I am right in the middle of a VoIP audit and thought that I would share some important security-related thoughts with you. Without a doubt, VoIP can save your company money and give your users features that are not available with a PBX.
However, you need to be aware of security issues in case someone like me comes knocking on your door to audit your system. Although I am a nice person, or so I am told, I will be looking for certain documents to include in my audit and if I don't get them, you will definitely get an audit finding against you. So, if you want to avoid explaining in front of an audit committee why you have a finding, pay attention!
- Is your system documented or are you the only one who knows how it works? Create diagrams that show how the system works so that when you are on vacation sunning yourself on a nice beach somewhere, the person who is covering for you knows how it works as well. New people joining your department would appreciate it also.
- Do you have a process for adding and deleting users? If a new employee joins the organization, do you get a ticket to create a user ID for them? Do you also get a ticket to remove them from the system?
- Who has admin rights on your system? As an IT auditor, I would want to see who has the authority to administer your system. I better see separate accounts for everyone who does. In other words, what controls do you have in place?
- Do you open change-management tickets for changes to the production system? I would pull at least the last three months of changes to see if you are putting in tickets. This tells me that you are getting approvals for changes and that you are communicating changes with business and technology leaders.
- Are you backing up the systems? Auditing is about being able to prove what you are doing and what controls are in place. I would need to see a crontab entry (if on Unix), backup sheets from operations and logs to know this is being done on a scheduled basis.
- Is your features list reviewed on a regular basis? Can people still "sit" on a conference call after you hang up? Can employees make long-distance calls after hours?
- Finally, I would do a vulnerability assessment on your system(s). Can I get to the voice network from the data network? Can I hack an IP phone? Can I capture voice packets and play them back later? Here are some tools that you may consider running against your system:
*Note: I take no responsibility for your results with these tools.
Many people don't like auditors. I don't know why; they are nice people at heart. However, you don't want to get on the bad side of one. So, follow my advice and you should be fine. Also, buying them a cup of coffee would be helpful.