S 2.9 Ban on using non-approved hardware and software
Initiation responsibility: Top Management, Head of IT, IT Security Officer
Implementation responsibility: Head of IT
It is common for employees to also use their own hardware and software such as mobile phones, PDAs or cameras for company purposes or at least on the company premises. Since, due to standard interfaces such as USB and extensive plug-and-play functionality, additional hardware becomes increasingly easy to use, rules have to be specified for its use. The use of external USB storage media (such as hard drives, memory sticks) or private PDAs, for example, can affect information security.
For this reason, it must be defined how hardware and software may be accepted, approved, installed and/or used. Safeguards to be implemented for this purpose include: S 2.216 Approval procedure for IT components, S 2.62 Software acceptance and approval procedure and module S 1.10 Standard software and S 4.4 Handling of drives for removable media and external data storage.
Installation or use of non-approved hardware and software must be prohibited and as far as possible prevented by technical means. Under most operating systems this can be achieved by by restricting the user environment. This is to prevent introduction of programs with undesirable effects. In addition, uncontrolled use of the system beyond the defined range of functions is to be prevented. It may be useful (in order to prevent macro viruses, for example) to extend this ban on use to reading or copying private data.
For software, it must be documented which versions of executable files have been approved (including creation date and file size). The approved programs must be checked regularly for changes.
The ban on the use of hardware and software that has not been approved should be specified in writing and all staff should be informed about it. Prior approval should be required for any exemptions to be granted.
Review questions:
- Are there rules for the acceptance, approval, installation, and use of hardware and software?
- Have all employees been informed of the ban on using non-approved hardware and software?
- Are all employees notified of this ban on use?
- For exemptions to be granted: Is prior approval required?
- Is the use of non-approved hardware and software prevented as far as possible by technical means?
- Are approved programs checked regularly for changes?