T 2.27 Lack of or insufficient documentation

Different forms of documentation can be considered: the product description, the administrator and user documentation regarding the use of the product, and the system documentation.

If the documentation for the IT components used is inadequate or non-existent, this may have a significant impact on both the selection and decision-making processes regarding a product and in terms of the damage occurring during actual operations.

If the documentation is inadequate, error diagnosis and elimination may be delayed considerably or rendered completely impossible after a damage event as a result of the occurrence of a hardware failure or software malfunction.

This also applies to the documentation of cable paths and wiring within the building infrastructure. If the exact locations of some cables are not known because the documentation is inadequate, these cables could be damaged during construction work inside or outside the building. This may lead to long downtimes, resulting in an emergency situation or even life-threatening hazards, for example due to electric shock.

Examples:

• If a program stores working data in temporary files without sufficient documentation of that process, this may lead to a situation in which the temporary files are not properly protected and confidential information is exposed. As a result of a lack of access control to these files or if the areas only used temporarily are subject to improper physical deletion, information may become accessible to unauthorised persons.
• When a new software product is installed, existing configurations are changed. Other programs that have run correctly up to then are now configured incorrectly and could crash. If the changes resulting from the installation of new software were described in detail, the error could be located and eliminated quickly.

• In a large government office, the IT cabling was installed by an external company. The scope of the services to be provided did not include the production of documentation. Since no maintenance agreement was signed with the company after the cabling work was completed, the government agency did not have the necessary documentation available. This resulted in considerable delays whenever the government agency subsequently tried to expand the network (see also T 2.12 Insufficient documentation on cabling).
• In a z/OS installation, automatic batch jobs were started every evening to process application data. The batch jobs needed to be run in the correct order for proper processing of the data. When the automation failed one evening, the jobs had to be started manually. Due to a lack of documentation, the batch jobs were started in the wrong order. This caused abnormal terminations during the processing of the application data, resulting in production delays of several hours.
• Missing data sheets for (volatile) semiconductor memory such as SRAM (Static Random Access Memory) and DRAM (Dynamic Random Access Memory) may result in the incorrect deletion of data from such memory, and therefore in the disclosure of confidential information.
• A company wanted to take some USB sticks (non-volatile memory) out of service. However, the corresponding product descriptions could not be found anywhere. The USB sticks were then treated using the existing deletion tool instead. Unfortunately, it was impossible to take some special manufacturer-specific features into account, and therefore some of the data was not deleted properly and securely.