S 2.219 Continuous documentation of information processing
Initiation responsibility: Top Management, Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT
Information processing must be continuously documented in all its phases, all applications and all systems to be able to ensure that IT operations proceed in the proper fashion. This includes the following safeguards:
- up-to-date documentation of all IT systems owned and their configuration (see S 2.25 Documentation of the system configuration)
- documentation of the users defined for each of the IT systems and their rights profiles (see S 2.31 Documentation on authorised users and rights profiles); this also includes a description of and rationale for all restrictions on the use of IT systems (rights and resources)
- recording of any new hardware and software components added to a system in the system documentation (see also S 2.34 Documentation on changes made to an existing system)
- documentation of all security-related processes such as data backups (see S 6.37 Documentation of the data backup) or the destruction of data media
- documentation of corrective maintenance actions (see S 2.4 Maintenance / repair regulations)
- a description of all errors found and eliminated (see S 2.215 Error handling).
A person should be appointed in writing as being responsible for the system (see S 2.26 Appointment of an administrator and his deputy), and the users should be informed who this person is.
For problem cases, it should be documented who can help and where information is to be found (see S 6.59 Specification of responsibilities for dealing with security incidents).
Review questions:
- Is information processing documented in all its phases, all applications and all systems?
- Are there rules that apply to the documentation of information processing?