S 2.377 Secure withdrawal from operation of VoIP components
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
If VoIP components, for example end devices or middleware, are to be replaced or taken out of operation, all security-related information must be deleted from the devices beforehand. This applies not only when devices are sent to the manufacturer, a service company, a waste disposal company, or some other third party; the same safeguards must be taken when a component is scrapped, moved, or handed over to another user. It applies in particular to repair, maintenance, and replacement of a device under warranty, and not only to the permanent withdrawal of a device from operation.
In many cases it is necessary to clarify in advance with the manufacturer, dealer, or service provider which procedures for deleting security-related information are compatible with the terms of the contract and the warranty. It is often possible to agree on suitable procedures together with the company concerned.
Depending on the application scenario of the components, the following information may be stored on the devices, for example:
- lists of who has called whom,
- time and duration of the calls,
- user names and passwords for logging in to the VoIP infrastructure,
- rights and privileges of the individual user,
- email addresses of the individual users for voice mails,
- recorded announcement for the answering machine,
- messages recorded for the users,
- IP addresses and other information from which the network structure can be inferred,
- log files,
- certificates and keys,
- configuration files,
- personal telephone books,
- organisation-wide telephone directories containing all employees,
- PINs or passwords used to bill private telephone calls to the individual user,
- information on other services used by the user such as appointment reminders,
- in exceptional cases, complete recordings of the actual telephone calls.
Due to the protection requirements of this information, it must be ensured that the data is deleted or made unreadable before defective or outdated devices are taken out of operation or replaced. After deletion, it must be checked whether the deletion was actually successful; "deleted" in a menu is not proof that the data is gone from the storage medium. The procedure to follow depends greatly on the type and application scenario of the device.
For "normal" computers that were used as VoIP components, the hard disks should be wiped with a suitable tool so that the files cannot be recovered afterwards. This can be accomplished, for example, by booting the computer from an external boot medium and overwriting the entire hard disk (not just the partitions holding the VoIP data) with random data. For magnetic disks, one complete pass is generally sufficient; the process may be repeated if the organisation's policy requires it. Overwriting is not reliable for SSDs and other flash-based media, because wear levelling keeps copies of data in blocks that an overwrite never reaches; for such media the drive's built-in secure-erase function, or physical destruction, should be used instead.
For appliances, the procedure depends on whether the device contains a hard disk or stores its data in flash memory. Such devices often provide a "factory reset" option that resets all configuration settings to the values set at the factory before delivery. It must still be checked whether the data has actually been deleted, since a factory reset may restore only the configuration and leave other stored data (for example call lists, voice messages, certificates, or keys) in place. Where the device allows its storage or configuration to be exported, the export should be searched for known identifiers (user names, IP addresses, host names, telephone numbers) after the reset.
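The wipe-and-verify procedure described for computers and appliances above, as an added shell example that is not part of the IT-Grundschutz text. It overwrites a medium with random data and then searches it for identifiers that the old VoIP configuration is known to have contained, which is the same check to run over a storage dump or configuration export of an appliance after a factory reset. The medium here is a temporary file standing in for a block device; the configuration values and all function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the IT-Grundschutz text): overwrite a data medium
# with random data, then verify that identifiers known from the old VoIP
# configuration can no longer be found on it. All names are hypothetical.
set -u

# Identifiers the old configuration is known to contain. Constructed sample
# values; in practice taken from the device's configuration export.
KNOWN_SECRETS='sip.pbx.internal
phone0815
s3cretP4ss'

# Create a sample "medium": a file standing in for /dev/sdX that holds a
# constructed VoIP phone configuration surrounded by filler data.
make_sample_medium() {
    target=$1
    {
        head -c 65536 /dev/zero
        printf 'sip_server=sip.pbx.internal\nsip_user=phone0815\nsip_password=s3cretP4ss\n'
        head -c 65536 /dev/zero
    } > "$target"
}

# Overwrite the whole medium with random data, PASSES times (default 1).
# One pass defeats file recovery on magnetic disks; for SSDs use the drive's
# own secure-erase command instead, because wear levelling retains blocks
# that an overwrite never reaches. For a real block device obtain the size
# with blockdev --getsize64 instead of wc -c.
wipe_random() {
    target=$1
    passes=${2:-1}
    size=$(($(wc -c < "$target")))
    i=0
    while [ "$i" -lt "$passes" ]; do
        head -c "$size" /dev/urandom > "$target" || return 1
        i=$((i + 1))
    done
    sync
}

# Return 0 if none of the known identifiers occurs anywhere on the medium
# (grep -a searches binary data as text), 1 on the first hit. Run this
# after wiping, and likewise over an appliance's storage dump or
# configuration export after a factory reset.
verify_clean() {
    target=$1
    for secret in $KNOWN_SECRETS; do
        if grep -a -q -F -- "$secret" "$target"; then
            echo "still present: $secret" >&2
            return 1
        fi
    done
    return 0
}
```

The verification step is deliberately separate from the wipe: a "deleted" status reported by the tool or the device is not evidence, only the absence of the identifiers on the medium is. Extend KNOWN_SECRETS with the telephone numbers, host names, and user names of the device being withdrawn.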
In addition to checking the information stored on the device itself, the backup media should also be checked to determine if they contain sensitive information. If it is not necessary for some other reason to store the backup media (for example for archiving purposes or mandatory storage due to legal regulations), the media should also be erased after taking the device out of operation.
The components often carry labels with names next to speed-dial keys, IP addresses, telephone numbers, or other technical information. These labels must also be removed before the device is passed on or disposed of.
Review questions:
- Is there a rule within the framework of the (temporary) withdrawal from operation governing the secure deletion of the data on the IT components to be shut down?
- Is there a rule within the framework of the withdrawal from operation governing the secure deletion of the data media of the IT components to be shut down?