Telecommunications - Preliminary Survey

In starting any telecommunications audit, begin with the person responsible for the organization's telecommunications management function. The following questions are designed to help gather the information needed to complete the audit:

Network Records

  1. Where are the records of network inventory and configuration stored?
  2. Who has access to these records?
  3. Who is the custodian?
  4. How is access controlled?

Telecommunications Operating System Software

  1. Where are the backup copies of telecommunications operating system software stored?
  2. How often are these backup copies tested to ensure they can be used in an emergency?
  3. Who has access to the system software?
  4. Who is the custodian? How is access to system software controlled?
  5. How are changes and upgrades to the telecommunications software handled?
  6. Where is the file of system changes stored?

Telecommunications Diagnostic Software

  1. Obtain a list of diagnostic software used by the telecommunications group (i.e., software that can be used to alter operating system parameters and equipment features, often without leaving an adequate audit trail). Where is diagnostic software stored?
  2. Who is the custodian?
  3. How is access controlled?
  4. Under what circumstances is diagnostic software used?
  5. How is such use monitored?

Telecommunications Diagnostic/Test Equipment

  1. Obtain a list of diagnostic/test equipment used by the telecommunications group (i.e., equipment that may be used to make telephone calls that can bypass certain equipment and its controls). Where is diagnostic/test equipment stored?
  2. Who has access? How is access controlled?
  3. Under what circumstances is diagnostic/test equipment used?
  4. How is such use monitored?

Trouble/Event Reporting System

  1. Describe the trouble reporting or event reporting system.
  2. How do users report situations to telecommunications management?
  3. What is the average monthly volume of reports?
  4. Describe how trouble reports are handled.
  5. When or how often is the user informed of the status or resolution?
  6. To whom do the reports go when they have been resolved?
  7. Which summary reports are prepared on events, trends, conditions, or cases?
  8. Who receives these reports?

Training of Telecommunications Staff

  1. What experience and training do the telecommunications staff have currently?
  2. What are the training plans for the coming year?
  3. Have the costs for these plans been included in the current budget?
  4. In which professional associations do staff members participate?

Determination of Telecommunications Needs

  1. How are employees' telecommunications needs determined?
  2. How are changes in service demand levels or in these needs monitored?

Telecommunications Vendors

  1. What methods are used to select telecommunications vendors?
  2. What is the current evaluation of each vendor?
  3. Have these evaluations been documented and discussed with the interested parties (upper management, purchasing, and the vendor)?

Employee Awareness Campaigns

  1. What employee information campaigns have been tried in the past year concerning the abuse of telephone privileges or information/telecommunication security?

Telephone Directories/Lists

  1. What are the procedures for issuing and destroying campus telephone directories and lists?
  2. Which lists are stored on computers?

Telecommunications and Information Security

  1. What is the relationship between the telecommunications staff and the information security staff and/or the University's security group?
  2. What is the relationship between the telecommunications staff at various locations and their counterparts at the headquarters?
  3. How are telecommunications operations/services coordinated?

Telecommunications Policy and Proprietary Information Policy

  1. Obtain a copy of the current Telecommunications Policy and Proprietary Information Policy, or their equivalents. How often are these policies reviewed by employees? By managers with their employees? By senior management to see if they continue to meet the needs of the University?
  2. What are the restrictions on employee use of telecommunications for personal business?
  3. How are employee calls monitored?
  4. How often are these details reviewed? By whom?

Access Codes and Passwords

  1. Who maintains the access codes (personal identification numbers) list?
  2. Who else has access?
  3. How is this access controlled?
  4. Who assigns passwords?
  5. How often are these changed, and what is the notification process?
  6. What is the method of distribution for new passwords? For changes?

Telephone Switch Room

  1. Where is the telephone switch room located?
  2. Is the physical security over the telecommunications equipment in the switch room adequate?
  3. Who has access to the switch room?
  4. How is this access controlled?

Physical Inventory

  1. How often is a physical inventory taken?
  2. What group performs this inventory?
  3. Where are the records of the latest inventory and reconciliation?
  4. How is purchased equipment distinguished from leased equipment?

Business Continuity/Disaster Recovery Plan

  1. Does the campus have its own Business Continuity/Disaster Recovery Plan?
  2. Where is the Business Continuity/Disaster Recovery Plan stored?
  3. When was it last reviewed?
  4. When was the last exercise, and where are the records of the critique?
  5. What are the routine backup procedures?
  6. Which systems are backed up, how often, and where are the copies stored?

Telecommunications Services

  1. Who is authorized to order telecommunications services?
  2. Where are the service order files stored?
  3. Describe the billing arrangements for telecommunications services.
  4. Who reconciles the telephone bills?
  5. How are discrepancies resolved?

Fraud Awareness Training

  1. What type of fraud awareness training is in place for telecommunications staff? For operating and general management?