Overview:
Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
Action Items:
3.13.14[a]
Determine if: use of Voice over Internet Protocol (VoIP) technologies is controlled.
3.13.14[b]
Determine if: use of Voice over Internet Protocol (VoIP) technologies is monitored.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1
Examine: System and communications protection policy; procedures addressing VoIP; VoIP usage restrictions; VoIP implementation guidance; system security plan; system design documentation; system audit logs and records; system configuration settings and associated documentation; system monitoring records; other relevant documents or records].
2
Interview: System or network administrators; personnel with information security responsibilities; personnel with responsibilities for managing VoIP].
3
Test: Organizational process for authorizing, monitoring, and controlling VoIP; mechanisms supporting or implementing authorizing, monitoring, and controlling VoIP].
Related Documents (document name and content will vary by organization):
1) System and communications protection policy
2) procedures addressing VoIP
3) VoIP usage restrictions
4) VoIP implementation guidance
5) system security plan
6) system design documentation
7) system audit logs and records
8) system configuration settings and associated documentation
9) system monitoring records
10) other relevant documents or records
Additional Guidance:
VoIP has different requirements, features, functionality, availability, and service limitations when compared with Plain Old Telephone Service (POTS) (i.e., the standard telephone service that most homes use). In contrast, other telephone services are based on high-speed, digital communications lines, such as ISDN and FDDI. The main distinctions between POTS and non-POTS services are speed and bandwidth. To address the threats associated with VoIP, usage restrictions and implementation guidelines are based on the potential for the VoIP technology to cause damage to the system if it is used maliciously. Threats to VoIP are similar to those inherent with any Internet-based application. NIST Special Publication 800-58 provides guidance on Voice Over IP Systems.
Article ID: 206
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/nist-800-171-voip-usage-3-13-14-206.html