10.4. Communications Security

Communications refers to the plethora of technology used every day in business. Every form of communications technology has potential for abuse as a channel of attack. It is crucial that writers of the security policy understand these threats and document them in the security policy. Issues may be due to the nature of the technology itself or may come about as a result of poor security practices. In any case, educating the user and enforcing the policy will go a long way to mitigating exposure. Communications technology has come a very long way in the last 10 years and, with the ubiquitous nature of the Internet, the term itself can refer to things that the author of a security policy might not even have considered.

10.4.1. Securing Telephone Use

The purpose of a telephone security policy is to ensure that staff:

  • Verify the identity of callers and those they call;

  • Know what can and cannot be discussed over the telephone;

  • Take measures to protect information exchanged over the phone in an appropriate manner.

A lot of this is obvious but some is more subtle. Nevertheless, best practice dictates documentation of and adherence to a telephone security policy. Whereas protecting against social-engineering attacks is an obvious concern, it is far from the only problem when you consider things like voicemail. When you introduce voice-over-IP (VoIP), the boundaries between technologies and, indeed, organizational barriers become even more blurred. The following ...

Get Unauthorised Access: Physical Penetration Testing For IT Security Teams now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.