S 2.10 Audit of the hardware and software inventory
Initiation responsibility: Supervisor, IT Security Officer, Head of IT, Top Management
Implementation responsibility: IT Security Officer
In order to be able to detect any infringements of the ban on the use of non-approved software, regular checks of the hardware and software inventory must be carried out. If the number of IT systems is very large, random checks may be made. The results of such checks must be documented in order to detect repeated violations.
If non-approved hardware is found during such checks, it must be ensured that the IT components are no longer operated contrary to regulations. In addition, it must be determined who is responsible for operating such non-approved components to be able to take appropriate action. In specific cases of suspicion, when checking the hardware, attention must be paid to manipulations and additional devices that are used, for example, to record keyboard strokes.
If non-approved software is found during such checks, arrangements should be made for its removal. In order to be able to carry out these checks, the reviewing authority must be vested with adequate powers by the top management. In addition, the reviewing authority must be informed of which software is approved for which IT system (software inventory list).
In order to be able to efficiently maintain a software inventory list where a large number of software products are usually used, an appropriate tool should be used. For the typical client/server environment, this tool should be network-capable.
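The following Python script is an added illustration of the check described above; it is not part of the IT-Grundschutz catalogue and does not represent any particular inventory tool. It compares the software an inventory scan reports for each IT system against the software inventory list (which software is approved for which IT system), reports every non-approved item, records the findings with a timestamp so that repeated violations can be recognised across successive audits, and supports a reproducible random sample when the number of IT systems is too large for a full check. The host names, package names and the dictionary-based data formats are constructed assumptions; a real deployment would load both sides from the inventory tool.

```python
"""Audit of the software inventory against the approved software list.

Added example (not from the IT-Grundschutz catalogue). All system names,
software names and the data formats below are constructed assumptions.
"""
import json
import random
from collections import Counter
from datetime import datetime, timezone

# Constructed software inventory list: which software is approved for
# which IT system. The reviewing authority must have this list (S 2.10).
APPROVED = {
    "ws-001": {"office-suite", "pdf-reader", "av-client"},
    "srv-db1": {"postgresql", "av-client", "backup-agent"},
}

# Constructed result of an inventory scan, as a network-capable tool
# would report the software actually installed on each IT system.
SCAN = {
    "ws-001": {"office-suite", "pdf-reader", "av-client", "p2p-share"},
    "srv-db1": {"postgresql", "av-client", "backup-agent"},
    "ws-099": {"office-suite"},  # system missing from the inventory list
}


def audit(approved, scan, checked_at=None):
    """Compare each scanned IT system with its approved software.

    Returns a list of finding dicts. Software on a system that has no
    entry in the inventory list is reported too, since the reviewer
    cannot treat it as approved.
    """
    ts = checked_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    findings = []
    for system in sorted(scan):
        allowed = approved.get(system)
        for software in sorted(scan[system]):
            if allowed is None:
                reason = "system not in software inventory list"
            elif software not in allowed:
                reason = "software not approved for this system"
            else:
                continue  # approved, nothing to report
            findings.append({"system": system, "software": software,
                             "reason": reason, "checked_at": ts})
    return findings


def repeated_violations(audit_log, min_audits=2):
    """Detect repeated violations from documented audit results.

    audit_log is a list of findings lists, one per past audit. Returns
    {(system, software): number of audits in which it was found} for
    every pair found in at least min_audits audits.
    """
    counts = Counter()
    for findings in audit_log:
        # count each (system, software) pair once per audit
        for pair in {(f["system"], f["software"]) for f in findings}:
            counts[pair] += 1
    return {pair: n for pair, n in counts.items() if n >= min_audits}


def sample_systems(systems, fraction, seed):
    """Reproducible random subset for spot checks of very large estates."""
    rng = random.Random(seed)
    k = max(1, round(len(systems) * fraction))
    return sorted(rng.sample(sorted(systems), k))


if __name__ == "__main__":
    # Document the results of this check as JSON lines (the record that
    # later audits are compared against to spot repeated violations).
    for finding in audit(APPROVED, SCAN):
        print(json.dumps(finding))
```

Each audit run appends its findings to a stored log; feeding the stored runs to repeated_violations() gives the reviewer the list of systems on which the same non-approved software keeps reappearing, which is the information needed to escalate to whoever is responsible for operating the system.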
Prior to specifying procedures for checking the hardware and software inventory, the Personnel and/or Supervisory Board should be involved.
For IT systems that are not necessary for the actual operation of the IT network, e.g. test systems, instead of regular checks, event-triggered checks may be carried out. For example, checking on such IT systems can always be carried out when changes are made to the configuration or when the IT system is restored to service after an extended interval. However, a prerequisite to this is that safeguard S 2.9 Ban on using non-approved hardware and software is in force for all IT systems.
Review questions:
- Is the hardware and software inventory checked at regular intervals?
- Is a software inventory list available?
- When non-approved hardware and software is found: Is the continued operation of hardware and software contrary to regulations prevented immediately?
- When non-approved hardware and software is found: Is the person responsible for operating non-approved hardware and software determined?
- When non-approved hardware is found: Are further checks of the IT system for other manipulations and additional devices carried out in cases of concrete suspicion?
- When carrying out checks for non-approved software: Is the reviewing authority vested by the organisation's top management with adequate powers?