T 2.136 A lack of an overview of the information system
Without an overview of the most important information, business processes, and IT structures requiring protection in an organisation, it is impossible to achieve comprehensive security management or properly functioning IT operations. The overview must contain not only the technical components, but also how they are networked, the corresponding building infrastructure, and the mutual dependencies among the various components.
Without detailed information on which IT systems and applications are used where in an organisation and which business processes and specialised tasks they support, it is also impossible to implement effective patch and change management. For this reason, an up-to-date and complete inventory of all service-related elements such as network components, servers, clients, and applications, as well as how they are interrelated, is needed at all times. The level of detail of the inventory is also very important. Too much detail makes the inventory confusing and increases the time and expense required to maintain it. In contrast, a superficial or incomplete inventory of the relevant elements can mean that the patch and change process misses relevant elements and does not supply them with updates. In this case, it is only a matter of time until the security objectives of the organisation are violated.
Examples:
- One company administered a large amount of information for patch and change management in a database. When a new version of the software for the administered IT systems needed to be installed, the first step performed by the change manager during the update was to compare the installed version number with the new version number. Due to a lack of personnel resources, though, no one updated the documentation of the software versions actually installed. As a result, outdated software versions containing serious security vulnerabilities were missed and not updated. These vulnerabilities could be exploited by an attacker to read confidential information.
- In another company, the software versions and licences were not administered properly. The company therefore never realised that the manufacturer of several important applications no longer provided security patches for the versions of the software used in the company. It was subsequently impossible to promptly close any security gaps discovered.
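The two failures above (version records nobody updates; versions that have silently fallen out of vendor support) can both be caught by reconciling the inventory database against what a scan of the systems actually reports. The following is an added illustration, not part of the catalogue; host names, versions, verification dates and the vendor support table are all constructed sample data.

```python
from datetime import date

# Constructed sample: what the change manager's database says is installed,
# and when each record was last checked against the real system.
DOCUMENTED = {
    "srv-web-01": {"app": "webserver", "version": "2.4.57", "last_verified": date(2024, 5, 15)},
    "srv-db-01":  {"app": "dbms",      "version": "14.2",   "last_verified": date(2024, 5, 1)},
    "cli-fin-07": {"app": "office",    "version": "2019",   "last_verified": date(2023, 12, 1)},
    "srv-old-09": {"app": "dbms",      "version": "12.4",   "last_verified": date(2024, 3, 3)},
}

# Constructed sample: what an automated scan of the systems actually reports.
SCAN_DATE = date(2024, 6, 1)  # constructed: the day the scan ran
OBSERVED = {
    "srv-web-01": {"app": "webserver", "version": "2.4.51"},
    "srv-db-01":  {"app": "dbms",      "version": "14.2"},
    "cli-fin-07": {"app": "office",    "version": "2019"},
    "srv-app-03": {"app": "appserver", "version": "9.0"},  # never entered in the database
}

# Constructed vendor support data: oldest version that still receives security patches.
MIN_SUPPORTED = {"webserver": "2.4.55", "dbms": "13.0", "office": "2021", "appserver": "9.0"}

def parse_version(v):
    """Dotted numeric version string to a comparable tuple: '2.4.51' -> (2, 4, 51)."""
    return tuple(int(part) for part in v.split("."))

def inventory_drift(documented, observed, today, max_age_days):
    """Where database and reality disagree: hosts the database does not know, recorded
    versions that differ from the installed one, records not re-verified within
    max_age_days, and recorded hosts the scan no longer sees."""
    findings = []
    for host, obs in observed.items():
        doc = documented.get(host)
        if doc is None:
            findings.append((host, "undocumented"))
        elif doc["version"] != obs["version"]:
            findings.append((host, "version-mismatch"))
        elif (today - doc["last_verified"]).days > max_age_days:
            findings.append((host, "unverified"))
    for host in documented.keys() - observed.keys():
        findings.append((host, "missing-from-scan"))
    return sorted(findings)

def unsupported_hosts(records, min_supported):
    """Hosts whose application version is older than the vendor's oldest supported one.
    Run this over the scan result, not only the database, or a stale record hides the gap."""
    return sorted(host for host, rec in records.items()
                  if parse_version(rec["version"]) < parse_version(min_supported[rec["app"]]))
```

Running `unsupported_hosts` over DOCUMENTED alone reports the web server as fine because the database still claims 2.4.57, while the same check over OBSERVED exposes the unpatched 2.4.51; `inventory_drift` is what reveals that the record itself is wrong.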