S 2.85 Approval of standard software
Initiation responsibility: Top Management
Implementation responsibility: Head of IT, Head of Specialised Department
Formal approval must precede the acceptance of standard software into actual operation. Approval of a product is the responsibility of top management, which may, however, delegate it to the management of the specialist department or of the IT division. The specialist department can further narrow the scope of the approval granted by top management by imposing restrictions of its own. The use of non-approved software must be prohibited (see S 2.9 Ban on using non-approved hardware and software).
Approval is always preceded by the successful completion of all necessary tests (see S 2.83 Testing standard software). Approval must be refused if unacceptable errors, e.g. serious security deficiencies, were detected during testing.
Installation and configuration provisions must be drawn up as part of the approval. Their level of detail depends on whether installation is to be carried out by system administration or by the users themselves. These provisions are derived from the results of the tests carried out during procurement (see S 2.83 Testing standard software). If several configurations are permissible, the security implications of each configuration must be explained. In particular, it must be stipulated whether restrictions on product functionality or access rights are to apply to all users or only to some. The Personnel or Supervisory Board, the Data Protection Officer and the IT Security Officer must be involved in establishing these boundary conditions in good time.
Approval should take place in the form of a written approval notice. In the approval notice, statements should be made on the following points:
- program name and version number,
- designation of the IT procedure in which the product is to be used,
- confirmation that the IT components used comply with the technical requirements,
- date of the approval, signature of the person responsible for the approval,
- certificate of non-objection from the IT Security Officer, the Data Protection Officer and the Personnel or Supervisory Board,
- scheduled time of deployment in actual operation,
- for which users the product is being approved,
- installation instructions, in particular the workstations at which it is being installed and with what configuration,
- who is authorised to install it,
- who has access to the installation data media, and
- what training measures have to be undertaken before the product is used.
The approval notice must be brought to the attention of all those involved; in particular, copies must be available to the approving authority, the IT division, the specialist department and, where necessary, the IT users.
In addition, an organisational arrangement must be made to ensure that the approval, together with any tests required, is repeated whenever basic features of the product, in particular its security functions, have changed as a result of a new version or patches. Changes of this kind must be reported to the person responsible for approving the product.
Furthermore, it may be specified which standard software products enjoy general approval, depending on where and for what purpose they are used. A prerequisite is that they have at least been checked for computer viruses, that licensing questions have been resolved and that they are registered. Examples of this would be:
- Demo versions for test purposes which are made available on special computers
- Public domain software which is installed on special servers
- Games programs on special computers which are installed in staff rooms
Review questions:
- Has it been ensured that standard software is not accepted into actual operation until after formal approval?
- Has it been specified that the approval of software does not take place until after successful completion of all necessary tests?
- Does a written approval notice exist, and has it been brought to the attention of all those involved?
- Is the approval process repeated when the software changes version or is patched?