T 2.60 Strategy for the network system and management system is not laid down or insufficient
If no cross-organisational management strategy is defined for network management and/or system management, poorly coordinated individual sub-domains, especially in medium-sized and large networks with several management domains, may cause severe problems due to misconfiguration, up to and including failure of the entire system at the network level.
For this reason, defining and enforcing a management strategy is absolutely necessary. The following are examples of problems caused by a missing or inadequate strategy for network and system management.
Missing requirements analysis before defining the management strategy
In order to define a network and/or system management strategy, a requirements analysis must be performed first. If the management requirements have not been determined (e.g. which network switching elements need to be managed? how dynamic is the software inventory to be managed?), requirements for the management strategy cannot be formulated. Since the management strategy also influences the choice of the software product to be procured, this may lead to wrong decisions being made.
For example, if a management product with too limited a range of functions is introduced, the gap in functionality may itself cause a security problem, since the missing function must be provided "manually". In larger systems, this easily results in misconfigurations.
Procurement of non-manageable components
If a computer cluster is administered with the help of a network and/or system management system, it must be ensured when procuring new components that they can be integrated into the management system concerned, so that they can be included in management. If this is not the case, the result is at least additional administrative effort, since the defined management strategy must also be enforced on the components that are not administered with the help of the management system. Moreover, since these components in particular are not included in the automated administrative procedures of the management system, misconfigurations may occur. This entails a security risk due to uncoordinated configurations.
Uncoordinated managing of adjacent areas (communities, domains)
If a computer network administered with the help of a management system has several administrative areas, each supported by a separate system manager, their responsibilities must be defined unambiguously by the management strategy. Otherwise, security problems may arise if individual components are managed in an uncoordinated manner.
On the one hand, if individual components such as network switching elements are erroneously administered by two administrative areas (which may happen if the same SNMP passwords (community strings) are used in both areas), the uncoordinated setting of configuration parameters may cause security gaps.
If, on the other hand, components (e.g. printers) are used jointly by two administrative areas and the trust relationship of one of the areas (e.g. Windows NT network sharing) was not configured properly, this may accidentally cause security problems, because unauthorised persons may also be granted access.
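As an added example (not part of the BSI catalogue text), the following Python script audits a device inventory for the uncoordinated-domain situation described above: devices that appear in more than one administrative area with the same SNMP community string, community strings that are valid in several areas, and vendor-default community strings that were never changed. The inventory, the device and domain names and the community strings are constructed for this illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory: one row per (device, administrative domain,
# SNMP community string) assignment. All names and strings are invented.
INVENTORY_CSV = """device,domain,community
sw-core-01,NetOps,public
sw-core-01,SysMgmt,public
sw-edge-07,NetOps,n3tops-ro
prn-floor2,NetOps,public
prn-floor2,SysMgmt,sysmgmt-ro
srv-db-02,SysMgmt,sysmgmt-ro
"""

# Vendor-default community strings that should never remain in use.
DEFAULT_COMMUNITIES = {"public", "private"}


def load_inventory(text):
    """Parse the CSV inventory into a list of {device, domain, community} dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows):
    """Return a list of (finding, subject, detail) tuples for the inventory."""
    domains_by_device = defaultdict(set)
    communities_by_device = defaultdict(set)
    domains_by_community = defaultdict(set)
    for r in rows:
        domains_by_device[r["device"]].add(r["domain"])
        communities_by_device[r["device"]].add(r["community"])
        domains_by_community[r["community"]].add(r["domain"])

    findings = []
    for device in sorted(domains_by_device):
        domains = domains_by_device[device]
        communities = communities_by_device[device]
        # Two domains configuring the same device through one shared community
        # string: neither side can tell who changed what (the case in the text).
        if len(domains) > 1 and len(communities) == 1:
            findings.append(("MULTI_DOMAIN_SAME_COMMUNITY", device,
                             f"domains {sorted(domains)} all use {next(iter(communities))!r}"))
        defaults = communities & DEFAULT_COMMUNITIES
        if defaults:
            findings.append(("DEFAULT_COMMUNITY", device,
                             f"default community string(s) {sorted(defaults)} in use"))
    for community in sorted(domains_by_community):
        domains = domains_by_community[community]
        # One community string valid in several domains removes the boundary
        # between them, even where each device is assigned to only one.
        if len(domains) > 1:
            findings.append(("COMMUNITY_SPANS_DOMAINS", community,
                             f"used by domains {sorted(domains)}"))
    return findings


def main():
    for kind, subject, detail in audit(load_inventory(INVENTORY_CSV)):
        print(f"{kind:28} {subject:12} {detail}")


if __name__ == "__main__":
    main()
```

Run against a real export of the management system's inventory, the script turns the strategy requirement "each component belongs to exactly one administrative area with its own credentials" into a check that can be repeated after every procurement or reorganisation; a device that appears under two areas with different community strings (prn-floor2 above) is reported only for the default string, because distinct credentials at least make the two areas' changes distinguishable.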
Non-integrated management software
When administering medium-sized and large systems, it may happen that, after the management system has been introduced, new components are to be integrated whose administration requires functions not supported by the management system in use. This applies in particular to application management. If management software that cannot be integrated into the management system in use (e.g. via a programming interface or so-called gateways) is then used to administer the new component, coordinated integration into the management system is not possible. The new component is therefore not subject to "automated" management, and "manual" administration becomes necessary. The defined management strategy must then be implemented on two systems, which may result in misconfigurations that could cause security gaps.