S 2.84 Deciding on and developing the installation instructions for standard software
Initiation responsibility: Top Management
Implementation responsibility: Head of Specialised Department, Purchasing Department, Head of IT
Following the completion of all tests, the test results must be submitted to the Purchasing Department. The Purchasing Department must then decide in favour of a product, with the involvement of the Head of the Specialised Department and the Head of IT, on the basis of the test results and the resulting price-performance ratio. In particular, the purchase price must be weighed against how well each product performs against the requirements catalogue. Additional functions of the products which were not listed in the requirements catalogue, but which are nevertheless significant to their use, should also be taken into account in reaching the decision.
Drawing up installation instructions
After a decision has been taken in favour of a product, installation instructions must be drawn up for the selected product. During testing, the configuration of the product was determined in such a way as to permit secure and efficient productive operation. This is the way to guarantee user-friendliness, correctness and security in the workplace.
In order to guarantee the appropriate configuration of the product in actual operation, specific parameters must be specified. Some of these must be accompanied by organisational provisions.
For some features of a product, the following section shows, by way of example, what can be specified in the context of installation instructions.
Example:
User-friendliness:
- The drivers X, Y and Z (screen, printer, mouse, network) must be installed to create an acceptable working environment for the user (flicker-free screen, reasonable editing etc.).
- The settings at which individual functions have the greatest processing speed must be specified, provided that other criteria such as security do not argue against them (the size of the paging files must be set to at least 10 MB; the verification option must be activated for data backup, although verification requires additional time).
Security:
- Security function parameters must be pre-set, e.g. the minimum length of passwords must be determined (see also S 2.11 Provisions governing the use of passwords), data backups must be created each day, logging must be activated to its full extent, access rights to personal log files must be granted only to the Data Privacy Officer ...
- If several security-related procedures are supported (e.g. encryption algorithms, hash functions), procedures must be selected with which an appropriate level of protection is achieved (for the selection, see S 2.164 Selection of a suitable cryptographic procedure).
Function:
- Only the functions X, Y and Z must be activated and functions which are unwanted or not required must be turned off.
- The automatic data backup function must be activated using the parameter "every 10 minutes".
Organisation:
- Installation must be carried out by the administrator.
- Provisions for operation must be made (e.g. the users must be responsible for making their own data backups, passwords must be changed after 30 days).
General conditions:
- The configuration of the platform on which the standard software product is to be used must be described and specified, especially if this removes system-related vulnerabilities in the platform.
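One way to make such installation instructions verifiable after rollout, shown as an added example that is not part of the original safeguard text: the specified parameters are written down as a baseline and an installed configuration is checked against it. The parameter names, the minimum password length of 8 and the sample configuration are constructed; the remaining values are taken from the example above.

```python
# Added example. Key names are hypothetical; values marked "page" come from the text above.
BASELINE = {
    "pagefile_size_mb":      ("min", 10),                  # page: at least 10 MB
    "backup_verify":         ("equals", True),             # page: verification activated
    "autosave_interval_min": ("equals", 10),               # page: "every 10 minutes"
    "password_max_age_days": ("max", 30),                  # page: changed after 30 days
    "password_min_length":   ("min", 8),                   # assumed value, not from the page
    "logging_level":         ("equals", "full"),           # page: logging to its full extent
    "enabled_functions":     ("subset", {"X", "Y", "Z"}),  # page: only X, Y and Z
}

def check(config, baseline=BASELINE):
    """Return a sorted list of (parameter, reason) deviations from the baseline."""
    findings = []
    for name, (rule, expected) in baseline.items():
        if name not in config:
            # An unset parameter silently falls back to the vendor default, so report it.
            findings.append((name, "not set"))
            continue
        actual = config[name]
        if rule == "subset":
            extra = set(actual) - expected
            if extra:
                findings.append((name, "not permitted: " + ", ".join(sorted(extra))))
        elif type(actual) is not type(expected):
            findings.append((name, f"expected {type(expected).__name__}"))
        elif rule == "min" and actual < expected:
            findings.append((name, f"{actual} is below minimum {expected}"))
        elif rule == "max" and actual > expected:
            findings.append((name, f"{actual} exceeds maximum {expected}"))
        elif rule == "equals" and actual != expected:
            findings.append((name, f"{actual!r} differs from {expected!r}"))
    return sorted(findings)

# Constructed configuration as it might be read back from an installed workstation.
INSTALLED = {
    "pagefile_size_mb": 16,
    "backup_verify": False,
    "autosave_interval_min": 10,
    "password_max_age_days": 90,
    "logging_level": "full",
    "enabled_functions": ["X", "Y", "Z", "macros"],
    # password_min_length is deliberately missing
}

if __name__ == "__main__":
    for parameter, reason in check(INSTALLED):
        print(f"{parameter}: {reason}")
```

Parameters that are present in the installed configuration but absent from the baseline are ignored here; organisational provisions such as who performs the installation still have to be checked by other means.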
Review questions:
- Are installation instructions drawn up for the selected products which also take into account the setting of security parameters?