Monday, March 15, 2010


1.0     Protection Management

1.     Who is responsible for maintaining and operating the equipment?
2.     Are maintenance agreements the most cost effective agreements available?

(Surely there are many more protection management responsibilities than these two. What are they, how can they be clarified, and how do they relate to the rest of this checklist?)

2.0     Protection Policy

1.     Is there a company written policy on phone use?
2.     What is it? Are there particular features it should have, and what are they?
3.     Are there things it should not have, and what are they?
4.     Why is the policy set as it is, who sets it, how does it change, and is it realistic for the environment?

3.0     Standards and Procedures

1.     Are Customer Service Records reconciled with the Property Accounting Fixed Asset Register?
2.     Are monthly phone bill tracking reports reviewed?
3.     Are PBX traffic, performance, circuit outage, and problem reports reviewed by telecom management?
4.     Is there an agreement with the LEC, the IXC, and the equipment vendors for the ability of only authorized personnel to request service level changes, and to report errors?
5.     Is there a regular dump of Incoming Peg Count, Attendant Response, All Trunks Busy, Service Queue, and Trunk Group Overflow reports? Are they reported to telecom management?
6.     What are the procedures for making PBX SW or HW changes?
7.     Is the PBX program backed up whenever changes are made?
8.     Does anyone on the telecom staff carry a pager number during off-hours?
9.     Are all orders for services in writing? Are confirmations in writing?
10.   Are service order numbers used?
11.   Are bills reviewed for accuracy? How often?
12.   Are monthly telephone bills distributed to department managers for review? Do they sign approval and return them?
13.   How are phone charges allocated to each cost center? Are they accurate?
14.   Are all toll calls billed verified against the PBX traffic reports?
15.   How are billing issues resolved?
16.   Is there internal recording of Install/Remove services?
17.   Are all leased trunks, lines, and circuits billed verified against the PBX inventory reports?
18.   Are services for part of the month pro-rated?
19.   Is Call Detail Recording (CDR) or Call Accounting reconciled with phone bills?
20.   Are maintenance bills reviewed, broken down, and verified? By whom? How are replacement parts approved, and by whom?

4.0     Documentation

1.     Obtain network maps and topology diagrams, telecommunication records, and policy and procedure guides. Are they up to date and easily understood?
2.     Are Customer Service Records listing the equipment reviewed and retained? By whom?
3.     Are monthly phone bill tracking reports generated?
4.     Is there an accurate and up-to-date list of current trunks and leased lines?
5.     Are circuit numbers clearly marked on channel banks, CSU/DSUs, and modems?
6.     Is there an up to date list that correlates telephones and Central Office lines to ports on the PBX?
7.     Are MDFs and IDFs clearly labeled?
8.     Are the procedures for making PBX SW or HW changes fully documented?
9.     Is there a list of authorized contacts?
10.   Does the telecom manager have a list of home phone numbers for the LEC, IXC, and PBX account executives?
11.   Are PBX operating manuals available to telecom staff?
12.   Are there 3rd party calls on the phone bills?
13.   Is Call Detail Recording (CDR) or Call Accounting enabled?

(This is an interesting list. It is probably not comprehensive, but it is more so than the other areas. There is no question about where the documentation is kept and who has access, how the documentation tracks to the other areas, etc., but it's a real good start.)

5.0     Protection Audit

Who audits the PBX, how often, what do they look for, etc.? This is
covered to some extent in standards and procedures, but
only a few issues are loosely covered and no explanation of
why is provided. To be effective, the audit has to be done by
people who specifically do PBX audits.

6.0     Technical Safeguards

1.     Are DISA (Direct Inward System Access) capabilities activated?
2.     Are "leaky PBX" capabilities (trunk-to-trunk transfer or call-through that lets an outside caller obtain an outside line) designed in?
3.     Is there a modem on the PBX programming port?
4.     Is there a UPS?
5.     Are 976, 900, and 700 calls blocked?
6.     Is Call Detail Recording (CDR) or Call Accounting enabled?

This is a starting point, but hardly comprehensive. A good
PBX auditor will cover many other technical issues.
This is, of course, PBX specific, so it's hard to make
a generic list, but more than these items should be included.
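The checklist asks for CDR to be enabled and reconciled with the phone bills (section 3, items 14, 17 and 19; section 4, item 12 on third-party calls) and for the 976/900/700 block and DISA to be reviewed (this section). The Python script below is an added example written for this page, not code from the original post or from any PBX vendor. It parses a constructed CDR export and a constructed carrier bill extract (both hypothetical formats), flags premium-rate calls that a working block should have prevented, flags DISA use outside an assumed 07:00-19:00 weekday window, and reports bill lines with no matching CDR record, CDR calls the carrier never billed, and billed-minute mismatches. The column names, the business-hours window, the whole-minute rounding rule and the (date, dialed) matching key are all assumptions.

```python
"""Reconcile PBX Call Detail Records (CDR) with a carrier bill and flag the
toll-fraud indicators a PBX audit looks for.  Added example for this page; the
file formats, column names and business-hours window are assumptions."""
import csv
import io
import math
from datetime import datetime

# Constructed sample CDR export (hypothetical format):
# date, time, originating extension or trunk, dialed digits, seconds, DISA auth code
CDR_SAMPLE = """\
date,time,source,dialed,duration_seconds,auth_code
2010-03-01,09:12:44,ext2214,14155551234,312,
2010-03-01,13:40:02,ext2218,19005551212,95,
2010-03-02,02:17:31,DISA,011447700900123,1840,4471
2010-03-02,10:05:10,ext2301,17145550199,60,
2010-03-03,11:22:08,ext2214,14159765100,130,
"""

# Constructed carrier bill extract (hypothetical format): date, dialed digits, minutes, charge
BILL_SAMPLE = """\
date,dialed,minutes,charge
2010-03-01,14155551234,6,0.42
2010-03-01,19005551212,4,15.96
2010-03-02,011447700900123,31,46.50
2010-03-02,17145550199,1,0.07
2010-03-04,18095550123,12,18.00
"""

# North American premium-rate patterns: 900 and 700 are area codes (NPA),
# 976 is an exchange (NXX) inside an ordinary area code.
PREMIUM_NPA = {"900", "700"}
PREMIUM_NXX = {"976"}


def parse_csv(text):
    """Read a CSV export with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def classify_number(dialed):
    """Return 'international', 'premium', 'domestic' or 'unknown' for a dialed string.
    Assumes NANP dialing: optional leading 1, then NPA+NXX+XXXX; 011 is the international prefix."""
    digits = "".join(ch for ch in dialed if ch.isdigit())
    if digits.startswith("011"):
        return "international"
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        return "unknown"
    npa, nxx = digits[:3], digits[3:6]
    if npa in PREMIUM_NPA or nxx in PREMIUM_NXX:
        return "premium"
    return "domestic"


def fraud_indicators(cdr, business_hours=(7, 19)):
    """Return (record, reason) pairs for calls a technical-safeguards review should question:
    premium-rate numbers that completed (the 976/900/700 block is not effective) and
    DISA calls placed outside the assumed business-hours window or on a weekend."""
    start, end = business_hours
    findings = []
    for rec in cdr:
        if classify_number(rec["dialed"]) == "premium":
            findings.append((rec, "premium-rate number completed; 976/900/700 block not effective"))
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        off_hours = when.weekday() >= 5 or not (start <= when.hour < end)
        if rec["source"] == "DISA" and off_hours:
            findings.append((rec, "DISA call outside business hours"))
    return findings


def billed_minutes(duration_seconds):
    """Carriers bill in whole minutes, rounded up, with a one-minute minimum (assumed tariff)."""
    return max(1, math.ceil(int(duration_seconds) / 60))


def reconcile(cdr, bill):
    """Match bill lines to CDR records on (date, dialed) and report three discrepancy classes:
    bill_only       - billed calls the PBX never recorded (third-party or fraudulent charges)
    cdr_only        - PBX-recorded calls the carrier has not billed (rating or carrier error)
    minute_mismatch - matched calls whose billed minutes disagree with the CDR duration
    A production version would also match on time of day to handle repeat calls."""
    cdr_index = {(r["date"], r["dialed"]): r for r in cdr}
    bill_index = {(r["date"], r["dialed"]): r for r in bill}
    report = {"bill_only": [], "cdr_only": [], "minute_mismatch": []}
    for key, b in bill_index.items():
        c = cdr_index.get(key)
        if c is None:
            report["bill_only"].append(b)
        elif billed_minutes(c["duration_seconds"]) != int(b["minutes"]):
            report["minute_mismatch"].append((c, b))
    for key, c in cdr_index.items():
        if key not in bill_index:
            report["cdr_only"].append(c)
    return report


if __name__ == "__main__":
    cdr_records = parse_csv(CDR_SAMPLE)
    bill_records = parse_csv(BILL_SAMPLE)
    for rec, reason in fraud_indicators(cdr_records):
        print(f"{rec['date']} {rec['time']} {rec['source']:>8} -> {rec['dialed']}: {reason}")
    for kind, items in reconcile(cdr_records, bill_records).items():
        print(f"{kind}: {len(items)}")
```

On the constructed data the script flags the 900 call and the 976 call as premium-rate numbers that got through, flags the 02:17 DISA call to a UK number, and the reconciliation reports one billed call (an 809 number) that the PBX never recorded, one PBX call that was never billed, and one call billed for twice the minutes the CDR shows. Each of those is exactly the kind of line an auditor should be asking telecom management to explain.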

7.0     Incident Response

1.     Is there a disaster recovery plan?
2.     Is there a standby site for moving operations in the event of a disaster? Does it have sufficient trunking for voice and data? Is it periodically re-evaluated or tested?
3.     Is the PBX program backup stored off-site?
4.     Has a "bounty hunter" telecom payment consultant been used in the past? Results?
5.     Do maintenance agreements guarantee technician response time?

This is designed for disaster recovery only. It doesn't
take a comprehensive view of incidents and how they are
responded to. How do we respond to day-to-day incidents
such as toll fraud or unauthorized PBX changes? How do we
detect them? Who does it? What tools do they need? etc.

8.0     Testing

1.     Has the disaster recovery plan been tested?
2.     Is the UPS tested?

(There are a lot of other testing issues that have to be addressed in a comprehensive PBX audit.)

9.0     Physical Protection

1.     Where is the telephone equipment (PABXs) located?
2.     Who has access to the equipment?
3.     What are the visiting procedures for accessing the equipment?
4.     Are craftspeople escorted?
5.     Is there fire suppression equipment installed and tested?
6.     Are cabinet doors kept closed and locked?
7.     Do the cables entering and leaving the PBX or equipment room pass through firestop material?
8.     Are power circuits clearly marked?

(This is a good starting list, but not a comprehensive list of physical security issues to be considered.)

10.0   Legal Considerations

1.     What are the purchase/lease/rental agreements for telecom equipment?
2.     What maintenance agreements are signed?

(It's a start, but where is corporate liability covered? How about employee agreements? Is policy properly verified by legal, and is it enforceable? How do we proceed to track down attackers so that we can prosecute, or do we want to prosecute? Is there adequate insurance? etc.)

11.0   Protection Awareness

1.     Are there education programs for users?

(This is not an adequate question to cover the issue of awareness.)

12.0   Training and Education

1.     What training is provided telecom staff for the PBX?

(This is not an adequate question to cover these issues.)

13.0   Organizational Suitability

(This is not addressed in the audit at all.)
