S 2.219 Continuous documentation of information processing

Initiation responsibility: Agency/company management, Head of IT Section, IT Security Management

Implementation responsibility: Head of IT Section, IT Security Management

Information processing must be continuously documented in all its phases, all applications and all systems must be documented in order to be able to ensure that IT operations proceed in the proper fashion. This includes:

• Up-to-date documentation of all existing IT systems owned and their configuration (see also S 2.25 Documentation of the system configuration).

• Documentation of the users defined for each of the IT systems and their rights profiles (see S 2.31 Documentation on authorised users and on rights profiles). This includes also a description and rationale for all restrictions on the use of IT systems (rights and resources).

• Any new hardware or software components must be listed in the system documentation (see S 2.34 Documentation of changes made to an existing IT system),

• Documentation of all security-relevant processes such as backups (see S 6.37 Documenting data backup procedures).

• Documentation of corrective maintenance actions (see S 2.4 Maintenance/repair regulations).

• A description of all errors found and fixed (see S 2.215 Error handling).

A person should be appointed in writing as being responsible for the system (see S 2.26 Appointment of an Administrator and his Deputy) and this person's identity should be notified to the users.

For problem cases it should be documented who can help and where information is to be found (see S 6.59 Specification of responsibilities for dealing with security incidents).

Additional controls:

• Are all phases of information processing, all applications and all systems documented?

• Are there established procedures for documentation of information processing?