A PBX Audit Checklist


This list was compiled from a brave posting made on the CISSA's mailing list and then augmented with principles from Protection and Security on the Information Superhighway.


Part H - Testing

Check all that apply:



The PBX is tested for known flaws at least weekly.
The UPS is tested at least monthly.
The motor generator is tested at least quarterly.
All incident response plans are tested at least yearly.
Backups are tested at least monthly.
Audit mechanisms are tested at least quarterly.
Audit computers are tested periodically.
False incidents are presented to managers to test their response at least every other year.
All trunk lines are tested periodically for proper operation.
Call blocking features are tested at least quarterly.
Voicemail mailboxes are tested at least quarterly.
Non-programming ports are tested for programming features on a random basis.
Blind external testing is done by external auditors.
With maximum value of