Electronic communications infrastructure (wired or wireless) used for law enforcement data must be protected from interception or loss of service.
Victoria Police must ensure that Agreements with Approved Third Parties include the requirement that electronic infrastructure (wired or wireless) be protected from interception or loss of service.
Statement of Objective
To ensure the continued availability, confidentiality and integrity of law enforcement data during electronic transmission.
Computer networks provide numerous ‘points of access’ to Victoria Police information and law enforcement data. Whilst extremely useful in providing computing services distributed across Victoria Police, such networks also provide many possible access points that might be exploited by an intruder and used to illegitimately access or release law enforcement data and thus must be protected.
If an intruder is able to gain access to a communications cable carrying law enforcement data, there are numerous means by which they might be able to intercept (and read or steal) that data. Similarly, such cables can be damaged accidentally or intentionally sabotaged causing a disruption to law enforcement data flow. Network cabling should be protected from unauthorised interception or damage, for example by using a conduit or by avoiding routes through public areas.
Clearly identified cable and equipment markings (including cable termination points) should be used to minimise handling errors, such as accidentally connecting unauthorised users to law enforcement data or systems.
Physical network infrastructure that is used to connect computers to networks and systems such as patch panels and cable rooms should only be accessible to authorised people.
Physical network infrastructure, including architecture and configuration of patch panels, should be documented. Standard operating procedures should include the requirement for keeping such configuration documentation up to date when configuration changes are made.
For sensitive or critical systems further controls to consider include:
a) controlled access to patch panels, cable rooms or access points used for inspection and maintenance;
b) the use of secure conduit or securely routing the cables through protected areas;
c) protecting the cable from interception via the use of electromagnetic shielding;
d) the implementation of alternative transmission technologies such as fibre optic cabling (which is more complicated to intercept) where secure routing cannot be assured; and
e) conducting technical and physical inspections for unauthorised devices being attached to the cables.
Law enforcement data travelling over cables can be compromised by interference from electrical power cables. To ensure continued access, data or communications cables should be segregated from electrical power cables.
All computing devices produce unwanted electromagnetic emanations that in certain cases can relate to the information being processed. Using specialised monitoring technology an intruder might be able to intercept the emanations of a computer display screen (monitor) and visually ‘eavesdrop’ on the information being processed. Emanations security (also known as TEMPEST) controls should be considered in accordance with Commonwealth protective security requirements.
Wireless communications enable computers to connect to networks without physically connecting (without wires). As such, the chances of being illegally intercepted by unauthorised persons are greatly increased. When implementing wireless communications infrastructure, a risk assessment will greatly assist in identifying and addressing security issues and reduce exposure.