If organisational procedures that are used directly or indirectly for information processing are
not designed properly, security problems may arise. Although each individual process step is
carried out correctly, damage is often caused because processes are incorrectly defined in their
entirety.
Another possible cause of security problems is dependencies on other processes which are
not obviously related to information processing themselves. These dependencies may be easily
overlooked during the planning phase and thus cause impairments during operations.
Moreover, there may be security problems when tasks, roles or responsibilities are not clearly
assigned. Amongst other things, this may result in procedures being delayed, security
safeguards neglected or rules disregarded.
There is also a risk if devices, products, procedures or other means are not used properly to
realise information processing. The selection of an unsuitable product, or vulnerabilities in,
for example, the application architecture or the network design, may lead to security
problems.
Examples:
• If maintenance or repair processes are not adjusted to the technical requirements, this
may result in unacceptable downtimes.
• An increased risk may arise from attacks on the organisation's own IT systems if
security-related requirements are not taken into account when purchasing information
technology.
• If the consumables required are not provided in a timely manner, the IT procedures
that depend on them may come to a standstill.
• Vulnerabilities may occur if unsuitable transmission protocols are selected when
planning an IT procedure.
Information technology and the entire environment of a public authority or company are
constantly changing. Such changes can include the addition or relocation of an employee, the
purchasing of new hardware or software, or a company supplying operating resources
declaring bankruptcy. Threats can result from not taking necessary organisational and
technical adjustments into consideration, or only doing so to an insufficient extent.
Examples:
• Due to changes made to the construction of a building, the existing escape routes were
changed. Since the employees were not adequately informed of the altered escape
routes, the building could not be evacuated in the required time.
• When transmitting an electronic document, no one checked if the document was sent
in a data format that could be read by the recipient.