IT Baseline Protection Manual T 2.27 Lack of, or inadequate, documentation
Various forms of documentation may be considered: the product description, the administrator and user documentation required to use the product, and the system documentation.
If documentation relating to the IT components used is inadequate or lacking, this can have a significant impact both on the selection and decision-making processes regarding a product, and in terms of damage occurring during actual operation.
If the documentation is inadequate and a damaging event occurs, such as a hardware failure or a software malfunction, error diagnosis and rectification may be delayed considerably or rendered completely impractical.
The same applies to documentation of cable paths and wiring within the building infrastructure. If, due to inadequate documentation, the precise location of cables is not known, these cables could be damaged during construction work outside or within a building. This could entail prolonged downtime periods, resulting in an emergency situation or even life-threatening hazards, e.g. due to electric shock.
Examples:
If a program stores working data in temporary files and that process is not sufficiently documented, the temporary files may not be properly protected and confidential information may be exposed. If these files are not sufficiently protected against user access, or if sectors which are only used temporarily are not correctly deleted physically, information can become accessible to unauthorised persons.
When a new software product is installed, existing configurations are changed. Other programs which have run correctly hitherto are then incorrectly parameterised and crash. If the changes resulting from installation of the new software have been fully documented, the error can be located and fixed more quickly.
In a larger-sized agency, cabling for the IT facilities was carried out by an external firm. The scope of the services to be provided did not include the preparation of documentation. Since no maintenance agreement was concluded with that firm after completion of the work, the required documentation was not available to the agency. This resulted in considerable delays when the agency subsequently tried to expand the network.