T 2 Threat catalogue: Organisational Shortcomings
T 2.1 Lack of, or insufficient, rules
T 2.2 Insufficient knowledge of rules and procedures
T 2.3 Lack of, inadequate, incompatible resources
T 2.4 Insufficient monitoring of security safeguards
T 2.5 Inadequate or non-existent maintenance
T 2.6 Unauthorised admission to rooms requiring protection
T 2.7 Unauthorised use of rights
T 2.8 Uncontrolled use of resources
T 2.9 Poor adjustment to changes in the use of IT
T 2.10 Data media are not available when required
T 2.11 Insufficient route dimensioning
T 2.12 Insufficient documentation on cabling
T 2.13 Inadequately protected distributors
T 2.14 Impairment of IT usage on account of adverse working conditions
T 2.15 Loss of confidentiality of sensitive data in the UNIX system
T 2.16 Non-regulated change of users in the case of laptop PCs
T 2.17 Inadequate labelling of data media
T 2.18 Uncontrolled delivery of data media
T 2.19 Inadequate key management for encryption
T 2.20 Inadequate or incorrect supply of consumables
T 2.21 Inadequate organisation of the exchange of users
T 2.22 Lack of or insufficient evaluation of auditing data
T 2.23 Security flaws involved in integrating DOS PCs into a server-based network - not to apply
T 2.24 Loss of confidentiality of sensitive data of the network to be protected
T 2.25 Reduction of transmission or execution speed caused by Peer-to-Peer functions - not to apply
T 2.26 Lack of, or inadequate, test and release procedures
T 2.27 Lack of or insufficient documentation
T 2.29 Software testing with production data
T 2.30 Inadequate domain planning - not to apply
T 2.31 Inadequate protection of the Windows NT system - not to apply
T 2.32 Inadequate line bandwidth
T 2.33 Siting of Novell Netware Servers in an insecure environment - not to apply
T 2.34 Absence of, or inadequate activation of Novell Netware security mechanisms - not to apply
T 2.35 Lack of auditing under Windows 95 - not to apply
T 2.36 Inappropriate restriction of user environment
T 2.37 Uncontrolled usage of communications lines
T 2.38 Lack of, or inadequate, implementation of database security mechanisms
T 2.40 Complexity of database access
T 2.41 Poor organisation of the exchange of database users
T 2.42 Complexity of the NDS - not to apply
T 2.43 Migration of Novell Netware 3.x to Novell Netware Version 4 - not to apply
T 2.44 Incompatible active and passive network components
T 2.45 Conceptual deficiencies of a network
T 2.46 Exceeding the maximum allowed cable/bus length or ring size
T 2.47 Insecure transport of files and data media
T 2.48 Inadequate disposal of data media and documents at the home workplace
T 2.49 Lack of, or inadequate, training of telecommuters
T 2.50 Delays caused by a temporarily restricted availability of telecommuters
T 2.51 Poor integration of telecommuters into the information flow
T 2.52 Longer response times in the event of an IT system breakdown - not to apply
T 2.53 Inadequate regulations concerning the substitution of telecommuters
T 2.54 Loss of confidentiality through hidden pieces of data
T 2.55 Uncontrolled use of Groupware
T 2.56 Inadequate description of files - not to apply
T 2.57 Inadequate storage of media in the event of an emergency
T 2.58 Novell Netware and date conversion to the year 2000 - not to apply
T 2.59 Operation of non-registered components
T 2.60 Strategy for the network system and management system is not laid down or insufficient
T 2.61 Unauthorised collection of person-related data
T 2.62 Inappropriate handling of security incidents
T 2.63 Uncontrolled use of faxes
T 2.64 Lack of rules for the RAS system - not to apply
T 2.65 Complexity of the SAMBA Configuration - not to apply
T 2.66 Inadequate security management
T 2.67 Incorrect administration of site and data access rights
T 2.68 Lack of, or inadequate, planning of Active Directory
T 2.69 Lack of, or inadequate, planning of the use of Novell eDirectory
T 2.70 Lack of, or inadequate, planning of partitioning and replication in Novell eDirectory
T 2.71 Lack of, or inadequate, planning of LDAP access to Novell eDirectory
T 2.72 Inadequate migration of archive systems
T 2.73 Inadequate audit trail of archive systems
T 2.74 Inadequate indexing keys for archives
T 2.75 Inadequate capacity of archival storage media
T 2.76 Inadequate documentation of archive accesses
T 2.77 Ineffectual transfer of paper data to electronic archives
T 2.78 Ineffectual regeneration of data stocks during archiving
T 2.79 Ineffectual regeneration of digital signatures during archiving
T 2.80 Ineffectual auditing of archiving procedures
T 2.81 Ineffectual destruction of data media during archiving
T 2.82 Poor planning of the archive system location
T 2.83 Flawed outsourcing strategy
T 2.84 Unsatisfactory contractual arrangements with an external service provider
T 2.85 Inadequate provisions for termination of the outsourcing project
T 2.86 Dependency on an outsourcing service provider
T 2.87 Use of insecure protocols in public networks
T 2.88 Negative impact of an outsourcing project on the organisational climate
T 2.89 Insufficient information security in the outsourcing introduction phase
T 2.90 Weaknesses in the connections with an outsourcing service provider
T 2.91 Poor planning of the migration of Exchange
T 2.92 Poor control of browser access to Exchange
T 2.93 Inadequate contingency planning concept with outsourcing
T 2.94 Inadequate planning of the use of IIS - not to apply
T 2.95 Inadequate concept for linking other systems to Exchange
T 2.96 Outdated or incorrect information on a website
T 2.97 Inadequate contingency planning with an Apache web server - not to apply
T 2.98 Incorrect planning and design of the use of routers and switches
T 2.99 Inadequate or incorrect configuration of the zSeries system environment
T 2.100 Errors in applying for and managing Internet domain names
T 2.101 Inadequate contingency planning for a security gateway
T 2.102 Insufficient awareness of IT security
T 2.103 Insufficient training of employees
T 2.104 Incompatibility between external and own IT systems
T 2.105 Violation of statutory regulations and contractual agreements
T 2.106 Disturbance to business processes as a result of security incidents
T 2.107 Uneconomic use of resources as a result of inadequate security management
T 2.108 Lack of, or inadequate, planning of the use of SAP
T 2.109 Lack of, or inadequate, planning of the storage system
T 2.110 Inadequate organisation of release changes and migration of databases
T 2.111 Exposure of login data relating to change of service providers
T 2.112 Inadequate planning of VoIP
T 2.113 Inadequate planning of network capacity for the use of VoIP
T 2.114 Inconsistent security settings for SMB, RPC, and LDAP under Windows Server
T 2.115 Inappropriate handling of standard security groups in Windows Server 2003 and higher
T 2.116 Data loss relating to copying or moving data in Windows Server 2003 or higher
T 2.117 Lack of, or inadequate, planning of the use of WLAN
T 2.118 Inadequate regulations for the use of WLAN
T 2.119 Inappropriate selection of WLAN authentication methods
T 2.120 Inappropriate siting of security-related IT systems
T 2.121 Inadequate monitoring of WLANs
T 2.122 Inappropriate use of all-in-one devices
T 2.123 Lack of, or inadequate, planning of the use of directory services
T 2.124 Lack of, or inadequate, planning of partitioning and replication in the directory service
T 2.125 Lack of, or inadequate, planning of access to the directory service
T 2.126 Inadequate logging of changes to an Active Directory
T 2.127 Inadequate planning of data backup methods for domain controllers
T 2.128 Lack of, or inadequate, planning of the use of VPNs
T 2.129 Lack of, or insufficient, rules for the use of VPNs
T 2.130 Inappropriate selection of VPN encryption methods
T 2.131 Inadequate monitoring of VPNs
T 2.132 Poor consideration of business processes in patch and change management
T 2.133 Poorly defined responsibilities for patch and change management
T 2.134 Insufficient resources for patch and change management
T 2.135 Poor communication in patch and change management
T 2.136 Lack of an overview of the information system
T 2.137 Poor and inadequate planning when distributing patches and changes
T 2.138 Poor recovery options for patch and change management
T 2.139 Poor consideration of mobile devices in patch and change management
T 2.140 Inadequate contingency planning concept for patch and change management
T 2.141 Undetected security incidents
T 2.142 Destruction of evidence while handling security incidents
T 2.143 Information losses relating to copying or moving data on Samba shares
T 2.144 Inadequate contingency planning for a Samba server
T 2.145 Inadequate backup of trivial database files under Samba
T 2.146 Loss of functionality of Vista clients due to not reactivating before SP1
T 2.147 Lack of centralisation with peer-to-peer
T 2.148 Poor planning of virtualisation
T 2.149 Insufficient storage capacity for virtual IT systems
T 2.150 Improper integration of guest tools in virtual IT systems
T 2.151 Lack of manufacturer support of applications regarding the use of virtual IT systems
T 2.152 Lack of, or inadequate, planning of the use of DNS
T 2.153 Improper protection of the transmission route in a terminal server environment
T 2.154 Improper applications for use on terminal servers
T 2.155 Lack of, or inadequate, planning of OpenLDAP
T 2.156 Compatibility problems when increasing the Active Directory function level
T 2.157 Poor selection or conception of web applications
T 2.158 Deficiencies in the development and extension of web applications
T 2.159 Inadequate protection of personal data in web applications
T 2.160 Lack of or insufficient logging
T 2.161 Loss of confidentiality and integrity regarding logged data
T 2.162 Lack of admissibility regarding the processing of personal data
T 2.163 Breach of limited use regarding the processing of personal data
T 2.164 Breach of the principle of necessity regarding the processing of personal data
T 2.166 Breach of confidentiality regarding the processing of personal data
T 2.167 Lack of or inadequate prior checking
T 2.168 Impairing the rights of persons concerned when processing personal data
T 2.171 Impairing specified control objectives regarding the processing of personal data
T 2.172 Lack of or inadequate protection regarding the processing of personal data abroad