IT Baseline Protection Manual T 2.66 Lack of or Inadequate IT Security Management
The complexity of the IT systems used in many enterprises today and the trend towards networking these systems makes it imperative to proceed in an organised fashion with regard to planning, implementation and monitoring of the IT security process. Experience shows that it is not sufficient simply to arrange for safeguards to be implemented, as often the individuals concerned, especially the IT users, do not have the technical expertise and/or time that are needed to implement them properly. As a result, security measures frequently fail to be implemented at all so that it is impossible to attain a satisfactory level of security. Even if a satisfactory level of security is achieved, it must be continuously nurtured if it is to remain current.
Inadequate IT security management is often a symptom of a poor overall organisation of the IT security process and hence of IT operations as a whole. Examples of specific threats which result from inadequate IT security management include the following:
Lack of personal responsibility. If no IT Security Management Team has been set up in an organisation, or if no IT Security Officer has been appointed and personal responsibilities for implementing individual measures have not been clearly defined, then it is likely that many IT users will decline to take responsibility for IT security, maintaining that it is the responsibility of those above them in the organisational hierarchy. Consequently, safeguards, which at the outset nearly always require extra work on top of one's normal duties, remain unimplemented.
Inadequate support from management. Usually IT Security Officers are not members of an organisation's management team. If the latter does not unambiguously support the IT Security Officers in their work, this could make it difficult to effectively require that the necessary measures are implemented, including by IT users who are above them in the organisational hierarchy. In these circumstances, there is no guarantee that the IT security process will be fully implemented.
Inadequate strategic and conceptual requirements. In many organisations the job of drawing up an IT security concept is commissioned, but its content is known only to a few insiders, and its requirements are either deliberately or unconsciously ignored in those parts of the organisation where organisational effort would be required in order to implement them. To the extent that the IT security concept contains strategic objectives, these are often viewed simply as a collection of declarations of intent, and insufficient resources are made available to implement them. Frequently it is falsely assumed that in an automated environment security arises automatically. Sometimes spurts of activity are triggered in response to a damaging incident in the organisation or in other organisations with a similar structure, but at best only a subset of the issues are properly addressed.
Insufficient or misdirected investment. If the Management of an organisation is not kept informed of the security status of the IT systems and applications and of existing shortcomings through regular IT security reports which lay down clear priorities, it is probable that insufficient resources will be made available for the IT security process or that these will be applied in an inappropriate manner. In the latter case it is possible to have an excessively high level of security in one sub-area and serious deficiencies in another. Another common observation is that expensive technical security systems are incorrectly used, rendering them ineffective or even transforming them into security hazards.
Impracticability of safeguard concepts. To achieve a consistent level of IT security it is necessary that those in positions of responsibility within an organisation co-operate with each other. Inadequate strategic direction and unclear objectives sometimes result in different interpretations of the importance of IT security. As a result, the necessary co-operation may ultimately not be forthcoming because the "IT security" task is regarded as unnecessary or is given inadequate priority, and hence the implementability of the IT security measures cannot be taken for granted.
Failure to update the IT security process. New IT systems or new threats have a direct impact on the IT security position within an organisation. Without an effective review concept, the IT security level will fall over time. Thus, what was once really secure slowly gives way to a dangerous illusion of security because people are often not aware of the new threats.