
adio (LMR) systems. Security plans provide public safety agencies with the
information necessary to minimize security risks associated with their radio systems.
To provide comments regarding the information in this document or to obtain additional
information regarding the purpose and goals of the PSWN, please contact the PSWN Program
Management Office (PMO) at 800-565-PSWN or see the PSWN Web page at
www.pswn.gov.
LMR Security Planning Template
August 1999
TABLE OF CONTENTS
1. Introduction
    1.1 Purpose
    1.2 Scope
    1.3 Document Organization
    1.4 How To Use the Template
    1.5 Terminology
2. System Identification
    2.1 System Name/Acronym
    2.2 Responsible Organization
    2.3 Designated Point of Contact
    2.4 System Operator
    2.5 System Status
    2.6 System Description
    2.7 System Interconnection/Information Sharing
    2.8 System Environment
3. Sensitivity of Information
    3.1 Applicable Laws or Regulations Affecting the System
    3.2 Information Sensitivity
    3.3 General Description of Sensitivity
    3.4 Protection Needs
4. System Security Control Measures
    4.1 Status of Security Activities
    4.2 Material Weaknesses
    4.3 Security Control Measures
        A. Management/Administrative Controls
            1. Assignment of Security Responsibility
            2. Risk Assessment and Management
            3. Security Documentation
            4. Security Awareness and Training
            5. Personnel Screening
            6. Continuity of Support
            7. Management of Contractors
        B. Computer/Network Management Controls
            1. User Identification and Authentication
            2. Access Controls
            3. Audit Trails
            4. Virus Protection
            5. Dial-in Access
        C. Physical Controls
            1. Facility Protection
            2. Computer Room(s)
            3. Dispatch Center(s)
            4. Remote Tower Sites
            5. Telecommunications Closet
            6. Environmental Protection
        D. Communications Controls
            1. Transmission Security
            2. Encryption
            3. Key Management for Encryption
            4. Trunked Key Management
            5. Firewall/Router
        E. Radio Controls
            1. Radio Authentication
            2. Talk Group Assignment
            3. Lost and Stolen Radio Controls
            4. Radio Maintenance
        F. MDTs/MCTs Controls
            1. User Identification and Authentication
            2. Access Controls
            3. Audit Trails
            4. MDTs/MCTs Maintenance
5. Additional Needs/Comments
6. Review and Approval Signatures
APPENDIX A REFERENCES
APPENDIX B LIST OF ACRONYMS
1. INTRODUCTION
Today's rapidly changing technical environment requires public safety agencies to adopt a
minimum set of security controls to protect their information technology (IT) resources.
Executive Order 13010, National Performance Review Action Item A06, the final report from the
President's Commission on Critical Infrastructure Protection (PCCIP), and Presidential Decision
Directives (PDD) 62 and 63 require that the emergency services infrastructure be protected from
physical and cyber threats. Additionally, PDD 67 requires that critical federal agencies'
infrastructures provide continuity of operations in emergency situations. The Public Safety
Wireless Network (PSWN) Program Management Office (PMO) is supporting this ongoing
requirement by encouraging public safety agencies to prepare for major technology changes that
could dramatically affect the security posture of their communications systems.
To ensure secure implementation of a new radio system or secure configuration of an
existing radio system, a security plan is necessary as part of the system development life cycle
process. This security planning template is intended for use by local, state, and federal public
safety agencies in developing security plans for their land mobile radio (LMR) communications
systems. The PSWN program recommends that radio managers use this template to develop their
security plans and to ensure necessary management support to improve security of their radio
systems.
1.1 Purpose
The objective of system security planning is to improve protection of IT resources. All
radio communication systems have some level of sensitivity and require protection as part of good
system management. It is a good business practice to document the protection of a radio system
in a system security plan.
This template provides a guideline for public safety radio system managers to follow when
developing their own security plans that document management, technical, and operational
controls for radio systems. The security plan shall be viewed as documentation of the structured
process for planning adequate, cost-effective security protection of a radio system. The security
plan will allow radio managers to accomplish the following objectives:
Identify the security requirements of the radio system

Identify the radio system's overall security