
Install and maintain redundant telecommunication feeds for critical assets.


CONTROL ID: 00726
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain organizational facility continuity plans. (CC ID: 02224)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • AIs should implement sufficient and effective alternative service delivery channels to ensure e-banking services can be provided continuously to customers as far as appropriate. In particular, if an Internet banking system is temporarily not accessible, AIs should ensure that their other service cha… (§ 9.5.4, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should implement sufficient and effective alternative service delivery channels to ensure e-banking services can be provided continuously to customers as far as appropriate. In particular, if an Internet banking system is temporarily not accessible, AIs should ensure that their other service cha… (§ 9.5.4, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • F106: The organization should base cabling from line-related systems to individual terminal devices on the dual-redundant design to facilitate a fast response to a line failure at head/branch offices. O96.2: The organization should use communication lines that are separate from the convenience store… (F106, O96.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • O62.3: To be prepared for CD/ATM and/or other equipment failure, the organization should establish additional networks and procedures for communicating during times of unattended monitoring (nighttime, weekends, and national holidays). These networks and procedures should be reviewed periodically. T… (O62.3, T3.3, T5.3, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • To be prepared for CD/ATM and/or other equipment failure, the organization should establish additional networks and procedures for communicating during times of unattended monitoring (nighttime, weekends, and national holidays). These networks and procedures should be reviewed periodically. (O62.3, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • For large installations or highly protected facilities, two physically separated telecommunications paths to the telephone center should be used. (Pg 7-I-5, Revised Volume 4 1-I-25, Protection of Assets Manual, ASIS International)
  • There should be a Process for dealing with vulnerabilities in network devices, which includes automatically re-routing network traffic to an alternative network device. (CF.09.01.06c, The Standard of Good Practice for Information Security)
  • Power cables to critical facilities (including locations that house computer systems, such as data centers, networks, telecommunication equipment, sensitive physical material, and other important assets) should be protected by alternative feeds or routing. (CF.19.02.01d, The Standard of Good Practice for Information Security)
  • The organization should help to ensure the availability of access to information stored in the cloud by establishing multiple methods of connection (e.g., wired network, wireless, and 3G / 4G). (CF.16.04.10b, The Standard of Good Practice for Information Security)
  • The resilience of critical business processes should be improved by reducing single points of failure in the network by re-routing network traffic automatically when critical network equipment or links fail. (CF.20.03.06a, The Standard of Good Practice for Information Security)
  • The resilience of critical business processes should be improved by reducing single points of failure in the network by installing duplicate or alternative network components (e.g., routers, hubs, bridges, concentrators, switches, firewalls, and network traffic filters) to critical communications eq… (CF.20.03.06b, The Standard of Good Practice for Information Security)
  • The availability of communication services used to access external information systems, networks and voice facilities (including those provided in the cloud) should be protected by providing duplicate or alternative points of connection to external communications carriers. (CF.20.03.07a, The Standard of Good Practice for Information Security)
  • The availability of communication services used to access external information systems, networks and voice facilities (including those provided in the cloud) should be protected by routing critical links to more than one external exchange or switching center. (CF.20.03.07b, The Standard of Good Practice for Information Security)
  • The availability of communication services used to access external information systems, networks, and voice facilities (including those provided in the cloud) should be protected by arranging for use of an alternative communications carrier (e.g., using alternative communication technologies, such a… (CF.20.03.07c, The Standard of Good Practice for Information Security)
  • There should be a Process for dealing with vulnerabilities in network devices, which includes automatically re-routing network traffic to an alternative network device. (CF.09.01.06c, The Standard of Good Practice for Information Security, 2013)
  • Power cables to critical facilities (including locations that house computer systems, such as data centers, networks, telecommunication equipment, sensitive physical material, and other important assets) should be protected by alternative feeds or routing. (CF.19.02.01d, The Standard of Good Practice for Information Security, 2013)
  • The organization should help to ensure the availability of access to information stored in the cloud by establishing multiple methods of connection (e.g., wired network, wireless, and 3G / 4G). (CF.16.04.10b, The Standard of Good Practice for Information Security, 2013)
  • The resilience of critical business processes should be improved by reducing single points of failure in the network by re-routing network traffic automatically when critical network equipment or links fail. (CF.20.03.06a, The Standard of Good Practice for Information Security, 2013)
  • The resilience of critical business processes should be improved by reducing single points of failure in the network by installing duplicate or alternative network components (e.g., routers, hubs, bridges, concentrators, switches, firewalls, and network traffic filters) to critical communications eq… (CF.20.03.06b, The Standard of Good Practice for Information Security, 2013)
  • The availability of communication services used to access external information systems, networks and voice facilities (including those provided in the cloud) should be protected by providing duplicate or alternative points of connection to external communications carriers. (CF.20.03.07a, The Standard of Good Practice for Information Security, 2013)
  • The availability of communication services used to access external information systems, networks and voice facilities (including those provided in the cloud) should be protected by routing critical links to more than one external exchange or switching center. (CF.20.03.07b, The Standard of Good Practice for Information Security, 2013)
  • The availability of communication services used to access external information systems, networks, and voice facilities (including those provided in the cloud) should be protected by arranging for use of an alternative communications carrier (e.g., using alternative communication technologies, such a… (CF.20.03.07c, The Standard of Good Practice for Information Security, 2013)
  • Two diverse routes should be used to connect the telecommunications equipment to the utility provider. This redundancy will prevent the organization from losing voice services if one path is damaged or lost. (§ 9.2.2, ISO 27002 Code of practice for information security management, 2005)
  • Do the physical security and environmental controls present in the building / data centers that contain scoped systems and data include redundant telecommunication feeds? (§ F.1.2.23, Shared Assessments Standardized Information Gathering Questionnaire - F. Physical and Environmental, 7.0)
  • Does the data center that contains scoped systems and data have multiple telecommunication feeds? (§ F.2.11, Shared Assessments Standardized Information Gathering Questionnaire - F. Physical and Environmental, 7.0)
  • Are two active network connections allowed at the same time (split-tunneling) when wireless networking technology is being used? (§ G.12.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are "red and blue" fully redundant networks run at the physical level? (§ V.1.68, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Intrusion Detection Systems' alarm signals must have two independent transmission routes to the monitoring station. (§ 5-904, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Developing and maintaining a plan to address an outage in the telecommunications lines with its primary third-party service providers. (App A Objective 6:6b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Provide for high redundancy levels in the telecommunications infrastructure. (IV Action Summary ¶ 2 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Establish redundant communications between branches and data centers. (App A Objective 6:2a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Inquiring about the physical paths used by telecommunications providers and verifying that system redundancies have been properly implemented. (App A Objective 6:6i, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Implements appropriate redundancy capabilities for the entity's telecommunications infrastructure. (App A Objective 13:3a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Implements redundant telecommunications services and establishes work-around procedures for situations where needed. (App A Objective 13:3q, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether the entity's IT infrastructure implementation includes considerations for server and data redundancy and resilience of telecommunications lines. (App A Objective 13:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Designs and builds telecommunications infrastructure components for resilience (e.g., implement route diversity), including selecting infrastructure components and telecommunications providers that help avoid a single point of failure. (App A Objective 13:3m, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Operations centers should have telecommunications feeds from different vendors. The feeds should be traced to ensure there is not a single point of failure or redundancy with different vendors using the same cables. (Pg 18, Exam Tier I Obj 7.1, Exam Tier II Obj D.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • The Information System Contingency Plan Coordinator should identify single points of failure that could affect critical systems or processes when developing a contingency plan for a LAN. (§ 5.3.2 ¶ 1, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • The organization should use redundant and parallel power cabling paths. (App F § PE-9(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)