The Enterprise Voice, Video, and Messaging Policy must define operations for VTC and endpoint cameras regarding the ability to pick up and transmit sensitive information.

An XCCDF Rule

Description

<VulnDiscussion>Users of conference room or office-based VTC systems and PC-based communications applications that employ a camera must not inadvertently display sensitive or classified information that is not part of the communications session while the camera is active. This can happen if information in the form of charts, pictures, or maps are displayed on a wall within the viewing or capture range of a camera. Any pan, tilt, and zoom (PTZ) capabilities of the camera must be considered. One may consider visual information out of range, but it may be in range considering camera capabilities such as high definition, PTZ, and video enhancement possibilities for captured frames. Inadvertent display of classified information could also happen if the information is lying on a desk or table unprotected. NOTES: - Vulnerability awareness and operational training will be provided to users of VTC and video/collaboration communications-related cameras regarding these requirements. - This requirement is relevant no matter what the classification level of the session. In an IP environment, the classification of VTC or PC communications depends on the classification of the network to which the VTU or PC is attached and the classification of the facility in which it is located. While classified communications can occur at the same level of classification as the network and facility, communications having a lower or no classification (e.g., unclassified or CUI) may also occur in the same environment. Therefore, sensitive or classified information that is not part of the communications session might be improperly disclosed without proper controls in place.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-259890r948734_rule
Severity: High
References: CCI-002213
Updated: 19 days ago

Ensure a policy and procedure is in place and enforced that addresses the operation of video/collaboration communications-related cameras (e.g., webcams or VTC cameras) regarding their ability to inadvertently capture and transmit sensitive or classified information. 

Do not post potentially sensitive information on the walls in view of the camera(s).

Produce an SOP that addresses the operation of video/collaboration communications-related cameras (e.g., webcams or VTC cameras) regarding their ability to inadvertently capture and transmit sensitive or classified information such that: 
- Conference room and office users do not display sensitive or classified information on walls that are within the view of the camera(s).- Conference room and office users do not place sensitive or classified information on a table or desk within the view of the camera(s) without proper protection. (e.g., a proper cover).
- Conference room and office users do not read or view sensitive or classified information at such an angle that the camera(s) could focus on it. 

NOTE: While covering such information mitigates disclosure when a camera is to be used, if the camera is activated unexpectedly or without taking action to cover the information prior to activating, the information can be compromised. Best practice is to not display it in view of the camera at all.

Provide appropriate training so users follow the SOP. Enforce user compliance with the SOP.

The Enterprise Voice, Video, and Messaging Policy must define operations for VTC and endpoint cameras regarding the ability to pick up and transmit sensitive information.

Description

Remediation - Manual Procedure