S 4.134 Choice of suitable data formats

Initiation responsibility: Head of IT Section

Implementation responsibility: Head of IT Section, users

There are a number of different data formats which are supported by the different IT applications. However, these are generally not compatible and therefore are not interchangeable. Unfortunately IT applications covering the same set of tasks (e.g. word processing systems) often cannot handle the data formats used by similar alternative products. This problem is aggravated by the fact that often application programs cannot process the data formats of their predecessors after a version upgrade.

Therefore when purchasing new application programs it is necessary to investigate which data formats are supported and how widespread the supported data formats are. As many important processes are to be permanently electronically stored, it is equally important to enquire what "service life" is expected of a given data format. In general, whenever the system changes, a check should be made as to whether all the stored data can still be handled by the new IT systems or IT applications.

Every time an application program is used, consideration should be given as to which format the processed data should be stored in. Who will need to be able to read this data and at what point in time should always be considered here.

When selecting data formats for file exchange, it is necessary to also consider whether these could contain any unwanted additional information (see also S 4.64 Verification of data before transmission / elimination of residual information). Files which have been created in certain data formats can also bring with them other security-relevant problems such as macros and, with them, a danger of macro viruses (see S 4.44 Checking of incoming files for macro viruses).

Example

With word processing it has proved expedient to store files created with Microsoft Word in rich text format (RTF). RTF files can be read by more word processing programs and cannot contain macro viruses.

Additional controls:

• Are there any recommendations as to which data formats should be used for data exchange, archiving or other application areas?

• When new programs are procured, does anyone enquire as to whether these are compatible with the data formats supported up to now?