T 2.4 Insufficient monitoring of security safeguards
After introducing safeguards to help achieve information processing security (e.g. classification of information, data backup, access control, rules of conduct during emergencies), it is also necessary to ensure they are implemented consistently. If the security measures are not monitored, or monitoring is inadequate, then it is impossible to determine whether the security measures are being followed or are proving effective. This impedes the ability to react to the respective situation in a timely and appropriate manner.
In addition, there are some security measures whose effectiveness can only be seen when appropriate controls are implemented. These include, for example, logging functions, whose security value only becomes apparent when the logged data is analysed.
Examples:
- In order to prepare crimes, the lock cylinders in outside doors and gates are often replaced by unauthorised persons. Entrances that are rarely used or intended for use as emergency exits only are often just checked, within the framework of patrols, to ensure that they open freely in the direction of egress. The function of the lock cylinders is often left unchecked.
- In a government agency, some of the Unix servers are used for external data communications. Due to the primary importance of these IT systems, the security policy specifies that the integrity of all Unix servers must be checked weekly. Since no one checked on a regular basis whether these checks were actually performed, it only became apparent during the investigation of a security incident that the IT department was not performing the integrity checks. The reason given for not performing the checks was insufficient personnel in the department.
- In one company, the z/OS Security Auditor position was left unfilled. As a result, the RACF configuration settings stopped meeting the security requirements of the company over time. Only after a production failure did the company notice that some users had more rights than required for their jobs. One of these users accidentally stopped an application that was important to production.
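The Unix server example above describes a weekly integrity-check policy that lapsed unnoticed because nobody monitored the safeguard itself. As an added illustration (not part of the catalogue), the Python script below does that monitoring: it reads a constructed log of reported check runs, compares it against a constructed server inventory, and flags every server whose last successful check is missing, failed, or older than seven days. The log format, hostnames and dates are assumptions made for the example.

```python
"""Monitor compliance with a weekly integrity-check policy (constructed example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample log: one line per completed check run, as reported by each server.
# Assumed format: ISO-8601 UTC timestamp, hostname, result.
SAMPLE_LOG = """\
2024-05-01T02:00:00Z unix-ext-01 OK
2024-05-08T02:00:00Z unix-ext-01 OK
2024-05-01T02:05:00Z unix-ext-02 OK
2024-05-08T02:05:00Z unix-ext-02 FAILED
2024-04-20T02:10:00Z unix-ext-03 OK
"""

# Every server the policy covers; a host that never reports at all must still be flagged,
# otherwise a silently disabled check would look like "no news is good news".
INVENTORY = ["unix-ext-01", "unix-ext-02", "unix-ext-03", "unix-ext-04"]
MAX_AGE = timedelta(days=7)                       # the policy's weekly cadence
REFERENCE_NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # constructed audit date


def parse_log(text):
    """Return {host: (timestamp, result)} holding the most recent run per host."""
    latest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, host, result = line.split()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if host not in latest or ts > latest[host][0]:
            latest[host] = (ts, result)
    return latest


def audit(inventory, log_text, now, max_age=MAX_AGE):
    """Return {host: reason} for every inventory host that violates the weekly policy."""
    latest = parse_log(log_text)
    findings = {}
    for host in inventory:
        if host not in latest:
            findings[host] = "no integrity check ever reported"
            continue
        ts, result = latest[host]
        if result != "OK":
            findings[host] = f"last check on {ts:%Y-%m-%d} reported {result}"
        elif now - ts > max_age:
            findings[host] = f"last successful check on {ts:%Y-%m-%d} is older than {max_age.days} days"
    return findings


if __name__ == "__main__":
    for host, reason in sorted(audit(INVENTORY, SAMPLE_LOG, REFERENCE_NOW).items()):
        print(f"{host}: {reason}")
```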