Trustworthy Information Systems Handbook: Section 9
Criteria Group 1: system documentation
Questions to Ask
- What is the system’s unique identifier and/or common name?
- What is the agency and department responsible for the system?
- What is the agency and department responsible for applications?
- What is the name and contact information of the person(s) responsible for system administration?
- What is the name and contact information of the person(s) responsible for system security?
- Has a formal risk assessment of the system been completed? Date? Performed by? Methodology? Findings?
- Were design reviews and system tests run prior to placing the system in production? Were the tests documented?
- Is application software properly licensed for the number of copies in use?
- If connected to external systems lacking commensurate security measures, what mitigation procedures are in place?
- What other systems might records be migrated to?
Criteria Group 1: System administrators should maintain complete and current documentation of the entire system.
1A. System documentation should include, but is not limited to:
1. hardware (procurement, installation, modifications, and maintenance)
2. software (procurement, installation, modifications, and maintenance)
3. communication networks (procurement, installation, modifications, and maintenance)
4. interconnected systems
a. list of interconnected systems (including the Internet)
b. names of systems and unique identifiers
d. names and titles of authorizing personnel
e. dates of authorization
f. types of interconnection
g. indication of system of record
h. sensitivity levels
i. security mechanisms, security concerns, and personnel rules of behavior
Did You Know:
- “Agencies shall take reasonable measures to ensure that only agency authorized computer equipment is installed on or connected to state systems and that only approved software is installed or executed on state computer resources.” (Minnesota Department of Administration, Office of Technology, Computerized Information Resources Security Standards for State Agencies. IRM Standard 16, Version 1. June 1998.) Refer to Bibliography.
- System documentation, including specifications, program manuals, and user guides, should be covered in retention schedules, and retained for the longest retention time applicable to the records produced in accordance with the documents.
- Unique names and identifiers should remain the same over the lifetime of the units to allow tracking.
- When a system is installed at more than one site, steps should be taken to ensure that each site is running an appropriate, documented, up-to-date version of the authorized configuration.
- Audit trails of hardware and software changes should be maintained such that earlier versions of the system can be reproduced on demand.
- A process should be implemented to ensure that no individual can make changes to the system without proper review and authorization.
1B. Policy and procedure documentation should include, but is not limited to:
1. programming conventions and procedures
2. development and testing activities, including tools
- Periodic functional tests should include anomalous as well as routine conditions, and be documented such that they can be repeated by any knowledgeable programmer.
3. applications and associated procedures such as methods of entering/accessing data, data modification, data duplication, data deletion, indexing techniques, and outputs
4. identification of when records become official
5. record formats and codes
6. routine performance of system back-ups. Each back-up should be documented, appropriately labeled, stored in a secure, off-line, off-site location, and subjected to periodic integrity tests.
7. routine performance of quality assurance and control checks, as well as performance and reliability testing of hardware and software on a schedule established through consultation with the manufacturers
- Identification devices (e.g., security cards) should be included in periodic testing runs to ensure proper functioning and to verify the correctness of identifying information and system privilege levels.
- Each type of storage medium used should undergo regular statistical sampling following established procedures outlining sampling methods, identification of data loss and corresponding causes, and the correction of identified problems.
8. migration of records to new systems and media as necessary. All record components should be managed as a unit throughout the transfer.
9. standard training for all users and personnel with access to equipment
Did You Know:
- “The agency head shall ensure that agency employees understand the importance of security measures and their role in sharing the responsibility for the security and integrity of state computerized information resources.”
- “Agencies shall make a copy of the state Security Policy available to each agency employee and shall make all employees, contractors, and information users aware of their responsibilities under the state Security Policy and the agency security plan.”
- “The agency head shall ensure that each agency employee is aware that violation of the principles of the state Security Policy or the agency security plan could be cause for disciplinary action or termination from employment.”
(Minnesota Department of Administration, Office of Technology, Computerized Information Resources Security Standards for State Agencies. IRM Standard 16, Version 1. June 1998.) Refer to Bibliography.
TIS Handbook last updated July 2002, Version 4.