Erstellen einer Wissensdatenbank/en: Unterschied zwischen den Versionen

TogetherSecure creates and provides knowledge bases. Also, any user with the expert role in risk management is able to create a new knowledge base or modify an existing one. In other words, a a knowledge base can be created or changed by any expert.

This means, experts can add and hierarchically sort topics. Topics are then assigned review questions, either newly created or from an existing pool of questions. In the next step, threats, justification templates, measures, and/or controls can be created or assigned from existing ones. If, for example, a knowledge base already includes measures and controls (as is the case with BSI IT-Grundschutz), that means appropriate measures and controls have already been thought up for the offered threats. Users are encouraged, however, to evaluate their respective scenarios and create additional measures and/or controls for the treatment of the threats.

To create or edit a knowledge base, navigate to "Administration → Knowledge bases".

Here, all knowledge bases are listed, whether they have been published or not. Only published knowledge bases can be used for reviews. Published knowledge bases are marked with a green tick. If there are multiple versions of a knowledge base, one can be declared the default version (see: edit). It is then marked with a red heart.

Create:

• To create a new knowledge base, click the "Create new knowledge base" button. Then, enter the header information, create topics and their review questions, and finally assign measures, controls, justification templates, and threats.
  

Edit:

• To edit a KB, click on the desired KB. Published knowledge bases are read-only and can therefore no longer be modified. If a KB has been published, you need to create a superseding version or a user adaptation (of a vendor knowledge base). In the same interface, you can also set a KB as the default version if multiple versions of the KB exist.
  
• The superseding version is unpublished and can therefore be edited.

In the header data, briefly describe the purpose of the knowledge base. Depending on whether it is a self developed knowledge base or one for a norm, you need to set the type accordingly, set the effective date, and add the creator (e.g. name or company). Caution: only KBs of the types vendor or norm or standard can be exported.

Type vendor and norm or standard

To create KBs of the type vendor or norm or standard, you need to have a vendor license! These KBs are also the only ones that can be exported.

In self-developed knowledge bases, you can use the checkboxes to configure whether the short version of the copyright is to be displayed/printed in the review assistant and with the review question in a report.

This tab lists all topics contained in a knowledge base in hierarchical order. Topics serve the purpose of structuring a knowledge base. In the following subsection, we will discuss how they establish relationships between individual elements.

To create a new topic, click the plus button in the “Topics” tab. You can open an existing topic by double-clicking it. This will take you to the following screen:

Numbering and title: Here, set the numbering and the title. The numbering should help clarify the KB's structure, e.g. 1, 1.1, 1.2, etc. The title should be informative, so the user immediately knows what questions the topic covers. Note: The topics are automatically sorted alphabetically or in ascending numerical order, respectively. With a larger number of numbered topics, it is advisable to use a leading zero in order to have the sorting order match expectations (e.g., 01, 02, 03 ... 10, 11, etc.).

Description: Here, describe the purpose of the topic. This text field supports HTML formatting.

Supporting documents: Here, record references or links to documents that might be relevant for the preparation of auditing this topic. If the topic is used in a review by knowledge base, the supporting documents are shown in the review assistant. The supporting documents are also printed with the respective review object in audit and review reports.

Parent topic: If the topic is a subordinate one, the parent topic has to be set here so the KB is structured properly.

External ID: This is a unique ID of the data record in third party systems. It is required if data records are to be kept synchronous with a third party system.

Effective date: This should be the date of the latest revision.

Once you have created a topic, you can assign rview questions to it. To do this, select a topic and then scroll down. At the bottom of the page, HITGuard will display an overview of test questions linked to the selected topic. Use the link button to assign existing review questions to the topic, or use the plus button to create new review questions. Once you have assigned a check question, you can also assign measures, controls, and threats to it.

Um eine Prüffrage zu entlinken, können Sie den Button Rechts in der Liste verwenden. Damit wird die Prüffrage nicht gelöscht, sondern nur aus dem Thema entfernt. Sie ist immer noch im Reiter "Prüffragen" gelistet und kann mit Themen verknüpft werden.

By default, the test questions are sorted according to the Sort Order. This column is hidden by default. This is also the order in which they will appear in gap analyses. The arrows next to the plus button can be used to adjust the sort order of the test questions.

To organize review questions hierarchically, double-click the review question you want to make a sub-question and select the parent question (only a single level is supported, meaning sub-questions cannot have further sub-questions). You can then choose when the subordinate question should be displayed, depending on which answer is selected for the structure question. You can also control which answers are entered if the question is not displayed.

In reports, structural questions (i.e. parent questions) are displayed in italics, and their corresponding subordinate questions are listed below them. Structural questions are not taken into account in the evaluation of reports; that is, they are not included in the score.

You can assign additional elements (measures, controls, justification templates, and threats) by clicking on a review question. You will then be presented with additional overviews for the respective elements at the bottom of the screen. You can access these templates later if you want to create measures and controls immediately for those review questions that were answered negatively. Justification templates can be used to explain an answer. If threats are assigned, this audit question will be listed under those threats for analysis purposes.

Editing:

• The overview lists for assigning measures, controls, justification templates, and threats work exactly the same way as the form for assigning audit questions: You can create, link, unlink, and reorder items.
• We discuss the creation of individual elements on this page in the respective subsections below.
• If you double-click on an element, as shown in the screen above, the edit screen for that element opens, and you can edit its properties.

This tab shows a list of all review questions that exist in the KB. However, they do not show a hierarchy here, this is only displayed under the topics. This tab also lets you create new review questions.

To create a review question, click the "Create new question" button shown above. To edit or delete a question, double-click the desired question. Then the question can be edited or deleted (via the "trash can" icon). The behaviour of sub-questions can only be changed in the topics tab.

Properties:

• Numbering and title: The numbering should be logical and comprehensible, e.g. an abbreviation of the topic and a serial number (DSO_01.00). The title should be informative, so the user immediately knows what the question is about.

• Question: Pose a clearly formulated question here.

• Description: If necessary, further describe the question here. For example, you might describe the basic conditions that need to be fulfilled for a question to be answered positively.

• Hint for auditors: Information for auditors can be recorded here. This could, for instance, be links to documents the answers should be compared to, or a checklist with the exam steps. This information is only shown in gap analyses that have been opened either in "Risk management → Vulnerabilities" or from an audit. (It is not displayed if the analysis has been opened in the context of "My tasks".)

• Type of question: Choose whether it is a technical or a process question, or an information gathering. Technical questions are answered with Yes, No, or Partly and process questions with a maturity level from 0 to 5.

Note: Information gatherings in reviews are seen as answered if the comment was filled in and/or at least one file was uploaded as evidence.

• Answer types and unnecessary: This option allows you to limit the answer types for the question. This is only possible for technical questions. The option "unnecessary" dictates whether a question has to be answered or not. Note that setting a structural question as unnecessary will affect its sub-questions, as their behaviour in response to an unnecessary structural question can be configured. Information gatherings are not subject to evaluation, but can be marked as Unnecessary.

• Assigned protection targets and weightings (not for information gatherings):
  

Choose, which protection targets are affected if a question reveals a gap.
Example:

Review question about server room security

• Has the door been furnished with a security lock?

If this question is answered No, major risks concerning confidentiality, integrity, and availability can develop.

Protection target	weighting	explanation
Confidentiality	4	break-in and theft of a hard-drive
Availability	4	the burglar could destroy something
Integrity	3	the burglar could make changes to a system

• Norm mapping: If the question touches one or more norm chapters, this should be recorded here. This allows the creation of a compliance report for a norm.

• Effective date: The effective date should be the date of creation or that of the latest revision.

• Author's notes: Clicking "Add note" allows the author to record a note for themselves. They could, for example, add to-dos or links to external sources. This information is only visible for the editor of a KB. It has no effect on assessments and is of a purely editorial nature. It is also not exported or imported with a KB.

• External ID: With this ID a review question can be updated through an import. For this, the ID needs to match the ID of the review question in the import. This field should only be set manually if the review question originates in an external system but the questions were created manually before the import and are now to be kept up to date with imports.

This tab lists all measures in the KB. It also allows the creation of new measures.

To create a measure, click the "Create new measure" button shown above. To edit or delete a measure, double-click the desired measure. Then the measure can be edited or deleted (via the "trash can" icon).

Properties:

• Numbering and title: The numbering should be logical and comprehensible. The title should be informative, so the user immediately knows what the measure is about.

• Description: Describe the measure here, i.e. explain what needs to be done to implement the measure.

• Norm mapping: If the measure touches one or more norm chapters, this should be recorded here. This allows the creation of a compliance report for a norm.

• Effective date: The effective date should be the date of creation or that of the latest revision.

• External ID: With this ID a measure can be updated through an import. For this, the ID needs to match the ID of the measure in the import. This field should only be set manually if the measure originates in an external system but the measures were created manually before the import and are now to be kept up to date with imports.

This tab lists all controls in the KB. It also allows the creation of new controls.

To create a control, click the "Create new control" button shown above. To edit or delete a control, double-click the desired control. Then the control can be edited or deleted (via the "trash can" icon).

Properties:

• Numbering and title: The numbering should be logical and comprehensible. The title should be informative, so the user immediately knows what the control examines.

• Description: Describe the control here, i.e. explain what needs to be done to implement the control.

• Recurring control: An interval can be set here to repeat the control every X years/months/etc.

• Norm mapping: If the control touches one or more norm chapters, this should be recorded here. This allows the creation of a compliance report for a norm.

• Effective date: The effective date should be the date of creation or that of the latest revision.

• External ID: With this ID a control can be updated through an import. For this, the ID needs to match the ID of the control in the import. This field should only be set manually if the control originates in an external system but the controls were created manually before the import and are now to be kept up to date with imports.

This tab lists all justification templates in the KB. It also allows the creation of new justification templates.

To create a justification template, click the "Create new justification template" button shown above. To edit or delete a justification template, double-click the desired justification template. Then the justification template can be edited or deleted (via the "trash can" icon).

Properties:

• Numbering and title: The numbering should be logical and comprehensible. The title should be informative, so the user immediately knows what purpose the justification template serves.

• Description: You can enter a text here that can be used as template for a justification in a gap analysis.

• Effective date: The effective date should be the date of creation or that of the latest revision.

• External ID: With this ID a justification template can be updated through an import. For this, the ID needs to match the ID of the justification template in the import. This field should only be set manually if the justification template originates in an external system but the justification templates were created manually before the import and are now to be kept up to date with imports.

This tab lists all threats in the KB. It also allows the creation of new threats.

To create a threat, click the "Create new threat" button shown above. To edit or delete a threat, double-click the desired threat. Then the threat can be edited or deleted (via the "trash can" icon).

Properties:

• Numbering and title: The numbering should be logical and comprehensible. The title should be informative, so the user immediately knows what the threat is, e.g. missing or insufficient security when processing personal data.

• Description: Describe the threat here, i.e. explain what exactly it is that poses a threat.

• Assigned protection targets and weightings:
  

Choose, which protection targets are affected if a threat were to occur.
Example:

Threat: break-in

• A burglar could get into the server room and steal a hard-drive containing sensitive information.

If this happened, great damage concerning confidentiality, integrity, and availability could be done.

Protection target	weighting	explanation
Confidentiality	4	break-in and theft of a hard-drive
Availability	4	the burglar could destroy something
Integrity	3	the burglar could make changes to a system

• Norm mapping: If the threat touches one or more norm chapters, this should be recorded here. This allows the creation of a compliance report for a norm.

• Effective date: The effective date should be the date of creation or that of the latest revision.

• External ID: With this ID a threat can be updated through an import. For this, the ID needs to match the ID of the threat in the import. This field should only be set manually if the threat originates in an external system but the threats were created manually before the import and are now to be kept up to date with imports.