T 2.140 Inadequate contingency planning concept for patch and change management

The patch and change management contributes to the technical implementation of an organisation's information security. The IT systems used by this process must usually be considered to be critical for IT operations. For example, this includes the central servers for the distribution of patches and changes, the databases with the current configurations of the IT system as well as the backup servers for the creation of restore points. If the server distributing the patches and changes fails, for example, it might be possible that recently released critical updates can no longer be installed promptly.

In addition, the lack of data backups of the IT systems' current configurations can mean that it is no longer ensured in the event of an emergency that important IT components can be reset quickly to their original state.

Example:

• To support patch and change management, a company uses an application storing the restore points on a backup server at regular intervals. When a system was to be restored from a backup server in the event of an emergency, it turned out that the system had no longer been able to take backups for some time, as the hard disk no longer had sufficient free storage space, but no one had responded to the corresponding error messages of the system. Therefore, it was first only possible to carry out the restoration using an outdated software version, on which several other security patches had to be installed.