Telecommunications Internal Control Questionnaires

OBJECTIVES

The objective of this ICQ is to evaluate the way in which users and computer-based systems communicate with each other. The proliferation of personal computers, portable terminals, and hand-held computers accessing larger systems by standard public telephone networks has increased the potential for network penetration. As telecommunications and data processing technology continue to expand, we should evaluate how they affect the overall data security of the University.

Data that are transmitted over telecommunications lines may be subject to a variety of exposures: disclosure, errors, misrouted messages, or third-party negligence. To the extent possible, we should attempt to recommend controls that are primarily preventive in nature. In the absence of preventive controls, we should recommend detective controls that will act both as an audit trail and as a deterrent.

GENERAL

  1. Are there documented procedures for using the telecommunications network? (If so, obtain a copy.)
  2. Have the responsibility and liability of the University and the network vendors been defined (e.g., in contracts)?
  3. Is there an inventory of data communications equipment, including lines, terminals, modems, controllers, etc.?
  4. Has a network diagram, which illustrates physical and logical connections between communications equipment, been prepared?
  5. Does network documentation include a description of:
  6. Has communications equipment been labeled to facilitate cross-reference to documentation?
  7. Are authorization codes required to:
  8. Are different authorization codes required to perform different transactions?
  9. Are authorization codes controlled to restrict unauthorized usage?
  10. Are authorization codes periodically changed?
  11. Are terminals physically or logically defined to the network on the basis of written authorization?
  12. Is a terminal identification check performed by the computer so that various transaction types can be limited to authorized data entry and editing stations?
  13. Is network usage of critical applications restricted to business hours?
  14. Is supervisory approval needed to bring terminal/lines up outside of scheduled operating hours?

PERFORMANCE/INTEGRITY

  1. Is there a specific terminal designed to monitor activity within the on-line system?
  2. Have performance standards been established?
  3. Do priorities (by terminal or application requirements) assigned to each network line seem reasonable?
  4. Do network support personnel review new applications to determine their impact on existing systems?
  5. Does capacity planning include analyses of message length, protocol, transaction volume, and message traffic?
  6. Are response times measured and evaluated for possible enhancement of communications throughput?
  7. Is polling of communications peripherals utilized? If so, does the pause parameter (the time frame between each line scan of inactive devices) seem reasonable?
  8. Is hardware performance compared to vendor specifications?
  9. Does management routinely review vendor services performed?
  10. Are periodic checks of the network made to verify proper operation and detect terminal/line/modem errors?
  11. Are communications hardware failures documented, including corrective actions taken?
  12. Have guidelines for communications modem "wrap tests" been established? (Wrap tests are run to determine whether errors are caused by modems, terminals, or controllers.)
  13. Are modem switch settings periodically compared to the network configuration line specifications?
  14. If leased circuits are used, has line conditioning been considered to reduce transmission errors?
  15. Has digital transmission been considered to reduce transmission errors?
  16. Have procedures been established to ensure that all transactions sent have been received (e.g., by comparing record counts sent and received)?
  17. In messaging or communications systems that use a store and forward system (e.g., GE Network, INCOTEL), are there appropriate controls to ensure that communications were sent to their proper destinations?
  18. Is there a review of all transaction messages that are unaccounted for, distorted, duplicated, or delayed?
  19. Does the on-line software log all errors and retransmissions?
  20. Is an individual assigned to review error logs and notify the security personnel of anything unusual?
  21. Is there a method for creating a journal (trail) of all messages sent?
  22. Does each message contain identifying information such as:
  23. Is there a method (sequence number on each message) to account for all messages and to identify illegal messages?
  24. Are there back-up facilities for the on-line system in the event of an emergency?
  25. Are dial-up lines used in case of leased line failures?
  26. If so, is there a sufficient number of dial-up lines (2 lines per modem) available to facilitate the Switched Network Back-up Compatibility (SNBU)?
  27. Are there back-up modems available for these lines?
  28. In the event of service interruptions, are there written procedures to follow for restarting the on-line network?
  29. Does the system provide for restart/recovery procedures to regain communication following hardware/software failure?
  30. If a service bureau is used, does it provide adequate back-up and recovery controls?
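The following is an added example and not part of the questionnaire. It shows, in working code, the controls that items 16, 18, 21 and 23 above ask about: a journal of every message sent, identifying information on each message (origin terminal, sequence number, time sent), a comparison of record counts sent and received, and a review that flags messages which are missing, duplicated, delayed or illegal (an origin not defined to the network, or a sequence number that was never issued). The journal layout, the terminal names, the timestamps and the 60-second delay threshold are constructed for the example.

```python
"""Journal reconciliation for a store-and-forward message system.

Added example, not from the questionnaire. Each message carries an origin
terminal identifier, a per-origin sequence number and the time it was sent;
the receiving end records the time of arrival. The reconciliation compares
the sender's and receiver's journals and reports every discrepancy.
"""

# Terminals defined to the network as authorized senders (constructed).
AUTHORIZED_TERMINALS = {"T01", "T02"}

# Messages arriving more than this many seconds after being sent are
# reported as delayed (assumed value for the example).
DELAY_THRESHOLD = 60

# Sender's journal: (origin, sequence number, seconds-of-day sent). Constructed.
SENT_JOURNAL = [
    ("T01", 1, 9000),
    ("T01", 2, 9010),
    ("T01", 3, 9020),
    ("T02", 1, 9005),
    ("T02", 2, 9030),
]

# Receiver's journal: (origin, sequence, sent_at, received_at). Constructed so
# that it contains a duplicate, a delayed message, a sequence number that was
# never issued, and a message from a terminal not defined to the network.
RECEIVED_JOURNAL = [
    ("T01", 1, 9000, 9002),
    ("T01", 2, 9010, 9011),
    ("T01", 2, 9010, 9012),   # duplicate of the previous message
    ("T02", 1, 9005, 9100),   # 95 seconds in transit: delayed
    ("T02", 7, 9040, 9041),   # sequence number never issued by T02
    ("T09", 1, 9050, 9051),   # T09 is not an authorized terminal
]


def reconcile(sent_journal, received_journal,
              authorized=AUTHORIZED_TERMINALS, delay_threshold=DELAY_THRESHOLD):
    """Return a report of counts and of missing, duplicated, delayed and
    illegal messages, keyed by (origin, sequence number)."""
    sent_keys = {(origin, seq) for origin, seq, _ in sent_journal}
    seen = set()
    duplicated, delayed, illegal = [], [], []

    for origin, seq, sent_at, received_at in received_journal:
        key = (origin, seq)
        if key in seen:
            # Same origin and sequence number already journaled: duplicate.
            duplicated.append(key)
            continue
        seen.add(key)
        if origin not in authorized or key not in sent_keys:
            # Unknown origin, or a sequence number the sender never issued.
            illegal.append(key)
            continue
        if received_at - sent_at > delay_threshold:
            delayed.append(key)

    # Anything the sender journaled that never appeared at the receiver.
    missing = sorted(sent_keys - seen)

    return {
        # Record counts sent and received; a mismatch is itself a finding.
        "counts": {"sent": len(sent_journal), "received": len(received_journal)},
        "missing": missing,
        "duplicated": sorted(duplicated),
        "delayed": sorted(delayed),
        "illegal": sorted(illegal),
    }


if __name__ == "__main__":
    report = reconcile(SENT_JOURNAL, RECEIVED_JOURNAL)
    for finding, value in report.items():
        print(f"{finding:>10}: {value}")
```

The review an auditor would ask for under item 18 is the list of keys in each finding category; the record counts under "counts" answer item 16 and will differ whenever anything is missing or duplicated.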

DIAL-UP SECURITY

  1. Is there a list of authorized users of dial-up facilities?
  2. Have provisions been established to ensure the confidentiality of telephone numbers (e.g., unlisted)?
  3. Are dial-up telephone numbers changed periodically?
  4. Are dial-up telephone numbers on a three-digit exchange that is different from the University's main, published number?
  5. Are telephone numbers removed from modems to prevent access to the dial-in telephone number?
  6. Is a "call-back" to a specific telephone number and reverification of the user ID required?
  7. Can the CPU interrogate a dial-up terminal, automatically obtain its ID, and verify that the terminal calling is the same terminal that "says" it is calling?
  8. Does the system disconnect users who hang up the telephone without properly logging off?

PHYSICAL SECURITY

  1. Are physical and environmental concerns adequately addressed to protect communications equipment from adverse operating environments?
  2. Are communications controllers located in a secure area under the control of operations personnel or a central communications facility?
  3. Is the telephone equipment room secured?
  4. Are cables and video display screens electrically shielded to prevent electrical emanations or physical tampering?
  5. Are cable/line closets locked and unlabeled?
  6. Are cables/lines periodically checked for active/passive wiretaps?
  7. Is access to test equipment (e.g., data scopes, line monitors) and diagnostic communications software restricted to appropriate personnel?
  8. Is test equipment used to monitor the communications network controlled?
  9. Is a data scope being used to monitor on-line circuits and equipment? If so:
  10. Are logon, system commands, and on-line transaction documentation manuals labeled as confidential and placed in a secured area when not in use?

LOGICAL SECURITY

  1. Are passwords and unique user codes required to logon to communications software?
  2. Has the principle of least privilege (i.e., granting the minimum access authorization necessary to perform required tasks) been implemented?
  3. Are only authorized personnel permitted to access communications software? If so, who?
  4. Are only authorized personnel permitted to inspect storage buffers (e.g., with NCCF software or data scopes, users can examine messages, including IDs and passwords)?
  5. If the network has been configured to allow remote terminal functions (e.g., vendor maintenance or service) by non-University personnel, are vendor field service default parameters reviewed for demonstrated need?
  6. If a service bureau is being used to transmit data, has it provided adequate security measures for ID and password control?
  7. Does the system prevent the display of any "HELP" information before the user has successfully logged on?
  8. During logon, does the system inform the user when he/she last logged off?
  9. Are terminal buffers erased after successful logon?
  10. Are users prevented from making an unlimited number of unsuccessful logon attempts?
  11. If there are nonexistent terminals predefined in the system tables, are intruder terminals prevented from being attached to the system as one of the predefined entities?
  12. If sensitive information is being processed, are there adequate controls to ensure that output can only be directed to "authorized" printers or "authorized" print facilities?
  13. Has message encryption been considered as a means of securing sensitive data and passwords during transmission?
  14. If encryption is being used, have controls over the encryption key been developed?
  15. Does the system employ a method of traffic flow security to conceal the presence of valid messages on the line by causing the circuit to appear busy at all times or by encrypting the source and destination addresses of valid messages?
  16. On systems with electronic mail capability where messages pop up in interactive mode, have users been instructed that a request for an ID/password appearing in such a message is not a legitimate system request and should be ignored?
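The following is an added example and not part of the questionnaire. It implements, for a communications front end, the logon behaviour items 7, 8 and 10 of this section ask about: no HELP information is shown until a session is authenticated, the user is told when they last logged off, and an account is locked after a fixed number of unsuccessful attempts. It also ends the session when the line drops without a proper logoff (DIAL-UP SECURITY item 8). The user names, the password table and the limit of three attempts are assumptions for the example; passwords are compared as salted PBKDF2 hashes so the table never holds them in clear.

```python
"""Logon controls for a communications front end (added example).

Implements: HELP refused before logon, last-logoff notice at logon, lockout
after MAX_FAILED_ATTEMPTS failures, and forced session end on line drop.
Credential table and user names are constructed for the example.
"""
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 3   # assumed lockout threshold


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password; stored instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LogonController:
    def __init__(self, credentials: dict):
        # credentials: {user: password}, constructed; only salted hashes are kept.
        self._store = {}
        for user, password in credentials.items():
            salt = os.urandom(16)
            self._store[user] = (salt, _derive(password, salt))
        self._failed = {user: 0 for user in self._store}
        self._locked = set()
        self._last_logoff = {}          # user -> time of last proper logoff
        self.session_user = None        # None until a logon succeeds

    def help(self) -> str:
        """Item 7: no HELP text before a successful logon."""
        if self.session_user is None:
            return "LOGON REQUIRED"
        return "COMMANDS: SEND, STATUS, LOGOFF"

    def logon(self, user: str, password: str) -> str:
        """Items 8 and 10: lockout after repeated failures, last-logoff notice."""
        if user in self._locked:
            return "ACCOUNT LOCKED"
        record = self._store.get(user)
        if record is None:
            valid = False                # unknown user: same reply as a bad password
        else:
            salt, digest = record
            valid = hmac.compare_digest(digest, _derive(password, salt))
        if not valid:
            if user in self._failed:
                self._failed[user] += 1
                if self._failed[user] >= MAX_FAILED_ATTEMPTS:
                    self._locked.add(user)
            return "LOGON FAILED"
        self._failed[user] = 0
        self.session_user = user
        last = self._last_logoff.get(user, "none recorded")
        return f"LOGON OK; last logoff: {last}"

    def logoff(self, at: str) -> None:
        """Proper logoff: record the time so it can be shown at the next logon."""
        if self.session_user is not None:
            self._last_logoff[self.session_user] = at
        self.session_user = None

    def line_dropped(self) -> None:
        """Carrier lost without logoff: end the session so it cannot be resumed."""
        self.session_user = None


if __name__ == "__main__":
    ctl = LogonController({"ops1": "correct horse battery"})   # constructed
    print(ctl.help())                                 # LOGON REQUIRED
    print(ctl.logon("ops1", "correct horse battery"))
    ctl.logoff("09:30")
    print(ctl.logon("ops1", "correct horse battery"))  # reports last logoff 09:30
```

The last-logoff notice gives the user a chance to notice a session they did not start, and the lockout counter is only kept for defined users so that probing for valid IDs yields the same "LOGON FAILED" reply as a wrong password.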