9.1 Standard software


Standard software is software offered on the market and generally obtainable through specialist retailers, e.g. from catalogues. It is characterised by the fact that it is intended to be installed by the user and that only little effort is required to adapt it to the user's specific needs.

This chapter deals with an approach to handling standard software with regard to security. The entire lifecycle of standard software is considered: drawing up a requirements catalogue, preselection of a suitable product, test, release, installation, licence administration and deinstallation.

The quality management system of the developer of the standard software is not covered in this chapter. It is assumed that the software has been developed in accordance with the usual quality standards.

The procedure described serves as orientation for establishing a security process for standard software. Where applicable, the steps listed here can be compared with a process already in place, or they can be scaled down to suit the needs at hand.

Threat Scenario

The following typical threats are assumed for "standard software" as part of IT baseline protection:

Organisational Shortcomings:

Human Failure:

Technical Failure:

Deliberate Acts:

Recommended Countermeasures (S)

For the implementation of IT baseline protection, selection of the required packages of safeguards ("modules") as described in chapters 2.3 and 2.4 is recommended.

The safeguards package for the module "Standard software" is presented in the following. Depending on the nature and scope of the standard software, it must be considered whether individual safeguards can be scaled down. S 2.79 to S 2.89 provide a detailed description of how the lifecycle of standard software can be shaped. These are supplemented by the other safeguards listed.




Contingency Planning:

© Copyright by Bundesamt für Sicherheit in der Informationstechnik 2000

Last Update on 6 April 2000