Cable management systems are implemented in shared non-government facilities to minimise risks to data and information.

]]> This section provides specific requirements for cabling installed in facilities shared by agencies and non-government organisations. This section is to be applied in addition to common requirements for cabling as outlined in Section 10.1 - Cable Management Fundamentals section.

]]> The controls within this section are applicable only to communications infrastructure located within facilities in New Zealand. For deployable platforms or facilities outside New Zealand, Emanation Security Threat Assessments (Section 10.7) of this chapter of this manual MUST be consulted.

]]> Fibre optic cabling is essential in a shared non-government facility. Fibre optic cabling does not produce and is not influenced by electromagnetic emanations; as such it offers the highest degree of protection from electromagnetic emanation effects especially in a shared non-government facility where an agency’s controls may have a limited effect outside the agency controlled area.

]]> Fibre optic cable is more difficult to tap than copper cabling and anti-tampering monitoring can be employed to detect tampering.

]]> Many more fibres can be run per cable diameter than wired cables, reducing cable infrastructure costs.

]]> In TOP SECRET areas, agencies MUST use fibre optic cabling.

]]> Agencies SHOULD use fibre optic cabling.

]]> In a shared non-government facility, it is imperative that cabling systems be inspectable for tampering and damage on a regular basis particularly where higher threat levels exist or where threats are unknown.

]]> In TOP SECRET areas, cables MUST be fully inspectable for their entire length.

]]> Cabling SHOULD be inspectable at a minimum of five-metre intervals.

]]> In a shared non-government facility, tighter controls are placed on sharing reticulation systems as the threats attributable to tampering and damage are increased.

]]> In TOP SECRET areas, approved cable groups can share a common reticulation system but MUST have either a dividing partition or a visible gap between the differing cable groups.

]]> TOP SECRET cabling MUST run in a non-shared, enclosed reticulation system.

]]> Approved cable groups can share a common reticulation system but SHOULD have either a dividing partition or a visible gap between the differing cable groups.

]]> In a shared non-government facility, TOP SECRET cabling is enclosed in a sealed reticulation system to prevent access and control cable management.

]]> In TOP SECRET areas, the front covers for conduits and cable trays in floors, ceilings and of associated fittings MUST be clear plastic or be inspectable and have tamper proof seals fitted.

]]> The front covers of conduits, ducts and cable trays in floors, ceilings and of associated fittings SHOULD be clear plastic or be inspectable and have tamper proof seals fitted.

]]> In a shared non-government facility, cabling run correctly in walls allows for neater installations facilitating separation and inspectability. Controls are more stringent than in a non-shared facility or a shared government facility.

]]> A party wall is a wall shared with an unclassified area where there is no control over access. In a shared non-government facility, cabling is not allowed in a party wall. An inner wall can be used to run cabling where the area is sufficient for inspection of the cabling.

]]> Cabling MUST NOT run in a party wall.

]]> In a shared non-government facility, where the threats of access to cable reticulation systems is increased, GCSB endorsed anti-tamper seals are required to provide evidence of any tampering or illicit access.

]]> In a shared non-government facility, all conduit joints and wall penetrations are sealed with a visible smear of glue or sealant to prevent access to cabling.

]]> Agencies MUST use GCSB endorsed tamper evident seals to seal all removable covers on reticulation systems, including:

  • conduit inspection boxes;
  • outlet and junction boxes; and
  • T-pieces.
]]> Tamper evident seals MUST be uniquely identifiable and a register kept of their unique number and location.

]]> Conduit joints MUST be sealed with glue or sealant.

]]> Conduit joints SHOULD be sealed with glue or sealant.

]]> A cable wall penetration into a lesser-classified area requires the integrity of the classified area be maintained. All cabling is encased in conduit with no gaps in the wall around the conduit. This prevents any visual access to the secure area.

]]> Wall penetrations that exit into a lower classified area, cabling MUST be encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound.

]]> In a shared non-government facility, it is important that TOP SECRET systems have control over the power system to prevent denial of service by deliberate or accidental means. The addition of a UPS is required to maintain availability of the TOP SECRET systems.

]]> Secure facilities MUST have a power distribution board located within the secure area and supply UPS power all equipment.

]]> Power filters are used to provide filtered (clean) power and reduce opportunity for technical attacks. Refer to 10.1.32 or consult the GCSB for technical advice.

]]> Power filters MUST be used to provide filtered (clean) power and reduce opportunity for technical attacks.

]]> A visible gap between equipment cabinets will make any cross-cabling obvious and will simplify inspections for unauthorised or compromising changes.

]]> Equipment cabinets MUST have a visible gap or non-conductive isolator between cabinets of different classifications.

]]> There SHOULD be a visible inspectable gap or non-conductive isolator between equipment cabinets of different classifications.

]]>