Voice over Internet Protocol (“VoIP”) is a term describing the delivery of traditional telephone voice communications over the Internet instead of through a public switched telephone network (PSTN). VoIP uses an analog-digital converter to translate a caller's voice into a stream of data packets, which is transmitted over the Internet and converted back to a voice signal on the other end of the communication. Potential cost savings, such as elimination of long distance charges, may make VoIP an attractive alternative to traditional telephone networks, and only one network is managed for both voice and data, resulting in additional savings. In FIL-69-2005, dated July 27, 2005, the FDIC provides Guidance on VoIP technology and warns that initial implementation costs may be significant, along with increased data security risks. Therefore, prior to investing in VoIP technology, institutions are advised to weigh benefits against disadvantages and to consider that VoIP, if improperly implemented, may pose significant operational risks. Bank management is advised to perform a comprehensive risk assessment before implementation to ensure the confidentiality, integrity and availability of voice communications using VoIP.
VoIP devices and their underlying operating systems are susceptible to the same risks as Internet data networks, e.g., viruses, worms, Trojans and man-in-the-middle attacks (where an intruder sits between two parties, monitors the transmission and is then able to impersonate one of the parties), and may enable denial of service attacks, eavesdropping, voice alteration (hijacking) and toll fraud (theft of service), which risk the loss of privacy and integrity. There is also concern that VoIP could be exploited for spam, allowing unwanted and potentially offensive phone calls. Since speed affects transmission and voice quality, VoIP requires the highest-priority access to available bandwidth so that voice packets are processed and delivered fast enough to avoid delay, loss, out-of-sequence delivery or non-delivery. Institutions considering VoIP technology are advised to consider the following best practices that are further covered in the “Voice over Internet Protocol Informational Supplement”:
Resources to assist in developing VoIP security policies and practices, including best practices, are published by the National Institute of Standards and Technology (NIST), the agency responsible for developing information security standards for federal agencies (NIST Special Publication 800-58, Security Considerations for Voice over IP Systems, is found at http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf).
In conclusion, the Guidance provides that should an institution decide to invest in VoIP technology, the associated risks are to be evaluated as part of the institution's periodic risk assessment and discussed in status reports submitted to its board of directors as required by § 501(b) of the Gramm-Leach-Bliley Act. Any identified weaknesses should be corrected during the normal course of business.