IT Baseline Protection Manual S 2.170 Requirements to be met by a system management system
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
The purpose of a system management system is to provide support to an administrator of a local network (or virtual local network). A system management system therefore has to satisfy certain prerequisites in order to be able to give the administrator appropriate support. The requirements that any such system has to meet, however, are substantially dependent on the planned use (see S 2.169 Developing a system management strategy) and on the chosen architecture of the system management system (see S 2.171 Selection of a suitable system management product).
A system management system should provide the following functions:
User management
This includes adding, changing and deleting user accounts and group accounts.
Policy management
It should be possible to manage access rights both for access to and from the local network and for access to and from the Internet.
Software management
The system management system should allow the addition, deletion and updating of software components.
In addition, the automatic detection of installed software may be important, especially during the introductory phase. Although the administration of software licenses would be desirable, this is rarely supported by today's systems (see also application management below). One exception: licenses may be available in the form of files, so it may be possible to manage the license files within the framework of the file distribution mechanisms of a management system.
Determination, modification and administration of system configuration data
Administration of application data
It must be possible to manage files in a database system or configuration files belonging to an application so as to allow the distribution of a new version of a database, for example, or the distribution of new configuration files.
Monitoring of system components
This may also make sense for external components which are not subject to an administration system of their own, for example for the router of an Internet service provider (ISP) via which an Internet connection is implemented.
Application management
It should be possible to manage software at the application level, for example to manage HTTP access rights to the data on a WWW server (the realm). This form of management is generally hardly supported, because it requires the co-operation of the application itself.
Ideally, a system of this type would allow the delegation of administrative tasks, such that, for example, a system administrator could grant a workgroup system administrator the right to install software on the workgroup's computers. This mechanism is necessary particularly in medium- to large-sized networks.
Network and system administration is normally performed by the same administrative units within a company or agency. As the division of duties between network administration and system administration is not clear in some areas, it is advisable to consider the extent to which an existing network management system can be integrated into the system management system that is being procured.
In addition to these mainly functional requirements, there are also technical requirements among the criteria that are relevant to the selection of system management software (see S 2.171). Of these, the following are particularly worth pointing out here:
The management system must be capable of supporting the operating systems of all of the computers used for management and all of the computers being managed (operating-system-specific components of the management system, graphical user interface).
If a local database system is already in place, the management system should have the possibility of storing its management information in the existing database system.
The management system should be expandable. This relates on the one hand to the components of the management system (e.g. a modular concept with the possibility of purchasing and integrating additional modules at any time), and on the other hand to the function of the management system (e.g. a programming API, to be able to connect in-house components).
Generally speaking, the criteria for the categorisation of requirements described in S 2.171 can be used within the framework of this safeguard. For selected categories, the requirements are obtained by specifying a stipulation within the scope of the particular "range of values".