S 2.472 Drawing up a security policy for PBX systems
Initiation responsibility: Top Management, Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT
The security specifications for the organisation's PBX system result from the organisation-wide security policy. Based on this general policy, the requirements must be put into concrete terms and summarised in a security policy for the PBX system. In this context, it must be examined whether other overriding specifications, such as IT policies, password policies or rules on the use of VoIP (Voice over IP), must be taken into account in addition to the organisation-wide security policy.
The security policy should make basic statements on the availability of the PBX system and on the confidentiality and integrity of the data stored or processed by it. In this context, it must be taken into account that high expectations are generally placed on the availability and confidentiality of communication services. When personal data is stored, data protection requirements and statutory retention provisions must also be observed. Retained data such as connection records also serve as a basis for security analyses in the event of suspicions or for audit purposes.
All persons and groups involved in the purchasing, design, implementation, and operation of the PBX system must be familiar with the security policy for PBX systems and use it as the basis for their work. Like all policies, its contents and its implementation should be examined regularly within the framework of a general audit.
Within the framework of the security policy for PBX systems, the users should be informed briefly and comprehensibly about the threats connected to the use of a PBX system and its communication services (see also S 3.82 Training on the secure use of PBX systems). In this context, the latest developments in the field of technology and the most recent threats should also always be taken into account. This information should make users aware of this policy and motivate them to follow it.
In addition to the features of a classic PBX system, such as toggling, enquiry call, call completion to busy subscriber, call waiting, barging in on an existing call, call conferencing, and pick-up of an incoming call, hybrid systems and VoIP systems offer a large number of additional IT-based functions because they couple the features of the classic PBX system with IT systems. It is, for example, possible to deliver voice messages and faxes via e-mail, to initiate and route calls from an application on the PC with a mouse click, and to view the current availability (presence) of a subscriber. The policy should therefore specify which functions and features of the PBX system are to be used. In addition, it must be specified who may use which services for which purposes. The extent to which private use is permitted should also be specified in this context.
In addition, security safeguards regulating the selection and installation of the required security hardware and software, as well as specifications for the secure configuration of the PBX system and its end devices, must be taken into account. When a hybrid system or a VoIP system is used, the policies applying to these systems must be observed additionally. In some cases, it may be expedient to allow users to perform certain configuration settings themselves directly on the end device, such as locking the telephone end device during absence. Where this is permitted, it should be documented in the policies; otherwise, it should be prohibited.
It also makes sense to include the following points in the policies, for example:
- Rules regarding physical access control:
A PBX system should always be installed in a separate security area, such as a lockable computer room. Here, it must be specified who is granted access to the room and who is granted access to the system itself. Access for administration, which is generally obtained using administration software but may also be obtained using separate end devices, should be restricted to the PBX operating personnel (see also S 2.27 Maintenance of a PBX system).
- Rules regarding the work of the administrators:
The scheme according to which administration rights are assigned must be specified. In doing so, it must be considered whether the tasks of the administrator of the IT systems are separated from those of the person responsible for the PBX system. It must be set out which administrator may exercise which rights and how these rights are obtained. In the next step, the access routes used by the administrators to reach the systems must be specified. Possible routes are local access at the PBX system itself, access via a dedicated administration network, and access via the remote maintenance interface (see also S 5.14 Shielding of internal remote accesses of PBX systems and S 5.15 Shielding of external remote accesses of PBX systems).
In addition, it must be specified which procedures must be documented and in what form the documentation is produced and maintained. This includes the following specifications for installation and configuration:
- procedure for installation of the overall PBX system and the end devices,
- checking the default settings for security weaknesses and changing them where required, including changing all default passwords,
- use and configuration of the PBX system and end devices,
- documentation and backup of the configuration.
Specifications for secure operation should be made, such as, for example:
- securing the administration (restricting the access for administration to the PBX operating personnel by technical means),
- logging of all login attempts at the PBX system, logging and regular checking of remote maintenance accesses,
- permitted tools for operation and maintenance,
- deactivation of all other access capabilities which are not intended to be used,
- assignment of authorisations,
- procedures for software updates and configuration changes,
- data backup and recovery,
- rules for how to react to operational disruptions, technical errors (local support, remote maintenance), and security incidents.
The security policy should also address the secure disposal of the components of the PBX system. For example, connection data and other personal data are sometimes stored on data media inside the PBX system. End devices often carry labels with names on shortcut keys, IP addresses, telephone numbers, or other technical information. The individual components must therefore be erased or destroyed in such a way that the data cannot be reconstructed.
The IT operating personnel are responsible for implementing the security policy for PBX systems. Changes to and deviations from this policy may only be made in agreement with the IT Security Officer.
Review questions:
- Is there an up-to-date security policy for PBX systems?
- Have all employees been informed of the security policy for PBX systems?