S 2.9 Ban on using non-approved hardware and software

Initiation responsibility: Top Management, Head of IT, IT Security Officer

Implementation responsibility: Head of IT

It is common for employees to also use their own hardware and software such as mobile phones, PDAs or cameras for company purposes or at least on the company premises. Since, due to standard interfaces such as USB and extensive plug-and-play functionality, additional hardware becomes increasingly easy to use, rules have to be specified for its use. The use of external USB storage media (such as hard drives, memory sticks) or private PDAs, for example, can affect information security.

For this reason, it must be defined how hardware and software may be accepted, approved, installed and/or used. Safeguards to be implemented for this purpose include: S 2.216 Approval procedure for IT components, S 2.62 Software acceptance and approval procedure and module S 1.10 Standard software and S 4.4 Handling of drives for removable media and external data storage.

Installation or use of non-approved hardware and software must be prohibited and as far as possible prevented by technical means. Under most operating systems this can be achieved by by restricting the user environment. This is to prevent introduction of programs with undesirable effects. In addition, uncontrolled use of the system beyond the defined range of functions is to be prevented. It may be useful (in order to prevent macro viruses, for example) to extend this ban on use to reading or copying private data.

For software, it must be documented which versions of executable files have been approved (including creation date and file size). The approved programs must be checked regularly for changes.

The ban on the use of hardware and software that has not been approved should be specified in writing and all staff should be informed about it. Prior approval should be required for any exemptions to be granted.

Review questions:

© Federal Office for Information Security. All rights reserved.