Kritikalität einer Organisationseinheit feststellen/en: Unterschied zwischen den Versionen
Aus HITGuard User Guide
Weitere Optionen
Faha (Diskussion | Beiträge) Die Seite wurde neu angelegt: „Determine criticality of an organizational unit“ |
Faha (Diskussion | Beiträge) Keine Bearbeitungszusammenfassung |
||
| (33 dazwischenliegende Versionen von 2 Benutzern werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
The protection needs analysis reveals how critical an organizational unit actually is. Protection needs are defined as those IT risks that occur from the perspective of the IT service recipient and thus jeopardize the business and the implementation of the company's goals. | |||
To identify this, structured interviews are usually conducted with the business. | |||
To conduct a protection needs assessment, either an Expert or Professional must be able to conduct an interview with a functional area manager and collect data on the following questions: | |||
# | # What data do they process in your department? | ||
# | # How do you classify this data? | ||
# | # What business services (processes) do you need for daily business? | ||
# | # How do you classify these business services? | ||
# | # How long can you get along without the data in case of a system failure and how much data loss on a time axis back into the future would be tolerable? | ||
# | # What processing does your department go through? | ||
== | == Protection needs analysis == | ||
=== | === Question 1: What data do they process in your department? === | ||
The types of data used in the organizational unit must be determined. This could be, for example, accounting data, customer data or personnel data. Responsible persons must be identified and recorded for this data. Usually the responsible persons are found within the department or in a superior superior. Sometimes, however, it can happen that another department is named because data is processed for it. | |||
Data types can be used by different organizational units. The data classification of the data types should be uniform throughout the company (e.g. Secret, Internal or Confidential). Only one responsible person can be defined per data type. Hierarchies among the data are also feasible. For example, the umbrella term financial data can also be subdivided into cost accounting data, balance sheet data, accounting data, wage data, etc. The persons responsible for this data can be other persons. The persons responsible for these data can be other persons than the person responsible for the financial data. Because the latter has delegated the responsibility, for example. | |||
=== | === Question 2: How do you classify this data? === | ||
The classification aims at the protection goals of the data: | |||
* | * How do you classify this data in terms of its '''confidentiality'''? --> Data class and from this results the associated possible [[Special:MyLanguage/Risikopolitik#Schadensausma.C3.9Fe|Damage extent]]. Furthermore, you should record possible scenarios for a damage and provide additional concrete damage information (if possible) in EUR or also classify the damage if it is not of a purely monetary nature (e.g. image damage). | ||
* | * Capturing the sensitivity of the data during the interview is especially useful for personal data. | ||
* | * The retention period for the data can also be determined here. | ||
=== | === Question 3: What business services do you need for daily business operations? === | ||
* Business | * Business applications (ERP, DMS, financial accounting, etc.) | ||
* | * Clinical administrative applications (patient administration, therapy planning, patient documentation, etc.) | ||
* | * Medical systems with integration of medical devices | ||
* | * Communication systems (mail, intranet, internet, Skype, telephony, fax etc.) | ||
* | * Data storage services (file-share, collaboration platforms, cloud services, etc.) | ||
* | * and '''what data is related to these applications''' (created, edited, viewed, ...) | ||
=== | === Question 4: How do you classify these business services? === | ||
Here, the classification is done for the protection goals that target systems: | |||
* | * How do you classify a loss of integrity or authenticity? | ||
* | * How do you classify a loss of availability with respect to the application: | ||
:- | :- short term intraday availability loss during business hours? (2-4h) | ||
::: | ::: not workable | limited workable | ||
::: | ::: Risk class regarding risk impact (medium damage / worst case) | ||
:- | :- all day application availability loss during business hours? (8-24h) | ||
::: | ::: not workable | limited workable | ||
::: | ::: Risk class regarding risk impact (medium damage / worst case) | ||
:- | :- a longer-term loss of availability of the application during business hours? (>1 day; up to 2 days or more) | ||
::: | ::: not workable | limited workable | ||
::: | ::: Risk class in terms of risk impact (medium damage / worst case). | ||
* etc | * etc | ||
Here in particular, business services are used by different departments. It is therefore necessary to evaluate which department places which requirements on the respective service. The requirement of the department with the greatest risk potential for each protection goal is drawn for the service. IT operations must be aligned with this requirement. | |||
Services | Services that are used by very many or all departments (even if they are only slightly critical for the respective department) are then considered to be more important and are also aligned accordingly than if they are used, for example, by only one or by a very small number of departments and are thereby classified as very critical. Essential is thereby also the weighting of the activity of the department on the operational operating result if it concerns a supporting department like e.g. quality management or the production management. | ||
=== | === Question 5: How long can you go without the data, in the event of a system failure and how much data loss on a time axis back to the future would be tolerable? === | ||
Lastly, you should also determine RPO / RTO / response times for the applications: | |||
*'''Recovery Time Objective (RTO)''' - | *'''Recovery Time Objective (RTO)''' - How long can a business process/system be down? The RTO is the time taken from the time of damage to complete recovery of business processes (recovery of: Infrastructure - Data - Reprocessing of data - Resumption of activities) may elapse. The time period here can range from 0 minutes (systems must be available immediately), to several days (in individual cases weeks). | ||
*'''Recovery Point Objective (RPO)''' - | *'''Recovery Point Objective (RPO)''' - How much data loss can be accepted? The RPO is the time period that is allowed between two backups, i.e. how much data/transactions can be lost at most between the last backup and the system failure. If no data loss is acceptable, the RPO is 0 seconds. | ||
=== | === Question 6: What processing does your department go through? === | ||
* | * What data is processed in it (personal data)? | ||
* | * Which applications are used for it? | ||
* | * Which other departments participate in it? From which other departments do they depend for their work (deliver, receive, bidirectional)? | ||
== | == Results from the protection needs analysis == | ||
* | * Dependency between business - systems - data - processing activities. | ||
* | * Which data are processed in which applications | ||
* | * Which data is exchanged via which communication systems Which data is stored where | ||
* | * Ranking of data types according to protection goals and risk classification | ||
* | * Ranking of processing activities by protection objectives and risk ratings | ||
* | * Ranking of business IT services according to protection goals and risk classification | ||
* | * Ranking of Med. adm. Services according to protection objectives and risk classification | ||
* | * Ranking of Med. clin. Services according to protection goals and risk classification | ||
* | * Ranking of communication services according to protection goals and risk classification | ||
* | * Ranking of data repositories according to protection goals and risk classification | ||
* | * Key figures for backup and emergency planning | ||
This information can subsequently be helpful in order to: | |||
* | * Conduct risk analyses in a targeted manner depending on protection goals / risk classifications. | ||
* | * create guidelines | ||
* | * Create training programs | ||
* | * Emergency planning and business continuity management | ||
== | == Visualization of the protection needs analysis in the graph == | ||
A protection needs analysis has different statuses, just like other checks. Depending on the status, the protection needs analysis is displayed differently in the graph. | |||
* | * If the evaluation is "activated", thin lines with default value 0 of the dependency are displayed in the graph. | ||
* | * In case of evaluation "completed", the strokes are displayed according to the percentage rating of the damage extent class in the risk policy. | ||
Aktuelle Version vom 15. November 2021, 07:13 Uhr
The protection needs analysis reveals how critical an organizational unit actually is. Protection needs are defined as those IT risks that occur from the perspective of the IT service recipient and thus jeopardize the business and the implementation of the company's goals.
To identify this, structured interviews are usually conducted with the business.
To conduct a protection needs assessment, either an Expert or Professional must be able to conduct an interview with a functional area manager and collect data on the following questions:
- What data do they process in your department?
- How do you classify this data?
- What business services (processes) do you need for daily business?
- How do you classify these business services?
- How long can you get along without the data in case of a system failure and how much data loss on a time axis back into the future would be tolerable?
- What processing does your department go through?
Protection needs analysis
Question 1: What data do they process in your department?
The types of data used in the organizational unit must be determined. This could be, for example, accounting data, customer data or personnel data. Responsible persons must be identified and recorded for this data. Usually the responsible persons are found within the department or in a superior superior. Sometimes, however, it can happen that another department is named because data is processed for it.
Data types can be used by different organizational units. The data classification of the data types should be uniform throughout the company (e.g. Secret, Internal or Confidential). Only one responsible person can be defined per data type. Hierarchies among the data are also feasible. For example, the umbrella term financial data can also be subdivided into cost accounting data, balance sheet data, accounting data, wage data, etc. The persons responsible for this data can be other persons. The persons responsible for these data can be other persons than the person responsible for the financial data. Because the latter has delegated the responsibility, for example.
Question 2: How do you classify this data?
The classification aims at the protection goals of the data:
- How do you classify this data in terms of its confidentiality? --> Data class and from this results the associated possible Damage extent. Furthermore, you should record possible scenarios for a damage and provide additional concrete damage information (if possible) in EUR or also classify the damage if it is not of a purely monetary nature (e.g. image damage).
- Capturing the sensitivity of the data during the interview is especially useful for personal data.
- The retention period for the data can also be determined here.
Question 3: What business services do you need for daily business operations?
- Business applications (ERP, DMS, financial accounting, etc.)
- Clinical administrative applications (patient administration, therapy planning, patient documentation, etc.)
- Medical systems with integration of medical devices
- Communication systems (mail, intranet, internet, Skype, telephony, fax etc.)
- Data storage services (file-share, collaboration platforms, cloud services, etc.)
- and what data is related to these applications (created, edited, viewed, ...)
Question 4: How do you classify these business services?
Here, the classification is done for the protection goals that target systems:
- How do you classify a loss of integrity or authenticity?
- How do you classify a loss of availability with respect to the application:
- - short term intraday availability loss during business hours? (2-4h)
- not workable | limited workable
- Risk class regarding risk impact (medium damage / worst case)
- - all day application availability loss during business hours? (8-24h)
- not workable | limited workable
- Risk class regarding risk impact (medium damage / worst case)
- - a longer-term loss of availability of the application during business hours? (>1 day; up to 2 days or more)
- not workable | limited workable
- Risk class in terms of risk impact (medium damage / worst case).
- etc
Here in particular, business services are used by different departments. It is therefore necessary to evaluate which department places which requirements on the respective service. The requirement of the department with the greatest risk potential for each protection goal is drawn for the service. IT operations must be aligned with this requirement.
Services that are used by very many or all departments (even if they are only slightly critical for the respective department) are then considered to be more important and are also aligned accordingly than if they are used, for example, by only one or by a very small number of departments and are thereby classified as very critical. Essential is thereby also the weighting of the activity of the department on the operational operating result if it concerns a supporting department like e.g. quality management or the production management.
Question 5: How long can you go without the data, in the event of a system failure and how much data loss on a time axis back to the future would be tolerable?
Lastly, you should also determine RPO / RTO / response times for the applications:
- Recovery Time Objective (RTO) - How long can a business process/system be down? The RTO is the time taken from the time of damage to complete recovery of business processes (recovery of: Infrastructure - Data - Reprocessing of data - Resumption of activities) may elapse. The time period here can range from 0 minutes (systems must be available immediately), to several days (in individual cases weeks).
- Recovery Point Objective (RPO) - How much data loss can be accepted? The RPO is the time period that is allowed between two backups, i.e. how much data/transactions can be lost at most between the last backup and the system failure. If no data loss is acceptable, the RPO is 0 seconds.
Question 6: What processing does your department go through?
- What data is processed in it (personal data)?
- Which applications are used for it?
- Which other departments participate in it? From which other departments do they depend for their work (deliver, receive, bidirectional)?
Results from the protection needs analysis
- Dependency between business - systems - data - processing activities.
- Which data are processed in which applications
- Which data is exchanged via which communication systems Which data is stored where
- Ranking of data types according to protection goals and risk classification
- Ranking of processing activities by protection objectives and risk ratings
- Ranking of business IT services according to protection goals and risk classification
- Ranking of Med. adm. Services according to protection objectives and risk classification
- Ranking of Med. clin. Services according to protection goals and risk classification
- Ranking of communication services according to protection goals and risk classification
- Ranking of data repositories according to protection goals and risk classification
- Key figures for backup and emergency planning
This information can subsequently be helpful in order to:
- Conduct risk analyses in a targeted manner depending on protection goals / risk classifications.
- create guidelines
- Create training programs
- Emergency planning and business continuity management
Visualization of the protection needs analysis in the graph
A protection needs analysis has different statuses, just like other checks. Depending on the status, the protection needs analysis is displayed differently in the graph.
- If the evaluation is "activated", thin lines with default value 0 of the dependency are displayed in the graph.
- In case of evaluation "completed", the strokes are displayed according to the percentage rating of the damage extent class in the risk policy.