IT Baseline Protection Manual
T 2.2 Insufficient knowledge of rules and procedures
Drawing up rules and procedures does not of itself guarantee the smooth flow of IT operations. Each individual in the organisation must be aware of the rules and procedures that apply to them. The damage which can result from inadequate knowledge of existing rules and procedures cannot be excused by saying, "I did not know that I was responsible for that," or "I didn't know what to do."
Examples
If employees are not informed of the procedure for handling incoming floppy disks and e-mails, there is a danger that a computer virus could be spread throughout the company/agency.
Within a federal agency differently coloured waste paper bins were introduced, with one colour intended for documents requiring disposal. Most employees were not aware of the significance of the waste paper bin colour.
In a federal agency there were a number of rules regarding the carrying out of data backups which had been verbally agreed over a period of time between the IT Security Officer and the IT Department. On enquiry it turned out that the IT users concerned knew nothing about these "agreements" and had no point of contact with whom to discuss them. The rules regarding data backups were not documented either. As a result, many users unnecessarily took local backups.
In a computer centre a new rule was introduced that in the event of problems with the intruder detection or fire alarm systems the porter's lodge would be manned by night as well. The security guard service, which organised its own rotas, was not informed of this new rule by the security officer. As a result, the computer centre was unprotected for several weeks.