T 2.1 Lack of, or insufficient, rules
The application of organisation-wide rules and specifications for information security objectives becomes more and more important as the scale of information processing and the protection requirements of the information processed increase.
The scope of the rules can be very wide, ranging from questions of areas of responsibility to the distribution of control functions. Examples of the consequences of insufficient or non-existent rules are described in the other threats presented in Threat Catalogue T2.
It is often the case that existing rules are not adapted after technical, organisational or personnel changes that have a significant impact on information security. Outdated rules can impede smooth IT operations. Problems also arise from rules that are formulated incomprehensibly or without any context, since such rules are easily misunderstood.
The following examples clearly illustrate how insufficient or non-existent rules can lead to damage:
- Poor resource management can seriously impair the scheduled flow of operations in a computer centre, for example simply because an order for printer paper was forgotten.
- Hand-held fire extinguishers need to be maintained regularly after purchase; if no rule assigns responsibility for this maintenance, they may not be ready for use when a fire actually breaks out.
- After a flood on one floor, water damage was also detected in the server room one floor below. Due to inadequate key management, the water damage in the server room could not be repaired immediately, because no one knew at the time where the key to the server room was. This resulted in significantly more water damage.