Government of Malta
Reference: GMICT F 0094:2013
Version: 3.0
Effective: 8 November 2013

Software Installation Request & Assessment (Line of Business Software) Form

This document is part of the GMICT Policy Framework

Terms are defined in the Vocabulary.
Reference Number[1] ------/-----

1. Requestor Details[i]

Name (Block Capitals)
Position
Identity Card No.
Domain (e.g. CORP, etc) and User Account Name (Kindly refer to the CIO’s office in case of difficulties)
Contact details (E-mail and telephone)
Section and Department

2. Software[ii] Details

Name
Version Number
Software Type (Mark one in each of the three columns below as appropriate)
In-house [ ] / Off-the-shelf [ ] / Commercial [ ]
Procured [ ] / Bespoke [ ] / Open Source [ ]
Software Website URL

Unclassified


3. Installation Location

PC Name(s) and corresponding Inventory number(s) of the PC(s) on which the software is to be installed.
PC Names / Inventory Numbers

4. Business Case

Kindly explain why the software is needed and which specific software functions/features are required. Attach documentation as appropriate.

5. Endorsement of Request by Head of Department

Name
Position
Contact details (E-mail and telephone)
Approved: [ ] Yes [ ] No
Comments (if any)
Signature
Date

6. Assessment by the Chief Information Officer[iii]

6.1 Request Justification Assessment

1 / Is there an equivalent Line of Business software that may have already been approved? / [ ] Yes [ ] No
2 / If the reply to Question (1) is ‘Yes’, and use of such software is still required, kindly provide justification for the software’s use in the space provided below.

6.2 Security Assessment

1 / Are the controls provided by the software and the environment within which the software operates commensurate with the classification[2] of the data processed by the software? / [ ] Yes [ ] No[iv]
2 / Does the software require changes in the standard Desktop Configuration (including Desktop Restrictions)? / [ ] Yes[v] [ ] No
3 / Does the software circumvent any security system and application controls? Examples include – a software that allows caching of credentials or one that disables security services/applications. / [ ] Yes[vi] [ ] No

6.3 Technology Assessment[vii]

1 / Does the software conform to the Adopted Technologies Specifications (GMICT X 0071)? / [ ] Yes [ ] No
2 / Will the software be used to write data to proprietary file formats? / [ ] Yes [ ] No
3 / If the reply to Question (2) is ‘Yes’, is the format already in use within Government or by the appropriate person/team related to this business case? / [ ] Yes [ ] No
4 / If the reply to Question (3) is ‘No’, will the files created by the software be intended only for the user(s) of the same software package? / [ ] Yes [ ] No[viii]
5 / If the reply to Question (4) is ‘No’ and the software is to be approved, kindly provide justification for the software’s use in the space provided below.

6.4 Business Assessment

1 / Are there any software support arrangements in place in case such services are needed? / [ ] Yes [ ] No[ix]
2 / Are there any patch management arrangements in place? / [ ] Yes [ ] No[x]
3 / Are there any risks / constraints in licensing which may potentially compromise the integrity of Government e.g. cost obligations for use? / [ ] Yes[xi] [ ] No
4 / If risks / constraints in licensing have been identified, kindly list them below.

7. Outcome

Information on this Form is only as accurate and complete as the information available at the time of assessment.

Chief Information Officer’s Decision:

Installation Approved: [ ] Yes [ ] No
On Temporary Basis: [ ] Yes [ ] No
If on Temporary Basis, kindly state duration [ ]
Comments:
Name / Signature / Date
Chief Information Officer

Kindly retain this Form for auditing purposes.

Kindly, also, take note of the Software Installation Conditions listed in the Software Installation Procedure (GMICT R 0094).

8. Very Important Notes


[1] CIO Office Use ONLY - This unique number shall be assigned by the CIO’s Office and shall be referred to in the Software Asset Register, should the software be approved for installation. It shall take the following format XXXX 99999/YYYY, where XXXX represents the Ministry acronym, 99999 is a serial number, and YYYY represents the year.

[2] Classification in accordance with the guidelines set out in Section 3 of the Cabinet Office’s Manual of Procedures for the Handling of Classified Information in the Malta Public Service

[i] To the Requestor of the software

The Chief Information Officer or his/her delegate shall assess and decide on this request only after Sections 1 to 5 have been duly filled in accordingly. No software is to be procured prior to the final outcome given (Refer to Section 8) and communicated accordingly by the CIO or his/her delegate.

[ii] To the Requestor of the software and to the CIO/CIO office

Types of software, as listed in the Security Classified List (shown on Section 1, Figure 1 of the Software Installation Procedure - GMICT R 0094), may not be allowed for installation. An Exemption Request shall need to be raised accordingly.

[iii] To the CIO/CIO Office with respect to Sections 6 and 7.

  • The following Sections are to be filled in by the CIO or his/her delegate ONLY.
  • Where possible and/or where available, a trial/demo version of the software is used to conduct the assessment.
  • It would be necessary to conduct the Security Assessment on a PC that has a Desktop Configuration environment as that of a normal user.
  • This form, together with any related documentation shall be retained by the CIO’s Office for auditing purposes by MITA.
  • Installation of the software without the assessment as requested in this Form shall still imply that the Software Installation Conditions, as listed in the Software Installation Procedure, GMICT R 0094, are accepted.

[iv] Section 6.2 (Security Assessment), Question (1) – A negative outcome to this question shall by default imply that the software cannot be installed. An Exemption Request shall need to be raised accordingly. The process need no longer be followed.

[v] Section 6.2 (Security Assessment), Question (2) – A positive outcome to this question shall by default imply the following:

a) An Exemption Request shall need to be raised if changes involve any of the following folders:

  • C:\ (root folder)
  • C:\Windows and its subfolders
  • C:\Program files (root)
  • End-point security installations (solution as provided by Symantec Corp.)

The process need no longer be followed.

b) No Exemption Request is required to amend the rights on:

  • the software application folder
  • local PC registry keys

provided that such changes are done to folders or permissions directly associated with the installed programs. Such changes are however to be recorded on the Software Asset Register.

[vi] Section 6.2 (Security Assessment), Question (3) – A positive outcome to this question shall by default imply that the software cannot be installed. An Exemption Request shall need to be raised accordingly. The process need no longer be followed.

[vii] Section 6.3 (Technology Assessment) – The questions below are intended as a guide towards the use of software that makes use of open standards. It is strongly recommended that, unless absolutely necessary, alternatives to the chosen software package are considered if the software forces the use of proprietary file formats that are not currently in use within Government.

[viii] Section 6.3 (Technology Assessment), Question (3) – A negative outcome to this question (only), would indicate that the software is restricted to the use of proprietary formats and their intended use may cause issues. This answer should be actively considered for not installing the software; however, should this be absolutely necessary, justification may be provided in Question (4) for its approval.

[ix] Section 6.4 (Business Assessment), Question (1) – A negative outcome to this question should be actively considered for not installing the software.

[x] Section 6.4 (Business Assessment), Question (2) – A negative outcome to this question should be actively considered for not installing the software.

[xi] Section 6.4 (Business Assessment), Question (3) – A positive outcome to this question should be actively considered for not installing the software.