S 4.6 Audit of the PBX configuration (target/performance reconciliation)

Initiation responsibility: PBX officer; IT Security Management

Implementation responsibility: IT security management, revisor

After each configuration change, e.g. release of a subscriber's authorisation, this should be recorded in an ACTUAL inventory. That list may be kept manually or by automatic means. Periodically (not necessarily at regular intervals), e.g. every six months, reconciliation checks should, at least randomly, be made of such an ACTUAL inventory and of the actual status. Incongruities should be cleared by means of the listings/audit trails. In particular, it should be verified whether

• all dialling numbers not allocated have actually not been set up;
• unpermitted authorisations have indeed not been granted to anybody;
• de-activated user facilities are assuredly inactive.
• de-activated dial-in functions are assuredly inactive.

In collaboration with ZVEI, the Central Association of the Electrical and Electronics Industry, BSI has drawn up a catalogue of requirements which contains improved audit. This catalogue is to be used when purchasing new PBX systems for federal agencies. In the event that PBX systems are already in place, the extent to which manufacturers can offer improvements as updates should be reviewed.

Additional controls:

• Is it possible, by reference to the available documents, to provide information, e.g. on the rights of particular subscriber's stations/lines?
• When was the documentation last reviewed for congruity with the actual state of affairs?