S 2.25 Documentation of the system configuration
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Planning, control, monitoring and contingency planning for IT usage depend on up-to-date documentation of the existing IT system. Only if documentation of the system configuration is up-to-date is orderly recovery of the IT system possible following an emergency.
In the case of network operation, the physical network structure (see S 5.4 Documentation on, and marking of, cabling) and the logical network configuration must be documented, as must the access rights of individual users (see S 2.31 Documentation on authorised users and rights profiles) and the data backup status. Likewise, the applications used and their configuration must be documented, as well as the file structures on all IT systems.
Care should be taken to ensure that documentation is up-to-date and easy to understand so that a deputy could take over the administrative tasks at any time. The system documentation must be kept in such a way that it is available at any time should an emergency occur. If it is maintained in electronic form, it should either be printed out at regular intervals or stored on a transportable data medium. Access to the documentation should be confined to the administrators responsible.
The system documentation should cover all the actions to be taken on starting up or shutting down IT systems. This is especially important for networked IT systems. Here, for example, it is often necessary to adhere to a particular sequence when mounting drives or starting up network services.
Review questions:
- Is the current configuration of the applications, systems, and networks documented?
- Does the standard documentation also cover the current data backup status?
- Is the system documentation composed in such a way that it can also be understood by a deputy?