S 4.6 Audit of the PBX configuration

Initiation responsibility: PBX System Manager, IT Security Officer

Implementation responsibility: IT Security Officer, Auditor

In order to guarantee the security of the PBX systems, audits of the PBX configuration must be performed at regular intervals. Auditing specifically includes monitoring the activities of the system administration and the maintenance personnel, checking the actual condition of the PBX system, and verifying adherence to the data protection provisions.

Every change to the configuration, e.g. granting of authorisations for a user, should be entered into a list of current inventory. This list may be maintained manually or automatically. At regular intervals, e.g. every six months, random checks should be performed to see whether the list of current inventory matches the actual inventory. The intended levels of security and data protection can be ensured by continuously auditing the list of current inventory. If irregularities are detected, these must be clarified with the help of the logs provided by the PBX system.
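The check described above, reconciling the list of current inventory against the actual PBX configuration and explaining each difference from the PBX change log, can be scripted. The following Python script is an added example and is not part of the safeguard text or of any PBX product; it assumes a PBX that can export its per-extension authorisations as CSV and a change log with one entry per configuration change, and all inventory, export and log data below is constructed for illustration.

```python
"""Reconcile a PBX authorisation inventory against the live configuration.

Added example (not from the BSI safeguard text). Assumes a PBX that exports
per-extension authorisations as CSV and a change log in which approved changes
carry a ticket reference; the formats and data below are constructed.
"""
import csv
import io
from dataclasses import dataclass

# Constructed inventory list: what the administration recorded as approved.
INVENTORY_CSV = """extension,owner,authorisations
100,reception,internal;external
101,alice,internal;external;international
102,bob,internal
200,fax,internal;external
"""

# Constructed export of the actual PBX configuration at audit time.
ACTUAL_CSV = """extension,owner,authorisations
100,reception,internal;external
101,alice,internal;external;international;premium_rate
102,bob,internal;external
300,unknown,internal;external;international
"""

# Constructed PBX change log; only entries with a ticket count as approved.
CHANGE_LOG = [
    {"extension": "102", "change": "add:external", "ticket": "CHG-17", "by": "admin1"},
    {"extension": "101", "change": "add:premium_rate", "ticket": "", "by": "admin1"},
]


def parse_auth_table(text):
    """Map extension -> set of authorisations from a CSV export."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["extension"]: set(filter(None, r["authorisations"].split(";")))
            for r in rows}


def approved_changes(log):
    """Map extension -> set of 'add:<auth>' / 'remove:<auth>' with a ticket."""
    approved = {}
    for entry in log:
        if entry["ticket"]:
            approved.setdefault(entry["extension"], set()).add(entry["change"])
    return approved


@dataclass(frozen=True)
class Finding:
    extension: str
    kind: str     # unlisted_extension, missing_extension, unapproved_grant,
                  # unapproved_revoke, inventory_not_updated
    detail: str


def audit(inventory, actual, approved):
    """Compare inventory list with actual configuration; explain differences."""
    findings = []
    for ext in sorted(set(inventory) | set(actual)):
        if ext not in inventory:
            findings.append(Finding(ext, "unlisted_extension",
                                    ";".join(sorted(actual[ext]))))
            continue
        if ext not in actual:
            findings.append(Finding(ext, "missing_extension", ""))
            continue
        ok = approved.get(ext, set())
        for auth in sorted(actual[ext] - inventory[ext]):
            # Granted on the PBX but not in the list: approved means the list
            # is stale, otherwise the grant itself must be clarified.
            kind = "inventory_not_updated" if f"add:{auth}" in ok else "unapproved_grant"
            findings.append(Finding(ext, kind, auth))
        for auth in sorted(inventory[ext] - actual[ext]):
            kind = "inventory_not_updated" if f"remove:{auth}" in ok else "unapproved_revoke"
            findings.append(Finding(ext, kind, auth))
    return findings


def run_audit():
    return audit(parse_auth_table(INVENTORY_CSV),
                 parse_auth_table(ACTUAL_CSV),
                 approved_changes(CHANGE_LOG))


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.extension}: {f.kind} {f.detail}")
```

On the constructed data the audit reports an unapproved premium-rate grant on extension 101, a stale inventory entry for 102 (the change was ticketed but never recorded), an extension 200 that disappeared from the PBX, and an unlisted extension 300 with international authorisation. Each finding is the starting point for the clarification against the PBX logs that the safeguard requires.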

For example, it should be verified whether

If it is not desired or possible to set up the role of an independent auditor, the log files may also be evaluated by the administrator. In this case it should be noted that the administrator's own activities are then difficult to monitor. Moreover, the administrator may thereby gain access to protected data (call logs) (see S 2.110 Data protection guidelines for logging procedures). The result of the evaluation should therefore at least be presented to the IT Security Officer, the person responsible for IT, or another specifically appointed person.

Review questions: