Avaya

Modular Messaging Help


Security Policy

A security policy is a statement of rules that must be followed by all the people who are given access to an organization's information and technology assets, both hardware and software. Security problems change constantly. Security measures that you implement today may not be so secure tomorrow. One of the most important tools for securing a system is to have a published security policy that you enforce. Having a security policy in place is of paramount importance for the functioning of your system in an efficient and secure manner and protecting the information assets of your organization. This security policy must include published security guidelines to inform users of their responsibilities; corporate policies defining network access, service access, local and remote user authentication, dial-in and dial-out, disk and data encryption, and virus protection measures; and employee training. All potential points of network attack must be protected with the same level of network security. In addition, the security policy must clearly:

  • Identify what is to be protected.

  • State what it needs to be protected against.

  • State the possibilities and occurrences of well-known threats.

  • Describe processes to implement measures that protect corporate assets in a cost-effective manner.

  • Describe processes for reviewing and improving the security measures on a continuous basis.

  • Define corporate security goals.

  • Include rules about negative or irresponsible behavior, a path of problem escalation, and information about who to notify of all security issues.

  • Define measures that ensure that the security policy is not circumvented by anyone.

The security policy must be based on a carefully conducted security analysis, risk assessment, and business needs analysis. Refer to the Site Security Handbook memo (RFC 2196) issued by the Internet Engineering Task Force at www.ietf.org for help on creating a security policy.

General security guidelines

Security is more than preventing hackers from eavesdropping on messages. It also means protecting your system against fraudulent long distance charges, corporate espionage, and malicious system intrusions. By recognizing the different types of hackers and the trails they leave, you can protect your system, and possibly catch the culprit. Prevention is your most effective weapon against voice mail hackers. In fact, almost all can be deterred with a combination of common-sense policies and procedures that involve better system design and administration, subscriber education, and effective company voice mail policies and guidelines.

A well-established security policy can considerably enhance the security of your system. Following are some of the general guidelines that can help reduce unauthorized usage. Ensure that the security policy includes the following:

  • Protects System Administration Access. Establish multiple access levels for subscribers, system managers, and system programmers. Require passwords for each level of access. Ensure that secure passwords exist for all logins that allow system administration or maintenance access to the system. Change the passwords frequently.

  • Prevents Voice Mail System Transfer to Dial Tone. Activate secure transfer features in voice mail systems. Place appropriate restrictions on voice mail access and egress ports.

  • Denies Unauthorized Users Direct Inward System Access. Manage your long distance capabilities and disallow or restrict calls to long distance numbers through the voice mail system. Do not allow access to outside lines through an automated attendant, or if you have 800 number access to voice mail. If you are not using remote access features, deactivate or disable them. If you are using remote access, require the use of barrier codes or authorization codes set for maximum length. Change the codes frequently.

  • Places Protection on Systems that Prompt Callers to Input Digits. Administer the system to prevent unintended dialing of digit combinations at prompts. Auto attendants and call vectors should be restricted from allowing access to dial tone.

  • Uses System Software to Intelligently Control Call Routing. Create ARS or WCR patterns to control how each call is to be handled. Use Time Of Day routing capabilities to limit availability of facilities on nights and weekends. Deny all end-points the ability to directly access outgoing trunks.

  • Blocks Access To International Calling Capability. When international access is required, establish permission groups. Limit access to only the specific destinations required for business.

  • Protects Access to Information Stored as Voice. Use passwords to restrict access to voice mailboxes. Use non-trivial passwords and change passwords regularly.

  • Provides Physical Security for Telecommunications Assets. Locate your voice mail system in a room with controlled access. Restrict unauthorized access to equipment rooms and wire connection closets. Protect system documentation and reports data from being compromised.

  • Monitors Traffic and System Activity for Abnormal Patterns. Establish procedures, and make a review of system and network reports to identify hackers a required weekly part of system management. Activate features that turn off access in response to unauthorized access attempts. Use traffic and call detail reports to monitor call activity levels.

  • Educates System Users to Recognize Toll Fraud Activity and React Appropriately. From safely using Calling Cards to securing voice mailbox passwords, users need to be trained on how to protect themselves from inadvertent compromises to the system security.

  • Reviews security with concerned personnel. Review security measures regularly, audit voice mail mailboxes for reasonable passwords, enforce a password change schedule, and do not allow preprogramming of passwords.


Educate and train users

Everyone who uses the system is responsible for the security of the system. Users and attendants need to be aware of how to recognize and react to potential hacker activity. Informed people are more likely to cooperate with security measures that often make the system less flexible and more difficult to use. A bit of renewed awareness, perhaps in the form of a refresher course or an updated manual, can go a long way in enhancing the general security of the system.

In addition, ensure that you do the following:

  • Never program passwords or authorization codes onto auto dial buttons. Display phones reveal the programmed numbers and internal abusers can use the auto dial buttons to originate unauthorized calls.

  • Discourage the practice of writing down passwords. If a password needs to be written down, it must be kept in a secure place and never discarded while it is active.

  • Establish well-controlled procedures for resetting passwords.

  • Limit the number of invalid attempts to access a voice mail to five or fewer.

  • Advise attendants that they should tell their system manager if they answer a series of calls where there is silence on the other end or if the caller hangs up.

  • Advise users who are assigned voice mailboxes that they must frequently change personal passwords and not choose obvious passwords.

  • Advise users with special telephone privileges, such as remote access, voice mail outcalling, and call forwarding off-switch, of the potential risks and responsibilities.

  • Advise users that they should be suspicious of any caller who claims to be with the telephone company and wants to check an outside line. They should ask for a callback number, hang up, and confirm the caller’s identity.

  • Never distribute the office telephone directory to anyone outside the company. Be careful when discarding it.

  • Never accept collect phone calls.

  • Never discuss your telephone system’s numbering plan with anyone outside the company.

  • Distribute voice mail security policies to all employees.

  • Make sure operators and receptionists are security conscious and do not transfer callers to an outside line.

  • Establish procedures to counter social engineering. Social engineering is a con game that hackers frequently use to obtain information that may help them gain access to your system.
