Transmission controls should address both physical and logical risks. In large, complex institutions, management should consider segregating WAN and LAN segments with firewalls that restrict access as well as the content of inbound and outbound traffic. Management should also consider using encryption technology (including basic encryption as well as the use of digital certificates and public key infrastructure) to secure data transmissions. Refer to the IT Handbook's "Information Security Booklet" for additional discussion of encryption and other security technology.
Telecommunications technology typically incorporates message content and completion validation. Network management should continuously monitor telecommunications traffic for problems involving high rates of lost packets, interference that degrades connectivity, capacity problems that reduce throughput, or other anomalies. In addition, administrators should periodically review network devices to identify any that are operating in promiscuous mode and acting as packet "sniffers" for network traffic.
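One way to carry out the periodic review for interfaces in promiscuous mode described above, as an added example that is not part of the booklet: on Linux, the kernel logs "device X entered promiscuous mode" / "device X left promiscuous mode" when an interface changes state, and the current state is readable from /sys/class/net/<iface>/flags (bit 0x100, IFF_PROMISC). The script below checks both sources so that a reviewer can compare what the logs say happened against what the host currently reports. The log lines and flag values are constructed sample input; the /sys path layout and the kernel message wording are what the Linux kernel uses, but any institution's hosts, interface names, and log format are assumptions.

```python
import os
import re

# Linux interface flag bit set while an interface is in promiscuous mode.
IFF_PROMISC = 0x100

# Kernel message emitted by dev_set_promiscuity() on state change.
PROMISC_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")

# Constructed sample syslog lines from a hypothetical host "core-sw-mgmt".
SAMPLE_KERNEL_LOG = [
    "Mar  3 10:14:02 core-sw-mgmt kernel: device eth0 entered promiscuous mode",
    "Mar  3 10:14:05 core-sw-mgmt kernel: device eth1 entered promiscuous mode",
    "Mar  3 10:15:30 core-sw-mgmt sshd[2210]: Accepted publickey for netops",
    "Mar  3 10:20:11 core-sw-mgmt kernel: device eth1 left promiscuous mode",
]

# Constructed sample contents of /sys/class/net/<iface>/flags (hex strings).
SAMPLE_FLAGS = {"lo": "0x9", "eth0": "0x1103", "eth1": "0x1003"}


def parse_flags_value(text):
    """Parse the hex string found in /sys/class/net/<iface>/flags."""
    return int(text.strip(), 16)


def promiscuous_from_flags(flags):
    """Return interfaces whose flag value has IFF_PROMISC set.

    flags: mapping of interface name -> hex string as read from sysfs.
    """
    return sorted(
        name for name, value in flags.items()
        if parse_flags_value(value) & IFF_PROMISC
    )


def promiscuous_from_log(lines):
    """Replay kernel state-change messages and return interfaces that,
    according to the log, are still in promiscuous mode at the end."""
    state = {}
    for line in lines:
        m = PROMISC_RE.search(line)
        if m:
            state[m.group(1)] = (m.group(2) == "entered")
    return sorted(name for name, on in state.items() if on)


def read_live_flags(sysfs_root="/sys/class/net"):
    """Read the flags file for every interface on this host (Linux only)."""
    flags = {}
    if not os.path.isdir(sysfs_root):
        return flags
    for name in os.listdir(sysfs_root):
        path = os.path.join(sysfs_root, name, "flags")
        try:
            with open(path) as fh:
                flags[name] = fh.read()
        except OSError:
            continue
    return flags


def review(flags, log_lines):
    """Combine both sources into a single finding list for the reviewer."""
    live = set(promiscuous_from_flags(flags))
    logged = set(promiscuous_from_log(log_lines))
    return {
        "promiscuous_now": sorted(live),
        "in_log_only": sorted(logged - live),
        "in_flags_only": sorted(live - logged),
    }


if __name__ == "__main__":
    # Against the constructed samples; replace with read_live_flags() and
    # real syslog lines to audit a host.
    print(review(SAMPLE_FLAGS, SAMPLE_KERNEL_LOG))
```

In the sample data both sources agree that eth0 is in promiscuous mode and eth1 has returned to normal; a mismatch between the two lists (for example an interface in promiscuous mode with no corresponding log entry) is the kind of discrepancy the periodic review should flag for follow-up.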
Management should implement strong access controls to secure telecommunication equipment. Telecommunications closets should be locked and carry no specific identification to provide an additional measure of security. Changes to telecommunications equipment and equipment settings or configuration should follow enterprise change control standards including approval, testing, and migration to production. An institution should authenticate and approve any remote access to telecommunication equipment. Identification, authorization, and authentication to access telecommunications systems should follow enterprise standards including approval and documentation of exceptions.
Voice communication is essential to many functions of an institution. The business continuity plan should include telecommunication resources. Loss of telecommunications can have a material impact on the ability of an institution to function, exposing it to legal, reputation, and financial risks. Therefore, institutions need to have resiliency and redundancy in their telecommunications architecture. Where available, planning should ensure access to a diversity of suppliers. Management should consider implementing route diversity to ensure data can travel along an alternate route if its primary path is blocked. Management can also improve diversity by connecting IT operations to multiple telephone company central offices. An institution should thoroughly test in-house and outsourced telecommunications recovery processes. It should also implement physical security for telecommunications equipment at any alternate operations site(s) similar to that of the primary data center.
Management should monitor the financial health of its telecommunications providers. To ensure continuity of service, there should be at least one back-up vendor in the event the primary provider cannot deliver the required service. Large, complex operations centers and those critical to payment systems should have multiple primary and secondary providers for bandwidth and security purposes.
Along with diversity, building redundancy into telecommunications networks enhances resiliency. An institution should avoid exposure to single points of failure. Establishing multiple network entry points into the operations center and connecting them to redundant infrastructure strengthens a network's survivability.
Outsourced back-up facilities should meet all institution requirements. All telecommunications equipment housed in recovery facilities should follow institution standards for security, availability, and change control. Management should test back-up telecommunications functions during business continuity plan testing. Management should also document test results and ensure appropriate changes are made to the business continuity plan. Contracts with recovery facilities should specify which party is responsible for telecommunications. They should also ensure telecommunications controls meet the institution's enterprise standards.
Institutions should be aware of the priority level of recovery services contracted from their providers. (See the Financial and Banking Information Infrastructure Committee Policy on the Sponsorship of Priority Telecommunications Access for Private Sector Entities through the National Communications System Government Emergency Telecommunications Service (GETS), http://www.fbiic.gov/policies.htm.) Having a sound relationship with a telecommunications provider can greatly facilitate recovery after a business interruption. Institutions that choose to outsource the management of their telecommunications networks to third party providers should receive reports from the vendor on performance, capacity, availability, and other key metrics.
Refer to the IT Handbook's "Business Continuity Planning Booklet" and "Outsourcing Technology Services Booklet" for additional discussion on these topics.