S 4.5 Logging of PBX administration jobs

Initiation responsibility: PBX officer; IT Security Management

Implementation responsibility: Administrators

All entries made through the PBX service ports should be logged. This may be done either through a logging printer and/or on other data media. The PBX administrator must not have any write access to the generated log files. The print-outs supplied by the printer should be serially numbered, and the individual logging messages should have sequential message numbers.

In collaboration with ZVEI, the Central Association of the Electrical and Electronics Industry, BSI has drawn up a catalogue of requirements which contains improved logging. This catalogue is to be used when purchasing new PBX systems for federal agencies. In the event that PBX systems are already in place, the extent to which manufacturers can offer improvements as updates should be reviewed.

Additional controls:

• Does logging take place?
• Is it possible to ascertain whether the logging printer has been switched off?

© Copyright by Bundesamt für Sicherheit in der Informationstechnik 2000