S 2.85 Approval of standard software

Initiation responsibility: Agency/company management

Implementation responsibility: Head of Specialist Department, Head of IT Section

Before the acceptance of the standard software into actual operation comes the formal approval. Agency or company management are responsible for the approval of a product; however, they can delegate this to the management of the specialist department or the management of the IT Division. The specialist department can further restrict the approval provision specified by agency or company management by means of its own restrictions. The use of non-approved software must be prohibited (see S 2.9 Ban on using non-approved software).

Approval is always preceded by the successful completion of all necessary tests (see S 2.83 Testing Standard Software). An approval must not take place if unacceptable errors, e.g. serious deficiencies in security, were detected during the tests.

Installation- and configuration provisions must be drawn up for approval. Their level of detail depends on whether installation is to be undertaken by the system administration or the user. The installation- and configuration provisions are results of the tests carried out in the context of procurement (see S 2.83 Testing Standard Software). If different configurations are permissible, the effects of the individual configurations on security must be explained. In particular, it must be stipulated whether restrictions on product functionality or access rights are to be imposed on all, or just a few, users. The staff- or works council, the data privacy officer and the IT security officer must be involved in establishing these marginal conditions at the appropriate time.

Approval should take place in the form of a written approval notice. In the approval notice, statements should be made on the following points:

• Program name and version number,

• Designation of the IT procedure in which the product is to be used,

• Confirmation that the IT components used comply with the technical requirements,

• Date of the approval, signature of the person responsible for the approval,

• Certificate of non-objection from the IT security officer, the data privacy officer and the staff- or works council,

• Scheduled time of deployment in actual operation,

• For which users the product is being approved,

• Installation instructions, in particular the workstations at which it is being installed and with what configuration,

• Who is authorised to install it,

• Who has access to the installation data media and

• What training measures have to be undertaken before the product is used.

The approval notice must be brought to the attention of all those involved, in particular copies must be available to the Approval Authority, the IT Division, the Specialist Department and where necessary the IT user.

In addition to this, an organisational arrangement must be made that the approval and any possible tests required will be repeated if basic features, particularly in the area of security functions, have altered as a result of a change of version or patches. Changes of the kind mentioned must be notified to the person responsible for the approval of the product.

Furthermore, it can be specified which standard software products, depending on the place of use and the intended use, will enjoy general approval. It is a prerequisite that they have at least been tested for computer viruses, that the licence questions have been resolved and that they are registered. Examples of this would be:

• Demo versions for test purposes which are made available on special computers,

• Public domain software which is installed on special servers,

• Games programs on special computers which are installed in staff rooms.

Additional controls:

• Where are the approval notices administered and deposited?

• Are installation instructions available?

• Is there a guarantee that all software is subjected to the approval procedure?