S 2.168 IT system analysis before the introduction of a system management system

Initiation responsibility: Head of IT Section

Implementation responsibility: Administrators

Before a system management system is introduced, the IT systems that are to be administered in future must be examined and analysed. The resulting system documentation can then be used as a basis for planning and decision-making for the system management strategy being defined (see S 2.169 ) . It is important that if possible all relevant information about the administered systems should be available at the planning stage so as to rule out the possibility of wrong decisions being taken because of a lack of information. Specific requirements that have to be met by the management system being purchased can also be formulated on the basis of the local circumstances (K.O. criteria).

The following measures (and subsidiary measures described with them) have to be taken, ideally during planning and during ongoing operation of the system in accordance with the Baseline Protection Manual:

• Survey of the existing network environment (see S 2.139 )

• Documentation of the system configuration (see S 2.25 ): All IT systems should be recorded and documented. Especially in heterogeneous systems, for example, details of all operating systems in use must be noted so as to be able to formulate the requirements that the management system has to satisfy.

• Determining and reviewing the software inventory (see S 2.10 ): If the system management tasks are also to include the administration of software (application management), an inventory should be taken at this stage. Alternatively, automatic establishment of the software inventory ("autodiscovery", "software discovery") can be formulated as a requirement for the management system . Which of the two variants is required in each individual case is dependent on the duties to be performed in software management. For example, if the management system is acquired for the purpose of automatic management of an existing software inventory whose composition is not entirely known (because of software updates or new software being loaded), the management system must be capable of detecting the software inventory automatically after it is installed. If individual software packages are also to be administered at the application level within the framework of application management, it is necessary to examine whether the software actively supports this (for example with a suitable protocol), which means that a prior inventory of the existing software is required. Requirements then arise as to the functional scope of the management system being acquired (such as support for the application administration protocol). If a Web server is to be administered via an HTTP-based management interface, for example, the management system must have HTTP-based management functions itself or provide an expansion interface which allows the integration of your own developments.

In addition to documentation of the current situation, future planning for the IT system must also be taken into account because a management system should also be designed to allow for changes to the IT system in the future (e.g. scalability).