S 3.13 Increasing staff awareness of potential threats to the PBX

Initiation responsibility: PBX officer; IT Security Management; personnel committee/works council

Implementation responsibility: IT Security Management, Administrators

Staff members must be advised of the risks involved in the use of a digital PBX (telecommunications facility). This could be done, for instance, by means of a short briefing or instruction sheets. It must be borne in mind that abnormal behaviour of a PBX should be reported. Since in case of manipulations of a PBX installation, involvement of the PBX operator cannot be precluded, an independent controller, such as IT Security Management or departmental data security officers, should be informed in such cases.

Additional controls:

• Is awareness training repeated in regular intervals?

• Are new employees made aware of the possible dangers involved in PBX operation?