MiVB - R10.0SP1 - Data - Protection - v1.0

Uploaded by

Cristian Aguilar

MiVoice Business – Personal Data Protection and Privacy Controls


MiVoice Business Release 10.0 SP1
Version 1.0

May 2023

NOTICE
The information contained in this document is believed to be accurate in all respects but is not warranted
by Mitel Networks™ Corporation (MITEL®). The information is subject to change without notice and
should not be construed in any way as a commitment by Mitel or any of its affiliates or subsidiaries. Mitel
and its affiliates and subsidiaries assume no responsibility for any errors or omissions in this document.
Revisions of this document or new editions of it may be issued to incorporate such changes.
No part of this document can be reproduced or transmitted in any form or by any means – electronic or
mechanical – for any purpose without written permission from Mitel Networks Corporation.

Trademarks
The trademarks, service marks, logos and graphics (collectively "Trademarks") appearing on Mitel's
Internet sites or in its publications are registered and unregistered trademarks of Mitel Networks
Corporation (MNC) or its subsidiaries (collectively "Mitel") or others. Use of the Trademarks is prohibited
without the express consent from Mitel. Please contact our legal department at [email protected] for
additional information.
For a list of the worldwide Mitel Networks Corporation registered trademarks, please refer to the
website: http://www.mitel.com/trademarks .

Contents

1 Introduction
1.1 Overview
1.2 What is New in this Release
2 Personal Data Collected by MiVoice Business
3 Personal Data Processed by MiVoice Business
4 Personal Data Transferred by MiVoice Business
5 How the Security Features Relate to Data Security Regulations
6 Data Security Regulations
6.1 The European Union General Data Protection Regulation (GDPR)
6.1.1 What do Businesses need to know about GDPR?
7 Product Security Information
7.1 Mitel Product Security Vulnerabilities
7.2 Mitel Product Security Advisories
7.3 Mitel Security Documentation
8 Disclaimer

List of Tables
Table 1 MiVoice Business Security Features that Customers May Require to Achieve Compliance with
Data Security Regulations

1 Introduction
1.1 Overview
This document is one in a series of product-specific documents that discuss the product security controls
and features available on Mitel products.

This particular document will be of interest to Mitel MiVoice Business customers that are putting
security processes and security controls in place to comply with data security regulations.

This document is intended to assist Mitel MiVoice Business customers with their data security
regulations compliance initiatives by:

• Identifying the types of personal data that are processed by MiVoice Business
• Listing the MiVoice Business Security Features that customers may require to achieve
compliance with data security regulations
• Providing a description of the MiVoice Business Security Features
• Providing information about where the MiVoice Business Security Features are documented

This document is not intended to be a comprehensive product-specific security guideline. For
information on product security guidelines, product engineering guidelines or technical papers, refer to
Mitel's Web Site.

1.2 What is New in this Release


The following security-related changes are included in Release 10.0 SP1:

Table 1: Document Version 1.0

Feature/Enhancements: NA
Update: No changes have been made to this document for the 10.0 SP1 release.
Location: NA
Publishing Date: May, 2023


2 Personal Data Collected by MiVoice Business


MiVoice Business is made available as both on-premises and hosted offerings. Both offerings process
only personal data that is required for the delivery of communication services including call control,
billing services, and technical support services. There are no end-user opt-in consent mechanisms
implemented in MiVoice Business.

During the course of installation, provisioning, operation, and/or maintenance, MiVoice Business
collects data related to several types of users, including:

• End-users of MiVoice Business – typically Mitel customer employees using Mitel phones.
• Customers of Mitel customers – for example, voicemail recordings might contain personal
content of both parties in a call; end-user personal contact lists may contain personal data of
their business contacts.
• System administrators and technical support personnel – logs and audit trails contain records of
the activities of system administrators and technical support personnel.


3 Personal Data Processed by MiVoice Business


MiVoice Business processes the following types of data to enable its communications features:

• Provisioning Data:
o The end-user's name, business extension phone number, mobile phone number,
location, department, and email address.
• Maintenance, Administration, and Technical Support Activity Records:
o System and content backups, logs, and audit trails.
• End-User Activity Records:
o Call history and call detail records.
• End-User Personal Content:
o Voice mail recordings and personal contact lists.


4 Personal Data Transferred by MiVoice Business


Depending on the customer's configuration and specific use requirements, the personal data collected
may be processed and/or transferred between the MiVoice Business and other related systems and
applications (such as directory systems, voice mail systems, and billing systems).

For example:

• User provisioning data such as the user's first name, last name, office phone number, and
mobile phone number may be configured to be shared between clustered MiVoice Business
systems, Mitel MiCollab, and management systems such as the Mitel Performance Analytics
system.
• Voice quality logs, phone inventory, username, and phone number may be configured to be
read by Mitel Performance Analytics system and other customer-authorized systems.
• System logs, login and logout audit logs for the desktop tool, voice quality logs, customer
databases, call detail records (also known as CDR or SMDR), and voice quality statistics may be
configured to be transferred to Mitel product support or transferred to customer-authorized log
collecting systems.
• Call Detail Records may be configured to be transferred to third-party call accounting systems.
• When MiVoice Business is part of a Hospitality solution (hotel/motel), the system may be
configured to transfer the end-user's personal data between the MiVoice Business system and
other customer-authorized Property Management Systems.


5 How the Security Features Relate to Data Security Regulations


MiVoice Business provides security-related features that allow customers to secure user data and
telecommunications data and to prevent unauthorized access to the user's data.

Table 1 summarizes the security features Mitel customers can use when implementing both customer
policy and technical and organizational measures that the customer may require to achieve compliance
with data security regulations.

Table 1 MiVoice Business Security Features that Customers May Require to Achieve Compliance with
Data Security Regulations

Security Feature: System Data Protection, and Identity and Authentication

Relationship to Data Security Regulations:
Access to personal data is limited with the following controls.

Where the Feature is Documented:
Details are available in the document, MiVoice Business Security Guidelines and in the MiVoice Business System Administration Tool Help files.

Management Tool

Relationship to Data Security Regulations:
Access to the Management Tool is limited by allowing only authorised access that is authenticated using username/password login combinations that use strong password mechanisms. Failed logins are logged and restricted to a maximum of three attempts.

Passwords are stored securely using strong encryption. The encryption mechanism used is the Advanced Encryption Standard - AES 256-bit encryption.

Communications to the system are performed over authenticated, encrypted communications channels using HTTPS (TLS).

A customer can further limit access over the network using standard network security techniques such as VLANs, access control lists (ACLs), and firewalls.

In all cases, physical access to systems should be restricted by the customer.

Where the Feature is Documented:
In the MiVoice Business System Administration Tool Help files go to the:

• System Security Management Form to configure administrative access controls. This form is used to:
o Set/reset the password
o Establish the password strength rules
o Set the user session inactivity timer
o Set the password expiry interval
o Enable/disable the Login Banner
o Set the Phone Administrator's Password
• System IP Properties Form to configure VLANs and DNS settings.
• External FTP Server Form to configure data base backups/restores, scheduled software downloads, and file transfers.

Embedded Voice Mail Box

Relationship to Data Security Regulations:
User access to their Voice Mail Box is limited with a passcode that can be set to between 4 and 10 digits. OpenSSL’s AES 256-bit encryption is used to encrypt passcodes.

The Mailbox lockout timer can be set from 0 to 60 minutes, where 0 refers to lock mailbox “forever”.

Where the Feature is Documented:
VM Options Form to configure the passcode length and lock out rules.

Security Feature: Communications Protection

Relationship to Data Security Regulations:
Communications protection is provided with the following controls.

Where the Feature is Documented:
Details are available in the document MiVoice Business Security Guidelines and in the MiVoice Business System Administration Tool Help files.

Voice Streaming

Relationship to Data Security Regulations:
MiVoice Business may be configured to encrypt all IP voice call media streams with either Mitel SRTP or SRTP using AES 128 encryption.

Note that not all SIP trunks service providers and third-party SIP devices support encryption. Legacy technologies such as analog and digital trunks and devices do not support encryption. In such cases, if permitted, the communications will negotiate to no encryption.

Note: The 6900 series of MiNET IP sets have the ability to indicate on their displays that a call is secured with end-to-end encryption.

Where the Feature is Documented:
In the MiVoice Business System Administration Tool, go to:

System Options Form and also see information entry on Voice Streaming Security.

The Secure Call Icon feature must be enabled by the Administrator. The feature is enabled via the MiVoice Business System Administration Tool. Within the System Administration Tool, the system option called Voice/Video SRTP Encryption Enabled field must be set to Yes for the SRTP security to be negotiated.

Voice Call Signaling

Relationship to Data Security Regulations:
Only authenticated devices may connect to the MiVoice Business. Call signaling between the MiVoice Business and IP phones may be secured with TLS. Legacy analog and digital trunks and devices do not support encryption.

Where the Feature is Documented:
See the information entry on Call Signaling Security.

For Release 9.1 and later, the system can be configured to support only TLS 1.2. For details, refer to the Knowledge Based Article SO4819 - How to enable TLS 1.2 only for MiVB 9.1.

Call Privacy

Relationship to Data Security Regulations:
Only authenticated devices may connect to the MiVoice Business. All IP communications are encrypted by Mitel by default.

Additional Caller privacy is controlled with a number of option settings and Class of Service settings including:

• Call Privacy settings
• Caller ID settings on Trunks
• Call Display settings
• HCI/CTI/TAPI settings
• IP Phone Peripheral settings for Bluetooth, USB, and PC port.

Where the Feature is Documented:
Class of Service Options Form and the Calling Line ID Restriction Form.

WAN Security

Relationship to Data Security Regulations:
Some Mitel MiVoice Business 3300 ICP appliances have a WAN port on them. The WAN interface is secured with an integral firewall that examines all packets attempting to access the internal network from the Internet. Unless a packet is part of an existing connection or matches a specific TCP or UDP port programmed for forwarding, it is declared as unknown. All unknown packets are logged in System Diagnostics and then either dropped or rejected.

Where the Feature is Documented:
Details are available in the document MiVoice Business Security Guidelines and in the MiVoice Business System Administration Tool Help files.

• Port Forward Table Form to configure the MiVoice Business's integral router.
• IP Routing Form to configure routing capabilities.
• Firewall Control Form to configure the integral Internet gateway.

Note: The above-mentioned forms are applicable only to MiVoice Business 3300 ICP appliances that are equipped with a WAN interface.

Remote Access Security

Relationship to Data Security Regulations:
The firewall can also be programmed to allow Virtual Private Network (VPN) tunnels with PPTP and IPSec pass-through and inbound connections with IP Port Forwarding.

Where the Feature is Documented:
Remote Access (PPTP) Form to configure the internet gateway.

Note: The above-mentioned forms are applicable only to MiVoice Business 3300 ICP appliances that are equipped with a WAN interface.

IMAP Server

Relationship to Data Security Regulations:
Transmission of usernames and passwords (PINs) between the MiVoice Business and an IMAP server may be secured with TLS or with OAuth2.0.

A customer can further limit access over the network using standard network security techniques such as VLANs, access control lists (ACLs), and firewalls.

In all cases, physical access to systems should be restricted by the customer.

Where the Feature is Documented:
Embedded UM (Unified Messaging) Settings Form to configure the IMAP Server connection.

Voice Mail - Authentication with Other Applications

Relationship to Data Security Regulations:
The MiVoice Business embedded voice mail application can use OAuth2.0 to authenticate with a number of applications such as:

• Microsoft Office 365
• Microsoft Graph
• IMAP
• SMTP

Where the Feature is Documented:
Embedded UM (Unified Messaging) Settings Form to configure the Server connection.

Voice Mail – Forward to Email

Relationship to Data Security Regulations:
The forward to email feature which forwards a voicemail message to the user’s email account supports the following transmission and authentication methods:

• A non-secure / Cleartext method of forwarding to email via Port 25. This method is not supported in the MiCloud Flex Solution. It is available only with the MiVB Enterprise solutions.
• The STARTTLS method of authentication for forwarding to email via Port 587. This method is supported for MiVB Enterprise solutions and is mandatory for MiCloud Flex solutions.
• The SSL / TLS method of authentication for forwarding to email via Port 465. This method is supported for MiVB Enterprise solutions and is mandatory for MiCloud Flex solutions.

Where the Feature is Documented:
Details are available in the document MiVoice Business Security Guidelines and in the MiVoice Business System Administration Tool Help files.

Forward Voice Mail to Email Form to configure this feature.

Security Feature: Access and Authorization

Role-Based Access

Relationship to Data Security Regulations:
MiVoice Business supports up to five System Administration Tool users, five Group Administration Tool users, and 10 Desktop Tool users at a time.

Only the root Administrator can program access to the System Administration Tool and use the Import and Export functions in this form.

Other administrators can only manage user profiles that do not have System Administrator Tool access rights.

A customer can further limit access over the network using standard network security techniques such as VLANs, access control lists (ACLs), and firewalls.

In all cases, physical access to systems should be restricted by the customer.

Where the Feature is Documented:
Details are available in the document MiVoice Business Security Guidelines and in the MiVoice Business System Administration Tool Help files.

In the MiVoice Business System Administration Tool, the following forms are used to establish role-based access controls:

• User Authorization Profiles Form. This form is to create, modify, and delete user profiles which are required to access the following MiVoice Business management interfaces:
o System Administration Tool
o Group Administration Tool
o Desktop Tool
• The Admin Policies Form. This form is used to add, modify, and delete policies that are used to establish permissions for various user profiles. These permission policies dictate which System Administration Tool forms a user is allowed to access or modify.

Security Feature: Data Deletion

Relationship to Data Security Regulations:
The system provides the Administrator with the ability to delete a user, or to delete a user and all phone services and MiCollab services associated with that user.

Where the Feature is Documented:
Details are available in the document MiVoice Business Security Guidelines and in the MiVoice Business System Administration Tool Help files.

In the MiVoice Business System Administration Tool, the following forms and procedures are used to erase personal data:

Deleting a User and Phone Services

Relationship to Data Security Regulations:
The MiVoice Business allows the Administrator to delete a user, or a user and all of the user's associated phone services.

Where the Feature is Documented:
The User and Services Configuration Form. This form is used to delete a user or to delete a user and all associated phone services.

Deleting a User's Embedded Voice Mail Box

Relationship to Data Security Regulations:
The MiVoice Business allows the administrator to delete a user's embedded voice mail box.

Where the Feature is Documented:
The User and Services Configuration Form is also used to delete a user's embedded voice mailbox. Alternately, the administrator's mailbox can be used to delete a user's mailbox.

Deleting a User from the Telephone Directory

Relationship to Data Security Regulations:
The MiVoice Business allows the Administrator to delete a user from the telephone directory.

Where the Feature is Documented:
The Telephone Directory Form. This form is used to delete a user from the telephone directory.

Deleting Logs

Relationship to Data Security Regulations:
Certain types of logs cannot be deleted on a per user basis such as Call Detail Record logs, CESID logs, and Hot Desking Logs. However, MiVoice Business provides the Administrator with the ability to delete the entire contents from all logs.

Note: Logs that are transferred to external or third-party systems are not deleted by this method. For information about how to delete logs from these systems, refer to the vendor's documentation.

Where the Feature is Documented:
MiVoice Business supports several logs. For a complete list of logs and the forms that are used to manage the logs, refer to the MiVoice Business System Administration Tool Help files.

The System Administrator can delete Property Management System occupancy logs from the MiVoice Business, for details refer to the MiVoice Business Security Guidelines, in the section Audits and Logs.

In the MiVoice Business System Administration Tool Help files, look under Property Management System (PMS) for additional information about PMS logs.

Deleting Voicemail Messages

Relationship to Data Security Regulations:
The system provides the Administrator with the ability to erase a voicemail message that was left in the end-user's voicemail box by a customer of the end-user the end-user.

The system Administrator can, once authenticated, log in to the shell and locate and delete the file that contains the voicemail message based on the user's extension number and the time that the recording was left in the user's voicemail box.

Security Feature: Audit

Audit Trail Logs

Relationship to Data Security Regulations:
Audit trails are supported to maintain records of data processing activities. Audit Trail Logs provide a historical record of changes made to the system from the System Administration Tool and various other user interfaces and applications. It does this by recording certain actions (such as who logged in and when) and storing this information in a log. Use the logs to help with troubleshooting when problems arise and to determine who in a multi-administrator system is responsible for a particular change.

Where the Feature is Documented:
Details are available in the document MiVoice Business Security Guidelines and in the MiVoice Business System Administration Tool Help files.

In the MiVoice Business System Administration Tool, go to the following forms:

Audit Trails Logs Form. This form provides a historical record of changes made to the system from the System Administration Tool and various other user interfaces and applications.

SMDR Logs

Relationship to Data Security Regulations:
Station Message Detail Recording (SMDR) is the Mitel name for Call Detail Recording (CDR) logs on the MiVoice Business platform. The system allows the Administrator to configure the details that will be recorded for internal calls, external calls and details related to location-based accounting.

Where the Feature is Documented:
SMDR Options Form (Station Management Detail Recording). This form is used to configure SMDR options.

Security Feature: End Customer Guidelines

Relationship to Data Security Regulations:
MiVoice Business Security Guidelines are available to assist with installation, upgrades, and maintenance.

Where the Feature is Documented:
The MiVoice Business Security Guidelines provide detailed recommendations on how the MiVoice Business security-based features can be used within the customer GDPR compliance initiatives.

The MiVoice Business Security Guidelines are available at Mitel online.


6 Data Security Regulations


This section provides an overview of the security regulations that MiVoice Business customers may need
to be compliant with.

6.1 The European Union General Data Protection Regulation (GDPR)


The European Union (EU) General Data Protection Regulation (GDPR) effective on 25 May 2018 replaces
the previous EU Data Protection Directive 95/46/EC.

The intent of GDPR is to harmonize data privacy laws across Europe so that the data privacy of EU
citizens can be ensured. GDPR requires businesses to protect the personal data and privacy of EU
citizens for transactions that occur within EU member states. GDPR also addresses the export of
personal data outside of the EU. Any business that processes personal information about EU citizens
within the EU must ensure that they comply with GDPR. Under GDPR, 'processes personal information'
means any operation performed on personal data, such as collecting, recording, erasing, usage,
transmitting, and disseminating.

6.1.1 What do Businesses need to know about GDPR?


GDPR applies to businesses with a presence in any EU country, and, in certain circumstances, to
businesses that process personal data of EU residents even if the businesses have no presence in any EU
country.

In order to achieve GDPR compliance, businesses must understand what personal data is being
processed within their organization and ensure that appropriate technical and organizational measures
are used to adequately safeguard such data. Section 5 of this document explains what personal data is
processed by Mitel’s MiVoice Business and highlights available security features to safeguard such data.


7 Product Security Information

7.1 Mitel Product Security Vulnerabilities

The Product Security Policy discusses how Mitel assesses security risks, resolves confirmed security
vulnerabilities, and how the reporting of security vulnerabilities is performed.

Mitel's Product Security Policy is available at:


https://www.mitel.com/support/security-advisories/mitel-product-security-policy

7.2 Mitel Product Security Advisories

Mitel Product Security Advisories are available at:


https://www.mitel.com/support/security-advisories

7.3 Mitel Security Documentation


Mitel security documentation includes product-specific Security Guidelines and Important Information
for Customer GDPR Compliance Initiatives and Data Protection and Privacy Controls. Mitel also has
Technical Papers and White papers that discuss network security and data centre security.

Mitel Product Security Documentation is available at:


https://www.mitel.com/en-ca/document-center


8 Disclaimer

THIS SOLUTIONS ENGINEERING DOCUMENT IS PROVIDED “AS IS” AND WITHOUT WARRANTY. IN NO
EVENT WILL MITEL NETWORKS CORPORATION OR ITS AFFILIATES HAVE ANY LIABILITY WHATSOEVER
ARISING FROM OR IN CONNECTION WITH THIS DOCUMENT. You acknowledge and agree that you are solely
responsible to comply with any and all laws and regulations in association with your use of MiVoice
Business and/or other Mitel products and solutions including without limitation, laws and regulations
related to call recording and data privacy. The information contained in this document is not, and should
not be construed as, legal advice. Should further analysis or explanation of the subject matter be
required, please contact an attorney.
