By: Mike Detrow, CISSP, Senior Consultant and Manager of IT
We are seeing financial institutions continue to expand their use of VOIP (Voice over Internet Protocol) to reduce expenses and increase efficiencies for voice communications. VOIP transmits voice calls over the internet, a LAN (Local Area Network), or a WAN (Wide Area Network) rather than over the PSTN (Public Switched Telephone Network). We have found that the risks associated with a VOIP system are not always properly evaluated prior to implementation.
Some of the risks associated with the use of VOIP include:
- Denial of service attacks
- Inability of emergency services to use automatic location services (depending on configuration)
- Customer service issues during power or network outages
- Interception of telephone conversations
- Unauthorized or fraudulent use of the telephone system
We have seen situations where public safety personnel were not able to respond to an emergency in a timely manner because of misconfigured E911 physical address information. In addition, we have seen multiple VOIP system outages caused by problems at vendor data centers or by the lack of backup plans for data line failures.
During the process of evaluating and implementing a VOIP system, financial institutions should consider the following steps:
- Perform a risk assessment to identify the risks associated with the VOIP system and the mitigating controls that will be used.
- Perform due diligence steps for any vendors involved with the VOIP system and include these vendors in the ongoing vendor review process.
- Develop contingency plans for communications during power or network outages.
- Develop processes to test the contingency plans and to test E911 physical address assignments.
- Verify that VOIP communications that pass over public networks or the internet are encrypted.
- Develop system hardening processes for the VOIP system equipment.
- Develop patch management processes for the VOIP system equipment.
- Develop security procedures for the VOIP system to prevent denial of service attacks and unauthorized use of the system.
- Include the VOIP system in ongoing vulnerability assessments.
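One way to turn the encryption and hardening steps above into a repeatable check is to audit the VOIP trunk inventory for peers reached across public networks that are not using TLS for SIP signalling and SRTP for media. The script below is an added example and is not from the article or from Young & Associates; the inventory format, its field names, and the sample addresses are all assumptions constructed for illustration.

```python
"""Audit a VOIP trunk inventory for unencrypted signalling or media on public paths.

Added example, not part of the original article. The inventory layout and the
field names (name, peer, signalling, srtp) are assumptions for illustration.
"""
import ipaddress

# Constructed sample inventory of SIP trunks/peers (not real systems).
SAMPLE_TRUNKS = [
    {"name": "carrier-primary", "peer": "203.0.113.10", "signalling": "tls", "srtp": True},
    {"name": "carrier-backup", "peer": "198.51.100.7", "signalling": "udp", "srtp": False},
    {"name": "branch-pbx", "peer": "10.20.30.5", "signalling": "udp", "srtp": False},
    {"name": "cloud-provider", "peer": "192.0.2.44", "signalling": "tls", "srtp": False},
]

# Address ranges treated as internal to the institution's LAN/WAN for this audit.
# (RFC 1918 ranges plus loopback and link-local; adjust to your own address plan.)
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def crosses_public_network(peer):
    """True when traffic to this peer leaves the internal network."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        # A hostname cannot be classified offline; assume the conservative case.
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def audit_trunk(trunk):
    """Return a list of findings for one trunk; an empty list means it passes."""
    findings = []
    if not crosses_public_network(trunk["peer"]):
        # Internal peer: the public-network encryption requirement does not apply.
        return findings
    if trunk["signalling"].lower() != "tls":
        findings.append("SIP signalling to public peer is not over TLS")
    if not trunk["srtp"]:
        findings.append("RTP media to public peer is not SRTP-protected")
    return findings


def audit_inventory(trunks):
    """Map trunk name -> findings for every trunk that fails the check."""
    results = {}
    for trunk in trunks:
        findings = audit_trunk(trunk)
        if findings:
            results[trunk["name"]] = findings
    return results


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_TRUNKS).items():
        for finding in findings:
            print(f"[FAIL] {name}: {finding}")
```

Run against an export of the real trunk configuration, the failing entries become work items for the hardening process and evidence for the ongoing vulnerability assessment; the internal address list should be replaced with the institution's own address plan so that branch-to-branch WAN links are classified the way the risk assessment intends.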
With the appropriate planning and ongoing risk management procedures, a financial institution can develop and maintain a secure VOIP system that will reduce expenses and improve customer service.
For more information on this topic or on how Young & Associates, Inc. can assist your bank with its IT needs, contact Mike Detrow at 1.800.525.9775.