A PBX Audit Checklist


This list was compiled from a brave posting made on the CISSA's mailing list and then augmented with principles from Protection and Security on the Information Superhighway.


Part F - Technical Safeguards

Check all that apply:



Technical safeguards vary by system; however, at a general level, the following requirements should be met. System-specific checklists are provided elsewhere.
Direct inward system access capabilities are deactivated or removed from the PBX software.
Programming ports are limited to specific ports in trusted areas.
Modems used for remote access to programming and/or maintenance ports are powered off except during periods when remote maintenance is being performed.
After remote maintenance is completed, a complete dump of internal parameters is made and reconciled with previous dumps.
All voicemail mailboxes that are not assigned are disabled.
All assigned voicemail mailboxes have non-default, non-trivial, non-extension, maximum-length passwords.
No voicemail mailbox greetings consist of messages like "YES ... YES ... YES ..." (which an operator may take as acceptance of collect-call charges).
An uninterruptible power supply is used to assure continuity of operation.
The UPS is tested periodically to assure its proper operation.
A motor generator is used to assure continuity of operation during sustained power outages.
The motor generator is tested periodically to assure its proper operation.
All 976, 900, 700, and other pay-per-use calls are blocked.
All extensions not requiring outside access are properly limited.
All extensions not requiring long distance access are properly limited.
Incoming calls from outside lines cannot be redirected to make outside calls.
All transactions are recorded in an external computer system.
All phones not routed through the PBX are identified and controlled separately.
Digital services routed through PBX systems are limited to fixed routes.
Modem services through the PBX are restricted to access from known extensions.
Modem service is restricted so that it cannot call back into the PBX.
Hang-up times are non-zero for all PBX extensions.
With maximum value of
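The voicemail mailbox items above (unassigned mailboxes disabled; assigned mailboxes with non-default, non-trivial, non-extension, maximum-length passwords) can be checked mechanically against a mailbox export. The following is an added example, not part of the original checklist; it assumes a CSV export with the columns shown and a site maximum PIN length of 8, and the default-PIN set and export rows are constructed for illustration.

```python
import csv
import io

# Constructed sample mailbox export (not from any real PBX): mailbox, extension, assigned, enabled, pin
SAMPLE_EXPORT = """mailbox,extension,assigned,enabled,pin
2001,2001,yes,yes,2001
2002,2002,yes,yes,1234
2003,2003,yes,yes,83047
2004,2004,no,yes,0000
2005,2005,no,no,
2006,2006,yes,yes,84915562
"""
MAX_PIN_LENGTH = 8                       # assumed site maximum; the checklist wants maximum-length passwords
DEFAULT_PINS = {"0000", "1234", "1111"}  # constructed stand-ins for vendor default PINs

def is_trivial(pin):
    """Repeated digits (1111) or a straight ascending/descending run (1234, 4321)."""
    if len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})

def audit_mailbox(row):
    """Return the checklist findings for one mailbox row (empty list = passes)."""
    findings, pin = [], row["pin"]
    if row["assigned"] != "yes":               # unassigned mailboxes must be disabled
        return ["unassigned mailbox is enabled"] if row["enabled"] == "yes" else []
    if not pin:
        return ["no password set"]
    if pin in DEFAULT_PINS:
        findings.append("default password")
    if is_trivial(pin):
        findings.append("trivial password")
    if pin in (row["extension"], row["extension"][::-1], row["mailbox"]):
        findings.append("password derived from extension")
    if len(pin) < MAX_PIN_LENGTH:
        findings.append(f"password shorter than maximum length {MAX_PIN_LENGTH}")
    return findings

def audit_export(text):
    """Map each failing mailbox to its findings; passing mailboxes are omitted."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["mailbox"]: f for r in rows if (f := audit_mailbox(r))}

if __name__ == "__main__":
    for box, problems in audit_export(SAMPLE_EXPORT).items():
        print(box, "->", "; ".join(problems))
```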