[unisog] VoIP question.
poepping at cmu.edu
Wed Mar 6 16:51:33 GMT 2002
I think there are two issues, and I'm not sure which you're asking:
- What *can* you capture/store in ordinary network/security mgmt ops?
Are there laws or customs governing management of the data (for
instance, there certainly are laws about handling telephone call records
and recording voice conversations).
- How much *must* you be able to capture/store/translate under
Other data points..
. There are tools that allow you to 'listen in' to a VoIP packet stream.
. There are HIPAA/FERPA issues in *any* packet stream, so I don't think
VoIP presents a new issue in that sense - if you capture/store this data
now, you already have the 'problem'.
> -----Original Message-----
> From: Jim Dillon [mailto:Jim.Dillon at cusys.edu]
> Sent: Tuesday, March 05, 2002 5:55 PM
> To: SANS (E-mail); ISACA (E-mail)
> Subject: [unisog] VoIP question.
> I've been asking some experts and most looked surprised and befuddled
> question, but I think it will come to haunt us eventually, so I
> ask an assortment of security minded folks. Sorry for duplication if
> you are on both lists, but this one seems worth a multi-post to me.
> Is anyone aware of any legislation or attempts at legislation
> capture and monitoring of IP data that includes VoIP content? My
> 1. VoIP is a voice communication, using a different transmission
> nonetheless a voice communication.
> 2. Sniffing or monitoring IP streams that include VoIP packets seems
> paramount to a wire tap.
> 3. Storing, taping, backing up, and transmitting captured data streams
> appear to have FERPA, HIPAA, or other privacy regulation side-effects.
> Here's my concern: What are the costs necessary to address potential
> privacy problems for admins monitoring IP traffic once VoIP is in use?
> Training? User warnings and disclaimers? Changes in institution-wide
> management techniques and policies concerning the collection of data
> storage now that this data may represent voice communications? What
> we recognize as potential "entry costs" into this arena given these
> Given the furor over Carnivore and other privacy topics, it is only a
> of time before this may be an issue. I'd appreciate any knowledgeable
> opinions on the topic, or any indicators that I'm all wet, but it
> be a looming risk/issue. I am decidedly unaware of the actual
> used, but it seems apparent that a set of IP packets that could be
> re-converted into a private conversation could represent trouble if
> mis-handled. My concern is to bring a knowledgeable debate on the
> into decisions to use VoIP, but I've yet to identify someone who
> have a handle on any problem potential here. Most have not given it
> Your informed opinions are coveted.
> Best regards,
> Jim Dillon, CISA
> IT Audit Manager
> jim.dillon at cusys.edu
> Phone: 303-492-9734
> Dept. Phone: 303-492-9730
> Fax: 303-492-9737