Section 01: Purchasing and Installing Software
Specifying User Requirements for Software
POLICY STATEMENT
“All requests for new applications systems or software enhancements must be presented to IT and IT Procurement Committee with a Business Case with the business requirements presented in a User Requirements Specification document.”
Selecting Business Software Packages
POLICY STATEMENT
“The organization should generally avoid the selection of business critical software which, in the opinion of management, has not been adequately proven by the early adopters of the system. The selection process for all new business software must additionally incorporate the criteria upon which the selection will be made. Such criteria must receive the approval of IT and IT Procurement Committee.”
Selecting Office Software Packages
POLICY STATEMENT
“All office software packages must be compatible with the organization’s preferred and approved computer operating system and platform.”
Implementing New / Upgraded Software
POLICY STATEMENT
“The implementation of new or upgraded software must be carefully planned and managed, ensuring that the increased Information Security risks associated with such projects are mitigated using a combination of procedural and technical control techniques.”
Section 02: Software Maintenance & Upgrade
Applying ‘Patches’ to Software
POLICY STATEMENT
“Patches to resolve software bugs may only be applied where verified as necessary and with management authorization. They must be from a reputable source and are to be thoroughly tested before use.”
Upgrading Software
POLICY STATEMENT
“Upgrades to software must be properly tested by qualified personnel before they are used in a live environment.”
Responding to Vendor Recommended Upgrades to Software
POLICY STATEMENT
“The decision whether to upgrade software is only to be taken after consideration of the associated risks of the upgrade and weighing these against the anticipated benefits and necessity for such change.”
Operating System Software Upgrades
POLICY STATEMENT
“Necessary upgrades to the Operating System of any of the organization’s computer systems must have the associated risks identified and be carefully planned, incorporating tested fall-back procedures. All such upgrades are to be undertaken as a formal project.”