What are the first implementation steps for a management system in HITGuard?

Note: Usually, you will take these first steps together with one of our consultants as part of your initial training when first implementing the tool in your organization.

HITGuard offers different ways of implementing a management system. Beside the creation of the necessary users, the following basic doings should always be done at the very beginning:

Initially, the basic configuration of HITGuard should be done, including the notification and design options. These can be found under Administration → Global settings, where many of these settings can be adjusted centrally. In part, it is possible to later adapt these settings for each individual management sytem. Aside from basic settings like the default tool language and how e-mails are sent from the tool to users, form settings such as the code generation should also be configured prior to starting work. This makes cooperation among multiple users easier.

In the beginning, you should model at least the part of the organization that is necessary for the start and first analyses. The organizational units, resources, processes, and data categories can be created manually or imported.

Further information: Organizational units | Resources | Processes | Data categories
Find more about the import of structure elements here.

Management systems are used in HITGuard to section the tool into different topic and task areas. They offer central functions, such as the management of analysis periods and the activation of organizational units within them.

The respective organizational units are offered for selection in measures or controls in each management system and analysis period for which they were activated.

Note: If further organizational units are created after the creation of a management system, whose parent organizational unit has not been assigned to any analysis period, these must be activated manually.

More on management systems and their administration can be found here.

The risk policy as a central tool of the risk management should be the first of the module-specific menu items to be configured. Settings made here can influence the configuration of management systems. As soon as HITGuard is actively used, it may therefore be complicated to make adjustments to some parts of the risk policy, as this might interfere with the daily operations of the users.

HITGuard is essentially operational with this set of basics taken care of. Further settings can be made at any time and the existing settings can be further adjusted. Additional elements can be created and the contained information expanded. However, basically, HITGuard can already be used at this point.

There is no prescribed way of how exactly one should work with HITGuard day-to-day. We still recommend the following approach as per the PDCA cycle:

Plan	Recording and modelling of company assets Analysis of the protection needs of critical assets Risk identification and definition of measures and controls
Do	Measures tracking and control execution
Check	Monitoring and review of implementation progress and compliance
Act	Improvement through revaluation with a higher degree of requirement (target score)