Audit questionnaire: Telecommunications

Number Question
operations
12A
12A01

1
R-V1

Security of operational procedures

Securitatea procedurilor operationale

Consideration of security in relation with operational

personnel (permanent and temporary staff)

Luarea n considerare a securitii n legtur cu

personalul operaional (personal permanent i
temporar)

12A01-01 Is there a security policy, specifically aimed at operations

personnel, related to telecommunications?
This policy should cover the requirements for the protection of
information as well as the protection of physical assets and
processes and mention the forbidden behaviors

Exist o politic de securitate, care vizeaz n mod

specific personalul operaional, legat de telecomunicaii?
Aceast politic ar trebui s acopere cerinele privind
protecia informaiilor, precum i protecia bunurilor fizice
i a proceselor i s menioneze comportamentele
interzise

12A01-02 Is telecommunication operations personnel required to sign

contract clauses of adherence to that security policy (no
matter their status: permanent or temporary staff, students,
etc.)?

Este personalul implicat n operaiuni de telecomunicaii

avizat s semneze clauzele contractuale de aderare la
aceast politic de securitate (indiferent de statutul lor:
personal permanent sau temporar, studeni etc.)?

12A01-03 Do these clauses make clear that the personnel has an

obligation not to tolerate any action contrary to security from
other people?

Specific aceste clauze n mod clar c personalul are

obligaia de a nu tolera nici o aciune contrar securitii
din partea altor persoane?

12A01-04 Does the signature of these clauses represent a formal

commitment?
In order to achieve a formal commitment, the personnel
should explicitly state that his/her signature implies having
understood and accepted the security policy

Reprezint semntura acestor clauze un angajament

formal? n scopul de a realiza un angajament oficial,
personalul trebuie s menioneze n mod explicit c
semntura lui/ei presupune c a neles i acceptat
politica de securitate

12A01-05 Are these same clauses obligatory for contractors working on

systems operations?
Practically, the contractors should ensure that their personnel
sign individually and explicitly under the same conditions than
internal staff.

Sunt aceste clauze obligatorii pentru contractorii care

lucreaz la operaiunile de sisteme?
Practic,
contractorii trebuie s se asigure c personalul lor
semneaz n mod individual i explicit sub aceleai
condiii ca si personalul intern.

12A01-06 Is there a mandatory and well adapted training course aimed Exist un curs de formare obligatoriu i bine adaptat,
at systems operation personnel?
orientat catre personalul de exploatare a sistemelor?
12A01-07 Are the security policy compliance agreements, signed by
personnel, securely kept (at least in a locked cupboard )?

Sunt acordurile de conformitate, semnate de personal,

pstrate n siguran (cel puin ntr-un dulap ncuiat)?

12A01-08 Are the security policy compliance agreements, signed by

external contractors, securely kept (at least in a locked
cupboard )?

Sunt acordurile de conformitate, semnate de contractani

externi, pstrate n siguran (cel puin ntr-un dulap
ncuiat)?

12A01-09 Is there a regular audit, at least once a year, of the effective

application of the signature procedure by operational
personnel (directly employed by the company or indirectly
through a service company) ?

Exist un audit regulat, cel puin o dat pe an, al aplicrii

efective a procedurii de semnare de ctre personalul
operaional (angajat direct de ctre societate sau indirect,
printr-o companie prestatoare de servicii)?

12A02

Control of the implementation of new equipments or

upgrade of existing systems
Equipments for classical telephony : PABX, ...
With ToIP : call server, gateway converter to classical
telephony, routers, switches
Equipments dedicated to users: telephone terminal, fax
machines (often combined with printing, scanning and
photocopy capabilities , ...), tele and videoconferencing, ...
These systems may provide configuration, management,
directory, billing and storage (answering machine, voice mail)
services,

Controlul punerii n aplicare a noilor echipamente sau

modernizarea sistemelor existente
Echipamente pentru telefonia clasica:
centrale telefonice, ...Cu ToIP: server de apel, convertor
poarta de acces la telefonia clasica, routere, switch-uri
Echipamente dedicate utilizatorilor: terminale telefonice,
aparate fax (adesea combinate cu imprimare, scanare i
fotocopiere, ...), tele i videoconferine, ... Aceste sisteme
pot furniza configurare, gestionare, facturare i depozitare
(robot telefonic, mesagerie vocal) servicii, ...

12A02-01 Are the decisions to change or update equipment and

systems significantly subject to a control procedure
(registration, planning, formal approval, communication to all
concerned individuals, etc.)?
The possible separation (physical or logical, using VLAN) of
data and voice flows shall be analyzed when moving to ToIP
and revised based on the observed load changes, the same
applies to interconnection capabilities between the two
networks

Sunt deciziile de a schimba sau actualiza echipamentele

i sistemele semnificativ supuse unei proceduri de control
(de nregistrare, planificare, aprobare formal,
comunicare catre toate persoanele implicate etc.)?
Posibila separare (fizic sau logic, folosind VLAN) a
datelor i a fluxurilor de voce se analizeaz atunci cnd
se deplaseaz la ToIP i se revizuieste pe baza
schimbrilor de sarcin observate, acelai lucru se aplic
capacitilor de interconexiune ntre cele dou reele

12A02-02 Are the change decisions based on an analysis of the

capacity of the new equipment and systems to ensure the
required load and take into account the evolution of
foreseeable requests?

Sunt deciziile de schimbare, bazate pe o analiza a

capacitii noilor echipamente i sisteme de a asigura
sarcina necesar i de a lua n considerare evoluia
cererilor previzibile?

12A02-03 Do the installations take into account physical protection?

Protected access, no direct external view on equipments, no
multiple physical threats, continuity of power supply, weather
conditions, protection against thunderbolts, protection against
dust, etc.

Iau n considerare instalaiile protecia fizic?

Acces protejat, nicio vedere directa din exterior asupra
echipamentelor, fr multiple ameninri fizice,
continuitatea alimentrii cu energie, condiiile
meteorologice, protecie mpotriva trsnetelor, protecie
mpotriva prafului etc.

12A02-04 Is any new or modified functionality linked to a new system or Este orice funcionalitate nou sau modificat legat de
new version of a system, systematically documented before un sistem nou sau versiune nou a unui sistem,
moving into production?
documentata n mod sistematic nainte de a trece n
producie?
12A02-05 Is such new functionality (or change in functionality), linked to
a new system or new version of a system, formally and
systematically reviewed in conjunction with the IT security
function?

Este o astfel de funcionalitate nou (sau o modificare n

funcionalitate), legat de un nou sistem sau o nou
versiune a unui sistem, revizuit n mod oficial i sistematic
n legtur cu funcia de securitate IT?

12A02-06 Does this review include an analysis of the risks that may
result from the changes?

Include aceast reexaminare o analiz a riscurilor care

pot rezulta din modificri?

12A02-07 Have telecommunication operations staff received formal

appropriate training in risk analysis?
This should include service continuity as well as
confidentiality and integrity of the data and the transmissions

Personalul de operaiuni de telecomunicaii a primit o

instruire formal adecvat n analiza de risc?
Acest lucru ar trebui s includ o continuitate a serviciului,
precum i confidenialitatea i integritatea datelor i a
transmisiilor

12A02-08 May the operation staff obtain an appropriate support

specially competent on risk analysis?

Poate personalul de exploatare s obin un sprijin

adecvat special si competent privind analiza de risc?

12A02-09 Are the security measures, determined to counter the new

identified risks, formally reviewed before implementation?

Sunt msurile de securitate, determinate pentru a

contracara noile riscuri identificate, revizuite n mod oficial
nainte de punerea n aplicare?

12A02-10 Are security parameters and configuration rules (deletion of

generic accounts, changing of any default passwords,
blocking of unauthorized communications ports, setting of
access rights and authentication parameters, etc.) listed in
detail and regularly updated?

Sunt parametrii de securitate i regulile de configurare

(tergerea conturilor generice, schimbarea de parole
implicite, blocarea porturilor de comunicaii neautorizate,
stabilirea drepturilor de acces i a parametrilor de
autentificare, etc) enumerate n detaliu i actualizate
regulat?

12A02-11 Are the security parameters and configuration rules controlled Sunt parametrii de securitate i regulile de configurare
prior to any start of production of a new version?
controlate nainte de orice nceput al produciei unei noi
versiuni?
12A02-12 Has the eventual impact of the systems' changes regarding
the continuity plans been considered?

A fost luat n considerare eventualul impact al

modificrilor sistemelor n ceea ce privete continuitatea
planurilor?

12A02-13 Are any derogations from the prerequisite risk analysis and
control of security parameters subject to strict procedures,
including a signature from senior management?

Sunt orice derogri de la analiza i controlul parametrilor

de securitate a riscurilor condiie pentru proceduri stricte,
inclusiv o semntur din partea conducerii superioare?

12A02-14 Can the start of production of new systems and applications

be only carried out by operations personnel?

Poate nceperea produciei de noi sisteme i aplicaii s

fie efectuata numai de ctre personalul implicat n
operaiuni?

12A02-15 Is the start of production of new versions of systems or

applications possible by the use of a defined validation and
authorization process?

Este nceputul produciei de noi versiuni ale sistemelor

sau aplicaiilor posibil prin utilizarea unui proces de
validare i autorizare definit?

12A02-16 Are the start of production control procedures regularly

audited?

Inceperea procedurilor de control al produciei este

auditata n mod regulat?

12A03

Control of maintenance operations

Controlul operaiunilor de mentenana

12A03-01 Is it kept a trace of all maintenance operations?

Este pstrata o urm a tuturor operaiunilor de

mentenana?

12A03-02 Are all maintenance operations required to terminate with a

systematic control of physical or recorded configurations and
security parameters (as defined at time of start of
production)?

Sunt toate operaiunile de mentenana necesare pentru a

termina cu un control sistematic al configuraiilor fizice sau
nregistrate i a parametrilor de securitate (aa cum este
definit la momentul nceperii produciei)?

12A03-03 Are all maintenance operations required to terminate with a

systematic control of the recording parameters for security
events and the life span of records?

Sunt toate operaiunile de mentenana necesare pentru a

termina cu un control sistematic al parametrilor de
nregistrare pentru evenimente de securitate i durata de
via a nregistrrilor?

12A03-04 Are all maintenance operations required to terminate with a

systematic control of system administration parameters
(required profile, authentication type, removal of standard
logins etc.)?

Sunt toate operaiunile de mentenana necesare pentru a

termina cu un control sistematic al parametrilor de
administrare a sistemului (profilul necesar, tipul de
autentificare, ndeprtarea conectrii standard, etc)?

12A03-05 Is a formal dispensation, signed by a responsible manager,

required if the above mentioned procedures are not
observed?

Este necesar o hotarare formal, semnat de un

manager responsabil, n cazul n care nu sunt respectate
procedurile menionate mai sus?

12A03-06 Is the effective implementation of these controls regularly

audited?

Este punerea efectiv n aplicare a acestor controale

auditata n mod regulat?

12A04

Control of Remote Maintenance

Controlul de mentenan de la distan

12A04-01 In the case of remote maintenance, is the remote

n cazul mentenantei de la distan, accesul biroului de
maintenance desk's access subject to a secure authentication mentenanta la distan este supus unei proceduri de
procedure?
autentificare securizat?
12A04-02 In the case of remote maintenance, are maintenance staff
subject to a secure authentication procedure?

n cazul mentenantei de la distan, personalul de

ntreinere este supus unei proceduri de autentificare
securizat?

12A04-03 Is there a set of procedures covering the granting and

revocation of access rights for remote maintenance
operatives and the granting of rights in urgent situations?

Exist un set de proceduri referitoare la acordarea i

revocarea drepturilor de acces pentru ageni de
mentenan la distan i acordarea drepturilor n situaii
de urgen?

12A04-04 Does the usage of the remote maintenance line require the
prior agreement (for each usage) of telecommunication
operations personnel (upon request by the manufacturer or
editor specifying the nature, date and time of the
intervention)?

Utilizarea liniei de ntreinere de la distan necesit

acordul prealabil (pentru fiecare utilizare) al personalului
operaional de telecomunicaii (la solicitarea de ctre
productor sau de editor, specificnd natura, data i ora
interveniei)?

12A04-05 Is the usage of the remote maintenance line under strict

control ?
A strict control supposes that each use of the line, the name
of the maintenance operative and the actions carried out is
registered, and that there be a subsequent audit of the
appropriateness of the actions and their conformity with the
rules laid down by maintenance managers.

Este utilizarea liniei de ntreinere de la distan sub

control strict?
Un control strict presupune c la fiecare utilizare a liniei,
numele mentenantei operative i aciunile desfurate
sunt nregistrate si exista un audit ulterior al caracterului
adecvat al aciunilor i conformitatea acestora cu normele
stabilite de ctre managerii responsabili de mentenanta.

12A04-06 Are control procedures for remote maintenance regularly

audited?

Sunt procedurile de control pentru mentinerea de la

distan auditate n mod regulat?

12A05

Management of Operating Procedures for

Telecommunication Operation
12A05-01 Do the operating procedures result from the study of the
overall cases to be covered by said procedure (normal
operating cases and incidents)?

Gestionarea procedurilor de operare pentru

Operaiunea de telecomunicaie
Procedurile de operare rezult din studiul cazurilor
generale care urmeaz s fie acoperite prin procedura
menionat (cazuri de funcionare normale i incidente)?

12A05-02 Are the operating procedures documented and kept up to

date?

Sunt procedurile de operare documentate i actualizate?

12A05-03 Are the operating procedures readily available upon request

by any accredited individual?

Sunt procedurile de operare disponibile imediat, la cerere,

de ctre orice persoan acreditat?

12A05-04 Is the telecommunications operation Management required to Este managementul operaiunilor de telecomunicaii
approve changes to procedures ?
responsabil a aproba modificri ale procedurilor?
12A05-05 Are these procedures protected from unauthorized
alterations?

Sunt aceste proceduri protejate de modificri

neautorizate?

12A05-06 Are the operating procedures audited regularly for

authenticity and relevance?

Sunt procedurile de operare auditate cu regularitate

pentru autenticitate i relevan?

12A06

Management of service providers relating to

telecommunication
12A06-01 Is it regularly ensured that the security services allocated to
suppliers or providers are efficiently implemented and
maintained by them?

Gestionarea furnizorilor de servicii legate de

telecomunicaii
Se asigura n mod regulat c serviciile de securitate
alocate furnizorilor sunt implementate i meninute de
ctre acestia n mod eficient?

12A06-02 Is it ensured that the telecommunications service suppliers or

providers have efficiently prepared the appropriate
arrangements to ensure that the services are provided as
agreed?

Se asigura c furnizorii sau prestatorii de servicii de

telecomunicaii au pregtit n mod eficient modalitile
adecvate pentru a se asigura c serviciile sunt furnizate
conform celor convenite?

12A06-03 Is the respect of the security provisions by the suppliers or

providers regularly reviewed?

Respectarea dispoziiilor de securitate de ctre furnizorii

sau prestatorii de servicii este revizuita n mod regulat?

12A06-04 Is it ensured that the suppliers and providers report and

document any security incident concerning information or
networks?

Este garantat faptul c furnizorii i prestatorii de servicii

raporteaza i documenteaza orice incident de securitate
cu privire la informaii sau reele?

12A06-05 Is there a regular review of these incidents or malfunctions

with the concerned suppliers and providers?

Exist o revizuire periodic a acestor incidente sau

defeciuni cu furnizorii i prestatorii de servicii n cauz?

12A06-06 Are any changes in the contract relationship (obligations,

service levels, etc.) analyzed for resulting potential risks?

Sunt orice modificri ale relaiilor contractuale (obliga ii,

nivelele de servicii, etc.), analizate pentru riscuri
poteniale care rezult?

12B

Controlul configuraiilor hardware i

software

Control of hardware and software

configurations

12B01

Network equipment customizing and compliance control

of configurations
12B01-01 Is an exact inventory of the equipments kept up to date by the
concerned responsible persons?
Of key importance with ToIP for the move of terminal
equipments and their configuration (including configured
emergency call numbers)

Particularizarea echipamentelor de reea i controlul

conformitii configurailor
Exista un inventar exact al echipamentelor pstrate pn
n prezent de ctre persoanele responsabile n cauz?
De o importan-cheie cu ToIP pentru mutarea
echipamentelor terminale i configuraia acestora (inclusiv
numerele de apel de urgen configurate)

12B01-02 Is there a document (or a set of documents ) or an

operational procedure which describes all security
parameters for the equipments and systems?
Such a document should be derived from the security policy
and describe all the filtering rules decided. It should also
mention the reference to the system versions so as to check
the status of the updates.

Exist un document (sau un set de documente) sau

proceduri operaionale care descriu toi parametrii de
securitate pentru echipamente i sisteme?
Un astfel de document ar trebui s fie derivat din politica
de securitate i s descrie toate regulile de filtrare
stabilite. Acesta ar trebui s menioneze, de asemenea,
trimiterea la versiunile n sistem, astfel nct s se verifice
starea actualizrilor.

12B01-03 Does this document require that all generic or by default

accounts be deleted and their list established?

Necesita acest document ca toate conturile generice sau

implicite s fie terse i lista lor stabilit?

12B01-04 Are the system versions, fixes and parameters updated

regularly in line with latest information?
This should be done in cooperation with expert authorities
(specialized audits, subscription to a service center, regular
consultation with CERTs, etc.)

Versiunile, remedierile i parametrii sunt actualizate n

mod regulat, n conformitate cu cele mai recente
informaii?
Acest lucru trebuie realizat n cooperare cu autoritile de
experi (audit de specialitate, abonament la un centru de
service, consultri regulate cu CERTs, etc.)

12B01-05 Does the resulting document or procedure impose a

synchronization feature, based on a reliable time reference?

Documentul sau procedura rezultat impun o

caracteristic de sincronizare, bazat pe o referin fiabil
de timp?

12B01-06 Are these reference documents protected, by secure

methods, against untimely or illicit alteration (sealing)?

Sunt aceste documente de referin protejate, prin

metode sigure, mpotriva modificrii intempestive sau
ilicite?

12B01-07 Is the integrity of system configurations checked, regularly (at Este integritatea configuraiei sistemului verificata, n mod
least weekly) if not at each system start-up, against the
regulat (cel puin sptmnal), daca nu la fiecare start-up
configuration theoretically expected?
al sistemului, in raport cu configuraia ateptata teoretic?
12B01-08 Are regular audits carried out of the compliance to the
specifications for security parameters?

Rxista audituri periodice efectuate cu respectarea

specificaiilor pentru parametrii de securitate?

12B01-09 Are regular audits carried out of the exception and escalation Exista audituri regulate efectuate in mod exceptional i o
procedures in the case of difficulty or installation problems? escaladare n cazul unor dificultati sau probleme de
instalare?
12B01-10 Are the development and test environments separated from
the operational environments?

Sunt mediile de dezvoltare i testare separate de cele

operaionale?

12B01-11 Is it possible to control, each time it is needed, the

compliance of the architecture and of the configurations of
the equipments ?

Este posibil s se controleze, de fiecare dat cnd este

necesar, conformitatea arhitecturii i a configuraiilor
echipamentelor?

12B02

Conformity control of operational software to a reference

version
12B02-01 Do the telecommunications operations manage a reference
version for each equipment or system in operation (source
and executable code)?

Controlul conformitii programului operaional la o

versiune de referin
Operaiunile de telecomunicaii gestioneaza o versiune de
referin pentru fiecare echipament sau sistem n
funciune (cod surs i executabil)?

12B02-02 Is this reference version protected against all possible illicit or Este aceast versiune de referin protejat mpotriva
untimely modification (signed media kept by a senior
oricrei posibile modificri ilicite sau nainte de vreme
manager, electronic sealing, etc.)?
(mass-media semnate inute de un manager senior,
sistemul de nchidere electronic, etc.)?
12B02-03 Is this protection considered to be inviolable (sealing by
Este aceast protecie considerat ca fiind inviolabila
cryptographic algorithm approved by the Information Security (sigilare prin algoritmul de criptare aprobat de ctre
Officer)?
responsabilul cu securitatea informatiei)?
12B02-04 Is the protective seal controlled automatically (otherwise it
may be an authoritative signature) at each new installation?

Este sigiliul de protecie controlat automat (n caz contrar

acesta poate fi o semntur de autoritate) la fiecare
instalaie nou?

12B02-05 Is a check made of the proof of origin and integrity of received Este o verificare fcut pentru dovada originii i integrit ii
maintenance module or a new version, from the editor or the modulului de mentenanta primite sau o versiune mai
manufacturer (for operating systems)?
nou, de la editorul sau productorul (pentru sistemele de
operare)?
12B02-06 Are the sealing and sealing control tools protected against
any unauthorized usage?

Sunt instrumentele de control i de etanare protejate

mpotriva oricrei utilizri neautorizate?

12B02-07 Does the inhibition of the automatic control of seals trigger an Inhibarea controlului automat al sigiliilor declan eaz o
alarm to a manager?
alarm catre un manager?
12B02-08 Are there regular audits of protection procedures for
reference programs?

Exist audituri regulate ale procedurilor de protecie

pentru programele de referin?

12C

Service continuity

Continuitatea serviciilor

Organization of operational equipment maintenance

Organizarea mentenantei operationale a

echipamentelor
Fac toate echipamentele obiectul unui contract de
mententanta?

12C01

12C01-01 Is all equipment covered by a maintenance contract?

12C01-02 Are there specific maintenance contracts for all hardware
which require a high availability and for which the
replacement must be made within limited delays?

Exist contracte specifice de mentenanta pentru toate

componentele hardware care necesit o disponibilitate
ridicat i pentru care nlocuirea trebuie s fie fcut n
ntrzieri limitate?

12C01-03 Do the contracts stipulate maximum delays before

intervention and compatible with the requirements of
availability?

Contractele prevd ntrzieri maxime nainte de

intervenie i compatibilitati cu cerinele de disponibilitate?

12C01-04 Do the contracts detail the required time slots and days of
intervention (24h/7d for example) compatible with the
requirements of availability?

Contractele detaliaza intervalele de timp necesare i zilele

de intervenie (24h / 7d, de exemplu), compatibile cu
cerinele de disponibilitate?

12C01-05 Do the contracts stipulate the conditions of escalation in case Contractele stipuleaz condiiile de escaladare n caz de
of difficulty?
dificultate?

12C01-06 Do the contracts detail specific clauses for when the

hardware downtime exceeds the specific times stipulated
(penalties, hardware replacement, etc.)?
It is desirable that these clauses be general and apply to all
cases no matter what the reasons (technical difficulty, staff
strikes, etc.)

Contractelo detaliaza clauze specifice pentru hardware n

cazul n care timpii mori depesc timpii specifici
prevzuti (penalizri, de nlocuire a hardware, etc.)?
Este de dorit ca aceste clauze s fie generale i sa se
aplice n toate cazurile, indiferent de motivele (dificultate
tehnic, greve de personal, etc.)

12C01-07 Do the maintenance contracts anticipate the complete

replacement of equipment in the case of important damage
which might not be taken into consideration by reparative
maintenance?
A special attention should be born on the confidentiality of
data stored on the disk of the replaced equipments

Anticipeaz contractele de mentenanta nlocuirea

complet a echipamentelor n cazul unor daune
importante, care nu ar putea fi luate n considerare de
mentenanta reparatorie?
O atenie deosebit trebuie cordata confidenialitatii
datelor stocate pe discul echipamentelor nlocuite

12C01-08 Are the maintenance contracts, the choice of subcontractors

and associated maintenance procedures subject to regular
audit?

Sunt contractele de mentenanta, alegerea

subcontractanilor i procedurile de mentenanta asociate
supuse auditului periodic?

12C02

Organization of software maintenance (systems and

attached services)
12C02-01 Are there maintenance contracts for all acquired software
products (systems software, middleware and applications)?

Organizarea software-ului de mentenanta (sisteme i

servicii ataate)
Exist contracte de mententanta pentru toate produsele
software achiziionate (sisteme de software, middleware
i aplicaii)?

12C02-02 Do the suppliers provide a technical software support center

which guarantees a quick and competent telephone
assistance?

Furnizorii ofer un centru de suport tehnic de software,

care garanteaz o asisten telefonic rapid i
competent?

12C02-03 Are there specific maintenance contracts for software

products (systems, middleware and applications) which
require corrective delays that standard maintenance cannot
cover?

Exist contracte specifice de mentenanta pentru produse

software (sisteme, middleware i aplicaii), care necesit
ntrzieri corective care nu sunt acoperite de intretinerea
standard?

12C02-04 Do these contracts detail specific maximum intervention

delays, compatible with the availability requirements?

Aceste detalii ale contractelor specifica intarzierile

maxime de interventie, compatibile cu cerinele de
disponibilitate?

12C02-05 Do the contracts detail the required time slots and days of
intervention (24h/7d for example) compatible with the
requirements of availability?

Detaliaza aceste contracte intervalele de timp necesare i

zilele de intervenie (24h / 7d, de exemplu), compatibile
cu cerinele de disponibilitate?

12C02-06 Do the contracts stipulate the conditions of escalation in case Contractele stipuleaz condiiile de escaladare n caz de
of difficulty?
dificultate?
12C02-07 Do the contracts specify specific clauses when hardware
downtime exceeds specific durations stipulated (penalties,
replacement of hardware, etc.)?
It is desirable that these clauses be general and apply to all
cases no matter what the reasons (technical difficulty, staff
strikes, etc.)

Specifica contractele clauze specifice, atunci cnd timpii

mori ai hardware-ului depesc duratele specifice
prevzute (penaliti, inlocuirea hardware-ului, etc.)?
Este de dorit ca aceste clauze s fie generale i se aplice
n toate cazurile, indiferent de motive (dificultate tehnic,
greve de personal, etc.)

12C02-08 Are the maintenance contracts, the choice of subcontractors

and associated maintenance procedures subject to regular
audit?

Sunt contractele de mentenanta, alegerea

subcontractanilor i procedurile de mententanta asociate
supuse auditului periodic?

12C03

Backup of software configurations (system, services and

configuration parameters)
12C03-01 Has a backup plan been established which covers all
programs and defines all objects to save and the frequency of
backups?

Backup de configuraii software (sistem, servicii i

parametrii de configurare)
A fost stabilit un plan de rezerv, care se refer la toate
programele i definete toate obiectele de salvat i
frecvena de backup?

12C03-02 Does the plan also cover configuration parameters of the

telecommunication equipments to save?

Planul acoper, de asemenea, parametrii de configurare

a echipamentelor de telecomunicaii ce trebuie salvate?

12C03-03 Is the plan implemented by automatic production routines?

Este planul pus n aplicare prin rutine automate de

producie?

12C03-04 Are there regular tests that the backup copies of

configurations enable the effective restoration of the
production environment at any time?
These tests should consider all the backups (including
documentation and parameters files) of legitimate elements.

Exista teste regulate prin care copiile de rezerv ale

configuraiilor permit restaurarea eficient a mediului de
producie n orice moment?
Aceste teste ar trebui s ia n considerare toate copiile de
rezerv (inclusiv documentaia i fiierele parametrii) ale
elementelor legitime.

12C03-05 Are the production routines which ensure backups protected,

against illicit or undue modification, by secure mechanisms?
Such mechanisms might be electronic seal or any equivalent
modification detection system.

Sunt rutinele de producie care asigur backup-uri

protejate mpotriva modificrilor ilicite sau nejustificate,
prin mecanisme sigure?
Astfel de mecanisme ar putea fi sigiliu electronic sau orice
alt sistem de detectare-modificare echivalent.

12C03-06 Are regular tests made of the readability of backups?

Sunt testele periodice realizate din lizibilitatea backupurilor?

12C03-07 Are all software backup plans and procedures subject to

regular audit?

Sunt toate planurile i procedurile software de backup

supuse unui audit regulat?

12C04

Disaster Recovery Plans

Planurile de recuperare n caz de dezastre

12C04-01 Have all the scenarios which may impact the

telecommunications infrastructure and services been
considered and, for each scenario, the consequences in
terms of service unavailability for users?
ToIP creates additional requirements for power supply
continuity and ability to reconfigure of terminal equipments

Aufost luate in considerare toate scenariile care ar putea

avea un impact asupra infrastructurii i serviciilor de
telecomunicaii i, pentru fiecare scenariu, consecinele n
ceea ce privete indisponibilitatea pentru utilizatorii
serviciului?
ToIP creeaz cerine suplimentare pentru continuitate n
alimentarea cu energie i capacitatea de a reconfigura
echipamentele terminale

12C04-02 For each scenario, and in agreement with the users, have a
list and schedule of service resume been defined?
Loss of information, means to reconstruct them and
temporary operational procedures must be considered.

Pentru fiecare scenariu, i n acord cu utilizatorii, au fost

definite o list i un rezumat al programului de
mentenanta?
Pierderea de informaii, mijloacele pentru a le reconstrui i
proceduri operaionale temporare trebuie s fie luate n
considerare .

12C04-03 Has an activity recovery solution been defined and

implemented to resolve each scenario identified above, in
accordance with user requirements?

A fost definit i pus n aplicare o soluie de recuperare a

activitatii pentru a rezolva fiecare scenariu identificat mai
sus, n conformitate cu cerinele utilizatorului?

12C04-04 Are the technical, organizational and human resources

sufficient to address the organization's requirements for IT
continuity?
This means being able to correct personnel deficiencies

Sunt resursele tehnice, organizatorice i umane suficiente

pentru a rspunde cerinelor organizaiei pentru
continuitatea IT?
Acest lucru nseamn a fi capabil a corecta deficienele
de personal

12C04-05 Are the technical, organizational and human resources

educated to address the organization's requirements for
continuity?
This implies to train appropriately all concerned staff.

Sunt resursele tehnice, organizatorice i umane educate

pentru a rspunde cerinelor organizaiei de continuitate?
Acest lucru implic instruirea n mod adecvat a
personalului n cauz.

12C04-06 Are all these solutions described in detail in Disaster

Recovery Plans including the conditions for triggering the
plan, the actions to execute, the priorities, the actors to
mobilize and their contact details?

Sunt toate aceste soluii descrise n detaliu n planurile de

recuperare n cazul dezastrelor, inclusiv condiiile de
declanare a planului, aciunile de executie, priorit ile,
actorii care sa se mobilizeze i s datele de contact ale
acestora?

12C04-07 Are these plans tested at least once a year?

Sunt aceste planuri testate cel putin o data pe an?

12C04-08 Are above tests able to guarantee that the staff capacity and
the recovery systems can cope, under full operational load,
the minimum service levels required by users?
The tests required to obtain this guarantee are preferably full
scale tests of each variant of scenario, involving all users.
The results of the tests have to be registered and analyzed in
order to improve the capability of the organization to answer
to the situations considered.

Sunt testele de mai sus n msur s garanteze c,

capacitatea personalului i sistemele de recuperare pot
face fa, sub sarcin operaional deplin, nivelurilor
minime de serviciu cerute de utilizatori?
ncercrile necesare pentru a obine aceast garanie
sunt, de preferin, teste complete de scal ale fiecrei
variante de scenariu, care implic toi utilizatorii.
Rezultatele testelor trebuie s fie nregistrate i analizate,
n scopul de a mbunti capacitatea organizaiei de a
rspunde la situaiile avute n vedere.

12C04-09 If the recovery solutions include delivery of hardware

components (which cannot be triggered during tests), is there
a contractual commitment by the manufacturer or any
relevant third party (leaser, broker, distributor) to deliver the
replacement hardware within fixed and anticipated time limits
as stated in the recovery plan?

n cazul n care soluiile de recuperare includ livrarea de

componente hardware (care nu poate fi declanat n
timpul ncercrilor), exist un angajament contractual de
la productor sau oricare alta parte tera relevanta
(Locatorului, broker, distribuitor) pentru a livra hardware-ul
de nlocuire n termene fixe i anticipate asa cum este
declarat n planul de redresare?

12C04-10 Has the unavailability or failure of the recovery facility been

Indisponibilitatea sau defectarea instalaiei de recuperare
considered and has a replacement solution been defined and a fost luat n considerare i are o soluie de nlocuire
validated (second level recovery)?
definita i validata (al doilea nivel de recuperare)?

12C04-11 Has this (second level recovery) solution been validated?

A fost validata aceast soluie (a doua recuperare nivel)?
12C04-12 Is the recovery solution usable for an unlimited duration and, Este soluia de recuperare utilizabil pentru o durat
if not, has a follow on replacement solution been established? nelimitat i, n cazul n care nu, are o urmrire pe soluia
de nlocuire ce a fost stabilit?
12C04-13 Are the existence, the pertinence and the updates of the
services Recovery Plans regularly controlled?

Sunt existena, pertinena i actualizarea planurilor de

servicii de recuperare controlate n mod regulat?

12C04-14 Is the updating of the above procedures within the recovery

plan subject to regular audit?

Este actualizarea procedurilor de mai sus inclusa n

cadrul planului de redresare ce face obiectul auditului
periodic?

12C05

Management of critical systems (regarding maintenance

continuity)
12C05-01 Have the consequences of the disappearance of a supplier
been analyzed (in the case of failure, a bug or change
requirement) and has a list of critical systems been
established?
This is valid for hardware, software or service providers

Managementul sistemelor critice (n ceea ce privete

continuitatea ntreinerii)
Au fost analizate consecinele dispariiei unui furnizor (n
caz de eec,eroare sau cerina schimbrii) i a fost
stabilit o list de sisteme critice?
Acest lucru este valabil pentru hardware, software sau
servicii.

12C05-02 For all critical systems, has a corrective solution been

analyzed to cope with the failure or disappearance of a
supplier (consignment of maintenance documentation or
source code with a trusted third party, hardware replacement
by standard market solutions etc.)?

Pentru toate sistemele critice, a fost analizat o soluie de

corecie pentru a face fa eecului sau dispariiei unui
furnizor (lot de documentaie de ntreinere sau codul
surs cu o ter parte de ncredere, de nlocuire a
sistemului hardware prin soluii standard de pe pia
etc.)?

12C05-03 Is there a guarantee that the corrective solutions could be

made operational within time delays compatible with the
continuity of the business and accepted by the users?

Exist o garanie c soluiile corective ar putea fi

operaionale n termen, cu ntrzieri compatibile cu
continuitatea activitii i acceptate de ctre utilizatori?

12C05-04 Have variants to the primary solution been considered in case Variante la soluia primar au fost luate n considerare n
it might encounter unforeseen difficulties?
cazul n care s-ar putea ntmpina dificulti neprevzute?
12C05-05 Is there a regular review of critical systems and corrective
solutions envisaged?

Exist o revizuire periodic a sistemelor critice i solu ii

corective avute n vedere?

12D

Use of end-user telecommunication

equipment

Utilizarea echipamentelor de
telecomunicaii de catre utilizatorii finali

Control of the compliance of user configurations

Controlul respectrii configuraiilor utilizatorilor

12D01

12D01-01 Has a list of the telecommunication software authorized on

the users' stations been established?
This list should indicate the reference versions authorized
and possibly the parameterization options

A fost stabilit o list a software-ului de telecomunicaii

autorizate pe staiile utilizatorilor?
Aceast list trebuie s indice versiunile de referin
autorizate i, eventual, opiunile de parametrizare

12D01-02 Are these lists protected against untimely or illicit alteration by Sunt aceste liste protejate mpotriva alterrii intempestiv
a robust sealing process?
sau ilicite printr-un proces solid de etanare?
12D01-03 Are the rights provided to users preventing them to modify the Drepturile oferite utilizatorilor i mpiedic pe acestia s
specific telecommunication (telephone, audio or video
modifice telecomunicaiile specifice (telefon, audio sau
conferencing, etc. )configurations of their equipment?
video conferine etc.) configuraiile sau echipamentul lor?
12D01-04 Is the conformity of the telecommunication configurations for Este conformitatea configuraiilor de telecomunicaii
user workstations regularly controlled relatively to the
pentru staiile de lucru ale utilizatorilor n mod regulat
authorized options?
controlate la opiunile autorizate?
12D01-05 Does the inhibition of the control process trigger an alarm to a Inhibarea procesului de control declaneaz o alarm
manager?
catre un manager?
12D01-06 Are the processes of control themselves subject to regular
audits?
12D02

Sunt procesele de control supuse unor auditari periodice?

Training and awareness setting for users

Formare i stabilirea gradului de contientizare pentru

utilizatori
12D02-01 Are the users made aware of the risks of tapping resulting
Sunt utilizatorii contieni de riscurile de transvazare care
from the use of telecommunication equipment and services? rezult din utilizarea echipamentelor i a serviciilor de
telecomunicaii?
12D02-02 Are the users informed of risks resulting from the malevolent
usage, locally or remotely, of their communication equipment?
In addition to the use of their colleagues' equipment without
their knowing.

Sunt utilizatorii informai cu privire la riscurile care rezult

din utilizarea ruvoitor, local sau de la distan, a
echipamentelor lor de comunicare?
n plus, fa de utilizarea echipamentelor colegilor lor, fr
acordul acestora.

12D02-03 Are the deactivation procedures explained to users at the

installation or replacement time of their equipment?
12D02-04
Are the control and security procedures documented?
12D02-05
Are all the users trained about these procedures?
12D03 Utilization of cryptographic equipment

Sunt procedurile de dezactivare explicate utilizatorilor la

momentul instalrii sau nlocuirea echipamentului lor?

12D03-01

Are the encryption capabilities explained to all the staff?

12D03-03 Have the user functions requiring a protection of the
telecommunication exchanges been analyzed?
12D03-04 Have encryption functions been installed on all the
corresponding user equipment?
12E01

Sunt toi utilizatorii instruii cu privire la aceste proceduri?

Utilizarea echipamentelor criptografice

Sunt cerintele de criptare a mecanismelor schimburilor

Are encryption of exchanges mechanisms settable in
stabilite n conformitate cu cerinele de baz de nonaccordance to the non-disclosure requirements established? divulgare stabilite?

12D03-02

12E

Sunt documentate procedurile de control i de securitate?

Control of administrative rights

Management of privileged access rights granted on
equipments and systems (administrative rights)

Sunt capacitile de criptare explicate ntregului personal?

Funciile de utilizator necesit o protecie a schimburilor
de telecomunicaii ce a fost analizat?
Funciile de criptare au fost instalate pe toate
echipamentele de utilizare corespunztoare?

Controlul drepturilor administrative

Gestionarea drepturilor de acces privilegiat acordate
pe echipamente i sisteme (drepturi administrative)

12E01-01 Have profiles been defined, within telecommunication

operations staff, corresponding to each type of activity
(system administration, administration of security equipment,
system monitoring, management of data storage and backup
functions etc.)?

Au fost definite profiluri, n cadrul personalului

operaiunilor de telecomunicaii, corespunztoare fiecrui
tip de activitate (administrare de sistem, administrare de
echipamente de securitate, monitorizarea sistemului,
gestionarea de stocare a datelor i funcii de backup,
etc)?

12E01-02 For each profile have the necessary rights and privileges
been defined?

Pentru fiecare profil drepturile i privilegiile necesare au

fost definite?

12E01-03 Does the process of attributing special rights require the Procesul de atribuire a drepturilor speciale necesit
formal authorization of management (or the manager autorizarea formal a managementului (sau managerul
responsible for external service providers) at a sufficiently responsabil pentru furnizorii externi de servicii), la un nivel
high level?
suficient de ridicat?

12E01-04 Is the process of attributing special rights allocated only in Este procesul de atribuire a drepturilor speciale alocate
relation to the profile of the holder?
numai n raport cu profilul titularului?
12E01-05 Is the process of granting (modification or revocation) of Este procesul de acordare (modificare sau revocare) a
special rights to an individual strictly controlled?
drepturilor speciale la un individ strict controlat?
A strict control requires a formal recognition of the signature Un control strict necesit o recunoatere formal a
(electronic or not) of the requestor, that there be a tight semnturii (electronic sau nu) a solicitantului, c exist un
control of access in order to attribute or modify such rights control strict al accesului, n scopul de a atribui sau
and that any modification of special rights be logged and modifica astfel de drepturi i care s fie conectat la orice
audited.
modificare a drepturilor speciale i auditate.
12E01-06 Is there a systematic process of removal of special rights at Exist un proces sistematic de eliminare a drepturilor
the time of departure of telecommunication operations staff? speciale la momentul plecrii personalului opera iunilor de
telecomunicaii?
12E01-07 Is there a systematic process of removal of special rights at Exist un proces sistematic de eliminare a drepturilor
the time of rle change of telecommunication operations speciale n momentul schimbrii rolului personalului
staff?
operaiunilor de telecomunicaii?
12E01-08 Is there a regular audit, at least once a year, of all special Exist un audit regulat, cel puin o dat pe an, a tuturor
rights attributed ?
drepturilor speciale atribuite
12E02

Authentication and control of the access rights of

administrators and operational personnel

Autentificarea i controlul drepturilor de acces ale

administratorilor i personalului operaional

12E02-01 Is the authentication protocol used for administrators or Este protocolul de autentificare utilizat pentru
holders of special rights considered to be secure?
administratorii sau deintorii de drepturi speciale
An authentication protocol is considered secure if it is not considerat a fi sigure?
susceptible to being broken by a listening device on the Un protocol de autentificare este considerat sigur n cazul
network or rendered inoperable by specialists tools (in n care nu este susceptibil de a fi rupt de un dispozitiv de
particular password crack tools ). Such security usually uses ascultare n reea sau inoperabil prin instrumente
cryptographic methods.
specializate (n special instrumente parola de crack). O
astfel de securitate utilizeaz de obicei metode
criptografice.

12E02-02 Are the rules, for instance in the case of passwords, Sunt regulile, de exemplu, n cazul parolelor, considerate
considered to be very strict?
a fi foarte stricte?
Strict rules impose the use of tested non-trivial passwords, Reguli stricte impun utilizarea unor parole netriviale
using a mixture of different types of characters and of a testate, folosind un amestec de diferite tipuri de caractere
reasonable length (ten characters). It is desirable that these i cu o lungime rezonabil (zece caractere). Este de dorit
rules have been approved by the Information Security Officer ca aceste norme au fost aprobate de ctre ofierul de
securitate al informatiei.
12E02-03 Is there a consistent control of the administrator's rights, of its Exist
un
control
consecvent
al
drepturilor
context, and of the suitability of this context with the administratorului, a contextului su, precum i a
requested access, as per formal rules of access control?
caracterului adecvat al acestui context, cu accesul
solicitat, conform regulilor formale de control al accesului?

12E02-04 Are authentication parameters under strict control?

Sunt parametrii de autentificare sub un control strict?
A strict control requires that the list of people able to change Un control strict impune ca lista de oameni capabili s
authentication rules, the credentials themselves and the schimbe regulile de autentificare, acreditrile n sine,
surveillance rules of connection attempts be strictly limited, precum i normele de supraveghere a tentativelor de
that there be a reinforced access control in order to be able to conectare s fie strict limitat, c exist un control al
modify these rights and that any modification of these rights accesului consolidat pentru a putea modifica aceste
be logged and audited and that there be a general audit at drepturi i c orice modificare s fie nregistrata i
least once a year of all authentication parameters.
auditata aceste drepturi i s existe un audit general cel
puin o dat pe an, a tuturor parametrilor de autentificare.

12E02-05 Are the processes that guarantee authentication under strict Sunt procesele care garanteaz autentificarea sub control
control?
strict?
A strict control requires that the software used has been Un control strict impune ca software-ul utilizat a fost
validated and undergoes a regular test for integrity (seal) and validat i este supus unui test regulat pentru
that there is an audit at least once a year of the authentication integritate(sigiliu) i c exist un audit cel pu in o dat pe
procedures and processes.
an, a procedurilor i a proceselor de autentificare.
12E02-06 Is there a regular audit of the security parameters attached to Exist un audit periodic al parametrilor de securitate
protecting profiles and rights?
ataate la protejarea profilurilor i a drepturilor?

12E03

Surveillance of system administrators' actions over the

equipments and systems
12E03-01 Has a detailed analysis been carried out of the events and
operations carried out with administrative rights which may
potentially have an impact on system security (configuration
of security systems, access to sensitive information, usage of
sensitive tools, download or modification of administrative
tools etc.)?

Supravegherea aciunilor administratorilor de sistem,

asupra echipamentelor i a sistemului
A fost efectuata o analiz detaliat a evenimentelor i
operaiunilor efectuate cu drepturi administrative care pot
avea un impact potenial asupra securitii sistemului
(configurarea sistemelor de securitate, acces la informaii
sensibile, utilizarea de instrumente sensibile de
descrcare sau de modificare a instrumentelor
administrative, etc. )?

12E03-02 Are these events recorded as well as all parameters which

may be useful for their subsequent analysis?

Aceste evenimente sunt nregistrate, precum i toi

parametrii ce pot fi utili pentru analiza ulterioar a
acestora?

12E03-03 Is there a system able to detect any modification or deletion

of a past record and to immediately trigger an alarm to a
manager?

Exist un sistem capabil s detecteze orice modificare

sau tergere a unei nregistrri anterioare i care sa
declaneze imediat o alarm unui manager?

12E03-04 Is there a summary of these records enabling management to Exist un rezumat al acestor evidene care s permit
detect abnormal behavior?
conducerii s detecteze un comportament anormal?
12E03-05 Is there a system enabling the detection of any modification
of recording parameters and to immediately trigger an alarm
to a manager?

Exist un sistem care s permit detectarea oricrei

modificri a parametrilor de nregistrare i care sa
declaneze imediat o alarm unui manager?

12E03-06 Does any inhibition of the recording and processing of the

logged events system trigger an alarm to a manager?

O inhibare a nregistrrii i prelucrrii sistemului

evenimentelor nregistrate declaneaz o alarm la un
manager?

12E03-07 Are all records or summary analyses protected against any

falsification or destruction?

Sunt toate nregistrrile sau sintezele analizelor protejate

mpotriva oricrei falsificare sau distrugere?

12E03-08 Are all records or summary analyses kept for a long period?

Sunt toate nregistrrile sau rezumatul analizelor pstrate

pentru o perioad lung de timp?

12E03-09 Are the procedures, which record and process privileged

operations, regularly audited?

Sunt procedurile, care nregistreaz i proceseaz

operaiuni privilegiate, auditate n mod regulat?

variant
R-V2

R-V3 R-V4

Max Min Typ ISO 27002 Comments

E1 9.2.1

E2

E3

E2

E2

E2

R1

R1

C1

E1 10.1.2;
10.3.1

E2 10.3.1

E2 9.2.1

E2 10.3.2

E2

E2 10.3.2

E3

E3

E3 10.3.2

E3 10.3.2;
11.4.4

E3 10.3.2;
11.4.4

E2 10.3.2

R1

E3 6.1.4; 12.4.1

E3 6.1.4; 12.4.1

C1

E2 9.2.4

E2

E3

E3

E3

C1

E2 11.4.4

E2 11.4.4

E3 11.4.4

E3 11.4.4

E2

C1

E2 10.1.1

E2 10.1.1

E2 10.1.1

E2 10.1.1

R1

C1

C1 10.2.1

E2 10.2.1

E1 10.2.2

E2 10.2.2

E2 10.2.2

E3 10.2.3

E2

E1

E2 11.4.4

E2 10.7.4;
12.6.1

E3 10.10.6

R1 10.7.4

E3 15.2.2

R1 15.2.2

R1 15.2.2

C1

R2

E1

R1

R2

R2

E2

R2

E3

C1

E1 9.2.4

E2

E2

E3

R1

E3

E3

C1

E1

E2

E2

E2

E3

R1

E3

C1

E1 10.5.1

E2 10.5.1

E2 10.5.1

E2 10.5.1;
14.1.5

R1 10.5.1

R2 10.5.1

C1

E1 14.1.3

E2 14.1.3

E1 14.1.3

E2 14.1.3

E2 14.1.3

E1 14.1.3

E2 14.1.5

E2 14.1.5

E2

E2

E3

E3

C1

C1

E2

E2

E2

E3

C1

E2

R2

E2

C1

C2

C1

E1

E2

E2
2
E2

4
4

E2

E2
4
E2

E2
4

E2

E1 10.1.3;
11.2.2

E1 10.1.3

E2 10.1.3

E2 10.1.3
3

R1 11.2.2

E2 11.2.4

E2 11.2.4

C1 11.2.4

E2

E2

E2

R1

R1

C1

E2 10.10.4

E2 10.10.4

4
4

E3 10.10.4

3
2

E3 10.10.4
E3 10.10.4

E3 10.10.4

E2 10.10.4

E2 10.10.4

C1 10.10.4