3.13.14 has a weight of -1 points
(System and Communication Protection Family) 14/16
Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
Example of System Security Plan (SSP):
- Security Plan: Control and Monitoring of Voice over Internet Protocol (VoIP) Technologies
- Objective: Our company has implemented a security plan to control and monitor the use of Voice over Internet Protocol (VoIP) technologies. VoIP has different requirements, features, functionality, availability, and service limitations when compared with Plain Old Telephone Service (POTS) and with telephone services carried over high-speed digital lines such as Integrated Services Digital Network (ISDN) and Fiber Distributed Data Interface (FDDI). The primary goal is to ensure the secure and reliable use of VoIP systems while mitigating the risks of misuse and unauthorized access.
- Scope: This security plan applies to all VoIP technologies utilized within our organization, including VoIP phone systems, softphones, and any related equipment.
- Implemented:
- Control and Monitoring of Voice over Internet Protocol (VoIP) Technologies:
- Identified VoIP Technology: A comprehensive inventory of all VoIP technologies utilized within our organization has been created, including VoIP phone systems, softphones, and related equipment.
- Authorized Users: Personnel with legitimate business needs and appropriate job roles have been identified and granted access to VoIP systems. Unauthorized users have been restricted from accessing VoIP resources.
- Password Protection: Robust password policies have been implemented for VoIP user accounts, including minimum length, complexity requirements, and regular password changes.
- Multi-factor Authentication: We have evaluated and implemented multi-factor authentication as an additional security layer for VoIP user accounts, enhancing access control measures.
- Segregated Processes: Automated scripts and scheduled processes that touch VoIP systems run under named accounts tied to a specific authorized user; shared or generic account names are not used for critical processes, so every action can be traced to an accountable person.
- Device Access Control: Measures have been established to control access to VoIP systems, ensuring only authorized devices are granted network access.
- Secured VPN Access: Remote access to VoIP systems over VPN is limited to devices that successfully authenticate and appear on the authorized device list; any other device attempting to connect is rejected.
- Regular Access Control Reviews: Access controls for VoIP systems are regularly reviewed and updated to align with changes in personnel and business needs, promptly removing access rights for individuals who no longer require them.
- Monitoring and Auditing: VoIP systems are continuously monitored, and their logs are regularly reviewed to detect unauthorized access attempts (for example, repeated failed registrations or logins from unexpected sources) and other suspicious activity.
- User Training and Awareness: Authorized users have received training on secure VoIP usage and best practices, ensuring they are aware of potential risks associated with unauthorized access to VoIP resources. Regular training sessions are conducted to reinforce security protocols.
- Our commitment to controlling and monitoring VoIP technologies ensures the secure and reliable use of these systems, minimizing potential risks and unauthorized access.
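The "Identified VoIP Technology", "Device Access Control" and "Monitoring and Auditing" items above describe what an assessor expects to see, but not what the review of VoIP logs actually looks like. The following is an added example, not part of the original page or of any PBX vendor's code: it parses a constructed, generic SIP-server-style registration log (the line format, the account numbers, the IP addresses and the inventory table are all assumptions made for this illustration) and applies two checks that map directly to the SSP statements: flagging a source that fails authentication repeatedly inside a short window, and flagging a successful registration from a device that is not in the inventory.

```python
"""Detection checks over constructed VoIP (SIP) registration logs.

Added example, not code from the original page. The log format is a
constructed, generic "timestamp event account src ua" layout; adapt LINE_RE
to the real security log of your PBX or SIP server.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z REGISTER_OK account=2101 src=10.20.0.15 ua="Yealink SIP-T46S"
2024-05-01T09:00:05Z REGISTER_OK account=2102 src=10.20.0.16 ua="Polycom VVX 450"
2024-05-01T09:01:10Z AUTH_FAIL account=2103 src=203.0.113.7 ua="friendly-scanner"
2024-05-01T09:01:11Z AUTH_FAIL account=2104 src=203.0.113.7 ua="friendly-scanner"
2024-05-01T09:01:12Z AUTH_FAIL account=2105 src=203.0.113.7 ua="friendly-scanner"
2024-05-01T09:01:13Z AUTH_FAIL account=2106 src=203.0.113.7 ua="friendly-scanner"
2024-05-01T09:01:14Z AUTH_FAIL account=2107 src=203.0.113.7 ua="friendly-scanner"
2024-05-01T09:02:00Z AUTH_FAIL account=2101 src=10.20.0.15 ua="Yealink SIP-T46S"
2024-05-01T09:02:03Z REGISTER_OK account=2101 src=10.20.0.15 ua="Yealink SIP-T46S"
2024-05-01T09:05:30Z REGISTER_OK account=2108 src=10.20.0.99 ua="Zoiper rv2.10"
"""

# Hypothetical device inventory (the SSP's "Identified VoIP Technology" list),
# keyed by source IP. Assumed for the example, not taken from the page.
DEVICE_INVENTORY = {
    "10.20.0.15": "Yealink SIP-T46S (desk 101)",
    "10.20.0.16": "Polycom VVX 450 (desk 102)",
}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<event>REGISTER_OK|AUTH_FAIL) account=(?P<account>\S+) '
    r'src=(?P<src>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events


def detect_auth_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {src_ip: fail_count} for sources with >= threshold AUTH_FAIL events
    inside a sliding time window. A single mistyped password followed by a
    successful registration stays below the threshold and is not reported."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "AUTH_FAIL":
            fails[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = end - start + 1
                break
    return flagged


def detect_unknown_devices(events, inventory):
    """Return (src, account, user_agent) tuples for successful registrations from
    a source address that is not in the device inventory."""
    return sorted({(e["src"], e["account"], e["ua"]) for e in events
                   if e["event"] == "REGISTER_OK" and e["src"] not in inventory})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute-force sources:", detect_auth_bruteforce(evs))
    print("registrations from unknown devices:",
          detect_unknown_devices(evs, DEVICE_INVENTORY))
```

Run against the sample, the scanner at 203.0.113.7 is reported after five failures in four seconds, the legitimate phone that failed once and then registered is not, and the softphone registering from 10.20.0.99 is reported because that address is not in the inventory. Each reported item is the kind of record an access-control review or the POA&M would reference; keying the inventory on a stronger identifier than source IP (device certificate or MAC, where the PBX logs them) is an obvious refinement.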
Example of Plan of Action and Milestones (POA&M):
Missing
RELEVANT INFORMATION:
VoIP has different requirements, features, functionality, availability, and service limitations when compared with the Plain Old Telephone Service (POTS) (i.e., the standard telephone service). In contrast, other telephone services are based on high-speed, digital communications lines, such as Integrated Services Digital Network (ISDN) and Fiber Distributed Data Interface (FDDI). The main distinctions between POTS and non-POTS services are speed and bandwidth. To address the threats associated with VoIP, usage restrictions and implementation guidelines are based on the potential for the VoIP technology to cause damage to the system if it is used maliciously. Threats to VoIP are similar to those inherent with any Internet-based application. [SP 800-58] provides guidance on Voice Over IP Systems.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, including the VoIP components in scope (VoIP phone systems, softphones, and related equipment) as well as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, record the authorized users, their access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights when personnel or business needs change. Document the monitoring mechanisms used to track access to the information system, including the logs and reports of access attempts and unusual activity that reviewers examine.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.