Avaya

Modular Messaging Help

Security policy

A security policy is a statement of rules for an organization. The policy rules state how people must handle organizational information and technology assets. The technological assets include hardware and software.

Security issues change constantly. Security measures that you implement today might not be as secure tomorrow. One of the most important tools for securing a system is to have a published security policy that you enforce. A security policy in place is vital for an efficient and secure system. It protects the information assets of your organization. This security policy must include the following information:

  • Published security guidelines to inform users of their responsibilities

  • Corporate policies to define network access, service access, local and remote user authentication, dial-in and dial-out, disk and data encryption, and virus protection measures

  • Employee training

Protect all potential points of network attack with the same level of network security. In addition, the security policy must clearly provide the following information:

  • Identify what is to be protected.

  • State what it needs to be protected against.

  • State the possibilities and occurrences of well-known threats.

  • Describe processes to implement measures that protect corporate assets in a cost-effective manner.

  • Describe processes to review and improve the security measures on a continuous basis.

  • Define corporate security goals.

  • Include rules about negative or irresponsible behavior, a path for problem escalation, and information about whom to notify of all security issues.

  • Define measures to ensure that no one circumvents the policy.

The security policy must be based on a carefully conducted security analysis, risk assessment, and business needs analysis. For more information, see the Site Security Handbook (RFC 2196), published by the Internet Engineering Task Force at www.ietf.org, which can help you create a security policy.

Topics in this section include:

  • General security guidelines

  • Educate and train users

General security guidelines

Security is more than preventing hackers from eavesdropping on messages. Security also means protecting your system against fraudulent long-distance charges, corporate espionage, and malicious system intrusions. By recognizing the different types of hackers and the trails they leave, you can protect your system, and possibly catch the hackers. Prevention is your most effective weapon against voice mail hackers. You can deter most voice mail hackers with common-sense policies and procedures. The policies and procedures address better system design and administration, subscriber education, and effective company voice mail policies and guidelines.

A well established security policy can enhance the security of your system considerably. The following general guidelines can help reduce unauthorized usage. Ensure that the security policy addresses the following:

  • Protects system administration access. Establish multiple access levels for subscribers, system managers, and system programmers. Require passwords for each level of access. Ensure that secure passwords exist for all logins that allow system administration or maintenance access to the system. Change the passwords frequently.

  • Prevents voice mail system transfer to dial tone. Activate secure transfer features in voice mail systems. Place appropriate restrictions on voice mail access and egress ports.

  • Denies unauthorized users direct access into the system. Manage your long-distance capabilities. Block, or tightly restrict, calls to long-distance numbers placed through the voice mail system. Do not allow access to outside lines through an automated attendant or through 800-number access to voice mail. Disable or deactivate the remote access features that you do not use. For each remote access feature that you use, require barrier codes or authorization codes set to the maximum length. Change the codes frequently.

  • Places protection on systems that prompt callers to input digits. Administer the system to prevent unintended dialing of digit combinations at prompts. Restrict auto attendant and call vector access to dial tone.

  • Uses system software to intelligently control call routing. Create Automatic Route Selection (ARS) and World Class Routing (WCR) patterns to control how each call is handled. Use Time Of Day routing capabilities to limit availability of facilities on nights and weekends. Deny all endpoints the ability to directly access outgoing trunks.

  • Blocks access to international calling capability. When international access is required, establish permission groups. Limit access to only the specific destinations required for business.

  • Protects access to information stored as voice. Use passwords to restrict access to voice mailboxes. Use nontrivial passwords. Change passwords regularly.

  • Provides physical security for telecommunications assets. Locate your voice mail system in a room with controlled access. Restrict unauthorized access to equipment rooms and wire connection closets. Protect system documentation and reports data from being compromised.

  • Monitors traffic and system activity for abnormal patterns. Establish weekly procedures to review system and network reports to identify hackers. Activate features that turn off access in response to unauthorized access attempts. Use traffic and call detail reports to monitor call activity levels.

  • Educates system users to recognize toll fraud activity and to react appropriately. Toll fraud often involves misuse of calling cards and compromised voice mailbox passwords. Train users on how to protect themselves from inadvertently compromising system security.

  • Reviews security with concerned personnel. Review security measures regularly. Audit voice mail mailboxes for reasonable passwords. Enforce a password change schedule. Do not allow preprogramming of passwords.

Educate and train users

Everyone who uses the system is responsible for the security of the system. Users and attendants must know how to recognize and react to potential hacker activity. Informed people are more likely to cooperate with security measures that make the system less flexible and perhaps more difficult to use. Renewed awareness in the form of a refresher course or an updated manual can enhance the general security of the system.

In addition, ensure that the training addresses the following guidelines:

  • Never program passwords or authorization codes onto auto-dial buttons. Display telephones reveal the programmed numbers, and internal abusers can use the auto-dial buttons to originate unauthorized calls.

  • Discourage the practice of writing down passwords. If a password needs to be written down, keep the password in a secure place, and never discard the password while it is active.

  • Establish well-controlled procedures for resetting passwords.

  • Limit the number of invalid attempts to access a subscriber mailbox to five or fewer.

  • Advise attendants to tell their system manager when they answer a series of telephone calls in which the caller is silent or hangs up.

  • Advise users who have voice mailboxes that they must change personal passwords frequently and must not choose obvious passwords.

  • Advise users with special telephone privileges of the potential risks and responsibilities. Special telephone privileges can include remote access, voice mail outbound calling, and call forwarding off-switch.

  • Advise users that they must be suspicious of any caller who claims to be with the telephone company and wants to check an outside line. Users must ask for a callback number, hang up, and confirm the caller's identity.

  • Never distribute the office telephone directory to people outside the company. Be careful when discarding it.

  • Never accept collect telephone calls.

  • Never discuss your telephone system numbering plan with anyone outside the company.

  • Distribute voice mail security policies to all employees.

  • Ensure that operators and receptionists are security conscious and do not transfer callers to an outside line.

  • Establish procedures to prevent social engineering. Social engineering is a con game that hackers frequently use to obtain information that can help them gain access to your system.
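The monitoring guideline earlier on this page (review system and call detail reports weekly for abnormal patterns, and turn off access after unauthorized attempts) and the five-attempt limit in the training list above can both be exercised with a small review script. The following is an added example, not Avaya code and not any Modular Messaging report format: the comma-separated record layout, the mailbox numbers, the business-hours window, and the use of the 011 prefix to mean an international call are all constructed assumptions for illustration.

```python
"""Added example (not Avaya's code): flag the abnormal patterns the
security guidelines describe, using constructed voice-mail event records.

Assumed record format (one per line, constructed for this example):
    timestamp,event,mailbox,called_number,result
where event is LOGIN (result OK or FAIL) or OUTCALL (an outbound call
placed through the voice mail system). Real Modular Messaging reports use
their own layouts; only the parser would need to change."""
from collections import defaultdict
from datetime import datetime, time

MAX_INVALID_ATTEMPTS = 5              # guideline: five or fewer invalid attempts
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed local business day

# Constructed sample records (not real data): mailbox 2042 is hit with five
# failed logins late at night, then succeeds and places international calls.
SAMPLE_EVENTS = """\
2024-03-04T09:12:00,LOGIN,2001,,OK
2024-03-04T23:40:01,LOGIN,2042,,FAIL
2024-03-04T23:40:09,LOGIN,2042,,FAIL
2024-03-04T23:40:17,LOGIN,2042,,FAIL
2024-03-04T23:40:25,LOGIN,2042,,FAIL
2024-03-04T23:40:33,LOGIN,2042,,FAIL
2024-03-04T23:41:02,LOGIN,2042,,OK
2024-03-04T23:45:00,OUTCALL,2042,011442071234567,OK
2024-03-04T10:15:00,OUTCALL,2001,5551234,OK
2024-03-05T02:10:00,OUTCALL,2042,01181312345678,OK
"""


def parse_events(text):
    """Parse the assumed record format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, mailbox, number, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "mailbox": mailbox, "number": number, "result": result})
    return events


def is_international(number):
    # Assumption: North American dial plan, where 011 prefixes international calls.
    return number.startswith("011")


def outside_business_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    t = ts.time()
    return ts.weekday() >= 5 or t < start or t >= end


def find_lockout_candidates(events, limit=MAX_INVALID_ATTEMPTS):
    """Mailboxes whose run of consecutive failed logins reaches the limit.
    The system itself should lock these; the report confirms the feature
    fired and tells the administrator where to look."""
    streak = defaultdict(int)
    flagged = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] != "LOGIN":
            continue
        if e["result"] == "FAIL":
            streak[e["mailbox"]] += 1
            if streak[e["mailbox"]] >= limit:
                flagged.add(e["mailbox"])
        else:
            streak[e["mailbox"]] = 0   # a successful login ends the run
    return flagged


def find_suspicious_outcalls(events):
    """Outbound international calls placed outside business hours, the
    pattern Time Of Day routing and international permission groups exist to stop."""
    return [e for e in events
            if e["kind"] == "OUTCALL"
            and is_international(e["number"])
            and outside_business_hours(e["ts"])]


def weekly_report(text):
    """Summarise both checks for the weekly review procedure."""
    events = parse_events(text)
    return {
        "lockout": sorted(find_lockout_candidates(events)),
        "outcalls": [(e["mailbox"], e["number"]) for e in find_suspicious_outcalls(events)],
    }


if __name__ == "__main__":
    for check, hits in weekly_report(SAMPLE_EVENTS).items():
        print(check, hits)
```

On the constructed sample the report names mailbox 2042 under both checks: the failed-login run reaches the five-attempt limit, and the two after-hours international calls that follow are exactly the pattern the page's guidance on international access and Time Of Day routing is meant to prevent. The lockout check counts consecutive failures only, so a legitimate subscriber who mistypes once and then logs in is not reported.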
