Pau Lo
asked on
Voip assessment
What should be covered/reviewed in a VoIP/telephony IT audit? Would prefer comments as opposed to links. And what do you perceive to be the biggest risks to VoIP/telephony, if this is your field of expertise?
ASKER CERTIFIED SOLUTION
- Redundancy: if your primary VoIP server fails, how much will the business suffer? How long would it take to have a replacement? Is it necessary to have a redundant box?
- Backup and restore: does your VoIP solution implement an effective and efficient way of backing up the data and restoring it?
- Survivability: if there are remote sites where you deploy phones using a WAN link to connect to their server, what would happen if the link goes down? Is there a solution to have basic calling features in that scenario?
- Emergency dialling: for example, if there is an access code in place for outbound calls, call it 9 for example, how will users dial 911? 9911 or just 911? Also it is important to make sure that the circuits used for emergency dialling allow the 911 service to identify the real location of the emergency. VoIP trunks tend to be tricky.
- Network infrastructure: VoIP is a very large topic. The underlying network requires preparation to make it work, especially when you want to pull off toll bypass and intersite calling. This item includes voice VLANs, DHCP offers with the necessary options (TFTP servers, NTP servers, SIP proxies), bandwidth calculation, Quality of Service, Call Admission Control, Power over Ethernet considerations and so forth.
These are some items I can think of, but I think they are a mouthful.
Regards,
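The emergency dialling item above (does 911 work with and without the access code, and does it leave on a circuit that passes the caller's location) is something you can check mechanically against a dial plan. The following is an added example for this thread, not code from the original post or from any PBX vendor: a small digit-analysis routine over constructed route patterns. The pattern syntax is modelled loosely on Cisco-style route patterns (X = any digit, ! = one or more digits, [2-8] = a digit range, "." marks where the access code ends and is not dialed), and the trunk names and the location_aware flag are assumptions made for illustration.

```python
"""Audit helper for outbound access codes and emergency dialling in a PBX dial plan.

Added example for this thread; not code from the original post or from any PBX vendor.
Pattern syntax: X = any digit, ! = one or more digits, [2-8] = digit range,
'.' = end of the access code (not a dialed digit). Trunk names and the
location_aware flag are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    pattern: str          # e.g. "9.911"
    route_class: str      # "emergency", "local", "national", "international"
    trunk: str            # constructed gateway / trunk name
    location_aware: bool  # can this trunk deliver the caller's real location to 911?


def pattern_to_regex(pattern: str) -> str:
    """Translate a route pattern into a regular expression for full-string matching."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "X":
            out.append(r"\d")
        elif ch == "!":
            out.append(r"\d+")
        elif ch == ".":
            pass                          # access-code separator, nothing is dialed
        elif ch == "[":
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])  # a digit class such as [2-8] is valid regex as-is
            i = j
        elif ch.isdigit() or ch in "*#":
            out.append(re.escape(ch))
        else:
            raise ValueError(f"unsupported pattern character {ch!r} in {pattern}")
        i += 1
    return "".join(out)


def select_route(routes, dialed: str):
    """Return the most specific route whose pattern matches the whole dialed string, or None."""
    hits = [r for r in routes if re.fullmatch(pattern_to_regex(r.pattern), dialed)]
    if not hits:
        return None
    # Prefer the pattern with the fewest wildcard positions, then the longest pattern.
    return min(hits, key=lambda r: (sum(r.pattern.count(w) for w in "X!"), -len(r.pattern)))


def could_match_longer(route: Route, dialed: str) -> bool:
    """Heuristic: would this pattern still be a candidate if more digits followed?
    If so, the PBX may hold the call for its inter-digit timeout before routing it.
    (Only same-digit extensions are tried, which is enough for the patterns here.)"""
    regex = pattern_to_regex(route.pattern)
    return any(re.fullmatch(regex, dialed + d * k)
               for d in "0123456789" for k in range(1, 13))


def audit_emergency_dialing(routes, access_code="9", emergency="911"):
    """Return (dialed_string, issue) findings for the emergency number dialled
    both without and with the outbound access code."""
    findings = []
    for dialed in (emergency, access_code + emergency):
        route = select_route(routes, dialed)
        if route is None:
            findings.append((dialed, "no_route"))
            continue
        if route.route_class != "emergency":
            findings.append((dialed, f"wrong_class:{route.route_class}"))
        if not route.location_aware:
            findings.append((dialed, f"no_location:{route.trunk}"))
        for other in routes:
            if other is not route and could_match_longer(other, dialed):
                findings.append((dialed, f"overlap:{other.pattern}"))
    return findings


# Constructed dial plans: a typical weak plan, then a corrected one.
WEAK_PLAN = [
    Route("9.911", "emergency", "pri-gw-hq", True),
    Route("9.XXXXXXX", "local", "pri-gw-hq", True),
    Route("9.1XXXXXXXXXX", "national", "sip-trunk-itsp", False),
    Route("9.011!", "international", "sip-trunk-itsp", False),
]

FIXED_PLAN = [
    Route("911", "emergency", "pri-gw-hq", True),             # works without the access code
    Route("9.911", "emergency", "pri-gw-hq", True),           # and with it
    Route("9.[2-8]XXXXXX", "local", "pri-gw-hq", True),       # no longer overlaps 9911
    Route("9.1[2-9]XX[2-9]XXXXXX", "national", "sip-trunk-itsp", False),
    Route("9.011!", "international", "sip-trunk-itsp", False),
]

if __name__ == "__main__":
    for name, plan in (("weak", WEAK_PLAN), ("fixed", FIXED_PLAN)):
        print(name, audit_emergency_dialing(plan) or "no findings")
```

Against the weak plan the routine reports that plain 911 has no route at all and that 9911 also partially matches the 7-digit local pattern, so the PBX may wait for more digits before sending the call; the corrected plan produces no findings. Replacing the emergency trunk with the SIP trunk in either plan would add a no_location finding, which is the point the answer makes about VoIP trunks.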
ASKER
Great points. What about management control of 'calls', which is what it is for at the end of the day: excessive or inappropriate use, etc.?
VoIP systems have Class of Control, or Class of Restriction. This means you can categorize calls and then give certain users the appropriate calling privileges, so that some calls are routed while others are blocked.
You can also enforce Forced Authorisation Codes so that certain patterns (international, services, etc.) require the caller to enter a code with the necessary weight to allow the call through.
Some VoIP systems, like Cisco, have a hard time when it comes to inbound calling restriction. Many times I have seen users harassed by external callers, and the only way to achieve call blocking based on the caller number (one specific number alone) is to have H.323 gateways. Other systems like Asterisk and OpenSIPS have fewer issues, or none at all, in this regard.
Finally, if you have Call Detail Records, and a nice analysis tool, like this one for illustration purposes:
http://www.cdr-stats.org/screenshot/
Then you will be able to tell if a user is abusing the system, or things like that.
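The answer above makes two points an auditor can combine: the Class of Restriction / Forced Authorisation Code configuration says what each user should be able to dial, and the Call Detail Records say what they actually dialled. Below is an added example for this thread, not code from the original post or from the CDR tool linked above, that reviews a constructed CDR export against a constructed class-of-restriction table: it flags completed calls the restriction should have blocked, international or premium calls completed without a FAC, toll calls placed during quiet hours, and users whose international minutes exceed a threshold. The CSV columns, user classes, number-classification rules (NANP-style, with the access code already stripped from the dialled digits) and thresholds are all assumptions; a real export will need its own parse_cdr().

```python
"""Call Detail Record review: class-of-restriction compliance and usage outliers.

Added example for this thread; not code from the original post or from any CDR tool.
The CDR columns, user classes, number-classification rules and thresholds are
constructed for illustration. Dialed digits are assumed to be what was sent to the
trunk (outbound access code already stripped).
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed CDR export: start time, calling extension, dialed digits, duration (s), FAC used.
SAMPLE_CDR = """\
start,caller,dialed,duration,fac
2023-03-06 09:12:00,1001,2125551234,180,
2023-03-06 10:05:00,1003,01144207946000,900,4821
2023-03-06 11:30:00,1002,01133123456789,420,
2023-03-06 23:40:00,1003,01125252000000,3600,4821
2023-03-07 01:15:00,1003,01125252000001,1800,4821
2023-03-07 14:00:00,1004,19005551212,0,
2023-03-07 14:02:00,1004,18005551212,60,
"""

# Constructed class-of-restriction table: which destination classes each user class may reach.
USER_CLASS = {"1001": "standard", "1002": "standard", "1003": "executive", "1004": "lobby"}
ALLOWED = {
    "lobby": {"internal", "local"},
    "standard": {"internal", "local", "national"},
    "executive": {"internal", "local", "national", "international"},
}
FAC_REQUIRED = {"international", "premium"}   # destinations that must carry a Forced Authorisation Code


def classify_destination(dialed: str) -> str:
    """Map dialed digits to a destination class using simple NANP-style prefix rules."""
    if dialed.startswith("011"):
        return "international"
    if dialed.startswith(("1900", "1976")):
        return "premium"
    if len(dialed) == 4:
        return "internal"
    if len(dialed) == 11 and dialed.startswith("1"):
        return "national"
    if len(dialed) in (7, 10):
        return "local"
    return "unknown"


def parse_cdr(text: str):
    """Parse the constructed CSV export into dicts with a destination class attached."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        records.append({
            "start": datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S"),
            "caller": row["caller"],
            "dialed": row["dialed"],
            "duration": int(row["duration"]),
            "fac": row["fac"] or None,
            "dest": classify_destination(row["dialed"]),
        })
    return records


def review_cdr(records, intl_minutes_threshold=60, quiet_hours=(22, 6)):
    """Return (finding, caller, detail) tuples for restriction bypasses and usage outliers."""
    findings = []
    intl_minutes = defaultdict(float)
    for r in records:
        user_class = USER_CLASS.get(r["caller"], "lobby")   # unknown extensions get the most restrictive class
        completed = r["duration"] > 0
        # A completed call to a class the user may not reach means the restriction is not enforced.
        if completed and r["dest"] not in ALLOWED[user_class]:
            findings.append(("cor_bypass", r["caller"], r["dialed"]))
        # International / premium calls must have been authorised with a FAC.
        if completed and r["dest"] in FAC_REQUIRED and r["fac"] is None:
            findings.append(("missing_fac", r["caller"], r["dialed"]))
        # Toll calls during quiet hours are a classic toll-fraud indicator.
        hour = r["start"].hour
        if (hour >= quiet_hours[0] or hour < quiet_hours[1]) and r["dest"] in ("international", "premium"):
            findings.append(("after_hours_toll", r["caller"], r["dialed"]))
        if r["dest"] == "international":
            intl_minutes[r["caller"]] += r["duration"] / 60
    for caller, minutes in intl_minutes.items():
        if minutes > intl_minutes_threshold:
            findings.append(("excessive_international", caller, f"{minutes:.0f} min"))
    return findings


if __name__ == "__main__":
    for finding in review_cdr(parse_cdr(SAMPLE_CDR)):
        print(*finding)
```

On the sample data this reports extension 1002 (a standard user) completing an international call with no FAC, the lobby phone completing a national call, extension 1003 placing international calls during quiet hours, and 1003 exceeding the international-minutes threshold; the lobby phone's premium-rate attempt with zero duration is not reported, because a blocked call is the restriction working as intended.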
ASKER
Aside from the security issues / elements of an IT audit, are there any other key areas to review around VoIP/telephony?