Protecting NG-911 in five steps

Emergency services are moving from a closed analog environment to an interconnected Internet Protocol (IP) network environment, also known as next-generation 911 (NG-911). Steps must be taken to move security to a level that protects networks, equipment and data in this new environment. The steps along the path to secure NG-911 environments — are addressed in the National Emergency Number Association (NENA) Next Generation Security (NG-SEC) standard. There are other standards that could be used, such as the National Institute of Standards and Technology (NIST) Special Publication 800-53, or the Criminal Justice Information Services (CJIS) Security Policy version 5.0; however, NENA's NG-SEC is stated in terms written specifically for the NG-911 environment.

It is important to note that the CJIS Security Policy is a mandate for systems processing criminal justice information. This is also an excellent resource to secure the remainder of your network.

Whether you ultimately choose to utilize NENA, NIST, CJIS or another security standard, typically they have commonalities that call for:

• Planning
• Policies
• Training
• Monitoring
• Auditing

Moving from a traditional telephony Centralized Automatic Message Accounting (CAMA) environment to an Emergency Services Internet Network (ESInet) with full IP connectivity is a major change. Phone "phreaks" (analog hackers) are replaced with distributed denial-of-service attacks and techno-savvy hackers longing to gain much more than free long-distance service.

There was also a time when you knew the exact location of a caller, because it was the same as their telephone billing address. Today, we are dependent on GPS coordinates to locate a growing majority of callers. What do we need to do today to keep pace with these changes requiring IP connections? Buy new equipment and software, and hope for the best? The first is true; as for the latter, we can do more than hope — we can plan.

Let's examine the essential elements of the planning stage, which is Step 1.

Security — Decide the best means to address security in your environment. What are your requirements and mandates? Who is responsible for the overall security? You must articulate a security plan that establishes the vision and tone for securing your network. This is a formal document announcing your security framework, and further instructions exist (or will exist) in the form of policies and procedures.

Assess — Know your environment, including all call-taker workstations, servers, printers (check — yours might have an IP address), wireless access, radios, service providers, ANI/ALI databases and GIS databases. You need an inventory of everything and everybody who touches your network, whether directly or through another system. List your current policies and procedures. Determine what you already have in place.

Compliance Roadmap — Now that you know what you have, compare this to the requirements of your chosen security standard. Note the requirements that you do not have. The differences represent the gaps. Each of the missing requirements on your gap analysis needs a remediation plan. This may take the form of a compliance roadmap, which is a list of activities that will bring your network into compliance with your chosen standard. Activities addressed in a compliance roadmap often include:

A compliance plan should include a rough order-of-magnitude estimate of the costs associated with activities, as well as a timeline for completion. The timeline demonstrates the opportunity to distribute costs and the workload over five years (more or less as time and funds permit). If your IP network connectivity will be established soon, consider compressing your timeline and choosing the activities that you are able to accomplish quickly, or those that offer the most security. Mitigation strategies should be put in place to provide a viable plan to correct your remaining gaps and achieve complete security compliance.

Activities addressed in a security-compliance roadmap often include:

• Regulatory review
  • Legislative and administrative documents
  • Request updates, if needed
• Creation of security policies
• Updating of procurement contracts to include security compliance for:
  • Equipment
  • Network providers
  • Service providers
• Deployment of secure systems
  • Establish configuration management
  • Update deployed systems
• Creation of an education and awareness program
• Creation of a system to monitor security
  • Establish a security maintenance program
  • Establish an auditing program