VoIP has different requirements, features, functionality, availability, and service limitations when compared with the Plain Old Telephone Service (POTS) (i.e., the standard telephone service). In contrast, other telephone services are based on high-speed, digital communications lines, such as Integrated Services Digital Network (ISDN) and Fiber Distributed Data Interface (FDDI). The main distinctions between POTS and non-POTS services are speed and bandwidth. To address the threats associated with VoIP, usage restrictions and implementation guidelines are based on the potential for the VoIP technology to cause damage to the system if it is used maliciously. Threats to VoIP are similar to those inherent in any Internet-based application. [SP 800-58] provides guidance on Voice Over IP Systems.

Priority: High

Baseline Security Configurations 

Services Associated with AWS:

  1. Amazon Chime
  2. AWS CloudTrail
  3. Amazon GuardDuty

Objective Evidence:  

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of configuration settings

Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Intrusion Prevention System (IPS)
  • Access Control List (ACL) 

What needs to be answered?

Is the use of VoIP controlled? Is the use of VoIP authorized and monitored?

  • VoIP Usage Restriction Check

    Description: This check ensures that there are appropriate usage restrictions in place for VoIP technologies in use within the system. The check verifies that there is a policy for controlling the use of VoIP and that these policies are adhered to, helping to prevent potential misuse.

  • VoIP Monitoring Check

    Description: This check ensures that all usage of VoIP within the system is properly monitored. The check verifies that monitoring tools are in place and functioning as expected to detect any unauthorized or potentially harmful usage of VoIP.

More Details:

VoIP systems are not used within the organization.
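
One way to back the VoIP Monitoring Check with AWS CloudTrail, as an added example that is not part of the original control text or any AWS-provided tooling: it flags Amazon Chime API activity by principals outside an approved list, so an organization that does not use VoIP should see no findings. The log records, account ID, role names and the approved list are constructed assumptions.

```python
import json

# Constructed CloudTrail records (not real log data); the field names follow
# the CloudTrail record format.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-10T09:12:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-01-10T09:15:02Z", "eventSource": "chime.amazonaws.com",
     "eventName": "CreateVoiceConnector", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-01-10T09:20:31Z", "eventSource": "chime.amazonaws.com",
     "eventName": "ListVoiceConnectors", "sourceIPAddress": "203.0.113.9",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/build"}},
    {"eventTime": "2024-01-10T09:30:00Z", "eventSource": "chime.amazonaws.com",
     "eventName": "ListVoiceConnectors", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/voip-auditor"}},
]})

# Assumption: principals permitted to call Chime (for example an audit role).
# Use an empty set when no VoIP use is authorized at all.
APPROVED_PRINCIPALS = {"arn:aws:iam::111122223333:role/voip-auditor"}

def is_voip_event(record):
    # Assumption: matching event sources that start with "chime" is broad
    # enough to cover the Chime service family in this account.
    return record.get("eventSource", "").startswith("chime")

def find_voip_findings(log_text, approved=APPROVED_PRINCIPALS):
    """Return one finding per Chime API call made by an unapproved principal."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if not is_voip_event(rec):
            continue
        principal = rec.get("userIdentity", {}).get("arn", "unknown")
        if principal in approved:
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "principal": principal,
            "action": rec.get("eventName"),
            "source_ip": rec.get("sourceIPAddress"),
            # A denied call shows the restriction held, but is still reviewed.
            "outcome": "denied" if rec.get("errorCode") else "succeeded",
        })
    return findings

if __name__ == "__main__":
    for finding in find_voip_findings(SAMPLE_LOG):
        print(finding)
```

Denied calls are reported alongside successful ones because they are evidence for the Usage Restriction Check as well: they show the restriction blocked an attempt.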