providers and Network Operators should develop formal written Security Architecture(s) and make the architecture(s) readily accessible to systems administrators and security staff for use during threat response. The Security Architecture(s) should anticipate and be conducive to business continuity plans.
9-8-8010 Important OAM&P Product Security Features: Equipment Suppliers should implement current industry baseline requirements for Operations, Administration, Management, and Provisioning (OAM&P) security in products -- software, network elements, and management systems.
9-8-8011 Important Request OAM&P Security Features: Service Providers and Network Operators should request products from vendors that meet current industry baseline requirements for Operations, Administration, Management, and Provisioning (OAM&P) security.
9-8-8012 Important Secure Communications for OAM&P Traffic: To prevent unauthorized users from accessing Operations, Administration, Management, and Provisioning (OAM&P) systems, Service Providers and Network Operators should use strong authentication for all users. To protect against tampering, spoofing, eavesdropping, and session hijacking, Service Providers and Network Operators should use a trusted path for all important OAM&P communications between network elements, management systems, and OAM&P staff. Examples of trusted paths that might adequately protect the OAM&P communications include separate private-line networks, VPNs or encrypted tunnels. Any sensitive OAM&P traffic that is mixed with customer traffic should be encrypted. OAM&P communication via TFTP and Telnet is acceptable if the communication path is secured by the carrier. OAM&P traffic to customer premises equipment should also be via a trusted path.
9-8-8013 Important Controls for Operations, Administration, Management, and Provisioning (OAM&P) Management Actions: Service Providers and Network Operators should authenticate, authorize, attribute, and log all management actions on critical infrastructure elements and management systems. This especially applies to management actions involving security resources such as passwords, encryption keys, access control lists, time-out values, etc.
9-8-8014 Highly Important OAM&P Privilege Levels: For OAM&P systems, Service Providers and Network Operators should use element and system features that provide "least-privilege" for each OAM&P user to accomplish required tasks using role-based access controls where possible.
9-8-8015 Critical Segmenting Management Domains: For OAM&P activities and operations centers, Service Providers and Network Operators should segment administrative domains with devices such as firewalls that have restrictive rules for traffic in both directions and that require authentication for traversal. In particular, segment OAM&P networks from the Network Operator's or Service Provider's intranet and the Internet. Treat each domain as hostile to all other domains. Follow industry recommended firewall policies for protecting critical internal assets.
9-8-8016 Important OAM&P Security Architecture: Service Providers and Network Operators should design and deploy an Operations, Administration, Management, and Provisioning (OAM&P) security architecture based on industry recommendations.
9-8-8017 Important OAM&P Protocols: Service Providers, Network Operators, and Equipment Suppliers should use Operations, Administration, Management, and Provisioning (OAM&P) protocols and their security features according to industry recommendations. Examples of protocols include SNMP, SOAP, XML, and CORBA.
9-8-8020 Critical Expedited Security Patching: Service Providers, Network Operators, and Equipment Suppliers should have special processes and tools in place to quickly patch critical infrastructure systems when important security patches are made available. Such processes should include determination of when expedited patching is appropriate and identifying the organizational authority to proceed with expedited patching. This should include expedited lab testing of the patches and their effect on network and component devices.
9-8-8022 Critical Remote Operations, Administration, Management and Provisioning (OAM&P) Access: Service Providers and Network Operators should have a process by which there is a risk assessment and formal approval for all external connections. All such connections should be individually identified and restricted by controls such as strong authentication, firewalls, limited methods of connection, and fine-grained access controls (e.g., granting access to only specified parts of an application). The remote party's access should be governed by contractual controls that ensure the provider's right to monitor access, define appropriate use of the access, and call for adherence to best practices by the remote party.
9-8-8024 Important Limited Console Access: Service Providers, Network Operators, and Equipment Suppliers should not permit users to log on locally to the Operation Support Systems or network elements. System administrator console logon should require as strong authentication as practical.
9-8-8025 Critical Protection from SCADA Networks: Telecom/Datacomm OAM&P networks for Service Providers and Network Operators should be isolated from other OAM&P networks, e.g., SCADA networks, such as for power, water, industrial plants, pipelines, etc.
· Isolate the SCADA network from the OAM&P network (segmentation)
· Put a highly restrictive device, such as a firewall, as a front-end interface on the SCADA network for management access.
· Use an encrypted or a trusted path for the OAM&P network to communicate with the SCADA "front-end."
9-8-8031 Critical LAES Interfaces and Processes: Service Providers, Network Operators, and Equipment Providers should develop and communicate Lawfully Authorized Electronic Surveillance (LAES) policy. They should:
· Limit the distribution of information about LAES interfaces
· Periodically conduct risk assessments of LAES procedures
· Audit LAES events for policy compliance
· Limit access to those who are authorized for LAES administrative functions or for captured or intercepted LAES content
· Promote awareness of all LAES policies among authorized individuals
9-8-8033 Important Software Development: Service Providers, Network Operators, and Equipment Suppliers should adopt internationally accepted standard methodologies, such as ISO 15408 (Common Criteria) or ISO 17799, to develop documented Information Security Programs that include application security development lifecycles that include reviews of specification and requirements designs, code reviews, threat modeling, risk assessments, and training of developers and engineers.
9-8-8036 Critical Exceptions to Patching: Service Provider and Network Operator systems that are not compliant with the patching policy should be noted and these particular elements should be monitored on a regular basis. These exceptions should factor heavily into the organization's monitoring strategy. Vulnerability mitigation plans should be developed and implemented in lieu of the patches. If no acceptable mitigation exists, the risks should be communicated to management.
9-8-8040 Important Mitigate Control Plane Protocol Vulnerabilities: Service Providers and Network Operators should implement architectural designs to mitigate the fundamental vulnerabilities of many control plane protocols (eBGP, DHCP, SS7, DNS, SIP, etc.): 1) Know and validate who you are accepting information from, either by link layer controls or higher layer authentication, if the protocol lacks authentication, 2) Filter to only accept/propagate information that is reasonable/expected from that network element/peer.
9-8-8041 Important Prevent Network Element Resource Saturation: Equipment Suppliers for layer 3 switches/routers, with interfaces that mix user and control plane data, should provide filters and access lists on the header fields to protect the control plane from resource saturation by filtering out untrusted packets destined for the control plane. Measures may include: 1) Allowing the desired traffic type from the trusted sources to reach the control-data processor and discard the rest, 2) separately rate-limiting each type of traffic that is allowed to reach the control-data processor, to protect the processor from resource saturation.
9-8-8042 Critical BGP (Border Gateway Protocol) Validation: Service Providers and Network Operators should validate routing information to protect against global routing table disruptions. Avoid BGP peer spoofing or session hijacking by applying techniques such as: 1) eBGP hop-count (TTL) limit to end of physical peering link, 2) MD5 session signature to mitigate route update spoofing threats (keys should be changed periodically where feasible).
9-8-8043 Critical Prevent BGP (Border Gateway Protocol) Poisoning: Service Providers and Network Operators should use existing BGP filters to avoid propagating incorrect data. Options include: 1) Avoid route flapping DoS by implementing RIPE-229 to minimize the dampening risk to critical resources, 2) Stop malicious routing table growth due to de-aggregation by implementing Max-Prefix Limit on peering connections, 3) Employ ISP filters to permit customers to only advertise IP address blocks assigned to them, 4) Avoid disruption to networks that use documented special use addresses by ingress and egress filtering for "Martian" routes, 5) Avoid DoS caused by unauthorized route injection (particularly from compromised customers) by egress filtering (to peers) and ingress filtering (from customers) prefixes set to other ISPs, 6) Stop DoS from un-allocated route injection (via BGP table expansion or latent backscatter) by filtering "bogons" (packets with unauthorized routes), not running default route or creating sink holes to advertise "bogons", and 7) Employ "Murphy filter" (guarded trust and mutual suspicion) to reinforce filtering your peer should have done.
9-8-8044 Important BGP (Border Gateway Protocol) Interoperability Testing: Service Providers and Network Operators should conduct configuration interoperability testing during peering link set-up; Encourage Equipment Suppliers participation in interoperability testing forums and funded test-beds to discover BGP implementation bugs.
9-8-8045 Critical Protect Interior Routing Tables: Service Providers and Network Operators should protect their interior routing tables with techniques such as 1) Not allowing outsider access to internal routing protocol and filter routes imported into the interior tables 2) Implementing MD5 between IGP neighbors.
9-8-8046 Critical Protect DNS (Domain Name System) Servers Against Compromise: Service Providers and Network Operators should protect against DNS server compromise by implementing protection such as physical security, removing all unnecessary platform services, monitoring industry alert channels for vulnerability exposures, scanning DNS platforms for known vulnerabilities and security breaches, implementing intrusion detection on DNS home segments, not running the name server as root user/minimizing privileges where possible, and blocking the file system from being compromised by protecting the named directory.
9-8-8047 Highly Important Protect Against DNS (Domain Name System) Denial of Service: Service Providers and Network Operators should provide DNS DoS protection by implementing protection techniques such as: 1) increase DNS resiliency through redundancy and robust network connections, 2) Have separate name servers for internal and external traffic as well as critical infrastructure, such as OAM&P and signaling/control networks, 3) Where feasible, separate proxy servers from authoritative name servers, 4) Protect DNS information by protecting master name servers with appropriately configured firewall/filtering rules, implement secondary masters for all name resolution, and using BIND ACLs to filter zone transfer requests.
9-8-8048 Highly Important Protect DNS (Domain Name System) from Poisoning: Service Providers, Network Operators, and Equipment Suppliers should mitigate the possibility of DNS cache poisoning by using techniques such as 1) Preventing recursive queries, 2) Configure short (2 day) Time-To-Live for cached data, 3) Periodically refresh or verify DNS name server configuration data and parent pointer records. Service Providers, Network Operators, and Equipment Suppliers should participate in forums to define an operational implementation of DNSSEC.
9-8-8049 Highly Important Protect DHCP (Dynamic Host Configuration Protocol) Server from Poisoning: Service Providers and Network Operators should employ techniques to make it difficult to send unauthorized DHCP information to customers and the DHCP servers themselves. Methods can include OS Hardening, router filters, VLAN configuration, or encrypted, authenticated tunnels. The DHCP servers themselves must be hardened, as well. Mission critical applications should be assigned static addresses to protect against DHCP-based denial of service attacks.
9-8-8050 Critical MPLS (Multi-Protocol Label Switching) Configuration Security: Service Providers and Network Operators should protect the MPLS router configuration by 1) Securing machines that control login, monitoring, authentication and logging to/from routing and monitoring devices, 2) Monitoring the integrity of customer specific router configuration provisioning, 3) Implementing (e)BGP filtering to protect against labeled-path poisoning from customers/peers.
9-8-8051 Important Network Access Control for SS7: Network Operators should ensure that SS7 signaling interface points that connect to the IP Private and Corporate networks interfaces are well hardened, protected with packet filtering firewalls; and enforce strong authentication. Similar safeguards should be implemented for e-commerce applications to the SS7 network. Network Operators should implement rigorous screening on both internal and interconnecting signaling links and should investigate new, and more thorough screening capabilities. Operators of products built on general purpose computing products should proactively monitor all security issues associated with those products and promptly apply security fixes, as necessary. Operators should be particularly vigilant with respect to signaling traffic delivered or carried over Internet Protocol networks. Network Operators that do employ the Public Internet for signaling, transport, or maintenance communications and any maintenance access to Network Elements should employ authentication, authorization, accountability, integrity, and confidentiality mechanisms (e.g., digital signature and encrypted VPN tunneling).
9-8-8052 Highly Important SS7 Authentication: Network Operators should mitigate limited SS7 authentication by enabling logging for SS7 element security related alarms on SCPs and STPs, such as: unauthorized dial up access, unauthorized logins, logging of changes and administrative access logging. Network operators should implement rigorous screening on both internal and interconnecting signaling links and should investigate new and more thorough screening capabilities. Operators of products built on general purpose computing products should proactively monitor all security issues associated with those products and promptly apply security fixes, as necessary. Operators should establish login and access controls that establish accountability for changes to node translations and configuration. Operators should be particularly vigilant with respect to signaling traffic delivered or carried over Internet Protocol networks. Network operators that do employ the Public Internet for signaling, transport or maintenance communications and any maintenance access to Network Elements shall employ authentication, authorization, accountability, integrity and confidentiality mechanisms (e.g. digital signature and encrypted VPN tunneling). Operators making use of dial-up connections for maintenance access to Network Elements should employ dial-back modems with screening lists. One-time tokens and encrypted payload VPNs should be the minimum.
9-8-8053 Important SS7 DoS Protection: Network Operators should establish thresholds for various SS7 message types to ensure that DoS conditions are not created. Also, alarming should be configured to monitor these types of messages to alert when DoS conditions are noted. Rigorous screening procedures can increase the difficulty of launching DDoS attacks. Care must be taken to distinguish DDoS attacks from high volumes of legitimate signaling messages. Maintain backups of signaling element data.
9-8-8054 Highly Important Anonymous Use of SS7 Services or Services Controlled by SS7: Network Operators should have defined policies and process for addition and configuration of SS7 elements to the various tables. Process should include the following: personal verification of the request (e.g., one should not simply go forward on a faxed or emailed request without verifying that it was submitted legitimately), approval process for additions and changes to SS7 configuration tables (screening tables, call tables, trusted hosts, calling card tables, etc.) to ensure unauthorized elements are not introduced into the network. Companies should also avoid global, non-specific rules that would allow unauthorized elements to connect to the network. Screening rules should be provisioned with the greatest practical depth and finest practical granularity in order to minimize the possibility of receiving inappropriate messages. Network operators should log translation changes made to network elements and record the user login associated with each change. These practices do not mitigate against the second threat mentioned below, the insertion of inappropriate data within otherwise legitimate signaling messages. To do so requires the development of new capabilities, not available in today's network elements.
9-8-8055 Important Voice over IP (VoIP) Device Masquerades: VoIP CPE devices supplied by Network Operators and Equipment Suppliers need to support authentication and integrity services as standards-based solutions become available. Network Operators need to turn on and use these services in their architectures.
9-8-8056 Important Operational Voice over IP (VoIP) Server Hardening: Network Operators should ensure that network servers have authentication, integrity, and authorization controls in place in order to prevent inappropriate use of the servers. Enable logging to detect inappropriate use.
9-8-8057 Important Voice over IP (VoIP) Server Product Hardening: Equipment Suppliers should provide authentication, integrity, and authorization mechanisms to prevent inappropriate use of the network servers. These capabilities must apply to all levels of user, general, control, and management.
9-8-8058 Important Protect Cellular Service from Anonymous Use: Service Providers and Network Operators should prevent theft of service and anonymous use by enabling strong user authentication as per cellular/wireless standards. Employ fraud detection systems to detect subscriber calling anomalies (e.g., two subscribers using the same ID or system access from a single user from widely dispersed geographic areas). In a cloning situation, remove the ESN to disable the user, thus forcing support contact with the service provider. Migrate customers away from analog service if possible due to cloning risk.
9-8-8060 Important Protect Against Cellular Network Denial of Service: Service Providers & Network Operators should ensure strong separation of data traffic from management/signaling/control traffic, via firewalls. Network operators should ensure strong cellular network backbone security by employing operator authentication, encrypted network management traffic and logging of security events. Network operators should also ensure operating system hardening and up-to-date security patches are applied for all network elements, element management system and management systems.
9-8-8063 Highly Important Intrusion Detection/Prevention Tools (IDS/IPS): Service Providers and Network Operators should install and actively monitor IDS/IPS tools. Sensor placement should focus on resources critical to the delivery of service.
9-8-8066 Important Sharing Information with Industry & Government: Service Providers, Network Operators, and Equipment Suppliers should participate in regional and national information sharing groups such as the National Coordinating Center for Telecommunications (NCC), Telecom-ISAC, and the ISP-ISAC (when chartered). Formal membership and participation will enhance the receipt of timely threat information and will provide a forum for response and coordination. Membership will also afford access to proprietary threat and vulnerability information (under NDA) that may precede public release of similar data.
9-8-8069 Important Monitoring Requests: Service Providers and Network Operators should identify a Point of Contact (POC) for handling requests for the installation of lawfully approved intercept devices. Once a request is reviewed and validated, the primary POC should serve to coordinate the installation of any monitoring device with the appropriate legal and technical staffs.
9-8-8070 Important Abuse Reporting: Service Providers and Network Operators should have Abuse Policies and processes posted for customers (and others), instructing them where and how to report instances of service abuse. Service Providers, Network Operators, and Equipment Suppliers should support the email IDs listed in RFC 2142 “MAILBOX NAMES FOR COMMON SERVICES, ROLES AND FUNCTIONS.”
9-8-8072 Critical Intrusion Detection/Prevention Tools (IDS/IPS) Maintenance: Service Providers and Network Operators should maintain and update IDS/IPS tools regularly to detect current threats, exploits, and vulnerabilities.
9-8-8075 Important Identity Administration: Network Operators and Service Providers should have procedures for verifying identity of users to IT department and IT personnel to users (secret PINs, callback procedures, etc.).
9-8-8085 Important Expiration of Digital Certificates: For Service Providers, Network Operators, and Equipment Suppliers, certificates should have a limited period of validity, dependent upon the risk to the system and the value of the asset.
If there are existing certificates with unlimited validity periods, and it is impractical to replace certificates, consider the addition of passwords that are required to be changed on a periodic basis.
9-8-8087 Important Use Time-Specific Access Restrictions: Service Providers and Network Operators should restrict access to specific time periods for high risk users (e.g., vendors, contractors, etc.) for critical assets (e.g., systems that cannot be accessed outside of specified maintenance windows due to the impact on the business). Assure that all system clocks are synchronized.
9-8-8088 Important Develop Regular Access Audit Procedures: Service Providers, Network Operators, and Equipment Suppliers should charter an independent group (outside of the administrators of the devices) to perform regular audits of access and privileges to systems, networks, and applications. The frequency of these audits should depend on the criticality or sensitivity of the associated assets.
9-8-8090 Highly Important Restrict Use of Dynamic Port Allocation Protocols: Service Providers, Network Operators, and Equipment Suppliers should restrict dynamic port allocation protocols such as Remote Procedure Calls (RPC) and some classes of Voice-over-IP protocols (among others) from usage, especially on mission critical assets, to prevent host vulnerabilities to code execution. Dynamic port allocation protocols should not be exposed to the internet. If used, such protocols should be protected via a dynamic port knowledgeable filtering firewall or other similar network protection methodology.
9-8-8092 Important Adopt and Enforce Acceptable Use Policy: Service Providers and Network Operators should adopt a customer-directed policy whereby misuse of the network would lead to measured enforcement actions up to and including termination of services.
9-8-8094 Important Strong Encryption for Customer Clients: Service Providers should implement customer client software that uses the strongest permissible encryption appropriate to the asset being protected.
9-8-8095 Important Establish System Resource Quotas: Service Providers and Network Operators should establish, where technology allows, limiters to prevent undue consumption of system resources (e.g., system memory, disk space, CPU consumption, network bandwidth) in order to prevent degradation or disruption of performance of services.
9-8-8096 Highly Important Users Should Employ Protective Measures: Service Providers and Network Operators should educate service customers on the importance of, and the methods for, installing and using a suite of protective measures (e.g., strong passwords, anti-virus software, firewalls, IDS, encryption) and update as available.
9-8-8097 Important Create Policy on Information Dissemination: Service Providers, Network Operators, and Equipment Suppliers should create an enforceable policy clearly defining who can disseminate information, and what controls should be in place for the dissemination of such information. The policy should differentiate according to the sensitivity or criticality of the information.
9-8-8098 Critical Create Policy on Removal of Access Privileges: Service Providers, Network Operators, and Equipment Suppliers should have policies on changes to and removal of access privileges upon staff members status changes such as terminations, exits, transfers, and those related to discipline or marginal performance.
9-8-8099 Important Create Policy on Personnel Hiring Merits: Service Providers, Network Operators, and Equipment Suppliers should perform background checks that are consistent with the sensitivity of the position's responsibilities and that align with HR policy. These checks could include those that verify employment history, education, experience, certification, and criminal history.
9-8-8100 Important Training for Security Staff: Service Providers, Network Operators, and Equipment Suppliers should establish security training programs and requirements for ensuring security staff knowledge and compliance. This training could include professional certifications in cyber security.
9-8-8105 Critical Protection of Cellular User Voice Traffic: Service Providers and Network Operators should incorporate cellular voice encryption services and ensure that such encryption services are enabled for end users. (Voice encryption services depend on the wireless technology used, and are standards based).
9-8-8106 Critical Protect Wireless Networks from Cyber Security Vulnerabilities: Service Providers, Network Operators, and Equipment Suppliers should employ operating system hardening and up-to-date security patches for all accessible wireless servers and wireless clients. Employ strong end user authentication for wireless IP connections. Employ logging of all wireless IP connections to ensure traceability back to end user. Employ up-to-date encryption capabilities available with the devices. In particular, vulnerable network and personal data in cellular clients must be protected if the handset is stolen.
9-8-8108 Critical Authentication System Failure: In the event of an authentication system failure, Service Providers and Network Operators should determine how the system requiring support of the authentication system responds (i.e., determine what specific effect(s) the failure caused). The system can either be set to open or closed in the event of a failure. This will depend on the needs of the organization. For instance, an authentication system supporting physical access may be required to fail OPEN in the event of a failure so people will not be trapped in the event of an emergency. However, an authentication system that supports electronic access to core routers may be required to fail CLOSED to prevent general access to the routers in the event of authentication system failure.
In addition, it is important to have a means of alternate authenticated access to a system in the event of a failure. In the case of core routers failing CLOSED, there should be a secondary means of authentication (e.g., use of a one-time password) reserved for use only in such an event; this password should be protected and only accessible to a small key-contingent of personnel.
9-8-8112 Highly Important Protect Management of Externally Accessible Systems: Service Providers and Network Operators should protect the systems configuration information and management interfaces for Web servers and other externally accessible applications, so that it is not inadvertently made available to 3rd parties. Techniques, at a minimum, should include least privilege for external access, strong authentication, application platform hardening, and system auditing.
9-8-8113 Important Limited Local Logon: Service Providers, Network Operators, and Equipment Suppliers should not permit local logon of users other than the system administrator. Local logon of a system administrator should be used only for troubleshooting or maintenance purposes. Some systems differentiate a local account database and network-accessible, centralized account database. Users should be authenticated via a network-accessible, centralized account database, not a local accounts database.
9-8-8114 Important SNMP Community String Vulnerability Mitigation: Service Providers, Network Operators, and Equipment Suppliers should use difficult to guess community string names, or current SNMP version equivalent.
9-8-8115 Critical Mitigate Control Plane Protocol Vulnerabilities in Suppliers' Equipment: Equipment Suppliers should provide controls to protect network elements and their control plane interfaces against compromise and corruption. Vendors should make such controls and filters easy to manage and minimal in their performance impact.
9-8-8116 Important Participate in Industry Forums to Improve Control Plane Protocols: Network Operators, Service Providers, and Equipment Suppliers should participate in industry forums to define secure, authenticated control plane protocols and operational, business processes to implement them.
9-8-8117 Important DNS Servers Disaster Recovery Plan: Service Providers and Network Operators should prepare a disaster recovery plan to implement upon DNS server compromise.
9-8-8118 Critical Protect Against DNS (Domain Name System) Distributed Denial of Service: Service Providers and Network Operators should provide DNS DDoS protection by implementing protection techniques such as: 1) Rate limiting DNS network connections 2) Provide robust DNS capacity in excess of maximum network connection traffic 3) Have traffic anomaly detection and response capability 4) Provide secondary DNS for back-up 5) Deploy Intrusion Prevention System in front of DNS.
9-8-8119 Critical Security-Related Data Correlation: Service Providers and Network Operators should correlate data from various sources, including non-security related sources, (i.e., syslogs, firewall logs, IDS alerts, remote access logs, asset management databases, human resources information, physical access logs, etc.) to identify security risks and issues across the enterprise.
9-8-8120 Critical Revocation of Digital Certificates: Service Providers, Network Operators, and Equipment Suppliers should use equipment and products that support a central revocation list and revoke certificates that are suspected of having been compromised.
9-8-8125 Critical Policy Acknowledgement: Service Providers, Network Operators, and Equipment Suppliers should ensure that employees formally acknowledge their obligation to comply with their corporate Information Security policies.
9-8-8126 Highly Important Use Risk-Appropriate Authentication Methods: Service Providers, Network Operators, and Equipment Suppliers should employ authentication methods commensurate with the business risk of unauthorized access to the given network, application, or system. For example, these methods would range from single-factor authentication (e.g., passwords) to two-factor authentication (e.g., token and PIN) depending on the estimated criticality or sensitivity of the protected assets. When two-factor authentication generates one-time passwords, the valid time-duration should be determined based on an assessment of risk to the protected asset(s).
9-8-8127 Important Verify Audit Results Through Spot-Checking: Service Providers, Network Operators, and Equipment Suppliers should validate any regular auditing activity through spot-checking to validate the competency, thoroughness, and credibility of those regular audits.
9-8-8128 Important Promptly Address Audit Findings: Service Providers, Network Operators, and Equipment Suppliers should promptly verify and address audit findings assigning an urgency and priority commensurate with their implied risk to the business. The findings as well as regular updates to those findings should be reported to management responsible for the affected area.
9-8-8129 Critical Staff Training on Technical Products and Their Controls: To remain current with the various security controls employed by different technologies, Service Providers, Network Operators, and Equipment Suppliers should ensure that technical staff participate in ongoing training and remain up-to-date on their certifications for those technologies.
9-8-8130 Highly Important Staff Trained on Incident Reporting: Service Providers, Network Operators, and Equipment Suppliers should provide procedures and training to staff on the reporting of security incidents, weaknesses, and suspicious events.
9-8-8133 Important Consistent Security Controls for DR Configurations: A Service Provider's or Network Operator's disaster recovery or business continuity solutions should adhere to the same Information Security best practices as the solutions used under normal operating conditions.
9-8-8135 Important Protection of Devices Beyond Scope of Control: Equipment Suppliers should implement techniques such as tamper-proof cryptochips/authentication credentials and authentication for (service provider) configuration controls, in customer premises equipment.
9-8-8138 Highly Important Renewal of Digital Certificates: Service Providers, Network Operators, and Equipment Suppliers should establish a procedure to track the expiration date for digital certificates used in services and critical applications, and start the process to renew such certificates in sufficient time to prevent disruption of service.
9-8-8500 Critical Recovery from Digital Certificate Key Compromise: In the event the key in a digital certificate becomes compromised, Service Providers, Network Operators, and Equipment Suppliers should immediately revoke the certificate, and issue a new one to the users and/or devices requiring it. Perform Forensics and Post-mortem, as prescribed in NRIC BP 8061, to review for additional compromise as soon as business processes allow.
9-8-8501 Critical Recovery from Root Key Compromise: In the event the root key in a digital certificate becomes compromised, Service Providers, Network Operators, and Equipment Providers should secure a new root key, and rebuild the PKI (Public Key Infrastructure) trust model. Perform Forensics and Post-mortem, as prescribed in NRIC BP 8061, to review for additional compromise as soon as business processes allow.
9-8-8503 Critical Recovery from Encryption Key Compromise or Algorithm Failure: When improper use of keys or encryption algorithms is discovered, or a breach has occurred, Service Providers and Network Operators should conduct a forensic analysis to assess the possibility of having potentially compromised data and identify what may have been compromised and for how long it has been in a compromised state; implement new key (and revoke old key if applicable), or encryption algorithm, and ensure they are standards-based and implemented in accordance with prescribed procedures of that standard, where possible. When using wireless systems, ensure vulnerabilities are mitigated with proper and current security measures.
9-8-8505 Highly Important Roll-out of Secure Service Configuration, or Vulnerability Recovery Configurations: When new default settings introduce vulnerabilities or the default configuration is found to be vulnerable, Service Providers and Network Operators should work with the Equipment Supplier to resolve the inadequacies of the solution, using a pre-deployment, staging area, where hardened configurations can be tested.
9-8-8507 Highly Important Enforce Least-Privilege-Required Access Levels During Recovery: When it is discovered that a system is running with a higher level of privilege than necessary, Service Providers and Network Operators should consider which systems/services the affected system could be disconnected from to minimize access and connectivity while allowing desired activities to continue; conduct a forensic analysis to assess the possibility of having potentially compromised data and identify what may have been compromised and for how long it has been in a compromised state; and reconnect system to back-office with appropriate security levels implemented.
9-8-8513 Critical Recovery from Not Having and Enforcing an Acceptable Use Policy: In the event that an Acceptable Use Policy is not in place, or an event occurs that is not documented within the AUP, Service Providers and Network Operators should consult with legal counsel. Consulting with legal counsel, develop and adapt a policy based on lessons learned in the security incident and redistribute the policy when there are changes.
9-8-8514 Critical Recovery from Network Misuse via Invalid Source Addresses: Upon discovering the misuse or unauthorized use of the network, Service Providers should shut down the port in accordance with AUP (Acceptable Use Policy) and clearance from legal counsel. Review ACL (Access Control List) and temporarily remove offending address pending legal review and reactivate the port after the threat has been mitigated.
9-8-8515 Critical Recovery from Misuse or Undue Consumption of System Resources: If a misuse or unauthorized use of a system is detected, Service Providers and Network Operators should perform forensic analysis on the system, conduct a post-mortem analysis and enforce system resource quotas.
9-8-8517 Critical Recovery from Unauthorized Information Dissemination: If information has been leaked or the release policy has not been followed, Service Providers, Network Operators, and Equipment Suppliers should review audit trails; Change passwords, review permissions, and perform forensics as needed; Inform others at potential risk for similar exposure; and include security responsibilities in performance improvement programs that may include security awareness refresher training.
9-8-8519 Important Recover from Failure of Hiring Procedures: When it is discovered that there has been a failure in the hiring process and the new employee does not in fact have the proper capabilities or qualifications for the job, Service Providers, Network Operators, and Equipment Suppliers should undertake one or more of the following: 1) Provide additional employee training. 2) Reassign, dismiss, or discipline the employee.
9-8-8525 Critical Recovery from BGP (Border Gateway Protocol) Poisoning: If the routing table is under attack from malicious BGP updates, Service Providers and Network Operators should apply the same filtering methods used in NRIC BP 8043 more aggressively to stop the attack. When under attack, the attack vector is usually known and the performance impacts of the filter are less of an issue than when preventing an attack. The malicious routes will expire from the table, be replaced by legitimate updates, or in emergencies, can be manually deleted from the tables. Contact peering partner to coordinate response to attack.
9-8-8527 Critical Recover from Compromised DNS (Domain Name System) Servers or Name Record Corruption: If the DNS (Domain Name System) server has been compromised or the name records corrupted, Service Providers and Network Operators should first flush the DNS cache and, failing that, implement the pre-defined disaster recovery plan. Elements may include but are not limited to: 1) bring on additional hot or cold spare capacity, 2) bring up a known good DNS server from scratch on different hardware, 3) Reload and reboot machine to a known good DNS server software (from bootable CD or spare hard drive), 4) Reload name resolution records from a trusted back-up. After the DNS is again working, conduct a post-mortem of the attack/response.
9-8-8528 Critical Recover from DNS (Domain Name Server) Denial of Service Attack: If the DNS server is under attack, Service Providers and Network Operators should consider one or more of the following steps 1) Implement reactive filtering to discard identified attack traffic, if possible, 2) Rate-limiting traffic to the DNS server complex, 3) Deploy suitable Intrusion Prevention System in front of DNS servers, 4) Deploy additional DNS server capacity in a round-robin architecture, 5) Utilize DoS/DDoS tracking methods to identify the source(s) of the attack, or 6) Move name resolution service to a 3rd party provider.
9-8-8530 Critical Recover from DHCP-based DoS Attack: If a DHCP (Dynamic Host Configuration Protocol) attack is underway, Service Provider and Network Operators should isolate the source to contain the attack. Plan to force all DHCP clients to renew leases in a controlled fashion at planned increments. Re-evaluate architecture to mitigate similar future incidents.
9-8-8531 Critical Recover from MPLS (Multi-Protocol Label Switching) Misconfiguration: If a customer MPLS-enabled trusted VPN (Virtual Private Network) has been compromised by mis-configuration of the router configuration, Service Provider and Network Operators should 1) restore customer specific routing configuration from a trusted copy, 2) notify customer of potential security breach, 3) Conduct an investigation and forensic analysis to understand the source, impact and possible preventative measures for the security breach.
9-8-8532 Critical Recover from SCP Compromise: No prescribed standard procedures exist for Service Providers and Network Operators to follow after the compromise of an SCP (Signaling Control Point). It will depend on the situation and the compromise mechanism. However, in a severe case, it may be necessary to disconnect it to force a traffic reroute, then revert to known good, back-up tape/disk and cold boot.
9-8-8533 Critical Recover from SS7 DoS Attack: If an SS7 Denial of Service (DoS) attack is detected, Service Provider and Network Operators should more aggressively apply the same thresholding and filtering mechanism used to prevent an attack (NRIC BP 8053). The alert/alarm will specify the target of the attack. Isolate, contain and, if possible, physically disconnect the attacker. If necessary, isolate the targeted network element and disconnect to force a traffic reroute.
9-8-8534 Important Recover from Anonymous SS7 Use: If logs or alarms determine an SS7 table has been modified without proper authorization, Service Provider and Network Operators should remove invalid records, or in the event of a modification, rollback to last valid version of record. Investigate the attack to identify required security changes.
9-8-8535 Critical Recover from Voice over IP (VoIP) Device Masquerades or Voice over IP (VoIP) Server Compromise: If a Voice over IP (VoIP) server has been compromised, Service Provider and Network Operators should disconnect the server; the machine can be rebooted and reinitialized. Redundant servers can take over the network load and additional servers can be brought on-line if necessary. In the case of VoIP device masquerading, if the attack is causing limited harm, logging can be turned on and used for tracking down the offending device. Law enforcement can then be involved as appropriate. If VoIP device masquerading is causing significant harm, the portion of the network where the attack is originating can be isolated. Logging can then be used for tracking the offending device.
9-8-8537 Critical Recover from Cellular Service Anonymous Use or Theft of Service: If anonymous use or theft of service is discovered, Service Providers and Network Operators should 1) disable service for attacker, 2) Involve law enforcement as appropriate, since anonymous use is often a platform for crime. If possible, triangulate client to identify and disable. If the wireless client was cloned, remove the ESN (Electronic Serial Number) to disable user thus forcing support contact with service provider.
9-8-8539 Critical Recover from Cellular Network Denial of Service Attack: If the attack is IP based, Service Provider and Network Operators should reconfigure the Gateway General Packet Radio Service Support Node (GGSN) to temporarily drop all connection requests from the source. Another approach is to enforce priority tagging. Triangulate the source(s) to identify and disable. (It is easier to recover from a cellular network denial of service attack if the network is engineered with redundancy and spare capacity).
9-8-8549 Critical Lack of Business Recovery Plan: When a Business Recovery Plan (BRP) does not exist, Service Providers and Network Operators should bring together an ad-hoc team to address the current incident. The team should have technical, operations, legal, and public relations representation. Team should be sponsored by senior management and have a direct communication path back to management sponsor. If situation exceeds internal capabilities consider contracting response/recovery options to 3rd party security provider.
9-8-8551 Critical Responding to New or Unrecognized Event: When responding to a new or unrecognized event, Service Providers and Network Operators should follow processes similar to Appendix Y of the NRIC VII, Focus Group 2B Report Appendices.
9-8-8555 Critical Recovery from Lack of an Incident Communications Plan: If an incident occurs and a communications plan is not in place, Service Providers, Network Operators, and Equipment Suppliers should, depending on availability of resources and severity of the incident, assemble a team as appropriate:
· In person
· Conference Bridge
· Other (Email, telephonic notification lists)
Involve appropriate organizational divisions (business and technical)
· Notify Legal and PR for all but the most basic of events
· PR should be involved in all significant events
· Develop corporate message(s) for all significant events – disseminate as appropriate
If not already established, create contact and escalation procedures for all significant events.
9-8-8556 Highly Important Recovery from the Absence of a Monitoring Requests Policy: In the absence of a monitoring request policy, Service Providers and Network Operators should refer all communications intercept requests to corporate counsel.
9-8-8557 Critical Recovery from Lack of Security Reporting Contacts: If an abuse incident occurs without reporting contacts in place, Service Providers and Network Operators should: 1) Ensure that the public-facing support staff is knowledgeable of how both to report incidents internally and to respond to outside inquiries. 2) Ensure public-facing support staff (i.e., call/response center staff) understands the security referral and escalation procedures. 3) Disseminate security contacts to industry groups/coordination bodies where appropriate. 4) Create e-mail IDs per RFC 2142 and disseminate.
9-8-8559 Critical Recovery from Lack of IDS/IPS Maintenance: In the event of a security threat, Service Providers and Network Operators should upload current IDS/IPS signatures from vendors and re-verify stored data with the updated signatures. Evaluate platform's ability to deliver service in the face of evolving threats and consider upgrade/replacement as appropriate. Review Incident Response Post-Mortem Checklist (NRIC BP 8564).
9-8-8561 Critical Recovery from Denial of Service Attack - Target: If a network element or server is under DoS attack, Service Providers and Network Operators should evaluate the network and ensure issue is not related to a configuration/hardware issue. Determine direction of traffic and work with distant end to stop inbound traffic. Consider adding more local capacity (bandwidth or servers) to the attacked service. Where available, deploy DoS/DDoS specific mitigation devices and/or use anti-DoS capabilities in local hardware. Coordinate with HW vendors for guidance on optimal device configuration. Where possible, capture hostile code and make available to organizations such as US-CERT and NCS/NCC for review.
9-8-8562 Critical Recovery from Denial of Service Attack - Unwitting Agent: If an infected (zombie) device is detected, Service Providers and Network Operators should isolate the box and check integrity of infrastructure and agent. Adjust firewall settings, patch all systems and restart equipment. Consider making system or hostile code available for analysis to 3rd party such as US-CERT, NCC, or upstream provider's security team if hostile code does not appear to be known to the security community. Review Incident Response Post-Mortem Checklist (NRIC BP 8548).
9-8-8563 Critical Recovery from Denial of Service Attack – Equipment Vulnerability: When a denial of service vulnerability or exploit is discovered, Equipment Suppliers should work with clients to ensure devices are optimally configured. Where possible, analyze hostile traffic for product improvement or mitigation/response options, disseminate results of analysis.
9-8-8566 Highly Important Recovery from Unauthenticated Patching Systems: Service Providers, Network Operators, and Equipment Suppliers should assure that patching distribution hosts properly sign all patches. Critical systems must only use OSs and applications which employ automated patching mechanisms, rejecting unsigned patches. If a patch fails or is considered bad, restore OS and applications from known good backup media.
9-8-8600 Critical Ad-hoc Wifi Policies: Service Providers and Network Operators should implement policies and practices that prohibit ad-hoc wireless networks. An ad-hoc wireless network is a peer-to-peer style network connecting multiple computers with no core infrastructure. They are not considered secure and are commonly associated with malicious activity.
9-8-8601 Critical Wifi Policies: Service Providers and Network Operators should establish policies to ensure only authorized wireless devices approved by the network managing body or network security are allowed on the network. Unauthorized devices should be strictly forbidden.
9-8-8602 Critical Wifi Standards: Service Providers and Network Operators should implement applicable industry standards for wireless authentication, authorization, and encryption (e.g. WPA2 should be considered a minimum over WEP which is no longer considered secure).
9-8-8603 Critical Wifi Standards: Service Providers and Network Operators should implement applicable industry standards to ensure all devices on the Wireless LAN (WLAN) network enforce network security policy requirements.
9-8-8604 Highly Important Wifi Intrusion Prevention/Detection: Network Operators should consider installation of a Wireless Intrusion System at all locations to detect the presence of unauthorized wireless systems. At a minimum, routine audits must be undertaken at all sites to identify unauthorized wireless systems.
9-8-8605 Important WiFi Signal Strength: Service Providers and Network Operators should minimize wireless signal strength exposure outside of needed coverage area.
9-8-8606 Important Bluetooth Interfaces: Network Operators should turn off Bluetooth interfaces when not in use and disable Bluetooth's discovery feature, whereby each device announces itself to all nearby devices.
9-8-8607 Important Bluetooth Power: Network Operators should configure Bluetooth devices to use the lowest power that meets business needs. Class 3 (encrypts all traffic) devices transmit at 1 mW and cannot communicate beyond 10 meters, while class 1 devices transmit at 100 mW to reach up to 100 meters. For best results, use mode 3 to enforce link authentication and encryption for all Bluetooth traffic, and discourage business use of devices that support only mode 1 (no encryption).
9-8-8608 Important Bluetooth Passwords: Network Operators should password protect both devices to prevent use of lost / stolen units. If possible, do not permanently store the pairing PIN code on Bluetooth devices.
9-8-8609 Important Awareness: Service Providers and Government should promote education for the safe use of all Bluetooth-capable devices and define security policies that impact business.
9-8-8610 Important Bluetooth Pairing: Network Operators should pair devices in a private location using a long random PIN code. Avoid default PIN codes, easily guessed PIN codes ("000") and devices that do not support configurable PIN codes.
9-8-8611 Important Bluetooth Authentication: Network Operators should require authentication on both devices. Configure Bluetooth products so that users must accept incoming connection requests.
9-8-8612 Important Bluetooth Scanning: Network Operators and Government should scan the airwaves (where possible) inside your business to locate all Bluetooth capable devices. Inventory all discovered devices with Bluetooth interfaces, including hardware model, OS, and version. Perform searches on Bluetooth vulnerability and exposure databases to determine whether the devices are impacted.
9-8-8613 Important Awareness: Service providers should educate their Enterprise customers on the importance of establishing a mobile device security policy to reduce threats without overly restricting usability.
9-8-8614 Highly Important Mobility Handset Passwords: Service Providers and Network Operators should enforce strong passwords for mobile device access and network access. Automatically lock out access to the mobile device after a predetermined number of incorrect passwords (typically five or more).
9-8-8615 Highly Important Mobility Handset Wipe: Service Providers and Network Operators should perform a remote wipe (i.e. reset the device back to factory defaults) when an employee mobile device is lost, stolen, sold, or sent to a third party for repair. Organizations need to have a procedure set for users who have lost their devices.
9-8-8616 Important Mobility Handset Encryption: Network Operators should encrypt local storage (where possible), including internal and external memory.
9-8-8617 Important Mobility Handset VPN: Network Operators should enforce the use of virtual private network (VPN) connections between the employee mobile device and enterprise servers.
9-8-8618 Important Mobility Handset Upgrades: Network Operators should perform centralized configuration and software upgrades "over the air" rather than relying on the user to connect the device to a laptop / PC for local synchronization.
9-8-8619 Important Mobility Handset Security: Network Operators should ensure that mobile applications remove all enterprise information from the device.
9-8-8620 Important Mobility Handset Security Education: Service Providers and Network Operators should provide a program of employee education that teaches employees about mobile device threats and enterprise mobile device management and security policies.
9-8-8621 Important Mobility Handset Applications: Network Operators should limit the installation of unsigned third party applications to prevent outside parties from requisitioning control of your devices.
9-8-8622 Important Mobility Handset Firewalls: Network Operators, where possible, should setup unique firewall policies specifically for traffic coming from smart phones.
9-8-8623 Important Mobility Handset Intrusion Detection: Network Operators, where possible, should have intrusion prevention software examine traffic coming through mobile devices.
9-8-8624 Important Mobility Handset Antivirus: Network Operators, where possible, should utilize anti-virus software for the mobile devices.
9-8-8625 Highly Important Femtocell Security: Service Providers and Network Operators should ensure connections between Femtocell and Femto Gateway follow industry standardized IPSec protocol. Connection between Femtocell and Femto OAM system must be based on TLS/SSL protocol while management traffic flow is outside of the IPSec tunnel. Optionally, the management traffic may also be transported through Secure Gateway over IPSec once the IPSec tunnel between Femtocell and Secure Gateway is established.
9-8-8626 Highly Important Femtocell Security: Service Providers should ensure that enterprise Femtocell hardware authentication is certificate based.
9-8-8627 Important Femtocell Security: Equipment Suppliers should ensure enterprise Femtocell hardware shall be tamper-proof.
9-8-8628 Important Femtocell Security: Service Providers should ensure all security relevant events, e.g. apparent security violations, completion status of operations, invalid or unsuccessful logon attempts, userid, logon time, etc., are recorded.
9-8-8630 Important Femtocell Security: Service Providers and Network Operators should ensure Femtocell access control is flexible to be based on: individual Femtocell; or group of Femtocells; and/or entire Enterprise Femto System. The access control list administration, where feasible should be web GUI based, and userid / password authenticated.
9-8-8631 Important Wireless Encryption: Service Providers and Equipment Suppliers should establish application support for cryptography that are based on open and widely reviewed and implemented encryption algorithms and protocols. Examples of acceptable algorithms and protocols include AES, Blowfish, RSA, RC5, IDEA, SSH2, SSLv3, TLSv1, and IPSEC. Products should not rely on proprietary or obscure cryptographic measures for security.
9-8-8632 Important Wireless Encryption: Equipment Suppliers should, in order to secure all key exchange applications, use algorithms with strengths similar to 2,048-bit RSA or Diffie-Hellman algorithms with a prime group of 2,048 bits. Anonymous Diffie-Hellman must not be supported.
9-8-8633 Important Wireless Policies and Standards: Service Providers, Network Operators, and Equipment Suppliers should design passwords used for an application login to be consistent with applicable industry security guidelines and policies. Whether between the client and the server or among servers, passwords must not be transmitted “in the clear.” SSL should be used for any transaction involving authentication. The transmission of session IDs should be similarly protected with SSL.
9-8-8634 Important Wireless Encryption: Service Providers and Network Operators should implement for all symmetric secure data integrity applications, algorithms with strengths similar to HMAC-MD5-96 with 128-bit keys, HMAC-SHA-1-96 with 160-bit keys, or AES-based randomized message authentication code (RMAC) being the standard used.
9-8-8635 Highly Important Wireless Encryption: Service Providers and Network Operators should implement Authenticated Key Agreement (AKA) protocol to provide user and network with a session specific random shared-key that can be used for confidential communication.
9-8-8636 Highly Important Protection from eavesdropping: Service Providers and Network Operators should take steps to protect user data from eavesdropping and/or being tampered with in transit; Ensure user has the correct credentials; Accuracy and efficiency of accounting.
9-8-8637 Highly Important Wireless Encryption: Service Providers and Network Operators should take steps to ensure all traffic on a 4G network is encrypted using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) which uses AES for transmission security and data integrity authentication.
9-8-8638 Important Wireless Encryption: Service Providers and Network Operators should enable the Mobile WiMAX system to provide secure communications by encrypting data traffic and use PKM (Privacy Key Management) Protocol that allows for the Base Station to authenticate the MS/CPE and not vice versa.
9-8-8639 Important Wireless Authentication: Service Providers and Network Operators should use strong certificate-based authentication ensuring network access, digital content and software services can be secured from unauthorized access.
9-8-8640 Highly Important Wireless Encryption: Service Providers, Network Operators, and Equipment Suppliers should use NSA approved encryption and authentication for all Satcom command uplinks; downlink data encrypted as applicable depending on sensitivity/classification.
9-8-8641 Important Mitigation Strategies: Service Providers and Network Operators should implement mitigation strategies against physical threat vectors that affect the satellite, the availability of communications, the integrity and confidentiality of satellite, and the performance of communications.
9-8-8642 Important Wireless Standards: Service Providers and Network Operators should consider integration of open standardized protocols to meet communication-level performance and security goals.
9-8-8643 Important Mobility Handset Standards: Network Operators should sanitize employee mobile devices when removed from service. Mobile devices and other electronic equipment that contain or access sensitive information, or have been used to access sensitive information in the past, should be processed to ensure all data is permanently removed in a manner that prevents recovery before they are disposed of as surplus equipment or returned to the vendor.
9-8-8644 Important Mobility Handset Standards: Network Operators should require data encryption for all employee mobile devices that contain sensitive data. If sensitive information must reside on a mobile device, it should be encrypted. The decryption key should be entered manually; this step should not be automated. A means should exist to recover encrypted data when the decryption key is lost. Require the use of laptop encryption and password-protection.
9-8-8645 Important Mobility Handset Standards: Network Operators should set policy that requires any sensitive information transmitted to or from the employee mobile device be encrypted and/or transferred with a secure data transfer utility. Use of a secure connection or protocol, such as SSL, that guarantees end-to-end encryption of all data sent or received should be included in policy. Devices with wireless capability pose an additional risk of unauthorized access and tampering. These capabilities should be disabled, secured, or protected with a firewall.
9-8-8646 Important Wireless Tethering: Service providers should devise a means of enforcing security over tethered connections. When Tethering via a mobile device for data communication, an encryption methodology, such as IPSEC or SSL/VPN should be utilized to ensure session security.
9-8-8649 Important General: Service Providers should classify their cloud service against one of the defined industry cloud service architecture models (e.g., software as a service [SaaS], platform as a service [PaaS] or infrastructure as a service [IaaS]) and the deployment model being utilized (e.g., private cloud, community cloud, public cloud or hybrid cloud) to determine the general “security” posture of the specific cloud service, how it relates to asset’s assurance and security protection requirements, and define the needed security architecture to mitigate security risks.
9-8-8650 Important Risk Management and Governance in the Cloud: Service Providers should periodically conduct risk assessments of their information security governance structure and processes, security controls, information security management processes, and operational processes.
9-8-8651 Highly Important Cloud Business Continuity Planning and Disaster Recovery: Service Provider should have a documented Business Continuity and Disaster Recovery Plan.
9-8-8652 Highly Important General: Service Provider and Network Operators should implement access controls (firewalls, access control lists, etc.) to administrative interfaces as well as those normally carrying customer traffic.
9-8-8653 Highly Important General: Service Providers and Network Operators should test current equipment for IPv4/IPv6 compatibility for the specific network deployment.
9-8-8654 Important Routing Integrity: Service Providers and Network Operators should use explicit static configuration of addresses, routing protocols and parameters at peering point interfaces rather than neighbor discovery or defaults.
9-8-8655 Important Routing Integrity: Service Providers and Network Operators should employ protocol-specific mechanisms or IPSec as applicable.
9-8-8656 Important Routing Integrity: Service Provider and Network Operators should use static neighbor entries rather than neighbor discovery for critical systems.
9-8-8657 Important Routing Integrity: Service Provider and Network Operators should use BGP ingress and egress prefix filtering, TCP MD5 or SHA-1 authentication.
9-8-8658 Important Routing Integrity: Service Providers and Network Operators should use IPv6 BOGON lists to filter un-assigned address blocks at Network boundaries.
9-8-8659 Important Packet Filtering: Service Providers and Network Operators should apply IPv6 and IPv4 anti-spoofing and firewall rules as applicable, wherever tunnel endpoints decapsulate packets.
9-8-8660 Important Packet Filtering: Service Providers and Network Operators should have access control lists for IPv6 that are comparable to those for IPv4, and that also block new IPv6 multicast addresses that ought not to cross the administrative boundary.
9-8-8661 Important Packet Filtering: Service Providers and Network Operators should block tunneling protocols (for example, IP protocol 41 and UDP port 3544) at points where they should not be used. Tunnels can bypass firewall/perimeter security. Use static tunnels where the need for tunneling is known in advance.
9-8-8662 Important Packet Filtering: Service Providers and Network Operators should filter internal-use IPv6 addresses at provider edge and network perimeter.
9-8-8663 Important VOIP Standards: Service Providers and Network Operators should use dedicated VoIP servers for the VoIP service, if possible.
9-8-8664 Important Packet Filtering: Service Providers and Network Operators should block protocols meant for internal VoIP call control use at the VoIP perimeter.
9-8-8665 Important Packet Filtering: Service Providers and Network Operators should proxy remote HTTP access to the VoIP perimeter firewalls.
9-8-8666 Important Administration: Service Providers and Network Operators should block VoIP firewall administrative/management traffic at the perimeter or Tunnel/encrypt this traffic using VPN technology or administer/manage this traffic out of band.
9-8-8667 Important VOIP Standards: Service Providers and Network Operators should route HTTP access from the VoIP environment through the data environment and use HTTPS if at all possible.
9-8-8668 Important Use continuity management to protect information: Service Providers and Network Operators should establish a business continuity process for information, identify the events that can be classified as business interruption, test and update the business continuity plan.
9-8-8669 Highly Important Network Connection Control: Service Providers and Network Operators should ensure that access to shared networks, including those that cross organizational boundaries, as well as internal network and customer management infrastructures, is restricted, as per the Company's access control policy. These restrictions apply to systems, applications, and users, and are enforced via a router, firewall, or similar device allowing for rule-based traffic filtering, thereby ensuring a logical separation of networks.
9-8-8670 Important Protect exchange of information: Service Providers, Network Operators, and Equipment Suppliers should consider establishing information exchange policies and procedures, establish information and software exchange agreements, safeguard transportation of physical media.
9-8-8671 Important Protect Unattended Workstations: Service Providers and Network Operators should have and enforce policies that unattended workstations be protected from unauthorized access: 1) Individual Username/Password authentication must be required to access resources. 2) Physical access must be restricted to workstations. 3) Where possible idle workstations must default to password protected screensaver after an established time lapse (e.g. 15 minutes).
9-8-8672 Important Spam: Network Operators should block incoming email file attachments with specific extensions known to carry infections, or should filter email file attachments based on content properties.
9-8-8673 Important Spam: Network Operators should establish inbound connection limits on all services.
9-8-8674 Important Spam: Service Providers and Network Operators should stop all access attempts from IP Addresses with no reverse DNS at the connection level.
9-8-8675 Important Spam: Network Operators should stop all SMTP traffic that has reverse DNS, which reflects home PC connections (i.e. 0.0.127.mydialup.bigisp.com).
9-8-8676 Important Spam: Network Operators should employ Optical Character Recognition techniques which allow the ability to read text even when it appears as a graphic image.
9-8-8677 Important Spam: Network Operators should perform content analysis of In-bound e-mails.
9-8-8678 Important Spam: Network Operators and Service Providers should apply URL detection techniques to detect the domain name of spammers.
9-8-8679 Important Spam: Network Operators and Service Providers should avoid acting as a backup MX for other companies.
9-8-8680 Important Spam: Network Operators should avoid quarantining email as much as possible.
9-8-8681 Important Spam: Network Operators and Service Providers should consider employing IP Reputation Services.
9-8-8682 Important Spam: Network Operators and Service Providers should enforce SMTP authentication.
9-8-8683 Important Spam: Network Operators and Service Providers should not allow default catch all addresses.
9-8-8684 Important Spam: Network Operators and Service Providers should not routinely bounce email wherever possible (valid user checking and virus scanning).
9-8-8685 Important Spam: Network Operators should check sender authentication.
9-8-8686 Important Spam: Network Operators and Service Providers should employ DNS lookup techniques which are able to determine if the sending e-mail is legitimate and has a valid host name.
9-8-8687 Important Spam: Network Operators and Service Providers should establish an Internal Email Address to which Spam can be forwarded by Employees.
9-8-8688 Important Spam: Network Operators and Service Providers should use Anti-Relay Systems to Protect Mail servers from being hijacked.
9-8-8689 Critical Network Access Control for Signaling: Network Operators should ensure that signaling interface points that connect to IP Private and Corporate networks interfaces are well hardened and protected with firewalls that enforce strong authentication policies.
9-8-8690 Important Protect Network/Management Infrastructure from Unexpected File System Changes: Service Providers and Network Operators should deploy tools to detect unexpected changes to file systems on Network Elements and Management Infrastructure systems where feasible and establish procedures for reacting to changes. Use techniques such as cryptographic hashes.
9-8-8691 Important Cybersecurity Awareness: Network Operators, Service Providers and Equipment Suppliers should develop employee education programs that emphasize the need to comply with security policies.
9-8-8692 Important Customer Acceptable Use Policy: Network Operators and Service Providers should develop an acceptable use policy for customers of their services and enforce it.
9-8-8693 Important Cybersecurity Awareness: Network Operators, Service Providers and Equipment Suppliers should create a security awareness strategy that includes communicating to everyone from new hires to human resources to senior management. Utilize multiple channels and target each audience specifically.
9-8-8694 Important Threat Management: Network Operators, Service Providers and Equipment Suppliers should keep their programs flexible. What is considered a security best practice today might be obsolete tomorrow. Changing factors include new technologies, changing business models, emerging threats and growth of the network and the user base.
9-8-8695 Important Management Support: Network Operators, Service Providers and Equipment Suppliers should obtain senior management approval and support for a corporate wide People/Awareness/Security Awareness program. This will help to lead to behavior and policy changes.
9-8-8696 Important Employment: Network Operators, Service Providers and Equipment Suppliers should work with their HR departments to consider making acknowledgement and agreement regarding information security a condition of employment.
9-8-8697 Important Social Engineering Vulnerability Assessment: Network Operators and Service Providers should consider conducting Social Engineering Audits such as tests for vulnerabilities or unauthorized access to systems, networks and information. Systems range from computer networks to physical access to locations.
9-8-8698 Important Firewall Protection: Service Providers & Network Operators should utilize firewall protection on all computing devices. Whenever available for a mobile communications device, firewall software should be installed and utilized.
9-8-8699 Important Data Leakage: Service Providers and Network Operators should develop employee education programs that emphasize the need to comply with policies and the DLP program.
9-8-8700 Important Data Leakage: Service Providers and Network Operators should have and enforce disciplinary programs for employees who do not follow Data Loss Prevention (DLP) Guidelines.
9-8-8701 Important Security Maturity and Metrics: Network Operators, Service Providers and Equipment Suppliers should measure the effectiveness of their Security programs.
9-8-8702 Important Security Policy: Network Operators and Service Providers should develop a detailed security policy addressing social engineering issues and enforce it throughout the company.
9-8-8703 Important Security Policy: Network Operators, Service Providers and Equipment Suppliers should establish and enforce policy to lock up paperwork and magnetic media containing confidential information and destroy it when it is no longer needed.
9-8-8704 Important Security Policy: Network Operators, Service Providers and Equipment Suppliers should establish and enforce policy to physically secure the computers and network devices.
9-8-8705 Important Identity Administration: Network Operators and Service Providers should have procedures for verifying identity of users to IT department and IT personnel to users (secret PINs, callback procedures, etc.).
9-8-8706 Important Identity Administration: Network Operators and Service Providers should establish and enforce policy to prohibit disclosing passwords, to whom (if anyone) passwords can be disclosed and under what circumstances, procedure to follow if someone requests disclosure of passwords.
9-8-8707 Important Physical Security: Network Operators and Service Providers should establish and enforce policy to require users to log off, to use password protected screensavers when away from the computer, enable screenlock upon activity timeout, cautionary instructions on ensuring that no one is watching when you type in logon information, etc. Physical security measures to prevent visitors and outside contractors from accessing systems to place key loggers, etc.
9-8-8708 Important Security Policy: Network Operators and Service Providers should establish clear guidelines and policy on the corporate use of Social Media outlets. Before utilizing social media in any capacity, stop and consider the motivation of those that you are interacting with or targeting.
9-8-8709 Important Identity Administration: Network Operators and Service Providers should establish policies governing destruction (shredding, incineration, etc.) of paperwork, disks and other media that hold information a hacker could use to breach security.
9-8-8710 Important Third Party and Supply Chain Management: Service Providers, Network Operators, and Equipment Suppliers should ensure supply chain security by having security language in their contracts and periodic risk assessments on their 3rd party verifying the outside party's security practices.
9-8-8711 Important Media Gateway Availability: Network Operators and Service Providers should engineer networks to provide redundant and highly available application layer services. (e.g., DNS and other directory services, SIP, H.323).
9-8-8712 Important Media Gateway Interoperability: Network Operators and Service Providers should implement applicable industry standards governing protocol (e.g., IP Protocols from the IETF) and established policies and procedures to maintain currency within these publications to ensure interoperability.
9-8-8713 Important Media Gateway Interoperability With Legacy Networks: Network Operators and Service Providers implementing a signaling gateway should consider using media gateway controllers that map gateway responses to SS7 in an anticipated and predictable fashion (e.g., RFC 3398 for SIP-to-SS7 mapping).
9-8-8714 Important Media Gateway Codecs: Network Operators and Service Providers should use a minimum interworking subset for encoding standards (e.g., a fallback to G.711) in a PSTN gateway configuration in order to achieve interoperability and support all types of voice band communication (e.g., DTMF tones, facsimile, TTY/TDD).
9-8-8715 Important CALEA Distribution: Network Operators and Service Providers should establish policies and procedures to limit the distribution of CALEA information, requests, and network documents regarding CALEA interfaces to those operationally involved with CALEA activities.
9-8-8716 Important CALEA Risk Assessment: Network Operators and Service Providers should establish policies and procedures to periodically conduct risk assessments of CALEA procedures and policies.
9-8-8717 Important CALEA Access and Authorization: Network Operators and Service Providers should establish policies and procedures to limit access to captured or intercepted CALEA content to those who are authorized.
9-8-8718 Important CALEA Awareness: Network Operators and Service Providers should establish policies and procedures to promote awareness of appropriate CALEA policies among network employees and equipment vendors.
9-8-8719 Important GSM MAP Signaling and Network Management: Wireless Service Providers and Network Operators who have deployed IS-41 (ANSI-41) or GSM Mobility Application Part (MAP) signaling networks should consider equipping their networks with network management and congestion controls.
9-8-8720 Important Signaling Policies: Network Operators should implement rigorous screening and/or filtering on both internal and interconnecting signaling links and establish policies to review and improve screening capabilities.
9-8-8721 Important Signaling on General Purpose Computers: Network Operators and Equipment Vendors of products built on general purpose computing products should proactively monitor all security issues associated with those products and cooperatively identify and apply security fixes, as necessary.
9-8-8722 Important Signaling Over Public IP: Network Operators should be particularly vigilant with respect to signaling traffic delivered by or carried over Internet Protocol networks. Network Operators that utilize the Public Internet for signaling, transport, or maintenance communications should employ authentication, authorization, accountability, integrity, and confidentiality mechanisms (e.g., digital signature and encrypted VPN tunneling).
9-8-8723 Important Signaling Authentication: Network Operators should consider enabling logging for element security related alarms on network elements, (e.g., unauthorized access, unauthorized logins, logging of changes (i.e. configuration and translation), administrative access logging), and establish review policies for these records to mitigate network element authentication vulnerabilities.
9-8-8724 Important Network Element Access: Network Operators utilizing dial-up connections for maintenance access to Network Elements should consider implementing dial-back modems with screening lists, communication encryptions (i.e. VPN's) and token based access control.
9-8-8726 Important Signaling Network Design: Network Operators should design their signaling network elements and interfaces consistent with applicable industry security guidelines and policies (e.g. ATIS-300011).
9-8-8728 Important Maintaining Logical Link Diversity: Network Operators who deploy next generation signaling networks should consider industry guidelines for logical diversity (e.g. multi-homing), and perform network diversification validation on a scheduled basis (e.g., twice a year). Processes and procedures should exist for tracking discrepancies and maintaining a historical record.
9-8-8730 Highly Important Logging of Requested Changes: Network Operators should log changes made to network elements and consider recording the user login, time of day, IP address, associated authentication token, and other pertinent information associated with each change. Policies should be established to audit logs on a periodic basis and update procedures as needed.
9-8-8731 Important Non-Repudiation: Network Operators should establish policies and procedures to ensure that actions taken on the network can be positively attributed to the person or entity that initiated the action. This may include, but is not limited to electronic logging, access control, physical records, or tickets.
9-8-8732 Important General: Service Providers should classify identity management services against the service architecture and deployment model being utilized to determine the general “security” posture of the identity services, how it relates to asset’s assurance and security protection requirements, and define the needed security architecture to mitigate security risks.
Specifically, if identity related functions are distributed among multiple parties, all parties involved should be clearly identified (e.g., relying parties such as users and service providers, credential providers, verifier or authentication providers, or federation members) with clearly defined roles, responsibilities, and accountability for the security of the identity service and all associated assets.
9-8-8733 Important Federated Identity: If identity is being federated (i.e., for use among members of a federation), Service Providers should clearly define and enforce rules, policies and trust model for the federated identity services.
9-8-8734 Important Identity Data Security: Service providers creating, maintaining, using or disseminating individually identifiable information should take appropriate measures to assure its reliability and should take reasonable precautions to protect it from loss, misuse or alteration. Organizations should take reasonable steps to assure that third parties to which they transfer such information are aware of these security practices, and that the third parties also take reasonable precautions to protect any transferred information.
9-8-8735 Important Identity Data Quality and Access: Service Providers creating, maintaining, using or disseminating individually identifiable information should take reasonable steps to assure that the data are accurate, complete and timely for the purposes for which they are to be used. Organizations should establish appropriate processes or mechanisms so that inaccuracies in material individually identifiable information, such as account or contact information, may be corrected. These processes and mechanisms should be simple and easy to use, and provide assurance that inaccuracies have been corrected. Other procedures to assure data quality may include use of reliable sources and collection methods, reasonable and appropriate access and correction, and protections against accidental or unauthorized alteration.
9-8-8736 Critical Identity Information Access Control: Service Providers should ensure that identity information is only accessible to authorized entities subject to applicable regulation and policy. Specifically,
(a) an entity (e.g., relying party or requesting party) requesting identity data should be authenticated, and its authorization to obtain the requested information verified before access to the information is provided or the requesting identity data is exchanged.
(b) policy and rules for requesting and exchanging identity data among multiple parties involved (e.g., users, relying party and identity provider) should be clearly defined and enforced.
9-8-8737 Important SAML Privacy: Service Providers should analyze each of the steps in the interaction (and any subsequent uses of data obtained from the transactions) of a Security Assertion Markup Language (SAML) transaction to ensure that information that should be kept confidential is actually being kept so.
9-8-8738 Highly Important Password Management Policy: Service Providers and Network Operators should define, implement, and maintain password management policies as well as the documented process to reduce the risk of compromise of password-based systems.
9-8-8739 Highly Important Recovery from Password Management System Compromise: When a password management system or other source of passwords has been compromised, the Service Provider should act swiftly to mitigate the weaknesses that allowed the compromise, restore the compromised system to a secure state, and require all users to change their passwords immediately. Procedures should be in place to notify all affected users that their passwords have been reset or need to be changed immediately.
9-8-8740 Critical Protect Sensitive Data in Transit for Externally Accessible Applications: Service Providers and Network Operators should encrypt sensitive data from web servers, and other externally accessible applications, while it is in transit over any networks they do not physically control.
9-8-8741 Important Protection of Devices Beyond Scope of Control: Equipment Suppliers should implement techniques such as tamper-proof crypto-chips/authentication credentials and (remote) authentication for (service provider) configuration controls, in customer premises equipment. Additionally, capabilities to remotely access or delete sensitive information on these devices are encouraged.
9-8-8742 Important General: Service Providers should use encryption to separate data at rest from data in motion.
9-8-8743 Important Key Management: Service providers should segregate key management from the cloud provider hosting the data, creating a chain of separation. This protects both the cloud provider and customer from conflicts when compelled to provide data due to a legal mandate.
9-8-8744 Important Management: Service providers should provide documentation and enforce role management and separation of duties.
9-8-8745 Critical Key Management: In cases where the cloud provider must perform key management, service providers should define processes for key management lifecycle: how keys are generated, used, stored, backed up, recovered, rotated, and deleted. Further, understand whether the same key is used for every customer or if each customer has its own key set.
9-8-8746 Important Public Key Infrastructure (PKI): For environments where traditional PKI infrastructures are problematic, service providers should use an alternate approach such as a "web of trust" for public key validation / authentication.
9-8-8747 Important Layered Encryption: Where possible, service providers should use layered VPN and encryption strategies to mitigate device vulnerabilities. Traditionally a single layer of cryptography has stood between the data being protected and that of the attacker. While the cryptography itself is rarely the weak link, many times implementation or other originating or terminating cryptographic device vulnerabilities place that information in jeopardy.
9-8-8749 Important Risk Assessment Process: Service providers and network operators should have documented processes in place for reviewing new vulnerabilities as they are announced.
9-8-8750 Important Risk Assessments: Service providers and network operators should have assigned risk ratings for vulnerabilities and definitions of those risk ratings (i.e. What does a High risk vulnerability mean to the general user public?, etc.). Finally, the security team should have access to an accurate and readily available asset inventory (See Step 1: Asset Inventory) (including the asset owners, and patch levels) and network diagrams.
9-8-8751 Highly Important Vulnerability Assessment Scans: Service Providers and Network Operators should test new tools in a lab to identify any false positives and false negatives and use a change control system in case there is a network disruption. They should use a tool that causes minimal disruptions to the network.
9-8-8752 Critical Vulnerability Assessment Policies: Service providers, network operators, and equipment vendors should use custom policies created by OS, device, or by industry standard (SANS Top 20, Windows Top 10 Vulnerabilities, OWASP Top 10) and specific to your environment. Organizations should identify what scanning methods and operating procedures are best for their company, and document how they would proceed in a standard operating procedure.
9-8-8753 Important Reporting and Remediation Tracking Tools: Service Providers and Network Operators should ensure the tools they use are capable of notifying the asset owners that they have vulnerabilities to be fixed. They should be able to provide high-level dashboard type reports to senior management and detailed host reports to system administrators.
9-8-8754 Critical Vulnerability Reporting and Remediation: Service providers, network operators, and equipment vendors should focus on the highest risk vulnerabilities by ranking them by the vulnerability risk rating.
9-8-8758 Important Post DoS Practice: Network Operators and Service Providers should establish policies, and procedures to support early recognition and isolation of potential bad actors to minimize impact to the network.
9-8-8760 Critical Recover from Voice over IP (VoIP) Compromise: If a Voice over IP (VoIP) server has been compromised, Service Provider and Network Operators should remove the device from the network until remediated.
9-8-8761 Critical Recover from Voice over IP (VoIP) Device Masquerades or Voice over IP (VoIP) Server Compromise: If a VoIP masquerading event is occurring, the service provider or network operator should attempt to collect data via log files or other means to aid law enforcement investigations. If VoIP device masquerading is causing significant harm, the portion of the network where the attack is originating can be isolated.
9-8-8763 Critical Recovery from Password Management System Compromise: When a password management system or other source of passwords has been compromised, the Network Operator should act swiftly to mitigate the weaknesses that allowed the compromise, restore the compromised system to a secure state, and require all users to change their passwords immediately. Procedures should be in place to notify all affected users that their passwords have been reset or need to be changed immediately.
9-8-8764 Important Identity Lifecycle Management: Service Providers should clearly define and enforce policies for identity lifecycle management. This includes processes, procedures and policies for the proofing, enrolling, issuing and revoking of identity information (e.g., identifiers, credentials and attributes) to be used for a specific context (e.g., for specific transactions ranging from commercial to social activities).
9-8-8765 Critical Identity Enrollment and Issuance: Service Providers should only issue the identity information (e.g., identifiers, credentials and attributes) associated with an identity after successful identity proofing of the entity. An entity requesting enrollment should be verified and validated according to the requirements of the context (i.e., in which the identity will be used) before enrolling or issuing any associated identifiers, credentials or attributes. The proofing process and policies should be based on the value of the resources (e.g., services, transactions, information and privileges) allowed by the identity and the risks associated with an unauthorized entity obtaining and using the identity. Specifically, measures to ensure the following are recommended:
(a) An entity (e.g., person, organization or legal entity) with the claimed attributes exists, and those attributes are suitable to distinguish the entity sufficiently according to the needs of the context.
(b) An applicant whose identity is recorded is in fact the entity to which the identity is bound;
(c) It is difficult for an entity which has used the recorded identity and credentials to later repudiate the registration/enrolment and dispute an authentication.
9-8-8766 Critical Identity Maintenance and Updates: Service Providers should ensure secure management and maintenance of the identity data and the status of data (e.g., identifiers, credentials, attributes) by logging updates or changes to an identity, by providing notifications about the updates or changes to an identity(s) or any of the data associated with the identity(s) to the systems and network elements that need to be aware of the updates or changes, and by periodically validating the status of an identity.
9-8-8767 Critical Identity Revocation: Service Providers should have applicable policies and enforcement for revoking an identity. Specifically,
(a) Enforce policies and terminate or destroy the credentials associated (e.g., digital certificates or tokens) with an identity when it is no longer valid or has a security breach.
(b) Provide notifications about the revocation or termination of an identity(s) or any of the data associated with the identity to the entity and to the systems and network elements that need to be aware (i.e., all systems and processes with which the identity can be used for access have to be notified that the identity is no longer valid).
9-8-8768 Highly Important Multi-factor Authentication: Service Providers and Network Operators should support multi-factor authentication to increase confidence in the identity of an entity. Multi-factor authentication involves validating the authenticity of the identity of an entity by verifying multiple identifiers and attributes associated with the entity. The data for multi-factor authentication capabilities should be organized based on something you are (e.g., physical or behavioral characteristics of an end user or customer's characteristic or attribute that is being compared such as typing patterns, voice recognition), something you have (e.g., a driver's license, or a security token) and something you know (e.g., a password, pin number, security image).
9-8-8769 Highly Important Protection of Personally Identifiable Information (PII): Service Providers should protect Personally Identifiable Information by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
Policies for PII protection should be clearly identified and enforced. Specifically,
(a) Organizations should identify all PII residing in their environment.
(b) Organizations should minimize the use, collection, and retention of PII to what is strictly necessary to reduce the likelihood of harm caused by a breach involving PII. Also, an organization should regularly review its holdings of previously collected PII to determine whether the PII is still relevant and necessary for meeting the organization’s business purpose and mission. For example, organizations could have an annual PII purging awareness day.
(c) Organizations should categorize their PII based on confidentiality impact levels. For example, PII confidentiality impact level—low, moderate, or high should be used to indicate the potential harm that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed.
(d) Organizations should apply the appropriate safeguards for PII based on the PII confidentiality impact level. Specifically, operational safeguards, privacy-specific safeguards, and security controls should be used.
(e) Organizations should develop an incident response plan to handle breaches involving PII. The plan should include elements such as determining when and how individuals should be notified and how a breach should be reported.
(f) Organizations should establish processes for coordination and addressing issues related to PII when multiple parties are involved (e.g., users, relying parties and identity providers or members of a federation).
9-8-8770 Important SAML Communications: Service Providers should use secure network protocols such as TLS or IPsec to provide integrity and confidentiality protection of SAML communications. In addition, the following measures should be implemented to counter replay, denial of service and other forms of attacks:
(a) Clients should be required to authenticate at some level below the SAML protocol level (for example, using the SOAP over HTTP binding, with HTTP over TLS/SSL, and with a requirement for client-side certificates that have a trusted Certificate Authority at their root) to provide traceability and counter DOS attacks.
(b) Use of the XML Signature element [ds:SignatureProperties] containing a timestamp should be required to determine if a signature is recent to counter replay attacks.
(c) Maintaining state information concerning active sessions, and validating correspondence.
(d) Correlation of request and response messages.
9-8-8900 Highly Important Stay Informed about Botnet/Malware Techniques: ISPs should stay informed about the latest botnet/malware techniques so as to be prepared to detect and prevent them.
9-8-8901 Highly Important ISP Provision of Educational Resources for Computer Hygiene / Safe Computing:
ISPs should provide or support third-party tutorial, educational, and self-help resources for their customers to educate them on the importance of and help them practice safe computing. ISPs’ users should know to protect end user devices and networks from unauthorized access through various methods, including, but not limited to:

• Use legitimate security software that protects against viruses and spyware;
• Ensure that any software downloads or purchases are from a legitimate source;
• Use firewalls;
• Configure computer to download critical updates to both the operating system and installed applications automatically;
• Scan computer regularly for spyware and other potentially unwanted software;
• Keep all applications, application plug-ins, and operating system software current and updated and use their security features;
• Exercise caution when opening e-mail attachments;
• Be careful when downloading programs and viewing Web pages;
• Use instant messaging wisely;
• Use social networking sites safely;
• Use strong passwords;
• Never share passwords.
9-8-8902 Critical Prevention 3 - ISP Provision of Anti-Virus/Security Software:
ISPs should make available anti-virus/security software and/or services for its end-users. If the ISP does not provide the software/service directly, it should provide links to other software/services through its safe computing educational resources.
9-8-8903 Critical Protect DNS Servers:
ISPs should protect their DNS servers from DNS spoofing attacks and take steps to ensure that compromised customer systems cannot emit spoofed traffic (and thereby participate in DNS amplification attacks). Defensive measures include:

(a) managing DNS traffic consistent with industry accepted procedures;
(b) where feasible, limiting access to recursive DNS resolvers to authorized users;
(c) blocking spoofed DNS query traffic at the border of their networks, and
(d) routinely validating the technical configuration of DNS servers by, for example, utilizing available testing tools that verify proper DNS server technical configuration.
9-8-8904 Critical Utilize DNSSEC:
ISPs should use Domain Name System (DNS) Security Extensions (DNSSEC) to protect the DNS. ISPs should consider, at a minimum, the following:
• sign and regularly test the validity of their own DNS zones;
• routinely validate the DNSSEC signatures of other zones;
• employ automated methods to routinely test DNSSEC-signed zones for DNSSEC signature validity.
9-8-8905 Critical Encourage Use of Authenticated SMTP/Restrict Outbound Connections to Port 25:
ISPs should encourage users to submit email via authenticated SMTP on port 587, requiring Transport Layer Security (TLS) or other appropriate methods to protect the username and password. In addition, ISPs should restrict or otherwise control inbound and outbound connections from the network to port 25 (SMTP) of any other network, either uniformly or on a case by case basis, e.g., to authorized email servers.
9-8-8906 Critical Authentication of Email:
ISPs should authenticate all outbound email using DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). Authentication should be checked on inbound emails; DKIM signatures should be validated and SPF policies verified.
9-8-8907 Critical Immediately Reject Undeliverable Email:
ISPs should configure their gateway mail servers to immediately reject undeliverable email, rather than accepting it and generating non-delivery notices (NDNs) later, in order to avoid sending NDNs to forged addresses.
9-8-8908 Critical Share Dynamic Address Space Information:
ISPs should share lists of their dynamic IP addresses with operators of DNS Block Lists (DNSBLs) and other similar tools. Further, such lists should be made generally available, such as via a public website.
9-8-8909 Critical Share Dynamic Address Space Information:
ISPs should share lists of their dynamic IP addresses with operators of DNS Block Lists (DNSBLs) and other similar tools. Further, such lists should be made generally available, such as via a public website.
9-8-8910 Critical Make Dynamic IPv4 Space Easily Identifiable by Reverse DNS Pattern:
ISPs should make IPv4 dynamic address space under their control easily identifiable by reverse DNS pattern, preferably by a right-anchor string with a suffix pattern chosen so that one may say that all reverse DNS records ending in *.some.text.example.com are those that identify dynamic space.
9-8-8911 Critical Make Dynamic Address Space Easily Identifiable by WHOIS:
ISPs should make all dynamic address space under their control easily identifiable by WHOIS or RWHOIS lookup.
9-8-8912 Highly Important Communicate Implementation of Situational Awareness and Protective Measures with Other ISPs:
ISPs should make reasonable efforts to communicate with other operators and security software providers, by sending and/or receiving abuse reports via manual or automated methods. These efforts could include information such as implementation of "protective measures" such as reporting abuse (e.g., spam) via feedback loops (FBLs) using standard message formats such as Abuse Reporting Format (ARF). Where feasible, ISPs should engage in efforts with other industry participants and other members of the internet ecosystem toward the goal of implementing more robust, standardized information sharing in the area of botnet detection between private sector providers.
9-8-8913 Critical Maintain Methods to Detect Bot/Malware Infection:
ISPs should maintain methods to detect likely malware infection of customer equipment.
Detection methods will vary widely due to a range of factors. Detection methods, tools, and processes may include but are not limited to: external feedback, observation of network conditions and traffic such as bandwidth and/or traffic pattern analysis, signatures, behavior techniques, and forensic monitoring of customers on a more detailed level.
9-8-8914 Highly Important Use Tiered Bot Detection Approach: ISPs should use a tiered approach to botnet detection that first applies behavioral characteristics of user traffic (cast a wide net), and then applies more granular techniques (e.g., signature detection) to traffic flagged as a potential problem.
9-8-8915 Critical Do Not Block Legitimate Traffic: ISPs should ensure that detection methods do not block legitimate traffic in the course of conducting botnet detection, and should instead employ detection methods which seek to be non-disruptive and transparent to their customers and their customers’ applications.
9-8-8916 Critical Bot Detection and the Corresponding Notification Should Be Timely: ISPs should ensure that bot detection and the corresponding notification to end users be timely, since such security problems are time-sensitive. If complex analysis is required and multiple confirmations are needed to confirm a bot is indeed present, then it is possible that the malware may cause some damage, to either the infected host or remotely targeted system (beyond the damage of the initial infection) before it can be stopped. Thus, an ISP must balance a desire to definitively confirm a malware infection, which may take an extended period of time, with the ability to predict the strong likelihood of a malware infection in a very short period of time. This 'definitive-vs.-likely' challenge is difficult and, when in doubt, ISPs should err on the side of caution by communicating a likely malware infection while taking reasonable steps to avoid false notifications.
9-8-8917 Critical Notification to End Users:
ISPs should develop and maintain critical notification methods to communicate with their customers that their computer and/or network has likely been infected with malware. This should include a range of options in order to accommodate a diverse group of customers and network technologies. Once an ISP has detected a likely end user security problem, steps should be undertaken to inform the Internet user that they may have a security problem. An ISP should decide the most appropriate method or methods for providing notification to their customers or internet users, and should use additional methods if the chosen method is not effective. The range of notification options may vary by the severity and/or criticality of the problem.
Examples of different notification methods may include but are not limited to: email, telephone call, postal mail, instant messaging (IM), short messaging service (SMS), and web browser notification.
9-8-8918 Important Notification Information to End Users:
ISPs should ensure that botnet notifications to subscribers convey critical service information rather than convey advertising of new services or other offers.
9-8-8919 Critical Mitigation 1 - Industry Cooperation During Significant Cyber Incidents:
ISPs should maintain an awareness of cyber security threat levels and, when feasible, cooperate with other organizations during significant cyber incidents, helping to gather and analyze information to characterize the attack, offer mitigation techniques, and take action to deter or defend against cyber attacks as authorized by applicable law and policy.
9-8-8920 Critical Temporarily Quarantine Bot Infected Devices:
ISPs may temporarily quarantine a subscriber account or device if a compromised device is detected on the subscribers’ network and the network device is actively transmitting malicious traffic. Such quarantining should normally occur only after multiple attempts to notify the customer of the problem (using varied methods) have not yielded resolution. In the event of a severe attack or where an infected host poses a significant present danger to the healthy operation of the network, then immediate quarantine may be appropriate. In any quarantine situation and depending on the severity of the attack or danger, the ISP should seek to be responsive to the needs of the customer to regain access to the network. Where feasible, the ISP may quarantine the attack or malicious traffic and leave the rest unaffected.
9-8-8921 Highly Important Provide a Web Site to Assist with Malware Remediation:
ISPs should, either directly or indirectly, provide a web site to assist customers with malware remediation. Remediation of malware on a host means to remove, disable, or otherwise render a malicious bot harmless. For example, this may include but is not limited to providing a special web site with security-oriented content that is dedicated for this purpose, or suggesting a relevant and trusted third-party web site. This should be a security-oriented web site to which a user with a bot infection can be directed for remediation. This security web site should clearly explain what malware is and the threats that it may pose. Where feasible, there should be a clear explanation of the steps that the user should take in order to attempt to clean their host, and there should be information on how users can strive to keep the host free of future infections. The security web site may also have a guided process that takes non-technical users through the remediation process, on an easily understood, step-by-step basis. The site may also provide recommendations concerning free as well as for-fee remediation services so that the user understands that they have a range of options, some of which can be followed at no cost.
9-8-8922 Critical Privacy Considerations in Botnet Detection, Notification, and Remediation:
Because technical measures to (a) detect compromised end-user devices, (b) notify end-users of the security issue, and (c) assist in addressing the security issue, may result in the collection of customer information (including possibly “personally identifiable information” and other sensitive information, as well as the content of customer communications), ISPs should ensure that all such technical measures address customers’ privacy, and comply and be consistent with all applicable laws and corporate privacy policies.
9-8-8923 Critical Measures to Protect Privacy in Botnet Response:
In designing technical measures for identification, notification, or other response to compromised end-user devices (“technical measures”), ISPs should pursue a multi-prong strategy to protect the privacy of customers’ information, including but not limited to the following:
a) ISPs should design technical measures to minimize the collection of customer information;
b) In the event that customer information is determined to not be needed for the purpose of responding to security issues, the information should promptly be discarded;
c) Any access to customer information collected as a result of technical measures should at all times be limited to those persons reasonably necessary to implement the botnet-response security program of the ISP, and such individuals’ access should only be permitted as needed to implement the security program;
d) In the event that temporary retention of customer information is necessary to identify the source of a malware infection, to demonstrate to the user that malicious packets are originating from their broadband connection, or for other purposes directly related to the botnet-response security program, such information should not be retained longer than reasonably necessary to implement the security program (except to the extent that law enforcement investigating or prosecuting a security situation, using appropriate procedures, has requested that the information be retained); and
e) The ISP’s privacy compliance officer, or another person not involved in the execution of the security program, should verify compliance by the security program with appropriate privacy practices.
9-9-0400 Highly Important Network Operators, Service Providers, and Public Safety should establish measurements to monitor their network performance.
9-9-0401 Critical Network Operators, Service Providers, and Public Safety should monitor their network to enable quick response to network issues.
9-9-0402 Critical Network Operators, Service Providers, and Public Safety should, where appropriate, design networks (e.g., Time Division Multiplexing (TDM) or Internet Protocol (IP)) to minimize the impact of a single point of failure (SPOF).
9-9-0403 Important Network Operators, Service Providers, and Public Safety should communicate maintenance windows to appropriate entities so proper methods of procedures can be invoked.
9-9-0405 Highly Important Network Operators, Service Providers, and Public Safety should periodically examine and review their networks to ensure that they meet the current design specifications.
9-9-0406 Highly Important Network Operators, Service Providers, and Public Safety should, where appropriate, establish a process to ensure that spares inventory is kept current to at least a minimum acceptable release (e.g., hardware, firmware or software version).
9-9-0412 Important Network Operators, Service Providers, and Public Safety, to enhance security, should, by default, disable ICMP (Internet Control Message Protocol) redirect messages and IP source routing.
9-9-0414 Highly Important Network Operators, Service Providers, and Public Safety should establish plans for internal communications regarding maintenance activities and events that impact customers.
9-9-0415 Highly Important Network Operators, Service Providers, and Public Safety should test the restoral process associated with critical data back-up, as appropriate.
9-9-0416 Highly Important Network Operators, Service Providers, and Public Safety should design and implement procedures for traffic monitoring, trending and forecasting so that capacity management issues may be addressed.
9-9-0417 Critical Network Operators, Service Providers, and Public Safety should design and implement procedures to evaluate failure and emergency conditions affecting network capacity.
9-9-0418 Highly Important Back-out MOPs: Network Operators and Service Providers should, where appropriate, have a documented back-out plan as part of a Method of Procedure (MOP) for scheduled and unscheduled maintenance activities.
9-9-0422 Highly Important Network Operators, Service Providers, and Public Safety should collect failure-related data to perform cause analysis, impact and criticality analysis and failure trending.
9-9-0423 Highly Important Cable Management: Equipment Suppliers should provide cable management features and installation instructions for network elements that maintain cable bend radius, provide strain relief to prevent cable damage, ensure adequate cable connector spacing for maintenance activities, and provide clear access for cable rearrangement (i.e. moves/add/deletes) and FRU (Field Replaceable Unit) swaps.
9-9-0425 Highly Important Network Operators, Service Providers, and Public Safety should maintain software version deployment records, as appropriate.
9-9-0428 Highly Important Service Providers, Network Operators, and Public Safety should monitor software and hardware vulnerability reports and take the recommended action(s) to address problems, where appropriate. Reports and recommendations are typically provided by equipment suppliers and Computer Emergency Response Teams (CERTs).
9-9-0442 Highly Important Service Providers and Public Safety should consider measuring end-to-end path performance and path validity for both active and alternate routes.
9-9-0447 Important Network Operators and Service Providers should consider establishing a customer advocacy function to take part in the development and scheduling of changes in order to minimize impact.
9-9-0449 Critical Network Operators and Service Providers should, where feasible, deploy SPAM controls in relevant nodes (e.g., message centers, email gateways) in order to protect critical network elements and services.
9-9-0456 Critical Network Operators should maintain records of pertinent information related to a cell site for its prioritization in disaster recovery and key coverage areas (e.g., emergency services, government agencies, proximity to hospitals).
9-9-0476 Critical Network Operators, Public Safety, and Property Managers should consider conducting physical site audits after a major event (e.g., weather, earthquake, auto wreck) to ensure the physical integrity and orientation of hardware has not been compromised.
9-9-0504 Highly Important Network Operators, Service Providers, and Public Safety, in order to facilitate asset management and increase the likelihood of having usable spares in emergency restorations, should consider maintaining "hot spares" (e.g., circuit packs electronically plugged in and interfacing with any element management system) as opposed to being stored in a cabinet for mission critical elements.
9-9-0505 Highly Important Network Operators, Service Providers, and Public Safety should have procedures in place to process court orders and subpoenas for wire taps or other information.
9-9-0510 Critical Network Operators, Service Providers, Public Safety and Equipment Suppliers should, by design and practice, manage critical Network Elements (e.g., Domain Name Servers, Signaling Servers, Gateway Servers) that are essential for network connectivity and subscriber service as critical systems (e.g., secure, redundant, alternative routing).
9-9-0513 Highly Important Network Operators and Service Providers should maintain a 24x7x365 contact list of other providers and operators for service restoration of inter-connected networks and as appropriate share with Public Safety and Support providers.
9-9-0519 Highly Important Capacity Monitoring: Network Operators and Service Providers should engineer and monitor networks to ensure that operating parameters are within capacity limits of their network design (e.g., respect limitations of deployed packet switches, routers and interconnects, including "managed networks" and "managed CPE"). These resource requirements should be re-evaluated as services change or grow.
9-9-0529 Highly Important Network Operators, Service Providers and Equipment Suppliers should support sharing of appropriate information pertaining to outages as an effort to decrease the potential of further propagation (e.g., ATIS NIIF reference document).
9-9-0530 Highly Important Network Operators, Service Providers, Public Safety, and Equipment Suppliers should participate in interoperability testing (including services), as appropriate, to maintain reliability across connected networks.
9-9-0532 Highly Important Network Operators and Public Safety should periodically audit the physical and logical diversity called for by network design of their network segment(s) and take appropriate measures as needed.
9-9-0536 Highly Important As appropriate, Network Operators and Service Providers should deploy security and reliability related software updates (e.g., patches, maintenance releases, dot releases) when available between major software releases. Prior to deployment, appropriate testing should be conducted to ensure that such software updates are ready for deployment in live networks. Equipment Suppliers should include such software updates in the next generic release and relevant previous generic releases.
9-9-0541 Highly Important Network Operators, Service Providers, Public Safety, and Equipment Suppliers should store multiple software versions for critical network elements and be able to fallback to earlier versions.
9-9-0546 Critical Network Operators and Service Providers should minimize single points of failure (SPOF) in paths linking network elements deemed critical to the operations of a network (with this design, two or more simultaneous failures or errors need to occur at the same time to cause a service interruption).
9-9-0547 Highly Important Network Operators and Service Providers should place critical network databases (e.g., directory server, feature server, Service Control Point (SCP)) in a secure environment across distributed locations to provide service assurance (e.g., maintainability, connectivity, security, reliability) consistent with other critical network elements.
9-9-0548 Highly Important Post Mortem Review: Network Operators and Service Providers should have an internal post mortem process to complete root cause analysis of major network events with follow-up implementation of corrective and preventive actions to minimize the probability of recurrence. Network Operators and Service Providers should engage Equipment Suppliers and other involved parties, as appropriate, to assist in the analysis and implementation of corrective measures.
9-9-0550 Highly Important Network Operators, Public Safety, and Equipment Suppliers should implement procedures to ensure synchronization and security of databases.
9-9-0566 Critical Network Operators, Service Providers and Public Safety should consider placing and maintaining 9-1-1 TDM or IP based networks over diverse interoffice transport facilities (e.g., geographically diverse facility routes, automatically invoked standby routing, diverse digital cross-connect system services, self-healing fiber ring topologies, or any combination thereof).
9-9-0567 Important Network Operators, Service Providers, and Public Safety should spread 9-1-1 and Next Generation 9-1-1 access connections across similar equipment to avoid single points of failure and clearly mark plug-in level components and termination points as critical essential services that are to be treated with a high level of care.
9-9-0568 Critical Network Operators, Service Providers and Public Safety should establish a routing plan so that in the case of lost connectivity or disaster impact affecting a Public Safety Answering Point (PSAP), 9-1-1 calls are routed to an alternate PSAP answering point.
9-9-0569 Highly Important Network Operators, Service Providers, and Public Safety should consider using the Public Switched Telephone Network (PSTN) as a backup to dedicated trunks for the 9-1-1 network during periods of network failure. In cases where the ability to deliver 9-1-1 calls to the Public Safety Answering Point (PSAP) through normal routing is interrupted by a failure (not all trunks busy conditions) consider forwarding the call over the PSTN to a telephone number specified and answered by Public Safety authorities. It is desirable for that specified telephone number to be a type that can provide the original Caller ID/Automatic Number Identification (ANI).
9-9-0570 Important Network Operators, Service Providers, and Public Safety should implement procedures that allow for 9-1-1 traffic to be rerouted to an alternate 9-1-1 answering location such as a fixed, mobile, or temporary PSAP (automatically, based on policy rules or with minimal manual intervention). Examples include situations where a network condition causes 9-1-1 call delivery to be disrupted or PSAP personnel must be evacuated for safety reasons.
9-9-0571 Critical Network Operators and Public Safety should consider deploying dual active 9-1-1 selective routing architectures to enable circuits from the serving end office to be split between two selective routers or Emergency Service Routing Proxies (ESRP) in order to eliminate single points of failure (SPOF) taking diversity between Selective Routers (SR) or ESRP and PSAP into consideration.
9-9-0574 Critical Network Operators, Service Providers, and Public Safety should actively monitor and manage the 9-1-1 network components using network management controls, where available, to quickly restore 9-1-1 service and provide priority repair during network failure events. When multiple interconnecting providers and vendors are involved, they will need to cooperate to provide end-to-end analysis of complex call-handling problems.
9-9-0575 Critical Network Operators, Service Providers, and Public Safety should deploy location identification systems used by Public Safety in a redundant, geographically diverse manner (i.e., two identical ALI/Mobile Positioning Center (MPC) Gateway Mobile Location Center (GMLC)/VPC/LIS database systems with mirrored data located in geographically diverse locations).
9-9-0576 Highly Important Network Operators and Service Providers should minimize impact from pre-planned high volume call events by invoking network management and congestion controls for affected end offices to maximize 9-1-1 call throughput.
9-9-0577 Critical Network Operators, Service Providers and Public Safety responsible for Public Safety Answering Point (PSAP) operations should jointly and periodically test and verify that critical components (e.g., automatic re-routes, PSAP Make Busy keys) included in contingency plans work as designed.
9-9-0578 Highly Important Network Operators, Service Providers and Public Safety should actively engage in public education efforts aimed at informing the public of the capabilities and proper use of 9-1-1.
9-9-0579 Critical Network Operators, Service Providers and Public Safety should routinely team to develop, implement, test, evaluate and update, as needed, plans for managing 9-1-1 disruptions (e.g., share information about network and system security and reliability where appropriate).
9-9-0580 Critical Network Operators and Public Safety Authorities should apply redundancy and diversity where feasible, to all network links considered vital to a community's ability to respond to emergencies.
9-9-0581 Critical Network Operators and Service Providers should include Automatic Location Identification (ALI) data for both traditional and alternate providers (e.g., Private Switch, Competitive Local Exchange Carrier (CLEC), Voice over Internet Protocol (VoIP)) in the ALI systems, where required.
9-9-0584 Important Service Providers, Network Operators and Equipment Suppliers and Government representatives [of the National Security and Emergency Preparedness (NS/EP) community] should work together to support appropriate industry and international organizations to develop and implement NS/EP standards in networks.
9-9-0587 Important Government, Network Operators and Service Providers of critical services to National Security and Emergency Preparedness (NS/EP) users should avail themselves of the Telecommunications Service Priority (TSP) program and support / promote as applicable.
9-9-0592 Highly Important Network Operators and Service Providers should provide duplicated, non-co-located maintenance administration, surveillance and support for network elements. Monitoring and administration locations should be minimized to provide consistency of operations and overall management.
9-9-0594 Highly Important Maintaining SS7 Link Diversity: Network Operators and Service Providers should follow industry guidelines for validating SS7 link diversity. SS7 link diversification validation should be performed at a minimum of twice a year, and at least one of those validations should include a physical validation of equipment compared to the recorded documentation of diversity.
9-9-0595 Highly Important Network Operators and Service Providers should be aware of the dynamic nature of peak traffic periods and should consider scheduling potentially service-affecting procedures (e.g., maintenance, high risk procedures, growth activities) so as to minimize the impact on end-user services.
9-9-0596 Highly Important Network Operators and Service Providers should carefully review all re-home procedures, undertake meticulous pre-planning before execution, and ensure that re-home procedures are carefully followed.
9-9-0599 Highly Important Network Operators, Service Providers, and Public Safety should conduct exercises periodically to test a network's operational readiness for various types of events (e.g., hurricane, flood, nuclear, biological, and chemical), through planned, simulated exercises being as authentic as practical including scripts prepared in advance with team members playing their roles as realistically as possible.
9-9-0600 Highly Important Network Operators and Service Providers should establish and document a process to plan, test, evaluate and implement major change activities onto their network.
9-9-0601 Important Network Operators and Service Providers should restrict commands available to technicians to ensure authorized access and use, and maintain, manage and protect an audit trail.
9-9-0602 Important Network Operators and Service Providers should establish procedures to reactivate alarms after provisioning or maintenance activities (when alarms are typically deactivated).
9-9-0603 Highly Important Network Operators, Service Providers and Public Safety should establish policies and procedures that outline how critical network element databases will be backed up onto a storage medium (e.g., tapes, optical diskettes) on a scheduled basis.
9-9-0605 Highly Important Network Operators and Service Providers should assess the synchronization needs of the network elements and interfaces that comprise their networks to develop and maintain a detailed synchronization plan.
9-9-0608 Highly Important Network Operators and Service Providers should utilize network surveillance and monitoring to keep overflow traffic conditions from adversely affecting networks. Interconnecting companies should address the control of overflow conditions in their bilateral agreements.
9-9-0612 Critical Network Operators and Service Providers should verify both local and remote alarms and remote network element maintenance access on all new critical equipment installed in the network, before it is placed into service.
9-9-0615 Highly Important Network Operators and Service Providers should test complex configuration changes before and after the change to ensure the appropriate and expected results.
9-9-0616 Highly Important Network Operators and Service Providers should design and implement procedures to evaluate failure and emergency conditions affecting network capacity.
9-9-0617 Highly Important Route Controls: Network Operators and Service Providers should ensure that routing controls are implemented and managed to prevent adverse routing conditions.
9-9-0619 Highly Important Network Operators, Service Providers, Property Managers and Public Safety Providers should coordinate with fire agencies in emergency response preplanning efforts for communications equipment locations.
9-9-0622 Highly Important Network Operators, Service Providers, Property Managers and Public Safety should use approved industry standards for Telecommunications Environmental Protection, DC Power Systems for key equipment locations (e.g., routers, central office switches, and other critical network elements) to reduce fires associated with DC power equipment.
9-9-0630 Highly Important Network Operators, Service Providers, Equipment Suppliers and Property Managers should develop and execute standard Method of Procedure (MOP) for all vendor work in or external to equipment locations with emphasis on service continuity and safety precautions.
9-9-0635 Important Network Operators, Service Providers, Property Managers and Public Safety should ensure that AC surge protection is provided at the power service entrance to minimize the effects caused by lightning or extremely high voltages.
9-9-0644 Critical Network Operators, Service Providers, Property Managers and Public Safety should use over-current protection devices and fusing.
9-9-0649 Highly Important Network Operators and Service Providers and Property Managers should ensure critical network facilities have appropriate fire detection and alarm systems.
9-9-0653 Highly Important Network Operators, Service Providers and Property Managers should retain complete authority about when to transfer from the electric utility and operate standby generators.
9-9-0654 Important Network Operators, Service Providers and Property Managers should not normally enter into power curtailment or load sharing contracts with electric utilities.
9-9-0655 Critical Network Operators, Service Providers, Property Managers and Public Safety should coordinate hurricane and other disaster restoration work with electrical and other utilities as appropriate.
9-9-0656 Highly Important Network Operators and Service Providers should establish a general requirement for power conditioning, monitoring and protection for sensitive equipment.
9-9-0657 Critical Network Operators, Service Providers, Property Managers and Public Safety should design standby generator systems for fully automatic operation and for ease of manual operation, when required.
9-9-0658 Critical Network Operators, Service Providers, Property Managers and Public Safety should ensure generator life support systems (e.g., radiator fan, oil cooler fan, water transfer pumps, fuel pumps, engine start battery chargers) are on the essential Alternating Current (AC) buss of the generator they serve.
9-9-0660 Highly Important Network Operators, Service Providers, Property Managers and Public Safety should have a plan that is periodically verified for providing portable generators to offices with and without stationary engines.
9-9-0662 Critical Network Operators, Service Providers, Property Managers and Public Safety should exercise power generators on a routine schedule in accordance with manufacturer's specifications. For example, a monthly 1 hour engine run on load, and a 5 hour annual run.
9-9-0663 Important Network Operators, Service Providers and Property Managers should coordinate scheduled power generator tests with all building occupants to avoid interruptions.
9-9-0664 Important Network Operators, Service Providers and Equipment Suppliers should provide indicating type control fuses on the front of the power panels, including smaller distribution panels.
9-9-0665 Highly Important Network Operators, Service Providers and Property Managers should provide and maintain accurate single line drawings of AC switch equipment on-site.
9-9-0667 Highly Important Network Operators, Service Providers and Property Managers should keep circuit breaker racking/ratchet tools, spare fuses, fuse pullers, etc. readily available.
9-9-0668 Important Network Operators, Service Providers, Equipment Suppliers, Property Managers and Public Safety should clearly label the equipment served by each circuit breaker and fuse.
9-9-0669 Highly Important Network Operators, Service Providers, Property Managers and Public Safety should develop and/or provide appropriate emergency procedures for Alternating Current (AC) transfer.
9-9-0671 Highly Important Network Operators, Service Providers, Property Managers and Public Safety should design and implement a preventive maintenance and inspection program for electrical systems.
9-9-0674 Important Network Operators, Service Providers, Property Managers, and Public Safety should initiate or continue a modernization program to ensure that outdated power equipment is phased out of plant considering capabilities of smart controllers, local and remote monitoring and control, alarm systems when updating power equipment, and being integrated into engineering and operational strategies.
9-9-0679 Highly Important Network Operators, Service Providers and Equipment Suppliers should provide diverse power feeds for all redundant links (e.g., SS7, BITS clocks) and any components identified as "critical" single points of failure (SPOF) in transport and operations of the network.
9-9-0689 Important Network Operators, Service Providers and Public Safety should provide a separate "battery discharge" alarm for all critical infrastructure facilities, and where feasible, periodically (e.g., every 15 minutes) repeat the alarm as long as the condition exists.
9-9-0690 Important Network Operators, Property Managers and Public Safety should consider providing power alarm redundancy so that no single point alarm system failure will lead to a network power outage.
9-9-0693 Important Network Operators, Service Providers and Property Managers should emphasize the use of Methods Of Procedures (MOPs), vendor monitoring, and performing work on in-service equipment during low traffic periods.
9-9-0694 Important Network Operators and Service Providers should check for current flow in cables with AC/DC clamp-on ammeters before removing the associated fuses or opening the circuits during removal projects.
9-9-0695 Highly Important Network Operators, Service Providers, Property Managers and Public Safety should develop and test plans to address situations where normal power backup does not work (e.g., commercial AC power fails, the standby generator fails to start, automatic transfer switch fails).
9-9-0697 Important Network Operators, Service Providers, Equipment Suppliers and Public Safety should employ an "Ask Yourself" program as part of core training and daily operations.
9-9-0699 Highly Important Network Operators, Service Providers, Equipment Suppliers, Property Managers and Public Safety should design standby systems (e.g., power) to withstand harsh environmental conditions.
9-9-0700 Highly Important Network Operators, Service Providers and Equipment Suppliers should consider the need for power expertise/power teams.
9-9-0701 Highly Important Network Operators, Service Providers, Property Managers, and Public Safety should provide security for portable generators.
9-9-0736 Highly Important Network Operators should develop and implement a rapid restoration program for cables and facilities.
9-9-0745 Important Equipment Suppliers should design equipment so that changes and upgrades are non-service impacting.
9-9-0750 Highly Important Equipment Suppliers should provide a mechanism for feature activation or deactivation that is not service impacting to end-users (e.g., avoid re-boot, re-start or re-initialization).
9-9-0758 Critical Network Operators, Service Providers and Public Safety should, upon restoration of service in the case of an outage where 9-1-1 call completion is affected, make/request multiple test calls to the affected PSAP(s) to ensure proper completion.
9-9-0759 Important Network Operators and Service Providers should ensure that engineering, design, and installation processes address how new network elements are integrated into the office and network synchronization plan(s).
9-9-0760 Important Network Operators, Service Providers and Public Safety should maintain records that accurately track the diversity of internal wiring for office synchronization, including timing leads and power.
9-9-0762 Highly Important Network Operators should engineer networks supporting VoIP applications to provide redundant and highly available application layer services.
9-9-0766 Highly Important Service Providers should consider using a minimum interoperable subset for VoIP coding standards (for example, TI 811 mandates the use of G.711) in a VoIP-to-PSTN gateway configuration in order to achieve interoperability and support all types of voiceband communication (e.g., DTMF tones, facsimile, TTY/TDD).
9-9-0773 Highly Important Network Operators, Service Providers, Property Managers, and Public Safety should perform annual capacity evaluation of power equipment, and perform periodic scheduled maintenance, including power alarm testing.
9-9-0774 Important Network Operators, Service Providers, Equipment Suppliers, and Public Safety should provide warning signs to indicate precautions to be taken when powering on circuits that require special procedures.
9-9-0775 Highly Important Network Operators and Service Providers should consult and update the synchronization plan whenever facility (e.g., intra-/inter-office or inter-provider interconnect circuits) rearrangements, additions, deletions, or consolidations are planned. Verify the completed changes against the synchronization plan.
9-9-0780 Critical Network Operators, Service Providers, and Public Safety should consider including coordination information of each other when developing disaster restoration and prioritization plans.
9-9-0786 Critical Network Operators, Service Providers, and Public Safety should consider allowing Equipment Suppliers or third party Service Providers remote secured access to vital hardware components.
9-9-0797 Important Network Operators, Service Providers, Public Safety, and Equipment Suppliers should consider creating a workforce augmentation plan prior to a pandemic or other crisis situation.
9-9-0803 Important Network Operators, Service Providers, Public Safety, and Equipment Suppliers are encouraged to continue to participate in the development and expansion of industry standards for traffic management that promote interoperability and assist in meeting end user quality of service needs.
9-9-0805 Important Service Providers, Network Operators and Equipment Suppliers should work to establish operational standards and practices that support broadband capabilities and interoperability (e.g., video, voice, data, wireless).
9-9-0819 Important For the deployment of Residential Internet Access Service, Network Operators should provide backup power for broadband network equipment when economically and technically practical.
9-9-0823 Highly Important For the deployment of Residential Internet Access Service, Network Operators, Service Providers and Equipment Suppliers should design, build, and operate broadband networks considering performance aspects of the data facilities employed, such as: packet loss ratio, Bit Error Ratio, latency, and compression, where feasible.
9-9-0900 Highly Important Network Operators and Service Providers operating a Virtual Private Cloud (VPC), Mobile Positioning Center (MPC), or Gateway Mobile Location Center (GMLC) should strive to reduce bad shell record data routing errors for 9-1-1 pseudo Automatic Number Identification (pANI) due to incorrect Master Street Address Guide (MSAG) to Emergency Service Number (ESN) to Public Safety Answering Point (PSAP) relationship (MSAG-ESN-PSAP) by following National Emergency Number Association (NENA) 56-504 “NENA VoIP 9-1-1 Deployment and Operational Guidelines” to fully test routing for every pANI placed in service.
9-9-0901 Highly Important Voice over Internet Protocol (VoIP) Service Providers (VSP) should conduct extensive 9-1-1 call-through testing for environments that have a high user capacity (e.g., university campuses, large commercial enterprise campuses, and densely populated multi-tenant buildings/complexes) to immediately reduce the risk of misrouting a block of callers at a particular facility and in turn reduce the liability for those same entities.
9-9-0902 Highly Important Service Providers and Network Operators when reconfiguring their network (e.g., changes to Virtual Private Cloud (VPC), Mobile Position Center (MPC), Gateway Mobile Location Center (GMLC), or Emergency Services Gateway (ESGW)) should assess the impact on the routing of 9-1-1 calls.
9-9-1001 Critical Network Operators, Service Providers, Equipment Suppliers, Property Managers, and Public Safety should formally document their business continuity processes in a business continuity plan covering critical business functions and business partnerships. Key areas for consideration include: Plan Scope, Responsibility, Risk Assessment, Business Impact Analysis, Plan Testing, Training and Plan Maintenance.
9-9-1004 Highly Important Network Operators, Service Providers, Equipment Suppliers, Property Managers, and Public Safety should review their Business Continuity Plan(s) on an annual basis to ensure that plans are up-to-date, relevant to current objectives of the business and can be executed as written.
9-9-1005 Critical Network Operators, Service Providers, Equipment Suppliers, and Public Safety should perform a Business Impact Analysis (BIA) to assess the impact of the loss of critical operations, support systems and applications.
9-9-1009 Highly Important Network Operators, Service Providers, Equipment Suppliers, and Public Safety should regularly conduct exercises that test their Disaster Recovery Plans. Exercise scenarios should include natural and man-made disasters (e.g., hurricane, flood, nuclear, biological, and chemical).
9-9-1010 Critical Network Operators, Service Providers, Equipment Suppliers, and Public Safety should designate personnel responsible for maintaining Business Continuity and Disaster Recovery Plans.
9-9-1011 Critical Network Operators, Service Providers, Equipment Suppliers, and Public Safety should establish alternative methods of communication for critical personnel.
9-9-1015 Important Network Operators, Service Providers, and Public Safety should make available to the disaster recovery team "as-built" drawings of network sites.
9-9-1017 Critical Network Operators, Service Providers, and Public Safety should have documented plans or processes to assess damage to network elements, outside plant, facility infrastructure, etc. for implementation immediately following a disaster.
9-9-1018 Highly Important Network Operators, Service Providers, Equipment Suppliers and Public Safety should emphasize employee and public safety during a disaster and all phases of disaster recovery.
9-9-1020 Highly Important Network Operators, Service Providers, Public Safety and Equipment Suppliers should assess the need for Chemical, Biological, Radiological and Nuclear (CBRN) response program to safely restore or maintain service in the aftermath of fuel/chemical contamination or a Weapons of Mass Destruction (WMD) attack.
9-9-1022 Critical Network Operators, Service Providers, Public Safety, and Equipment Suppliers should consider the development of a vital records program to protect vital records that may be critical to restoration efforts.
9-9-1023 Critical Network Operators, Service Providers, Public Safety and Equipment Suppliers should identify essential staff within their organizations that are critical to disaster recovery efforts. Planning should address the availability of these individuals and provide for backup staff.
9-9-1024 Important Network Operators, Service Providers, Public Safety and Equipment Suppliers should plan for the possibility of a disaster occurring during a work stoppage.
9-9-1026 Important Network Operators, Public Safety and Service Providers should consider creating a policy statement that defines a remote system access strategy, which may include a special process for disaster recovery.
9-9-1028 Critical Network Operators, Service Providers, Public Safety and Property Managers should engage in preventative maintenance programs for network site support systems including emergency power generators, UPS, DC plant (including batteries), HVAC units, and fire suppression systems.
9-9-1029 Important Network Operators, Public Safety and Service Providers should periodically review their portable power generator needs to address changes to the business.
9-9-1031 Highly Important Network Operators, Public Safety and Service Providers should consider entering into Mutual Aid agreements with partners best able to assist them in a disaster situation using the templates provided on the NRIC and NCS websites. These efforts could include provisions to share spectrum, fiber facilities, switching, and/or technician resources.
9-9-1032 Highly Important Network Operators, Public Safety and Service Providers should document their critical equipment suppliers, vendors, contractors and business partners in their Business Continuity Plans along with an assessment of the services, support, and capabilities available in the event of a disaster.
9-9-1033 Critical Network Operators should develop a strategy for deployment of emergency mobile assets such as Cell on Wheels (COWs), cellular repeaters, Switch on Wheels (SOWs), transportable satellite terminals, microwave equipment, power generators, HVAC units, etc. for emergency use or service augmentation for planned events (e.g., National Special Security Event (NSSE)).
9-9-1034 Critical Network Operators and Public Safety should ensure that the emergency mobile assets are maintained at a hardware and software level compatible with the existing network infrastructure so that the emergency mobile assets will be immediately available for deployment.
9-9-1035 Important Network Operators, Public Safety and Service Providers should include trial deployment of emergency mobile assets in disaster response exercises to evaluate level of personnel readiness.
9-9-1037 Highly Important Network Operators, Public Safety, Service Providers, Equipment Suppliers and Public Safety Authorities should use a disaster recovery support model that provides a clear escalation path to executive levels, both internally and to business partners.
9-9-1038 Highly Important Network Operators, Service Providers, Public Safety, and Equipment Suppliers should consider during all hazard and preplanned events, communicating the response status frequently and consistently to all appropriate employees detailing what processes have been put in place to support customers and what priorities have been established in the response.
9-9-1058 Highly Important Network Operators, Service Providers, Public Safety and Equipment Suppliers should work collectively with local, state, and federal governments to develop relationships fostering efficient communications, coordination and support for emergency response and restoration.
9-9-1063 Critical Network Operators, Public Safety and Service Providers should set Initial Address Messages (IAMs) to congestion priority in accordance with applicable ANSI standards. This will ensure government emergency calls (e.g., 9-1-1, GETS) receive proper priority during national emergency situations. Implementation in all networks should be in accordance with ANSI T1.111.
9-9-1067 Highly Important Network Operators, Public Safety, Service Providers and Property Managers should consider, in preparation for predicted natural events, placing standby generators on line and verifying proper operation of all subsystems (e.g., ice, snow, flood, hurricanes).
9-9-3202 Important The Service Provider and the Public Safety Agency or its agent that utilize Public Safety mass calling systems for emergency notification should have a pre-established procedure to notify all impacted network operators, prior to launching an alert event.
9-9-3204 Highly Important Public Safety and Government should work with Service Providers to educate the public on the proper use of N11 Access codes (e.g., 211, 311, 411 or 511 services) where available, such that it enables the 9-1-1 network and personnel to be exclusively focused on emergencies.
9-9-3205 Important Network Operators, Service Providers and Public Safety organizations should consider participating in standards bodies and other forums contributing to Emergency Telecommunications Services (ETS).
9-9-3211 Highly Important Network Operators, Public Safety and Service Providers should develop and maintain operations plans that address network reliability issues. Network Operators and Service Providers should proactively include Public Safety authorities when developing network reliability plans in support of 9-1-1 services.
9-9-3212 Important Network Operators and Service Providers should consider including notification of Public Safety Authorities, as appropriate, in their trouble notification plans.
9-9-3214 Important Public Safety Answering Points should avoid deploying an automatic ALI rebid function for wireless E9-1-1 calls. However, where deemed necessary, an automatic ALI rebid function should only be deployed for the initial bid to retrieve the Phase II location.
9-9-3215 Important For Network Operators that operate Mobile Switching Centers (“MSCs”), the MSC should default route 9-1-1 calls based on cell sector/tower location to the proper serving Public Safety Answering Point (PSAP) when necessary and where feasible.
9-9-3216 Important For Network Operators that cannot default route 9-1-1 calls based on cell sector/tower location, switch level defaulted calls should be routed to a “fast busy” tone or to an appropriate recorded announcement.
9-9-3217 Highly Important Network Operators and Service Providers should provide and maintain current 24/7/365 contact information accessible to Public Safety Answering Points (PSAPs) so that PSAPs may obtain additional subscriber information as appropriate.
9-9-3218 Important Public Safety should provide training to educate PSAP personnel as to the process to obtain E9-1-1 Phase II data.
9-9-3219 Important Public Safety should provide training to educate PSAP personnel as to the proper meaning and interpretation of the E9-1-1 Phase II display parameters.
9-9-3223 Highly Important Network Operators, Public Safety and Service Providers should implement dedicated trunk groups between the Mobile Switching Center (MSC) end office or similar source and the E9-1-1 Selective Router (SR), based on the geography served by the default Public Safety Answering Points (PSAPs).
9-9-3224 Highly Important Network Operators, Service Providers, and Public Safety should use dedicated Signaling System 7 (SS7) or Multi-Frequency (MF) controlled trunk groups for the normal routing of 9-1-1 calls from originating switching entities to 9-1-1 Selective Routers (SRs) rather than using shared Public Switched Telephone Network (PSTN) trunk arrangements and where appropriate and necessary supported by service level agreements.
9-9-3225 Highly Important Network Operators, Public Safety and Service Providers that deploy geographically diverse 9-1-1 Mobile Positioning Centers (MPC) with dual load sharing nodes should ensure that the utilization on either node is less than half of each node's capacity so that if one node fails the other node will absorb the load.
9-9-3226 Critical Network Operators, Public Safety and Service Providers operating Mobile Positioning Centers (MPC) should provide 24x7 network operations support.
9-9-3227 Highly Important Network Operators, Service Providers, Public Safety and Equipment Suppliers should deploy location solutions such that the E9-1-1 related data traffic between the Position Determining Entity (PDE) and the mobile subscriber associated with location determination should not interfere with the voice traffic, when feasible.
9-9-3228 Highly Important Network Operators, Service Providers, Public Safety and Equipment Suppliers that use Global Positioning System (GPS) enabled Phase II location solutions should ensure that the GPS satellite location information (e.g., GPS ephemeris, almanac, etc.) is as current as is feasible to assist the handset in providing improved accuracy of the GPS fix, aiding in the reduction of the time of database responses and reduction of the number of database query rebids.
9-9-3229 Important Network Operators, Public Safety and Service Providers that operate Mobile Positioning Centers (MPC)/ Gateway Mobile Location Centers (GMLC) should maintain local storage of record logs for a minimum of 7 days showing incoming successful requests from Emergency Services Message Entity (ESME) and outgoing responses to ESME.
9-9-3230 Important Network Operators, Public Safety and Service Providers that produce location event records that include time-stamped call detail transactions should store these records for a minimum of 3 days.
9-9-3231 Highly Important Network Operators, Public Safety and Service Providers that use Global Positioning System (GPS) enabled Phase II location solutions should ensure that the GPS satellite location identification information (e.g., GPS ephemeris, almanac, etc.) is transmitted to the Phase II Mobile Subscriber or Position Determining Entities (PDE) as soon as is feasible after the E9-1-1 call commences in order to reduce the number of database query rebids.
9-9-3233 Important Service Providers and Public Safety deploying wireless Phase II should work to ensure that Phase II accuracy is optimized and the performance trouble resolution process is followed as needed.
9-9-3234 Critical Network Operators, Service Providers, and Public Safety should establish mechanisms in Next Generation 9-1-1 (NG9-1-1) applications to handle call congestion and outages through diversion of calls to alternate Public Safety Answering Points (PSAP) that have the capabilities to effectively answer and provide assistance during periods of extreme overload or network failure scenarios.
9-9-3235 Critical Network Operators, Service Providers, and Public Safety should design Emergency Services IP Networks (ESInets) with redundant interconnectivity to Online Service Providers (OSPs) and Public Safety Answering Points (PSAP) to maintain connectivity in the face of extensive disaster damage using the characteristics of IP routing to provide assistance in ensuring 9-1-1 calls will reach a PSAP if there is any path possible.
9-9-3236 Highly Important Network Operators, Public Safety, and Equipment Suppliers should have procedures in place to allow for manual configuration in the event of a failure of automatic synchronization systems.
9-9-3237 Highly Important Network Operators, Public Safety, and Equipment Suppliers should consider restricting provisioning technicians from all commands except those that are needed for their work (least privileges) and avoid any "global" commands or unauthenticated, privileged access that may have the potential for significant impact.
9-9-3238 Highly Important Network Operators, Service Providers, and Public Safety should consider using wireless public or private networks as a backup to dedicated trunks for the 9-1-1 network during periods of network failure. In cases where the ability to deliver 9-1-1 calls to the Public Safety Answering Point (PSAP) through normal routing is interrupted by a failure (not all trunks busy conditions) consider forwarding the call over wireless public, private networks, or satellite-based services to provide an additional alternate path to the PSTN, providing IP multimedia connectivity for next generation networks, or used solely as an alternate call delivery path for the voice component of 9-1-1 calls.
9-9-3239 Highly Important Network Operators, Service Providers, and Public Safety should implement testing and verification processes for 9-1-1 pseudo Automatic Number Identification (pANI) to prevent bad data from being entered into the wrong routing databases typically occurring at the Automatic Location Information (ALI) or Selective Router (SR) stage of the provisioning process.
9-9-3240 Highly Important Network Operators, Service Providers, and Public Safety should establish an assignment accuracy process to send a list of all applicable Master Street Address Guide (MSAG) ranges to Virtual Private Cloud (VPC) and Mobile Positioning Center (MPC) operators to ensure pseudo Automatic Number Identification (pANI) shell records are built correctly during original pANI provisioning to reduce negative impact of errors related to data entry.
9-9-3241 Highly Important Network Operators and Service Providers using IP-based connection arrangements for routing to a 9-1-1 system Service Provider (SSP) or Public Safety agency should ensure those transport facilities are diverse private facilities or their functional equivalent (e.g., generic routing encapsulation (GRE) tunneling, virtual private network (VPN), or equally secure industry protocols) and where appropriate and necessary supported by service level agreements.
9-9-3242 Highly Important Network Operators, Service Providers, Public Safety, and Equipment Suppliers should work together to jointly perform cause analysis, and meet periodically with the specific agenda of sharing the failure and outage information to develop corrective measures.
9-9-3243 Highly Important Service Providers, Network Operators, and Public Safety should coordinate and perform necessary testing of all new call paths between their network and the emergency services network (e.g., Selective Routers, or the Emergency Services IP Network (ESInet)) that includes a test call using all routing elements.
9-9-5012 Highly Important Network Operators, Service Providers, Public Safety and Equipment Suppliers should limit access to areas of critical infrastructure to essential personnel.
9-9-5073 Highly Important Network Operators, Service Providers, Public Safety, and Equipment Suppliers should perform risk assessment on significant network changes (e.g., technology upgrades).
9-9-5112 Critical Network Operators, Service Providers and Equipment Suppliers should, at the time of the event, coordinate with the appropriate local, state, or federal agencies to facilitate timely access by their personnel to establish, restore or maintain communications, through any governmental security perimeters (e.g., civil disorder, crime scene, disaster area).
9-9-5113 Critical Network Operators, Service Providers, Public Safety and Property Managers, when feasible, should provide multiple cable entry points at critical facilities (e.g., copper or fiber conduit) avoiding single points of failure (SPOF).
9-9-5127 Critical Network Operators, Service Providers, Equipment Suppliers and Public Safety should provide a Government Emergency Telecommunications Service (GETS) card to essential staff critical to disaster recovery efforts and should consider utilizing Wireless Priority Service (WPS) for essential staff. Appropriate training and testing in the use of GETS & WPS should occur on a regular basis (i.e. in conjunction with testing of the corporate disaster recovery plan).
9-9-5128 Critical Network Operators, Service Providers, Equipment Suppliers and Public Safety should maintain accurate records for Government Emergency Telecommunications Service (GETS) cards and Wireless Priority Service (WPS) phone assignments as staff changes occur.
9-9-5130 Important Network Operators, Service Providers, Public Safety, Equipment Suppliers and the Government should conduct public and media relations in such a way as to avoid disclosing specific network or equipment vulnerabilities that could be exercised by a terrorist.
9-9-5131 Highly Important Network Operators and Public Safety should provide appropriate security for emergency mobile units (both pre- and post-deployment) in order to protect against a coordinated terrorist attack on emergency communications capabilities.
9-9-5132 Important Network Operators and Public Safety should identify primary and alternate transportation (e.g., air, rail, highway, boat) for emergency mobile units and other equipment and personnel.
9-9-5133 Highly Important Network Operators and Public Safety should minimize availability of information to a need-to-know basis regarding locations where emergency mobile units and equipment are stored.
9-9-5139 Highly Important Network Operators, Service Providers, Public Safety and Equipment Suppliers should consider establishing procedures for managing personnel who perform functions at disaster area sites.
9-9-5160 Highly Important Public Safety, Network Operators, Service Providers, Equipment Suppliers and Property Managers should have contingency plans in place for the possible absence of critical personnel in their business continuity plan.
9-9-5162 Critical Network Operators, Service Providers, Public Safety and Equipment Suppliers should ensure adequate physical protection for facilities/areas that are used to house certificates and/or encryption key management systems, information or operations.
9-9-5175 Important Network Operators, Service Providers, Public Safety and Equipment Suppliers should establish a proprietary information protection policy to protect proprietary information in their possession belonging to the company, business partners and customers from inadvertent, improper or unlawful disclosure. The policy should establish procedures for the classification and marking of information; storage, handling, transfer and transmission of information, retention guidelines and disposal/deletion of information.
9-9-5196 Critical Network Operators, Public Safety and Service Providers should ensure that contractors and Equipment Supplier personnel working in critical network facilities follow the current applicable MOP (Method of Procedures), which should document the level of oversight necessary.
9-9-5200 Highly Important Network Operators, Service Providers, Public Safety, and Equipment Suppliers should establish and implement procedures for the proper disposal and/or destruction of hardware (e.g., hard drives) that contain sensitive or proprietary information.
9-9-5204 Critical Service Providers, Network Operators, Public Safety and Property Managers should ensure availability of emergency/backup power (e.g., batteries, generators, fuel cells) to maintain critical communications services during times of commercial power failures, including natural and manmade occurrences (e.g., earthquakes, floods, fires, power brown/black outs, terrorism). The emergency/backup power generators should be located onsite, when appropriate.
9-9-5206 Critical Network Operators, Service Providers, Public Safety and Property Managers should maintain sufficient fuel supplies for emergency/backup power generators running at full load and ensure contracted refueling is in place.
9-9-5207 Critical Network Operators, Service Providers, Public Safety and Property Managers should take appropriate precautions to ensure that fuel supplies and alternate sources of power are available for critical installations in the event of major disruptions in a geographic area (e.g., hurricane, earthquake, pipeline disruption). Consider contingency contracts in advance with clear terms and conditions (e.g., Delivery time commitments, T&Cs).
9-9-5208 Important Network Operators, Service Providers, Equipment Suppliers, Public Safety and Property Managers should ensure that electrical work (e.g., AC and high current DC power distribution) is performed by licensed technicians.
9-9-5223 Highly Important Network Operators, Service Providers, Public Safety and Equipment Suppliers should establish a technical support plan that prevents the loss of one facility or location from disabling their ability to provide support.
9-9-5225 Important Network Operators, Service Providers, Equipment Suppliers, Public Safety and Property Managers should ensure that Business Continuity Plan(s) are restricted to those with a need-to-know.
9-9-5227 Highly Important Network Operators, Service Providers, Equipment Suppliers, Pubic Safety and Property Managers should perform after-action reviews of emergency response and restoration of major events to capture lessons learned (e.g., early warning signs) and to enhance emergency response and restoration plans accordingly. A process similar to NRIC VII, Focus Group 2B Report Appendices Appendix Z “Recovery Incident Response (IR) Post Mortem Checklist” can be used to capture and identify countermeasures to prevent or mitigate the impact of future incidents and to quickly and effectively restore service from such events in the future.
9-9-5228 Important Network Operators, Service Providers and Equipment Suppliers should consider including cross-subsidiary (e.g. A LEC and its Wireless Business Unit) resource sharing and communications in business continuity plans to support emergency response and restoration.
9-9-5231 Highly Important Network Operators, Service Providers, Public Safety, and Equipment Suppliers and Property Managers should develop documentation for the restoration of power for areas of critical infrastructure including such things as contact information, escalation procedures, restoration steps and alternate means of communication. This documentation should be maintained both on-site and at centralized control centers.
9-9-5232 Critical Network Operators, Service Providers, Public Safety and Property Managers should test fuel reserves used for standby or backup power for contamination at least once a year or after any event (e.g., earth tremor, flood) that could compromise the integrity of the tank housing, fill pipe or supply pipe.
9-9-5234 Important Network Operators, Service Providers, Public Safety and Property Managers should provide or arrange for security to protect temporary equipment placements and staging areas for critical infrastructure equipment in a disaster area.
9-9-5237 Highly Important Network Operators, Service Providers, Public Safety and Equipment Suppliers should verify the integrity of system spares and replenish spares, as appropriate, as part of a disaster response and at the conclusion of a disaster response at a facility.
9-9-5240 Highly Important Network Operators, Service Providers, Equipment Suppliers, Public Safety and Property Managers should have a plan for responding to malfunctioning access control equipment to include determining restoration priorities for failed security systems after an event.
9-9-5241 Highly Important Network Operators, Service Providers, Public Safety and Equipment Suppliers should consider placing access and facility alarm points to critical or sensitive areas on backup power.
9-9-5252 Highly Important Network Operators should evaluate the priority on re-establishing diversity of facility entry points (e.g., copper or fiber conduit, network interfaces for entrance facilities) during the restoration process.
9-9-5258 Important Network Operators, Service Providers, Public Safety and Equipment Suppliers should define and assign responsibility for retrieval of all corporate assets (e.g., access cards, equipment) and ensure temporary physical and logical access is removed after completion of a restoration effort for all temporary personnel associated with the restoration.
9-9-5259 Highly Important Network Operators, Service Providers, Equipment Suppliers, Public Safety and Property Managers should establish and enforce access control and identification procedures for all individuals (including temporary contractors, and mutual aid workers) at restoration sites for which they have responsibility. Provide for issuing and proper displaying of ID badges and the sign-in and escorting procedures, where appropriate.
9-9-5260 Important Network Operators, Service Providers, Equipment Suppliers, Public Safety and Property Managers should provide any significant changes to access control procedures to affected personnel involved in a restoration.
9-9-5281 Highly Important Network Operators, Service Providers, Public Safety and Property Managers with buildings serviced by more than one emergency generator, should design, install and maintain each generator as a standalone unit that is not dependent on the operation of another generator for proper functioning, including fuel supply path.
9-9-8005 Important Document Single Points of Failure: Service Providers and Network Operators should implement a continuous engineering process to identify and record single points of failure and any components that are critical to the continuity of the infrastructure. The process should then pursue architectural solutions to mitigate the identified risks as appropriate.
9-9-8008 Critical Network Operators, Service Providers, and Public Safety should implement architectures that partition or segment networks and applications using means such as firewalls, demilitarized zones (DMZ), or virtual private networks (VPN) so that contamination or damage to one asset does not disrupt or destroy other assets. In particular, where feasible, it is suggested user traffic networks, network management infrastructure networks, customer transaction system networks, and enterprise communication/business operations networks be separated and partitioned from one another.
9-9-8018 Critical Hardening OAM&P User Access Control: Service Providers, Network Operators, and Equipment Suppliers should, for OAM&P applications and interfaces, harden the access control capabilities of each network element or system before deployment to the extent possible (typical steps are to remove default accounts, change default passwords, turn on checks for password complexity, turn on password aging, turn on limits on failed password attempts, turn on session inactivity timers, etc.). A preferred approach is to connect each element or system's access control mechanisms to a robust AAA server (e.g., a RADIUS or TACACS server) with properly hardened access control configuration settings.
9-9-8019 Critical Hardening OSs for OAM&P: Service Providers, Network Operators, and Equipment Suppliers with devices equipped with operating systems used for OAM&P should have operating system hardening procedures applied. Hardening procedures include (a) all unnecessary services are disabled; (b) all unnecessary communications pathways are disabled; (c) all critical security patches have been evaluated for installations on said systems/applications; and (d) review and implement published hardening guidelines, as appropriate. Where critical security patches cannot be applied, compensating controls should be implemented.
9-9-8026 Critical Distribution of Encryption Keys: When Service Providers, Network Operators, and Equipment Suppliers use an encryption technology in the securing of network equipment and transmission facilities, cryptographic keys must be distributed using a secure protocol that: a) Ensures the authenticity of the sender and recipient, b) Does not depend upon secure transmission facilities, and c) Cannot be emulated by a non-trusted source.
9-9-8030 Important For Network Operators, Service Providers, Public Safety and Equipment Suppliers, all Operations, Administration, Maintenance, and Provisioning (OAM&P) applications, systems, and interfaces should use session timers to disconnect, terminate, or logout authenticated sessions that remain inactive past some preset (but ideally configurable by the Administrator) time limit that is appropriate for operational efficiency and security.
9-9-8032 Important Patching Practices: Service Providers, Network Operators, and Equipment Suppliers should design and deploy a patching process based on industry recommendations, especially for critical OAM&P systems.
9-9-8034 Highly Important Software Patching Policy: Service Providers and Network Operators should define and incorporate a formal patch/fix policy into the organization's security policies.
9-9-8035 Important Network Operators, Service Providers, and Public Safety should include steps to appropriately test all patches/fixes in a test environment prior to distribution into the production environment in their patch/fix policy and process guidelines.
9-9-8037 Important Network Operators, Service Providers, and Public Safety should maintain a complete inventory of elements to ensure that patches/fixes can be properly applied across the organization. This inventory should be updated each time a patch/fix is identified and action is taken.
9-9-8038 Highly Important For Network Operators and Service Providers, a formal process during system or service development should exist in which a review of security controls and techniques is performed by a group independent of the development group, prior to deployment.
9-9-8039 Critical Service Providers, Network Operators, and Public Safety should perform a verification process to ensure that patches/fixes are actually applied as directed throughout the organization. Exceptions should be reviewed and the proper patches/fixes actually applied.
9-9-8061 Critical Service Providers, Network Operators, and Public Safety should establish a set of standards and procedures for dealing with computer security events that should be part of the overall business continuity/disaster recovery plan, exercised periodically and revised as needed, and cover likely threats to those elements of the infrastructure which are critical to service delivery/business continuity. See Appendix X and Y of the NRIC VII, Focus Group 2B Report Appendices.
9-9-8064 Critical Service Providers, Network Operators, and Public Safety should generate and collect security-related event data for critical systems (i.e., syslogs, firewall logs, IDS alerts, remote access logs, etc.). Where practical, this data should be transmitted to secure collectors for storage and should be retained in accordance with a data retention policy. A mechanism should be enabled on these systems to ensure accurate timestamps of this data (e.g., Network Time Protocol).
9-9-8065 Critical Network Operators, Service Providers, Public Safety and Equipment Suppliers should establish a process for releasing information to members of the law enforcement and intelligence communities and identify a single Point of Contact (POC) for coordination/referral activities.
9-9-8068 Critical Service Providers, Network Operators, Public Safety, and Equipment Suppliers should develop and practice a communications plan as part of the broader Incident response plan identifying key players to include as many of the following items as appropriate: contact names, business telephone numbers, home telephone numbers, pager numbers, fax numbers, cell phone numbers, home addresses, internet addresses, permanent bridge numbers, etc. Notification plans should be developed prior to an event/incident happening where necessary. The plan should also include alternate communications channels (e.g., alpha pagers, internet, satellite phones, VOIP, private lines, smart phones) balancing the value of any alternate method against the security and information loss risks introduced.
9-9-8071 Critical Threat Awareness: Service providers and Network Operators should subscribe to vendor patch/security notifications and services to remain current with new vulnerabilities, viruses, and other security flaws relevant to systems deployed on the network.
9-9-8073 Critical Service Providers, Network Operators, and Public Safety should deploy Intrusion Detection/Prevention Tools (IDS/IPS) with an initial policy that reflects the universe of devices and services known to exist on the monitored network. Due to the ever evolving nature of threats, IDS/IPS tools should be tested regularly and tuned to deliver optimum performance and reduce false positives.
9-9-8074 Critical Denial of Service (DoS) Attack - Target: Where possible, Service Provider and Network Operator networks and Equipment Supplier equipment should be designed to survive significant increases in both packet count and bandwidth utilization. Infrastructure supporting mission critical services should be designed for significant increases in traffic volume and must include network devices capable of filtering and/or rate limiting traffic. Network engineers must understand the capabilities of the devices and how to employ them to maximum effect. Wherever practical, mission critical systems should be deployed in clustered configuration allowing for load balancing of excess traffic and protected by a purpose built DoS/DDoS protection device. Operators of critical infrastructure should deploy DoS survivable hardware and software whenever possible.
9-9-8079 Highly Important Use Strong Passwords: Service Provider, Network Operators, and Equipment Suppliers should create an enforceable policy that considers different types of users and requires the use of passwords or stronger authentication methods. Where passwords can be used to enhance needed access controls, ensure they are sufficiently long and complex to defy brute force guessing and deter password cracking. To assure compliance, perform regular audits of passwords on at least a sampling of the systems.
9-9-8080 Highly Important Change Passwords on a Periodic Basis: Service Providers, Network Operators, and Equipment Suppliers should change passwords on a periodic basis implementing a policy which considers different types of users and how often passwords should be changed. Perform regular audits on passwords, including privileged passwords, on system and network devices. If available, activate features across the user base which force password changes.
9-9-8081 Highly Important Protect Authentication Methods: Service Providers, Network Operators, and Equipment Suppliers should develop an enforceable password policy, which considers different types of users, requiring users to protect, as applicable, either (a) the passwords they are given/create or (b) their credentials for two-factor authentication.
9-9-8083 Highly Important Authentication databases/files used by Network Operators, Service Providers, Public Safety, and Equipment Suppliers must be protected from unauthorized access, and must be backed-up and securely stored in case they need to be restored.
9-9-8086 Critical Network Operators, Service Providers, Public Safety, and Equipment Suppliers based on the principles of least–privilege (the minimum access needed to perform the job) and separation of duties (certain users perform certain tasks) should develop capabilities and processes to determine which users require access to a specific device or application.
9-9-8101 Important Document and Verify All Security Operational Procedures: Service Providers and Network Operators should ensure that all security operational procedures, system processes, and security controls are documented, and that documentation is up to date and accessible by appropriate staff. Perform gap analysis/audit of security operational procedures as often as security policy requires relative to the asset being protected. Using results of analysis or audit, determine which procedures, processes, or controls need to be updated and documented.
9-9-8103 Critical Service Providers, Network Operators, and Public Safety should deploy malware protection tools where feasible, establish processes to keep signatures current, and establish procedures for reacting to an infection.
9-9-8111 Important Protect Sensitive Data in Transit for Externally Accessible Applications: Service Providers and Network Operators should encrypt sensitive data from web servers, and other externally accessible applications, while it is in transit over any networks they do not physically control.
9-9-8121 Highly Important Network Operators, Service Providers, Public Safety, and Equipment Suppliers should conduct regular audits of their Information Security practices.
9-9-8124 Important Conduct Organization Wide Security Awareness Training: Service Providers, Network Operators, and Equipment Suppliers should ensure staff is given awareness training on security policies, standards, procedures, and general best practices. Awareness training should also cover the threats to the confidentiality, integrity, and availability of data including social engineering. Training as part of new employee orientation should be supplemented with regular "refreshers" to all staff.
9-9-8131 Important Network Operators, Service Providers, and Public Safety Business Continuity and Recovery Plans should factor in potential Information Security threats of a plausible likelihood or significant business impact.
9-9-8132 Important Leverage Business Impact Analysis for Incident Response Planning: Service Providers and Network Operators should leverage the BCP/DR Business Impact Assessment (BIA) efforts as input to prioritizing and planning Information Security Incident Response efforts.
9-9-8134 Important Security of Devices Beyond Scope of Control: Service Providers should carefully consider possible impacts on their networks from changes in the configuration or authentication information on devices beyond the service demarcation point, and thus beyond their physical or logical scope of control. Service Providers should consider network filters or network authentication to protect against malicious traffic or theft of service caused by such insecure devices.
9-9-8136 Important Service Providers, Network Operators and Public Safety should deploy tools to detect unexpected changes to file systems on Network Elements and Management Infrastructure systems where feasible and establish procedures for reacting to changes. Use techniques such as cryptographic hashes.
9-9-8139 Highly Important Service Providers, Network Operators and Public Safety should review and analyze security-related event data produced by critical systems on a regular basis to identify potential security risks and issues. Automated tools and scripts can aid in this analysis process and significantly reduce the level of effort required to perform this review.
9-9-8502 Critical When a compromise occurs, or new exploits are discovered, Service Providers, Network Operators and Public Safety should perform an audit of available network services to reassess any vulnerability to attack and re-evaluate the business need to provide that service, or explore alternate means of providing the same capability.
9-9-8506 Highly Important Following a compromise and reestablishment of lost service, Service Providers, Network Operators and Public Safety should re-evaluate the architecture for single points of failure. Review the process of evaluating and documenting single points of failure and provide spares for redundancy in the architecture to ensure adequacy of the security architecture.
9-9-8508 Important Immediately following incident recovery, Service Providers, Network Operators, and Public Safety should re-evaluate the adequacy of existing security architecture and implement revisions as needed.
9-9-8509 Important Recover from Poor Network Isolation and Partitioning: When, through audit or incident, a co-mingling of data or violation of a trust relationship is discovered, Service Providers and Network Operators should, as part of a post-mortem process, review segmentation design to evaluate adequacy of the architecture and data isolation.
9-9-8510 Highly Important Network Operators, Service Providers, Public Safety, and Equipment Suppliers should upon an occurrence of compromise or trust violations conduct a forensic analysis to determine the extent of compromise, revoke compromised keys, and establish new crypto keys as soon as possible, and review crypto procedures to re-establish trust.
9-9-8522 Important Upon discovery of an unsanctioned device on the organizational network, Service Providers, Network Operators, and Public Safety should investigate to determine ownership and purpose/use of the device. Where possible, this phase should be non-alerting (i.e., log reviews, monitoring of network traffic, review of abuse complaints for suspect IP address) to determine if the use is non-malicious or malicious/suspect. If use is determined to be non-malicious, employ available administrative tools to correct behavior and educate user. Conduct review of policies to determine: If additional staff education regarding acceptable use of network/computing resources is required. If processes should be redesigned / additional assets allocated to provide a sanctioned replacement of the capability. Was the user attempting to overcome the absence of a legitimate and necessary service the organization was not currently providing so that s/he could perform their job? If the use is deemed malicious/suspect, coordinate with legal counsel: Based on counsel's advice, consider collecting additional data for the purposes of assessing. Depending on the scope of the misuse, consider a referral to law enforcement.
9-9-8523 Critical Recovery from Network Element Resource Saturation Attack: If the control plane is under attack, Service Providers and Network Operators should: 1) Turn on logging where appropriate to analyze the logs, 2) Implement the appropriate filter and access list to discard the attack traffic 3) Utilize DoS/DDoS tracking methods to identify the source of attack.
9-9-8540 Critical Recover from Unauthorized Remote OAM&P Access: When an unauthorized remote access to an OAM&P system occurs, Service Providers and Network Operators should consider terminating all current remote access, limiting access to the system console, or other tightened security access methods. Continue recovery by re-establishing new passwords, reloading software, running change detection software, or other methods, continuing quarantine until recovery is validated, as practical.
9-9-8553 Critical Sharing Information with Industry & Government during Recovery: During a security event, Service Providers, Network Operators, and Equipment Suppliers should release to the National Communications Service National Coordination Center (ncs@ncs.gov) or USCERT (cert@cert.org) information which may be of value in analyzing and responding to the issue, following review, edit and approval commensurate with corporate policy. Information is released to these forums with an understanding redistribution is not permitted. Information which has been approved for public release and could benefit the broader affected community should be disseminated in the more popular security and networking forums such as NANOG and the SecurityFocus Mailing Lists.
9-9-8554 Critical Insomuch as is possible without disrupting operational recovery, Service Providers, Network Operators and Public Safety should handle and collect information as part of a computer security investigation in accordance with a set of generally accepted evidence-handling procedures.
9-9-8564 Critical After responding to a security incident or service outage, Service Providers, Network Operators and Public Safety should follow processes similar to those outlined in Appendix X of the NRIC VII, Focus Group 2B Report Appendices to capture lessons learned and prevent future events.
9-9-8629 Important Equipment Suppliers, Service Providers, Network Operators, and Public Safety should have processes in place to ensure that all third party software (e.g. operating system) have been properly patched with the latest security patches and that the system works correctly with those patches installed.
9-9-8647 Important Service Standards: Service Providers should develop and implement security event logging systems and procedures to allow for collection of security related events.
9-9-8648 Important General: Service Providers and Network Operators [that provide or manage Customer Premise Equipment (CPE)] should ensure that initial configurations are secure.
9-9-8725 Important Signaling DoS Protection: Network Operators should establish alarming thresholds for various message types to ensure that DoS conditions are recognized. Logs should be maintained and policies established to improve screening and alarming thresholds for differentiating legitimate traffic from DoS attacks.
9-9-8727 Important Network Operators, Service Providers and Public Safety should implement industry guidelines for validating physical diversity, and consider performing signaling link diversification validation on a scheduled basis (e.g., twice a year).
9-9-8729 Critical Signaling Services Requested Changes: Network Operators should establish policies and processes for adding and configuring network elements, that include approval for additions and changes to configuration tables (e.g., screening tables, call tables, trusted hosts, and calling card tables). Verification rules should minimize the possibility of receiving inappropriate messages.
9-9-8748 Critical Service providers, Network Operators, Equipment Vendors and Public Safety should test new devices to identify unnecessary services, outdated software versions, missing patches, and misconfigurations, and validate compliance with or deviations from an organization’s security policy prior to being placed on a network.
9-9-8755 Important Service Providers, Network Operators, Equipment Suppliers and Public Safety should utilize automated (where possible) Patch Management to quickly deploy patches for known vulnerabilities. PSAP software version control is important for backroom PSAP systems.
9-9-8756 Critical Network Operators and Public Safety should establish and implement procedures to ensure that all security patches and updates relevant to the device or installed applications are promptly applied. The patching process should be automated whenever possible. The system should be rebooted immediately after patching if required for the patch to take effect.
9-9-8757 Important Service Providers, Network Operations and Public Safety should set policy within each corporation or agency to provide guidance when there is a security breach.
9-9-8759 Highly Important Recover from Unauthorized Use: Network Operators and Service Providers should remove invalid records whenever it is determined that a network element has been modified without proper authorization, or rollback to the last valid version of record. The attack should be investigated to identify potential security changes.
9-9-8762 Critical Recover from DoS Attack: Network Operators and Service Providers should work together to identify, filter, and isolate the originating points of Denial of Service (DoS) attacks when detected, and reroute legitimate traffic in order to restore normal service.
9-9-8771 Important Service Providers, Network Operators, and Public Safety should consider implementing a control-signaled (i.e. SIP) network using media gateway controllers according to appropriate industry standards (i.e. Internet Engineering Task Force (IETF)) in order to achieve interoperability between the IP Multimedia (IM) Core Network (CN) subsystem and Circuit Switched (CS) networks.
9-9-8772 Critical Service Providers, Network Operators, Equipment Suppliers and Public Safety should establish a process for releasing information to members of the law enforcement and intelligence communities and identify a single Point of Contact (POC) for coordination/referral activities.
9-9-8773 Important Social Engineering: Network Operators, Service Providers and Equipment Suppliers should establish policies in preventing socially engineered attacks, but perhaps the most important step is educating employees to make them aware of the danger of social engineering. Source: http://www.windowsecurity.com/articles/Social_Engineers.html

• Training the front-line employees through case studies and understanding the need to recognize social engineering threats and their harmful consequences. The training must include:

1- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.

2- Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.

3- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.

4- Don't send sensitive information over the Internet before checking a website's security (see Protecting Your Privacy for more information).

5- Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

6- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).