Week 3: NFPA 1221

posted by Daniel
Dec 18

Normally when an NFPA catalog shows up in my mailbox I toss it aside without much thought. A couple of months ago, however, I happened to flip through it and came across NFPA 1221: Standard for the Installation, Maintenance, and Use of Emergency Services Communications Systems. So I logged in to the website to check it out and see what it entailed. Many of the chapters are not relevant to this discussion; however, the entirety of Chapter 13 is devoted to data security. The majority of the requirements are directed towards communications (dispatch) centers; however, many items are applicable to all agencies.

The chapter starts out mandating the development, implementation, and utilization of a comprehensive security plan. The plan must encompass people, technology, and operations and provide a framework for safeguarding vital systems, including CAD and IP-based NG9-1-1 systems, as well as wireless networks and devices used by first responders on either public safety or public wireless carrier networks. Most of these items are pretty basic in nature.

The rest of section 13.1 spells out the items that are to be included in the plan:

  • Policy statement from the AHJ (authority having jurisdiction) detailing the requirements and goals of the plan
  • Assignment of responsibilities for the performance of security functions
  • Training and education requirements for employees including a continuing education component
  • Control provisions for access to physical premises, radio subscriber units into the radio system, and personnel access to various portions of the networks and computers
  • Network security provisions to prevent unauthorized access to the public safety IP network, public safety phone network, land mobile radio network, and any other networks that operate within or under the control of the communications center that are required to receive or process alarms
  • Network security provisions to prevent unauthorized use of public safety handheld IP-enabled devices on either a public safety network or a public wireless carrier network
  • Computer security provisions to prevent attacks on the center’s computers and servers
  • Implement software patch management provisions to ensure all software is periodically updated
  • Data disaster recovery procedures to ensure rapid recovery of databases, servers, and similar equipment used in the communications center, public safety wireless network, and for local storage of important information
  • Implement logging and auditing provisions to allow investigation of security or operational problems
  • Implement a vulnerability management process to assess periodically the ability of the public safety communications systems, including communications centers, wireless networks, and wired IT networks
  • Implement environmental and physical security provisions to ensure that it can monitor physical aspects of the public safety communications system at all locations such as physical entry, fire, smoke, power supply performance, base radio performances and other parameters as judged necessary by the AHJ

The remaining two sections cover testing and records of the tests. The plan is to include methods, procedures, and schedules for testing for security breaches or failures, with the frequency to be determined by the AHJ.

References:

National Fire Protection Association. (2015). Standard for the installation, maintenance, and use of emergency services communications systems. (2016 ed.) [PDF] Retrieved from http://www.nfpa.org/
