IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
S 4.6 Audit of the PBX configuration
(target/performance reconciliation)
Initiation responsibility: PBX officer; IT Security Management
Implementation responsibility: IT security management, revisor
After each configuration change, e.g. release of a subscriber's authorisation,
this should be recorded in an ACTUAL inventory. That list may be kept
manually or by automatic means. Periodically (not necessarily at regular
intervals), e.g. every six months, reconciliation checks should, at least
randomly, be made of such an ACTUAL inventory and of the actual status.
Incongruities should be cleared by means of the listings/audit trails. In particular,
it should be verified whether
- all dialling numbers not allocated have actually not been set up;
- unpermitted authorisations have indeed not been granted to anybody;
- de-activated user facilities are assuredly inactive.
- de-activated dial-in functions are assuredly inactive.
In collaboration with ZVEI, the Central Association of the Electrical and
Electronics Industry, BSI has drawn up a catalogue of requirements which
contains improved audit. This catalogue is to be used when purchasing new
PBX systems for federal agencies. In the event that PBX systems are already
in place, the extent to which manufacturers can offer improvements as updates
should be reviewed.
Additional controls:
- Is it possible, by reference to the available documents, to provide
information, e.g. on the rights of particular subscriber's stations/lines?
- When was the documentation last reviewed for congruity with the actual
state of affairs?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000