S 2.358 Documenting the system settings of storage systems
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
The documentation of the system settings for the storage system provides verification that the technical and organisational specifications were implemented and describes the custom configuration for the organisation. The documentation forms the basis for administration during normal operations and for planning and implementing changes. In addition, correct and up-to-date documentation forms the basis of contingency planning.
Data relevant in an emergency must be accessible in all emergency scenarios. Remember, though, that information on the system settings is confidential and must therefore be protected accordingly against unauthorised access.
The following information in particular must be documented:
Organisation:
- A description of the roles defined and the associated rights profiles
- The administrative users of the storage system with the roles assigned to them
- The time when a user ID and user rights were configured, possibly including an expiration date and additional explanations
- The contact data and positions of the users in the organisation
- Specifications for data backups and contingency planning
Technology:
- The location of all storage devices with the specification of the type, purpose and the number of users
- The logical and physical assignments of the storage devices to the servers
- All connections between the storage devices and the network (SAN, LAN, possibly a WAN for remote monitoring)
- A list of which devices can export data via a NAS interface
- A list of all management interfaces (in-band and out-of-band). This list should also contain an overview of which interfaces are enabled and which services can be accessed using these interfaces.
Administration:
- A graphic diagram of the network (SAN, LAN, possibly WAN) and the connections configured between the storage systems, servers and the administration PC
- All specifications necessary for enabling and disabling interfaces and services
- The settings necessary to make data backups
- The log settings
- A short description ("cookbook") for handling important or regular administration tasks (recommended)
The organisational documentation should be checked regularly (at least every 6 months) to see if it reflects the actual rights assignments and if the rights assignments still meet the security requirements and are appropriate for the tasks currently performed by the users.
The technical documentation (or at least samples of the documentation) should be checked more often since it forms the basis for contingency planning.
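The six-monthly check of the organisational documentation is, in practice, a comparison of the documented administrative users and roles against what the storage system actually reports. The following Python script is an added example and is not part of the safeguard text or of any particular storage product; the record format, the user names, the roles and the review interval of 183 days are constructed assumptions. In a real environment the "actual" list would be exported from the storage system's management interface rather than typed in.

```python
"""Compare documented rights assignments of a storage system with the actual ones.

Added example for S 2.358. The data structures, user names and roles below are
constructed sample data, not taken from any real system or from the safeguard text.
"""
from datetime import date

# Constructed sample: the documentation of administrative users
# (role, date the ID was configured, optional expiration date), as required
# under "Organisation" in S 2.358.
DOCUMENTED = [
    {"user": "san_admin_01", "role": "storage-admin", "configured": "2023-01-10", "expires": None},
    {"user": "backup_svc", "role": "backup-operator", "configured": "2023-03-02", "expires": None},
    {"user": "ext_contractor", "role": "storage-admin", "configured": "2023-06-15", "expires": "2023-12-31"},
]

# Constructed sample: what the storage system's management interface reports.
# In practice this list would be exported from the device, not hand-written.
ACTUAL = [
    {"user": "san_admin_01", "role": "storage-admin"},
    {"user": "backup_svc", "role": "storage-admin"},     # more rights than documented
    {"user": "ext_contractor", "role": "storage-admin"},  # expired ID still present
    {"user": "tmp_debug", "role": "storage-admin"},       # not documented at all
]


def check_rights_assignments(documented, actual, today):
    """Return a sorted list of (user, finding) tuples describing every deviation
    between the documentation and the actual configuration."""
    findings = []
    doc_by_user = {d["user"]: d for d in documented}
    act_by_user = {a["user"]: a for a in actual}

    for user, entry in doc_by_user.items():
        if user not in act_by_user:
            findings.append((user, "documented but missing on system"))
            continue
        actual_role = act_by_user[user]["role"]
        if actual_role != entry["role"]:
            findings.append((user, f"role mismatch: documented {entry['role']}, actual {actual_role}"))
        # Expired IDs should have been removed; flag them if they still exist.
        if entry["expires"] and date.fromisoformat(entry["expires"]) < today:
            findings.append((user, f"user ID expired on {entry['expires']} but still present"))

    for user in act_by_user:
        if user not in doc_by_user:
            findings.append((user, "present on system but not documented"))

    return sorted(findings)


def review_is_overdue(last_review, today, max_days=183):
    """True if the documentation check has not been performed within max_days
    (183 days is used here as the assumed upper bound for 'every 6 months')."""
    return (today - last_review).days > max_days


if __name__ == "__main__":
    today = date(2024, 1, 15)  # constructed reference date
    for user, finding in check_rights_assignments(DOCUMENTED, ACTUAL, today):
        print(f"{user}: {finding}")
    if review_is_overdue(date(2023, 6, 1), today):
        print("documentation review is overdue")
```

Every finding the script reports is either a gap in the documentation or a rights assignment that no longer matches it; both need to be resolved before the check can be recorded as passed. Running the comparison on a schedule, with the actual list pulled from the management interface, turns the "at least every 6 months" requirement into a repeatable, auditable step.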
Review questions:
- Does the documentation of the system settings meet the technical and organisational specifications and does it describe the specific configuration of the storage systems in the organisation?
- Is the data relevant in an emergency available in all emergency scenarios?
- Is confidential data included in the documentation of system settings protected against being accessed by unauthorised persons?
- Are the specifications for data backup and contingency planning documented for storage systems?
- Was the documentation of the storage systems (the rights assignment in particular) checked at least every 6 months?