IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.168 IT system analysis before the introduction of
a system management system
Initiation responsibility: Head of IT Section
Implementation responsibility: Administrators
Before a system management system is introduced, the IT systems that are to
be administered in future must be examined and analysed. The resulting
system documentation can then be used as a basis for planning and decisionmaking
for the system management strategy being defined (see S 2.169) . It is
important that if possible all relevant information about the administered
systems should be available at the planning stage so as to rule out the
possibility of wrong decisions being taken because of a lack of information.
Specific requirements that have to be met by the management system being
purchased can also be formulated on the basis of the local circumstances (K.O.
criteria).
The following measures (and subsidiary measures described with them) have
to be taken, ideally during planning and during ongoing operation of the
system in accordance with the Baseline Protection Manual:
- Survey of the existing network environment (see S 2.139)
- Documentation of the system configuration (see S 2.25): All IT systems
should be recorded and documented. Especially in heterogeneous systems,
for example, details of all operating systems in use must be noted so as to
be able to formulate the requirements that the management system has to
satisfy.
- Determining and reviewing the software inventory (see S 2.10): If the
system management tasks are also to include the administration of software
(application management), an inventory should be taken at this stage.
Alternatively, automatic establishment of the software inventory
("autodiscovery", "software discovery") can be formulated as a
requirement for the management system . Which of the two variants is
required in each individual case is dependent on the duties to be performed
in software management. For example, if the management system is
acquired for the purpose of automatic management of an existing software
inventory whose composition is not entirely known (because of software
updates or new software being loaded), the management system must be
capable of detecting the software inventory automatically after it is
installed. If individual software packages are also to be administered at the
application level within the framework of application management, it is
necessary to examine whether the software actively supports this (for
example with a suitable protocol), which means that a prior inventory of
the existing software is required. Requirements then arise as to the
functional scope of the management system being acquired (such as
support for the application administration protocol). If a Web server is to
be administered via an HTTP-based management interface, for example,
the management system must have HTTP-based management functions
itself or provide an expansion interface which allows the integration of
your own developments.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000