IT Baseline Protection Manual S 2.34 Documentation on changes made to an existing IT system

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

To ensure smooth operation, the administrator must have, or be able to obtain, an overview of the system. In case of unforeseen absence of the administrator, such an overview must also be available to his deputy. It is also the prerequisite for checking the system (e.g. for problematic settings or for consistency of changes).

Therefore, the changes made by administrators to a system should be documented. If possible, this should be automated. This applies, in particular, to changes made to system directories and files.

When new operating systems are installed or updates are applied, the changes made should be documented especially carefully. Activating new system parameters or modifying existing ones may also fundamentally change the behaviour of the IT system (particularly its security functions).

Under Unix, executable files that users other than the owner can also access, or that are owned by root, must be approved and documented by the system administrator (cf. also S 2.9 Ban on using non-approved software). In particular, lists of the approved versions of these files must be kept; as a minimum, these lists must contain the creation date and size of each file and information on any s-bits that are set. These lists are the prerequisite for regular security checks and for investigations after any loss of integrity.
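One way to automate the approved-file list described above, as an added example that is not part of the original manual: it records the modification time, size and s-bits of every in-scope executable below a directory and compares a later run against the approved list. The function names, the record layout and the use of the modification time in place of a creation date are assumptions of this example, and the sample tree is constructed.

```python
import os, stat, tempfile

FIELDS = ("mtime", "size", "s-bits")

def needs_approval(st):
    """In scope: executable regular files owned by root or accessible to non-owners."""
    if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
        return False
    return st.st_uid == 0 or bool(st.st_mode & 0o077)

def inventory(root):
    """Map relative path -> (mtime, size, s-bits) for each in-scope file below root."""
    records = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: record the entry itself, never a symlink target
            if needs_approval(st):
                sbits = "".join(c for c, bit in (("u", stat.S_ISUID), ("g", stat.S_ISGID))
                                if st.st_mode & bit)
                # Assumption: mtime stands in for the "creation date" (not stored by classic Unix).
                records[os.path.relpath(path, root)] = (int(st.st_mtime), st.st_size, sbits)
    return records

def compare(approved, current):
    """Return sorted (path, finding) pairs where current deviates from the approved list."""
    findings = []
    for path in sorted(set(approved) | set(current)):
        if path not in approved:
            findings.append((path, "not approved"))
        elif path not in current:
            findings.append((path, "missing"))
        else:
            diff = [f for f, a, c in zip(FIELDS, approved[path], current[path]) if a != c]
            if diff:
                findings.append((path, "changed: " + ", ".join(diff)))
    return findings

def demo():
    """Constructed sample tree: approve one tool, then alter it and add another."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("tool", "newtool"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("#!/bin/sh\n")
        os.chmod(os.path.join(root, "tool"), 0o755)
        approved = inventory(root)                      # newtool is not yet executable
        os.chmod(os.path.join(root, "tool"), 0o4755)    # set-uid bit appears
        os.chmod(os.path.join(root, "newtool"), 0o755)  # new, undocumented executable
        return compare(approved, inventory(root))
```

In regular use the approved inventory would be stored where the administered system cannot modify it, so that the comparison remains usable for investigations after a loss of integrity.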

Additional controls:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik
Last update: January 2000