The organization must manage Voice Video system identifiers (e.g., phone numbers) by preventing reuse for a locally defined time period.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-300449

Associated with: CCI-001975

VVSP-01-000097_rule The organization must manage Voice Video system identifiers (e.g., phone numbers) by preventing reuse for a locally defined time period.

Vulnerability discussion

Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, device-unique identifiers, and phone numbers. Preventing reuse of identifiers implies preventing the assignment of previously used identifiers to different devices. For Voice Video systems, the importance of preventing reuse must also consider fire and emergency services (FES) requirements for life safety and Command and Control (C2) requirements mandating communications among top-level officials. Location (ALI) and phone number (ANI) databases are often used with VoIP systems to identify the precise location of a Voice Video endpoint. When endpoints are reused, these databases must also be updated. Adversaries can use improperly maintained databases as a way of mobilizing security and emergency personnel to a faux site to weaken responses in another area.

Check content

Review each Voice Video system security plan (SSP). Ensure the organization manages Voice Video system identifiers (e.g., phone numbers) by preventing reuse for a locally defined time period. The locally defined time period must be identified in the Voice Video SSP. Confirm that the phone number's administrative procedure includes verifying that the locally defined time period has elapsed prior to reuse, with exceptions allowable for replacement of personnel performing similar business functions. If the locally defined time period is not identified in the Voice Video SSP, this is a finding. If the Voice Video SSP does not contain an administrative procedure that includes verifying that the locally defined time period has elapsed prior to reuse, this is a finding.

Fix text

Develop and document in each Voice Video SSP the locally defined time period for reuse of phone numbers and other Voice Video system identifiers that associate a user with a service. Develop and document in each Voice Video SSP an assignment procedure for verifying that the locally defined time period has elapsed prior to reuse of phone numbers or other Voice Video system identifiers associating users with services. Considerations must be made for situations where a person is replaced by another person and maintaining that phone number to conduct business functions is essential.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer