Install and maintain redundant telecommunication feeds for critical assets.


CONTROL ID: 00726
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain organizational facility continuity plans. (CC ID: 02224)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • AIs should implement sufficient and effective alternative service delivery channels to ensure e-banking services can be provided continuously to customers as far as appropriate. In particular, if an Internet banking system is temporarily not accessible, AIs should ensure that their other service cha… (§ 9.5.4, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should implement sufficient and effective alternative service delivery channels to ensure e-banking services can be provided continuously to customers as far as appropriate. In particular, if an Internet banking system is temporarily not accessible, AIs should ensure that their other service cha… (§ 9.5.4, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • F106: The organization should base cabling from line-related systems to individual terminal devices on the dual-redundant design to facilitate a fast response to a line failure at head/branch offices. O96.2: The organization should use communication lines that are separate from the convenience store… (F106, O96.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • O62.3: To be prepared for CD/ATM and/or other equipment failure, the organization should establish additional networks and procedures for communicating during times of unattended monitoring (nighttime, weekends, and national holidays). These networks and procedures should be reviewed periodically. T… (O62.3, T3.3, T5.3, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • To be prepared for CD/ATM and/or other equipment failure, the organization should establish additional networks and procedures for communicating during times of unattended monitoring (nighttime, weekends, and national holidays). These networks and procedures should be reviewed periodically. (O62.3, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • For the power supply and monitoring facilities, the connection lines should be correctly identified and they should be properly maintained even after any change or extension work. (P54.8., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is also recommended that backup lines be provided for private lines in a computer center as well as for LANs in important sections. (P87.3. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is recommended that duplex lines be used from line-related facilities to each important device at the computer center. Especially, when duplex lines are installed outside the building, it is recommended that duplex lines be used from MDF to important devices such as a communications control devic… (P87.3. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is recommended to provide multiple lines between sites (outside the premises) for important lines or to secure backup lines for important lines. Note that when multiple lines are provided, it is recommended that routes be physically separated (that is, passing through different exchange facilitie… (P87.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is recommended to make backup lines available for critical lines. (F106.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • For critical lines from line-related systems to individual pieces of terminal devices in head offices and branch offices, it is recommended to adopt a redundant system such as prior installation of backup lines to facilitate prompt problem determination for failures and recovery in the event of wire… (F106.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • the CSIRTs shall ensure a high level of availability of their communication channels by avoiding single points of failure, and shall have several means for being contacted and for contacting others at all times; they shall clearly specify the communication channels and make them known to constituenc… (Article 11 1 ¶ 1(a), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • A redundant supply for media (e.g. electricity, communication connections) is provided. (3.1.2 Requirements (should) Bullet 6, Information Security Assessment, Version 5.1)
  • For large installations or highly protected facilities, two physically separated telecommunications paths to the telephone center should be used. (Pg 7-I-5, Revised Volume 4 1-I-25, Protection of Assets Manual, ASIS International)
  • There should be a Process for dealing with vulnerabilities in network devices, which includes automatically re-routing network traffic to an alternative network device. (CF.09.01.06c, The Standard of Good Practice for Information Security)
  • Power cables to critical facilities (including locations that house computer systems, such as data centers, networks, telecommunication equipment, sensitive physical material, and other important assets) should be protected by alternative feeds or routing. (CF.19.02.01d, The Standard of Good Practice for Information Security)
  • The organization should help to ensure the availability of access to information stored in the cloud by establishing multiple methods of connection (e.g., wired network, wireless, and 3g / 4g). (CF.16.04.10b, The Standard of Good Practice for Information Security)
  • The resilience of critical business processes should be improved by reducing single points of failure in the network by re-routing network traffic automatically when critical network equipment or links fail. (CF.20.03.06a, The Standard of Good Practice for Information Security)
  • The resilience of critical business processes should be improved by reducing single points of failure in the network by installing duplicate or alternative network components (e.g., routers, hubs, bridges, concentrators, switches, firewalls, and network traffic filters) to critical communications eq… (CF.20.03.06b, The Standard of Good Practice for Information Security)
  • The availability of communication services used to access external information systems, networks and voice facilities (including those provided in the cloud) should be protected by providing duplicate or alternative points of connection to external communications carriers. (CF.20.03.07a, The Standard of Good Practice for Information Security)
  • The availability of communication services used to access external information systems, networks and voice facilities (including those provided in the cloud) should be protected by routing critical links to more than one external exchange or switching center. (CF.20.03.07b, The Standard of Good Practice for Information Security)
  • The availability of communication services used to access external information systems, networks, and voice facilities (including those provided in the cloud) should be protected by arranging for use of an alternative communications carrier (e.g., using alternative communication technologies, such a… (CF.20.03.07c, The Standard of Good Practice for Information Security)
  • There should be a Process for dealing with vulnerabilities in network devices, which includes automatically re-routing network traffic to an alternative network device. (CF.09.01.06c, The Standard of Good Practice for Information Security, 2013)
  • Power cables to critical facilities (including locations that house computer systems, such as data centers, networks, telecommunication equipment, sensitive physical material, and other important assets) should be protected by alternative feeds or routing. (CF.19.02.01d, The Standard of Good Practice for Information Security, 2013)
  • The organization should help to ensure the availability of access to information stored in the cloud by establishing multiple methods of connection (e.g., wired network, wireless, and 3g / 4g). (CF.16.04.10b, The Standard of Good Practice for Information Security, 2013)
  • The resilience of critical business processes should be improved by reducing single points of failure in the network by re-routing network traffic automatically when critical network equipment or links fail. (CF.20.03.06a, The Standard of Good Practice for Information Security, 2013)
  • The resilience of critical business processes should be improved by reducing single points of failure in the network by installing duplicate or alternative network components (e.g., routers, hubs, bridges, concentrators, switches, firewalls, and network traffic filters) to critical communications eq… (CF.20.03.06b, The Standard of Good Practice for Information Security, 2013)
  • The availability of communication services used to access external information systems, networks and voice facilities (including those provided in the cloud) should be protected by providing duplicate or alternative points of connection to external communications carriers. (CF.20.03.07a, The Standard of Good Practice for Information Security, 2013)
  • The availability of communication services used to access external information systems, networks and voice facilities (including those provided in the cloud) should be protected by routing critical links to more than one external exchange or switching center. (CF.20.03.07b, The Standard of Good Practice for Information Security, 2013)
  • The availability of communication services used to access external information systems, networks, and voice facilities (including those provided in the cloud) should be protected by arranging for use of an alternative communications carrier (e.g., using alternative communication technologies, such a… (CF.20.03.07c, The Standard of Good Practice for Information Security, 2013)
  • Two diverse routes should be used to connect the telecommunications equipment to the utility provider. This redundancy will prevent the organization from losing voice services if one path is damaged or lost. (§ 9.2.2, ISO 27002 Code of practice for information security management, 2005)
  • Do the physical security and environmental controls present in the building / data centers that contain scoped systems and data include redundant telecommunication feeds? (§ F.1.2.23, Shared Assessments Standardized Information Gathering Questionnaire - F. Physical and Environmental, 7.0)
  • Does the data center that contains scoped systems and data have multiple telecommunication feeds? (§ F.2.11, Shared Assessments Standardized Information Gathering Questionnaire - F. Physical and Environmental, 7.0)
  • Are two active network connections allowed at the same time (split-tunneling) when wireless networking technology is being used? (§ G.12.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are "red and blue" fully redundant networks run at the physical level? (§ V.1.68, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Intrusion Detection Systems' alarm signals must have two independent transmission routes to the monitoring station. (§ 5-904, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Developing and maintaining a plan to address an outage in the telecommunications lines with its primary third-party service providers. (App A Objective 6:6b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Provide for high redundancy levels in the telecommunications infrastructure. (IV Action Summary ¶ 2 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Establish redundant communications between branches and data centers. (App A Objective 6:2a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Inquiring about the physical paths used by telecommunications providers and verifying that system redundancies have been properly implemented. (App A Objective 6:6i, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Implements appropriate redundancy capabilities for the entity's telecommunications infrastructure. (App A Objective 13:3a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Implements redundant telecommunications services and establishes work-around procedures for situations where needed. (App A Objective 13:3q, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether the entity's IT infrastructure implementation includes considerations for server and data redundancy and resilience of telecommunications lines. (App A Objective 13:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Designs and builds telecommunications infrastructure components for resilience (e.g., implement route diversity), including selecting infrastructure components and telecommunications providers that help avoid a single point of failure. (App A Objective 13:3m, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Operations centers should have telecommunications feeds from different vendors. The feeds should be traced to ensure there is not a single point of failure or redundancy with different vendors using the same cables. (Pg 18, Exam Tier I Obj 7.1, Exam Tier II Obj D.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • The Information System Contingency Plan Coordinator should identify single points of failure that could affect critical systems or processes when developing a contingency plan for a LAN. (§ 5.3.2 ¶ 1, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Redundancy from NSP or Internet Service Provider (ISP). The ISCP Coordinator should consult with the selected NSP or ISP to assess the robustness and reliability within their core networks (e.g., redundant network-connecting devices and power protection). (§ 5.3.2 ¶ 8 Bullet 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Coordinate with network security policy and system security controls. Mainframe contingency solutions should include duplicating interfaces and telecommunications infrastructure as well as coordinating with network security policies, such as stringent access controls. (§ 5.4.1 ¶ 1 Bullet 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Redundant communications links. Redundant communications links usually are necessary when the network processes critical data. The redundant links could be the same type, such as two T-1 connections, or the backup link could provide reduced bandwidth to accommodate only critical transmissions in a c… (§ 5.3.2 ¶ 8 Bullet 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization should use redundant and parallel power cabling paths. (App F § PE-9(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)