Telecommunications Internal Control Questionnaires
OBJECTIVES
The objective of this ICQ is to evaluate the way in which users
and computer-based systems communicate with each other. The proliferation
of personal computers, portable terminals, and hand-held computers
accessing larger systems by standard public telephone networks
has increased the potential for network penetration. As telecommunications
and data processing technology continue to expand, we should evaluate
how they affect the overall data security of the University.
Data that are transmitted over telecommunications lines may be
subject to a variety of exposures: disclosure, errors, misrouted
messages, or third-party negligence. To the extent possible, we
should attempt to recommend controls that are primarily preventive
in nature. In the absence of preventive controls, we should recommend
detective controls that will act both as an audit
trail and as a deterrent.
GENERAL
- Are there documented procedures for using the telecommunications
network? (If so, obtain a copy.)
- Has the responsibility and liability of the University and
network vendors been defined (e.g., contracts)?
- Is there any inventory of data communications equipment, including
lines, terminals, modems, controllers, etc.?
- Has a network diagram, which illustrates physical and logical
connections between communications equipment, been prepared?
- Does network documentation include a description of:
  - data communications equipment used to support each network
application?
  - protocols used?
  - gateways to other networks?
- Has communications equipment been labeled to facilitate cross
reference to documentation?
- Are authorization codes required to:
  - access the computer system?
  - access the applications programs?
  - perform transactions?
- Are different authorization codes required to perform different
transactions?
- Are authorization codes controlled to restrict unauthorized
usage?
- Are authorization codes periodically changed?
- Are terminals physically or logically defined to the network
on the basis of written authorization?
- Is a terminal identification check performed by the computer
so that various transaction types can be limited to authorized
data entry and editing stations?
- Is network usage of critical applications restricted to business
hours?
- Is supervisory approval needed to bring terminals/lines up
outside of scheduled operating hours?
- Is there a specific terminal designed to monitor activity
within the on-line system?
- Have performance standards been established?
- Do priorities (by terminal or application requirements) assigned
to each network line seem reasonable?
- Do network support personnel review new applications to determine
their impact on existing systems?
- Does capacity planning include analyses of message length,
protocol, transaction volume, and message traffic?
- Are response times measured and evaluated for possible enhancement
of communications throughput?
- Is polling of communications peripherals utilized? If so,
does the pause parameter (the time frame between each line scan of
inactive devices) seem reasonable?
- Is hardware performance compared to vendor specifications?
- Does management routinely review vendor services performed?
- Are periodic checks of the network made to verify proper operation
and detect terminal/line/modem errors?
- Are communications hardware failures documented, including
corrective actions taken?
- Have guidelines for communications modem "wrap tests"
been established? (Wrap tests are run to determine whether errors
are caused by modems, terminals, or controllers.)
- Are modem switch settings periodically compared to the network
configuration line specifications?
- If leased circuits are used, has line conditioning been considered
to reduce transmission errors?
- Has digital transmission been considered to reduce transmission
errors?
- Have procedures been established to ensure that all transactions
sent have been received? (E.g., record counts sent/received?)
- In messaging or communications systems that use a store and
forward system (e.g., GE Network, INCOTEL), are there appropriate
controls to ensure that communications were sent to their proper
destinations?
- Is there a review of all transaction messages that are unaccounted
for, distorted, duplicated, or delayed?
- Does the on-line software log all errors and retransmissions?
- Is an individual assigned to review error logs and notify
the security personnel of anything unusual?
- Is there a method for creating a journal (trail) of all messages
sent?
- Does each message contain identifying information such as:
  - Port number (if dialed)?
  - Message number?
  - Terminal?
  - User?
  - Date?
  - Transaction Code?
  - End-of-message?
  - End-of-transmission?
- Is there a method (sequence number on each message) to account
for all messages and to identify illegal messages?
- Are there back-up facilities for the on-line system in the
event of an emergency?
- Are dial-up lines used in case of leased line failures?
- If so, is there a sufficient number of dial-up lines (2 lines
per modem) available to facilitate the Switched Network Back-up
Compatibility (SNBU)?
- Are there back-up modems available for these lines?
- In the event of service interruptions, are there written procedures
to follow for restarting the on-line network?
- Does the system provide for restart/recovery procedures to
regain communication following hardware/software failure?
- If a service bureau is used, does it provide adequate back-up
and recovery controls?
- Is there a list of authorized users of dial-up facilities?
- Have provisions been established to ensure the confidentiality
of telephone numbers (e.g., unlisted)?
- Are dial-up telephone numbers changed periodically?
- Are dial-up telephone numbers on a three-digit exchange that
is different from the University's main, published number?
- Are telephone numbers removed from modems to prevent access
to the dial-in telephone number?
- Is a "call-back" to a specific telephone number
and reverification of the user ID required?
- Can the CPU interrogate a dial-up terminal, automatically
obtain its ID, and verify that the terminal calling is the same
terminal that "says" it is calling?
- Does the system disconnect users who hang up the telephone
without properly logging off?
- Are physical and environmental concerns adequately addressed
to protect communications equipment from adverse operating environments?
- Are communications controllers located in a secure area under
the control of operations personnel or a central communications
facility?
- Is the telephone equipment room secured?
- Are cables and video display screens electrically shielded
to prevent electrical emanations or physical tampering?
- Are cable/line closets locked and unlabeled?
- Are cables/lines periodically checked for active/passive wiretaps?
- Is access to test equipment (e.g., data scopes, line monitors)
and diagnostic communications software restricted to appropriate
personnel?
- Is test equipment used to monitor the communications network
controlled?
- Is a data scope being used to monitor on-line circuits and
equipment? If so:
  - Is it in a secured area?
  - Does it log entries?
  - Does it have the capability to enter data onto a line?
  - Does the unit restrict access to authorized personnel only?
- Are logon, system commands, and on-line transaction documentation
manuals labeled as confidential and placed in a secured area when
not in use?
- Are passwords and unique user codes required to logon to communications
software?
- Has the principle of least privilege (e.g., granting the minimum
access authorization necessary for performance of required tasks)
been implemented?
- Are only authorized personnel permitted to access communications
software? If so, who?
- Are only authorized personnel permitted to inspect storage
buffers (e.g., using NCCF software or data scopes, users can examine
messages, including IDs and passwords)?
- If the network has been configured to allow remote terminal
functions (e.g., vendor maintenance or service) by non-University
personnel, are vendor field service default parameters reviewed
for demonstrated need?
- If a service bureau is being used to transmit data, has it
provided adequate security measures for ID and password control?
- Does the system prevent the display of any "HELP"
information before the user has successfully logged on?
- During logon, does the system inform the user when he/she
last logged off?
- Are terminal buffers erased after successful logon?
- Are users prevented from making an unlimited number of unsuccessful
logon attempts?
- If there are nonexistent terminals predefined in the system
tables, are intruder terminals prevented from being attached to
the system as one of the predefined entities?
- If sensitive information is being processed, are there adequate
controls to ensure that output can only be directed to "authorized"
printers or "authorized" print facilities?
- Has message encryption been considered as a means of securing
sensitive data and passwords during transmission?
- If encryption is being used, have controls over the encryption
key been developed?
- Does the system employ a method of traffic flow security to
conceal the presence of valid messages on the line by causing
the circuit to appear busy at all times or by encrypting the source
and destination addresses of valid messages?
- On systems with electronic mail capability where messages
pop up in interactive mode, have users been instructed to ignore
an intruder's request for an ID/password by being informed that
this is not a legitimate system request?
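As an added example, not part of the original questionnaire, the following shows how the message-accounting questions above (record counts sent/received, a sequence number on each message, and review of messages that are unaccounted for, distorted, duplicated, or delayed) can be checked mechanically by reconciling a sender journal against a receiver journal. The pipe-separated journal layout, the sample entries, and the 60-second delay threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample journals (not from any real system). Fields, in order:
# message number | terminal | user | timestamp | transaction code
SENT_JOURNAL = """\
1001|T17|jdoe|1994-03-02 09:00:05|PAY
1002|T17|jdoe|1994-03-02 09:00:40|PAY
1003|T22|asmith|1994-03-02 09:01:10|ADJ
1004|T22|asmith|1994-03-02 09:02:00|ADJ
1005|T17|jdoe|1994-03-02 09:02:30|PAY
"""
RECEIVED_JOURNAL = """\
1001|T17|jdoe|1994-03-02 09:00:07|PAY
1002|T17|jdoe|1994-03-02 09:00:42|PAY
1002|T17|jdoe|1994-03-02 09:00:42|PAY
1004|T22|asmith|1994-03-02 09:05:15|ADJ
1005|T17|jdoe|1994-03-02 09:02:33|PAY
2001|T99|nobody|1994-03-02 09:03:00|PAY
"""

def parse_journal(text):
    """Turn journal lines into (seq, terminal, user, timestamp, txcode) tuples."""
    rows = []
    for line in text.splitlines():
        seq, term, user, ts, code = line.split("|")
        rows.append((int(seq), term, user,
                     datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), code))
    return rows

def reconcile(sent_text, received_text, max_delay=timedelta(seconds=60)):
    """Account for every message by sequence number and flag the exceptions
    the questionnaire asks about: unaccounted for (missing), duplicated,
    distorted or never sent (illegal), and delayed beyond max_delay."""
    sent_rows = parse_journal(sent_text)
    sent = {r[0]: r for r in sent_rows}          # index sender journal by seq
    received = parse_journal(received_text)
    report = {"sent": len(sent_rows), "received": len(received),
              "missing": [], "duplicated": [], "illegal": [], "delayed": []}
    seen = set()
    for seq, term, user, ts, code in received:
        if seq in seen:                          # same message number twice
            report["duplicated"].append(seq)
            continue
        seen.add(seq)
        orig = sent.get(seq)
        if orig is None or (orig[1], orig[2], orig[4]) != (term, user, code):
            report["illegal"].append(seq)        # unknown seq or altered fields
        elif ts - orig[3] > max_delay:
            report["delayed"].append(seq)
    report["missing"] = sorted(s for s in sent if s not in seen)
    return report
```

A sent/received count mismatch alone only says something is wrong; the per-sequence lists tell the reviewer which messages to investigate.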