Architecture is the design and structure of a system or a process, such as an IT system or a business process. Architecture documentation is the document that describes and explains the architecture, such as its components, functions, relationships, requirements, constraints, orstandards. Architecture documentation can help to understand, communicate, and improve the system or the process1.
An environment that lacks documentation of the architecture faces a great risk of unknown vulnerabilities, which are the weaknesses or flaws in the system or the process that could be exploited by threats or attackers, but are not identified or addressed by the organization. Unknown vulnerabilities can pose a serious risk to the organization, because they can:
Compromise the confidentiality, integrity, and availability of the system or the process, and the information or resources that it handles or supports
Cause financial, operational, reputational, or legal damages or losses to the organization, such as data breaches, fraud, errors, delays, or fines
Remain undetected or unresolved for a long time, and increase the exposure or impact of the risk over time
Require more resources or efforts to mitigate or recover from the risk, and reduce the efficiency or effectiveness of the risk management process23
Lack of documentation of the architecture can increase the risk of unknown vulnerabilities, because it can:
Prevent or hinder the identification and assessment of the vulnerabilities, and the evaluation and prioritization of the risks
Impede or delay the implementation and enforcement of the controls or safeguards to prevent or reduce the vulnerabilities, and the monitoring and reporting of the risk status and progress
Obstruct or limit the communication and coordination among the stakeholders, and the awareness and accountability of the risk owners and users
Restrict or hamper the review and improvement of the system or the process, and the learning and feedback of the risk management4
The other options are not the greatest risks associated with an environment that lacks documentation of the architecture, but rather some of the possible causes or consequences of it.Legacy technology systems are outdated or obsolete systems that are still in use by the organization, but are no longer supported or maintained by the vendors or developers. Legacy technology systems can be a cause of lack of documentation of the architecture, as they may have been developed or acquired without proper documentation, or the documentation may have been lost or discarded over time. Network isolation is the separation or segregation of a network or a system from other networks or systems, either physically or logically, to prevent or limit the access or communication between them. Network isolation can be a consequence of lack of documentation of the architecture, as it may result from the inability or difficulty to integrate or connect the system or the process with other systems or processes. Overlapping threats are threats that affect more than one system or process, or have similar or related sources or causes, such as natural disasters, cyberattacks, or human errors. Overlapping threats can be a consequence of lack of documentation of the architecture, as they may arise from the lack of understanding or coordination of the system or the process with other systems or processes. References =
Architecture Documentation - ISACA
Vulnerability - ISACA
The Risks of Not Having a Vulnerability Management Program
The Importance of Architecture Documentation - ISACA
[The Risk of Poor Document Control - ComplianceBridge]
[CRISC Review Manual, 7th Edition]
