IT Baseline Protection Manual S 2.10 Survey of the software held

S 2.10 Survey of the software held

Initiation responsibility: Agency/company management, Head of IT Section, IT Security Management, line managers

Implementation responsibility: IT Security Management

In order to be able to detect any infringements of the ban on the use of non-approved software, regular checks must be made of the software inventory. If the number of IT systems is very large, random checks may be made. The results of such checks must be documented so as to ensure that any recurrences are detected.

If non-approved software is found during such checks, arrangements should be made for its removal. In order to be able to carry out these checks, the reviewing entity must be vested with adequate powers by the company/agency management. In addition, the reviewing entity must be informed of which software is approved for which IT system (software inventory).

In order to be able to efficiently maintain a software directory where a large number of different packages is in use, an appropriate tool should be used. For the typical client/server environment this should be network-capable.

The works council and staff council should be involved before procedures for checking the software inventory are specified.

For IT systems that are not necessary for the actual operation of the IT network, e.g. test systems, event-triggered checks may be carried out instead of regular checks of the software stock. For example, such IT systems can be checked whenever changes are made to the configuration or when the IT system is restored to service after an extended interval. However, a prerequisite for this is that safeguard S 2.9 Ban on using non-approved software is in force for all IT systems.
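The check described above (approved software per IT system, random checks for large estates, documented results so that recurrences are detected) can be sketched as follows. This is an added example, not part of the manual; the host names, package names, dates and data layout are constructed assumptions.

```python
import random

# Constructed sample data: approved software per IT system (the software inventory).
APPROVED = {
    "ws-01": {"office-suite", "mail-client", "pdf-reader"},
    "ws-02": {"office-suite", "mail-client"},
    "srv-01": {"database", "backup-agent"},
}
# Constructed scan results: what was actually found installed on each system.
INSTALLED = {
    "ws-01": {"office-suite", "mail-client", "pdf-reader"},
    "ws-02": {"office-suite", "mail-client", "file-sharing-tool"},
    "srv-01": {"database", "backup-agent", "packet-sniffer"},
}

def select_systems(systems, sample_size=None, seed=None):
    """Return all systems, or a random sample when the estate is very large."""
    systems = sorted(systems)
    if sample_size is None or sample_size >= len(systems):
        return systems
    return sorted(random.Random(seed).sample(systems, sample_size))

def check_inventory(approved, installed, systems, check_date):
    """Compare found software with the approved list; one finding per violation."""
    findings = []
    for host in systems:
        if host not in approved:
            # No approved list on file: the check cannot be carried out, so record that.
            findings.append({"date": check_date, "host": host, "software": None,
                             "issue": "no approved inventory on file"})
            continue
        for sw in sorted(installed.get(host, set()) - approved[host]):
            findings.append({"date": check_date, "host": host, "software": sw,
                             "issue": "non-approved software"})
    return findings

def recurrences(history, findings):
    """Findings whose (host, software) pair already appears in earlier documented checks."""
    seen = {(f["host"], f["software"]) for f in history}
    return [f for f in findings if (f["host"], f["software"]) in seen]

if __name__ == "__main__":
    history = [{"date": "2001-03-01", "host": "ws-02",
                "software": "file-sharing-tool", "issue": "non-approved software"}]
    found = check_inventory(APPROVED, INSTALLED, select_systems(APPROVED), "2001-06-01")
    for f in found:
        print(f, "RECURRENCE" if f in recurrences(history, found) else "")
```

Appending each run's findings to the stored history is what makes a repeat violation on the same system visible at the next check.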

Additional controls:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik, last update: July 2001