It is vital that a security risk assessment is carried out on all IP Office installations, both initial (prior to deployment or for existing deployments if one has not yet been carried out), and periodically after initial assessment to review any change.

A primary differentiator of security risk for IP Office is whether the system is potentially accessible from external or unsecured networks or individuals, especially the Internet.

This document does not cover security assessments in any detail; however there are many resources available that cover this process, including for example:

• US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology System:

  - http://dx.doi.org/10.6028/NIST.SP.800-30r1

• UK British Standards Institute (BSI) ISO/IEC 27001, Self-assessment questionnaire:

  - http://www.bsigroup.co.uk/en-GB/iso-27001-information-security/ISO-27001-for-SMEs/

• The SANS Institute also provides a wide range of security-related information, including risk assessments and audits:

  - http://www.sans.org/reading-room