Security best practices get the nod
- By William Jackson
- Oct 21, 2003
The Network Reliability and Interoperability Council has endorsed a set of best practices to preserve networks during manmade or natural disruptions.
At a quarterly meeting at the Federal Communications Commission this spring, working groups of the federally chartered council presented 162 recommendations for network operators, equipment manufacturers and service providers.
The council's 300 best practices to boost physical and cybersecurity appear at www.nric.org.
'These recommendations conclude our work' on a comprehensive set of best practices, said Richard C. Notebaert, the council's chairman and chief executive officer of Qwest Communications International Inc. of Denver. The second phase will be outreach and education.
The council, created in 1992, received a charter from FCC chairman Michael Powell in 2002 as a matter of national security because most of the government's critical communications travel over commercial links.
The 56-member panel has representatives from cable, wireless, satellite and Internet providers as well as carriers and equipment manufacturers.
Security and recovery practices are difficult but necessary in a harsh business climate, Powell said, adding that 'the blow will likely come one day.'
Several speakers commented on the need for funds to improve practices, but they gave no recommendations for who should provide resources.
Preventing attacks
The best practices focus on preventing attacks through new technology, access controls, design and construction methods, inventory management, auditing, surveillance and integration of security in business plans.
The council's recommended best practices for preventing cyberattacks focus on technology, operations, administration, authentication, virtual access control and incident management.
'Recovery is a necessary evil,' said Bill Hancock, chairman of the council's Cybersecurity Working Group and chief security officer of Cable and Wireless PLC of Vienna, Va. 'Prevention of a cyberattack is much cheaper than recovery,' but no amount of prevention can eliminate the need to be prepared for disaster.
The best practices are voluntary, but several officials emphasized that the alternative would be mandates in the form of government regulation.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.