IT Baseline Protection Manual T 2.4 Insufficient monitoring of IT security measures
Once measures aimed at achieving IT security (e.g. data backups, access control, rules of conduct during emergencies) have been introduced, they must also be consistently applied. If the monitoring of IT security measures is absent or inadequate, neither misuse nor the effectiveness of the measures can be established, and it then becomes impossible to respond promptly and in a manner appropriate to the situation.
In addition, there are security measures which are only effective when appropriate controls are implemented. These include, for example, logging functions whose security characteristics only become apparent when the logged data is analysed.
Examples
The administration console for a computer system is connected to a console printer. All user inputs from the console are to be logged to the printer. It is only by analysing the printouts that any improper action by administrative staff can be detected. Unless such an analysis is carried out by an independent person, logging will be ineffective.
As a prelude to committing a criminal offence, cylinder locks in external doors and gates are replaced. Access routes which are seldom used or are only envisaged as emergency accesses are frequently checked only to ensure that they permit free exit. The cylinder lock is not tried out.
In a public agency some UNIX servers are used for external data communications. Due to the central importance of these IT systems the IT security concept specifies that UNIX servers are to be integrity checked on a weekly basis. It is only when investigating a security incident that it comes to light that the IT department has not been performing these integrity checks. The reason given was insufficient manpower resources in the department.
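The third example turns on two separate failures: the weekly integrity check of the UNIX servers was never run, and nobody noticed that it was not being run. The following Python script is an added illustration and not part of the Baseline Protection Manual; it shows a minimal file-integrity check (baseline hashes compared against a fresh run) together with the second, often forgotten control: a check that the integrity check itself has executed within its scheduled interval. The directory contents, the state-file name and the seven-day interval are constructed for the demonstration.

```python
"""Added example: a file-integrity check plus monitoring of whether that
check actually ran. Paths, file contents and the 7-day interval are
assumptions made for illustration, not values from the manual."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

CHECK_INTERVAL = timedelta(days=7)  # assumed weekly schedule, as in the example


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            digest = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            result[rel] = digest.hexdigest()
    return result


def compare(baseline, current):
    """Classify the differences between a stored baseline and a fresh run."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def record_run(state_path, now):
    """Persist the time of the last completed integrity check."""
    with open(state_path, "w") as f:
        json.dump({"last_run": now.isoformat()}, f)


def check_overdue(state_path, now, interval=CHECK_INTERVAL):
    """True when the integrity check has never run or has not run within
    `interval`. This is the monitoring of the measure itself: without it,
    a silently abandoned check looks exactly like a passing one."""
    if not os.path.exists(state_path):
        return True
    with open(state_path) as f:
        last = datetime.fromisoformat(json.load(f)["last_run"])
    return now - last > interval


def demo():
    """Constructed scenario: baseline a small tree, change it, then report
    both the integrity differences and whether the check is overdue."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "etc")
        os.makedirs(root)
        with open(os.path.join(root, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = hash_tree(root)

        state = os.path.join(tmp, "integrity_state.json")
        t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
        record_run(state, t0)  # the one and only time the check ran

        # Changes made after the baseline: one file edited, one removed, one new
        with open(os.path.join(root, "passwd"), "a") as f:
            f.write("# edited after baseline\n")
        os.remove(os.path.join(root, "hosts"))
        with open(os.path.join(root, "rc.local"), "w") as f:
            f.write("#!/bin/sh\n")

        diff = compare(baseline, hash_tree(root))
        overdue_after_8_days = check_overdue(state, t0 + timedelta(days=8))
        overdue_after_3_days = check_overdue(state, t0 + timedelta(days=3))
        return diff, overdue_after_8_days, overdue_after_3_days


if __name__ == "__main__":
    differences, late, on_time = demo()
    print("integrity differences:", differences)
    print("overdue after 8 days:", late, "| overdue after 3 days:", on_time)
```

The point of `check_overdue` is that the state file is written only by a completed run, so a scheduler that silently stopped, or a department that stopped performing the checks, shows up as an overdue measure rather than being discovered during the next incident investigation. In practice the overdue alert would be raised by a component independent of the team responsible for running the check, for the same reason that the console printouts in the first example must be reviewed by an independent person.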