S 2.379 Software development by end users
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: User
Many of the standard programs used allow users to develop their own programs, for example to make routine tasks easier to perform. A typical example of this is programming macros under Microsoft Word or Access or the provision of programming interfaces under Microsoft Outlook.
The willingness of employees to write such programs and the creativity they display when programming should generally be welcomed. However, every organisation should consider how it wants to handle macro and software development by end users.
The following must be noted:
- The users writing such macros and programs are generally not trained programmers.
- The users need to abide by the security policies of the organisation.
- How can other users benefit from the software developed (and who will then provide user support)?
- How will the programs, which are usually created spontaneously, be maintained and documented?
First, every organisation should decide, as a matter of policy, whether or not it wants to allow software to be developed in-house at all. In all cases, the decision made must be documented in the security policies.
If the organisation does not want to allow software to be developed in-house, then it would make sense to disable programming capabilities when installing standard programs (wherever this is possible).
On the other hand, if the development of software in-house is required, then corresponding user guidelines should be developed for this software to ensure that minimum requirements for the security, documentation and quality of the software developed are met.
Such a guideline should specify the following in particular:
- The existing regulations regarding data protection and information security must be followed.
- The software developed in-house must be documented in detail.
- For software developed in-house, only the software products approved for this purpose (e.g. the macro functions of a specific Microsoft Office package) may be used. The installation of additional applications or development environments is not allowed without the permission of the IT department.
Developing software in-house also takes a certain amount of working time. For this reason, it should be ensured that other users will be able to benefit from the software developed in-house and that the software will be maintained over the long term. Furthermore, a contact person for problems with the software developed in-house should be specified. The current version of the software developed in-house should also be available to all users. For this reason, it makes sense to forward all software developed in-house that may be of interest to other employees to the IT department. The IT department can then check whether organisation-wide deployment is reasonable, make any additional changes necessary before deployment, and offer user support for the software.
Macro programming must be protected against unauthorised changes. In addition, only trusted macros may be used. Moreover, transferring development results to unauthorised persons should be prevented. Macro extensions should only be used in the productive system after they have been tested in an isolated test environment and are considered to be secure.
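The two technical settings this safeguard calls for (disabling programming capabilities where in-house development is not allowed, and permitting only trusted macros where it is) can be enforced centrally for Microsoft Office. The following PowerShell script is an added example and is not part of the BSI safeguard text. It assumes Office 2016/2019/Microsoft 365 (registry policy branch "16.0"), applies the policy to the current user's hive, and uses the hypothetical function names Set-OfficeMacroPolicy and Get-OfficeMacroPolicy; in a domain the same values would normally be distributed via Group Policy instead of being set locally. Outlook is omitted because it uses a different macro security value.

```powershell
# Added example, not part of the original safeguard text.
# Assumptions: Office policy branch 16.0, per-user policy hive (HKCU),
# function names Set-OfficeMacroPolicy / Get-OfficeMacroPolicy are chosen here.

$OfficeVersion = '16.0'
$Apps = @('Word', 'Excel', 'PowerPoint', 'Access')   # Outlook uses a separate "Level" value; not handled here

function Set-OfficeMacroPolicy {
    param(
        # 'Disable'    : VBA switched off entirely (organisation does not allow end-user development)
        # 'SignedOnly' : only macros digitally signed by a trusted publisher may run
        [ValidateSet('Disable', 'SignedOnly')]
        [string]$Mode
    )

    $common = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Common"
    New-Item -Path $common -Force | Out-Null

    if ($Mode -eq 'Disable') {
        # Corresponds to the "Disable VBA for Office applications" policy
        Set-ItemProperty -Path $common -Name 'VBAOff' -Value 1 -Type DWord
        return
    }

    Set-ItemProperty -Path $common -Name 'VBAOff' -Value 0 -Type DWord
    foreach ($app in $Apps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        New-Item -Path $sec -Force | Out-Null
        # VBAWarnings: 1 = enable all, 2 = disable with notification,
        #              3 = disable except digitally signed, 4 = disable all without notification
        Set-ItemProperty -Path $sec -Name 'VBAWarnings' -Value 3 -Type DWord
        # Additionally block macros in files that carry the Mark-of-the-Web (downloaded from the Internet)
        Set-ItemProperty -Path $sec -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    # Read back the effective policy values for an audit (cf. the review questions)
    $common = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Common"
    $result = [ordered]@{
        VBAOff = (Get-ItemProperty -Path $common -Name 'VBAOff' -ErrorAction SilentlyContinue).VBAOff
    }
    foreach ($app in $Apps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $p = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue
        $result["$app.VBAWarnings"] = $p.VBAWarnings
        $result["$app.BlockContentExecutionFromInternet"] = $p.BlockContentExecutionFromInternet
    }
    return $result
}

# Usage: choose one of the two organisational decisions described in the safeguard
Set-OfficeMacroPolicy -Mode 'SignedOnly'
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

With VBAWarnings set to 3, an unsigned macro written by an end user will not run until it has been signed with a certificate whose publisher is in the Trusted Publishers store; this is the mechanism by which the requirement that only trusted, tested macros reach the productive system can be enforced rather than merely stated in the guideline.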
Review questions:
- Is there a procedure for handling software or macros developed by the end users?
- Has it been ensured that all software developed in-house is properly documented?
- Has it been ensured that the latest versions of all software developed in-house are available to the users?