Reference: GMICT F 0094:2010
Version: 1.0
Effective: 3 September 2010
Software Installation Request & Assessment (Line of Business Software) Form
This document is part of the GMICT Policy Framework.
Terms are defined in the Vocabulary Standard.
Reference Number[1] ------/-----
1. Requestor Details[i]
Name (Block Capitals)
Position
Identity Card No.
Domain (e.g. CORP, etc) and User Account Name (Kindly refer to the CIO’s office in case of difficulties)
Contact details (E-mail and telephone)
Section and Department
2. Software[ii] Details
Name
Version Number
Software Type (Mark one in each of the three columns below as appropriate)
- In-house / Off-the-shelf / Commercial
- Procured / Bespoke / Open Source
Software Website URL
Unclassified
3. Installation Location
PC Name(s) and corresponding Inventory number(s) of the PC(s) on which the software is to be installed.
PC Names / Inventory Numbers
4. Business Case
Kindly explain why the software is needed and which specific software functions/features are required. Attach documentation as appropriate.
5. Endorsement of Request by Head of Department
Name
Position
Contact details (E-mail and telephone)
Approved: [ ] Yes [ ] No
Comments (if any)
Signature
Date
6. Assessment by the Chief Information Officer[iii]
6.1 Request Justification Assessment
1 / Is there an equivalent Line of Business software that may have already been approved? / [ ] Yes [ ] No
2 / If the reply to Question (1) is ‘Yes’, and use of such software is still required, kindly provide justification for the software’s use in the space provided below.
6.2 Security Assessment
1 / Does the software require the opening of non-standard ports[iv]? / [ ] Yes[v] [ ] No
2 / Does the software require changes in the standard Desktop Configuration (including Desktop Restrictions)? / [ ] Yes[vi] [ ] No
3 / Does the software circumvent any security system and application controls? Examples include software that allows caching of credentials or software that disables security services/applications. / [ ] Yes[vii] [ ] No
6.3 Technology Assessment[viii]
1 / Does the software conform to the Adopted Technologies Specifications (GMICT X 0071)? / [ ] Yes [ ] No
2 / Will the software be used to write data to proprietary file formats? / [ ] Yes [ ] No
3 / If the reply to Question (2) is ‘Yes’, is the format already in use within Government or by the appropriate person/team related to this business case? / [ ] Yes [ ] No
4 / If the reply to Question (3) is ‘No’, will the files created by the software be intended only for the user(s) of the same software package? / [ ] Yes [ ] No[ix]
5 / If the reply to Question (4) is ‘No’ and the software is to be approved, kindly provide justification for the software’s use in the space provided below.
6.4 Business Assessment
1 / Are there any software support arrangements in place in case such services are needed? / [ ] Yes [ ] No[x]
2 / Are there any patch management arrangements in place? / [ ] Yes [ ] No[xi]
3 / Are there any risks / constraints in licensing which may potentially compromise the integrity of Government e.g. cost obligations for use? / [ ] Yes[xii] [ ] No
4 / If risks / constraints in licensing have been identified, kindly list them below.
7. Outcome
Chief Information Officer’s Decision:
Installation Approved: [ ] Yes [ ] No
On Temporary Basis: [ ] Yes [ ] No
If on Temporary Basis, kindly state duration [ ]
Comments:
Name / Signature / Date
Chief Information Officer
Kindly retain this form for auditing purposes.
Kindly, also, take note of the Software Installation Conditions listed in the
Software Installation Procedure (GMICT R 0094).
8. Very Important Notes
[1] CIO Office Use ONLY - This unique number shall be assigned by the CIO’s Office and shall be referred to in the Software Asset Register, should the software be approved for installation. It shall take the following format XXXX 99999/YYYY, where XXXX represents the Ministry acronym, 99999 is a serial number, and YYYY represents the year.
[i] To the Requestor of the software
The Chief Information Officer or his/her delegate shall assess and decide on this request only after Sections 1 to 5 have been duly filled in accordingly.
No software is to be procured prior to the final outcome given (Refer to Section 8) and communicated accordingly by the CIO or his/her delegate.
[ii] To the Requestor of the software and to the CIO/CIO office
The following types of software may not be allowed for installation. An Exemption Request shall need to be raised accordingly:
- Key logger
- Key generator
- Password generator
- Network sniffing
- Vulnerability/scanning tools
- Proxy
- DNS
- E-mail client
- VPN client
- Tethering
[iii] To the CIO/CIO Office with respect to Sections 6 and 7.
- The following Sections are to be filled in by the CIO or his/her delegate ONLY.
- Where possible and/or where available, a trial/demo version of the software is used to conduct the assessment.
- It would be necessary to conduct the Security Assessment on a PC that has the same Desktop Configuration environment as that of a normal user.
- This form, together with any related documentation shall be retained by the CIO’s Office for auditing purposes by MITA.
- Installation of the software without the assessment as requested in this Form shall still imply that the Software Installation Conditions, as listed in the Software Installation Procedure, GMICT R 0094, are accepted.
[iv] Section 6.2 (Security Assessment), Question (1) – The standard ports are 80 (http) and 443 (https) outgoing to the Internet.
[v] Section 6.2 (Security Assessment), Question (1) – A positive outcome to this question shall by default imply that the software cannot be installed. An Exemption Request shall need to be raised accordingly. The process need no longer be followed.
[vi] Section 6.2 (Security Assessment), Question (2) – A positive outcome to this question shall by default imply the following:
a) An Exemption Request shall need to be raised if changes involve any of the following folders:
- C:\ (root folder)
- C:\Windows and its subfolders
- C:\Program files (root)
- End-point security installations (solution as provided by Symantec Corp.)
The process need no longer be followed.
b) No Exemption Request is required to amend the rights on:
- the software application folder
- local PC registry keys
provided that such changes are done to folders or permissions directly associated with the installed programs. Such changes are however to be recorded on the Software Asset Register.
[vii] Section 6.2 (Security Assessment), Question (3) – A positive outcome to this question shall by default imply that the software cannot be installed. An Exemption Request shall need to be raised accordingly. The process need no longer be followed.
[viii] Section 6.3 (Technology Assessment) – The questions below are intended as a guide towards the use of software that makes use of open standards. It is strongly recommended that, unless absolutely necessary, alternatives to the chosen software package are considered if the software forces the use of proprietary file formats that are not currently in use within Government.
[ix] Section 6.3 (Technology Assessment), Question (3) – A negative outcome to this question (only), would indicate that the software is restricted to the use of proprietary formats and their intended use may cause issues. This answer should be actively considered for not installing the software; however, should this be absolutely necessary, justification may be provided in Question (4) for its approval.
[x] Section 6.4 (Business Assessment), Question (1) – A negative outcome to this question should be actively considered for not installing the software.
[xi] Section 6.4 (Business Assessment), Question (2) – A negative outcome to this question should be actively considered for not installing the software.
[xii] Section 6.4 (Business Assessment), Question (3) – A positive outcome to this question should be actively considered for not installing the software.