Overview
You should also:

■ provide effective physical security for the room containing your
  telecommunications equipment and the room with administrative tools,
  records, and System Administration information. These areas should be
  locked when unattended.
■ provide a secure trash disposal for all sensitive information, including
  your company’s telephone directories, call accounting records, or
  anything that may supply information about your communications system.
  This trash should be shredded.

Security Policy and User Education

As part of your responsibility for protecting system security, you should
establish and communicate security policies for all system users. You should
let users know what measures they should take to protect system security and
explain how hackers may try to gain access to the system. In particular, you
should provide users with the following information:

■ All reports of trouble, requests to move extensions, or any other
  administrative details associated with the communications system or the
  voice mail system should be handled by one person (the System
  Manager) or within one department. Anyone claiming to be a telephone
  company representative should be referred to this person or department.
  If a caller claims to be an authorized telephone company representative,
  verify his or her identity before permitting that person any access to the
  system.
■ Establish well-controlled policies for passwords:
  — Establish a specific date for changing passwords (for example, the
    first of each month) and help users remember to do it.
  — Advise subscribers to use a 4-digit password.
  — Tell users that passwords should not be recycled. They should be
    hard to guess and should not contain:
    ■ all the same numbers (for example, 4444)
    ■ sequential characters (for example, 1234)
    ■ personal information that can be associated with them (such as
      their name, birthdate, telephone number, or social security number)
  — Discourage the practice of writing down passwords. If a password
    needs to be written down, keep it in a secure place and never discard
    it while it is still active.
  — Tell users never to program passwords onto Auto Dial buttons. Display
    phones reveal the programmed numbers.
■ Educate employees that hackers may try to trick them into providing
  them with dial tone or dialing a number for them.
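
The password rules above can be checked mechanically when a System Manager reviews proposed passwords. The following is an added example, not part of the original guide or of any product's software. It assumes that descending runs such as 4321 count as sequential and that a name counts as personal information when spelled on the telephone keypad; the function names and the sample user are hypothetical.

```python
import re

# Standard telephone keypad letter groups, used to spell names as digits.
KEYPAD = {ch: d for d, letters in {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}.items() for ch in letters}

def to_digits(text):
    """Digits in text, with letters converted as they would be dialed."""
    return "".join(KEYPAD.get(c, c) for c in text.upper()
                   if c.isdigit() or c in KEYPAD)

def password_violations(password, personal_info=(), previous=()):
    """Return the policy rules a voice mail password breaks (empty = acceptable).

    personal_info: strings such as name, birthdate, telephone number.
    previous: passwords the user has had before (the "not recycled" rule).
    Both parameters are assumptions of this example.
    """
    if not re.fullmatch(r"[0-9]{4}", password):
        return ["not a 4-digit password"]
    found = []
    # Differences between neighbouring digits: {0} = repeated, {1}/{-1} = a run.
    steps = {int(b) - int(a) for a, b in zip(password, password[1:])}
    if steps == {0}:
        found.append("all the same numbers")
    elif steps in ({1}, {-1}):
        found.append("sequential characters")
    if password in previous:
        found.append("recycled password")
    for item in personal_info:
        if password in to_digits(item):
            found.append("personal information: " + item)
    return found

# Constructed sample user; none of these values come from the original document.
SAMPLE_INFO = ["John Smith", "1975-03-14", "555-0142"]
SAMPLE_PREVIOUS = ["8261"]

if __name__ == "__main__":
    for candidate in ["4444", "1234", "4321", "5646", "0314", "8261", "7093"]:
        result = password_violations(candidate, SAMPLE_INFO, SAMPLE_PREVIOUS)
        print(candidate, result or "ok")
```

A birthdate is matched only in the digit order supplied, so list each format users are likely to dial (for example both month-day and day-month).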