With all the recent buzz and excitement around the iPhone 4, Droid 'Incredible', Droid 'X', and similar devices, there are a number of articles and blogs related to the information security and privacy concerns associated with them. ITBusinessEdge.com has an informative 2-part series on aspects of phone security, for example. But what people often overlook as a potential information security and privacy risk is the digital work phone sitting on their desk.
We use our work phone every day. For some, it is joined to their ear as much as their mobile phone is joined to their hip. For others, it is simply a paperweight. Nevertheless, the digital desk phone of today is a fairly sophisticated computing device and should be viewed as a potential access point to your company network and information. For this reason, we should always assume phone and voicemail systems are 'open systems' subject to the risk of unauthorized access. As a result, many of the mitigating control concepts we apply to laptops, smartphones, and other devices should also be applied to your digital work phone.
Below are just some of the practices we should keep in mind to help ensure the security and privacy of information when using phone and voicemail systems.
Hardware and Software
- Do not rely on the phone's default security settings
- Never alter or disable the phone's authorized software or security settings
- Ensure the phone's security settings are in compliance with company policies and standards
- Never alter or disable the phone's authorized security settings
- Lock down physical ports on the phone if they are not part of your company's standard configuration or usage parameters
- Never alter or disable the phone's authorized software
- Never install unauthorized software on the phone
Policy and Awareness
- Always follow your company's 'Acceptable Use' Policy
- Do not share your voicemail password
- Always confirm the individual you are speaking with is authorized to discuss the information
- Always protect your conversations when in public and in the office
- Do not leave voicemails containing information that must be kept secure and private
- Never intentionally alter time stamps, routing details, or other information used to track calls
- Keep in mind, most organizations have a 'no assumption of privacy' policy
Robert Salandre manages Information Security Policy and Awareness at Westfield Insurance. Sharing Knowledge. Building Trust