Telecommunications - Preliminary Survey
In starting any telecommunications audit, begin with the person
responsible for the organization's telecommunications management
function. The following questions are designed to help gather
the information needed to complete the audit:
Network Records
- Where are the records of network inventory and configuration
stored?
- Who has access to these records?
- Who is the custodian?
- How is access controlled?
Telecommunications Operating System Software
- Where are the backup copies of telecommunications operating
system software stored?
- How often are these backup copies tested to ensure they can
be used in an emergency?
- Who has access to the system software?
- Who is the custodian? How is access to system software controlled?
- How are changes and upgrades to the telecommunications software
handled?
- Where is the file of system changes stored?
Telecommunications Diagnostic Software
- Obtain a list of diagnostic software used by the telecommunications
group (i.e., software that can be used to alter operating system
parameters and equipment features, often without leaving an adequate
audit trail). Where is diagnostic software stored?
- Who is the custodian?
- How is access controlled?
- Under what circumstances is diagnostic software used?
- How is such use monitored?
Telecommunications Diagnostic/Test Equipment
- Obtain a list of diagnostic/test equipment used by the telecommunications
group (i.e., equipment that may be used to make telephone calls that
can bypass certain equipment and its controls). Where is diagnostic/test
equipment stored?
- Who has access? How is access controlled?
- Under what circumstances is diagnostic/test equipment used?
- How is such use monitored?
Trouble/Event Reporting System
- Describe the trouble reporting or event reporting system.
- How do users report situations to telecommunications management?
- What is the average monthly volume of reports?
- Describe how trouble reports are handled.
- When or how often is the user informed of the status or resolution?
- To whom do the reports go when they have been resolved?
- Which summary reports are prepared on events, trends, conditions,
or cases?
- Who receives these reports?
Training of Telecommunications Staff
- What experience and training do the telecommunications staff
have currently?
- What are the training plans for the coming year?
- Have the costs for these plans been included in the current
budget?
- In which professional associations do staff members participate?
Determination of Telecommunications Needs
- How are employees' telecommunications needs determined?
- How are changes to the levels of service demands or changes
to these needs monitored?
Telecommunications Vendors
- What methods are used to select telecommunications vendors?
- What is the current evaluation of each vendor?
- Have these evaluations been documented and discussed with
the interested parties (upper management, purchasing, and the
vendor)?
Employee Awareness Campaigns
- What employee information campaigns have been tried in the
past year concerning the abuse of telephone privileges or information/telecommunication
security?
Telephone Directories/Lists
- What are the procedures for issuing and destroying campus
telephone directories and lists?
- Which lists are stored on computers?
Telecommunications and Information Security
- What is the relationship between the telecommunications staff
and the information security staff and/or the University's security
group?
- What is the relationship between the telecommunications staff
at various locations and their counterparts at the headquarters?
- How are telecommunications operations/services coordinated?
Telecommunications Policy and Proprietary Information Policy
- Obtain a copy of the current Telecommunications Policy and
Proprietary Information Policy, or their equivalents. How often
are these policies reviewed by employees? By managers with their
employees? By senior management to see if they continue to meet
the needs of the University?
- What are the restrictions on employee use of telecommunications
for personal business?
- How are employee calls monitored?
- How often are these details reviewed? By whom?
Access Codes and Passwords
- Who maintains the access codes (personal identification numbers)
list?
- Who else has access?
- How is this access controlled?
- Who assigns passwords?
- How often are these changed, and what is the notification
process?
- What is the method of distribution for new passwords? For
changes?
Telephone Switch Room
- Where is the telephone switch room located?
- Is the physical security over the telecommunications equipment
in the switch room adequate?
- Who has access to the switch room?
- How is this access controlled?
Physical Inventory
- How often is a physical inventory taken?
- What group performs this inventory?
- Where are the records of the latest inventory and reconciliation?
- How is purchased equipment distinguished from leased equipment?
Business Continuity/Disaster Recovery Plan
- Does the campus have its own Business Continuity/Disaster Recovery
Plan?
- Where is the Business Continuity/Disaster Recovery Plan stored?
- When was it last reviewed?
- When was the last exercise, and where are the records of the
critique?
- What are the routine backup procedures?
- Which systems are backed up, how often, and where are the copies stored?
Telecommunications Services
- Who is authorized to order telecommunications services?
- Where are the service order files stored?
- Describe the billing arrangements for telecommunications services.
- Who reconciles the telephone bills?
- How are discrepancies resolved?
Fraud Awareness Training
- What type of fraud awareness training is in place for telecommunications
staff? For operating and general management?