A PBX Audit Checklist

This list was compiled from a brave posting made on the CISSA's mailing list and then augmented with principles from Protection and Security on the Information Superhighway .

Part C - Standards and Procedures

Check all that apply:

PBX audit is done of each PBX at least once per quarter by internal IT auditors.
Internal PBX audit includes:

Verifying that all records kept in electronic form (as identified above).
Verifying that all changes are within normal operating parameters.
Verifying that technical protection is set appropriately.
Detecting substantial deviations from normal operating conditions.
Performing tests to verify that actual operation corresponds to percieved operation.

Internal PBX auditors review all aspects of this checklist as well as other aspects of PBX protection at least once per year.
External PBX audit is done at least once per year.
External PBX audit includes:

Examining sample internal audit reports to verify that internal audit meets the requirements specified herein.
Examining sample PBX systems to find discrepencies between internal audit reports and reality.
Examining the overall scheme of operation and protection.
Performing tests to verify that actual operation corresponds to percieved operation.
Looking for recently discovered vulnerabilities to determine if internal audit and protection are keeping up with the state-of-the-art.
Comparing protection to comperable organizations and assessing the implications of any differences.
Providing an overall assessment of the balance between risks, benefits, and costs associated with the PBX protection function.

At least once per month, financial audit reconciles all PBX and telephone related bills and costs and identifies and investigates any substantial deviations.
PBX auditors are fully trained in the specific systems being audited and are periodically updated regarding new threats and defenses.
With maximum value of