IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.85 Approval of standard software
Initiation responsibility: Agency/company management
Implementation responsibility: Head of Specialist Department, Head of IT
Section
Before the acceptance of the standard software into actual operation comes the
formal approval. Agency or company management are responsible for the
approval of a product; however, they can delegate this to the management of
the specialist department or the management of the IT Division. The specialist
department can further restrict the approval provision specified by agency or
company management by means of its own restrictions. The use of nonapproved
software must be prohibited (see S 2.9 Ban on using non-approved
software).
Approval is always preceded by the successful completion of all necessary
tests (see S 2.83 Testing Standard Software). An approval must not take place
if unacceptable errors, e.g. serious deficiencies in security, were detected
during the tests.
Installation- and configuration provisions must be drawn up for approval.
Their level of detail depends on whether installation is to be undertaken by the
system administration or the user. The installation- and configuration
provisions are results of the tests carried out in the context of procurement
(see S 2.83 Testing Standard Software). If different configurations are
permissible, the effects of the individual configurations on security must be
explained. In particular, it must be stipulated whether restrictions on product
functionality or access rights are to be imposed on all, or just a few, users. The
staff- or works council, the data privacy officer and the IT security officer
must be involved in establishing these marginal conditions at the appropriate
time.
Approval should take place in the form of a written approval notice. In the
approval notice, statements should be made on the following points:
- Program name and version number,
- Designation of the IT procedure in which the product is to be used,
- Confirmation that the IT components used comply with the technical
requirements,
- Date of the approval, signature of the person responsible for the approval,
- Certificate of non-objection from the IT security officer, the data privacy
officer and the staff- or works council,
- Scheduled time of deployment in actual operation,
- For which users the product is being approved,
- Installation instructions, in particular the workstations at which it is being
installed and with what configuration,
- Who is authorised to install it,
- Who has access to the installation data media and
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000