T7.6.3 - RESTRICTIONS ON CHANGES TO SOFTWARE PACKAGES Implementation Guidance
The entity shall restrict the changes to software packages.
Back to T7.6.3 - P2 - RESTRICTIONS ON CHANGES TO SOFTWARE PACKAGES
As far as possible, and practicable, vendor-supplied software packages should be used without modification. Where a software package needs to be modified the following points should be considered:
- A. The risk of built-in controls and integrity processes being compromised
- B. Whether the consent of the vendor should be obtained
- C. The possibility of obtaining the required changes from the vendor as standard program updates
- D. The impact if the entity becomes responsible for the future maintenance of the software as a result of changes
If changes are necessary the original software should be retained and the changes applied to a clearly identified copy. A software update management process should be implemented to ensure the most up-to-date approved patches and application updates are installed for all authorized software. All changes should be fully tested and documented, so that they can be reapplied if necessary to future software upgrades. If required, the modifications should be tested and validated by an independent evaluation body.
Back to T7.6.3 - P2 - RESTRICTIONS ON CHANGES TO SOFTWARE PACKAGES
