IT Baseline Protection Manual S 2.9 Ban on using non-approved software

Initiation responsibility: Agency/company management, Head of IT Section, IT Security Management

Implementation responsibility: Head of IT Section

Provisions must be laid down on how software may be accepted, approved, installed and used (cf. S 2.62 Software acceptance and approval procedure and Chapter 9.1 "Standard Software"). Installation or use of non-approved software must be prohibited and, as far as possible, prevented by technical means. For example, this can be achieved under Windows 95 by restricting the user environment (see S 2.104 System guidelines for restricting usage of Windows 95). This is to prevent the introduction of programs with undesirable effects. In addition, uncontrolled use of the system beyond the defined range of functions is to be prevented. Where necessary, this ban on use can also be extended to the use of private hardware and private data (floppy disks, removable hard disks, PCs, laptops).

Which versions of executable files have been approved must be documented (including creation date and file size). The approved programs must be checked regularly for changes.
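
One way to carry out the documentation and regular check described above, as an added example that is not part of the manual: a register of approved executables is built and later compared with the directory. The function names and sample files are constructed, modification time stands in for creation date, and the SHA-256 digest goes beyond the attributes the manual lists, since a changed file can keep its size and date.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def describe(path):
    """Return the documented attributes of one executable file."""
    st = path.stat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    # Assumption: modification time is recorded in place of creation date.
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}

def build_register(root, approved):
    """Document the approved files (names relative to root)."""
    return {name: describe(root / name) for name in approved}

def check(root, register):
    """Compare root with the register; return sorted (name, finding) pairs."""
    findings = []
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for name, rec in sorted(register.items()):
        if name not in present:
            findings.append((name, "missing"))
            continue
        now = describe(root / name)
        changed = [k for k in ("size", "mtime", "sha256") if now[k] != rec[k]]
        if changed:
            findings.append((name, "changed:" + ",".join(changed)))
    # Anything on disk that was never approved is reported as well.
    findings += [(name, "not approved") for name in sorted(present - register.keys())]
    return findings

def demo():
    """Constructed sample: two approved programs, then a change and an extra file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "editor.exe").write_bytes(b"MZ-editor-v1")
        (root / "calc.exe").write_bytes(b"MZ-calc-v1.0")
        register = build_register(root, ["editor.exe", "calc.exe"])
        clean = check(root, register)
        # Same-size change with the original timestamp kept: only the digest differs.
        st = (root / "calc.exe").stat()
        (root / "calc.exe").write_bytes(b"MZ-calc-vX.0")
        os.utime(root / "calc.exe", ns=(st.st_atime_ns, st.st_mtime_ns))
        (root / "game.exe").write_bytes(b"MZ-game")
        return clean, check(root, register)

if __name__ == "__main__":
    print(demo())
```

In regular use the register would be stored where ordinary users cannot write to it, and `check` would be run on a schedule against the program directories.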

The ban on the use of software that has not been approved should be specified in writing and all staff should be informed about it. Prior approval should be required for any exemptions to be granted.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 2001