T 2.134 Insufficient resources for patch and change management
Implementing and operating effective patch and change management requires appropriate personnel, time, and financial resources. If these resources are not provided, this may have manifold negative repercussions. Insufficient resources may result in the following, for example:
- the required roles are not staffed with suitable persons,
- the interfaces for certain information, e.g. corresponding contact persons in the specialised areas, are not created, or
- the required capacities for the infrastructure of the test and distribution environments are not provided.
Personnel, time, and financial shortcomings can often be compensated for during normal operations, but under serious time pressure, e.g. when emergency patches are installed, these shortcomings will become obvious.
Examples:
- A lack of personnel resources for patch and change management may result in the responsible employees being overstrained. The day-to-day work on planned patches and changes runs largely smoothly, but it is no longer possible to distribute current security patches either proactively or in a prompt, reactive manner. The organisation is therefore hardly able to react quickly to new basic threats to security.
- If there is not enough time to test a patch or a change, or if there is no or only limited access to a test environment analogous to the production system, inadequately tested patches and changes are distributed to a complex environment. As a consequence, stability issues or problems with the smooth interoperation of the operating systems, applications, and database management systems involved may occur.