S 3.82 Training on the secure use of PBX systems
Initiation responsibility: IT Security Officer, Head of Personnel, Head of IT
Implementation responsibility: Head of IT, IT Security Officer
In order to use the services and devices related to the PBX system as intended, the users must be instructed. Additionally, the users of the PBX system should be provided with all required documents regarding the operation of the corresponding terminal devices, such as the operating instructions for the telephone. If the users are unsure as to how to operate the system, this endangers confidentiality and integrity, but can also mean that not all available possibilities are known and the system is not used as planned. In this context, it is advantageous to appoint contact persons and persons in charge. In general, the obligation to comply with the policies and regulations governing the use of PBX systems must be pointed out.
Additionally, it is important that all users of a (classic) PBX system know what the common warnings, signals, and symbols of the PBX system mean. These include, in particular:
- warning tone for the direct voice calling mode,
- intrusion warning tone,
- hands-free calling indicator,
- indicator for enabled direct voice calling,
- indicator for automatic callback, and
- display/indicator for three-way conference calls.
The warnings should provide unambiguous information as soon as insecure features of the PBX system are used. The use of certain features that are available on the system but not actually approved for use (for example: silent monitoring) may have adverse effects on information security. Therefore, the warnings and warning tones for these features in particular should be known. The warning signal indicating that a third party is entering a telephone call is an important example.
Any abnormalities regarding the PBX system's behaviour should be reported to the corresponding persons in charge and, if possible, alternative communication channels should be used until the issue is clarified. In the event of manipulations to the PBX system, the IT Security Officer or the Data Protection Officer must be informed.
It is important to additionally point out the protection of the terminal devices with the help of passwords or PINs in order to prevent unauthorised persons from accessing confidential information stored in the terminal devices. Many terminal devices are delivered with default passwords set at the factory; these should be changed by the user during initial operation.
The employees should be instructed differently depending on their user group. The content of training for administrators should be different from the content for the users. The secure application of the content that has been taught can be supported in a targeted manner for all participants. Amongst other things, this may be achieved with the help of entries in the intranet, information events, user leaflets for the telephone, work instructions for the security personnel, or checklists for administrators. Such aids should already have been created at the time the training is conducted and should be integrated in a targeted manner.
Along with classic training courses, training measures with the help of web-based interactive programs in the intranet are also conceivable. Current developments may also be communicated with the help of newsletters or circular letters and within the framework of regular events such as department meetings.
Review questions:
- Have the terminal devices of the PBX system been configured in such a way that clear indications are given as soon as insecure features are used?
- Are all employees familiar with the warnings, signals, and symbols of the PBX system?
- Are the employees informed about the threats related to using a PBX system?
- Have the right operating instructions been placed near all of the PBX terminal devices?