Initiation responsibility: PBX officer; departmental data privacy officer
Implementation responsibility: Administrators
During the operation of PBX facilities, call data are generated. These contain information on:
Call data are personal data within the meaning of the relevant federal and state data protection laws. This implies that, in addition to the IT baseline protection safeguards proposed below, a separate review must in every case be made of the requirements of data protection law (e.g. the Annex to Section 9 of the Federal Data Protection Act, BDSG).
Such data can be stored both on the fixed disk of the PBX itself and on an external billing computer; in many cases, both variants are combined. Wherever possible, these computers must be protected so that only authorised persons can access the call data. To this end, the billing computer must be installed in a specially protected room (cf. Chapter 4.3.2 - Server Room). For all systems on which call data are stored, the following safeguards must also be implemented: S 1.23 Locked doors, S 2.5 Division of responsibilities and separation of functions, S 2.6 Granting of site access authorisations, S 2.7 Granting of system/network access authorisations, S 2.8 Granting of (application/data) access rights, S 2.13 Disposal of resources requiring protection, and S 2.17 Entry regulations and controls.
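The requirement that only authorised persons can access stored call data can be checked on a Unix-like billing computer by auditing the file permissions of the call data directory. The following script is an added example and not part of the BSI manual; it assumes that call data are kept in a directory reserved for them and that authorised administrators are members of a dedicated group (the directory and group names used are constructed for the example). It reports every file or directory that is owned by another group or that grants any permission to "other" users.

```shell
#!/bin/sh
# Added example (not from the BSI manual): audit call data storage so that
# access is limited to a dedicated administrators' group.
#
# Assumptions: POSIX find(1); call data live under one directory tree; the
# authorised persons are the members of one group. Both names are supplied
# by the caller, e.g.  audit_call_data /var/pbx/calldata pbxadmin

# audit_call_data DIR GROUP
#   Returns 0 when every file and directory under DIR is group-owned by
#   GROUP and carries no read/write/execute bit for "other".
#   Otherwise prints the offending paths and returns 1.
audit_call_data() {
    dir=$1
    group=$2

    # Any entry that is NOT in the authorised group, or that has any
    # permission bit set for "other", is a finding.
    bad=$(find "$dir" \( -type f -o -type d \) \
              \( ! -group "$group" \
                 -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)

    if [ -n "$bad" ]; then
        printf 'Call data accessible beyond group "%s":\n%s\n' "$group" "$bad"
        return 1
    fi
    printf 'OK: %s is restricted to group "%s"\n' "$dir" "$group"
    return 0
}

# Run the audit when invoked with a directory and a group on the command line.
if [ "$#" -eq 2 ]; then
    audit_call_data "$1" "$2"
fi
```

The check complements, rather than replaces, the physical safeguards named above: it detects configuration drift (a file copied out with default permissions, a billing export left world-readable) and should be run regularly, for example from the administrators' routine checks.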
Additional controls:
© Copyright by Bundesamt für Sicherheit in der Informationstechnik, July 1999