T 2.107 Uneconomic use of resources as a result of an inadequate security management
Information security is a prerequisite for ensuring the proper function of all business processes and procedures in an organisation. At the same time, though, achieving complete information security is practically impossible due to the variety of issues involved. For this reason, it is essential for the security management to set the right priorities and invest in those areas that bring the greatest benefits to the organisation. This is a decision that can only be made with the help of a security management process that applies to the entire organisation.
With the help of security management, the actual security requirements of the organisation are specified and the risks of not complying with these requirements are examined. The following must then be decided on the basis of these risks and requirements:
- whether resources will be invested in safeguards,
- whether reorganising or reassigning the corresponding tasks reduces the time and expense required for protection to a reasonable level, and
- whether the risks will be accepted.
These are fundamental considerations for the approach to follow in terms of information security and must be recorded in corresponding documentation. Accordingly, a lack of or inadequate security management can lead to the following errors:
- In many cases, an organisation will invest in expensive security solutions without providing the corresponding basic organisational regulations required. Authorities and responsibilities, when not clearly defined, can still lead to serious security incidents in spite of a high investment.
Practical example: In one company, an expensive firewall was purchased, but the administrators received only inadequate training on the product, and the corresponding responsibilities were not clearly defined. As a result, the firewall was neither secure nor properly configured to meet the security needs of the company. This led to security incidents because different administrators repeatedly enabled services, while certain functions of the product remained largely unused.
- In many cases, investments in information security are made in those areas of an organisation which have the corresponding resources available and in which the persons responsible for information security are especially aware of the issues involved. Other areas that are important for performing the specialised tasks and reaching the business goals are ignored due to a lack of resources or a lack of interest on the part of the persons responsible.
Practical example: To increase the availability of the accounting application, an expensive cluster system was purchased. However, due to a lack of financial resources for new systems, the applications needed by the Customer Service department were still run on an old server that could fail at any time. The availability of the customer service application is very important to the company, but this fact was not taken into account because no priorities had been specified for the allocation of financial resources.
- When investing in individual areas, it is necessary to consider the entire security concept.
Practical example: A department was provided with a new security solution. However, its power supply was poorly protected by an old UPS that had not been tested for a long time. As a result, there were still significant security gaps in the overall system.
- The overall level of protection can drop when emphasis is placed only on increasing the level of protection provided for individual basic values.
Practical example: Due to the use of a high-quality encryption routine when generating invoices, the speed of the workflows was significantly reduced. The selection process did not take into account that the availability of the systems is at least as important as their confidentiality.
- The inconsistent and uncoordinated use of IT products can result in high financial and personnel expenditures.
Practical example: In one large company, several different areas examine information security independently of one another. It turned out that two different areas had each purchased a corporate licence for a virus scanning program. In addition, it was discovered that different encryption products were used for the same purpose throughout the company. This led to problems in administration and to an increased susceptibility to error.