Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sc-19

voice over internet protocol

assessment objective:

Determine if the organization:

sc-19(a)

sc-19(a)[1]

establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;

sc-19(a)[2]

establishes implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;

sc-19(b)

sc-19(b)[1]

authorizes the use of VoIP within the information system;

sc-19(b)[2]

monitors the use of VoIP within the information system; and

sc-19(b)[3]

controls the use of VoIP within the information system.

potential assessment methods and objects:

Examine: [select from: System and communications protection policy; procedures addressing VoIP; VoIP usage restrictions; VoIP implementation guidance; information system design documentation; information system configuration settings and associated documentation; information system monitoring records; information system audit records; other relevant documents or records].

Interview: [select from: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for managing VoIP].

Test: [select from: Organizational process for authorizing, monitoring, and controlling VoIP; automated mechanisms supporting and/or implementing authorizing, monitoring, and controlling VoIP].