S 2.86 Guaranteeing the integrity of standard software
Initiation responsibility: Top Management
Implementation responsibility: Head of IT
It must be guaranteed that approved standard software can only be installed in an unchanged condition. This is to prevent intentional or unintentional changes from occurring in the interim period, e.g. as a result of computer viruses, bit errors due to technical faults, or manipulation of configuration files.
Installation must therefore only be carried out using original data media or numbered copies of the original data medium. An alternative to local installation from data media is installation via a local network of a version approved specifically for this purpose. It should be guaranteed that only authorised persons have access.
If the data capacity allows (e.g. CD-ROM), backup copies should be made of the original data media. Original data media and all copies must be kept protected from unauthorised access (see S 6.21 Backup copy of the software used). The copies made should be numbered and included in inventory lists. Copies which are no longer needed must be deleted. Before installation, a computer virus test must be carried out.
As an option, a checksum (see S 4.34 Using encryption, checksums, or digital signatures) can be created using the original data media or using a reference version installed during the test. With the aid of this checksum, the integrity of the data media used for installation, or of the versions deposited in local networks, can be checked before installation, as can the correctness of the installation. In addition, installed programs can also be provided with checksums to protect against unauthorised changes to the approved configuration. In this way, infections by as yet unknown computer viruses can be detected. It can also be determined whether a virus infection occurred before or after installation.
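The checksum procedure described above, sketched as an added example that is not part of the original safeguard text: a reference manifest is built from a known-good tree and any later copy (data medium, network share or installed directory) is compared against it. SHA-256, the function names and the sample files are assumptions of this example; the safeguard does not prescribe an algorithm.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream a file through SHA-256 so large installation images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(root):
    """Map every file below root (relative POSIX path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root, reference):
    """Compare a medium, network share or installed tree with the reference manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(n for n in reference if n in current and current[n] != reference[n]),
        "missing": sorted(n for n in reference if n not in current),
        "unexpected": sorted(n for n in current if n not in reference),
    }

def demo():
    """Constructed sample data: a reference tree and a copy that is then altered."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, copy = Path(tmp, "reference"), Path(tmp, "copy")
        (ref / "bin").mkdir(parents=True)
        (ref / "bin" / "app.exe").write_bytes(b"constructed-binary")
        (ref / "app.cfg").write_text("mode=approved\n")
        (ref / "readme.txt").write_text("v1\n")
        reference = build_manifest(ref)            # taken once from the original
        shutil.copytree(ref, copy)
        clean = verify(copy, reference)            # unchanged copy: no findings
        (copy / "app.cfg").write_text("mode=changed\n")    # altered configuration
        (copy / "readme.txt").unlink()                     # file removed
        (copy / "bin" / "extra.dll").write_bytes(b"x")     # file added
        return clean, verify(copy, reference)

if __name__ == "__main__":
    print(demo())
```

Running the same comparison once against the installation source and once against the installed files shows on which side of the installation a change occurred. The reference manifest is only useful if it is kept as protected from unauthorised access as the original data media.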
Review questions:
- Has it been ensured that approved standard software can only be installed in unchanged condition?
- Has it been ensured that installation only takes place using original data media or numbered copies of the original data medium and that only authorised persons have access to the installation routines?
- Are backup copies made of original data media?
- Is a computer virus test carried out before installation?
- Are checksums created using the original data media to check their integrity?