8/9/2019 Voice Over Internet Protocol VoIP Audit Assurance Program Icq Eng 0112
Voice-over Internet Protocol (VoIP)
Audit/Assurance Program
ISACA®
With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) designations. ISACA continually updates COBIT, which helps IT professionals and enterprise leaders fulfil their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.
Disclaimer
ISACA has designed and created Voice-over Internet Protocol (VoIP) Audit/Assurance Program (the "Work") primarily as an informational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, audit and assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or IT environment.
Reservation of Rights
© 2012 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use and consulting/advisory engagements and must include full attribution of the material's source. No other right or permission is granted with respect to this work.
ISACA wishes to recognize:
Author
Jeff Kalwerisky, CISA, CA (SA), HISP, CP Interactive Inc., USA
Expert Reviewers
Diane [?]. [?]ili, USCI, Canada
Yves M. [?]orleans, CISA, Charles River Laboratories, USA
K. K. Mookhey, CISA, CISM, CRISC, CISSP, Network Intelligence India Pvt. Ltd., India
John G. Tannahill, CISM, CGEIT, CRISC, CA, J. Tannahill & Associates, Canada
ISACA Board of Directors
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Vice President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Vice President
Niraj Kapasi, CISA, Kapasi Bangad Tech Consulting Pvt. Ltd., India, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management, Inc., USA, Vice President
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, RSM Bird Cameron, Australia, Vice President
Emil D'Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd. (retired), USA, Past International President
Lynn C. Lawton, CISA, CRISC, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, Past International President
Allan Neville Boardman, CISA, CISM, CGEIT, CRISC, CA (SA), CISSP, Morgan Stanley, UK, Director
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP, Valuendo, Belgium, Director
Knowledge Board
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP, Valuendo, Belgium, Chairman
Michael A. Berardi Jr., CISA, CGEIT, Bank of America, USA
John Ho Chi, CISA, CISM, CRISC, CFE, CBCP, Ernst & Young LLP, Singapore
Phillip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Jon Singleton, CISA, FCA, Auditor General of Manitoba (retired), Canada
Patrick Stachtchenko, CISA, CGEIT, Stachtchenko & Associates SAS, France
Guidance and Practices Committee
Phillip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA, Chairman
Norwich University
Solvay Brussels School of Economics and Management
Strategic Technology Management Institute (STMI) of the National University of Singapore
University of Antwerp Management School
ASI System Integration
Hewlett-Packard
IMSOA Projects Inc.
Symantec Corp.
TruArx Inc.
Table of Contents
I. Introduction 4
II. Using This Document 5
III. Assurance and Control Framework 8
IV. Executive Summary of Audit/Assurance Focus 8
V. Audit/Assurance Program 12
1. Planning and Scoping the Audit 12
2. Preparatory Steps 14
3. Governance 16
4. Server Configuration 24
5. Network 32
6. Contingency Planning 33
VI. Maturity Assessment 35
Appendix 1. VoIP Threat Taxonomy 40
Appendix 2. Separation of Data and VoIP VLANs (Schematic) 41
Appendix 3. References 42
I. Introduction
Overview
Many organizations have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. Enterprises seek to integrate control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename these columns to align with the enterprise's control framework.
IT Governance, Risk and Control
IT governance, risk and control are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program will identify the control objectives and the steps to determine control design and effectiveness.
Responsibilities of IT Audit and Assurance Professionals
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and/or necessary subject matter expertise to adequately review the work performed.
II. Using This Document
This audit/assurance program was developed to assist the audit and assurance professional in designing and executing a review. Details regarding the format and use of the document follow.
Work Program Steps
The maturity assessment, which is described in more detail later in this document, makes up the last section of the program.
The audit/assurance plan wrap-up (those processes associated with the completion and review of work papers, preparation of issues and recommendations, report writing, and report clearing) has been excluded from this document since it is standard for the audit/assurance function and should be identified elsewhere in the enterprise's standards.
COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As professionals review each control, they should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for good-practice control guidance.
COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit and assurance professionals. This ties the assurance work to the enterprise's control framework. While the IT audit/assurance function uses COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control components within their report and summarize assurance activities to the audit committee of the board of directors.
For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level.
%h i i l C/S/ i t l t l ! t i d i t I 00D C/S/ i d
Figure 1: Comparison of COSO Internal Control and ERM Integrated Frameworks
(Left column: Internal Control Framework. Right column: ERM Integrated Framework.)
Risk Assessment (Internal Control Framework): Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and, thus, risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
Risk Assessment (ERM Integrated Framework): Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.
Risk Response (ERM Integrated Framework): Management selects risk responses (avoiding, accepting, reducing or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
Control Activities (Internal Control Framework): Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Control Activities (ERM Integrated Framework): Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
Information and Communication (Internal Control Framework): Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.
Information and Communication (ERM Integrated Framework): Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.
Monitoring (Internal Control Framework): Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.
Monitoring (ERM Integrated Framework): The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.
Information for figure 1 was obtained from the COSO web site, www.coso.org/aboutus.htm.
The original COSO internal control framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/assurance programs. As more enterprises implement the ERM model, the additional three columns can be added if relevant. When completing the COSO component columns, consider the definitions of the
III. Assurance and Control Framewor&
ISACA IT Assurance Framework and Standards
The ITAF sections relevant to VoIP server are 3630 General Controls and 3650 Auditing Applications.
ISACA Controls Framework
COBIT is a framework for the governance of IT and supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises.
As described in the following Executive Summary, VoIP server is an architecture that supports and drives business processes.
The primary COBIT processes associated with an implementation of VoIP server are as follows:
• PO2 Define the Information Architecture: Defined data classification scheme used to establish content security requirements
• PO6 Communicate Management Aims and Direction: Once governance and policies are established, communicating same to the users
• AI1 Identify Automated Solutions: Business requirements necessary to define and implement business processes
• AI3 Acquire and Maintain Technology Infrastructure: Technology architecture required to support the VoIP server environment and ensure alignment with the enterprise architecture
• DS5 Ensure Systems Security: Security configuration and processes required to secure the VoIP server contents
• DS9 Manage the Configuration: Configuration settings of the various servers which support the infrastructure of VoIP server
• DS11 Manage Data: Data management classification, storage, and retention
• ME2 Monitor and Evaluate Internal Control: The decentralized nature of VoIP server installations requires the monitoring of internal control as a part of the management structure
• ME3 Ensure Compliance with External Requirements: Compliance with regulatory and legal entities
Common terms related to VoIP are Internet Telephony, IP Telephony, Broadband Telephony and Voice-over Broadband. These terms each refer to how VoIP is being used and should be considered as referring to VoIP technologies, rather than being synonymous with VoIP.
Traditional analog circuit-based telephony, the public switched telephone network (PSTN), is owned and operated by the traditional local and international carriers, referred to as "telecoms." The legacy PSTN is based on circuit-switched Time Division Multiplexed (TDM) connections, also known as Plain Old Telephone Service (POTS).
VoIP provides an effective channel for voice and multimedia communications at lower cost and with greater flexibility.
VoIP has become an important component of modern corporate communications, and many enterprises depend entirely on it for voice and multimedia. As with most new technologies, there are both security opportunities and risk with VoIP. The risk includes improper or inadequate installation, commingling of voice and data on the same circuits, quality of service (QoS) and the likelihood of hacking attacks on VoIP networks. The opportunities include leveraging existing information security infrastructures to protect VoIP packet streams (e.g., firewalls) and the use of encryption to protect the confidentiality of voice and multimedia communications.
VoIP systems include traditional phone handsets, conferencing units and mobile devices, as well as other components such as call processors, gateways, routers, firewalls and various VoIP protocols. Due to the high-performance demands of VoIP (especially voice and video), standard network hardware and software are typically supplemented with special VoIP components.
A major advantage of wireless VoIP is that IP phones that work on Wi-Fi networks can be used in place of cell phones, in many cases. Public 802.11 hotspots are often free or available at a low daily cost to the end user. When connecting to a Wi-Fi network for web and e-mail access, there is no additional cost to make VoIP calls other than the cost of the users' VoIP service. VoIP service usually costs far less than cell phone service and may offer free unlimited international calling, something end users do not get with most cellular plans.
and video. Failure to deliver consistent QoS requirements (dropped calls, indistinct or garbled video, etc.) has an obvious negative impact on daily operations across the enterprise, from offices to the shop floor to executive suites.
Since VoIP uses the IP protocol, it is vulnerable to the usual attacks by hackers, malware, etc. In addition, failure to enforce adequate separation between voice and data circuits implies that if either one were to be compromised, the enterprise would be exposed to the partial or complete loss of both critical functions.
Unlike the PSTN, which uses 100 percent of allocated bandwidth (usually 64 Kbits/sec), VoIP connections are routed by the underlying IP network using the best means possible at that particular moment. It is possible, therefore, to experience lower QoS due to VoIP network congestion. Thus, the quality of the call will be a function of the quality of the underlying network. For example, VoIP calls made over a low-bandwidth, consumer grade, "Best Efforts" Internet connection will be of poorer quality than those made over an enterprise's high-speed (e.g., T1 class or above) local area network (LAN) or wide area network (WAN).
The dependence on VoIP communications implies a direct or indirect impact on:
• Communications, both within the enterprise and with the external world
• Ongoing business operations
• Customer relations
• Help desk and technical support
• Contractual issues
• Legal and compliance issues (e.g., risk of transmitting sensitive personally identifiable information (PII) in VoIP SMS messages or chat sessions, in breach of the US Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry (PCI) requirements)
Voice and multimedia communications typically contain or relate to business-critical information, including, but not limited to:
• Intellectual property (e.g., patents, copyrighted material)
• Sensitive corporate material, including data relating to financials, marketing and strategic planning, sensitive personnel information, sales and marketing, and daily business operations
• Security breaches due to malware carried by instant messaging
• Loss of sales due to inability of customers to reach sales personnel
• Brand damage and loss of competitive advantage
• Lawsuits by aggrieved third parties if hackers succeed in using compromised VoIP servers to attack other sites
• Inability to comply with legal discovery demands
• Inability to restore voice or multimedia communication within a reasonable time frame
• Officer liability
Objective and Scope
A typical VoIP network comprises a complex series of cooperating protocols, networks (wireless and wired), servers, security architectures, special services (such as E-911), backup and recovery systems, and interfaces to the PSTN.
During the audit planning process, the auditor must determine the scope of the audit. Depending on the specific implementation, this may include:
• Evaluation of governance, policies and oversight relating to VoIP
• Data classification policies and management
• The appropriate VoIP business case, actual deployment or upgrade processes, strategy and implementation controls
• Technical architecture(s), including security systems, multiple platforms (different vendors which supply and/or support VoIP), interfaces with data networks, backup and recovery, data retention and destruction policy, and technology
• Assessments of IT infrastructure and personnel to support the VoIP architecture(s)
• Baseline configurations of deployed hardware and software
• Issues related to decentralized VoIP servers, such as differing security standards
• Issues related to failover clustering, where appropriate
Security considerations for the PSTN or dial-up are outside the scope of this document.
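The separation of voice and data circuits discussed in the overview, and the "interfaces with data networks" and "baseline configurations" scope items above, can be tested mechanically from switch configurations. The following is an added illustration and not part of ISACA's program: it parses a constructed, IOS-style switch configuration excerpt (syntax assumed) together with a constructed inventory of phone-bearing ports from step 2.4.1, and reports access ports where voice and data share a VLAN.

```python
"""Audit check: are voice and data kept on separate VLANs at the access edge?

Added illustration; not part of the ISACA audit program. The running-config
excerpt, the phone-port inventory and the approved voice VLAN below are all
constructed for this example (IOS-like syntax is assumed).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed running-config excerpt (IOS-like syntax assumed).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Desk phone with PC behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
!
interface GigabitEthernet1/0/2
 description Desk phone, no voice VLAN configured
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 description Desk phone, voice VLAN same as data VLAN
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 20
!
interface GigabitEthernet1/0/4
 description Printer placed in the voice VLAN
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/24
 description Uplink to call manager
 switchport mode trunk
!
"""

# Constructed inventory (audit step 2.4.1): which ports carry IP phones.
PHONE_PORTS = {"GigabitEthernet1/0/1", "GigabitEthernet1/0/2", "GigabitEthernet1/0/3"}
# Constructed: the enterprise's designated voice VLAN(s) from its network diagram.
APPROVED_VOICE_VLANS = {20}


@dataclass
class Port:
    name: str
    description: str = ""
    mode: str = ""
    access_vlan: Optional[int] = None
    voice_vlan: Optional[int] = None


def parse_config(text: str) -> List[Port]:
    """Collect the switchport settings of every interface stanza."""
    ports: List[Port] = []
    current: Optional[Port] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = Port(name=line.split(None, 1)[1])
            ports.append(current)
        elif line == "!":
            current = None  # end of the interface stanza
        elif current is not None:
            if line.startswith("description "):
                current.description = line[len("description "):]
            elif line.startswith("switchport mode "):
                current.mode = line.split()[-1]
            else:
                m = re.fullmatch(r"switchport (access|voice) vlan (\d+)", line)
                if m:
                    setattr(current, f"{m.group(1)}_vlan", int(m.group(2)))
    return ports


def audit_separation(ports: List[Port], phone_ports: Set[str],
                     voice_vlans: Set[int]) -> List[Tuple[str, str]]:
    """Return (port, finding) pairs where voice and data are commingled."""
    findings: List[Tuple[str, str]] = []
    for p in ports:
        if p.mode != "access":
            continue  # trunks and uplinks are reviewed separately
        if p.name in phone_ports:
            if p.voice_vlan is None:
                findings.append((p.name, "phone port has no voice VLAN: voice rides the data VLAN"))
            elif p.voice_vlan == p.access_vlan:
                findings.append((p.name, "voice VLAN equals data VLAN: no separation"))
            elif p.voice_vlan not in voice_vlans:
                findings.append((p.name, f"voice VLAN {p.voice_vlan} is not an approved voice VLAN"))
        elif p.access_vlan in voice_vlans:
            findings.append((p.name, f"non-phone device placed in voice VLAN {p.access_vlan}"))
    return findings


def run_sample() -> List[Tuple[str, str]]:
    """Run the check over the constructed sample and return its findings."""
    return audit_separation(parse_config(SAMPLE_CONFIG), PHONE_PORTS, APPROVED_VOICE_VLANS)


if __name__ == "__main__":
    for port_name, finding in run_sample():
        print(f"{port_name}: {finding}")
```

On the constructed sample, port 1/0/1 passes and ports 1/0/2, 1/0/3 and 1/0/4 are reported; the trunk is skipped.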
V. Audit/Assurance Program
Table columns: Audit/Assurance Program Step | COBIT Cross-reference | COSO Reference (Control Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring) | Hyperlink | Issue Cross-reference | Comments
1. PLANNING AND SCOPING THE AUDIT
1.1 Define the audit/assurance objectives. The audit/assurance objectives are high-level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan and charter.
1.2 Define audit assignment success. The success factors need to be identified. Communication among the IT audit/assurance team, other assurance teams and the enterprise is essential.
1.2.1 Identify the drivers for a successful review. (This should exist in the assurance function's standards and procedures.)
1.2.2 Communicate success attributes to the process owner or stakeholder, and obtain agreement.
1.3 Define the boundaries of the review. The review must have a defined scope. Understand the functions and application requirements for the VoIP servers within the scope.
1.3.1 Obtain a list of VoIP servers and, for each, the relevant manufacturer, supplier and software versions.
1.3.2 Identify the criteria for selecting VoIP servers for inclusion or exclusion in the current audit/review.
© 2012 ISACA. All rights reserved. Page 12
1.4 Identify and document audit risk. The risk assessment is necessary to evaluate where audit resources should be focused. In most enterprises, audit resources are not available for all processes. The risk-based approach assures utilization of audit resources in the most effective manner.
1.4.1 Identify the business risk associated with the use of VoIP under consideration for audit/review.
1.4.2 Based on the risk assessment, evaluate the overall audit risk factor for performing the audit/review.
1.4.3 Based on the risk assessment, identify changes to the scope.
1.4.4 Discuss the risk with IT management and adjust the risk assessment.
1.4.5 Based on the risk assessment, revise the scope.
1.5 Define the audit change process. The initial audit approach is based on the reviewer's understanding of the operating environment and associated risk. As further research and analysis are performed, changes to the scope and approach may result.
1.5.1 Identify the senior IT assurance and business resources responsible for the review.
1.5.2 Establish the process for suggesting and implementing changes to the audit/assurance program and the authorizations required.
1.6 Define the audit/assurance resources required. The resources required are defined in the introduction to this audit/assurance program.
1.6.1 Determine the audit/assurance skills necessary for the review.
1.6.2 Estimate the total audit/assurance resources (hours) and time frame (start and end dates) required for the review.
1.7 Define deliverables. The deliverables are not limited to the final report. Communication between the audit/assurance teams and the process owner is essential to assignment success.
1.8 Communicate the audit/assurance process clearly to the customer/client.
1.8.1 Conduct an opening conference to discuss:
• Objectives with the stakeholders
• Relevant documents (e.g., policies, processes, management communications, minutes of meetings, deployment documentation) required to perform the audit/review
• Scope, scope limitations (audit boundaries), budgets, due dates, time lines, milestones and deliverables
• Available information security resources required to assist with the audit/review
2. PREPARATORY STEPS
2.1 Obtain and review the current organizational charts relating to VoIP communications.
2.1.1 Obtain the organizational chart for senior management overseeing VoIP communications.
2.1.2 Obtain the organizational chart for the IT infrastructure supporting and interfacing with VoIP.
2.1.3 Obtain the organizational chart for VoIP configuration and user maintenance.
2.2 Obtain the job descriptions of personnel responsible for the VoIP infrastructure, configuration and user administration.
2.3 Determine if previous VoIP infrastructure audits/reviews have been performed.
2.3.1 If prior audits/reviews have been performed, obtain the relevant work papers.
2.3.1.1 Review the current security configuration documentation, as well as relevant functional and administrative control, to determine if previously identified issues have been addressed.
2.3.1.2 Determine if the specific VoIP servers or networks under consideration for inclusion in the scope of this audit/review were included in the prior audit/review.
2.3.1.3 Review any penetration testing and vulnerability assessment that was performed.
2.4 Select the VoIP servers or networks to be included in the audit/review.
2.4.1 Obtain a list of VoIP networks and servers. VoIP media servers may include any of the following:
• Media gateway, for protocol translation, typically PSTN to/from local protocols
• H.323 gatekeeper, which provides address translation (alias to IP address)
• Firewalls and application-layer gateways for address filtering and security
• Interactive voice response (IVR) server
• Signaling media server (media gateway controller) to handle call control
• Automated call distribution (ACD) for receiving and distributing calls in a contact center
• Conferencing media server for voice and video conferencing
• Text-to-speech (TTS) server, which converts text e-mail to speech
• Automated voice-to-e-mail response system
• Voice or video applications server
• Streaming content server
• Fax-on-demand server
• Potentially running VoiceXML or MRCP
2.4.2 Determine the business units associated with each VoIP network or server. Select the networks for inclusion in a sample of the population. Include in the sample high-profile networks/servers, processes requiring intensive resources (such as dedicated to video conferencing) or IVR.
2.5 Obtain Server Documents
For the servers to be included in scope, obtain the following documents from each server:
• Server documents: configuration, software versions, hardware, VoIP protocols deployed, etc.
• Security documents
• Policies documents
• List of administrators with access
• VoIP network diagram
3. GOVERNANCE
3.1 Business Case
Audit/Assurance Objective: The initial VoIP server infrastructure and VoIP applications are supported by a documented business case describing the return on investment and other direct and indirect benefits.
VoIP Business Case Requirements
Control: A business case to support the deployment of VoIP is fully documented and describes the benefits to be realized.
COBIT cross-reference: PO1.2, PO2.1, AI1.3, AI3.1, DS11.1. COSO reference: X X X
3.1.1.1 Obtain a copy of the business case document supporting the deployment of VoIP in the enterprise to replace earlier (analog) technology.
3.1.1.2 Determine that the business case document adequately describes the benefits to be realized from deploying VoIP in place of analog technology and is appropriately authorized.
3.1.1.3 Determine that, subsequent to deployment, the projected benefits were achieved or exceeded.
3.1.1.4 Determine whether the conversion to VoIP was included in any short-term or long-term strategic IT plan.
3.2 VoIP Policies
Guiding Principles
Audit/Assurance Objective: VoIP deployment adheres to enterprise objectives for guiding principles.
VoIP Guiding Principles Document
Control: A guiding principles document has been established and addresses key issues of VoIP design, deployment and operations.
COBIT cross-reference: PO1.4, PO6, AI1.1, AI1.4, ME4. COSO reference: X X
3.2.1.1 Determine if a guiding principles or similarly named document exists which outlines the specific design objectives for a VoIP architecture or infrastructure.
3.2.1.2 Obtain a copy of the guiding principles document.
3.2.1.3 Determine whether the guiding principles address general enterprise policies relating to confidentiality and privacy, data integrity, and availability, as well as copyright, records retention and overall security.
3.2.1.4 By reference to formal documentation (minutes of meetings, progress reports, etc.), determine whether the guiding principles were enforced during the acquisition of VoIP technology and deployment.
3.2.1.5 Site Design: Verify that the guiding principles require that VoIP architects:
• Use a consistent design
• Approve changes based on demonstrated need
• Have a designated owner for each network
3.2.1.6 Architecture Documentation: Verify that documentation is:
• Stored in a location and format that prevents unauthorized changes
• Updated regularly as changes occur
• Accessible to authorized personnel
Policies and Standards
Audit/Assurance Objective: Policies and standards adhere to enterprise policies and standards.
VoIP Policies and Standards
Control: VoIP policies are defined, documented, and distributed to VoIP administrators, architects and relevant users.
COBIT cross-reference: PO6.4, PO6.5; COSO: X
3.2.1.7 Determine if a VoIP policies and standards document exists.
3.2.1.8 Obtain the VoIP policies and standards document, and review it as noted in the following steps.
3.2.1.9 Determine that VoIP policies and standards are reviewed at least annually and updated as required.
3.2.1.10 Review the VoIP policies and standards document against the points noted in the following steps.
3.2.1.11 Architecture standards include the points indicated in the following steps.
3.2.1.12 All VoIP phones must be on a virtual LAN (VLAN) separate from any data VLAN and must use RFC 1918 nonroutable addresses.³
3.2.1.13 Voice LANs and VLANs must be firewalled off from any data VLANs/LANs.
³ Most VoIP phones have a built-in switch that supports the 802.1p/Q VLAN standard, making it possible to establish VLANs between the desktop and the nearest wiring closet. See schematic diagram in the Appendix.
3.2.1.14 Appropriate mechanisms, such as access control lists (ACLs), are required to prevent any communication across VLANs.
3.2.1.15 Review the ACLs to ensure they provide the appropriate isolation between the VoIP VLAN and data/other VLANs.
3.2.1.16 Connections from VoIP components to the Internet are expressly forbidden.
3.2.1.17 In the case of any exceptions to the above policy, determine that the risk has been documented and appropriate countermeasures implemented (e.g., additional VoIP-aware firewalls).
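Steps 3.2.1.14 and 3.2.1.15 ask the auditor to review the ACLs for isolation, and 3.2.1.16 forbids Internet connections from VoIP components. In practice "prevent any communication across VLANs" means the ACL permits only the signaling and media flows the PBX needs and denies everything else, and the dependable way to review it is to evaluate the ruleset against the flows that policy says must be denied or permitted, rather than reading it top to bottom. The following Python example was added for this edit and is not part of ISACA's program or any vendor's tooling: it parses a Cisco-style extended ACL (a small subset of the syntax), applies first-match semantics with the implicit deny, and reports every test flow whose result differs from policy. The addresses, the weak and hardened ACLs and the SIP port are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the example (assumptions, not from any real site):
# voice VLAN and data VLAN both use RFC 1918 space; the PBX/call manager sits
# in the voice VLAN and listens for SIP on UDP 5060.
VOICE_VLAN = ipaddress.ip_network("10.20.0.0/24")
DATA_VLAN = ipaddress.ip_network("10.10.0.0/24")
CALL_MANAGER = "10.20.0.10"


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" (any), "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None means any destination port


def _addr(tok, i):
    """Parse one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts a Cisco wildcard (host mask) after the slash
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_acl(text):
    """Parse a Cisco-style extended ACL (subset: permit/deny, ip/tcp/udp,
    any/host/wildcard addresses, optional 'eq <port>')."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue                       # blank line or comment
        action, proto = tok[0], tok[1]
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def evaluate(rules, proto, src_ip, dst_ip, dport):
    """First matching rule wins; every ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


# Flows the policy says must be denied or permitted (constructed test cases).
EXPECTED_FLOWS = [
    ("data workstation -> phone media",     "udp", "10.10.0.25", "10.20.0.50", 16384, "deny"),
    ("data workstation -> call manager UI", "tcp", "10.10.0.25", CALL_MANAGER, 443,   "deny"),
    ("phone -> call manager SIP",           "udp", "10.20.0.50", CALL_MANAGER, 5060,  "permit"),
    ("phone -> Internet",                   "tcp", "10.20.0.50", "203.0.113.7", 443,  "deny"),
]


def audit_isolation(rules):
    """Return one finding per flow whose ACL result differs from policy."""
    findings = []
    for name, proto, s, d, p, expected in EXPECTED_FLOWS:
        got = evaluate(rules, proto, s, d, p)
        if got != expected:
            findings.append(f"{name}: policy says {expected}, ACL gives {got}")
    return findings


# Weak ACL (constructed): phones may reach the PBX, but the two blanket
# permits let data hosts into the voice VLAN and let phones out to the Internet.
WEAK_ACL = """
permit udp 10.20.0.0 0.0.0.255 host 10.20.0.10 eq 5060
permit ip 10.10.0.0 0.0.0.255 any
permit ip 10.20.0.0 0.0.0.255 any
"""

# Hardened ACL (constructed): only SIP to the PBX and intra-voice media are
# permitted; everything else from the voice VLAN, and everything from the data
# VLAN into the voice VLAN, is denied before the data VLAN's general permit.
HARDENED_ACL = """
permit udp 10.20.0.0 0.0.0.255 host 10.20.0.10 eq 5060
permit udp 10.20.0.0 0.0.0.255 10.20.0.0 0.0.0.255
deny ip 10.20.0.0 0.0.0.255 any
deny ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
permit ip 10.10.0.0 0.0.0.255 any
"""

if __name__ == "__main__":
    for label, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(label, audit_isolation(parse_acl(acl)) or "no findings")
```

The test-flow list is the auditor's working paper: extend it with every flow the site's guiding principles forbid (for example, voice VLAN to the management network) and with each exception documented under 3.2.1.17, so that a later ACL change that reopens a path shows up as a finding instead of passing a visual review.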
3.2.1.18 If telecommuters are permitted to access the VoIP PBX over the Internet, they must enter via an encrypted VPN tunnel with strong user authentication.
3.2.1.19 An intrusion detection system (IDS) or intrusion prevention system (IPS) is deployed to protect against external denial of service (DoS) attacks.
3.2.1.20 VoIP-enabled phones must authenticate when connecting to the PBX by a challenge-response process.
3.2.1.21 In a high-security environment, VoIP phones must be encrypted to deter internal attacks (e.g., where a "rogue" PC is connected to a VoIP network to intercept voice packets).⁴
⁴ In a situation in which encryption is not being used, the VoIP VLAN should prevent sniffing of the VoIP traffic by preventing a laptop from being connected to the VoIP network. Thus, in general, unauthorized devices such as laptops with softphones or other VoIP phones (from some other manufacturer) should be prevented from successfully connecting to the VoIP VLAN.
3.2.1.22 If encryption is deployed, it must be enforced to/from all phones and between the gateway and the external PSTN.
3.2.1.23 If encryption is deployed, an industry-standard encryption algorithm such as AES or 3DES is required (3DES has since been deprecated by NIST and should be treated as a legacy option; prefer AES). No proprietary algorithms, vendor-supplied or otherwise, should ever be used, due to their unknown effectiveness.
3.2.1.24 If wireless connectivity is deployed (i.e., to/from cell phones), a strong encryption protocol, such as WPA (in practice WPA2 or later, since the original WPA with TKIP is itself deprecated), is used, not WEP or other weak encryption.
3.2.1.25 In a regulated environment, Skype is not permitted due to the ease of user impersonation and lack of HTTPS (encryption) protection.
3.2.1.26 Where feasible, the option of MAC-binding should be implemented to ensure no unauthorized devices connect to the VoIP VLAN. (MAC addresses can be spoofed, so MAC-binding is a deterrent rather than an authentication control; where the switches and phones support it, port-based 802.1X authentication gives stronger device admission control.)
3.2.1.27 Operations
3.2.1.28 Verify that all VoIP-related administrative passwords (and encryption/decryption keys, where appropriate) have been changed from the manufacturer's default values.
3.2.1.29 Verify that administrative passwords and encryption/decryption keys are known only to a restricted list of trusted personnel.
3.2.1.30 Determine that emergency copies of all administrative passwords and encryption/decryption keys are kept in a secure location with restricted access.
3.2.1.31 Determine that VoIP policies and standards are reviewed at least annually and updated as required.
3.2.1.32 VoIP Content
3.2.1.33 Instant message (IM) and chat content are subject to review according to enterprise data classification and acceptable use policies.
3.2.1.34 IM and chat data are retained according to enterprise retention policies, with provisions for a more stringent policy based on data classification, data content or user group (e.g., C-suite executives).
3.2.1.35 Deployment Policies
3.2.1.36 VoIP deployments follow a prescribed project framework, e.g., the IT Infrastructure Library (ITIL).
3.2.1.37 If this is a new deployment of VoIP or a recent upgrade from an earlier version of VoIP, documented industry-standard good practices were followed.
3.2.1.38 The deployment process includes formal security and control requirements, including secure architecture, network security, patching, incident and incident-trigger definition, compliance, e-discovery, and encryption.⁵
3.2.1.39 Security requirements are defined according to enterprise security policies, separation of duties, approval policies, compliance, disaster recovery, incident management, etc.
⁵ Note that the Communications Assistance for Law Enforcement Act (CALEA), 1994, requires VoIP systems to be capable of lawful intercept.
3.2.1.40 The deployment process includes appropriate expected performance metrics to quantify hardware needed, at present and in the future.
3.2.1.41 VoIP operations staff conducts appropriate and regular capacity planning to determine anticipated future processing capacity to meet expected business needs.
3.2.1.42 Specific Organizational Unit Policies
3.2.1.43 Specific organizational units may alter policies to require more stringent security and design guidelines. More relaxed policies not in compliance with data classification standards and guidelines must be approved by information security management and the business data owner.
3.2.1.44 Gain documentary evidence of any such recent approval(s).
3.2.1.45 Audit Policies
3.2.1.46 Audit policies are aligned with enterprise audit policies based on data classification.
3.2.1.47 Audit policies include monitoring of access to VoIP servers by administrators and other privileged users.
Roles and Responsibilities
Audit/Assurance Objective: Policies and standards address the roles and responsibilities for implementing and maintaining VoIP server installations, including the underlying technology stack that supports the VoIP server.
Roles and Responsibilities Description
Control: A VoIP server policies and roles document describes the specific responsibilities of key job functions.
COBIT cross-reference: PO4.6, PO7; COSO: X X
3.2.1.48 Determine if a VoIP server roles and responsibilities document exists.
3.2.1.49 If a VoIP server roles and responsibilities document exists, evaluate the appropriateness of the descriptions for the following roles:
• Executive sponsor (applications)
• Governance board or steering committee (applications)
• Technology administrator
• Technology support team
• VoIP administrator
• Network architect
• Organizational unit administrator
3.2.1.50 Review the roles against the following responsibilities to assure these responsibilities are assigned to a job function and to specific individuals:
• Management of the technical infrastructure, including server, networks, database management, mailbox management, etc.
• Management of the VoIP server infrastructure
• Applications management
• Access controls, i.e., user provisioning
• Performance evaluation
• Business continuity and disaster recovery
3.3 Monitoring
Monitoring
Audit/Assurance Objective: VoIP server implementations and applications are subject to regular monitoring and reporting, based on criticality and sensitivity of data, and adherence to management oversight requirements.
Management Oversight of VoIP Server Deployments and Operations
Control: VoIP server implementations follow the enterprise project management system and, where practical, the project management and systems development life cycle.
COBIT cross-reference: PO10, ME1; COSO: X X
3.3.1.1 Prepare a sample of recent VoIP server deployments (upgrades or new deployments).
3.3.1.2 Select high-risk or high-profile VoIP server implementations.
3.3.1.3 Obtain project documentation.
3.3.1.4 Determine if the monitoring of the VoIP server project was/is in alignment with enterprise standards.
3.3.1.5 Determine if VoIP server operations are monitored in a manner consistent with other operational processes.
Issue Monitoring
Control: VoIP server implementation and operations are subject to issue monitoring and escalation to appropriate managers in the IT and business units.
COBIT cross-reference: PO10, DS8, ME1, ME2, ME4; COSO: X X X X
3.3.1.6 Obtain issue monitoring reports.
3.3.1.7 Evaluate the issue monitoring function for effectiveness, completeness, and appropriate and timely escalations.
4. SERVER CONFIGURATION
4.1 Virtualization
Audit/Assurance Objective: VoIP servers running in a virtualized environment are fully segregated from other servers running on the same physical hardware.
Virtualization Segregation
Control: VoIP servers are segregated from other servers in the virtualization pool.
COBIT cross-reference: PO2.1, DS5.1, DS9; COSO: X
Obtain the server virtualization specifications and architecture documentation.
Determine that controls within the virtualization configuration assure complete segregation of VoIP server processes and access rights from other environments.
If a virtualization audit has been performed, review the findings and issue monitoring for identified control concerns and remediation plans.
If no recent virtualization audit has been performed and the VoIP servers operate in a virtualized environment, consider postponing the VoIP server audit until a virtualization audit can be performed. Refer to the ISACA VMware Server Virtualization Audit/Assurance Program, as needed.
4.2 Operating System Hardening
Audit/Assurance Objective: Operating systems of the host servers are hardened according to best practices.
Operating Systems Are Configured for Security
Control: Operating systems are configured for maximum security.
COBIT cross-reference: DS9; COSO: X
4.2.1.1 Establish whether a recent operating system audit/review was completed for the relevant operating system.
• If so, obtain a copy of the report and ensure all issues were appropriately remediated.
• If not, consider conducting an audit/review of the underlying operating system security and controls. Refer to the appropriate ISACA Operating System Audit/Assurance Program, as needed.
4.2.1.2 Review if the organization has any operating system configuration baseline for VoIP servers.
4.2.1.3 Verify that VoIP servers, virtual and real, are dedicated to VoIP processes only.
4.2.1.4 Verify that nonessential services or daemons are not operating on the servers.
4.2.1.5 Verify that only ports necessary for VoIP are open in the server firewall.
4.2.1.6 Verify that firewalls protecting VoIP VLANs and servers are configured to deter most common VoIP attack scenarios. The following is a nonexhaustive list of such attacks:
• DoS and Distributed Denial of Service (DDoS) attacks
• QoS Modification Attack
• VoIP Packet Injection
• DoS Against Supplementary Services (e.g., dynamic host configuration protocol [DHCP] or domain name system [DNS])
• Wireless DoS
• "Packet of Death" DoS: essentially a flood of random transmission control protocol (TCP), UDP, or Internet control message protocol (ICMP) packets designed to crash VoIP servers
• IP Phone flood DoS: a large volume of call data is sent to a single VoIP endpoint in an attempt to exhaust its central processing unit (CPU), bandwidth, TCP sessions, etc.
• DNS Poisoning
• Toll Fraud: use of VoIP servers to place unauthorized toll calls over the PSTN
4.3 VoIP Specific Policies
Security Settings Are Established Using Policies
Audit/Assurance Objective: Security settings for users are established and enforced through policies assigned to the organizational units and directory root.
Security Policy Settings Are Established Using Policy Documents
Control: Security policy is established for users using the policy document and is assigned to the organizational unit and, where necessary, to an individual.
COBIT cross-reference: PO2.3, DS5.3, DS5.4, DS9; COSO: X
4.3.1.1 Obtain the policies document for each server in scope.
4.3.1.2 Determine if policies have been established within the directory hierarchy.
4.3.1.3 Determine if explicitly assigned policies create an exposure for unauthorized access.
Password Policies
Audit/Assurance Objective: Password policies adequately protect the users and the privacy of voice mails and applications.
4.3.1.4 Password Policies Protect the Identity and Access to Voice Mails
Control: VoIP password/personal identification number (PIN) policies are in alignment with enterprise identity management policies and practices.
COBIT cross-reference: DS5.3, DS5.4, DS9; COSO: X
4.3.1.5 Determine that all users are required to set up a private password to access their voice mails.
4.3.1.6 For a sample of VoIP phones, determine that voice mail cannot be accessed without a password/PIN and that default passwords/PINs (e.g., 0000, 1234) have been changed.
4.3.1.7 Verify that firewall rule bases block any access by regular (data) users to the VoIP VLAN from their workstations.
Password/PIN Policies Protect the VoIP Phone's Configuration
Control: A PIN is required to access configuration information on each individual VoIP handset/phone.
COBIT cross-reference: DS5.3, DS5.4, DS9; COSO: X
4.3.1.8 Determine that a 4-digit or longer PIN is assigned to each VoIP handset/phone to access the device's configuration menu.
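Steps 4.3.1.6 and 4.3.1.8 are usually tested by hand on a sample of handsets; where the administration console can export the configured voice mail and configuration PINs, the same checks can be run over the whole population. The following Python example was added for this edit and is not ISACA's or any vendor's code. It flags PINs that are unset, shorter than four digits, vendor defaults (the 0000 and 1234 cited above plus a few other common factory defaults, which is an assumption), all one digit, a simple ascending or descending sequence, or equal to the extension's own trailing digits. The export format and the sample records are constructed.

```python
# Vendor default PINs to look for: the two cited in step 4.3.1.6 plus other
# common factory defaults (assumption; extend the set from the vendor manuals).
DEFAULT_PINS = {"0000", "1234", "1111", "12345", "123456"}


def is_sequential(pin):
    """True for runs like 1234 or 9876 (constant step of +1 or -1)."""
    if not pin.isdigit() or len(pin) < 2:
        return False
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def check_pin(pin, extension, min_len=4):
    """Return the policy violations for one PIN (empty list = compliant)."""
    if not pin:
        return ["not set"]
    problems = []
    if len(pin) < min_len:
        problems.append(f"shorter than {min_len} digits")
    if pin in DEFAULT_PINS:
        problems.append("vendor default")
    if len(set(pin)) == 1:
        problems.append("repeated digit")
    elif is_sequential(pin):
        problems.append("sequential digits")
    # PIN equal to the extension, or to its last digits, is guessable from the
    # directory listing.
    if pin == extension or pin == extension[-len(pin):]:
        problems.append("equals extension digits")
    return problems


def audit_pins(records, fields=("voicemail_pin", "config_pin")):
    """Run check_pin over an export of handset records; returns
    (extension, field, problem) triples."""
    findings = []
    for r in records:
        for field in fields:
            for problem in check_pin(r.get(field, ""), r["extension"]):
                findings.append((r["extension"], field, problem))
    return findings


# Constructed export (assumption: the administration console can export the
# configured PINs in clear; where it only exports hashes, test the defaults by
# attempting them against a sample of handsets instead).
SAMPLE_EXPORT = [
    {"extension": "1001", "voicemail_pin": "0000", "config_pin": "7391"},
    {"extension": "1002", "voicemail_pin": "1234", "config_pin": ""},
    {"extension": "1003", "voicemail_pin": "1003", "config_pin": "135"},
    {"extension": "1004", "voicemail_pin": "86027", "config_pin": "4418"},
]

if __name__ == "__main__":
    for ext, field, problem in audit_pins(SAMPLE_EXPORT):
        print(f"{ext} {field}: {problem}")
```

Extension 1004 is the only compliant record in the sample; every other record produces at least one finding, and the unset configuration PIN on 1002 is the case 4.3.1.8 is most concerned with, since it leaves the handset's configuration menu open to anyone at the desk.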
Application Access Controls
Audit/Assurance Objective: Applications (e.g., call center, customer self-service) utilizing the VoIP infrastructure have appropriate access security in alignment with data classification and user account policies.
4.3.1.9 Access Control Maintenance
Control: Access controls are maintained for provisioning, deprovisioning and transfer procedures.
COBIT cross-reference: DS5.3, DS5.4; COSO: X
4.3.1.10 Obtain the provisioning, transfer and termination procedures.
4.3.1.11 Evaluate the procedures for design effectiveness.
4.3.1.12 Select a sample of new users, terminated users and transferees. Verify that access control for the sample set of users is in compliance with the access control maintenance procedures.
Physical Security Controls
Audit/Assurance Objective: VoIP PBX servers have adequate physical protection against unauthorized tampering.
Physical Access to VLAN Hardware Is Restricted
Control: Access to sensitive devices, such as VLAN switches, is restricted to a small number of trusted individuals on a strict "need to know" basis.
4.3.1.13 Select a sample of VLAN switches and other hardware and determine that they are all in locked cabinets or rooms to which access is limited to a small number of trusted engineers.
4.3.1.14 Determine that appropriate electronic access controls, such as magnetic badge readers, smart card readers, biometric scanners (fingerprint, hand geometry, iris, facial geometry, etc.), are in place to restrict such access.
Details of the Deployed VoIP System Are Restricted
Audit/Assurance Objective: Information about which VoIP hardware and software are deployed is restricted for internal use only.
Limitations on VoIP Deployment
Control: Specific details about the deployed VoIP hardware and software (such as manufacturer, supplier, model, version number, etc.) are restricted to internal employees on a "need to know" basis.
4.3.1.15 Determine that the above sensitive information (which could be used by intruders to plan attacks on the VoIP networks) is NOT displayed on open external or internal web sites.
4.3.1.16 Determine that access to technical documentation relevant to the deployed VoIP network(s) is restricted to a small group of trusted individuals, on a "need to know" basis.
4.3.1.17 Determine that any and all such information is classified as "Confidential, Internal Use Only" or similar.
4.4 VoIP Server Configuration
Administrators Access
Audit/Assurance Objective: Administrators are limited in their ability to access and modify server configurations.
4.4.1.1 Administrator Access Is Defined
Control: VoIP administrators are defined and documented by access level.
COBIT cross-reference: DS5.3; COSO: X
4.4.1.2 Obtain the administrator access assignments.
4.4.1.3 Determine that the administrator access rights have been created in a granular manner consistent with the enterprise security policies.
4.4.1.4 Determine that the access assignments define the following VoIP administrator access rights:
• Full access administrators
• Administrators (specific server)
• Database administrators
• Remote PBX administrators
• View-only administrators
• System administrator
Unauthorized Users Cannot Assume Administrator Privileges
Control: Only administrators have access to the privileged administrator functions.
COBIT cross-reference: DS9; COSO: X
4.4.1.5 Obtain access and identity profiles, and verify that only authorized administrators have access to VoIP server and administration functions.
4.4.1.6 Determine that, if groups are used, the members of the VoIP administrative groups are appropriate based on job title.
4.4.1.7 Determine if users or members of groups associated with the administrator functions should no longer have access due to termination, job transfer or job redefinition.
Digital Certificate Management
Audit/Assurance Objective: X.509 digital certificates used to drive server authentication with SSL/TLS are adequately managed and corresponding private keys protected.
4.4.1.8 SSL/TLS Digital Certificates Are Adequately Tracked and Managed
Control: An electronic or digital log of all deployed X.509 digital certificates (digital identities) is maintained and updated.
COBIT cross-reference: DS5.7, DS5.8; COSO: X
4.4.1.9 Determine that a suitable tracking log or index is maintained of all deployed digital certificates, showing at least the following information:
• Certificate ID, supplier
• Expiration date
• Date revoked (if applicable)
• Private key (a long string of hexadecimal digits)
• Relevant server ID
• Password to unlock the certificate in the operating system certificate store
Note on the private key and password items: the objective of this control is that private keys are protected, so the inventory should record where the key and the certificate-store password are held and who is custodian, not the key material or the password itself. An inventory that contains the keys becomes a single high-value target and must then be protected to the same standard as the keys it lists.
4.4.1.10 Determine that access to the above log or index is restricted to a small list of trusted, senior personnel.
Server Access
Audit/Assurance Objective: Server access is limited as required to perform job function.
Server Access Restrictions
Control: Access to VoIP servers is defined by job function.
COBIT cross-reference: DS5.4; COSO: X
4.4.1.11 Determine if VoIP server access is defined by job function.
4.4.1.12 For the sample set of VoIP servers, determine who can access the servers by reviewing relevant documentation.
4.4.1.13 Evaluate if these access settings are appropriate and consistent with enterprise security policy.
Limit Port Access to VoIP Servers
Audit/Assurance Objective: Network configuration is set to provide maximum security.
VoIP Is Configured for Secure External Access
Control: Access to VoIP requires an encrypted VPN tunnel.
COBIT cross-reference: DS5.7, DS5.8; COSO: X
4.4.1.14 Using the sample of VoIP server documents, determine the following:
• Either an encrypted VPN tunnel or SSL/TLS is required to gain access to any VoIP server in use
• Only industry-standard encryption is allowed (AES or 3DES)
• Strong authentication is required for all external users
4.5 VoIP Messaging Configuration
Internet Access Is Highly Restricted
Audit/Assurance Objective: Access to and from the Internet is restricted to administrators.
Access to the Internet from Any VoIP Device Is Forbidden
Control: No Internet-enabled workstations are permitted to connect to any voice VLAN.
COBIT cross-reference: DS9; COSO: X
4.5.1.1 Review VoIP architecture documentation to determine whether any workstations (PCs, laptops, notepads, netbooks or tablets) on the data network can reach the voice VLAN.
4.5.1.2 From an internal workstation, attempt to connect to the IP address of one or more VoIP servers. (This should be unsuccessful in all cases.)
4.5.1.3 Determine if antivirus and other antimalware protection software is required to protect VoIP servers.
4.5.1.4 For each server, determine that the required software packages by vendor and version/revision level are installed, updated and monitored.
4.6 Messaging Compliance
Audit/Assurance Objective: VoIP is appropriately configured to comply with relevant regulatory, legal, industry and enterprise internal requirements.
Message Retention Is Appropriate for the Needs of the Enterprise
Control: Text messages (IM and chat) are retained for the appropriate time span to comply with the most restrictive requirement.
COBIT cross-reference: DS11.2; COSO: X
4.6.1.1 Verify that written enterprise policy specifically and clearly defines the retention period for all electronic messaging and that this time period equals or exceeds that for the most restrictive relevant compliance requirement.
4.6.1.2 Verify that VoIP server operations management is fully aware of the message retention and electronic discovery policies.
4.6.1.3 Consider legal advice as to whether the retention policies also apply to video content.
Policies Are in Place to Effect a Legal Hold
Control: A legal hold policy is documented, up to date, and conveyed to VoIP server operations management.
COBIT cross-reference: DS5, DS11, ME1; COSO: X X
4.6.1.4 Obtain a copy of the legal hold policy and determine whether it has been communicated to, and understood by, VoIP server operations management.
4.6.1.5 By query and observation, determine whether VoIP server operations management has the necessary tools and expertise to perform e-discovery searches across multiple text mailboxes.
4.7 Auditing and Logging
Audit/Assurance Objective: The VoIP server is configured to log access to critical process functions.
Auditing Is Enabled
Control: VoIP server logging is maintained and reviewed, either operating system logs or VoIP server logs or both.
COBIT cross-reference: DS9; COSO: X
4.
COBIT cross-reference: AI7.2, DS5.1; COSO: X
5.1.1.1 Obtain a network schematic for the VoIP servers within the audit scope.
5.1.1.2 Determine if the VoIP server network segments are adequately secured, i.e., not directly accessible from the Internet, behind the appropriate firewall(s), and within the scope of deployed IDSs/IPSs.
5.1.1.3 Determine that firewalls in front of VoIP VLANs are VoIP-aware (i.e., they "understand" the deployed VoIP protocols [SIP or H.323]) and that the appropriate ports are open in the firewall, depending on the specific VoIP hardware.
5.2 Network Protection
Audit/Assurance Objective: The VoIP networks and VLANs are included in security monitoring and vulnerability assessment.
Inclusion in Network Assessments and Penetration Tests
Control: VoIP and IP PBX servers are included in all network security assessments and penetration tests.
COBIT cross-reference: DS5.9; COSO: X X
5.2.1.1 Review documentation relating to recent vulnerability assessments and penetration tests (by internal or external testers) and determine that all VoIP servers and VLANs were included in the scope of such tests.
5.2.1.2 Determine whether all vulnerabilities relating to VoIP networks and VLANs were appropriately remediated in a timely fashion.
6. CONTINGENCY PLANNING
namely all of the following:
• Service level agreements (SLAs), which define how long VoIP can
be down before service has to be restored (likely very short)
• Recovery point objectives (RPOs), which determine how much data
can be lost, measured in minutes
• Recovery time objectives (RTOs), which determine the maximum
time allowed for recovering each service, measured in minutes
6.2.1.2 Obtain and review a copy of the last recovery test and determine whether
all of the above were tested and whether all deficiencies in the tested recovery process have been fully remediated.
6.2.1.3 Determine whether backup copies of the VoIP server databases and
software are:
• Maintained in a secure offsite facility
• Backup tapes or disks are encrypted before leaving the premises
• Access to offsite backup copies is restricted to a small number of
trusted employees
• Backup copies are carried to the offsite storage by a third party in a
secure fashion (e.g., armored vehicles, armed guards)
• Maintained at a vault utility service
VI. Maturity Assessment
The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of the audit/assurance review
and the reviewer's observations, assign a maturity level to each of the following COBIT control objectives.
COBIT Control Objective | Assessed Maturity | Target Maturity | Reference Hyper-link | Comments
PO1 Define a Strategic IT Plan
• PO1.1 IT Value Management—Work with the business to ensure that the enterprise
portfolio of IT-enabled investments contains programmes that have solid business cases.
• PO1.2 Business-IT Alignment—Establish processes of bi-directional education and
reciprocal involvement in strategic planning to achieve business and IT alignment and
integration.
PO2 Define the Information Architecture
• PO2.1 Enterprise Information Architecture Model—Establish and maintain an enterprise
information model to enable applications development and decision-supporting activities,
consistent with IT plans as described in PO1.
• PO2.3 Data Classification Scheme—Establish a classification scheme that applies
throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential,
top secret) of enterprise data. This scheme should include details about data ownership;
definition of appropriate security levels and protection controls; and a brief description of
data retention and destruction requirements, criticality and sensitivity. It should be used as
the basis for applying controls such as access controls, archiving or encryption.
PO4 Define the IT Processes, Organisation and Relationships
• PO4.6 Establishment of Roles and Responsibilities—Establish and communicate roles and
responsibilities for IT personnel and end users that delineate between IT personnel and end-
user authority, responsibilities and accountability for meeting the organisation's needs.
• PO4.8 Responsibility for Risk, Security and Compliance—Embed ownership and
responsibility for IT-related risks within the business at an appropriate senior level. Define
and assign roles critical for managing IT risks, including the specific responsibility for
information security, physical security and compliance.
• PO4.9 Data and System Ownership—Provide the business with procedures and tools,
enabling it to address its responsibilities for ownership of data and information systems.
Owners should make decisions about classifying information and systems and protecting
them in line with this classification.
AI1 Identify Automated Solutions
• AI1.1 Definition and Maintenance of Business Functional and Technical Requirements—
Identify, prioritise, specify and agree on business functional and technical requirements
covering the full scope of all initiatives required to achieve the expected outcomes of the
IT-enabled investment programme.
• AI1.3 Feasibility Study and Formulation of Alternative Courses of Action—Develop a
feasibility study that examines the possibility of implementing the requirements. Business
management, supported by the IT function, should assess the feasibility and alternative
courses of action and make a recommendation to the business sponsor.
AI3 Acquire and Maintain Technology Infrastructure
• AI3.1 Technological Infrastructure Acquisition Plan—Produce a plan for the acquisition,
implementation and maintenance of the technological infrastructure that meets established
business, functional and technical requirements and is in accord with the organisation's
technology direction.
AI7 Install and Accredit Solutions and Changes
• AI
• DS5.3 Identity Management—Ensure that all users (internal, external and temporary) and
their activity on IT systems (business application, IT environment, system operations,
development and maintenance) are uniquely identifiable. Enable user identities via
authentication mechanisms. Confirm that user access rights to systems and data are in line
with defined and documented business needs and that job requirements are attached to user
identities. Ensure that user access rights are requested by user management, approved by
system owners and implemented by the security-responsible person. Maintain user
identities and access rights in a central repository. Deploy cost-effective technical and
procedural measures, and keep them current to establish user identification, implement
authentication and enforce access rights.
• DS5.4 User Account Management—Address requesting, establi