S 2.34 Documentation on changes made to an existing IT system

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

To guarantee smooth operation, the administrator must have or be able to obtain an overview of the system. The administrator's substitute must also have access to an overview of the system in case the administrator is unexpectedly absent. The overview is also a prerequisite for conducting examinations of the system (for example to look for problematic settings, examine the consistency after making changes, etc.).

For this reason, the changes made to the system by the administrators must be documented, if possible automatically. This applies especially to changes made to system directories and system files.

When installing a new operating system or updating an existing operating system, the changes made must be documented particularly carefully. It is possible for the activation of new system parameters or for changes to existing system parameters to significantly alter the response of the IT system (especially of its security functions).

In Unix, executable files that can be accessed by other users as well as the owner or that are owned by root must be approved and documented by the system administrator (see also S 2.9 Ban on using non-approved hardware and software). In particular, lists of the released versions of these files must be maintained that contain their dates of creation, their sizes, and any necessary s-bit settings at a minimum for each file. The lists are needed to perform the regular security checks and for checks performed after a loss of integrity.

Review questions:

• Are system changes sufficiently documented and in a manner understandable for a competent person?