IT Baseline Protection Manual T 2.1 Lack of, or insufficient, rules

The importance of organisational rules and requirements for IT security objectives increases with both the scope of information processing and the protection requirements of the information to be processed.

Starting from the assignment of responsibilities through to the distribution of control functions, the spectrum of rules can be very broad. The consequences of a lack of or insufficient rules are illustrated in T 2.2 ff.

Existing rules are often not modified after technical, organisational or personnel changes that have a significant impact on IT security. Out-of-date rules can impede smooth IT operations. Problems can also arise when rules are written incomprehensibly or without the necessary contextual information, so that they are misunderstood.

The following examples illustrate the potentially harmful effects of shortcomings in this area:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
 

Last updated: July 2001