T 0.18 Bad Planning or Lack of Adaptation
If organisational processes that directly or indirectly serve information processing are not properly designed, security problems can result. Even when every single process step is carried out correctly, damage often occurs because the processes as a whole are defined improperly.
Another possible reason for security problems is dependency on other processes which do not have any apparent relation to information processing. Such dependencies are easily overlooked during planning and can then trigger impairments during operation.
In addition, security problems can arise when tasks, roles or responsibilities are not clearly assigned. This may cause, amongst other things, processes to be delayed, security procedures to be neglected or regulations to be disregarded.
A danger arises when equipment, products, procedures or other means of implementing information processing are not deployed properly. The choice of unsuitable products, or weak points in the application architecture or network design, for instance, can lead to security problems.
Examples:
- If maintenance or repair processes are not designed to meet technical requirements, unacceptable downtimes can occur as a consequence.
- If security requirements are not taken into account in the procurement of information technology, an increased risk can arise from attacks on one's own IT systems.
- If required consumable material is not made available on time, the IT procedures dependent on it can come to a halt.
- Weak points can arise if, at the planning stage of an IT procedure, unsuitable transfer protocols are selected.
Information technology and the complete environment of a public body or a company change continually, whether because employees leave or join, new hardware or software is procured, or a supplier declares itself bankrupt. If the organisational and technical adaptations that then become necessary are not taken into consideration, or are considered only inadequately, threats may follow.
Examples:
- Due to structural changes in the building, existing escape routes have been changed. Since the employees were not sufficiently informed, the building cannot be evacuated in the required time.
- When electronic documents were transferred, the need to use a data format readable by the recipient was disregarded.