Reviews and other verification actions e.g. during audits, that target data systems, must be planned in advance and agreed with the appropriate testers and management. This aims to minimize the impact of actions on operational processes.
When planning practices, the following points must be taken into account:
- inspection requests are approved with the appropriate responsible person
- the scope of technical tests is agreed in advance and their the implementation is monitored
- tests are restricted to read-only use as far as possible or are only implemented by experienced system administrators
- fulfilment of security requirements is ensured in advance on devices that require access to systems
- tests that may affect the availability of important systems, are performed outside office hours
- the actions taken during the inspections and the access rights granted for them are recorded in a log