S 4.5 Logging for PBX systems

Initiation responsibility: PBX System Manager, IT Security Officer, Data Protection Officer

Implementation responsibility: Administrator

PBX systems usually offer logging options. For example, who uses services such as telephone, fax, or data transmission and with whom communication is established can be logged. This information can be captured, processed, and stored. Often, the data is used for accounting and verification purposes. Amongst other things, the logged information contains entries on:

• time and date of a call or a connection,
• source and destination telephone numbers, and
• duration of the call.

The data can be analysed internally using the integrated call detail records acquisition or transmitted to corresponding external systems.

Since the data is confidential, the information must be protected on all systems and additionally during transmission. Corresponding precautions for protecting the confidentiality and integrity must be taken. For example, the information may be transmitted using a dedicated network connection or encrypted using the LAN. Additionally, it must be ensured that the stored data may only be accessed by authorised persons. Who has access to the call detail records and what roles they assume when accessing the data must be documented.

Additionally, all system-related interventions comprising program modifications, as well as evaluation procedures, data transmissions, and data accesses should be logged.

Administration work

All administration work regarding the PBX system should be logged in order to provide for the traceability of who changed the settings in which way. For this, it makes sense to log the user ID, the date and the time, as well as the successful login within the framework of authentication. In the event of successful access, the type of access (read, write), as well as any administrative activities performed should be logged in addition to the data already logged within the framework of authentication. The logs generated must be clear, complete, and correct.

Unauthorised persons must not be able to disable or subsequently modify the logging function. Modification of the logged data should also be ruled out.

The logged information must be checked regularly. Frequent unsuccessful attempted logins should be investigated in a targeted manner. If there are also doubts regarding successful logins, these should be compared to the documentation of performed configuration and maintenance activities. In the event of abnormalities, the regulations governing the approach in the event of a suspected security incident must be applied immediately until a suspected attack is disproved conclusively.

Since the log files usually contain personal data, steps must be taken to ensure that this data is only used for the purposes of monitoring, adherence to data protection requirements, data backup or ensuring that operations are being carried out in the proper manner (see S 2.110 Data protection guidelines for logging procedures). The scope of logging and the criteria used in evaluating log files should be documented and agreed within the organisation. If necessary, any other committees having a say in this matter should become involved early on.

Review questions:

• Is there a regulation governing administration and maintenance of the IT systems?