Check: SRG-NET-000512-VVEP-00049
Voice Video Endpoint SRG:
SRG-NET-000512-VVEP-00049
(in versions v2 r2 through v1 r8)
Title
The Voice Video Endpoint camera must provide hardware mechanisms, such as push-to-see (PTS) camera switches, to prevent pickup and transmission of sensitive or classified information over non-secure networks. (Cat II impact)
Discussion
Cameras used with Voice Video Endpoints may reveal sensitive or classified information. This is especially at risk when unclassified conversations are conducted in classified spaces. Users or operators of videoconferencing systems must take care regarding what is being said and seen during a conference call and what sensitive information can be picked up by a camera or microphone. Voice Video Endpoints used in classified areas must use hardware mechanisms such as push-to-see (PTS) to prevent sensitive or classified information picked up by the camera in the area of the call from being transmitted over unclassified systems. This capability mitigates the risk to compromise sensitive or classified information not related to the conversation in progress.
Check Content
If the unclassified Voice Video Endpoint is not deployed where sensitive or classified information is displayed or discussed, this check procedure is Not Applicable. Verify the Voice Video Endpoint camera provides hardware mechanisms, such as push-to-see camera switches, to prevent pickup and transmission of sensitive or classified information over non-secure networks. If the Voice Video Endpoint camera does not provide hardware mechanisms, such as push-to-see camera switches, to prevent pickup and transmission of sensitive or classified information over non-secure networks, this is a finding. If the Voice Video Endpoint camera does provide hardware mechanisms but is not configured to use these features, this is a finding.
Fix Text
Configure the Voice Video Endpoint camera hardware mechanisms, such as push-to-see camera switches, to prevent pickup and transmission of sensitive or classified information over non-secure networks.
Additional Identifiers
Rule ID: SV-206796r604140_rule
Vulnerability ID: V-206796
Group Title: SRG-NET-000512
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |