S 2.105 Obtaining PBX units

Initiation responsibility: Top Management

Implementation responsibility: Purchasing Department, Building Services

When purchasing PBX systems or other components, when expanding a classical PBX system with VoIP for example, the results of the requirements analysis and the planning should be taken into account. Due to the variety of functions and possible applications, selection and purchasing is relatively complicated and time consuming

Furthermore, existing communication systems and components of the company must be taken into account in the purchasing process. If an entire new PBX system is not purchased, it must be ensured that the existing equipment and the newly purchased equipment is compatible with each other. When purchasing new PBX systems, it must be ensured that they are selected so that minimal additional personnel and organisational resources are necessary to achieve a high level of security when they are operated later on. For this purpose the following must be ensured above all:

• the existence of adequate functionality for system administration
• sufficient protocol mechanisms and evaluation possibilities
• the auditing capacity of the PBX system

When purchasing a classic PBX system, it must be additionally considered whether it should offer analogue subscriber connections in addition to digital connections. Analogue connections may be necessary if analogue end devices such as fax machines, answering machines, cordless telephones, modems for data applications, such as signalling or emergency calls, are to be connected. In addition, there are the analogue or digital devices selected according to the required features.

In hybrid systems, IP functions are added to classic PBX systems, which allows IP end devices to be connected to the PBX system. In addition to the PBX system, conventional end devices or end devices with IP capability must be purchased. If a PC is used as an end device, then it must have the network interfaces, telephony software, sound card, microphone and a headset, if applicable.

In case of a VoIP-based solution the following elements must be taken into account: VoIP PBX system, VoIP telephones, softphones, VoIP server software, and other network elements. In addition, there is the optional integration of radio solutions and value-added services such as unified communications, which include CTI (Computer Telephone Integration), unified messaging and voice mail as well as a switch board or billing system.

Part 2 (Purchasing Guide) of the BSI Technical Guideline "Secure PBX systems" can be used to assist in purchasing PBX systems. The Purchasing Guide begins with a list of selection criteria for the components of a PBX solution which are based on the safeguards specified in part 1 of the Technical Guideline. In an evaluation table, the requirements are weighted differently depending on the scenarios considered. The structure is based on the methodology of UfAB IV (Document for the request for tenders and evaluation of IT services). Test criteria for product selection and acceptance are developed. In addition to configuration tests, these also describe tests at the protocol interface level using protocol analysers and simulation tools.