VoIP and compliance regulations make strange and difficult bedfellows

Often VoIP isn't cited directly but falls under scrutiny of compliance auditors

By , Network World
September 13, 2010 06:35 AM ET

Page 2 of 3

The threats are real, says Jason Ostrom, the director of Viper Lab, the VoIP and unified communications vulnerability arm of Sipera Systems. One client suspected eavesdropping and planted false information in VoIP calls to see whether it would later be cited by those suspected of listening in. It was, Ostrom says. It turned out that a third party with legitimate access to the corporate network, which was in litigation with Viper's client at the time, had tapped the VoIP network, he says.

(The problem can be equally grave with video. The telepresence communications of a Fortune 500 CEO were being picked off by eavesdroppers, Ostrom says.)

Some IT directors Ostrom has dealt with try to keep up with the regulations by educating themselves. That doesn't always prove to be enough, says Ross Leo, a senior consultant and trainer for Supremus Group, because some businesses overlook the phone system entirely as a possible vulnerability. "I've had clients who said they'd completely forgotten about it. They think it's just a phone system, but it's not; it's computers."

Chris McClean, an analyst for Forrester, says that as regulations change and become more complex, businesses will have to address VoIP compliance more directly, either by investing in internal groups to keep on top of them or by hiring third parties to do it for them.

If by the nature of its work a business faces three or four sets of regulations each with quarterly compliance reports, the task quickly becomes overwhelming for many IT departments, McClean says. And regulators aren't the only ones adding to the burden. Business partners may have contractual demands about security that need verification.

Businesses that record VoIP calls need to store them with applicable regulations in mind as well as the demands of legal discovery should the stored conversations become relevant to court cases, McClean says. "How are you keeping track of these conversations? They may be discoverable if there is an investigation," he says.

Diligence in following cases of VoIP exploitation is essential, he says. When details of such attacks are publicized, businesses should examine their own defenses to determine whether they could have withstood the published assault. If not, they should remediate. "They should ask, 'How would we have responded? Could we have prevented a similar attack?'" McClean says.

Such opportunities are limited, Ostrom says. "The reality of the situation is businesses don't disclose. There's no incentive if they've suffered a breach," he says.

Businesses seeking how to deploy VoIP in compliance with regulations may benefit from services that are just now coming to light, McClean says, from such consultants as LexisNexis (a member firm of Reed Elsevier), SAI Global, Thomson Reuters and Wolters Kluwer. These consultants can stay on top of regulatory changes and sell that information to their business customers.

"The battle will come down to delivery of premium content, which will still come through a mix of legal and consulting firms, specialty research providers and compliance product integration," he says in his report.
