Title page
Contents
Structure of the draft code of practice 6
Section 1. Introduction and background 7
Introduction 7
The tiering system 8
Legal status of the code of practice 9
Implementation timeframes 10
Updating the code of practice 11
Section 2. Key concepts 13
1. Overarching key concepts 13
2. Network architecture 17
3. Protection of data and network functions 34
4. Protection of certain tools enabling monitoring or analysis 41
5. Monitoring and analysis 43
6. Supply chain 49
7. Prevention of unauthorised access or interference 56
8. Preparing for remediation and recovery 58
9. Governance 61
10. Reviews 63
11. Patching and updates 65
12. Competency 67
13. Testing 69
14. Assistance 71
Section 3. Technical guidance measures 73
Overarching security measures 73
Management plane 1 74
Signalling plane 1 74
Third party supplier measures 1 76
Supporting business processes 78
Management plane 2 80
Signalling plane 2 80
Third party supplier measures 2 81
Customer premises equipment 83
Third party supplier measures 3 84
Management plane 3 91
Signalling plane 3 94
Virtualisation 1 95
Third party supplier measures 4 99
Network Oversight Functions 99
Monitoring and analysis 1 101
Management plane 4 105
Signalling plane 4 105
Virtualisation 2 106
Monitoring and analysis 2 107
Retaining national resilience and capability 107
Annex A. Glossary of terms 108
Annex B. Vendor Security Assessment 113
Annex C. Extracts from the Cyber Assessment Framework 131
Table 1. Signalling protocols 29
Table 2. Criticality and exposure‑adjusted maximum timeframes for application of patches (from supplier release date) 66
Figure 1. Example of 'browse up' architecture 19
Figure 2. Example of 'browse‑down' architecture 21
Figure 3. Third party administrator secure access to multiple providers 22
Figure 4. Example of bare‑metal hypervisors 23
Figure 5. Example of containers 24
Figure 6. Virtualisation fabric broken into host 'pools' 25
Figure 7. Segregating trust domains using host pools 26
Figure 8. Example of cross‑domain data transfer 37