IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.62 Software acceptance and approval Procedure
Initiation responsibility: Head of IT section
Implementation responsibility: Head of IT section
The use of IT for dealing with certain tasks requires that computerised data
processing works as perfectly as possible, as the individual results can in most
cases not be checked. In the course of a software acceptance process,
therefore, it is checked whether the software works without error, i.e. whether
the software works with the desired degree of reliability and whether it creates
any undesired side effects. With the subsequent approval of the software by
the relevant body, permission is granted to use the software. At the same time,
this body assumes the responsibility for the IT process implemented by the
software.
In regard to software acceptance, a distinction is made between software
which was self-developed or developed by a third party and standard software
adapted for special uses.
Acceptance of self-developed software or software developed by third parties
Before the order to develop software is placed internally or externally, the
software requirements must be defined. These are then used as the basis for
the rough and detailed planning for implementation. Using these documents,
the relevant body, not the body responsible for the software development,
generally draws up an acceptance plan.
In general, test cases and the expected results for the software are determined.
Using these test cases, the software is tested and the difference between the
calculated and expected result is used as an indication for the correctness of
the software.
In order to develop test cases and to implement these tests, the following
should be observed:
- The test cases are developed by the relevant body
- No data of the actual operation should be used for test cases
- Test data, particularly if these are compiled by copying actual data, may
not contain any confidential information; person related data should be
made anonymous or simulated
- The implementation of the tests should have no effect on the actual
operation; if possible, a test computer should be used which is logically or
physically separate
Acceptance should be denied if;
- Serious errors are detected in the software
- Test cases occur where the calculated results do not correspond to the
estimated results
- User manuals or operating instructions are not available or inadequate
- Documentation of the software is not available or inadequate
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000