Establish, implement, and maintain Voice over Internet Protocol Configuration Management standards.


CONTROL ID: 11853
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Identify and control all network access controls. (CC ID: 00529)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Internet Protocol telephony should be configured so that Internet Protocol telephones authenticate themselves to the call controller upon registration, for unclassified systems. (Control: 0551 Bullet 1, Australian Government Information Security Manual: Controls)
  • Internet Protocol telephony should be configured so that Internet Protocol telephone auto-registration is disabled, for unclassified systems. (Control: 0551 Bullet 2, Australian Government Information Security Manual: Controls)
  • Internet Protocol telephony should be configured so that only a whitelist of authorized devices is allowed to access the network, for unclassified systems. (Control: 0551 Bullet 2, Australian Government Information Security Manual: Controls)
  • Internet Protocol telephony should be configured so that unauthorized devices are blocked by default, for unclassified systems. (Control: 0551 Bullet 3, Australian Government Information Security Manual: Controls)
  • Internet Protocol telephony should be configured so that all prohibited and unused functionality is disabled, for unclassified systems. (Control: 0551 Bullet 4, Australian Government Information Security Manual: Controls)
  • Internet Protocol telephony must be configured so that Internet Protocol telephones authenticate themselves to the call controller upon registration, for classified systems. (Control: 0552 Bullet 1, Australian Government Information Security Manual: Controls)
  • Internet Protocol telephony must be configured so that Internet Protocol telephone auto-registration is disabled, for classified systems. (Control: 0552 Bullet 2, Australian Government Information Security Manual: Controls)
  • Internet Protocol telephony must be configured so that only a whitelist of authorized devices is allowed to access the network, for classified systems. (Control: 0552 Bullet 2, Australian Government Information Security Manual: Controls)
  • Internet Protocol telephony must be configured so that unauthorized devices are blocked by default, for classified systems. (Control: 0552 Bullet 3, Australian Government Information Security Manual: Controls)
  • Internet Protocol telephony must be configured so that all prohibited and unused functionality is disabled, for classified systems. (Control: 0552 Bullet 4, Australian Government Information Security Manual: Controls)
  • General network security controls for Voice over Internet Protocol should be applied, which includes monitoring bandwidth using tools that are capable of recognizing Voice over Internet Protocol traffic. (CF.09.07.03a, The Standard of Good Practice for Information Security, 2013)
  • General network security controls for Voice over Internet Protocol should be applied, which includes deploying network components to provide resilience and redundancy. (CF.09.07.03b, The Standard of Good Practice for Information Security, 2013)
  • General network security controls for Voice over Internet Protocol should be applied, which includes restricting access to Voice over Internet Protocol networks to authorized devices. (CF.09.07.03d, The Standard of Good Practice for Information Security, 2013)
  • Voice over Internet Protocol-specific controls should be applied, which includes separating voice traffic using virtual local area networks. (CF.09.07.04a, The Standard of Good Practice for Information Security, 2013)
  • Voice over Internet Protocol-specific controls should be applied, which includes hardening Voice over Internet Protocol devices (e.g., Internet Protocol phones, routers, and Internet Protocol public branch exchanges). (CF.09.07.04b, The Standard of Good Practice for Information Security, 2013)
  • Voice over Internet Protocol-specific controls should be applied, which includes encrypting sensitive Voice over Internet Protocol traffic. (CF.09.07.04d, The Standard of Good Practice for Information Security, 2013)
  • Wireless Voice over Internet Protocol (VoIP) systems should comply with the Wireless and VoIP STIG and IEEE 802.11 WLAN Implementation Compliance Requirements. Perform all of the applicable tests required in Section 2.0 of the Wireless Checklist. (§ 4.5 (WIR0133), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2)
  • Voice over Internet Protocol traffic to and from workstation clients that are independently configured by end users for personal use must be prohibited for Department of Defense Information Systems. (ECVI-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Voice over Internet Protocol (VoIP) has been embraced by organizations globally as an addition to, or replacement for, public switched telephone network (PSTN) and private branch exchange (PBX) telephone systems. The immediate benefits are lower costs than traditional telephone services and VoIP can… (§ 5.10.1.4 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Establish usage restrictions and implementation guidance for VoIP technologies. (§ 5.10.1.4 ¶ 2(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Establish usage restrictions and implementation guidance for VoIP technologies. (§ 5.10.1.4 ¶ 2 1., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The organization must develop and document implementation guidance and usage restrictions for Voice over Internet Protocol (VoIP) technologies. (§ 5.6.15, Exhibit 4 SC-19, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii)… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure usage restrictions and implementation guidance are developed for Voice over Internet Protocol (VoIP) technologies, VoIP is being monitored, documented, and controlled, the use of VoIP is approved by appropriate individuals, and specif… (SC-19, SC-19.2, SC-19.3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization must establish Implementation Guidance and usage restrictions for Voice over Internet Protocol technologies based on the potential to cause damage, if used maliciously. (SG.SC-17 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must establish Implementation Guidance and usage restrictions for Voice over Internet Protocol technologies. (App F § SC-19.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization authorizes, monitors, and controls the use of VoIP within the information system. (SC-19b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization authorizes, monitors, and controls the use of VoIP within the information system. (SC-19b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization authorizes, monitors, and controls the use of VoIP within the information system. (SC-19b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)