Implementation responsibility: Procurer, Head of Specialist Department, Head of IT Section
Following the completion of all tests, the test results must be submitted to the procurer. The procurer must then decide in favour of a product, with the involvement of the Head of the Specialist Department and the Head of IT Section, on the basis of the test results and the resulting price-performance ratio. In particular, the purchase price must be weighed against how well each product performs relative to the Requirements Catalogue. Additional functions of the products which were not listed in the Requirements Catalogue but which are nevertheless significant to their use should also be taken into account in reaching the decision.
Drawing up of installation instructions
After a decision has been taken in favour of a product, installation instructions must be drawn up for the selected product. During testing, the configuration of the product was determined in such a way as to permit secure and efficient productive operation. This is the way to guarantee user-friendliness, correctness and security in the workplace.
In order to guarantee the right configuration of the product in actual operation, specific parameters must be specified. Some of these must be accompanied by organisational provisions.
For some features of a product, the following section shows by way of example what can be specified in the installation instructions.
Example:
User-friendliness:
Drivers X, Y and Z (screen, printer, mouse, network) must be installed with the product to create an acceptable working environment for the user (screen flicker-free, reasonable editing, etc.).
The settings at which individual functions have the greatest processing speed must be specified, provided other criteria such as security are not at variance with them (the size of the swap files must be fixed at at least 10 MB; the verification option must be activated for data backup, although verification requires additional time).
Security:
Security function parameters must be pre-set (e.g. the minimum length of passwords must be 6 characters, backups must be created each day, logging must be activated to its full extent, rights of access to person-related log files must be arranged only for the data privacy officer, ...).
If the product supports several procedures which are relevant to security (e.g. encryption algorithms, hash functions), the ones that must be selected are those which attain an appropriate level of protection (RSA, with a key length of at least 768 bits, must be used as asymmetrical encryption, Triple-DES must be used as a symmetrical encryption function).
Function:
Only the functions X, Y and Z must be activated; functions which are unwanted or not required must be turned off.
The automatic data backup function must be activated using the parameter "every 10 minutes".
Organisation:
Installation must be carried out by the administrator.
Provisions for operation must be made (e.g. the user must be responsible for making his own backups, passwords must be changed after 30 days).
Marginal conditions:
The configuration of the platform on which the standard software product is to be used must be described and specified, especially if this removes system-related weaknesses in the platform.
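The parameters listed in the example above can be recorded so that an installed configuration can be checked against the installation instructions automatically. The following Python code is an added example and not part of the original text; the setting names and the sample configuration are assumptions, while the required values are those given in the example above.

```python
# Added example; setting names are hypothetical, required values are the page's.
MISSING = object()  # marker for a setting the configuration does not define

def at_least(n):
    return lambda v: type(v) is int and v >= n

def equals(x):
    # Type-strict so that 1 is not accepted where True is required.
    return lambda v: type(v) is type(x) and v == x

BASELINE = [  # (setting, check, requirement from the installation instructions)
    ("swap_file_mb", at_least(10), "swap file at least 10 MB"),
    ("backup_verify", equals(True), "verification option activated for data backup"),
    ("password_min_length", at_least(6), "minimum password length 6 characters"),
    ("backup_schedule", equals("daily"), "backups created each day"),
    ("logging", equals("full"), "logging activated to its full extent"),
    ("personal_log_readers", equals(["data_privacy_officer"]),
     "person-related log files readable only by the data privacy officer"),
    ("asymmetric_cipher", equals("RSA"), "RSA as asymmetrical encryption"),
    ("rsa_key_bits", at_least(768), "RSA key length at least 768 bits"),
    ("symmetric_cipher", equals("Triple-DES"), "Triple-DES as symmetrical encryption"),
    ("enabled_functions", lambda v: type(v) is list and set(v) == {"X", "Y", "Z"},
     "only functions X, Y and Z activated"),
    ("autosave_minutes", equals(10), 'automatic data backup "every 10 minutes"'),
    ("password_max_age_days", lambda v: type(v) is int and 0 < v <= 30,
     "passwords changed after 30 days"),
]

def audit(config):
    """Return (setting, found, requirement) per deviation; a missing setting fails."""
    findings = []
    for setting, check, requirement in BASELINE:
        found = config.get(setting, MISSING)
        if found is MISSING or not check(found):
            shown = "<not set>" if found is MISSING else found
            findings.append((setting, shown, requirement))
    return findings

# Constructed sample: a configuration as it might look before hardening.
SAMPLE = {
    "swap_file_mb": 16, "backup_verify": False, "password_min_length": 4,
    "backup_schedule": "daily", "logging": "errors-only",
    "personal_log_readers": ["data_privacy_officer", "administrator"],
    "asymmetric_cipher": "RSA", "rsa_key_bits": 512,
    "symmetric_cipher": "Triple-DES", "autosave_minutes": 10,
    "enabled_functions": ["X", "Y", "Z", "W"],  # password_max_age_days not set
}

if __name__ == "__main__":
    for setting, found, requirement in audit(SAMPLE):
        print(f"DEVIATION {setting} = {found!r}: required: {requirement}")
```

A setting that is absent from the configuration is reported as a deviation, so an incomplete installation cannot pass the check.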
Additional controls:
Are all the particulars for a successful installation contained in the installation instructions?
Are particulars included of how the product is de-installed again?