ISM-0553 ASD Information Security Manual (ISM)

Authenticate Video Calls and Manage Settings

Ensure all video call actions and settings changes are verified with authentication and authorisation.

Plain language

This control ensures that all the actions you take on a video call, like starting a call or changing settings, are done by someone who's been verified. It's like double-checking that the person making changes is really supposed to be doing it. If you skip this, anyone might make unapproved changes or eavesdrop, potentially exposing sensitive conversations or causing disruptions.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2018

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings.

Why it matters

If video call setup and settings changes aren’t authenticated and authorised, attackers can join calls, change meeting options, or disrupt sessions, exposing sensitive discussions.

Operational notes

Enforce authentication/authorisation for call setup and settings changes; review meeting and admin logs and alert on failed logins or unauthorised attempts to change call settings.

Implementation tips

  • The IT team should enforce user login for all video call setups. This can be done by requiring everyone to sign in with a unique username and password before starting or joining a call, ensuring that only authorised people can participate.
  • Managers need to set up permissions for changing video call settings. This involves specifying who can alter settings like mute features or participant access, which can be managed through user roles in the conferencing tool.
  • IT should regularly audit the video conference logs. Set up a schedule, perhaps monthly, to review who accessed calls and what changes they made, looking for patterns that might indicate misuse or unauthorised access.
  • HR should clearly communicate video call procedures to staff. Run training sessions where employees learn why it's important to use secure login details and adhere to set protocols before initiating or adjusting calls.
  • System owners should assign a gatekeeper for video conferencing settings. This person will be responsible for reviewing and approving any requests for changes to settings, ensuring a clear trace of accountability.

Audit / evidence tips

  • Ask: The video conferencing user access policy: Review this document to see how user roles and access permissions are specified. Good: Is a comprehensive document with detailed role-based access clearly outlined.
  • Good: Is a detailed log showing authorised participant activity and no unauthorised changes.
  • Ask: The training records for employee video call protocols: Check the participants and frequency of these sessions. Ensure regular training is conducted and attended by all relevant staff. Good: Includes recent training dates and staff participation records.
  • Good: Is a dated report showing completed reviews and corrective actions taken.
  • Ask: Incident reports related to video conferencing: Review these for any access or authorisation issues. Ensure there was an appropriate response and follow-up for each incident. Good: Involves detailed reports with documented resolutions and preventive measures for future occurrences.

Cross-framework mappings

How ISM-0553 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially overlaps (1)
Annex A 5.17: Annex A 5.17 requires organisations to control the allocation and management of authentication information (e.g., credentials) via a defi...

E8

Control Notes Details
Supports (6)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
