
HITGuard Release Jänner 2021/en: Difference between revisions

From HITGuard User Guide
Sala (talk | contribs)
Page created: "left <br clear=all> In the graph, the requirements from the protection needs analyses are displayed on the edges between the or…"
Sala (talk | contribs)
Page created: "Instructions on how to perform data imports can be found here in our documentation."

(43 intermediate revisions by the same user are not shown)
Zeile 61: Zeile 61:
[[Datei:RN Jänner2021 8.png|left]]
[[Datei:RN Jänner2021 8.png|left]]
<br clear=all>
<br clear=all>
Die Ressourcen selbst zeigen in einer grauen Blase jeweils z.B. für die RTO-Erfüllung die „Netto Wiederherstellzeit“ mit einem „N“ der Ressource selbst sowie die „Brutto Wiederherstellzeit“ mit einem „B“ für die summierte Wiederherstellzeit der Ressourcenkette inkl. des jeweiligen Knotens.


Das abgebildete Beispiel zeigt die RTO-Erfüllung. Die Logik für die RPO-Erfüllung ist sehr ähnlich, mit dem Unterschied, dass die Backupzeiten für die gesamte Ressourcenkette nicht summiert werden, sondern hier im Bruttowert immer die höchste Wiederherstellungsdauer einer Ressource in der Kette dargestellt wird.
The resources themselves show in a gray bubble each e.g. for the RTO fulfillment the "Net recovery time" with an "N" of the resource itself as well as the "Gross recovery time" with a "B" for the summed recovery time of the resource chain incl. the respective node.  


Wenn zu einer Ressource noch keine Zeiten eingetragen wurden, dann wird ein gelbes Konfigurationssymbol für die Ressource eingeblendet.
The illustrated example shows the RTO fulfillment. The logic for RPO fulfillment is very similar, with the difference that the backup times for the entire resource chain are not summed up, but the highest recovery time of a resource in the chain is always shown here in the gross value.
 
If no times have been entered for a resource yet, a yellow configuration icon is displayed for the resource.


[[Datei:RN Jänner2021 9.png|left]]
[[Datei:RN Jänner2021 9.png|left]]
<br clear=all>
<br clear=all>
 
Wenn zu einer Ressource bewusst keine Zeiten erfasst werden sollen, dann wird ein graues Symbol wie das folgende angezeigt:
If no times are to be deliberately recorded for a resource, then a gray icon like the following is displayed:


[[Datei:RN Jänner2021 10.png|left]]
[[Datei:RN Jänner2021 10.png|left]]
<br clear=all>
<br clear=all>


=== Darstellung der zugeordneten Überprüfungen zum Audit auf eigenem Registerblatt ===
=== Representation of the assigned checks to the audit on its own tab sheet ===


Unter Risikomanagement > Auditverwaltung > Audit wurde die Strukturierung der einzelnen Registerblätter überarbeitet. Damit sie leichter auffindbar sind, wurden die zugeordneten Überprüfungen auf ein eigenes Registerblatt gelegt.
Under Risk Management > Audit Management > Audit, the structuring of the individual tab sheets has been revised. To make them easier to find, the assigned audits have been placed on their own tab sheet.


[[Datei:RN Jänner2021 11.png|left]]
[[Datei:RN Jänner2021 11.png|left]]
<br clear=all>
<br clear=all>
=== Visualisierung der Auditplanung im Auditprogramm ===


Unter Risikomanagement > Auditverwaltung > Auditprogramme können Sie ein Auditprogramm erstellen oder bearbeiten. Wenn Sie hier ein Auditprogramm öffnen findet sich ein neues Registerblatt, der „Terminkalender“, wieder:
=== Visualization of audit planning in the audit program ===
 
Under Risk Management > Audit Management > Audit Programs you can create or edit an audit program. If you open an audit program here, you will find a new tab sheet, the "Appointment calendar":


[[Datei:RN Jänner2021 12.png|left]]
[[Datei:RN Jänner2021 12.png|left]]
<br clear=all>
<br clear=all>
Diese Darstellung ermöglicht es die unterschiedlichen Audits im Auditprogramm gemeinsam in einem Kalender darzustellen.


=== Neue Strukturierung, Berichte und Optionen für Risikomanagement > Berichte ===
This representation allows the different audits in the audit program to be displayed together in one calendar.
 
=== New structuring, reports and options for risk management > Reports ===


==== Anpassung der Report Administration ====  
==== Report Administration Customization ====  


Die Komponente zur Administration von Berichten wurde überarbeitet bzw. erweitert. Es stehen nun mehr Berichte, -varianten und -optionen zur Verfügung und die Menüführung durch diese Auswahl wurde verbessert.
The report administration component has been revised/extended. More reports, variants and options are now available and the menu navigation through this selection has been improved.


==== Auditplan mit Management-Summary und Konformitätsbericht ====
==== Audit plan with management summary and compliance report ====


Die Berichtsoptionen unter Risikomanagement > Berichte > Auditverwaltung > Auditplan wurden erweitert und bieten nun eine Option „Konformitätsbericht zu Auditplan andrucken“. Damit können im Bericht zum jeweiligen Audit die einzelnen Details zum Auditergebnis aus den Überprüfungen ausgewertet werden.
The report options under Risk management > Reports > Audit management > Audit plan have been extended and now offer an option "Print compliance report for audit plan". This allows the individual audit result details from the reviews to be evaluated in the report for the respective audit.


==== Abweichungen zum Gefährdungslagen Bericht ====
==== Deviations from the Hazard Situation Report ====


Die Berichtsoptionen unter Risikomanagement > Berichte > Gefährdungslagen wurden erweitert und bieten nun eine Option „Abweichungen inkludieren“. Damit können im Bericht zur jeweiligen Gefährdungslage die einzelnen Abweichungen aus den Überprüfungen - sofern solche vorliegen - angedruckt werden.
The report options under Risk management > Reports > Hazard situations have been expanded and now offer an option "Include deviations". This allows the individual deviations from the checks - if any - to be printed in the report for the respective hazard situation.


==== Scope Einschränkungen in diversen Berichten berücksichtigen ====
==== Scope restrictions in various reports ====


In den folgenden Berichten wird die nun Auswertung auf den Geltungsbereich des Standards bzw. der Norm eingeschränkt:
In the following reports, the evaluation is now restricted to the scope of the standard or norm:
*Risikomanagement > Berichte > Konformität > Nach Standards und Normen
*Risk management > Reports > Conformity > By standards and norms.
*Risikomanagement > Berichte > Standards und Normen > Statement of Applicability
*Risk management > Reports > Standards and norms > Statement of applicability
*Risikomanagement > Berichte > Standards und Normen > Management Summary
*Risk management > Reports > Standards and norms > Management summary
Ist dies nicht gewünscht und soll der gesamte Standard bzw. die Norm betrachtet werden, dann ist die Option „Nicht anwendbare Kapitel in der Statistik aufnehmen“ zu aktivieren.
If this is not desired and the entire standard or norm is to be considered, then the option "Include non-applicable chapters in statistics" must be activated.


==== Berichtsoptionen der Standard und Normen Berichte wurden erweitert ====
==== Report options of the standard and norms reports have been extended ====


Die beiden Berichte unter Risikomanagement > Berichte > Standards und Normen wurden dahingehend erweitert, dass man nun konfigurieren kann ob die Statistiken (Donut-Diagramme) zu den Maßnahmen- und Kontrollerfüllungen angezeigt werden sollen oder nicht. Dazu wird die Option „Statistik andrucken“ verwendet.
The two reports under Risk Management > Reports > Standards and norms have been extended to the effect that it is now possible to configure whether the statistics (donut diagrams) for the measure and control fulfillments are to be displayed or not. The option "Print statistics" is used for this purpose.


Zusätzlich kann beim Bericht „Statement of Applicability“ nun auch konfiguriert werden, ob die Maßnahmen und Kontrollen im Detail angedruckt werden sollen. Wenn dies nicht gewünscht ist, so fallen die Berichtskapitel Maßnahmen und Kontrollen weg. Dazu wird die Option „Maßnahmen- und Kontrolldetails andrucken“ verwendet.
In addition, it is now possible to configure whether the measures and controls are to be printed in detail in the "Statement of Applicability" report. If this is not desired, the report chapters Measures and Controls will be omitted. For this purpose, the option "Print measure and control details" is used.


Hinweis: Option „Nur Kapitel auf unterster Ebene als Berechnungsbasis für die Statistik verwenden“ wurde für beide Berichte entfernt. Die Logik verhält sich nun immer so, als wäre die Option „Nur Kapitel auf unterster Ebene als Berechnungsbasis für die Statistik verwenden“ aktiv. Dies gilt auch für den Aufruf dieses Berichts unter Administration > Standards und Normen.
Note: Option "Use only lowest level chapters as calculation base for statistics" has been removed for both reports. The logic now always behaves as if the "Use only lowest level chapters as calculation base for statistics" option is active. This also applies to calling this report under Administration > Standards and Norms.


== Neues im Datenschutz ==
== News in data protection ==


=== Weitere Erfassungsmöglichkeiten für eingesetzte Betriebsmittel ===   
=== Further recording options for operating resources used ===   


Sollten Sie für eine Datenschutz-Folgeabschätzung keine entsprechende Strukturanalyse zu den eingesetzten Betriebsmitteln in HITGuard abgebildet haben oder diese textuell zusätzlich beschreiben wollen bzw. sollte Ihnen ein Dokument vorliegen, in dem die eingesetzten Betriebsmittel im Detail erläutert werden, dann können Sie diese Informationen in der DSFA in HITGuard nun auch erfassen.
If you have not mapped a corresponding structural analysis of the resources used in HITGuard for a data protection impact assessment, or if you want to describe them additionally in text, or if you have a document in which the resources used are explained in detail, you can now also record this information in the DSFA in HITGuard.


[[Datei:RN Jänner2021 13.png|left]]
[[Datei:RN Jänner2021 13.png|left]]
<br clear=all>
<br clear=all>


=== Neue Reports ===  
=== New reports ===  
 
The menu item Data Protection > Reports is new and offers a wide range of possible configurations of reports on processing activities, data protection impact assessments and categories of data subjects:


Der Menüpunkt Datenschutz > Berichte ist neu und bietet eine große Auswahl an möglichen Konfigurationen von Berichten zu Verarbeitungstätigkeiten, Datenschutz-Folgeabschätzungen und Betroffenenkategorien:
[[Datei:RN Jänner2021 14.png|left]]
[[Datei:RN Jänner2021 14.png|left]]
<br clear=all>
<br clear=all>


==== Mehrere Verarbeitungstätigkeiten in einem Report drucken ====
==== Print multiple processing activities in one report ====


Unter Datenschutz > Berichte > Verarbeitungsregister > Eigene Verarbeitungstätigkeit kann nun ein Bericht generiert werden der wahlweise eine oder mehrere oder alle eigenen Verarbeitungstätigkeiten enthält. Dafür werden die Verarbeitungstätigkeiten in der letztgültigen Version mit dem Status „Bearbeitung abgeschlossen“ angeboten.
Under Data Protection > Reports > Processing Register > Own Processing Activity, a report can now be generated that optionally contains one or more or all own processing activities. For this purpose, the processing activities are offered in the latest valid version with the status "Processing completed".


==== Verarbeitungstätigkeiten im Auftrag anderer in einem Report drucken ====
==== Print processing activities on behalf of others in a report ====


Unter Datenschutz > Berichte > Verarbeitungsregister > im Auftrag anderer kann nun ein Bericht generiert werden, der alle Verarbeitungstätigkeiten enthält, die entweder durch eine Organisationseinheit des eigenen Unternehmens oder für einen bestimmten externen Kunden erbracht werden. Dafür werden die Verarbeitungstätigkeiten in der letztgültigen Version mit dem Status „Bearbeitung abgeschlossen“ angeboten.
Under Data Protection > Reports > Processing Register > on behalf of others, a report can now be generated containing all processing activities performed either by an organizational unit of one's own company or for a specific external customer. For this purpose, the processing activities are offered in the latest valid version with the status "Processing completed".


==== Verarbeitungstätigkeiten externer Auftragsverarbeiter drucken ====
==== Print processing activities of external processors ====


Unter Datenschutz > Berichte > Verarbeitungsregister > externe Auftragsverarbeiter kann nun ein Bericht generiert werden, der alle Verarbeitungstätigkeiten enthält, die durch externe Auftragsverarbeiter für das Unternehmen erbracht werden. Dafür werden die Verarbeitungstätigkeiten in der letztgültigen Version mit dem Status „Bearbeitung abgeschlossen“ angeboten.
Under Data Protection > Reports > Processing Register > External Processors, a report can now be generated containing all processing activities performed for the company by external processors. For this purpose, the processing activities are offered in the latest valid version with the status "Processing completed".


== Neues zur Administration ==
== Administration news ==


=== Erfassung des Backup Intervalls sowie der Wiederherstellzeit für Ressourcen ===
=== Acquisition of the backup interval as well as the recovery time for resources ===


Für Ressourcen können nun Wiederherstellzeit und Backup Intervall als Information zum aktuellen Stand der IST-Analyse abgebildet werden.
For resources, recovery time and backup interval can now be mapped as information on the current status of the ACTUAL analysis.


Die Wiederherstellzeit wird in Stunden für diese Ressource (unabhängig von den Wiederherstellzeiten benötigter Systeme) erfasst. Dabei kann dokumentiert werden, ob die Wiederherstellzeit z.B. durch einen SLA gesichert ist. Dazu können Kommentare erfasst und Dokumente abgelegt werden.
The recovery time is recorded in hours for this resource (independent of the recovery times of required systems). It can be documented whether the recovery time is secured by an SLA, for example. Comments can be recorded and documents filed for this purpose.


Auch das Backup Intervall wird in Stunden erfasst. Es ist aber auch möglich für eine Ressource zu kennzeichnen, dann ein Backup dafür nicht relevant ist.
The backup interval is also recorded in hours. However, it is also possible to indicate for a resource that a backup is not relevant for it.


[[Datei:RN Jänner2021 15.png|left]]
[[Datei:RN Jänner2021 15.png|left]]
<br clear=all>
<br clear=all>


=== Konfiguration der proaktiven Fortschrittsmeldung ===
=== Configuration of proactive progress reporting ===


Das proaktive Melden eines Fortschritts durch den Practitioner (zusätzlich zum reaktiven Melden nach Aufforderung durch den Expert) kann über die globalen Einstellungen (Administration > Globale Einstellungen | Optionale Maßnahmeneigenschaften) ein- bzw. ausgeblendet werden.
Proactive reporting of progress by the Practitioner (in addition to reactive reporting when prompted by the Expert) can be turned on or off via the global settings (Administration > Global Settings | Optional Action Properties).


[[Datei:RN Jänner2021 16.png|left]]
[[Datei:RN Jänner2021 16.png|left]]
<br clear=all>
<br clear=all>
=== Erweiterung des Datenimports um Prozesse ===


Unter Administration > Datenimport findet sich die Verwaltung der Importkonfigurationen. Hier können Konfigurationen zu einzelnen Importformaten verwaltet, gepflegt und ausgeführt werden. Nun gibt es auch die Möglichkeit Prozesse zu importieren.
=== Extension of the data import with processes ===
 
The administration of import configurations can be found under Administration > Data Import. Here, configurations for individual import formats can be managed, maintained and executed. Now there is also the possibility to import processes.


[[Datei:RN Jänner2021 17.png|left]]
[[Datei:RN Jänner2021 17.png|left]]
<br clear=all>
<br clear=all>
Once an import configuration has been created, it can be run again and again with new import files. In doing so, fields are also updated if the record ID from the third-party system remains constant.
Eine einmal erstellte Importkonfiguration kann immer wieder mit neuen Importdateien ausgeführt werden. Dabei werden auch Felder aktualisiert, wenn die Datensatz-ID vom Fremdsystem konstant verbleibt.


Eine Anleitung zur Durchführung von Datenimports finden Sie hier in unserer Dokumentation.
Instructions on how to perform data imports can be found here in our documentation.
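
Review bot: "Überprüfungen" is translated three different ways on the new side: "checks" in the tab-sheet heading and the hazard situation paragraph, "audits" in the sentence "the assigned audits have been placed on their own tab sheet", and "reviews" in the audit plan paragraph. Under Audit Management the "audits" rendering reads as if audits themselves were moved onto a tab of the audit; use one term throughout (for example "checks") so that the heading and the body text agree.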

Latest revision as of 4 February 2021, 20:38

== Integration of the online help ==

The online help has been integrated into HITGuard. You will now find the last item "Help" right after "Administration" in the dark gray menu bar. Under Help > Online Help you can access the detailed user manual for HITGuard.


Under Help > First Steps you will also find an introduction to the navigation and interface of HITGuard. When the software is started for the first time, this appears automatically.


In addition, a step-by-step guide has been integrated into HITGuard. This will be successively expanded over the coming months. In the screens where this is already available, an "i" appears in the lower left corner of the software. A click on the "i" starts the step-by-step guide.


New under "My tasks"

Proactive reporting of an action progress

Previously, a Practitioner could only report progress on a measure when prompted to do so by the Expert/Professional. This reactive reporting is still possible. In addition, the practitioner (if configured to do so; see 5.2 Configuring proactive progress reporting) can now also proactively report the progress on a measure. To do this, the practitioner simply has to use the new "Report progress" button in the menu under My Tasks > Action Status and can then select the action for which he or she would like to report progress.


In the measure selection, the practitioner will find all open measures assigned to him/her as the responsible person or as the responsible team member or team leader.

When selecting a measure for which a requested progress note already exists for the Practitioner, it opens for processing. If no progress report has been requested yet, a new progress report is created. This must then be returned immediately. No report can be created for tasks for which a returned progress report currently exists that has not yet been accepted by the expert/professional. This task is listed in the selection, but cannot be selected and is marked with "answered".

Upload evidence for inspections by inspector

In the course of reviewing a control, the reviewer can now also upload evidence. This can be useful, for example, if a reviewer wants to comment on evidence and return the revised document to the implementer for re-editing.

What's new in risk management

Restriction of compliance evaluation on the dashboard

Experts/professionals can visually query compliance with various standards on the dashboard. This query has now been extended to include the option of restricting the display to the defined scope of the standard or norm.


Extensions of the structural analysis for the representation of RTO and RPO

Provided that you collect the protection targets RTO and RPO for your analyses and have activated the option "Display in graph" in the risk policy for this, a new feature is available to you.



Note that for the representation described below, you must also complete the collection of recovery time and backup interval (see 5.1 Collection of backup interval as well as recovery time for) on the resources.

If these requirements are met, you can visually evaluate whether the recorded requirements for Recovery Time Objective (RTO; max. reasonable recovery time) and Recovery Point Objective (RPO; max. reasonable data loss) are met by the actual recovery times or backup intervals of the systems.

In the structural analysis, the following selection appears in the analysis mode in the navigation area, which can be used to trigger an analysis for RTO or RPO fulfillment. To start the analysis, select one of the two options and click the "Apply" button:



In the graph, the requirements from the protection needs analyses are displayed on the edges between the organizational unit and the resource at the application level. If the RTO requirement is met by the underlying path (e.g., by its recovery times), the requirement is shown in green; otherwise it is shown in red.


Each resource shows a gray bubble containing, e.g. for RTO fulfillment, the "Net recovery time" of the resource itself, marked with an "N", and the "Gross recovery time", marked with a "B", which is the summed recovery time of the resource chain including the respective node.

The illustrated example shows RTO fulfillment. The logic for RPO fulfillment is very similar, except that the backup times for the entire resource chain are not summed; instead, the gross value always shows the highest recovery time of any resource in the chain.
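
The net/gross logic described above, as an added Python example (not HITGuard code): gross RTO is the sum of net recovery times down a resource chain, gross RPO is the highest value in the chain. The class and function names, the sample resources, the restriction to an unbranched chain, reading the RPO gross value as the highest backup interval, and the handling of missing or not-relevant values are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Iterator, Optional


@dataclass
class Resource:
    """One node of the structural analysis (hypothetical model, hours as on the page)."""
    name: str
    recovery_hours: Optional[float] = None         # net recovery time "N"; None = not entered
    backup_interval_hours: Optional[float] = None   # None = not entered
    backup_relevant: bool = True                    # False = backup flagged as not relevant
    requires: Optional["Resource"] = None           # next resource down the chain


def chain(resource: Resource) -> Iterator[Resource]:
    """Yield the resource and every resource it requires, top to bottom."""
    seen = set()
    node: Optional[Resource] = resource
    while node is not None:
        if id(node) in seen:
            raise ValueError(f"dependency cycle at {node.name}")
        seen.add(id(node))
        yield node
        node = node.requires


def gross_recovery_hours(resource: Resource) -> Optional[float]:
    """Gross value "B" for RTO: sum of net recovery times, including this node."""
    nets = [r.recovery_hours for r in chain(resource)]
    if any(n is None for n in nets):
        return None  # a time is missing somewhere in the chain
    return sum(nets)


def gross_backup_interval_hours(resource: Resource) -> Optional[float]:
    """Gross value for RPO: the highest backup interval in the chain, never the sum."""
    intervals = []
    for r in chain(resource):
        if not r.backup_relevant:
            continue  # assumption: not-relevant resources do not affect the maximum
        if r.backup_interval_hours is None:
            return None
        intervals.append(r.backup_interval_hours)
    return max(intervals, default=None)


def fulfillment(requirement_hours: float, gross_hours: Optional[float]) -> str:
    """Edge colour: green if the requirement is met, red if not."""
    if gross_hours is None:
        return "incomplete"  # assumption: no verdict while values are missing
    return "green" if gross_hours <= requirement_hours else "red"


# Constructed sample chain: application -> database server -> storage.
storage = Resource("storage", recovery_hours=6, backup_relevant=False)
database = Resource("database server", recovery_hours=4,
                    backup_interval_hours=12, requires=storage)
application = Resource("records application", recovery_hours=2,
                       backup_interval_hours=24, requires=database)
# Constructed resource without any times entered yet.
new_service = Resource("new service", requires=database)

if __name__ == "__main__":
    for res in (application, database, storage, new_service):
        print(f"{res.name}: N={res.recovery_hours} "
              f"B={gross_recovery_hours(res)} "
              f"RPO gross={gross_backup_interval_hours(res)}")
    # Constructed requirements: RTO 8 h and RPO 24 h for the application.
    print("RTO 8h :", fulfillment(8, gross_recovery_hours(application)))
    print("RPO 24h:", fulfillment(24, gross_backup_interval_hours(application)))
```

With the sample values, each net recovery time stays below an 8-hour RTO, yet the summed chain does not, which is the case the gross value is there to expose.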

If no times have been entered for a resource yet, a yellow configuration icon is displayed for the resource.


If no times are to be deliberately recorded for a resource, then a gray icon like the following is displayed:


Representation of the assigned checks to the audit on its own tab sheet

Under Risk Management > Audit Management > Audit, the structuring of the individual tab sheets has been revised. To make them easier to find, the assigned audits have been placed on their own tab sheet.


Visualization of audit planning in the audit program

Under Risk Management > Audit Management > Audit Programs you can create or edit an audit program. If you open an audit program here, you will find a new tab sheet, the "Appointment calendar":


This representation allows the different audits in the audit program to be displayed together in one calendar.

New structuring, reports and options for risk management > Reports

Report Administration Customization

The report administration component has been revised/extended. More reports, variants and options are now available and the menu navigation through this selection has been improved.

Audit plan with management summary and compliance report

The report options under Risk management > Reports > Audit management > Audit plan have been extended and now offer an option "Print compliance report for audit plan". This allows the individual audit result details from the reviews to be evaluated in the report for the respective audit.

Deviations from the Hazard Situation Report

The report options under Risk management > Reports > Hazard situations have been expanded and now offer an option "Include deviations". This allows the individual deviations from the checks - if any - to be printed in the report for the respective hazard situation.

Scope restrictions in various reports

In the following reports, the evaluation is now restricted to the scope of the standard or norm:

  • Risk management > Reports > Conformity > By standards and norms.
  • Risk management > Reports > Standards and norms > Statement of applicability
  • Risk management > Reports > Standards and norms > Management summary

If this is not desired and the entire standard or norm is to be considered, then the option "Include non-applicable chapters in statistics" must be activated.

Report options of the standard and norms reports have been extended

The two reports under Risk Management > Reports > Standards and norms have been extended to the effect that it is now possible to configure whether the statistics (donut diagrams) for the measure and control fulfillments are to be displayed or not. The option "Print statistics" is used for this purpose.

In addition, it is now possible to configure whether the measures and controls are to be printed in detail in the "Statement of Applicability" report. If this is not desired, the report chapters Measures and Controls will be omitted. For this purpose, the option "Print measure and control details" is used.

Note: Option "Use only lowest level chapters as calculation base for statistics" has been removed for both reports. The logic now always behaves as if the "Use only lowest level chapters as calculation base for statistics" option is active. This also applies to calling this report under Administration > Standards and Norms.

News in data protection

Further recording options for operating resources used

If you have not mapped a corresponding structural analysis of the resources used in HITGuard for a data protection impact assessment, or if you want to describe them additionally in text, or if you have a document in which the resources used are explained in detail, you can now also record this information in the DSFA in HITGuard.


New reports

The menu item Data Protection > Reports is new and offers a wide range of possible configurations of reports on processing activities, data protection impact assessments and categories of data subjects:


Under Data Protection > Reports > Processing Register > Own Processing Activity, a report can now be generated that optionally contains one or more or all own processing activities. For this purpose, the processing activities are offered in the latest valid version with the status "Processing completed".

Under Data Protection > Reports > Processing Register > on behalf of others, a report can now be generated containing all processing activities performed either by an organizational unit of one's own company or for a specific external customer. For this purpose, the processing activities are offered in the latest valid version with the status "Processing completed".

Under Data Protection > Reports > Processing Register > External Processors, a report can now be generated containing all processing activities performed for the company by external processors. For this purpose, the processing activities are offered in the latest valid version with the status "Processing completed".

Administration news

Acquisition of the backup interval as well as the recovery time for resources

For resources, recovery time and backup interval can now be mapped as information on the current status of the ACTUAL analysis.

The recovery time is recorded in hours for this resource (independent of the recovery times of required systems). It can be documented whether the recovery time is secured by an SLA, for example. Comments can be recorded and documents filed for this purpose.

The backup interval is also recorded in hours. However, it is also possible to indicate for a resource that a backup is not relevant for it.


Configuration of proactive progress reporting

Proactive reporting of progress by the Practitioner (in addition to reactive reporting when prompted by the Expert) can be turned on or off via the global settings (Administration > Global Settings | Optional Action Properties).


Extension of the data import with processes

The administration of import configurations can be found under Administration > Data Import. Here, configurations for individual import formats can be managed, maintained and executed. Now there is also the possibility to import processes.


Once an import configuration has been created, it can be run again and again with new import files. In doing so, fields are also updated if the record ID from the third-party system remains constant.

Instructions on how to perform data imports can be found here in our documentation.