T 2.133 Poorly defined responsibilities for patch and change management
Clear responsibilities should also be defined within the framework of patch and change management. Where responsibilities are undefined or poorly defined, significant disadvantages may occur. For example, undefined responsibilities may result in severe security vulnerabilities not being closed promptly, because no one is willing to take responsibility for an emergency patch.
Poorly defined, overlapping, or unclear responsibilities in patch and change management slow down the classification of requests for change into categories and the assignment of priorities, and therefore delay the intended distribution of patches and changes (rollout). Conversely, the premature approval of a change or patch without testing and without considering all (technical) aspects may have severe repercussions for security.
In extreme cases, poorly defined responsibilities may adversely affect the entire organisation or large parts of it. Disruptions during operation affect availability; confidentiality and/or integrity are adversely affected if security-relevant patches are not distributed.
Examples:
- In a company, no contact persons are appointed in the specialised department for patch and change management. As a result, delays in prioritising requests for change occur again and again, and it is very difficult to assess the effects of a change on the business processes. When security vulnerabilities in a software product were made public, it was not possible to install time-critical emergency patches in time, and the unpatched vulnerabilities served as an entry point for a Trojan horse without this being noticed.
- In a government agency, an IT system was changed without any prior coordination with the specialised department. The department had no opportunity to prepare for the change or to consent to it. In addition, some IT systems of the users, which were necessary to perform important tasks, failed as a consequence of the installation.