Transmission
Transmission controls should address both physical and logical
risks. In large, complex institutions, management should consider
segregating WAN and LAN segments with firewalls that restrict
access as well as the content of inbound and outbound traffic.
Management should also consider using encryption technology,
including basic encryption as well as the use of digital
certificates and public key infrastructure, to secure data
transmissions. Refer to the IT
Handbook's "Information Security Booklet" for additional
discussion of encryption and other security technology.
Telecommunications technology typically incorporates message
content and completion validation. Network management should
continuously monitor telecommunications traffic for problems
involving high rates of lost packets, interference that degrades
connectivity, capacity problems that reduce throughput, or other
anomalies. In addition, administrators should periodically review
network devices to identify any that are operating in promiscuous
mode and acting as packet "sniffers" for network traffic.
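
The periodic review for promiscuous-mode devices described above can be scripted on Linux hosts. The following is an added example, not part of the handbook: it assumes Linux sysfs (`/sys/class/net/<iface>/flags`), and the `approved` list, interface names and sample flag values are constructed for illustration.

```python
"""Flag Linux interfaces in promiscuous mode from sysfs flag values."""
from pathlib import Path

IFF_PROMISC = 0x100  # promiscuous bit, as defined in linux/if.h


def read_sysfs_flags(root="/sys/class/net"):
    """Return {interface: raw flags string} read from <root>/<iface>/flags."""
    flags = {}
    for entry in sorted(Path(root).glob("*/flags")):
        try:
            flags[entry.parent.name] = entry.read_text().strip()
        except OSError:
            continue  # interface disappeared between listing and read
    return flags


def review_promiscuous(flags_by_iface, approved=()):
    """Sort promiscuous interfaces into approved and unexpected.

    `approved` is a hypothetical allowlist of interfaces documented as
    legitimately promiscuous (for example a monitoring sensor port).
    """
    approved = set(approved)
    report = {"expected": [], "unexpected": [], "unparsable": []}
    for name, raw in sorted(flags_by_iface.items()):
        try:
            value = int(raw, 16)  # sysfs prints the flags as hex, e.g. 0x1003
        except ValueError:
            report["unparsable"].append(name)  # review by hand, do not skip
            continue
        if value & IFF_PROMISC:
            key = "expected" if name in approved else "unexpected"
            report[key].append(name)
    return report


# Constructed sample values, used when no sysfs tree is available.
SAMPLE = {"lo": "0x9", "eth0": "0x1003", "eth1": "0x1103",
          "span0": "0x1103", "wlan0": "garbage"}

if __name__ == "__main__":
    result = review_promiscuous(read_sysfs_flags() or SAMPLE,
                                approved={"span0"})
    for name in result["unexpected"]:
        print(f"REVIEW: {name} is promiscuous and not on the approved list")
    for name in result["unparsable"]:
        print(f"REVIEW: could not parse flags for {name}")
```

Interfaces reported as unexpected are candidates for follow-up, since packet capture tools and some virtual switching configurations also set this bit for legitimate reasons.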
Management should implement strong access controls to secure
telecommunication equipment. Telecommunications closets should be
locked and carry no specific identification to provide an
additional measure of security. Changes to telecommunications
equipment and equipment settings or configuration should follow
enterprise change control standards including approval, testing,
and migration to production. An institution should authenticate and
approve any remote access to telecommunication equipment.
Identification, authorization, and authentication to access
telecommunications systems should follow enterprise standards
including approval and documentation of exceptions.
Voice communication is essential to many functions of an
institution. The business continuity plan should include
telecommunication resources. Loss of telecommunications can have a
material impact on the ability of an institution to function,
exposing it to legal, reputation, and financial risks. Therefore,
institutions need to have resiliency and redundancy in their
telecommunications architecture. Where available, planning should
ensure access to a diversity of suppliers. Management should
consider implementing route diversity to ensure data can travel
along an alternate route if its primary path is blocked. Management
can also improve diversity by connecting IT operations to multiple
telephone company central offices. An institution should thoroughly
test in-house and outsourced telecommunications recovery processes.
It should also implement physical security for telecommunications
equipment at any alternate operations site(s) similar to that of
the primary data center.
Management should monitor the financial health of its
telecommunications providers. To ensure continuity of service,
there should be at least one back-up vendor in the event the
primary provider cannot deliver the required service. Large,
complex operations centers and those critical to payment systems
should have multiple primary and secondary providers for bandwidth
and security purposes.
Along with diversity, building redundancy into
telecommunications networks enhances resiliency. An institution
should avoid exposure to single points of failure. Establishing
multiple network entry points into the operations center and
connecting them to redundant infrastructure strengthens a network's
Outsourced back-up facilities should meet all institution
requirements. All telecommunications equipment housed in recovery
facilities should follow institution standards for security,
availability, and change control. Management should test back-up
telecommunications functions during business continuity plan
testing. Management should also document test results and ensure
appropriate changes are made to the business continuity plan.
Contracts with recovery facilities should specify which party is
responsible for telecommunications. They should also ensure
telecommunications controls meet the institution's enterprise
Institutions should be aware of the priority level of recovery
services contracted from their providers. (See Financial and
Banking Information Infrastructure Committee Policy on the
Sponsorship of Priority Telecommunications Access for Private
Sector Entities through the National Communications System
Government Emergency Telecommunications Service (GETS),
http://www.fbiic.gov/policies.htm.) Having a sound
relationship with a telecommunications provider can greatly
facilitate recovery after a business interruption.
Institutions that choose to outsource the
management of their telecommunications networks to third party
providers should receive reports from the vendor on performance,
capacity, availability, and other key metrics.
Refer to the IT
Handbook's "Business Continuity Planning Booklet" and
"Outsourcing Technology Services Booklet" for additional discussion
on these topics.