VoIP and compliance regulations make strange and difficult bedfellows
Network World - As attacks against VoIP persist businesses not only have to defend themselves, they have to do it under the gun of regulators who want proof that security was addressed in accordance with their ever-changing rules.
VoIP denial of service, toll fraud and eavesdropping attacks are serious problems, yet many businesses lack some of the most basic VoIP protections such as encryption, experts say. There is a sense of urgency to deal with these issues because at the same time, businesses are forced to comply with regulations such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPPA) and Payment Card Industry (PCI) standards that present a moving target as they are revised and updated.
"Recent events involving financial fraud, product safety recalls, and disasters in environmental health and safety have escalated this issue even more in the past two years," according to a Forrester Research study, "The Regulatory Intelligence Battlefield Heats Up", "and the appetite among legislators in the U.S. and abroad seems decidedly in favor of tighter regulatory control."
For the most part, regulations try to protect personally identifiable information that can lead to identity theft, fraudulent use of credit cards, pilfered bank accounts and toll fraud against corporate phone systems.
VoIP is rarely addressed directly in these regulations, but the rules nevertheless apply in some cases. For example, PCI standards say, "Use strong cryptography and security such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks."
That calls for encrypting VoIP calls that cross the open Internet in which credit card numbers are being recited, says Michelle Klinger, a PCI qualified security assessor from Dallas. "I would be inclined to validate that the calls are being encrypted," she says, although VoIP on internal networks would not need that protection. Businesses need to look out for language in regulations that sound like it refers to VoIP.
For instance, HIPAA says businesses must take steps to secure electronic protected health information, which might not seem to affect VoIP calls, but relates directly to recorded calls and digitally stored voice mail, part of any VoIP system. Similarly, if interactive voice response is used to navigate to protected information, its use should be monitored and documented.
On the other hand, the Federal Deposit Insurance Corporation (FDIC) has published specific VoIP guidelines to protect customer data traveling in IP voice networks in accordance with Graham-Leach-Bliley regulations.
"The risks associated with VoIP should be evaluated as part of a financial institution's periodic risk assessment," the advisory says, "with status reports submitted to the board of directors as mandated by section 501(b) of the Gramm-Leach-Bliley Act (GLBA). Any identified weaknesses should be corrected during the normal course of business." That is accompanied by a list of nine recommended actions.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts