Analog/ISDN Line Security Policy

1. Overview

See Purpose.

2. Purpose

This document explains eCuras’s analog and ISDN line acceptable use and approval policies and procedures. This policy covers two distinct uses of analog/ISDN lines: lines that are to be connected for the sole purpose of sending and receiving faxes, and lines that are to be connected to computers.

3. Scope

This policy covers only those lines that are to be connected to a point inside eCuras’s building and testing sites. It does not pertain to ISDN/phone lines connected to employee homes, PBX desktop phones, and Telecom’s lines for emergency and non-corporate information purposes.

4. Policy

4.1  Scenarios & Business Impact

Two critical scenarios involve analog line misuse, which we attempt to guard against through this policy. The first is an outside attacker who calls a set of analog line numbers in the hope of connecting to a computer that has a modem attached to it. If the modem answers (and most computers today are configured out-of-the-box to auto-answer) from inside eCuras’s premises, then there is the possibility of breaching eCuras’s internal network through that computer, unmonitored. At the very least, information that is held on that computer alone can be compromised. This potentially results in the loss of millions of dollars’ worth of corporate data.

The second scenario is the threat of anyone with physical access to an eCuras facility being able to use a modem-equipped laptop or desktop computer. In this case, the intruder would be able to connect to eCuras’s trusted network through the computer’s Ethernet connection, and then call out to an unmonitored site using the modem, with the ability to siphon eCuras information to an unknown location. This could also potentially result in a substantial loss of vital information.

Specific procedures for addressing the security risks inherent in each of these scenarios follow.

4.2  Facsimile Machines

As a rule, the following applies to requests for fax and analog lines:

Waivers for the above policy on analog-as-fax lines will be delivered on a case-by-case basis after reviewing the business need with respect to the request’s level of sensitivity and security posture.

The use of an analog/ISDN fax line is conditional upon the requester’s full compliance with the requirements listed below. These requirements are the responsibility of the authorized user to enforce at all times:

4.3  Computer-to-Analog Line Connections

The general policy is that requests for computers or other intelligent devices connected with analog or ISDN lines from within eCuras will not be approved for security reasons. Analog and ISDN lines represent a significant security threat to eCuras, and active penetrations have been launched against such lines by hackers. Waivers to the policy above will be granted on a case-by-case basis.

Replacement lines, such as those requested because of a move, fall under the category of “new” lines. They will also be considered on a case-by-case basis.

4.4  Requesting an Analog/ISDN Line

Once approved by a manager, the individual requesting an analog/ISDN line must provide the following information to Telecom:

The business case must answer, at a minimum, the following questions:

Also, the requester must be prepared to answer the following supplemental questions related to the security profile of the request:

5. Policy Compliance

5.1  Compliance Measurement

The Infosec team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

5.2  Exceptions

The Infosec team must approve any exception to the policy in advance.

5.3  Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Revised: March 14th, 2018
