Enterprise Voice, Video, and Messaging Policy Security Requirements Guide
SRG-VOIP-000100
The Enterprise Voice, Video, and Messaging Policy must define operations for VTC and endpoint cameras regarding the ability to pick up and transmit sensitive information.
An XCCDF Rule
High Severity
Users of conference room or office-based VTC systems and PC-based communications applications that employ a camera must not inadvertently display sensitive or classified information that is not part of the communications session while the camera is active. This can happen if information in the form of charts, pictures, or maps is displayed on a wall within the viewing or capture range of a camera. Any pan, tilt, and zoom (PTZ) capabilities of the camera must be considered. One may consider visual information out of range, but it may be in range considering camera capabilities such as high definition, PTZ, and video enhancement possibilities for captured frames. Inadvertent display of classified information could also happen if the information is lying on a desk or table unprotected.
NOTES:
- Vulnerability awareness and operational training will be provided to users of VTC and video/collaboration communications-related cameras regarding these requirements.
- This requirement is relevant no matter what the classification level of the session. In an IP environment, the classification of VTC or PC communications depends on the classification of the network to which the VTU or PC is attached and the classification of the facility in which it is located. While classified communications can occur at the same level of classification as the network and facility, communications having a lower or no classification (e.g., unclassified or CUI) may also occur in the same environment. Therefore, sensitive or classified information that is not part of the communications session might be improperly disclosed without proper controls in place.
Documentable: false