T 2.132 Poor consideration of business processes in patch and change management
In companies and government agencies, the information security processes, as well as the security safeguards, should be based on the business goals and the business processes of the organisation. Changes to IT systems performed within the framework of patch and change management may reduce the effectiveness of individual security safeguards and may therefore endanger the overall security. Inappropriate patches and changes may, amongst other things, impair the smooth course of the business processes or even cause the IT systems involved to fail completely. Even with the most comprehensive testing procedure, it cannot be ruled out that a patch or a change turns out to be faulty in particular configurations during later production operation.
If, in the course of the patch and change process, the effect, category, or priority of a submitted request for change (RfC) is assessed incorrectly with respect to the business processes, the intended level of security may be reduced. Such misjudgements are predominantly the result of poor coordination between the persons responsible for IT and the responsible specialised departments.
Installing changes and patches may close security gaps, but may also cause major damage. For example, a faulty patch may open a larger security gap or reduce the availability of an application and/or a business process.
Examples:
- In a financial management company, the prompt rollout of security patches without coordination with the specialised departments repeatedly limits the availability of a business-critical reporting application. As a consequence, an important reporting deadline set by the regulatory authority cannot be met and the company is fined.
- In a company, a new version of a trading application for communicating with external partners is developed and rolled out. Since the server-side component is now much more extensive and must communicate with more clients, the SSL encryption used previously is not implemented in the new version, and the partners are not notified of this. Since the partners are contractually required to use the software, the communication that is important for the business processes is no longer encrypted.