Title

inadequate user training for pc presentation sharing that could lead to compromise of other information on the presenting PC (Cat II impact)

Discussion

Users must be trained regarding the display of information that is not part of the conference. Such training must be based on the SOP discussed under RTS-VTC 2440.01 that is designed to mitigate the vulnerability.

Check Content

[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: Ensure VTU users receive training in the proper use and operation of PC to CODEC connections and understand the vulnerabilities associated with such interconnections regarding inadvertent or improper information disclosure. Interview a sampling of VTU administrators and users to verify that training has been provided for proper use and operation of PC to CODEC connections and that they understand the vulnerabilities associated with such interconnections regarding inadvertent or improper information disclosure. This is a finding if deficiencies are found. List these deficiencies in the finding details.

Fix Text

[IP][ISDN]; Perform the following tasks: Train users and administrators in the proper use and operation of PC to CODEC connections and provide an understanding of the vulnerabilities associated with such interconnections regarding inadvertent or improper information disclosure.

Additional Identifiers

Rule ID: SV-18871r1_rule

Vulnerability ID: V-17697

Group Title: RTS-VTC 2460.00 [IP][ISDN]

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.