STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide, Version: 3, Release: 17, Benchmark Date: 25 Oct 2019

Audio pickup or video capture capabilities (microphones and cameras) are not disabled when not needed for active participation in a communications session.

DISA Rule

SV-17070r1_rule

Vulnerability Number

V-16082

Group Title

Deficient Imp’n: A/V Pickup/Capture when Inactive

Rule Version

VVoIP 1735 (GENERAL)

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure audio and video pickup/capture capabilities of microphones and cameras associated with a PC are disabled or inhibited when not required for communications such that inadvertent disclosure of aural or visual information is prevented. Ensure that operational policy and procedures are included in user training and guides.

Produce training materials and provide training such that users of PC-based collaboration applications disable their microphones and cameras when not participating in a collaboration session. This minimally involves muting the PC microphone and camera. If necessary, the camera lens must be covered, or the camera aimed at a blank wall to “mute” it. Ideally, the microphone and camera would be external devices and not embedded in the PC or an external monitor that could be disconnected from the PC when not needed. The external microphone and camera could remain connected to the PC if there was a positive physical disconnect or mute (shorting) switch for the microphone, and if the camera is disconnected by the switch or the camera lens is covered.

Check Contents

Interview the IAO to validate compliance with the following requirement:

Ensure audio and video pickup/capture capabilities of microphones and cameras associated with a PC are disabled or inhibited when not required for communications such that inadvertent disclosure of aural or visual information is prevented. Ensure that operational policy and procedures are included in user training and guides.

Determine if the applicable training on the required operational procedures is provided. Inspect training materials. Interview a random sampling of users to determine if they are properly trained on this topic and actually perform the mitigating actions. Inspect a random sample of PCs that are not actively communicating to determine if the required mitigations are in place.

NOTE: This requirement minimally involves muting the PC microphone and camera. If necessary, the camera lens must be covered, or the camera aimed at a blank wall to “mute” it. Ideally, the microphone and camera would be external devices and not embedded in the PC or an external monitor that could be disconnected from the PC when not needed. The external microphone and camera could remain connected to the PC if there was a positive physical disconnect or mute (shorting) switch for the microphone, and if the camera is disconnected by the switch or the camera lens is covered.

This is a finding if any of the inspected items are deficient such that audio and video pickup/capture capabilities of microphones and cameras associated with a PC are not disabled or inhibited when not required for communications such that inadvertent disclosure of aural or visual information is prevented.

Documentable

False

Severity Override Guidance

Interview the IAO to validate compliance with the following requirement:

Ensure audio and video pickup/capture capabilities of microphones and cameras associated with a PC are disabled or inhibited when not required for communications such that inadvertent disclosure of aural or visual information is prevented. Ensure that operational policy and procedures are included in user training and guides.

Determine if the applicable training on the required operational procedures is provided. Inspect training materials. Interview a random sampling of users to determine if they are properly trained on this topic and actually perform the mitigating actions. Inspect a random sample of PCs that are not actively communicating to determine if the required mitigations are in place.

NOTE: This requirement minimally involves muting the PC microphone and camera. If necessary, the camera lens must be covered, or the camera aimed at a blank wall to “mute” it. Ideally, the microphone and camera would be external devices and not embedded in the PC or an external monitor that could be disconnected from the PC when not needed. The external microphone and camera could remain connected to the PC if there was a positive physical disconnect or mute (shorting) switch for the microphone, and if the camera is disconnected by the switch or the camera lens is covered.

This is a finding if any of the inspected items are deficient such that audio and video pickup/capture capabilities of microphones and cameras associated with a PC are not disabled or inhibited when not required for communications such that inadvertent disclosure of aural or visual information is prevented.

Check Content Reference

I

Potential Impact

Inadvertent disclosure of sensitive or classified information in aural or visual form

Responsibility

Information Assurance Manager

Target Key

594

Comments