Developing Your Own Modem Use Policy
Executive Summary
Policies are management instructions indicating how an organization is to be run.
This policy is designed to be an addition to an existing corporate security policy.
It can be an addition to a Remote Access Policy, if one exists, or simply stand
alone as a Modem Access Policy if no policy of this sort currently exists at the Company.
Acceptance of this kind of policy at a company is the first step to eliminating
unauthorized or poorly implemented modems at a site. Near the end of this policy
is a section entitled "Steps for Initial Deployment of this Policy,"
which is an outline of necessary steps within an organization for ensuring that
all internal modems are configured properly.
Having a Modem Policy displays due diligence in regard to security at a company.
Acceptance of this policy at a management level will also help company auditors
assess the security posture of the company.
As with anything related to an organization's information security, a Risk Analysis
must be made for each modem found. There are a myriad of business reasons for a
modem to exist, and each one of those reasons needs to be weighed against the
potential vulnerability a poorly configured modem opens up within a company. This
policy outlines these potential areas of conflict between the security organization
and the business operations aspect of a company. This policy also attempts to resolve these
conflicts in a clear manner to enable a company to have a concise understanding of all
issues relating to modems within the Company.
Background
Companies rely heavily on their internal automated resources
(networks, computers, telephones, etc.) to meet their operational, financial and
information requirements. All
information, as it passes over and is stored on these resources, is an important asset
of the Company. A system of internal
controls and policies should exist to safeguard and control misuse of these
assets. Information will be processed securely, and all employees share the
responsibility for the confidentiality, integrity, and continued secure availability of the Company’s
information. This policy covers both accidental and intentional disclosure of,
or damage to, Company assets due to improperly installed remote access devices,
specifically, modems.
Scope
This policy statement applies to the confidentiality,
integrity, and continued secure availability of the Company’s assets with
regards to remote access via telephone and ISDN lines and specifically
modems. The main feature of this policy
is to outline the extent that devices which allow such access are to be
deployed within the Company, and how the enforcement of this policy will be
carried out.
Definitions
Assets: Assets include all items which allow a company to stay in business.
This includes not only physical items, such
as hardware, computers, information stored on computers and cash on hand, but
also non-physical items, such as company reputation, information in transit
over the internal network and operating expenses.
Company: The word "Company" means the entire corporation,
organization or government entity which ultimately controls and owns all Assets
within the scope of this document.
Information: Information entails both data stored on a computer system
or storage medium and data which is in transit.
Modem: A device that enables one computer to communicate with another computer, or
enables one computer to operate another device across a telephone or ISDN line.
Employee: Includes all people who work directly for the Company, and those who
are temporarily receiving compensation for contributing to the Company’s assets.
This includes all direct employees, temporary personnel, consultants, contractors,
and dedicated vendor representatives. By extension, employees are directly responsible
for enforcement of this policy by non-employees reporting to them, such as a vendor
representative assisting the Company in solving a problem with the vendor’s product.
Owner: The Owner of an asset is the employee responsible for the business results
of that asset, or the business use of this asset. Where appropriate, ownership may be
shared by managers of different departments.
Custodian: The Custodian is an employee or department responsible for the
processing and storage of the asset. This term is most often used in relation to
information. For instance, mainframe applications may have the Information Services
department as the custodian; for smaller systems, the owner or user may retain
custodial responsibilities. If a department is responsible for an asset, the head
employee/manager/director of that department has the ultimate responsibility for all
such assets, and the authority to implement necessary controls to keep the asset secure.
User: The User is any person or employee who has been authorized by the owner of an
asset to utilize, read, enter, or update information or services which that asset
provides.
Outsider: An
Outsider is any person who does not fall into the category of Employee. This includes groups or other
businesses. Outsiders may not access any assets without approved supervision by an employee.
Responsibilities
Owner
Information processed within the Company must have an
identified owner, and this assignment must be formally documented. This owner can delegate
ownership responsibilities to another employee. Within the scope of this Modem Usage policy,
the owner has the authority and responsibility to:
- Authorize access and assign custody of assets.
- Determine the requirements regarding how access is to be enabled, and communicate this information to the Custodian of the asset.
- Specify access controls and communicate these control requirements to the Custodian and Users of the information.
- Support the Custodian’s responsibility and authority to perform the actions necessary to keep the assets secure.
Custodian
The Custodian is responsible for the administration of
controls and requirements as specified by the Owner. This includes having the authority and responsibility to:
- provide physical and technical safeguards for the asset.
- provide procedural guidelines for the users of the asset.
- maintain a list of all authorized modems, along with their proper settings
(e.g. "auto-answer mode off") to facilitate the examination of the telephone auditing logs.
- administer access to the asset.
- evaluate the cost-effectiveness of controls.
To properly perform this activity, the Custodian will define and keep up to date a list
of ALL modems deployed at the Company, and the activity that each of the modems provides
which adds to the value of the Company.
The Custodian will also, at each testing period, update the list of all telephone numbers
available to the Company, and regularly perform testing with automated software. This
testing will be performed at regular intervals on a monthly or quarterly basis, and will
ensure that:
- all modems deployed at the Company are configured properly.
- no additional, unregistered modems have been deployed without proper
authorization on any telephone/ISDN line within the Company.
Results of this testing will be regularly reported to the Owner of the asset and to the
principals of the Company (i.e. Vice Principal and higher in the executive chain, as
appropriate to the Company).
User
Each user has the responsibility to:
- comply with all controls/policies with regards to modem usage as outlined
by the owner and custodian. This includes relaying information about this policy
to Outsiders or new employees.
- acquire appropriate authorization from the owner/custodian of any network a
newly placed modem will be connected to BEFORE attaching and activating the modem.
- supply the Custodian with the telephone number, proper settings of the modem, and
physical and logical location of all authorized modems the User deploys. This will
help the Custodian when the Custodian performs the regular telephone audits.
- report any known violations of this policy to the custodian or owner immediately
upon discovery.
Enforcement
If a violation of this policy is uncovered as a result of
the Custodian’s normal audit process, the Custodian has the authority to shut
down the offending modem immediately after determining the modem is not on the
Custodian’s list of authorized modems.
A violation of standards, procedures or guidelines
established pursuant to this policy shall be presented to the Management of the
Company for appropriate action. This
could result in disciplinary action, including dismissal and/or legal
prosecution.
Frequency of Review
This policy will be reviewed with each Employee on a yearly
basis, and will be part of the new Employee orientation process to ensure that
each Employee is aware of the importance of this policy to the Company.
Steps for Initial Deployment of this policy
- Ensure that this policy is approved by appropriate management at the Company.
- Obtain permission and authority to perform a telephone line scan
on the Company’s internal telephone system. The time of the scan (during business
hours, outside of business hours, etc.) needs to be defined during this stage.
- The Custodian needs to gather an initial list of all telephone numbers, including
internal extensions the Company owns or can potentially own (whether or not the
telephone number is currently known to be "in use"). This is the
"block of numbers" the telephone company has reserved for use by this Company.
- A telephone line scanning product, such as Sandstorm’s PhoneSweep product,
should be chosen and purchased.
- The telephone line scanning product will be used on all potential telephone
numbers for the Company.
- Examination of all results of the scan will be undertaken. With the assistance
of the telephony department, all items will be addressed, and the initial list of
authorized modems / configurations / locale will be created.
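The Custodian's audit, both in the regular testing described under Responsibilities and in the initial deployment steps above, comes down to reconciling what the line scan found against the register of authorized modems and their settings. The script below is an added example of that reconciliation step; it is not part of this policy and not Sandstorm's code. It assumes a simplified scan result (number to "MODEM", "VOICE" or "NO_ANSWER") and a register that records, per authorized modem, its owner, location and whether auto-answer is permitted; the data is constructed sample data and the field names are assumptions, not a format the policy prescribes.

```python
"""Reconcile a telephone line scan with the Custodian's register of authorized
modems. Added example for this policy (not Sandstorm's code); the data formats
are assumptions."""
import re
from dataclasses import dataclass, field

# Register of authorized modems kept by the Custodian (constructed sample data).
# auto_answer=True means the modem is approved to answer incoming calls.
AUTHORIZED_MODEMS = {
    "555-0101": {"owner": "Finance", "location": "Bldg A, Rm 101", "auto_answer": False},
    "555-0102": {"owner": "IT Ops", "location": "Bldg B, Rm 12", "auto_answer": True},
    "555-0103": {"owner": "Facilities", "location": "Bldg A, Rm 210", "auto_answer": False},
    "555-0106": {"owner": "IT Ops", "location": "Bldg B, Rm 14", "auto_answer": True},
    "555-0107": {"owner": "Legal", "location": "Bldg C, Rm 3", "auto_answer": False},
}

# Simplified scan result over the Company's number block (constructed sample data):
# "MODEM" = a carrier answered, "VOICE" = a person or voicemail, "NO_ANSWER" = silent.
SCAN_RESULTS = {
    "555-0100": "VOICE",
    "555-0101": "NO_ANSWER",   # registered with auto-answer off: consistent
    "555-0102": "MODEM",       # approved dial-in modem: consistent
    "555-0103": "MODEM",       # registered with auto-answer OFF but answered
    "555-0104": "MODEM",       # answered but not on the register at all
    "555-0105": "NO_ANSWER",
    "555-0106": "NO_ANSWER",   # approved to answer, but silent (moved? disconnected?)
}


def normalize_number(number: str) -> str:
    """Keep digits only, so PBX exports and scanner output compare equal
    regardless of punctuation ('555-0101', '(555) 0101', '5550101')."""
    return re.sub(r"\D", "", number)


@dataclass
class AuditReport:
    unauthorized: list = field(default_factory=list)   # answered, not registered
    misconfigured: list = field(default_factory=list)  # registered auto-answer off, but answered
    silent: list = field(default_factory=list)         # registered auto-answer on, but no answer
    unscanned: list = field(default_factory=list)      # registered number absent from the scan

    def is_clean(self) -> bool:
        return not (self.unauthorized or self.misconfigured or self.silent or self.unscanned)


def reconcile(scan_results: dict, register: dict) -> AuditReport:
    """Compare scan findings with the register; numbers in the report are normalized."""
    report = AuditReport()
    scan = {normalize_number(n): r.upper() for n, r in scan_results.items()}
    reg = {normalize_number(n): m for n, m in register.items()}

    for number, result in sorted(scan.items()):
        answered = result == "MODEM"
        entry = reg.get(number)
        if entry is None:
            # Any carrier on an unregistered line violates the policy.
            if answered:
                report.unauthorized.append(number)
            continue
        if answered and not entry["auto_answer"]:
            report.misconfigured.append(number)
        elif not answered and entry["auto_answer"]:
            report.silent.append(number)

    # A registered modem whose number never appeared in the scan means the
    # Custodian's number block or the register is out of date.
    for number in sorted(reg):
        if number not in scan:
            report.unscanned.append(number)
    return report


def format_report(report: AuditReport, register: dict) -> str:
    """Plain-text summary suitable for the Owner and Company principals."""
    reg = {normalize_number(n): m for n, m in register.items()}
    lines = []
    for label, numbers in (("UNAUTHORIZED modem answered", report.unauthorized),
                           ("MISCONFIGURED (auto-answer should be off)", report.misconfigured),
                           ("SILENT (registered to answer, did not)", report.silent),
                           ("UNSCANNED (registered, not in scan)", report.unscanned)):
        for n in numbers:
            where = reg.get(n, {}).get("location", "unknown location")
            lines.append(f"{label}: {n} ({where})")
    return "\n".join(lines) if lines else "No findings: scan matches the register."


if __name__ == "__main__":
    print(format_report(reconcile(SCAN_RESULTS, AUTHORIZED_MODEMS), AUTHORIZED_MODEMS))
```

Each finding maps to an action the policy already assigns: an unauthorized modem is shut down by the Custodian, a misconfigured one is corrected to its registered settings, and silent or unscanned entries send the Custodian back to the User and the telephony department to update the register and the number block before the next testing period.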
Policy Coordinator
Information Security Officer of the Company
Date of Last Revision
October 1, 2001
Copyright © 2001 by Sandstorm Enterprises®. This document may be freely copied,
modified or excerpted for use internal to commercial, government and non-government
organizations without retention of this notice. All other rights, including distribution,
presentation or publication on paper or in electronic form by one organization to non-related
individuals or other organizations are reserved by Sandstorm Enterprises Inc.