Home > Articles > Cisco Network Technology > IP Communications/VoIP > Best Practices for Deploying Secure Cisco IP Telephony Solutions

Best Practices for Deploying Secure Cisco IP Telephony Solutions

  • Article is provided courtesy of Cisco Press.
  • Date: Oct 31, 2012.

Contents

  1. Best Practices for Deploying Secure Cisco IP Telephony Solution

Article Description

Akhil Behl offers a brief discussion about why it's important for your company to secure IP Telephony Networks, how they would go about it (including a risk assessment and the actual deployment thereof), and finally, how it affects your bottom line.

Like this article? We recommend

Securing Cisco IP Telephony Networks

Securing Cisco IP Telephony Networks

$72.99

IP telephony is slowly but surely becoming part of the modern day organization's day-to day-operations. In fact, some organizations depend on it to the extent of their core business or processes based on IP communications. Sadly though, the security aspect pertinent to IP based communications network, applications, and underlying infrastructure is usually not taken into consideration (or is ignored) when enterprises and businesses think of deploying unified communications.

On the same lines of thought, why should anyone for that matter think of securing an IP telephony network? The answer is simple however manifold:

  1. To protect the information flowing in IP communication channels from eavesdropping and reconnaissance attacks as well as from manipulation or injection attacks.
  2. To ensure that the investment in their on-premise or off-premise infrastructure pays off (ROI) and doesn’t end up in a rogue’s hands, utilizing it for malicious purposes.
  3. To lower Total Cost of Ownership (TCO) by leveraging IP communications to offset PSTN/Toll calls and reducing Moving, Addition, Configuration, and Deletion (MACD) and at the same time, keeping conversations safe.
  4. Attacks on the telephony network may result in monetary and reputation loss. Moreover, it can directly or indirectly impact the business continuity and clientage.

Today, many organizations depend on a number of IP telephony services like voice calls, instant messaging, conferencing, and video conferencing. A typical IP telephony network can face several threats like toll fraud, reconnaissance attacks, eavesdropping, Denial of Service (DoS) attack, and call hijack. While most organizations do consider that their network needs protection from internal or external threats, such a notion is missing (usually) when it comes to their IP telephony applications/devices. This is for a number of reasons:

  1. Lack of confidence to secure a relatively newer technology.
  2. Averting risk of breaking down a working environment with introduction of security.
  3. Lack of resources (monetary, man power) to carry out tasks necessary for protecting VoIP resources, as well as lack of support from higher management.

The purpose of this article is to define, in primarily non‐technical terms, best practices for securing Cisco IP telephony network deployments. Please note that not all stages of security lifecycle are covered in this article. The focus is on planning, design, and deployment phases pertinent to Cisco IP telephony solution based on Plan, Prepare, Design, Implement, Operate, Optimize (PPDIOO) model.

So how can you secure your Cisco IP telephony deployment?

With earlier discussion in viewpoint, let’s understand what it takes to deploy a secure Cisco IP telephony solution that is scalable, robust, and resilient. In other words, increases ROI and decreases TCO. According to Cisco, “The objective is to secure a converged communications network to protect its availability, the confidentiality of data that it carries, and the integrity of this data.”

Achieving these objectives requires more than simply implementing a few standalone security controls, devices, and technologies. Instead, it demands a carefully developed security policy that specifies an appropriate security plan, design, implementation, and operations, with costs justified by the benefits.

A Cisco IP telephony network deployment can range from a simple to a complex model, consisting of a wide range of components and applications such as:

  • Cisco Unified Communication Manager (Call-Control)
  • Cisco Unity/Unity Connection (Voicemail)
  • IP Phones
  • Voice Gateways (PSTN T1/E1, FXO connectivity)
  • Cisco Unified Border Element (Session border Controller)
  • Conferencing resources (DSP farm)
  • Mobility Clients
  • Cisco Unified Presence
  • Analog endpoints (VG2XX, ATA’s)
  • Third Party servers (billing, recording, LDAP)
  • Layer 2 (LAN switches)
  • Layer 3 (Routers, L3 switches)
  • Firewalls (Cisco ASA)

And so on.

Cisco IP telephony is a distributed system and has many individual components that must be protected. These components are at various layers of OSI model right from Layer 1 (physical layer) to Layer 7 (application layer). Malicious attacks at any layer can render the system unusable. Some of the tangible threats persist at the following layers/components:

  • Endpoints (including voice gateways, analog phones, and IP Phones) and servers (call control, voicemail servers) could be targets of DoS attacks initiated from within or outside of an organization’s logical/physical territory.
  • Non Voice Operating System (VOS) based servers infected with viruses that can degrade the IP telephony service or even propagate themselves to other servers in the voice or data network thereby, damaged storage and enterprise (LDAP, SQL) data.
  • Intended malicious attacks leading changes in configuration information.
  • Attacks concentrated on IP telephony infrastructure (Layer 1-3) for example: routing protocol manipulation, CAM table overflow, DHCP spoofing, arson, and so on.
  • Toll fraud and abuse of IP telephony equipment.

While all of these seem to be potential threats or risks to the sanctity of a Cisco IP telephony deployment, it is important to understand that these risks may not all be applicable in all different types of IP telephony implementations. So, to begin with security of a Cisco IP telephony solution, risk assessment can reveal existing security gaps in network and infrastructure security, which then leads to formulation of a security policy which can give direction and meaning to efforts towards implementing right security controls or devices where required in line with an organization’s goals and vision. Finally, the security policy (combined with audit efforts) leads to successful security implementation at infrastructure, network, and application layers. These topics are covered in subsequent sections.

Getting Started—IP telephony Risk Assessment

Within the context of IP telephony pertinent to business processes, converged voice and data IP networks are entrusted to carry sensitive information and the essential functions of conducting business to and from the employees, vendors, and partners. Essentially it’s an ecosystem which requires end-to-end security. And in doing so, an IP telephony network must be secured in such a way that:

  • It complies with applicable laws and regulations
  • It protects intellectual property and proprietary information
  • It upholds expectations from corporate reputation viewpoint

Fundamentally, neither an IP telephony solution by-itself be assumed to mitigate all security risks nor should network security measures be assumed to be enough to thwart all threats on their own. A defense-in-depth approach is required to curb and evade potential threats, which can be build aided by a comprehensive risk mitigation strategy blended with network layer and application layer security measures.

According to Cisco, “The primary objective is to integrate IP telephony and traditional data services onto a converged network infrastructure, without compromising the security of either service.”

Thus, layered security approach (defense in depth) for implementation of security controls in a holistic manner in an enterprise or organization lays down a solid foundation to build a secure and robust IP telephony solution. The security solution should be layered, with multiple controls and protection at multiple network and application levels. This minimizes the possibility of a single point of failure leading to a compromise in overall security construct.

The desired end result is that the confidentiality, integrity, and availability of critical IP telephony applications and network resources must be ensured while maintaining the solution’s performance. In a nutshell, security should be transparent to the user, simple to administer, cost‐effective, and standards‐based.

The first step toward securing a Cisco IP telephony solution is to gain an understanding of the risks involved. Pertinent to IP telephony, security risks can be broadly categorized as follows:

  • Interception and impersonation of IP telephony voice and signaling sessions leading to loss of confidentiality or integrity or both
  • Non-authorized or fraudulent use of IP telephony equipment or services for example, toll fraud
  • Denial of Service (DoS) or Distributed DoS attacks, leading to degradation of voice services
  • Direct/Indirect intrusion of other services associated with or facilitated by the IP telephony implementation

The next sections covers risk assessment overview in brief.

Risk Assessment Overview

Risk assessment helps highlight and manage the possible risks which can lead to threats and the implication of the plausible threats being realized. In other words, risk assessment is an important step in protecting your business, assets and workers/workplace as well as complying with the legal requirements. Essentially, performing a risk assessment exercise helps identify assets which are central to a business and the threats to these assets such that, precautions to deter these threats can be taken upfront in order to reduce or minimize damage caused by realization of those threats.

Risk Assessment Process

The first step is to highlight the categories of risk origination. For example, the following types of risk categories could be identified (these may differ as per business verticals or specific requirements):

Process
  • Inadequate controls in the operational processes to maintain and operate UC network
People
  • Failure of staff to comply with the procedures whether intentionally, oversight, or negligence to leverage IP telephony services
  • Non-familiarity of staff with the set guidelines and procedures to manage or operate UC system
System
  • Failure of IP telephony system to meet user requirements
  • Absence of in-built control measures in the application system to deter attacks
External Events
  • Imposition/changes of policies by government regulatory bodies
  • Attempt to attack UC resources or fraud by external entities or customers

Assessing Risk and Risk Categorization

The next major activity is to assess the risk in each category by virtue of component, product, or process. The idea is to identify potential events that, if they occur, will adversely affect the enterprise operation or processes and the associated risk managed within the enterprise’s risk appetite. This is described by following steps:

  1. Identify all the operational processes for managing and operating IP telephony network.
  2. Identity the extent of risk impact/likelihood for each risk category with the magnitude of either High, Medium, or Low. This can be achieved by averaging out the total loss exposure amount and number of incidents happened for a year (annual loss expectancy) to derive at a common median/average.

Risk categories can be mapped into the Risk Quadrant Grid, which is divided into four quadrants as shown in Figure 1:

Figure 1 Risk Assessment Output—Risk Category, probability, and Impact

For example, an attack on Cisco Unified Communications Manager (CUCM) will heavily impact the normal business operations; this should be categorized as a High Impact risk. However, the possibility of a hacker breaking into the network and attacking CUCM is much less; it should be categorized into Low Likelihood. Hence, the outcome is that CUCM as an asset should be placed into ‘Medium High Risk’ category.

Once the asset vs. risk categorization is completed, it’s time to move to the next step, i.e. aligning security controls and mechanisms in line with risk appetite of an asset or process. It is important to understand that to have the right direction to implement security for IP telephony and to have the security deployed in a consistent manner to thwart threats of sorts, it’s essential to have a guideline that an organization’s stakeholders can follow. This guideline is the security strategy, in this case IP telephony security strategy.

Next Steps—IP Telephony Security Strategy

As discussed earlier, a security strategy/policy gives direction to efforts, resources, and security controls or mechanism such that an organization can focus on the where, what, how, why, and when aspects of deploying security for its IT infrastructure. Same goes for IP telephony as well, since Cisco IP telephony is established not just by applications, rather by devices and infrastructure, which applications leverage for their operation. Hence, a systemic approach helps ensure that directional efforts account for resources, and planned controls are in line with business objectives.

When it comes to IP telephony—like any other discipline of networking—rather than implementing security post deployment, it’s a good idea to ensure that security goes with IP telephony planning and design i.e. security is a coherent part of PPDIOO phases in a Cisco IP telephony deployment project. This is depicted in Figure 2:

Figure 2 Security Policy build around PPDIOO Process

Each step in the PPDIOO process is not a discrete or independent step, they are all interrelated. It is an iterative and on-going process, which resembles the very nature of a security strategy process which is ever evolving and re-iterating. Figure 3 illustrates security strategy lifecycle.

Figure 3 Security Strategy Lifecycle

An IP telephony security strategy (policy) should be developed as a collaborative effort cross-organizational team effort requiring participation from representatives from the networking, IT security, telecom, and business departments/business units. Organizations should examine IP telephony security from a business perspective by defining goals, policies, and pattern of usage across all applications—data, voice, video, IM, voicemail, and presence. Security strategy for all these components needs to be aligned and properly balanced against business risks.

In a nutshell, security strategy will differ for different businesses or organizations as per their risk appetite and the requirements from business verticals. For example, a school may not require all endpoints to be authorized before being admitted in the network (Network Access Control); however, for a government organization this might be a norm. Hence, once size fits all doesn’t work with security strategy/policy development. A security strategy for an IP telephony solution may be developed based on following elements (not all inclusive or exclusive):

  • Acceptable usage, behavior, and conduct pertinent to telephony resources/system
  • Physical security measures
  • Network infrastructure security
  • Perimeter access security
  • Server hardening
  • Definition of secure and non-secure zones
  • User endpoint security
  • Wireless infrastructure security
  • Vendor, partner, and consultant access restrictions
  • Back and restore (including disaster recovery) security
  • Network management and security response
  • Internet access
  • Lawful interception of calls

This is a very high level view of what goes into making a security strategy (policy) document which gives a corporate wide guideline to be followed while designing, deploying, operating, monitoring, and maintaining an IP telephony network. Moreover, it goes without saying that, the security strategy should be such that it can be comprehended in a generic way by everyone in an organization.

The next section offers insight for implementing secure Cisco IP telephony networks.

Getting Down to Business—Deploying Secure Cisco IP telephony Networks

We have discussed briefly the types of threats that pester the IP telephony network. To reiterate, attacks on IP telephony systems can be broadly categorized into the following types:

  • Confidentiality/Privacy which includes (not limited to) voice call eavesdropping, hijacking sessions
  • Integrity/Authenticity which includes (not limited to) impersonization, injection
  • Availability which includes (not limited to) DoS/DDoS, network infiltration
  • Theft which includes (not limited to) toll fraud, data theft
  • Spam over Internet Telephony (SPIT) which includes (not limited to) unsolicited calling

With a wide variety of potential threats and attacks, no solo mechanism can curb the otherwise imminent threat. Henceforth, a notion multilayer security approach (as discussed earlier) is not an option but a necessity.

To achieve end-to-end security, everything right from a user endpoint to peripheral gateways to firewalls to physical access should be secured. This is depicted in Figure 4.

Figure 4 End-to-End Security Construct

Following are recommended best practices and recommended security controls to design and deploy secure Cisco IP telephony networks.

Layer 1 (Physical Layer) Security

  1. Badged access to data center and other facilities. Guards at data center or facility periphery
  2. Alarms and sensors at data center periphery and entry/exits
  3. Appropriate arrangements for fire extinguishing
  4. Automatic doors with break proof glass
  5. CCTV cameras where required (and possible)
  6. Equipment secured in racks in data center and in closets at user access level
  7. Role based access (authorization) to IP telephony/network equipment
  8. Uninterrupted Power Supply (UPS) for servers and network devices

Layer 2 (Switching Layer) Security

  1. Segregation of data and voice VLAN
  2. Application of port based security where possible
  3. Dynamic ARP inspection
  4. DHCP snooping
  5. Limited MAC addresses per physical switch port
  6. Layer 2 ACL’s (where possible)
  7. Layer 2 QOS to differentiate between priority, default, and scavenger traffic (where possible)
  8. Network Access Control (NAC)
  9. VLAN pruning
  10. Secure management access to switch interface (SSH)

Layer 3 (Routing Layer) Security

  1. Routing protocol authentication
  2. Secure access to router console, VTY (SSH)
  3. Secure access to router GUI (HTTPS)
  4. uRPF
  5. Filtering of RFC 1918 addresses (at aggregation from untrusted networks)
  6. Secure Hot Standby Routing Protocol (HSRP) (where applicable)
  7. Route poisoning prevention
  8. Layer 3 QOS for segregating intended traffic from scavenger/malicious traffic

Layer 4 -7 (LAN/WAN/Perimeter) Security

  1. Cisco ASA Firewalls to broker connection from untrusted zone to trusted zone (filtering TCP/UDP connections)
  2. Internet or extranet facing servers to be placed in DMZ
  3. Network Intrusion Prevention System (NIPS) to inspect and filter/drop packets/sessions as malicious packet content
  4. IPSec/SSL VPN based off Cisco ASA Firewall and IOS routers
  5. UC proxy services (TLS proxy/Phone proxy)
  6. Deep packet scanning (inspect)
  7. Rate limiting by Application Inspection Control (AIC)

IP telephony Server Security (Call Control)

  1. Secure communications by virtue of Certificate Authentication Proxy Function (CAPF)—TLS for signaling and SRTP for media
  2. Secure access to GUI (HTTPS)
  3. Secure CTI/JTAPI
  4. Secure LDAP integration
  5. Secure voicemail integration
  6. Secure presence integration
  7. Secure SIP Trunks
  8. Integration with external certificates (Third Party PKI chain)
  9. Integration with industry standard SSO solution
  10. Host Intrusion Prevention System (HIPS)—CSA/SELinux
  11. Role based management and user access

IP telephony Server Security (Voicemail)

  1. Secure communications with endpoints—TLS for signaling and SRTP for media
  2. Secure integration with call control
  3. Secure access to GUI (HTTPS)
  4. Secure LDAP integration
  5. Integration with external certificates (Third Party PKI chain)
  6. Secure voice messaging (private messages)
  7. Integration with industry standard SSO solution
  8. HIPS
  9. Role based management and user access

IP telephony Server Security (Presence)

  1. Secure communications with endpoints—TLS for signaling and SRTP for media
  2. Secure integration with call control
  3. Secure access to GUI (HTTPS)
  4. Secure LDAP integration
  5. Integration with external certificates (Third Party PKI chain)
  6. HIPS

IP telephony Server Security (Contact Center)

  1. Secure integration with call control
  2. Secure recording
  3. Secure endpoints for agents
  4. Secure recoding
  5. Platform security for CVP, ICM, and other windows based platforms (Antivirus, HIPS)

IP Phone Security (Wired, Wireless, and Soft phone)

  1. Secure endpoint with CAPF certificates (LSC)
  2. Secure endpoint with built-in certificates (MIC)
  3. Secure network admission (dot1x)
  4. Secure WiFi admission (WPA, WPA2)
  5. Restricted access to settings
  6. Phone hardening
  7. VPN Phone
  8. Restricted access to system registry (for softphone)
  9. Trusted Relay Point (for softphone)

IP telephony Network Management

  1. Secure access to network equipment and servers (In-Band or Out Of Band management)
  2. Secure network management protocols for example: SSH, SCP, SFTP, HTTPS
  3. Security Event Management System (SEMS) or Security Information or Event Management (SIEM)
  4. Backup and restore processes
  5. Disaster Recovery System or and Disaster Recovery Site

Again, this is not a comprehensive list of security controls. However, these security controls and mechanisms should give you an insight to the requirement for security and risk appetite as per your organization’s goals and vision.

Bottom Line

IP telephony deployments expose the enterprise to new and serious threats from within and outside of the organization. This is primarily due to the fact that underlying network infrastructure’s weaknesses are also shared by IP telephony components leveraging the same. Coincidentally, these threats can be adequately mitigated by leveraging best-practices provided organizations rightfully understand the risks and manage them via holistic enterprise wide security architecture, leveraging defense in depth concept to combine of IP telephony system-specific and network-specific security features. Secure IP telephony requires considering voice, data, and video communications as a singular unified system and implementing a multilayered, uniformly applied defense construct for the system infrastructure, call management, applications, and endpoints. This minimizes the possibility that a failure of one or more components in the security construct could compromise overall security.

To summarize, the following are best practices to deploy Cisco IP telephony networks:

  • Treat the development of an IP telephony security program as a collaborative and cross‐organizational project involving stakeholders from all departments.
  • Conduct risk assessment to chalk out—a comprehensive list of threats, the feasibility of each threat, the quantitative impact of each threat, and based upon the risk level, a prioritization of mitigation actions for each of the potential threats.
  • Organizations should examine IP telephony security from a business perspective in line with their goals and vision. Security strategy should be such that it is aligned and is in compliance with applicable laws and regulations. Moreover, it must be properly implemented and balanced against business risks.
  • Consider potential physical security risks and plan well in advance to evade any threats to IP telephony infrastructure.
  • Disperse voice and data on different VLANs. Ensure that LAN switches are equipped with 802.1p prioritization so they can identify and prioritize traffic based on VLAN tags and support multiple queues. Enable port security, DHCP snooping, DAI, and other mechanisms to protect Layer 2.
  • Secure Layer 3 (routing) by routing protocol authentication, NTP authentication, ACL based filtering (RFC 1918 addresses).
  • Leverage VPN technology—IPSec or SSL or both; to provide a secure pathway for endpoints outside organization’s physical or logical premises, remote workers, and extranet. Voice and Video enabled VPN (V3PN) technology can be employed to encrypt voice media, voice signaling, and data traffic using IPSec.
  • ALG aware firewalls at perimeter and within network can provide for granular control, protocol conformance checking, and security checks. Utilize UC proxy services offered by Cisco ASA firewall to support encrypted voice traffic through firewall.
  • Employ NAC in order to unify endpoint security and network security enforcement so that network access is contingent on compliance with established security policies.
  • Protect the integrity of management and managed systems. Segregate management traffic on its own VLAN (OOB). Exercise management access control, authorization, and logging.
  • Employees of an organization should be aware of their responsibility pertinent to organization’s Intellectual Capital (IC) and Information.

Security is everyone’s responsibility. Not just key stakeholders but everyone needs to participate and contribute to build, operate, and maintain a secure Cisco IP telephony network. While users should be aware of their rights and responsibilities, the executives and higher management should be supportive of what IT, security, telecom, and networking departments try to achieve; a robust and secure Cisco IP telephony network which is an asset to an organization.

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@ciscopress.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.ciscopress.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020