S 4.78 Careful modifications of configurations
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
All changes made to an IT system during actual operation should be considered as critical, and appropriate caution must be exercised when performing such changes.
Before any change is made to an IT system, the old configuration should be backed up, so that it is readily available if the new configuration poses any problems.
In the case of networked IT systems, users must be duly informed about impending maintenance work in a suitable manner, for example, by means of an entry in the intranet or via e-mail, so that they can plan for a temporary system shutdown and correctly localise any problems which might occur after the changes have been made.
Changes to a configuration should always be performed in individual steps. Regular checks should be made as to whether these steps have been executed correctly, and whether the affected IT system and applications are still fully functional.
If changes are made to system files, a re-start should be performed subsequently in order to check whether the IT system can still be started correctly. All data carriers required for emergency starting such as boot diskettes or boot CD-ROMs should be kept handy in case a problem occurs.
Data backups should be prepared of all potentially affected files and directories prior to any changes to configuration. If possible, complex changes to a configuration should not be made in the original files, but in copies. All changes which have been performed should be examined by a colleague before being incorporated into regular operations.
In the case of IT systems which need to fulfil high availability requirements, replacement systems should be used, or at least restricted IT operations should be ensured. Ideally, the procedures specified in the emergency handbook should be followed in this case.
All changes made to a configuration should be noted down step-by-step, so that if a problem occurs, the functionality of the IT system can be restored by a successive reversal of the changes (see also S 2.34 Documentation on changes made to an existing IT system).
Review questions:
- Will the users be informed in a suitable manner of pending maintenance work?
- Are backups prepared of all files to which changes must be made?