S 4.107 Use of the vendor resources
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Most manufacturers of IT systems or IT components provide the users of their products with various support and information offerings. These include, for example, assistance with resolving problems (support, hotline, updates, patches etc.) and information on security solutions (websites, newsgroups, mailing lists etc.). Some of these offerings are free of charge, some are not.
Service providers
The offerings are typically made by the respective manufacturers, for standard software in particular. However, there are also numerous offerings by service providers. This applies especially to open source software, for which the developers often do not offer any commercial, contractually guaranteed support. Many open source projects, however, refer to qualified external service providers in their information material. Employees of these service providers are often also involved in the development of the open source software, so the service providers are able to offer support services of a quality equal to classic manufacturer support. Manufacturers of proprietary software often work closely with service providers and list them as partners or certify their services.
When procuring IT systems or products, consideration should already be given to which support offerings are to be used, particularly if this results in running costs. Consideration should also be given to whether the manufacturers themselves or service providers are to be commissioned. When selecting a service provider, it should be taken into account that a larger service provider may be able to support several applications; however, larger service providers are often not sufficiently specialised to offer support services of the same quality for every product.
It must be ensured that, for all IT systems and products in use, it is checked at regular intervals whether new information on security problems and possible solutions is available from the manufacturers or other sources. This is particularly important for all server operating systems, since a security gap on a server can cause significantly more damage than one on a client.
Security-specific updates
Security-specific updates should only be obtained from trusted bodies, for example manufacturers, developers, trusted service providers or CERTs (see also S 2.35 Obtaining information on security weaknesses of the system). If the files are provided in encrypted and/or signed form, the updates must be verified using the corresponding cryptographic procedures before they are installed.
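The following Go program is an added example, not part of the BSI safeguard text, of what the cryptographic check of a signed update looks like in practice. It assumes a vendor that publishes a manifest of SHA-256 hashes together with a detached Ed25519 signature over that manifest; the manifest format, the file names and the payload are constructed for the example, and the vendor key pair is generated in-process as a stand-in for a key whose public half would in reality be pinned locally and obtained out of band. The order of the checks is the point: the signature over the manifest is verified first, and only then is the file hash compared against the manifest, because a hash alone protects against corruption in transit but not against substitution of both file and hash by whoever controls the download path.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Errors returned by the verification steps, so callers can tell a forged
// manifest apart from a corrupted or unlisted file.
var (
	ErrBadSignature = errors.New("manifest signature invalid: do not trust any hash in it")
	ErrHashMismatch = errors.New("file hash does not match signed manifest")
	ErrNotListed    = errors.New("file is not listed in the signed manifest")
)

// BuildManifest stands in for the vendor's release tooling (assumption).
// Manifest format, constructed for this example: "<sha256-hex>  <filename>\n",
// sorted by filename so the output is deterministic.
func BuildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return []byte(b.String())
}

// SignManifest stands in for the vendor signing a release (assumption: in
// practice only the vendor holds the private key).
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// ParseManifest returns filename -> expected SHA-256 hex digest.
func ParseManifest(manifest []byte) (map[string]string, error) {
	entries := make(map[string]string)
	for i, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("manifest line %d malformed", i+1)
		}
		entries[fields[1]] = fields[0]
	}
	return entries, nil
}

// VerifyUpdate is the consumer-side check: signature over the manifest with the
// pinned vendor key first, then the hash of the downloaded file against the
// manifest entry. Nothing from the manifest is used before the signature holds.
func VerifyUpdate(vendorPub ed25519.PublicKey, manifest, sig []byte, name string, content []byte) error {
	if !ed25519.Verify(vendorPub, manifest, sig) {
		return ErrBadSignature
	}
	entries, err := ParseManifest(manifest)
	if err != nil {
		return err
	}
	want, ok := entries[name]
	if !ok {
		return ErrNotListed
	}
	sum := sha256.Sum256(content)
	got := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	// Stand-in vendor key pair; in reality only the public key is pinned locally.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	files := map[string][]byte{"patch-1.2.3.tar.gz": []byte("constructed patch payload")}
	manifest := BuildManifest(files)
	sig := SignManifest(vendorPriv, manifest)

	fmt.Println("genuine file:   ", VerifyUpdate(vendorPub, manifest, sig, "patch-1.2.3.tar.gz", files["patch-1.2.3.tar.gz"]))

	tampered := append([]byte{}, files["patch-1.2.3.tar.gz"]...)
	tampered[0] ^= 0x01
	fmt.Println("modified file:  ", VerifyUpdate(vendorPub, manifest, sig, "patch-1.2.3.tar.gz", tampered))

	// A manifest signed by some other key must be rejected before any hash is read.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong signer:   ", VerifyUpdate(otherPub, manifest, sig, "patch-1.2.3.tar.gz", files["patch-1.2.3.tar.gz"]))
}
```

The same structure applies when the vendor's tooling is GnuPG or a package manager's repository metadata: the detached signature is checked against a key obtained from a trusted channel, and only a manifest that passes that check is allowed to supply the hashes against which the downloaded files are compared.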
To ensure that security-related information can be accessed at any time, an overview should be maintained for all operating systems used and all important IT products. This overview should indicate the web addresses at which security-specific updates, patches and/or information can be found. In most cases, these addresses are given in the product documentation or linked directly from the websites of the manufacturers or providers. Experience has shown that links change frequently, so it is important to check them regularly for correctness and to update them when required.
Review questions:
- Was it checked which support services are offered for a product and whether it makes sense to use them?
- Is it checked at regular intervals, for all IT systems and products in use, whether new information on security problems and possible solutions is available from the manufacturers or other sources?
- Have safeguards been taken to protect the integrity of patches and updates?
- Is there a current overview of the IT products used and the respective support options?