T 3.3 Non-compliance with IT security measures
It is relatively common that, due to negligence and insufficient checks, people fail to implement, completely or in part, the security measures that have been recommended to them or that they are required to implement. This can cause damage which otherwise could have been prevented or at least minimised. Depending on the function of the person in question and the importance of the safeguard ignored, the resulting damage can even be very serious.
Security safeguards are frequently disregarded due to a lack of awareness of security issues. A typical indicator of such a lack of awareness is that recurring error messages are ignored once users have become accustomed to them.
Examples:
- Storing documents, DVDs, USB sticks, or other information media in a locked desk does not adequately protect them against unauthorised access when the key is kept in the same office, e.g. on top of a cabinet or under the keyboard.
- Although it is widely known that the purpose of data backups is to minimise potential damage, it is still common for damage to be caused by the unintended deletion of data that subsequently cannot be restored due to inadequate backups. This is shown in particular by the cases of damage caused by malicious software, for example, that are reported to the BSI.
- Entry to a computer centre is only supposed to be possible through a door protected by an access control system (e.g. authentication using a chip card reader, PIN, or biometric procedures). However, the emergency exit door, which is not equipped with security mechanisms, is used as an additional entrance and exit even though it is only supposed to be opened in an emergency.
- In a z/OS system, batch jobs were run on a daily basis to back up the RACF database. The responsible administrators were required to check daily that these procedures had executed correctly. However, since the backups ran for several months without any problems, no one checked the backup procedure any more. Only after the RACF databases of the production system malfunctioned and an attempt was made to restore them from the backups was it established that these batch jobs had not run for several days. The result was that no up-to-date backups were available and the changes made during the last few days had to be entered again by hand. In addition to the considerable amount of additional administrative work, this incident also introduced an uncertainty factor, since it was impossible to reconstruct all definitions with certainty.
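The RACF incident above failed because the daily check depended on a person remembering to look. The following is an added example, not part of the BSI text, of an automated freshness check over a job completion log: it flags a backup job whose last successful run is too old and lists every day in a window on which no successful run was recorded, so that jobs that silently stop running are noticed, not only jobs that fail. The log format, the job name RACFBKUP and all timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log, one line per completed backup job as a scheduler
# or SMF post-processor might emit it. The format is an assumption:
#   <job name> <completion time, ISO 8601> RC=<return code>
# No line exists for the days on which the job never ran at all.
SAMPLE_LOG = """\
JOBNAME ENDED RC
RACFBKUP 2023-03-01T02:10:00 RC=0000
RACFBKUP 2023-03-02T02:11:00 RC=0000
RACFBKUP 2023-03-03T02:09:00 RC=0012
RACFBKUP 2023-03-04T02:10:00 RC=0000
"""

def parse_job_log(text):
    """Return (job, completion datetime, return code) tuples; skip other lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("RC="):
            continue
        job, ts, rc = parts
        records.append((job, datetime.fromisoformat(ts), int(rc[3:])))
    return records

def check_backup_freshness(records, job, now, max_age_days=1, lookback_days=7):
    """Flag the job as stale when no successful run (RC=0) is younger than
    max_age_days, and list every calendar day in the lookback window without
    a successful run. A day with no log line at all counts as missed, which
    is exactly the silent failure a manual check tends to overlook."""
    successes = sorted(ts for j, ts, rc in records if j == job and rc == 0)
    last_ok = successes[-1] if successes else None
    stale = last_ok is None or now - last_ok > timedelta(days=max_age_days)
    ok_days = {ts.date() for ts in successes}
    window = [(now - timedelta(days=n)).date() for n in range(lookback_days - 1, -1, -1)]
    missed = [d.isoformat() for d in window if d not in ok_days]
    return {
        "last_success": last_ok.isoformat() if last_ok else None,
        "stale": stale,
        "missed_days": missed,
    }

def run_check(log_text, job, now_iso):
    """Convenience wrapper taking the log and the check time as strings."""
    return check_backup_freshness(parse_job_log(log_text), job,
                                  datetime.fromisoformat(now_iso))

if __name__ == "__main__":
    # Checked on 8 March: last success on 4 March, nothing since -> stale.
    print(run_check(SAMPLE_LOG, "RACFBKUP", "2023-03-08T06:00:00"))
```

The result of such a check belongs in a monitoring system that raises an alert when `stale` is true or `missed_days` is non-empty, rather than in a report that someone has to remember to read.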