GOVERNMENT ICT STANDARDS - ICT Authorityicta.go.ke/powerassets/uploads/2017/10/ICT-Networks-Standard-Revised.pdfto be relevant for government ICT Standards. The development of all

The ICT Authority is a State Corporation under the State Corporations Act 446www.icta.go.ke

GOVERNMENT ICT STANDARDS

ICT Networks Standard

First Edition 2016

©ICTA 2016 All rights reserved

2

ICT Networks Standard ICTA-2.001:2016

The ICT Authority is a State Corporation under the State Corporations Act 446 The ICT Authority is a State Corporation under the State Corporations Act 446www.icta.go.ke www.icta.go.ke

ICT Networks StandardFirst Edition 2016

ICTA 2016- All rights reserved

3



ICTA-2.001:2016

ContentsICTA STANDARDS DESCRIPTION 4REVISION OF ICT STANDARDS 5DOCUMENT CONTROL 6FOREWORD 7Introduction 8Scope 9Application 9Normative references 9Definitions 10Abbreviations 14Sub domains 15Requirements 15Functional requirements 15Design 15Subject 15Description 15Requirement 15Implementation 16Non Functional Requirements 16ANNEX 17Annex A. 1 Telecommunication path ways and spaces 17Annex A. 2 Structured Cabling 20Annex A. 3 Wireless Network Connectivity 22Annex A. 4 Fixed telephony service 23Annex B.1 Routing and Switching 25Annex C.1 Network monitoring and management 28Annex D.1 Network Availability 29Annex D3 Main tenability 30Annex D4 Manageability 31Annex D5 Performance 31Annex D6 Security 32APPENDIX 33Appendix 1: Compliance Checklist for telecommunication pathways and spaces 33Appendix II:Compliance Checklist for structured cabling 35Appendix III:Compliance Checklist for wireless network connectivity 37APPENDIX IV Compliance Checklist for routing and switching 38APPENDIX V Compliance checklist for internet 41APPENDIX VI Compliance Checklist for Network Monitoring and Management 42APPENDIX VII Compliance checklist for Network availability 44APPENDIX VIII Compliance checklist for Network Reliability 44APPENDIX IX Compliance checklist for Network Maintanability 44APPENDIX X Compliance checklist for Network Performance 45APPENDIX XII Compliance checklist for Security 45APPENDIX XIII Compliance checklist for Fixed telephony 46APPENDIX IX:Compliance Checklist For Network Design, Configuration Documentation And Commissioning 47APPENDIX XII: TEMPLATE FOR NETWORK INSPECTION IN PREPARATION FOR COMMISSIONING 49APPENDIX XIII: INSPECTION CHECKLIST FOR COMPLETED PROJECTS FOR FINAL INSPECTION 50APPENDIX XIV: PROGRESS OF JOBS PER SITE – THIS IS FOR PROJECTS STILL NOT COMPLETE 51

Appendix iv: Related Documentation 52

4



ICTA STANDARDS DESCRIPTION

S/No

Thematic Area Standards Brief Description

1 Infrastructure ICTA-2.001:2016Network Standard

Provides compliant requirements for design, installations and management of all categories of IT Networks to be deployed in government.

ICTA-2.001:2016Data Center Standard

Provides compliant requirements for design, installations and management of government data centers

ICTA-2.001:2016Cloud Computing Standard

Provides compliant requirements for design, installations and management of cloud computing infrastructures for government

ICTA-2.001:2016End-User Equipment Standard

Provides the minimum specifications for all computing devices being deployed in government

2 Systems & Applications

ICTA-6.001:2016Systems & Applications Standard

Provides compliant requirements for design, installations and management of all government Software and applications Systems.

3 IT Security ICTA-3.001:2016Information Security Standard

Provides compliant requirements for design, installations and management of Information Technology Security in government.

4 Electronic records management

ICTA-4.001: 2016Electronic records and Data Management Standard

Provides compliant requirements for management of government electronic records and data

5 IT Governance ICTA. 5.001: 2016IT Governance Standard

Provides compliant requirements for IT Governance in government. This includes compliance requirements for government IT service providers and Professional Staff.

6 ICT Human Capacity

ICTA.7.001:2016ICT Human Capital and Work force Development Standard

Provides compliant requirements for development of Human Capital capacity for deployment and support for government ICT infrastructure and services.

5



ICTA-2.001:2016

REVISION OF ICT STANDARDS

In order to keep abreast of progress in industry, ICTA Standards shall be regularly reviewed. Suggestions for improvements to published standards, addressed to the Chief Executive Officer,

ICT Authority, are welcome.

©ICT Authority 2016

Copyright. Users are reminded that by virtue of Section 25 of the Copyright Act, Cap. 12 of 2001 of the Laws of Kenya, copyright subsists in all ICTA Standards and except as provided under Section 26 of this Act, no Standard produced by ICTA may be reproduced, stored in a retrieval system in any form or transmitted by any means without prior permission in writing from the Chief Executive Officer.

6



DOCUMENT CONTROL

Document Name: Government ICT Network Standard

Prepared by: ICTA ICT Network Standard Technical Committee

Edition: First Edition

Approved by: Board of Directors

Date Approved: 11th August 2016

Effective Date: 1stJanuary 2017

Next Review Date: After 3 years

7



ICTA-2.001:2016

FOREWORD

The ICT Authority has express mandate to, among others, set and enforce ICT standards and guidelines across all aspects of information and communication technology including systems, infrastructure, processes, human resources and technology for the public service. The overall purpose of this specific mandate is to ensure coherence and unified approach to acquisition, deployment, management and operation of ICTs across the public service, including state agencies, in order to promote service integration, adaptability and cost savings through economies of scales in ICT investments.

In pursuit of achievement of this mandate, the Authority established a Standards Committee to identify the critical standards domain areas as well as oversee the standards development process. A total of Nine Standards falling under six different domain areas were identified by the committee to be relevant for government ICT Standards. The development of all the identified standards was done through a process which took into consideration international requirements, government requirements, stakeholder participation as well as industry/sector best practices. In order to conform to the format of other existing national standards, the committee adopted the Kenya Bureau of Standards (KEBS) format and procedure for standards development. In addition, through Memoranda of Understanding, KEBS has made invaluable contribution to the development of ICT Authority standards.

The ICTA Networks Standard, which falls under the overall Government Enterprise Architecture (GEA), has therefore been prepared in accordance with KEBS standards development guidelines.

The Authority has the oversight role and responsibility for management and enforcement of this standard. The review and approval of the standard is done by the ICTA Board upon recommendation of Standard Review Board. The Authority shall be carrying out quarterly audits in all the Ministries, Counties, and Agencies (MCA) to determine their compliance to this Standard.

The Authority will issue a certificate of compliance to agency upon completion of the audit assessment. For non-compliant agencies, a report detailing the extent of the deviation and the prevailing circumstances shall be tabled before the Standards Review Board who will advise on action to take.

All government agencies are required to ensure full compliance to this standard for effective and efficient service delivery to the citizen. The compliance period is six months from the effective date.

Kipronoh Ronoh P.Director, Programmes and Standards

8



INTRODUCTION

A network is a collection of computers and other hardware interconnected by communication channels that allow sharing of resources and information. Networks are a component of the Government Enterprise Architecture (GEA) and constitute the infrastructure architecture layer. Networks is defined by the following aspects: the medium used to transport data, communications protocol used, scale, topology and the devices used to ensure efficient transfer of data from one point to another in the network. Networks consists of, but not limited to, hubs, switches, routers, servers, Local Area Networks at the equipment locations, and Wide Area Links connecting sites together consisting of the coaxial cables, microwave and fiber optic equipment, and the network management tools provided by the equipment manufacturer. In order to realize the Government Enterprise Architecture and to efficiently use network resources and realize its maximum benefits, it is important to provide a uniform framework for the design and configuration of the network and network devices. Government network infrastructure (GNI) interconnects and provides internal MCA connectivity. Government networks: vProvide shared infrastructure services vProvide a platform for shared services vFacilitate data, multimedia and voice communication vReduce infrastructure development and managements Cost vRemove/manage duplication vEnable integration of future technologies vEnable real time back up and disaster recovery services vProvide a comprehensive Security solution vFacilitate conformity to International Standards

The, design, implementation and management of the Government Networks is guided by the following general principles that support the GEA: vBe operational, reliable and available for essential business processes and mission-critical

operations vProvide for scalability and adaptability vUse industry-proven, mainstream technologies based on open and pervasive-industry

standards and open architecture vBe designed with confidentiality and security of data as a high priority vAllow secure remote accessibility vBe designed to support converged services while accommodating data, voice and video

services and to be “application aware” in the delivery of government services.

9



ICTA-2.001:2016

SCOPE

This ICTA Standard establishes guidelines for planning, design, implementation, utilization and management of network infrastructure in MCA’s single-tenant and multi-tenant buildings.

The objective is to support the development and progressive growth of GNI in accordance with the Government Enterprise Architecture (GEA) principles.

APPLICATION

This standard will be applicable to the following:vCentral Government of KenyavCounty GovernmentsvConstitutional CommisionsvState Corporations

NORMATIVE REFERENCES

The following standards contain provisions which, through reference in this text, constitute provisions of this standard. All standards are subject to revision and, since any reference to a standard is deemed to be a reference to the latest edition of that standard, parties to agreements based on this standard are encouraged to take steps to ensure the use of the most recent editions of the standards indicated below. Information on currently valid national and international standards can be obtained from Kenya Bureau of Standards.

• ANSI/TIA-569-c • ANSI/TIA-568-c.1 • ISO/IEC 60793 • IEEE, 802.3 • IEEE, 802.1 • IETF RFC 3457, 2709, 1518, 1918 • [ANSI/TIA-568-c.2] • [ANSI/TIA-568-B.2.1] • [IEEE 802.3af] • [ANSI/TIA-568-C.3-1] • [(ITU-T) Series G.652] • [IEEE STD-- 802.3-2008] • [IEEE 802.3an 2006] • [TIA/EIA 568-B.3] • [ISO/IEC 11801:2002] • [ANSI/TIA-568-c.3] • [IEEE STD-- 802.11-2012]• [IEEE STD 802.11-2011]• [IEEE 802.1x]• [IEEE 802.11i, g] • [ISO/IEC 17799:2005(E)] • [IEEE 802.1Q] • [ISO/IEC 17799:2000] • [IEEE STD-- 802.3-2008] • [IEEE 802.3an 2006]

10



DEFINITIONS

For the purposes of this ICTA Standard the following definitions, abbreviations and symbols apply:

Ad-hoc Network Refers to a group of wireless devices communicating directly with each other (peer-to-peer or point-to-point) without the use of an access point or central server

Aggregation networkAggregation networks collect traffic from distribution networks and concentrate it onto high bandwidth facilities before they terminate on core or backbone networks.

BridgingConnecting two different kinds of local networks, such as a wireless network to a wired Ethernet network

Bluetooth Describes how mobile phones, computers, and personal digital assistants (PDAs) can be easily interconnected using a short-range wireless connection.

CSMA/CA Defined as Carrier Sense Multiple Access/Collision Avoidance, which is a method of data transfer used to prevent data loss in a network.

Clear to Send A Clear to Send signal is sent by a device to indicate that its readiness to receive data.

Cabling mediaThese include copper and optical fibre cabling.

Core NetworksCore networks provide the backbone for network services

Demand PriorityIncreases Ethernet data rate to 100 Mbps by controlling media utilization

Delay In a network based on packet switching, transmission delay (or store-and-forward delay, also known as packetization delay) is the amount of time required to push all the packet’s bits into the wire. In other words, this is the delay caused by the data-rate of the link.

ExtranetsAn intranet or portion of an intranet to which an MDA allows access by selected external entities, who could be partners of the MCA.

Equipment roomThe Equipment Room is the central point for telecommunications within the building. The Equipment Room is dedicated to the telecommunications function.

11



ICTA-2.001:2016

Entrance roomThe telecommunications carriers (e.g. Telephone Company, ISP etc.) shall provide the point of demarcation for their services in the Entrance Room. The point of demarcation is analogous to a “border” between equipment and facilities owned by the carriers and that owned by the building occupants. Consequently, the Entrance Room will typically house terminations of copper and optical fibre cables (coming from outside the building) owned by the carriers. The Entrance Room is usually combined with a Common Equipment Room which houses electronic equipment owned by the carriers that is required to provide their network services.

Edge networksEdge devices connect end users to the network.

IntranetAn intranet is a computer network that uses Internet Protocol technology to share information, operational systems, or computing services within an organization.

JitterJitter is any deviation in, or displacement of, the signal pulses in a high-frequency digital signal.

Logical LinkThe logical link is the top sub-layer in the data-link layer, OSI Layer 2. It interfaces with the network Layer

LANA local area network (LAN) is a computer network that interconnects computers within a limited area such as a residence, school, laboratory, or office building.

LatencyLatency is a time interval between the transmission and reception of signal

Metropolitan Area NetworkA metropolitan area network (MAN) is a network that interconnects users with computer resources in a geographic area or region larger than that covered by even a large local area network (LAN) but smaller than the area covered by a wide area network (WAN).

Mesh NetworkExtension of network coverage without increasing the transmit power or the receiver sensitivity

Network design Network planning and design is an iterative process, encompassing topological design, network-synthesis, and network-realization, and is aimed at ensuring that a new telecommunications network or service meets the needs of the user.

Network Address Translation (NAT)NAT technology translates IP addresses of a local area network to a different IP address for the Internet.

Network Monitoring and ManagementNetwork monitoring is the use of a system that constantly monitors a network for slow or failing components and that notifies the network administrator (via email, SMS or other alarms) in case of outages.

12



Path waysTelecommunication pathways transport the cables.They include conduits, under floor ducts and floor boxes, raised floors, ceiling pathways, cable tray systems, perimeter pathways, telecommunication closet and equipment room.

Routing and Switching TechnologiesRouting and switching ensure that computer connections and information flows do not breach the access control policy of the business applications.

Structured CablingStructured cabling is campus telecommunications cabling infrastructure that consists of a number of standardized smaller elements called subsystems e.g horizontal cabling wiring, back borne cabling wiring, telecommunication rooms, equipment rooms, work area components and entrance rooms

TFTPTrivial File Transfer Protocol (TFTP) is a version of the TCP/IP FTP protocol, which uses UDP (User Datagram Protocol). It has no directory or password capability.

Telecommunication path ways and spacesThis are cable trays, conduits and rooms that house and transport telecommunication cables for voice, data and electricity.

Token ringThis is a protocol that resides at the data link layer of the OSI model. It uses a special 3-byte frame called a ring that travels around the ring

Telecommunications roomTelecommunications rooms are intended to distribute all telecommunications signals (e.g. voice, data, image) to the area they serve.

Through putThis refers to Percentage of data transmission per unit time

User Datagram Protocol User Datagram Protocol is a network protocol for transmitting data that does not require acknowledgement from the recipient.

Virtual Local Area Network (VLAN) Technologies and SetupsVLAN is a group of end stations with a common set of requirements, independent of physical location. VLANs have the same attributes as a physical LAN but allow you to group end stations even if they are not located physically on the same LAN segment. VLANs are usually associated with IP subnetworks. [IEEE 802.1Q]

Virtual Private Network An IEEE standard network protocol that specifies how data is placed on and retrieved from a common transmission mediumVoice over internet protocolVoice over IP (VoIP) is a methodology and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet

13



ICTA-2.001:2016

Wireless Local Area Network Wireless Local Area Network is a group of computers and associated devices that communicate with each other wirelessly.

Wi-fiWi-Fi is a local area wireless computer networking technology that allows electronic devices to network, mainly using the 2.4 gigahertz UHF and 5 gigahertz SHF ISM radio bands

Wireless Personal Area NetworkA network for interconnecting devices centered around an individual person’s workspace - in which the connections are wireless.

Wireless Metropolitan Area Networks Data security refers to protective measures that are applied to prevent unauthorized access to computers, databases and websites that causes data corruption.

WANA wide area network (WAN) is a telecommunications network or computer network that extends over a large geographical distance.

14



ABBREVIATIONS

GEA Government Enterprise ArchitectureMCA Ministries, counties and agenciesIEEE Institute of electrical and electronics engineersISO International Organization of StandardizationMDAs Ministry, Departments and AgenciesRFC Request for Comments ICT Information and Communication TechnologiesANSI American National Standards InstituteTIA Telecommunications Industry AssociationGNI Government Network InfrastructureVOIP Voice over internet protocolVLAN Virtual local area networkPSTN Public Switched Telephone NetworkIP Internet protocolSNMP Simple network management protocolSSID Service set identifierRMON Remote monitoringDHCP Dynamic Host Configuration ProtocolUTP Unshielded twisted pairOSPF Open Shortest Path FastRIP Routing Internet ProtocolSSH Secure Socket ShellSSL Secure Socket layerNMS Network monitoring softwareBGP Border gateway ProtocolMBGP Multi protocol border gateway protocolMPLS Multi path label switchingMGCP Multi gateway control protocolToS Type of ServiceTCP/IP Transport communication protocol/ internet protocolCoS Class of serviceWPAN Wireless personal area networkEMI Electro- magnetic interference

15



ICTA-2.001:2016

SUB DOMAINS

This section provides network standards needed design, implement and manage Government Network Infrastructure. All MCAs shall develop operational manuals to institutionalize the standards

a. Functional requirementsb. Non functional requirements

REQUIREMENTSFunctional requirements

Design

Subject Description RequirementTelecommunication path ways and spaces

MCA’s shall ensure Telecommunication pathways and spaces e.g cable trays, conduits and rooms that house & transport telecommunication cables for voice, data and electricity are properly designed and are adaptable to change over their life.

Annex A.1

Structured Cabling MCA’s shall ensure telecommunications cabling infrastructure is designed to ensure the user gets voice, data and signals at maximum data rates and the infrastructure is adaptable to change

Annex A.2

Wireless Network Connectivity MCAs shall provide secure wireless network connectivity to enable access to the internet everywhere

Annex A.3

Fixed telephony service MCAs shall ensure Quality of voice, Interoperability, Security of information, Integration with Public Switched Telephone Network (PSTN) and Scalability when deploying VOIP.

Annex A.4

16



Implementation

Subject Description Requirement

Routing and Switching MCAs shall deploy routers and switches to interconnect the network

Annex B.1

Internet MCAs shall ensure sufficient internet bandwidth is provided and is utilized sustainably by the users

Annex B.2

Network monitoring and management


Network Monitoring and Management

MCA’s shall monitor and manage the network to ensure availability of service.

Annex C.1

Non Functional Requirements


Availability MCAs shall ensure maximum network service uptime to meet business needs

Annex D.1

Maintainability MCAs shall take proactive measures for maintenance of the network

Annex D.2

Manageability MCAs shall store network configurations in a manner that ensures ease of network management

Annex D.3

Performance MCAs shall ensure high network throuput, low latency and delays

Annex D.4

Reliability MCAs shall ensure network devices have high minimum failure time

Annex D.5

Security MCAs shall ensure confidentiality, integrity and availability of information on the network

Annex D.6

17



ICTA-2.001:2016

ANNEXAnnex A. 1 Telecommunication path ways and spaces

Requirement1. Telecommunications

roomSize a. Each floor of government buildings shall contain at least

one telecommunications room ranging in size from 6.6 to 10.2 square metres (70 to 110 square feet), depending on the floor area served. Each Telecommunications Room may serve up to 1000 square metres (10,000 square feet) of floor space and each is dedicated to the telecommunications function – there shall be no electrical distribution equipment in the telecommunication Room.

b. In buildings with (> 300 cables) the telecommunications rooms shall be a “walk in” design, i.e. capable of containing multiple 42u 800 x 800 cabinets. Room should be allowed for front, rear and side working access to the Cabinets. The size of the wiring closet is determined by the number cabinets required. A minimum of one meter access space should be available to the front, rear and at least one side of the cabinet(s).

Design a. The door of Telecommunication room shall open outward, slide sideways, or be removable. It should be fitted with a lock and be a minimum of 36 inches wide by 80 inches high;

b. Sufficient lighting shall be provided. The light switches should be located near the entrance door;

c. These areas shall not have false(drop) ceilings; d. Make sure that these areas are sufficiently

separated from EMI sources such as antennas, medical equipment, elevators, motors and generators.

e. It is preferable for the Telecommunications Rooms to be stacked vertically to facilitate running backbone cables through them

f. When a floor has more than one Telecommunications Room, standards also require that they be joined by a backbone pathway.

Environmental conditions

a. The room shall be neat and shall be devoid of any non telecommunication related substances

b. Adequate ventilation should be provided by means of electric extractor fans and air inlets into the closet, via air vents where deemed necessary. In the larger installations (> 300 cables) the minimum requirement for air conditioning is a Heat Pump Air Conditioning System rated at 5.2Kw. Each cabinet should be equipped with a roof mounted 4 fan cooling fan tray. In smaller installations electric A.C. fans should be placed in the cabinet to keep the active components cool.

c. The recommended temperature for telecommunications and equipment rooms is Cooling to a maximum temperature of 29 degrees celcius is required, and a minimum temperature of 24 degrees is preferred. The temperature should not get colder than 10 degrees.

d. Relative humidity should be maintained in the range from 30 to 80%.

e. The floor and walls should be sealed to inhibit dust ingress into the cabinets

Power a. Electrical power shall be supplied by a minimum of two dedicated 220V-240V nominal from different phases, non-switched, AC-duplex electrical outlets. Each outlet should be on separate branch circuits;

b. Grounding shall be provided; c. The equipment shall be supplied with clean power d. Equip all telecommunication rooms with electrical

surge suppression and a UPS that will supply the area with at least 8 hours of standby power in the event of commercial power failure; Provide standby lighting that will last for at least half an hour if commercial power fails;

Security Telecommunication rooms shall be located in secure restricted areas. The rooms must be fitted with access control in line with GoK information security standards.

18



2. Equipment room Size a. When sized according to standards, the Equipment Room will be quite large and should have ample space to house LAN servers.

b. In buildings with (> 300 cables) the equipment rooms shall be a “walk in” design, i.e. capable of containing multiple 42u 800 x 800 cabinets. Room should be allowed for front, rear and side working access to the Cabinets. A minimum of one meter access space should be available to the front, rear and at least one side of the cabinet(s).

Design a. The door shall open outward, slide sideways, or be removable. It should be fitted with a lock and be a minimum of 36 inches wide by 80 inches high;

b. In situations where changes to the wiring system are anticipated, cable trays shall be used since new cables can be installed by laying them in the tray, instead of pulling them through a pipe.

c. These areas shall not have false(drop) ceilings;d. Shall have a raised floor of not less than 300 mm with

provisions for future expansion. e. These areas shall sufficiently separated from EMI

sources such as antennas, medical equipment, elevators, motors and generators.

Environmental conditions

a. The room shall be neat and shall be devoid of any non telecommunication related substances

b. Sufficient lighting shall be provided. The light switches shall be located near the entrance door

c. Adequate ventilation shall be provided by means of electric extractor fans and air inlets into the closet, via air vents where deemed necessary. In the larger installations (> 300 cables) the minimum requirement for air conditioning is a Heat Pump Air Conditioning System rated at 5.2Kw. Each cabinet should be equipped with a roof mounted 4 fan cooling fan tray. In smaller installations electric A.C. fans should be placed in the cabinet to keep the active components cool.

d. The recommended temperature for telecommunications and equipment rooms is Cooling to a maximum temperature of 29 degrees celcius is required, and a minimum temperature of 24 degrees is preferred. The temperature should not get colder than 10 degrees.

e. Relative humidity should be maintained in the range from 30 to 80%.

f. The floor and walls should be sealed to inhibit dust ingress into the cabinets

Power a. There is no electrical distribution equipment in it other than that required for the telecommunications equipment installed in the Equipment Room.

b. Grounding shall be provided; c. Equip all equipment rooms with electrical surge

suppression and clean power that will supply the area with at least least 8 hours of standby power in the event of commercial power failure; Provide standby lighting that will last for at least half an hour if commercial power fails;

d. SMART signaling, line interactive UPSs will be installed in all cabinets to support the active devices installed in them.

e. The main distribution frame (MDF) cabinet shall have 1 UPS of capacity of 1500VA for core switch installation. All UPSs must be rack mountable.

Security Equipment rooms shall be located in secure restricted areas to which ICT personnel shall have 24 hour 7 day access. The rooms must be fitted with access control in line with information security standards.

19



ICTA-2.001:2016

3. Entrance room Consideration The telecommunications carriers (e.g. Telephone Company, ISP etc.) shall provide the point of demarcation for their services in the Entrance Room. The point of demarcation is analogous to a “border” between equipment and facilities owned by the carriers and that owned by the building occupants. Consequently, the Entrance Room will typically house terminations of copper and optical fibre cables (coming from outside the building) owned by the carriers. The Entrance Room is usually combined with a Common Equipment Room which houses electronic equipment owned by the carriers that is required to provide their network services.

4. Path ways Size a. Trunkings and cableways must be sized to 2.5 times the requirement of the current installation, i.e. if current installation is 2 cables then cableways must be sized for 5 cables.

Design a. It is preferred to use cableways completely separate from electrical power installations; however in certain situations this may not be aesthetically possible. Data must not be allowed to run side by side with electrical cables unless separated by a distance of 50 mm plus an earthed metal fillet.

b. Cable conduits must not be over-filled . c. Cables should be enclosed within conduit or trunking

where exposed. d. The Contractor shall be responsible for the removal, and

reinstatement to the original condition of any fixtures, fittings and structures, disturbed during the installation. Access must be provided to all trunking and cableways in buildings for future refits and expansion.

1. Metal trunking shall be utilized where necessary. Metal trunking of 50mm X 150mm dimension will be used

e. f. All cables between MCA buildings must be installed in

ducting that complies with or is part of the approved Campus Infrastructure plan. Access to these ducts by qualified cabling companies is subject to the approval of the ICT department. Undertakings must be given to cover the full cost of replacing all cables already in the ducts that are damaged during the installation of additional cables and/or draw wires.

20



Annex A. 2 Structured CablingRequirement 1. Cabling media Copper cabling a. A work area shall have a minimum of two information-

outlet ports. b. Each cable shall be assigned a unique cable number both

at the patch panel and the data outlet. c. Wall plate shall be terminated with 8 pin modular jacks

(RJ-45).Data outlets shall be flash mounted on metal trunking

d. There shall be no splicing of any cables installed. Intermediate cross connects transition points are not allowed.

e. All user area patch cords and cabinet patch cords shall be supplied to match the total number of data outlet

f. All fiber optic patch panels must be rack mounted 22 u floor standing shall be used or a u 19”rack wall mounted cabinet located in a suitable closet

g. All cabinets must have a forced cooling”h. Horizontal cabling should not terminate directly

to an application specific device but rather to a telecommunication outlet;

i. Patch cables or equipment cords should be used to connect the device to the cabling;

j. Horizontal Cabling infrastructure shall be done using category 6 cable or higher 4-pair 100 Ω unshielded twisted-pair (UTP) or 4-pair 100 Ω fully shielded twisted-pair

k. Patch cords used in the horizontal Cabling, including equipment cables/cords, should not exceed 5m.

l. Horizontal cable between the face plate and the patch panel shall not exceed 90m.

m. For back bone cables interconnecting between buildings, telecommunications rooms, equipment rooms, main terminal space, and entrance facilities, the backbone cabling shall be configured in a star topology.

n. A total maximum backbone distance of 90m (295 ft.) is specified for high bandwidth capability over copper.

Optical Fibre a. All fibre cables between MCA buildings must be installed in ducting that complies with or is part of the approved Campus Infrastructure plan. Access to these ducts by qualified cabling companies is subject to the approval of the ICT department. Undertakings must be given to cover the full cost of replacing all cables already in the ducts that are damaged during the installation of additional cables and/or draw wires. Existing draw wires must be replaced if used.

b. Connectors shall be protected from physical damage and moisture.

c. Optical fiber cable connecting hardware should incorporate high-density termination to conserve space and provide for ease of optical fiber cable

21



ICTA-2.001:2016

2. Cabinet cabling Cabinet Size a. Room should be allowed for front, rear and side working access to the Cabinets. A minimum of one meter access space should be available to the front, rear and at least one side of the cabinet(s).

b. In installations less than or equal to 200 data points, one 42u full height good quality 19 in (e.g. APC) cabinet may be used. In installations greater than 300 data points, additional cabinets must be used. In smaller installations a 22 u floor standing cabinet shall be used or a u 19”rack wall mounted cabinet located in a suitable closet..

Design a. Each cabinet should be identified by using an agreed name (a, b, c, d , etc) or as on Services drawing.

b. Each cabinet should contain a 48-way to 48-way patch panel to the cabinet containing the fibre. A power disruption unit, rack mountable should be installed with one 3 pin outlet per 24 UTP user points.

c. Cables shall be terminated in RJ45 19” Patch panels. A cable management system is required for every 24 port patch panel inserted. This will ensure correct installation of patch panel cable. All rising cables should be on a tray outside the 19 inch rack space and a shelf should be installed to protect the cables in the bottom of the cabinet in the case of floor standing cabinet.

d. Each data patch panel should be identified by a, b, c, and d from the top of the cabinet. The number on the cabinet should be used, on a 1 to 24 way panel the max number should be 24, on a 1 to 48 way panel the max number should be 48 e.g BA-A-01 this is Block A Patch panel A point number 1

3. Cable Security Design a. Network cabling should be protected from unauthorized interception or damage, for example by using a conduit or by avoiding routes through public areas; b. Power cables should be segregated from communications cables to prevent interference; c. Clearly identifiable cable and equipment markings should be used to minimise handling errors, such as accidental patching of wrong network cables; d. documented patch list should be used to reduce the possibility of errors; e. For sensitive or critical systems further controls to consider include: o installation of armoured conduit and locked rooms or

boxes at inspection and termination points; o use of alternative routings and/or transmission media

providing appropriate security; o use of fibre optic cabling; o use of electromagnetic shielding to protect the cables;

and o initiation of technical sweeps and physical inspections for

unauthorised devices being attached to the cables; o controlled access to patch panels and cable rooms

22



Annex A. 3 Wireless Network Connectivity

Requirement1. Wireless Security Considerations a) Inadequate authentication between clients and

access points is the prime vulnerability or wireless network. Hence, strong mutual authentication between wireless clients and access points is needed to ensure that clients do not connect to a rogue access point deployed by an attacker, and also to ensure that un-authorized wireless users do not connect to the MDA‘s wireless networks; b) Sensitive data between wireless clients and access points should be protected using strong encryption. This will ensure that attackers will not be successful in getting the information, even though they are able to sniff the traffic transmitted over wireless network. The following shall be implemented- Not broadcasting the SSID (Network ID): The

first attempt to secure wireless network was the use of Network ID (SSID). The default feature of broadcasting of SSID by the access point may be disabled and the same can be issued to the clients looking for WLAN connectivity;

- Enforcing MAC Address Filtering: This method uses a list of MAC addresses of client wireless network interface cards that are allowed to associate with the access point;

- - Disabling DHCP service from WLAN access point,

instead if required, the parent DHCP service (from wired LAN) shall be used;

- Using a network firewall to secure a wireless network;

- Use of WPA2 as bare minimum security for authentication and protection of information on a wireless local area network (WLAN).For legacy system with low security impact and which does not support WPA, WEP with at least 128bit key length should be used;

- The MCAs shall change the keys/secrets associated with the wireless access points at least once in six months, through a managed process;

- The MCAs shall periodically, as defined by the MCA security policy, scan for unauthorised wireless access points and take appropriate action if such an access points are discovered. The scan should not be limited to only those areas, containing the high-impact information systems, but should also cover the adjacent areas.

- A guest VLAN shall be created for all guests to access internet only

23



ICTA-2.001:2016

Annex A. 4 Fixed telephony service

Requirement

1. VOIP service type selection

Selection MCAs shall assess, seek expert advice and determine the most ideal VOIP service type for their type of organization. The VOIP service types and their applications are:- Integrated access service which is an entry level

VOIP service is the easiest to implement because MCAs can keep their existing phone system with a VOIP integrated access solution from a service provider. The provider gives phone calls priority when they need it, and when the phones are not being used the network can be used full speed for data needs. This is medium level outsourcing

- SIP trunks is for MCAs who plan to purchase and manage their own IP- based phone equipment. This can be used to connect branches and regional offices. SIP is a set of signalling protocols used to connect IP- PBX systems via IP networks, commonly known as SIP trunking. This is medium level outsourcing

- Managed IP PBX is ideal for MCAs ready to replace their phone systems and PBX but want to avoid the capital investment and/or don’t have the expertice to support and manage the equipment themselves. For a monthly fee the service provider provides the service and equipment, manages the service and maintains the system. This is a high level of outsourcing.

- Hosted IP PBX is for MCAs seeking the benefits of using IP phones and IP enabled PBX without buying and managing a PBX. The service is hosted in the service providers network and accessible via a web portal. There is a higher cost per user than other solutions and upgrading the LAN still a requirement. This is a high level of outsourcing

24



2.VOIP software Considerations VoIP software should provide for:- - Traditional calling features including call by

name, caller ID, last number redial, hold, call waiting, call forwarding , transfer, divert, park, retrieve, voice mail, return call and call conferencing

- Call Coverage Make it easy to ensure that important calls are answered by administrative assistants or team members, via user-controlled Delegation and Team Calling respectively.

- Telephone Directory.

- Maintain Call history.

- Local Number portability, that is, ability to maintain phone numbers when one changes service providers.

3.VOIP deployment Considerations a. MCAs shall endeavor to integrate VOIP with existing telephone infrastructure

b. MCAs shall separate voice and data traffic logically on the network (using VLANs) due to bandwidth, security and Quality of service requirement of VOIP.

c. MCAs shall ensure use of PoE switches to power the telephones

d. Cabling shall be CAT 6 or highere. Network cards shall be running at 100Mbps,

fast ethernetf. MCAs shall consider the following when

selecting a service provider for VOIP.

- Service level agreement- User training- Support- Future growth

25



ICTA-2.001:2016

Annex B.1 Routing and Switching

Requirements1.Edge networks Selection Ethernet switches, including routing devices on the edge network must

support, as a minimum, the following features and protocols. • Active device should support autosensing 10/100/1000Mb/s • The active device used at the LAN egde shall have 24 or 48 port for

connection to the horizontal cabling as may be appriopriate and must be rack mounted

• The active device must support IP routing, Quality of Service(QoS) and Power over Ethernet (POE)

In addition, the following functionality must be supported by the device:

Ø configurable Auto- MDIXØ At least two Gigabit optical ports using SX and LX SFP

transceiversØ RADIUS authentication and accountingØMultilink trunking (supporting both LACP and manual Ø configuration)Ø IGMP snoopingØ 802.1X authentication, with multiple 802.1X users per

portØMAC address-based port authentication to RADIUSØMultiple authentication methods per portØ VLAN allocation per port by RADIUSØMAC address limitingØMAC address lockoutØ Source-port filteringØ Configurable logging using SYSLOGØ SNTPØ SNMP v3Ø RMONØ SFLOWØ Availability of all relevant standard and proprietary

MIBsØ Port monitoring, including remote port monitoringØ Port mirroringØ DHCP snooping with DHCP protectionØ Broadcast limitingØ rate limitingØ 802.1s multipleØ (per-VLAN) Spanning Tree ProtocolØ software/firmware updates available for a minimum

of 5 yearsØ command line interfaceØ SSHv2Ø TFTP file transferØ Secure FTP (SFTP) file transferØ Dual flash images for firmware and configuration

filesØ Flexible mounting options including standard 19”

rack Ømounting

26



2.Core Networks Considerations Devices on the core network must support, in addition to all of the above, the following:

• IPv4 Layer 3 routing• IPv6 Layer 3 routing• RIP, RIP2, OSPF and OSPF3 routing protocols• static routes• multinetting• per-VLAN DHCP forwarding to multiple destinations• flow control• ACLs (access control lists)• IP address lockout• VRRP (Virtual Router Redundancy Protocol)• IGMP• MLD • (Multicast Listener Discovery)• PIM sparse and dense modes• At least four optical ports using SR and LR SFP+ transceivers

2. Network design documentation and configuration

Site surveys • MCAs shall carry out site surveys to ensure a network design that guarantees maximum service availability

• MCAs shall seek ICT Authority assistance in carrying out site surveys

Basic configuration

• MCAs shall ensure that relevant functionalities are configured to deliver robust and secure IP network.

• MCAs shall seek ICT Authority assistance in carrying out basic configuration” under network design documentation

Completion and Commissioning

a. Upon completion of the installation MCA must carry out the tests and the results recorded in one or several measure books showing test results of the cable components. In addition, the measurements must be recorded on soft copies (CD-ROM).

b. All components must be tested and a Completion Certificate issued stating the following:

(i) Number of outlets(ii) Type of cable(iii) Date completed(iv) Type of Warranty

Network installation design documentatiom (physical/logical)

MCAs shall ensure that physical and logical design of the network is documented ‘as built’ using automated software and all the network changes are updated.“As-built” package must be with the following information(i) Updated floor plans(ii) Wire/cable routing schematic(iii) Facility assignment records(iv) Horizontal cable test results(v) Fibre Backbone test results

The documentation shall also include:

a.Synopsis of the cabling (primary and secondary) b.Charts of the distribution highlighting the details of the elements that have been installed c. Detailed map of socket layout (Soft copy on CD-ROM should be availed) d. Reports on measurements (Soft copy on CD-ROM should be availed)

Connection to the government common core network

MCAs shall consult the ICT authority on the basic configurations required to connect to the Government network

27



ICTA-2.001:2016

Annex B2 Internet

Requirements

1. Use of GoK IP addresses

Consideration a. Government agencies shall ensure that internet bandwidth is sufficient for the users needs

b. Internet service shall be cost effective and reliable.

c. Government agencies shall sign a service level agreement with the Internet Service Provider (ISP) to guarantee service availability.

d. IP addresses shall not be assigned from within the Government IP address space for individuals or organizations who are not directly affiliated with the Government of Kenya.

e. MCAs shall assign internal workstation network IP address using Dynamic Host Configuration Protocol (DHCP).

f. DHCP address allocation may be (1) an automatic allocation where DHCP assigns a permanent IP address to the workstation; (2) manually allocated and assigned by the DHCP administrator; or (3) dynamically allocated where DHCP assigns an IP address to a workstation for a limited period of time (lease.)

g. MCAs shall use subnetting to protect IPv4 spaces

h. It is recommended that MCAs shall connect at least two ISPs for internet

2.Acceptable use Considerations a. MCAs shall develop a policy on acceptable use based on GoK information security standard

b. End users shall be sensitized and committed to abide by this policy

28



Annex C.1 Network monitoring and management

Requirements1. NMS configuration NMS software MCA’s shall ensure that network management software acquired shal be

able provide the following but not limited to this features Discover network components such as devices and links. Support Layer 2 and Layer 3 discovery. Generate a layout of the existing network. Report failures and events. Receive SNMP trap messages. Generate customized reports.

Bandwidth Management Bandwidth or the amount of data transferred over a communication channel in a specific amount of time shall be controlled by bandwidth management tools, or traffic or packet shapers. These tools shall enable network managers to control communications by allowing high-priority traffic to utilize more bandwidth than something given a lower priority status as well as enable them identify network traffic patterns, establish priorities, optimize application performance, and allocate resources. As the number of Internet users shall continue to increase and demand for media-rich and peer-to-peer applications rises, bandwidth management shall continue to play a role in network management.

Server Configuration a. The NMS server must have one network interface located inside the management network ( management VLAN). This interface serves for both managing the NMS server itself and for the communication between the NMS tools and the other devices in the network.

b. The NMS shall have an additional network interface in the production part of the network. This interface would allow access to the monitoring system in order to monitor the current status of devices and perform alarm detection. It is necessary to limit access through this interface to intended users only

c. Use of separate IP address ranges for the management part of the network that shall not be routed outside the network

d. The server shall use SNMP V3 for increased securitye. Configuration of SNMP shall be the same on the server and on

the network devices.f. MCAs shall configure SNMP trap mode to ensure timely

detections of network faults

Network configuration MCAs shall ensurea. Configuration of SNMPV3 on network devicesb. a VLAN is defined for management purposes. Although

this VLAN is usually VLAN 1, MCAs shall define a different VLAN for management purposes, a VLAN that will be used for management traffic only, in order to increase security.

c. Use of separate IP address ranges for the management part of the network that should not be routed to the network

d. NAT functionality shall be used for administrator computers accessing devices in the management part of the network

e. Remote access shall be through a VPN and NAT functionality

f. In order to increase security, it is recommended that traffic for all VLANs is tagged.

g. For switches, all connections between switches should be in the mode for transferring multiple VLANs (generally the IEEE 802.1Q standard). The management VLAN (VLAN-MGMT) needs to go through this link as well.

h. For routers, sub-interfaces with an IP address within the range defined for the management VLAN need to be defined on routers (also by using the IEEE 802.1Q standard).

i. VLAN1 should not be used to forward traffiC.2.Monitoring indicators Description Critical management data required to manage the network

Network devices The following shall be monitored- State of the interface both layer 2 and layer 3- Interface data flow- Processor load- Memory load

29



ICTA-2.001:2016

Servers The following shall be monitored- State of the interface both layer 2 and layer

3- Processor load- Memory load- Number of system processes- Number of running services- Number of TCP connections- Logged on users

Other Devices These are defined as all devices whose primary purpose does not require network communication (e.g., uninterruptible power supply devices, air conditioners or humidity sensors). These shall be managed through

a. Statusb. Serial port in the absence of network interface cardc. Network interface if presentd. The following shall be monitored

- The current state of the UPS, i.e., its work mode (battery mode, online mode, malfunction, etc.)

- UPS battery capacity - How long the UPS can work in battery mode- The temperature of the battery- UPS output load- Incoming voltage- Output voltage- Input current - Output current

Annex D.1 Network Availability

Requirements

1. LAN availability SLA An SLA shall be in place with the provider to ensure LAN service availability of 99.998%

2.WAN availability SLA An SLA shall be in place with the provider to ensure LAN service availability of 99.9995%

Annex D.2 Reliability

Requirements

1. Mean time to failure Consideration MCAs shall specify the mean time to failure for all replaceable devices using acceptable methods for predicting the failure for electronic equipment likeIEC/TR 62380

30



Annex D3 Main tenability

Requirements

1.Preventive maintenance (PM)

PM programs a. Maintenance programs shall be identified to detect imminent or conditional failures such as thresholds for CPU and memory, interface utilisation and errors, temperature, power supply current and voltage.

b. Maintenance programs shall be identified for all assets to ensure that the hardware, firmware, software, physical and logical configuration is as designed throughout the life of the asset.

Failure messages

§All message logs with a severity level between 0 and 4 inclusive as defined in IETF RFC 5424 shall be logged to syslog.

§All message logs with a severity level between 0 and 2 inclusive as defined in IETF RFC 5424 shall be regarded as failures requiring immediate corrective action.

§All message logs with a severity level of 3 or 4 as defined in IETF RFC 5424 shall be regarded as conditional failures requiring priority preventative action.

31



ICTA-2.001:2016

Annex D4 Manageability

Requirements

1.Configuration management

Consideration Network devices need to support basic network configuration capabilities

- Support separate running and startup configuration datastores

- Retrieve all of a configuration datastore - Load all of a configuration to a target

configuration datastore - Create or replace a configuration

datastore with the contents of another configuration datastore

- Delete a configuration datastore - Retrieve running configuration

2 Configuration attributes

Logical attributes When queried using SNMPv3, the network devices should return values that correspond with configured values for the logical configuration attributes

- hostname - location - contact

Physical attributes

- firmware revision - software revision - serial number of chassis and field

replaceable units - manufacturer name of chassis and field

replaceable units - model name of chassis and field

replaceable units

Annex D5 Performance

Requirements

1. Through put Consideration Throughput of 100% with line rate equal to 100%

2.Latency Considerationlatency of less than:

- 130 μs for a 1518 byte frame on a 100 Mb/s ethernet interface

- 18 μs for a 1518 byte frame on a 1 Gb/s ethernet interface

- 6.5 μs for a 1518 byte frame on a 10 Gb/s ethernet interface

32



Annex D6 Security

Requirements

1. Security Security features MCAs shall ensure the following are configured in line with GoK information security standards

- VLANs- Firewall and Perimeter Security

Architecture - Connections to Third Parties - Remote Network Administration to Servers - Encryption of Sensitive Information - Virus Protection - E-mail Security - Wireless Security Management - Redundancy of Network Infrastructure - Auditing and Monitoring of Security Logs - Network Intrusion Detection - Network Segmentations - Segregation of Duties - Default User IDs and Network Device

Configuration - Network Inventory and Asset Management - Network Configuration Management - Vulnerability and Patch Maintenance

33



ICTA-2.001:2016

APPENDIX

Appendix 1: Compliance Checklist for telecommunication pathways and spaces

Requirement Yes No Comment

Each floor of the government buildings contains at least one telecommunications room ranging in size from 6.6 to 10.2 square metres (70 to 110 square feet), depending on the floor area served?There is no electrical distribution equipment in the telecommunication Room?If buildings have (> 300 cables) the telecommunications rooms are “walk in” design, i.e. capable of containing multiple 42u 800 x 800 cabinets?Room is allowed for front, rear and side working access to the Cabinets. A minimum of one meter access space is available to the front, rear and at least one side of the cabinet(s)?The door opens outward, slide sideways, or be removable. It is fitted with a lock and be a minimum of 36 inches wide by 80 inches high?Sufficient lighting is provided. The light switches are located near the entrance door?These areas do not have false(drop) ceilings?These areas are sufficiently separated from EMI sources such as antennas, medical equipment, elevators, motors and generators?Telecommunications Rooms to be stacked vertically to facilitate running backbone cables through them?When a floor has more than one Telecommunications Room, they are joined by a backbone pathway?The room is neat and is devoid of any non telecommunication related substances?Adequate ventilation is provided by means of electric extractor fans and air inlets into the closet, via air vents where deemed necessary?In the larger installations (> 300 cables) there is a Heat Pump Air Conditioning System rated at 5.2Kw?Each cabinet is equipped with a roof mounted 4 fan cooling fan tray?In smaller installations electric A.C. fans is placed in the cabinet to keep the active components cool?The temperature is 29 degrees celcius maximum, and 24 degrees minimum?The temperature does not get colder than 10 degrees. Relative humidity is maintained in the range from 30 to 80%?The floor and walls are sealed to inhibit dust ingress into the cabinets?

34



Electrical power is supplied by a minimum of two dedicated 120V-20A nominal, non-switched, AC-duplex electrical outlets. Each outlet is on separate branch circuits?

Grounding is provided?All telecommunication rooms are equipped with electrical surge suppression and a UPS that will supply the area with at least 8 hours of standby power in the event of commercial power failure? Standby lighting is provided that will last for at least half an hour if commercial power fails?Telecommunication rooms are located in secure restricted areas. The rooms are fitted with biometric card access in line with GoK information security standards?

Each building has an equipment room? The Equipment Room is the central point for telecommunications within the building..The Equipment Room is dedicated to the telecommunications function?The Equipment Room has ample space to house LAN servers?

In buildings with (> 300 cables) the equipment rooms are a “walk in” design, i.e. capable of containing multiple 42u 800 x 800 cabinets?Equipment rooms are located in secure restricted areas to which ICT personnel shall have 24 hour 7 day access?

The rooms are fitted with access control in line with information security standards?The telecommunications carriers (e.g. Telephone Company, ISP etc.) provide the point of demarcation for their services in the Entrance Room? The point of demarcation is analogous to a “border” between equipment and facilities owned by the carriers and that owned by the building occupants?The Entrance Room houses terminations of copper and optical fibre cables (coming from outside the building) owned by the carriers?Trunkings and cableways are sized to 2.5 times the requirement of the current installation, i.e. if current installation is 2 cables then cableways must be sized for 5 cables?

Cableways are used completely separate from electrical power installations?Data is not allowed to run side by side with electrical cables unless separated by a distance of 50 mm plus an earthed metal fillet?Metallic trunking is utilized?

Cables are not over- filled

35



ICTA-2.001:2016

Cables are enclosed within conduit or trunking where exposed.

The Contractor is responsible for the removal, and reinstatement to the original condition of any fixtures, fittings and structures, disturbed during the installation?Access is provided to all trunking and cableways in buildings for future refits and expansion?All cables between MCA buildings are installed in ducting that complies with or is part of the approved Campus Infrastructure plan? Access to these ducts by qualified cabling companies is subject to the approval of the ICT department?Undertakings are given to cover the full cost of replacing all cables already in the ducts that are damaged during the installation of additional cables and/or draw wires?

Appendix II:Compliance Checklist for structured cabling

Yes No Comment

A work area has a minimum of two information-outlet ports. One for voice and the other for data?Horizontal cabling does not terminate directly to an application specific device but rather to a telecommunication outlet?Patch cables or equipment cords are used to connect the device to the cabling?Horizontal Cabling infrastructure are done using category 6 cable or higher 4-pair 100 Ω unshielded twisted-pair (UTP) or 4-pair 100 Ω fully shielded twisted-pair?Patch cords used in the horizontal Cabling, including equipment cables/cords, do not exceed 5m?Horizontal cable between the face plate and the patch panel do not exceed 90m.For back bone cables interconnecting between buildings, telecommunications rooms, equipment rooms, main terminal space, and entrance facilities, the backbone cabling are configured in a star topology?A total maximum backbone distance of 90m (295 ft.) is specified for high bandwidth capability over copper?All fibre cables between MCA buildings are installed in ducting that complies with or is part of the approved Campus Infrastructure planAccess to these ducts by qualified cabling companies is subject to the approval of the ICT department. Undertakings are given to cover the full cost of replacing all cables already in the ducts that are damaged during the installation of additional cables and/or draw wires?Fibre Connectors are protected from physical damage and moisture?

36



Optical fiber cable connecting hardware incorporates high-density termination to conserve space and provide for ease of optical fiber cable?Cables terminating on the cabinets are proper arranged for ease of management and troubleshooting?Room allow for front, rear and side working access to the Cabinets.

A minimum of one meter access space is available to the front, rear and at least one side of the cabinet(s).In installations less than or equal to 200 data points, one 42u full height good quality 19 in (e.g. APC) cabinet is used?In installations greater than 300 data points, additional cabinets are used?In smaller installations a wall mounted or floor standing lockable 15 u 19”rack cabinet located in a suitable closet is used? Each cabinet is identified by using an agreed name (a, b, c, d , etc) or as on Services drawing?Each cabinet contains a 48-way to 48-way patch panel to the cabinet containing the fibre?A power disruption unit, rack mountable is installed with one 3 pin outlet per 24 UTP user points?Cables are terminated in RJ45 19” Patch panels? A cable management system present for every 24 port patch panel inserted?All rising cables are on a tray outside the 19 inch rack space and a shelf is installed to protect the cables in the bottom of the cabinet in the case of floor standing cabinet?Each data patch panel is identified by a, b, c, and d from the top of the cabinet?The number on the cabinet is used, on a 1 to 24 way panel the max number is 24, on a 1 to 48 way panel the max number should be 48 e.g BA-A-01 this is Block A Patch panel A point number 1?Power or telecommunication cabling carrying data or supporting information and communication technology services are adequately protected from interception or damage?Network cabling is protected from unauthorized interception or damage, for example by using a conduit or by avoiding routes through public areas?Power cables are segregated from communications cables to prevent interference?Clearly identifiable cable and equipment markings are used to minimise handling errors, such as accidental patching of wrong network cables?

37



ICTA-2.001:2016

Documented patch list is used to reduce the possibility of errors?For sensitive or critical systems further controls to consider include: o installation of armoured conduit and locked rooms or

boxes at inspection and termination points; o use of alternative routings and/or transmission

media providing appropriate security; o use of fibre optic cabling; o use of electromagnetic shielding to protect the

cables; o initiation of technical sweeps and physical

inspections for unauthorised devices being attached to the cables;

Appendix III:Compliance Checklist for wireless network connectivity

Requirement Yes No Comments

Wireless network adheres to the IEEE 802 standards? MCA has standardized security configurations for common wireless LAN components, such as client devices and APs?Strong mutual authentication between wireless clients and access points is implemented to ensure that clients do not connect to a rogue access point deployed by an attacker, and also to ensure that un-authorized wireless users do not connect to the MDA‘s wireless networks?Sensitive data between wireless clients and access points is protected using strong encryption?A guest VLAN is created for all guests to access internet only?The following has been implemented?- Enforcing MAC Address Filtering: This method uses

a list of MAC addresses of client wireless network interface cards that are allowed to associate with the access point;

- Not broadcasting the SSID (Network ID): The first attempt to secure wireless network was the use of Network ID (SSID). The default feature of broadcasting of SSID by the access point may be disabled and the same can be issued to the clients looking for WLAN connectivity;

- Disabling DHCP service from WLAN access point, instead if required, the parent DHCP service (from wired LAN) shall be used; - Using a network firewall to secure a wireless

network

38



- Use of WPA2 as bare minimum security for authentication and protection of information on a wireless local area network (WLAN).- For legacy system with low security impact

and which does not support WPA, WEP with at least 128bit key length should be used;

- The MCAs has changes the keys/secrets associated with the wireless access points at least once in six months, through a managed process

- The MCAs periodically, as defined by the MCA security policy, scan for unauthorised wireless access points and take appropriate action if such an access points are discovered.

APPENDIX IV Compliance Checklist for routing and switching

Activity Yes No Comments

The active device used at the LAN egde has 24 or 48 port for connection to the horizontal cabling as may be appriopriate and must be rack mounted?

The active device supports IP routing, Quality of Service(QoS) and Power over Ethernet (POE)” under routing and switching?

Do the Ethernet switches, including routing devices on the edge network support as a minimum, the following features and protocols?

• At least 48 x autosensing 10/100Mb/s RJ45 ports

• 802.1p Class of Service and traffic prioritisation with at least 4 queues

• RS232- compatible serial console port

• SNTP

• 802.3af PoE or 802.3at PoE+

• Voice VLANs

• LLDP-MED

• LLDP

• CIDR

• Multiple subnets

• 802.1Q VLANs, at least 64 per device

39



ICTA-2.001:2016




• 802.1X authentication, with multiple 802.1X users per port

• IGMP snooping

• Multilink trunking (supporting both LACP and manual configuration)

• RADIUS authentication and accounting

• At least two Gigabit optical ports using SX and LX SFP transceivers

• configurable Auto- MDIX

• Pre- standard PoE support

• Configurable logging using SYSLOG

• Source-port filtering

• MAC address lockout

• MAC address limiting

• VLAN allocation per port by RADIUS

• Multiple authentication methods per port

• MAC address-based port authentication to RADIUS

• SNMP v3

• RMON

• SFLOW

• Availability of all relevant standard and proprietary MIBs

• Port monitoring, including remote port monitoring

• Port mirroring

• DHCP snooping with DHCP protection

40






• SSHv2

• TFTP file transfer

• Secure FTP (SFTP) file transfer

• Dual flash images for firmware and configuration files

• Flexible mounting options including standard 19” rack

• mounting

• software/firmware updates available for a minimum of 5 years

• command line interface

• 802.1s multiple (per-VLAN) Spanning Tree Protocol

• rate limiting

• Broadcast limiting

Do ethernet routing devices on the core network additionally support the following?

• IPv4 Layer 3 routing

• IPv6 Layer 3 routing

• RIP, RIP2 and OSPF3 routing protocols

• static routes

• multinetting

• per-VLAN DHCP forwarding to multiple destinations

• flow control

• ACLs (access control lists)

• IP address lockout

• VRRP (Virtual Router Redundancy Protocol)

41



ICTA-2.001:2016




• IGMP

• MLD (Multicast Listener Discovery)

• PIM sparse and dense modes

• At least four optical ports using SR and LR SFP+ transceivers

• MCAs shall consult the ICT authority on the basic configurations required to connect to the Government common coree network

• MCAs shall ensure that relevant functionalities are configured as per vendor guidelines to deliver a robust and secure IP network.

APPENDIX V Compliance checklist for internet

Requirement Yes No Comments

IP addresses are not assigned from within the Government IP address space for individuals or organizations who are not directly affiliated with the Government of Kenya?

MCA assigns internal workstation network IP address using Dynamic Host Configuration Protocol (DHCP)?

MCAs uses subnetting to protect IPv4 spaces ?

MCAs has developed a policy on acceptable use based on GoK information security standard?

Use of the public Internet by Government Personnel is permitted and encouraged where such use is suitable for business purposes and supports the goals and objectives of the Government of Kenya and its business units?

End users are sensitized on this policy

MCA connects to atleast 2 ISPs

42



APPENDIX VI Compliance Checklist for Network Monitoring and Management


MCA ensures that network management software acquired shal be able provide the following but not limited to this features Discover network components such as devices and links. Support Layer 2 and Layer 3 discovery. Generate a layout of the existing network. Report failures and events. Receive SNMP trap messages. Generate customized reports. Bandwidth or the amount of data transferred over a communication channel in a specific amount of time is controlled by bandwidth management tools, or traffic or packet shapers?These tools enable network managers to control communications by allowing high-priority traffic to utilize more bandwidth than something given a lower priority status as well as enable them identify network traffic patterns, establish priorities, optimize application performance, and allocate resources.

The NMS server has one network interface located inside the management network ( management VLAN). This interface serves for both managing the NMS server itself and for the communication between the NMS tools and the other devices in the network.

The NMS has an additional network interface in the production part of the network? This interface would allow access to the monitoring system in order to monitor the current status of devices and perform alarm detection. It is necessary to limit access through this interface to intended users only

The server use SNMP V3 for increased security?

Configuration of SNMP is the same on the server and on the network devices?MCA have configured configure SNMP trap mode to ensure timely detections of network faults?MCA ensures?

- Configuration of SNMPV3 on network devices

43



ICTA-2.001:2016

- A VLAN is defined for management purposes. Although this VLAN is usually VLAN 1, MCAs shall define a different VLAN for management purposes, a VLAN that will be used for management traffic only, in order to increase security

- Use of separate IP address ranges for the management part of the network that should not be routed to the network

- NAT functionality shall be used for administrator computers accessing devices in the management part of the network

- Remote access shall be through a VPN and NAT functionality

- In order to increase security, it is recommended that traffic for all VLANs is tagged.

- For switches, all connections between switches are in the mode for transferring multiple VLANs (generally the IEEE 802.1Q standard). The management VLAN (VLAN-MGMT) goes through this link as well.

- For routers, sub-interfaces with an IP address within the range defined for the management VLAN need to be defined on routers (also by using the IEEE 802.1Q standard).

The following is monitored?- State of the interface both layer 2

and layer 3- Interface data flow- Processor load- Memory loadThe following is monitored?- State of the interface both layer

2 and layer 3- Processor load- Memory load- Number of system processes- Number of running services- Number of TCP connections- Logged on users

44



UPS is managed through ?- Status- Serial port in the absence of network interface

card- Network interface if present- The following shall be monitored

- The current state of the UPS, i.e., its work mode (battery mode, online mode, malfunction, etc.)

- UPS battery capacity - How long the UPS can work in battery mode- The temperature of the battery- UPS output load- Incoming voltage- Output voltage- Input current - Output current

APPENDIX VII Compliance checklist for Network availability

Requirement Yes No CommentAn SLA is in place with the provider to ensure LAN service availability of 99.998%?Various services run on the wide area nework and their availability is critical?An SLA is in place with the provider to ensure WAN service availability of 99.9995%?

APPENDIX VIII Compliance checklist for Network Reliability


The average minimum time required before equipment fail is necessary to cut replacement costs associated with sub standard devices. MCAs has specified the mean time to failure for all replaceable devices using acceptable methods for predicting the failure for electronic equipment likeIEC/TR 62380

APPENDIX IX Compliance checklist for Network Maintanability


Preventative maintenance programs are identified for all components with an increasing failure rate?Maintenance programs are identified to detect imminent or conditional failures such as thresholds for CPU and memory, interface utilisation and errors, temperature, power supply current and voltage?

45



ICTA-2.001:2016

Maintenance programs are identified for all assets to ensure that the hardware, firmware, software, physical and logical configuration is as designed throughout the life of the asset?All message logs with a severity level between 0 and 4 inclusive as defined in IETF RFC 5424 are logged to syslog. All message logs with a severity level between 0 and 2 inclusive as defined in IETF RFC 5424 are regarded as failures requiring immediate corrective action?All message logs with a severity level of 3 or 4 as defined in IETF RFC 5424 are regarded as conditional failures requiring priority preventative action?

APPENDIX X Compliance checklist for Network Performance

References Yes No Comment

Throughput of 100% with line rate equal to 100% ?

latency of less than?- 130 μs for a 1518 byte frame on a 100 Mb/s

ethernet interface

- 18 μs for a 1518 byte frame on a 1 Gb/s ethernet interface

- 6.5 μs for a 1518 byte frame on a 10 Gb/s ethernet interface

APPENDIX XII Compliance checklist for Security

Requirement Yes NO Comment

The following are configured in line with GoK information security standards

- Firewall and Perimeter Security Architecture - Firewall Configuration - Connections to Third Parties - Remote Network Administration to Servers - Encryption of Sensitive- Information- Virus Protection - E-mail Security - Wireless Security Management - Redundancy of Network Infrastructure

- Auditing and Monitoring of Security Logs - Network Intrusion Detection

46



- Network Segmentations - Segregation of Duties

- Default User IDs and Network Device Configuration

- Network Inventory and Asset Management

- Network Configuration Management

- Vulnerability and Patch Maintenance

APPENDIX XIII Compliance checklist for Fixed telephony


Does the VOIP equipment employ commonly used protocols standards?

Does the network differentiate between voice, video and data through VLANs?

Does the VoIP provide for:- - Traditional calling features including call by name, caller

ID, last number redial, hold, call waiting, call forwarding , transfer, divert, park, retrieve, voice mail, return call and call conferencing

- Call Coverage Make it easy to ensure that important calls are answered by administrative assistants or team members, via user-controlled Delegation and Team Calling respectively.

- Telephone Directory.

- Maintain Call history.

Does the VOIP use a private IP network or virtual private network?

Is the VOIP service type the most ideal for the MCA?

Is there logical separation for voice and data traffic on the network?

Are there PoE switches?

Is the cabling CAT 6 or higher

47



ICTA-2.001:2016


Do the Network cards run at 100Mbps, fast ethernet

Is there service level agreement with the service provider

Are the users trained on operating and using the VOIP?

Does the VOIP support future growth?(Expansion slots)

Is the VOIP service available to all relevant users

Does the VOIP have good quality voice and data?

Is the network able to withstand stress?

APPENDIX IX:Compliance Checklist For Network Design, Configuration Documen-tation And Commissioning

Activity Yes NO Comment

MCA carry out site surveys to ensure a network design that guarantees maximum service availability?MCA ensure that relevant functionalities are configured to deliver robust and secure IP network?

Upon completion of the installation MCA carries out the tests and the results recorded in one or several measure books showing test results of the cable components as per the standard?MCA ensures that physical and logical design of the network is documented ‘as built’ using automated software and all the network changes are updated?“As-built” package must be with the following information(vi) Updated floor plans(vii) Wire/cable routing schematic(viii) Facility assignment records(ix) Horizontal cable test results(x) Fibre Backbone test results

48



The documentation include?

a.Synopsis of the cabling (primary and secondary) b.Charts of the distribution highlighting the details of the elements that have been installed c. Detailed map of socket layout (Soft copy on CD-ROM should be availed) d. Reports on measurements (Soft copy on CD-ROM should be availed)MCA consults the ICT authority on the basic configurations required to connect to the Government network

49



ICTA-2.001:2016

APPENDIX XII: TEMPLATE FOR NETWORK INSPECTION IN PREPARATION FOR COMMISSIONING

TENDER NO: CONTRACTOR: DATE:

Item Details Yes/No REMARKS

Serial No and Models of Switches Indicated in Final Documentation

Switches YESUPSsRoutersDTU

Brief Description of Project Details

-

Network Layout Diagram Data Points LabelledPositions of Cabinets on Floors IndicatedNew Trunking Installed IndicatedFibre Optic Backbone DiagamSite Layout Diagram

Test Results Test Result Matching Data PointsData Points Matching the DesignSummary of Data Points Per CabinetConfirm lengths of cables relative to cabinet positionsTest Results for Fibre Cables

Confirmation of detailed gathered in field against the documentation.Ready for commissioning

Name: Sign: _________________Name: Sign:__________________

50



ICT AUTHORITYAPPENDIX XIII: INSPECTION CHECKLIST FOR COMPLETED PROJECTS FOR FINAL INSPECTION

TENDER NO: CONTRACTOR: DATE: FLOOR

1. Location

2. Cabinet Size

3. Check Earthing of Cabinet

4. COPPER PATCH PANELS

Make of copper panels

No of 24 port on copper panel

No of 48 port on copper panel

No of terminated ports on copper panels

Category of copper patch panels (Cat 6?)

No of Cable Managers

No of 3m Patch Chords

5. FIBRE OPTIC PATCH PANELS (where applicable)

Make of Patch Panel

No of Fibre Optic patch panels

Make of Fibre Optic panels

No of ports on Fibre Optic panel

No of terminated ports on Fibre Optic panel

6. PATCH CHORDS (USER AREA)

Total No of 5m Patch Chords

Total No of 3m Patch Chords

7. UTP CABLES USED

Category of cables

Make of cables

8. LAN edge Switches Serial Nos

Type of switches (Make and Model)

No of 1 2 port of switches

No of 24 port of switches

No of 48 port of switches

No of GigaEthernet ports connected

9. Core Switch Serial No (where applicable)

Type of switch (Make and Model)

No of Power Supply Units (PSU)

Power Capacity of PSU

No of GigaEthernet modules

No. & Type of Supervisor Engines

No. & Type of Gigabit Line Cards

10 TYPE OF UPS(Make and Model)

. UPS Serial/Nos.

11. DTU Serial Number

12. Router Serial Number

Name:_______________________ Sign: _________________

Name:_______________________ Sign:__________________

51



ICTA-2.001:2016

ICT AUTHORITY

APPENDIX XIV: PROGRESS OF JOBS PER SITE – THIS IS FOR PROJECTS STILL NOT COMPLETE

TENDER NO: CONTRACTOR: DATE:

Activity Details Required Comments

1 Site Visit (Y/N)

2 Installation of Trunking % Done

3 Installation of Cabinets % Done

4 Earthing of Cabinets % Done

5 Pulling of UTP cables % Done

6 Termination of UTP cables % Done

7 Pulling of Fibre Optic cables % Done Where Applicable

8 Termination of Fibre Optic cables % Done Where Applicable

9 Testing of UTP cables % Done

10 Testing of Fibre Optic Cables % Done Where Applicable

11 Labeling of patch panels % Done

12 Labeling of data points % Done

13 Installation of Switches % Done

14 Installation of DTU (Y/N)

15 Installation of Router (Y/N)

16 Installation of UPSs % Done

17 Repair of Damages (Y/N)

18 Ready for Commissioning (Y/N)

19 Documentation Ready (Y/N)

Name:_______________________ Sign: _________________

Name:_______________________ Sign:__________________

52



Appendix iv: Related Documentation

Code Number: TitleICTA. 1.001: 2016 Government Enterprise ArchitectureICTA. 2.001: 2016 Infrastructure Standard (Networks, Cloud, End user Computing, Data

Centre)ICTA. 3.001: 2016 Information Security StandardICTA. 4.001: 2016 Electronic Records and Data Management StandardICTA. 5.001: 2016 IT Governance StandardICTA. 6.001: 2016 Systems and Application StandardICTA.7.001:2016 ICT Human Capital and Work force Development Standard

53



ICTA-2.001:2016

54



55



ICTA-2.001:2016

ICT Authority

Telposta Towers, 12th Floor, Kenyatta Ave

P.O. Box 27150 - 00100 Nairobi, Kenya

t: + 254-020-2211960/62

Email: [email protected] or [email protected] or [email protected]

Visit: www.icta.go.ke

Become a fan: www.facebook.com/ICTAuthorityKE Follow us on twitter: @ICTAuthorityKE

Documents

GOVERNMENT ICT STANDARDS - ICT Authorityicta.go.ke/powerassets/uploads/2017/10/ICT-Networks-Standard-Revised.pdfto be relevant for government ICT Standards. The development of all