S 5.74 Maintenance of fax server address books and distribution lists

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator, Fax Mail Centre

Most fax servers provide facilities for both central and also individual address books. Central address books are available to all users of a fax server and should be maintained centrally by the fax mail centre. Individual address books can be created by any user but are generally available only to the author.

It is especially important that central address books are protected against unauthorised changes. To achieve this, the user access rights for the fax server application should be granted in such a way that only the fax mail centre can alter the central address books, or, if this is not possible, then the resources of the operating system should be called on so as to achieve the same result.

The fax mail centre should perform regular checks to ensure that all central address books are intact and up-to-date. Most fax servers allow several recipients to be grouped together in the address books as one group. If an attacker succeeds in manipulating such groups, he/she or other unauthorised persons can obtain access to confidential fax transmissions. The fax mail centre should therefore also regularly review the assignment of recipients to individual groups to ensure that these are up-to-date. Where faxes are exchanged between workstations within an organisation via the fax server, the fax mail centre must keep all internal address books up-to-date as well.

In addition, the users have an obligation to check the entries they use personally at regular intervals. This applies both to central address books and also to individual ones.

Distribution lists are used by the fax server to route incoming fax transmissions to recipients. Incorrect entries in the distribution lists could result in unauthorised persons gaining access to fax transmissions containing confidential information. The fax mail centre should therefore check the distribution lists at regular intervals to ensure that they are up-to-date and intact.

To ensure that address books and distribution lists are kept up-to-date, the fax mail centre must be informed when any member of staff leaves the organisation.

To ensure that all administration work performed is traceable, all entries and alterations in central address books and distribution lists should be documented.

Review questions:

• Are the central fax server address books protected against unauthorised changes?
• Is the integrity and up-to-dateness of the central fax server address books and distribution lists checked regularly?
• Is it ensured that the fax mail centre is informed of personnel changes to enable up-to-date maintenance of the address books and distributions lists?
• Are entries and changes in the central fax server address books and distribution lists documented comprehensibly?