To utilize a VoIP network that provides FTI to a customer, the agency must meet the following mandatory requirements:
- VoIP traffic that contains FTI should be segmented off from non-VoIP traffic via a virtual Local Area Network (vLAN) or other segmentation method. If complete segmentation is not feasible, the agency must have compensating controls in place and properly applied which restrict access to VoIP traffic which contains FTI.
- When FTI is in-transit across the network (either Internet or state agency’s network) the VoIP traffic must be encrypted using a NIST-approved method operating in a NIST-approved mode.
- VoIP network hardware (servers, routers, switches, firewalls) must be physically protected in accordance with the minimum protection standards for physical security outlined in IRS Publication 1075, section 4.0, Secure Storage.
- Each system within the agency’s network that transmits FTI to an external customer through the VoIP network is hardened in accordance with the requirements of Publication 1075 and is subject to frequent vulnerability testing.
- VoIP-ready firewalls must be used to filter VoIP traffic on the network.
- Security testing must be conducted on the VoIP system prior to implementation with FTI and annually thereafter.
- VoIP phones must be logically protected and agencies must be able to track and audit all FTI-applicable conversations and access.
Additionally, the IRS Office of Safeguards recommends the following security requirements be implemented by agencies:
- Soft-phone systems, i.e. software on user’s computer to implement VoIP, should not be used with VoIP networks that transmit FTI.
- Consider employing a variety of specific logical controls such as: authentication at each transition point, or at the device level, such as Media Access Control (MAC).
- Use static IP addresses for the phones.
- Employ an intrusion detection system that can identify and filter packets, allowing only traffic from a legitimate DHCP source.