IT Baseline Protection Manual T 3.3 Non-compliance with IT security measures
Due to negligence and insufficient checks, persons frequently fail to perform, in part or in full, recommended or prescribed IT security measures. This may cause damage which could otherwise have been prevented, or at least minimised. Depending on the position of the person concerned and on the importance of the disregarded measure, the damage can be severe.
IT security measures are frequently disregarded due to a lack of security awareness. A typical sign is that recurrent error messages are disregarded after a certain habituation period.
Examples:
Keeping floppy disks in a locked desk does not afford sufficient protection against unauthorised access if the key is kept in the office, e.g. on top of a cupboard or inside a card box.
Passwords which need to be kept secret are kept on a piece of paper near a terminal or a PC.
Although it is widely known that the purpose of data backups is to minimise potential damage, losses of data do occasionally occur when data is unexpectedly deleted and recovery is not possible due to a lack of backups. This is particularly illustrated by the damage reported to BSI, resulting from computer viruses, for instance.
Access to a computer centre should take place exclusively through a door secured by an entry control system (e.g. magnetic strip reader). However, the emergency exit door can be used as an additional entrance and exit, although it may only be opened in an emergency.