PBX Audit Review and Questionnaire


Uploaded by michael-elcock, posted 22-Mar-2016



KEY AREAS TO REVIEW DURING A PBX AUDIT

- TELECOMMUNICATIONS ORGANIZATION
- MONTHLY USAGE CHARGES
- FACILITY ASSET MANAGEMENT
- TELECOMMUNICATION FACILITY SECURITY
- LOGICAL AND SYSTEM ACCESS
- PBX CHANGE MANAGEMENT
- PROBLEM RESOLUTION PROCESS
- BUSINESS CONTINUITY PLANNING
- PBX UTILIZATION

OBJECTIVES FOR PBX AUDIT:

*Determine if the telecommunications organization is effectively structured and has sufficient resources and training.

*Determine if monthly usage is reviewed and challenged by management for controlling costs.

*Determine if the telecommunications assets and facilities are effectively managed.

*Determine if physical security controls are in place for the telecommunications facilities.

*Determine if logical and system security controls are in place to protect the PBX from abuse.

*Determine if controls are in place for making changes to PBX configurations, software, and users.

*Determine if controls are in place to protect the PBX when problems are detected.

*Determine if emergency and business continuity procedures are in place and reliable.

*Determine if adequate controls are in place to ensure the PBX meets business requirements.

*Determine if vendor fraud monitoring and insurance are required to protect company assets.

PBX CONTROLS

Monitor call patterns, capacity and errors.

Network Class of Service - user profile.

Restrict numbers and time-of-day calling.

Physical security of equipment and patchbay.

Authorization codes for long distance.

Restrict Call forwarding and dial through.

Install Essential Service Lines

Disable Remote Maintenance Port

Formal Change Control Procedure

PRELIMINARY SURVEY

Objective: To gain an understanding of the Voice System Environment, and the risks and controls in the Voice Application systems.

VOICE APPLICATION SYSTEM

A. TELECOMMUNICATIONS ORGANIZATION

1. Obtain organizational charts and outline the organization's staffing and functions.

a. Review departmental delineation of functions.

b. If Telecom and IS share functions, are each department's duties defined?

2. Obtain job descriptions and note the specific responsibilities related to PBX or telecommunications.

3. Obtain the training and education policy.

a. Is vendor or professional training available or emphasized?


B. FACILITY ASSET MANAGEMENT

1. Obtain network maps and diagrams.

a. Are network maps current and understandable?

2. Review lease and rental agreements.

a. Are all agreements monitored for expiration dates?

3. Is the PBX backed up after software/configuration changes?

a. Are system and backup tapes stored safely with 24-hour accessibility?

b. Are software/configuration changes recorded in case backups fail?

4. Review maintenance contract management.

a. If the contract is on a per-port basis, how many ports are in the contract?


C. TELECOMMUNICATION FACILITY SECURITY

1. Determine the location of the PBX.

a. Is the PBX in a location that can be adequately locked and controlled?

2. Review access procedures.

a. Is PBX access controlled using keys or sign-in/sign-out logs?

b. Are access logs reviewed regularly?

3. Obtain the equipment inventory list.

a. Is there a current inventory of all installed equipment by location?


D. LOGICAL AND SYSTEM ACCESS

1. Review class of service.

a. Are classes of service allocated to control usage?


E. PBX CHANGE MANAGEMENT

1. Review moves, adds, and changes.

a. Are moves, adds, and changes authorized and documented?

2. Review authorized change initiators.

a. Are changes initiated by authorized personnel?

3. Review change orders.

a. Are change orders approved by authorized personnel?


F. PBX UTILIZATION

1. Service group review.

a. Are WATS and 800 service bills reviewed for service groups with low use?

2. Trunk group review.

a. Are PBX traffic reports checked weekly for trunk groups with low use?

3. Trunk busy review.

a. Are PBX traffic reports checked weekly for trunk group busy conditions?

4. PBX report writer.

a. Is the PBX printer powered up, with paper installed, and checked regularly?

5. Review call pattern exceptions.

a. Are call pattern exceptions tracked, reviewed, and reconciled?


G. PROBLEM RESOLUTION PROCESS

1. Review contact lists.

a. Are contact lists maintained with current personnel and account data?

2. Review escalation procedures.

a. Are internal and external problem escalation procedures in place?

3. Are procedures in place for addressing problems after business hours?

4. Are trouble tickets created and reviewed for tracking problem resolution?

H. BUSINESS CONTINUITY PLANNING

1. Is there a business continuity plan?

2. Is the plan modified to correct the problems noted in testing?

3. Are telecommunications staff reachable by pager or phone after hours?

4. Are company executives reachable by pager or phone after hours?

5. Review power failure transfer phones.

a. Does the PBX have sufficient power failure transfer phones?

7. Is there a PBX standby or "hot site" for ensuring business continuity?

8. Does the standby site have sufficient trunking for the company's needs?

9. Does the PBX have a UPS or alternate power supply?

10. Is the UPS adequate for the current and projected PBX configuration?

I. FRAUD DETECTION AND INSURANCE

1. Review carrier monitoring.

a. Does the local or long distance carrier monitor the PBX for usage anomalies?

2. Review fraud risk assessment.

a. Has carrier fraud coverage been evaluated to cover the risk of fraud or abuse?

3. Determine whether carriers perform audits of the PBXs and what method they use.

J. CELLULAR PHONES

1. Are appropriate approvals in place for acquisition of cellular services?

2. Phone services for executives, sales personnel, etc.

3. Are cellular charges monitored by user?

4. Is the user billed for cellular services?

5. Have users been notified that cellular transmissions can be overheard?

6. Are cellular transmissions monitored to detect:

a. errors

b. signal loss

7. Are cellular users authenticated before logging in to the system?

8. Are cellular phones strictly controlled?

a. retrieved on termination

9. Who approves payment of cellular charges?


L. VOICE MAIL SECURITY

1. Ensure new voice mail boxes are allocated unique pass codes, not default pass codes such as the extension number.

2. Disable all dial-through features and paging from the voice mail system.

3. Run a report on all allocated voice mail boxes and compare the list to active employees. Note and follow up on discrepancies.

4. Review who has access to the administration functions on the voice mail system.

5. Review the system operator log. Has the system been downloaded and reloaded within a short period of time?

6. Use ANI on voice mail 800 numbers and a special front-end authorization code before allowing access.
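A way to carry out voice mail items 1 to 3 as a repeatable check, written as an added example rather than part of the original questionnaire: it parses a mailbox export, flags boxes whose pass code equals the extension, boxes with dial-through still enabled, and boxes whose owner is blank or not an active employee. The export format, field names, and sample records are constructed assumptions, not any vendor's real report.

```python
# Added example (not from the original questionnaire): reconciliation of a
# voice mail box export against the active employee roster. The CSV layout,
# field names and all records below are constructed assumptions.
import csv
import io

# Constructed sample export of allocated voice mail boxes.
# Fields: mailbox, extension, passcode, owner, dial_through (Y/N)
MAILBOX_EXPORT = """\
mailbox,extension,passcode,owner,dial_through
1001,1001,1001,asmith,N
1002,1002,73914,bjones,N
1003,1003,248801,cwu,Y
1004,1004,1004,dlee,N
1005,1005,55210,,N
"""

# Constructed HR roster of active employee user IDs.
ACTIVE_EMPLOYEES = {"asmith", "bjones", "cwu"}


def parse_export(text):
    """Parse the mailbox export into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_mailboxes(records, active):
    """Return findings keyed by check name, each a sorted list of mailbox IDs.

    default_passcode : pass code equals the extension number (item 1)
    dial_through     : dial-through still enabled on the box (item 2)
    orphaned         : owner blank or not an active employee (item 3)
    """
    findings = {"default_passcode": [], "dial_through": [], "orphaned": []}
    for r in records:
        box = r["mailbox"]
        if r["passcode"] == r["extension"]:
            findings["default_passcode"].append(box)
        if r["dial_through"].strip().upper() == "Y":
            findings["dial_through"].append(box)
        if not r["owner"] or r["owner"] not in active:
            findings["orphaned"].append(box)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    results = audit_mailboxes(parse_export(MAILBOX_EXPORT), ACTIVE_EMPLOYEES)
    for check, boxes in results.items():
        print(f"{check}: {', '.join(boxes) or 'none'}")
```

Each flagged mailbox is a discrepancy to note and follow up on, as item 3 asks; a real run would read the export from the voice mail system's report writer and the roster from HR.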

CELLULAR PHONE USAGE

Are appropriate approvals in place for acquisition of cellular services?

a. phone services for executives, sales personnel, etc.

Are cellular charges monitored by user?

Is the user billed for cellular services?

Have users been notified that cellular transmissions can be overheard?

Is scrambling or encryption in use where appropriate?

Are cellular transmissions monitored to detect:

- errors
- signal loss

Are cellular users authenticated before logging in to the system?

- user ID and password
- changed frequently
- secondary authentication used

Are cellular phones strictly controlled?

- retrieved on termination

Who approves payment of cellular charges?