This section of the ISM provides guidance on telephone systems.

Telephone systems usage policy

All non-secure telephone systems are subject to interception. Accidentally or maliciously revealing sensitive or classified information over a public telephone network can lead to the compromise of such information.

Security Control: 1078; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS
A telephone systems usage policy is developed and implemented.

Personnel awareness

As there is a potential for unintended disclosure of information when using telephone systems, it is important that personnel are made aware of what they can discuss on particular telephone systems, as well as security risks associated with the use of non-secure telephone systems in sensitive or classified areas.

Security Control: 0229; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems.

Security Control: 0230; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur.

Visual indication

When single telephone systems are approved to hold conversations at different levels, alerting the user to the sensitivity or classification of information that can be discussed will assist in reducing the likelihood of unintended disclosure of information.

Security Control: 0231; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made.

Protecting conversations

When sensitive or classified conversations are to be held using telephone systems, the conversation needs to be appropriately protected through the use of encryption.

Security Control: 0232; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems.

Cordless telephone systems

Cordless telephone systems have minimal transmission security and are susceptible to interception. Using cordless telephone systems can result in disclosure of information to an unauthorised party through interception.

Security Control: 0233; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
Cordless telephone systems are not used for sensitive or classified conversations.

Speakerphones

As speakerphones are designed to pick up and transmit conversations in the vicinity of the device, using speakerphones in TOP SECRET areas presents a number of security risks. However, if an organisation is able to reduce security risks through the use of an audio secure room that is secured during conversations, then speakerphones may be used.

Security Control: 0235; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room.

Off-hook audio protection

Providing off-hook security minimises the chance of background conversations being accidentally coupled into handsets and speakerphones. Limiting the time an active microphone is open minimises this security risk.

Security Control: 0236; Revision: 4; Updated: Sep-18; Applicability: O, P
In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information.

Security Control: 0931; Revision: 4; Updated: Sep-18; Applicability: O, P, S
In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information.

Security Control: 0237; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information.

Further information

Further information on Internet Protocol (IP) telephony can be found in the video conferencing and Internet Protocol telephony section of these guidelines.

Further information on mobile phones can be found in the Guidelines for Enterprise Mobility.

Further information on encryption can be found in the Guidelines for Cryptography.