Tan, John Randolph S.

BSIE 5

Managing and Using Hardware Documentation

'Documentation' refers to both the operator manuals and the technical documentation that should be provided by the supplier / vendor.

Information Security Issues

Key Actions Ensure you receive all operational and technical manuals for each piece of equipment. Store the documentation accessibly but safely. Systems users must be trained according to the supplier's manuals.

If equipment is operated incorrectly mistakes and damage may result.

A failure to follow the recommended schedule of maintenance runs the risk of system malfunction, which could possibly jeopardize your business operation.

Ensure all regular maintenance is carried out and monitored. Adopt procedures which ensure that your operators complete all maintenance for which they are responsible according to the manufacturer's recommendation.

Failure to operate equipment in accordance with the instructions can invalidate the warranty.

Ensure you receive all operational and technical manuals for each piece of equipment.

Ensure that such manuals are readily available and form the basis of all training.

Failure to complete and return the manufacturer's warranty card may invalidate the warranty and hence limit the manufacturer's liability.

Failure to complete and return the manufacturer's warranty card may invalidate the warranty and hence limit the manufacturer's liability.

Maintaining a Hardware Inventory or Register

A register / data base of all computer equipment used within your organisation is to be established and maintained.

Information Security Issues Theft of equipment is most likely to result in additional cost to the organization and could compromise data security.

Key Actions Establish an inventory and implement procedures for updating it. Ensure that you have a procedure to advise the acquisition of new hardware, the disposal of old items, and any changes of location. Periodically verify the correctness of the inventory by checking that a sample of hardware is physically present.

Inadequate insurance could render your organization liable to loss in the event of a claimable event.

Establish an inventory and implement procedures for keeping it up-to-date.

Ensure that you periodically review the adequacy of your insurance cover. Establish an inventory and, in conformance with your IT Plan, 'ear mark' equipment for replacement and plan accordingly

Shortcomings in the planning of equipment replacement, can make it difficult to plan ahead for new technology.

Where documentation is poor, or perhaps non existent, the planning and performance of upgrades to equipment can be both time consuming and also fraught with problems.

Establish an inventory and implement procedures for keeping it up to date.

Record key information, especially hardware specifications and system software names and versions.

Software Maintenance & Upgrade

- Applying 'Patches' to Software

- Upgrading Software - Responding to Vendor Recommended Upgrades to Software - Interfacing Applications Software / Systems
- Supporting Application Software - Operating System Software Upgrades

- Recording and Reporting Software Faults

Applying 'Patches' to Software

Patches are software bug 'fixes', that is, they resolve problems reported by users. Usually available for downloading on the vendor's Web site, their use requires consideration of the relevant security issues.

Information Security Issues

If

Key Actions
Verify

a patch is applied incorrectly or without adequate testing, your system and its associated information can be placed at risk, possibly corrupting your live data files.

that the patches are necessary and come from an authorized source, normally the software developers.

If a patch is applied incorrectly or without adequate testing, your system and its associated information can be placed at risk, possibly corrupting your live data files.

Always test patched versions of software prior to release for live use. See System Testing
The testing and implementation of patches should not compromise your software library updating procedures. Apply patches only with management authorization. Monitor these procedures so that patches cannot 'slip through the net'. Ensure you receive updates to the system documentation.

If a patch is applied incorrectly or without adequate testing, your system and its associated information can be placed at risk, possibly corrupting your live data files.

Upgrading Software
The status of software is rarely static. Software companies are either releasing bug fixes (patches), or introducing new versions with enhanced functionality.

Information Security Issues The new version may simply fail to perform as expected and / or may have key features removed, enhanced or otherwise modified potentially disrupting your business operations.

Key Actions Consider all such releases as brand new code which must be tested properly. Your Test Plan should include Regression Testing to test all the key features - not only those which have been changed or updated.

Users of an older version of the software can be prevented from reading files created using a later release of the software.

Always ensure that the newer version can read and write files in the older format. Investigate 'save options' accordingly

Do not permit upgrades to take place informally. Schedule them as a project and inform users accordingly. New software versions released following the merger of software companies may contain unanticipated (new) code and / or bugs. Consider all such software as brand new code which must be tested properly.