Software is the user interface most commonly used by hackers who wish to manipulate data. It is subject to several restrictions and threats which may place an organisation’s operation in jeopardy. This section is specifically dedicated to malicious software (or ‘malware’).
Unsuitable software environment
To run correctly and fulfil its roles, IT hardware must have the appropriate software. It involves:
- making a list of the software needed for the company to operate, as well as any software dependency (library of functions). (Draft and enforce a Sectoral policy on the Classification and control of resources).
- establishing configuration types for software equipment.
- backing up the necessary software (and updates) in a digital library available upon installation.
- managing software licences. (Draft and enforce a Sectoral policy on Compliance – Intellectual property).
Use of unapproved software
The use of unapproved software may lead to the infringement of rights related to the software used or to the introduction of computerised processing that may prejudice the company. It is, therefore, important to ensure that the company’s IT environment is not disrupted by unsuitable software, by which we mean unauthorised to attain the organisation’s objectives. It is important to ensure that:
- users respect the Charter for the use of IT resources.
- the software usage policy is restrictive and defined at the operating system level (in other words, that a white list of executable applications has been drawn up). (Draft and enforce a Sectoral policy on the Organisation of security – Authorisation procedure for the addition of tools).
- user accounts do not automatically have administrator permissions. (Draft and enforce a Sectoral policy on Access control – Access control policy and Access rights management).
Unavailability of administrators
Administration of a computerised resource (hardware and/or software) allows you to react to events related to its environment and to adapt the system accordingly. It is, therefore, important to ensure that the resource is operable, in particular for solutions provided by third parties, especially those where a single supplier is the only one with knowledge of the administration procedure. Make sure that:
- an administrator is accessible and available at all times. (Draft and enforce a Sectoral policy on the Organisation of security – Attribution of responsibilities).
- an administration procedure has been made available by the service provider. (Draft and enforce a Sectoral policy on Physical and environmental security – Maintenance).
- trustworthy administrators have been recruited. (Draft and enforce a Sectoral policy on Human factors – Security as a mission).
- training is given to the administrators. (Draft and enforce a Sectoral policy on Human factors – Training and information).