IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.86 Guaranteeing the integrity of standard
software
Initiation responsibility: Agency/company management
Implementation responsibility: Head of IT section
It must be guaranteed that the standard software approved can only be
installed in an unchanged condition. Accordingly, the possibility of desired or
unintentional changes occurring in the interim period, e.g. as a result of
computer viruses, bit errors due to technical errors or manipulation in
configuration files, should be prevented.
Installation must only be allowed to take place, therefore, using original data
media or numbered copies of the original data medium. An alternative to the
local installation from data media is the installation via a local network of a
version approved specifically for this purpose. It should be guaranteed that
only authorised persons have access.
If the data capacity allows (e.g. CD-ROM), backup copies should be produced
of the original data media. Original data media and all copies must be kept
protected from unauthorised access (see S 6.21 Backup Copy of Software
Used). The copies produced should be numbered and included in inventory
lists. Copies which are no longer needed must be deleted. Before installation,
a computer virus test must be carried out.
As an option, a checksum (cf. S 4.34 Using Encryption, Checksums or Digital
Signatures) can be created using the original data media or using a reference
version installed during the test. With the aid of this, before installation the
integrity of the data media used for it, or the versions deposited in local
networks can be checked, as can correct installation. In addition to this,
installed programs can also be provided with checksums for protection against
unauthorised changes to the approved configuration. In this way infections by,
as yet unknown computer viruses, can be detected. It can also be determined
whether a virus infection has occurred before or after installation.
Additional controls:
- In what way is the integrity of the standard software guaranteed?
- Is monitoring carried out periodically to check the integrity of the installed
programs?
- Are attempts at manipulation of programs and data detected?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000