S 2.25 Documentation of the system configuration

Initiation responsibility: Head of IT Section, IT Security management

Implementation responsibility: Administrators

Planning, control, monitoring and contingency planning for IT systems depend on up-to-date documentation of those systems. Only if documentation of the system configuration is up-to-date is orderly recovery of the IT system possible following an emergency.

In the case of network operation, the physical network structure (cf. S 5.4 Documentation on, and marking of, cabling) and the logical network configuration must be documented, as must the access rights of individual users (cf. S 2.31 Documentation on authorised users and rights profiles) and the data backup status. Again, the applications used and their configuration must be documented, also the file structures on all IT systems.

Care should be taken to ensure that documentation is up-to-date and easy to understand so that a deputy could take over the administrative tasks at any time. The system documentation must be kept in such a way that it is available should an emergency occur at any time. If it is maintained in electronic form, it should either be printed out at regular intervals or else it should be stored on a transportable data medium. Access to the documentation should be confined to the responsible Administrators.

The system documentation should cover all the actions to be taken on starting up or shutting down IT systems. This is especially important for networked IT systems. Here, for example, it is often necessary to adhere to a particular sequence when mounting drives or starting up network services.

Additional controls:

• Is the existing documentation up-to-date?

• Is it possible to continue administration on the basis of that documentation?