Telecommunications Policies

Telecommunications generally refers to any technology, service, or system that provides transmission of electronic data and information. Telecommunications may be wired or wireless. This includes voice and data networks; telephones, other wireless services; messaging and directory services; high-speed data communications; facsimile devices; personal digital assistants; tablets; network servers; switches; or any other device, service, or system used in the transmission of electronic communication. It’s not surprising that such a broad topic crosses over into other domains that deal more with data connectivity. For the purposes of this chapter, the telecommunications discussion focuses on devices such as telephones, fax machines, modems, and smartphones.

Control Standards

An essential control standard in this category covers Voice over IP (VoIP). This standard describes the security considerations and controls that apply to a VoIP network. Because VoIP connections are easy to access and widespread, the technology risks are growing. The telephone system was once isolated within an organization. Now telephone service uses the same network as any other application. This expanded use of the network brings new security challenges and vulnerabilities. A VoIP standard describes countermeasures to prevent unnecessary risk and the compromise of corporate information.

The following are some control statements that might appear in this standard. They are adapted from the U.S. Federal Aviation Administration’s “Voice Over Internet Protocol (VoIP) Security Policy” document:

NOTE

The key point of telecommunication standards is to define the protocols and devices to be used. Once defined, the standards address how to handle data on those devices. Remember, VoIP deals with digital information. These digital conversations can be captured, stored, and played back.

The integration of voice and data into a single physical network is a complex process that may introduce vulnerabilities and risk. To mitigate these risks, the following must be adhered to:

  • VoIP systems and networks must adhere to a common security configuration recommended by the organization’s security requirements.
  • VoIP equipment used to transmit or discuss confidential or restricted information must be protected with FIPS 140-2 encryption standards.
  • VoIP systems must follow security guidance on the segregation of data and voice networks.

WARNING

Securing the physical fax device is as important as security over a copier. Both have internal memory and may store the last documents printed. If these documents contain sensitive information, access to the physical machine must be controlled.

A fax machine standard is another example of a telecommunications policy. This standard outlines the controls necessary for the transmission and receipt of faxed information, such as company confidential or restricted information.

Baseline Standards

Telecommunications equipment and devices usually have specific technology requirements. The baseline standards focus on securing equipment and on configuration issues. Here are some examples of baseline standards:

  • Smartphone Enterprise Server Configuration Requirements Standard—Describes security characteristics for the enterprise server that delivers corporate email to smartphones
  • Use of Bluetooth Communications Standard—Describes controls for the use of Bluetooth technology on employer-issued mobile computing devices
  • VoIP Security Product Requirements Standard—Documents security controls for specific VoIP equipment selected by the organization
  • Use of other wireless—Today we have Z-Wave, Zigbee, ANT+, and other wireless protocols. There should be policies regarding the use of these protocols. They are quite common in smart devices.

Procedures

For each baseline technical standard, you may need to create a procedure document for telecommunications personnel to implement control requirements. Procedure documents might give details for reporting a lost or stolen employer-issued smartphone. Other procedure documents outline how to configure an employer-issued mobile device and VoIP product security.

Guidelines

Guidelines for implementing control standards are helpful to personnel who are responsible for the security of telecommunications devices and equipment. Consider using employer-issued mobile phone and other device security guidelines for employees and administrators. Some organizations also use VoIP systems architecture and security guidelines.
