S 2.138 Structured data storage

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator, IT users

Poorly structured data storage can lead to a wide variety of problems. For this reason, all IT users should be instructed on how to store data in clear, well-structured patterns. Appropriate structures should be specified by the administrators on all servers. This is also a prerequisite for achieving a differentiated allocation of access rights.

Program and work files should always be stored in separate sectors. This also makes it easier to perform data backups and ensure correct access protection. In the case of most application programs, no or very few configuration files are modified following installation. If possible, all files which are modified regularly should be stored in separate directories, so that only these directories need to be included in the regular data backups.

In the case of networked systems, it is also necessary to determine which programs and files should be stored on local hard disks or on a network server. Both options have advantages as well as disadvantages, and must be evaluated in accordance with the existing organisational structure as well as the hardware and software in use. For example, files needing to fulfil high availability requirements and the related application programs should be stored on workstation computers instead of the network server. In this case, appropriate contingency measures also need to be implemented for these workstation computers.

Task-specific or project specific directories should be created in order to facilitate the allocation of files. As few files as possible should be stored in personal directories.

To prevent the existence of different versions of basic files required for ongoing activities, such as letter templates, forms, project plans etc., such files should be managed centrally. For example, these files should be stored on a server so that all users have read-access to them, but only one person is authorised to modify each individual file.

The following example shows how data can be structured on a server by specifying directory paths:

\

\bin

\bin\program1

\bin\program2

\bin\program3

\user

\user\user1

\user\user2

\projects

\projects\p1

\projects\p1\texte

\projects\p1\bilder

\projects\p2

\projects\p2\projectplan

\projects\p2\sub-project1

\projects\p2\sub-project2

\projects\p2\sub-project3

\projects\p2\result

\standardforms

A regular check is required as to whether

• Data can be removed from the production system through archiving or deletion

• Access rights can be withdrawn after staff members have left a project group

• The latest versions of forms, templates etc. are stored on all IT systems

These checks should be performed regularly by users on their IT systems and the directories managed by them, and by the server administrators. The checks should be made at least once every quarter, otherwise staff members will no longer be able to recall the contents and origin of the files.

Additional controls:

• Are the directories used for holding data exclusively task-related or project-related?

• When was a check last made as to whether old files can be archived or deleted?