T 2.2 Insufficient knowledge of rules and procedures
The specification of rules alone does not ensure that they will be followed, nor does it ensure trouble-free operations. All employees, especially the office managers, must be familiar with the applicable rules. Damage resulting from a lack of knowledge of existing rules must not be excused simply by saying "I didn't know I was responsible for that" or "I didn't know what to do."
Examples:
- If the employees are not informed as to how to properly handle mobile data media and the emails they receive, there is a risk of malware spreading throughout the entire company or government agency. This could also result in confidential data accidentally getting into the hands of unauthorised persons.
- In a federal agency, differently coloured waste paper bins were used with one colour intended for the disposal of the documents to be destroyed. Most of the employees were not informed of this colour scheme.
- In a federal agency, there were numerous rules for performing data backups which were agreed to verbally over time between the IT Security Officer and the IT department. Upon enquiry, it turned out that the employees concerned knew nothing about the "agreements" and had no one to contact in case of questions. The rules regarding data backups were not documented either. As a result, many users made backups of the local data on their workstation computers even though continuous data backups were only supposed to be performed centrally on the servers.
- In a computer centre, a new rule was introduced stating that in the event of problems with the burglar detection or fire alarm systems, the gatehouse should also be manned at night. The security guard service was not informed of this new rule by the security officer responsible for this. As a result, the computer centre was insufficiently protected at night for several weeks.