
The Enterprise Voice, Video, and Messaging Policy must define operations for endpoint microphones regarding the ability to pick up and transmit sensitive information.


Overview

Finding ID: V-259891
Version: SRG-VOIP-000110
Rule ID: SV-259891r948735_rule
IA Controls: (none listed)
Severity: Medium

Description
Microphones used with VTC systems and devices are designed to be extremely sensitive so the voice of anyone speaking anywhere within a conference room is picked up and amplified so they can be heard clearly and understood at the remote location on the call. This same sensitivity is included in VTUs that are used in office spaces. This has one disadvantage. The microphones can pick up sidebar conversations that have no relationship to the conference or call in progress. Likewise, in an open area, received conference audio can be broadcast to others in the area who are not part of the conference and possibly should not be exposed to the conference information for need-to-know reasons. Speakerphones exhibit a similar vulnerability.

This is the same confidentiality vulnerability posed to audible sound information in the environment as discussed above, with the added twist that the conference audio is vulnerable to others in the environment. While this is more of an issue in environments where classified conversations normally occur, it is also an issue in any environment. This is of particular concern in open work areas or open offices where multiple people work in near proximity. Users or operators of VTC systems of any type must take care regarding who can hear what is being said during a conference call and what unrelated conversations can be picked up by the sensitive microphone.

Where a VTU is used by a single person in an open area, a partial mitigation for this could be the use of a headset with earphones and a microphone. While this would limit the ability of others to hear audio from the conference and could also limit the audio pickup of unrelated conversations, it may not be fully effective.
In some instances, such as when a VTU is located in a SCIF, a Push-to-Talk (PTT) handset/headset may be required.

Microphones embedded in or connected to a communications endpoint, PC, or PC monitor can be sensitive enough to pick up sound that is not related to a given communications session. They could pick up nearby conversations and other sounds. This capability could compromise sensitive or classified information that is not related to the communications in progress.

Speakers embedded in or connected to a communications endpoint or PC can be made loud enough to be heard across a room or in the next workspace. This capability could compromise sensitive or classified information that is being communicated during a session.

Users must be aware of other conversations in the area and their sensitivity when using any communications endpoint (not only a PC-based voice, video, or collaboration communications application). This awareness must then translate into protecting or eliminating these other conversations. A short-range, reduced-gain, or noise-cancelling microphone may be required. A PTT microphone may also be required for classified areas. The microphone should be muted when the user is not speaking as both mitigation for this issue and proper etiquette when participating in a conference. The muting function should be performed using a positively controlled disconnect, shorting switch, or mechanism instead of a software-controlled mute function on the PC.

Users must be aware of other people in the area who could hear what is being communicated. This is particularly an issue if the communicated information is sensitive or classified because the parties overhearing the information may not have proper clearance or a need-to-know. To mitigate this issue, a headset or speakers should be used, at a volume that only the user can hear.

STIG: Enterprise Voice, Video, and Messaging Policy Security Requirements Guide
Date: 2024-03-12

Details

Check Text (C-63622r946592_chk)
Verify a policy and procedure is in place and enforced that addresses the placement and operation of hardware-based voice and video communications devices and PC-based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Operational policy and procedures must be included in user training and guides.

NOTE: This standard operating procedure (SOP) should take into account the classification of the area where the video teleconferencing unit (VTU) or PC supporting PC-based voice, video, UC, and collaboration communications applications is installed, as well as the classification and need-to-know restraints of the information generally communicated via the facility or specific VTU. Measures should also be included such as closing office or conference room doors, muting microphones before and after conference sessions and during conference breaks, volume levels in open offices, and muting the microphone when not speaking.

Inspect the applicable SOP.

Such an SOP should:
- Include policy on the use of headsets containing short-range microphones and earphones in lieu of long-range microphones and speakers in an open office environment.
- Address the volume settings of speakers so session information is not heard by nonparticipants in a work area.
- Address the potential for the pickup of nonsession-related conversations in the work area.
- Discuss Bluetooth, DECT/DECT 6.0, and other RF wireless technologies for accessories.

Inspect user training materials and discuss practices to determine if information regarding the SOP is conveyed.

Interview a random sampling of users to confirm their awareness of the SOP and related information.

If the SOP or training is deficient, this is a finding.

Fix Text (F-63529r946593_fix)
Ensure a policy and procedure is in place and enforced that addresses the placement and operation of hardware-based voice and video communications devices and PC-based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated. Operational policy and procedures must be included in user training and guides.

Produce an SOP that addresses the operation of hardware-based voice and video communications devices and PC-based voice, video, UC, and collaboration communications applications with regard to their audio pickup and broadcast capabilities in relation to the sensitivity of the information communicated.

Such an SOP should:
- Include policy on the use of headsets containing short-range microphones and earphones in lieu of long-range microphones and speakers in an open office environment.
- Address the volume settings of speakers so session information is not heard by nonparticipants in a work area.
- Address the potential for the pickup of nonsession-related conversations in the work area.

Provide appropriate training so users follow the SOP. Enforce user compliance with the SOP.