T 2.135 Poor communication in patch and change management
The persons involved in patch and change management should communicate regularly within the framework of the change process in order to, amongst other things, coordinate the category and priority of a request for change and find a suitable time for distributing a change (rollout).
If the persons involved in patch and change management communicate poorly or if patch and change management is poorly accepted within the organisation, the consequences may be as follows:
- requests for change are processed in a delayed manner, or
- the decision as to whether a request for change is accepted is made incorrectly.
As a consequence, the level of security may be reduced and serious disturbances in IT operations may occur. In any case, poor communication makes the patch and change process inefficient, since the process then often consumes enormous amounts of time and resources.
An inefficient patch and change process has adverse effects on the organisation's ability to react and may, in extreme cases, result in the creation of security gaps or important business goals not being attained.
Example:
- In a company, the importance of patch and change management for the organisation, and the approach to it, were explained insufficiently to the departments involved, such as the implementing IT department and the commissioning specialised departments. Therefore, requests submitted to the specialised departments regarding pending changes were only processed slowly. Furthermore, the Head of IT assigned too little time and too few personnel resources for planning and implementing a patch or change. As a result of these shortcomings, the implementation of changes constantly caused errors, which in turn caused different security gaps.