S 2.216 Approval procedure for IT components

Initiation responsibility: Head of IT, Top Management, IT Security Officer

Implementation responsibility: IT Security Officer, Head of IT

The purchase, installation and operation of IT components of all kinds must be co-ordinated and approved. Procedures must be defined for how IT components are accepted, approved, installed and used. This applies, for example, to modems, disk drives, software and mobile phones. A corresponding procedure for standard software is described in module S 1.10 Standard software, which considers the entire life cycle of standard software: drawing up of a requirements catalogue, pre-selection of a suitable product, testing, approval, installation, licence administration and deinstallation. Module S 1.10 likewise provides orientation for developing an analogous procedure for other IT components.

Within the framework of the approval procedure for new IT components,

Moreover, installation and configuration instructions, which include documentation of all the security-related settings, must be drawn up during the approval procedure. After the initial installation of IT components, these will require ongoing maintenance (see also S 4.78 Careful modifications of configurations). Before new IT components enter service, administrators and users must, as far as possible, be trained in their use.

The installation and use of non-approved IT components must be forbidden, and adherence to this ban must be checked at regular intervals.

Review questions: