Reports for measures/en: Difference between versions

From HITGuard User Guide
Isan (talk | contribs), no edit summary
(22 intermediate revisions by 2 users not shown)


<span id="Berichte_für_Maßnahmen"></span>
HITGuard offers the possibility to generate reports for measures under "Measures → Reports".
==Measure reports==
[[Datei:B__Massnahmen.png|left|thumb|900px|Reports]]<br clear=all>
 
To create a report, first choose a type of report. Subsequently, choose which data to include in the report (e.g. risks or reviews). Most reports also have additional report options which allow further specification of the report's contents.

<b>Languages:</b><br>
Knowledge bases can be provided in several languages through the translations stored for the knowledge bases in use. For example, to generate a report with the English texts, the language must be changed using the flag icon at the top right of the screen, next to the logout button. This loads all report content in the desired language, provided that a translation in that language is available for the knowledge base.

<b>Download options:</b><br>
The reports are available for download as PDF or DOCX files. Click the pink button to generate and download a report, then choose whether the report should be downloaded as a PDF or DOCX.

Additionally, there is the option to generate and archive the reports including revision information. An archived report can then be viewed, generated anew, or downloaded again by an expert under "Administration → Report archive". More information about this can be found under [[Special:MyLanguage/Berichtsarchiv | "Administration → Report archive"]].

When generating reports with revision information in the archive, there is also the option to send the report by e-mail to various recipients right away. More information about this can be found in the report archive and under [[Special:MyLanguage/Berichtsarchiv | "Administration → Report archive"]].

<b>Remembering report options:</b><br>
Some report options are shared by several reports. For these, the selected options are remembered within the management system and per user, and are then also applied to the other reports that offer the same option. For example, if the option "Table of contents" is selected, it will already be selected when accessing any other report page that uses this option.

<b>Licenses:</b><br>
If no valid license for HITGuard is available, this will be displayed in the footer of the report! To change this, an expert or administrator has to request/upload a license under [[Special:MyLanguage/Lizenzierung | "Administration → Licensing"]].

The following reports are offered in the measures section of HITGuard:
 
=== Measure report for standard/norm ===
This report lists the linked measures for a selected standard/norm.
{| class="wikitable"
! colspan="2" | <b>Report options</b>
|-
!Selection of the analysis period
|This option determines which analysis period the report elements come from.
|-
!Table of contents
|This option determines whether a table of contents is included in the report.
|-
!Progress overview
|Includes the progress overview for each measure in the report.
|-
!Progress protocol
|Includes the progress protocol for each measure in the report.
|-
!Remarks
|Determines whether the measure remarks are included in the report.
|-
!Include not applicable chapters in the statistics
|Determines whether chapters marked as not applicable in the management system are considered in the report.
|-
!Appendix with explanations
|Adds an appendix with different explanatory texts.
|-
|}
 
[[Datei:Berichte Maßnahmenbericht zu Standard.png|left|thumb|900px|Create measure report for standard/norm]]<br clear=all>
 
===Measure report===
This report shows details for one or more selected measures.

Example measure report: [[Media:Maßnahmenbericht.pdf | Measures with progress overview and protocol (DE)]]
{| class="wikitable"
! colspan="2" | <b>Report options</b>
|-
!Selection of the analysis period
|This option determines which analysis period the report elements come from.
|-
!Table of contents
|This option determines whether a table of contents is included in the report.
|-
!Progress overview
|Includes the progress overview for each measure in the report.
|-
!Progress protocol
|Includes the progress protocol for each measure in the report.
|-
!Remarks
|Determines whether the measure remarks are included in the report.
|-
!List attachments/evidences
|Prints the file names of attachments/evidences in the report.
|-
!Attachments/evidences as zip-file
|The report is downloaded in a zip-folder along with any attachments/evidences.
|-
!Appendix with explanations
|Adds an appendix with different explanatory texts.
|-
|}
[[Datei:Berichtseite_Maßnahmen.png|left|thumb|901px|Create measure report]]<br clear=all>
 
===Progress report===
On this page you can create, view, and download reports for measures within a specific analysis period for selected organizational units.

The reports offer an evaluation of the measures and of the project progress. The evaluation of the measures deals with their criticality and recommends an implementation timeframe on that basis. The evaluation of the project progress shows, using traffic light colors, the progress of individual measures and of the project as a whole. Completed measures are displayed as crossed out text in this report, suspended ones in italics.

Reports already created are listed on the left. Clicking such an entry shows the report's revision information, and the report can be generated anew if any modification is necessary. Clicking the blue name in the list opens an online preview of the report. If the name is black, the report was prepared but not yet generated. Clicking the download symbol downloads a generated report.
 
[[Datei:Maßnahmen Berichte.png|left|thumb|900px|Measure reports]]<br clear=all>
 
In the tab Data selection, you can configure which organizational units are to be included in the report. The list "Included OUs" shows all organizational units that are currently considered for the report. The list "Current OUs" shows all organizational units that are available in the current analysis period of the active management system. Current OUs that are not yet selected can be added to the included OUs via drag & drop.
 
[[Datei:Maßnahmen Berichte Datenselektion.png|left|thumb|900px|Data selection]]<br clear=all>
 
==== Evaluation systematics ====
The following evaluation systematics are applied in the detail report for measures and also added to the report as an appendix.
 
<u><b>Evaluation of the measures</b></u><br>
Every measure is evaluated as to its criticality. How critical a measure is depends on the potential damage of the recognized vulnerability and the probability of occurrence of the event. The criticality of the measure determines the urgency of that vulnerability's correction.

<b>Measure criticality</b><br>
The criticality of a measure depends on the affected IT system and the data related to it. This can be ascertained by means of the business impact analysis and the risk analyses carried out. If there is no such analysis for the affected service, the following consideration is to be made:
# If the measure affects IT core services (such as, e.g., the network, the firewall, e-mail services or even physical security such as access to the server room), then the criticality level HIGH is to always be assumed.
# For all IT services not covered by point 1), the following deliberation is to be made:
#* The threat potential is LOW, if
#** monetary damages of up to EUR 300K for the company are possible,
#** an image loss of partially external ramification could occur,
#** the physical integrity of persons cannot be guaranteed, even if the occurrence is unlikely.
#* The threat potential is MEDIUM, if
#** monetary damages from over EUR 300K to up to EUR 5 million for the company are possible,
#** an image loss with customers and partners could occur, that would have to be compensated with mid-term measures,
#** the physical integrity of persons cannot be guaranteed, and the occurrence is not unlikely.
#* The threat potential is HIGH, if
#** monetary damages of over EUR 5 million for a company are possible,
#** negative media coverage cannot be ruled out (with unavoidable mid- to long-term consequences),
#** there is definitely danger to the life and limb of persons.
# If no associated risk analysis is available, the probability of occurrence of the threat must also be considered. If the probability of occurrence is estimated to be very unlikely (or the event would have to be triggered by a chain of events), or compensating measures for the reduction of the risk have already been taken, then the risk level can be reduced. If a vulnerability can be exploited externally, the risk level may not be reduced.
 
<b>Recommended implementation timeframe</b><br>
The criticality of the measure determines the proposed start date for its implementation.
# HIGH: immediately after conveying the audit findings
# MEDIUM: 1 to at most 2 months after conveying the audit findings
# LOW: 2 to at most 4 months after conveying the audit findings
 
<b>KO measures</b> always count as HIGH: they must be implemented immediately because their vulnerabilities are linked to a very high attack potential.

Of course, the same effort cannot be assumed for the implementation of every measure. Projects are therefore classified as follows, depending on their planned duration and the estimated project days (PD):
# SMALL: <1 month duration; <= 2 PD effort
# MEDIUM: <3 months duration; <= 10 PD effort
# LARGE: >3 months duration; > 10 PD effort

Therefore, only a recommended timeframe is given here.

Considering the factors criticality and effort, the following maximum recommended implementation timeframe is given:
{| class="wikitable"
|-
!
!colspan="3" | Effort
|-
! Criticality  !! LARGE  !! MEDIUM  !! SMALL 
|-
| LOW  || 4 months + project effort || 7 months || 5 months
|-
| MEDIUM  || 2 months + project effort || 5 months || 3 months
|-
| HIGH  || project effort  || 3 months || 1 month
|}
 
In projects with a large effort, it should be ensured that short-term risk-reducing measures are implemented at the start of the project in any case. The duration of any subsequent long-term solution is then to be planned considering the economic factors of the project and the economic situation of the company as a whole.
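The criticality, effort and timeframe rules above as a worked example (added here as an illustration; this is not HITGuard's own implementation). The thresholds and the table are the page's; the field encoding of the Measure record, the one-step reduction under point 3 and the boundary handling of the effort classes are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Effort(Enum):
    SMALL = "SMALL"
    MEDIUM = "MEDIUM"
    LARGE = "LARGE"


@dataclass
class Measure:
    """Inputs to the evaluation. The field encoding is an assumption of this example.
    image_loss: 0 none, 1 partially external, 2 customers/partners, 3 media coverage."""
    core_service: bool = False         # point 1: network, firewall, e-mail, server room ...
    ko_measure: bool = False           # KO measures always count as HIGH
    max_damage_eur: float = 0.0        # possible monetary damage for the company
    image_loss: int = 0
    injury_possible: bool = False      # physical integrity cannot be guaranteed
    injury_not_unlikely: bool = False  # ... and the occurrence is not unlikely
    life_danger: bool = False          # definite danger to life and limb
    very_unlikely: bool = False        # very unlikely or only via a chain of events
    compensating_controls: bool = False
    externally_exploitable: bool = False
    duration_months: float = 0.0       # planned project duration
    effort_pd: float = 0.0             # estimated project days (PD)


def threat_potential(m: Measure) -> Level:
    """Point 2: the highest damage dimension that applies decides the level."""
    if m.max_damage_eur > 5_000_000 or m.image_loss >= 3 or m.life_danger:
        return Level.HIGH
    if m.max_damage_eur > 300_000 or m.image_loss == 2 or (
        m.injury_possible and m.injury_not_unlikely
    ):
        return Level.MEDIUM
    return Level.LOW


def criticality(m: Measure) -> Level:
    """Points 1 and 3 plus the KO rule. Assumption: a reduction under point 3
    lowers the level by exactly one step (the page only says 'can be reduced')."""
    if m.ko_measure or m.core_service:
        return Level.HIGH
    level = threat_potential(m)
    # Externally exploitable vulnerabilities are never downgraded.
    if (m.very_unlikely or m.compensating_controls) and not m.externally_exploitable:
        level = Level(max(level.value - 1, Level.LOW.value))
    return level


def effort_class(m: Measure) -> Effort:
    """SMALL/MEDIUM/LARGE from planned duration and PD. Assumption: both limits
    of a class must hold, and whatever is not SMALL or MEDIUM counts as LARGE."""
    if m.duration_months < 1 and m.effort_pd <= 2:
        return Effort.SMALL
    if m.duration_months < 3 and m.effort_pd <= 10:
        return Effort.MEDIUM
    return Effort.LARGE


# The page's maximum-timeframe table: (base months, add the project duration?).
TIMEFRAME = {
    (Level.LOW, Effort.LARGE): (4, True),
    (Level.LOW, Effort.MEDIUM): (7, False),
    (Level.LOW, Effort.SMALL): (5, False),
    (Level.MEDIUM, Effort.LARGE): (2, True),
    (Level.MEDIUM, Effort.MEDIUM): (5, False),
    (Level.MEDIUM, Effort.SMALL): (3, False),
    (Level.HIGH, Effort.LARGE): (0, True),
    (Level.HIGH, Effort.MEDIUM): (3, False),
    (Level.HIGH, Effort.SMALL): (1, False),
}


def max_timeframe_months(m: Measure) -> float:
    """Months after the audit findings within which implementation should be
    done. "project effort" in the table is read as the planned project duration."""
    base, add_project = TIMEFRAME[(criticality(m), effort_class(m))]
    return base + (m.duration_months if add_project else 0.0)


if __name__ == "__main__":
    # Constructed sample: non-core service, EUR 1M damage, unlikely to occur
    # but reachable from outside, planned as a 6-month / 40 PD project.
    sample = Measure(max_damage_eur=1_000_000, very_unlikely=True,
                     externally_exploitable=True, duration_months=6, effort_pd=40)
    print(criticality(sample).name, effort_class(sample).name,
          max_timeframe_months(sample))
```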
<u><b>Evaluation of the project progress</b></u>

<b>Evaluation of the progress of individual measures</b><br>
So long as a task is within its defined period, the traffic light showing the project progress is green. When a measure is counted as overdue for the first time, the light becomes yellow. If the task is still not finished in the next reporting period, the light turns red and stays red until the measure is implemented or a follow-up audit resets the evaluation of the project progress. New implementation dates can be agreed in this audit. The "Recognized at" date, however, always shows when a measure was first opened.

<b>Evaluation of the progress in the project as a whole</b><br>
The progress of the project as a whole is also evaluated via traffic light colors.
* NONE
** If 0 findings have been reported as finished in the current reporting period.<br>CAUTION: If “None” is written in red instead of black, this means that there is an impending delay regarding the implementation of findings. Otherwise, it can also mean that measures are being worked on at the moment, but due to their high-effort nature they simply take longer.
* LOW
** If less than or exactly 10% of findings have been reported as completed in the current reporting period and/or
** more than 33% of findings are overdue.
* MEDIUM
** If more than 10% but less than or exactly 20% of findings have been reported as completed in the current reporting period and/or
** more than 20% but less than 33% of findings are overdue.
* HIGH
** If more than 20% of findings have been reported as completed in the current reporting period and/or
** no more than 20% of findings are overdue.

<u>Completed/Suspended measures</u><br>
A crossed out line is a task that is finished in the current analysis period and will not show up in the next report. A line in italics is a task suspended with justification.
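The traffic-light rules for individual measures and for the project as a whole, worked through on a constructed set of findings (added illustration, not HITGuard code). The percentages are the page's; excluding suspended findings from the percentages, taking the worse of the two "and/or" criteria, and counting exactly 33% overdue as MEDIUM are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    completed_this_period: bool = False  # reported as finished in the current reporting period
    completed: bool = False              # finished at all (crossed out in the report)
    suspended: bool = False              # suspended with justification (italics)
    overdue_periods: int = 0             # reporting periods in which it has counted as overdue


def measure_light(f: Finding) -> str:
    """Traffic light of one measure: green inside its period, yellow when it is
    counted as overdue for the first time, red from the next period on until it
    is implemented (a follow-up audit would reset overdue_periods)."""
    if f.completed or f.overdue_periods == 0:
        return "green"
    return "yellow" if f.overdue_periods == 1 else "red"


RATING_ORDER = ["LOW", "MEDIUM", "HIGH"]


def project_rating(findings: list[Finding]) -> str:
    """Overall rating NONE/LOW/MEDIUM/HIGH from the page's percentages.
    Assumptions: suspended findings are excluded from the percentages; because
    the page joins the completion and overdue criteria with "and/or", the worse
    of the two ratings is taken; exactly 33% overdue counts as MEDIUM."""
    active = [f for f in findings if not f.suspended]
    if not active:
        return "NONE"
    total = len(active)
    completed_pct = 100.0 * sum(f.completed_this_period for f in active) / total
    overdue_pct = 100.0 * sum(
        not f.completed and f.overdue_periods > 0 for f in active) / total
    if completed_pct == 0:
        return "NONE"  # shown in red on the report when a delay is impending
    by_completion = ("LOW" if completed_pct <= 10
                     else "MEDIUM" if completed_pct <= 20 else "HIGH")
    by_overdue = ("LOW" if overdue_pct > 33
                  else "MEDIUM" if overdue_pct > 20 else "HIGH")
    return min(by_completion, by_overdue, key=RATING_ORDER.index)


def report_line(f: Finding) -> str:
    """Wikitext-style rendering as in the report: completed crossed out,
    suspended in italics, open measures with their traffic light."""
    if f.completed:
        return f"<s>{f.name}</s>"
    if f.suspended:
        return f"''{f.name}''"
    return f"{f.name} [{measure_light(f)}]"


# Constructed sample of one reporting period.
SAMPLE = [
    Finding("Patch management process", completed_this_period=True, completed=True),
    Finding("MFA for admin accounts", overdue_periods=1),
    Finding("Backup restore test", overdue_periods=2),
    Finding("Network segmentation"),
    Finding("Legacy app decommissioning", suspended=True),
]


if __name__ == "__main__":
    for f in SAMPLE:
        print(report_line(f))
    # 1 of 4 active findings completed (25%), 2 of 4 overdue (50%): LOW
    print("Project progress:", project_rating(SAMPLE))
```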
 
Current revision as of 20 March 2024, 14:03

HITGuard offers the possibility to generate reports for measures under "Measures → Reports".

Reports


To create a report, first choose a type of report. Subsequently, choose which data to include in the report (e.g. risks or reviews). Most reports also have additional report options which allow further specification of the report's contents.

Knowledge bases can be made available in different languages due to stored translations for used knowledge bases. For example, to generate a report with the English texts, the language must be changed using the flag icon at the top right of the screen, next to the logout button. This will load all content for the reports in the desired language, provided that a translation in that language is available for the knowledge base.

Download options:
The reports are available for download as PDF or DOCX files. Click the pink button to generate and download a report. Then, choose whether the report should be downloaded as a PDF or DOCX.

Additionally, there is the option to generate and archive the reports including revision information. In doing this, the report can be viewed, generated anew, or downloaded again by an expert under "Administration → Report archive". More information about this can be found under "Administration → Report archive".

When generating reports with revision information in the archive, there is also the option to send the report by e-mail to various recipients right away. More information about this can be found in the report archive and under "Administration → Report archive".

Remembering report options:Some of the report options can be found for various reports. For these, the selected options are remembered within the management system and for the individual user, and then also applied for other reports with that same option. For example, if the option "Table of contents" is selected, then it will already be selected when accessing any other report pages that use this option.

Licenses:
If no valid license for HITGuard is available, this will be displayed in the footer of the report! To change this, an expert or administrator has to request/upload a license under "Administration → Licensing".

The following reports are offered in the measures section of HITGuard:

Measure report for standard/norm

This report lists the linked measures for a selected standard/norm.

Report options
Selection of the analysis period This option determines which analysis period the report elements come from.
Table of contents This option determines whether a table of contents is included in the report.
Progress overview Includes the progress overview for each measure in the report.
Progress protocol Includes the progress protocol for each measure in the report.
Remarks Determines whether the measure remarks are included in the report.
Include not applicable chapters in the statistics Determines whether chapters marked as not applicable in the management system are considered in the report.
Appendix with explanations Adds an appendix with different explanatory texts.
Create measure report for standard/norm


Measure report

This report shows details for one or more selected measures.

Example measure report: Measures with progress overview and protocol (DE)

Report options
Selection of the analysis period This option determines which analysis period the report elements come from.
Table of contents This option determines whether a table of contents is included in the report.
Progress overview Includes the progress overview for each measure in the report.
Progress protocol Includes the progress protocol for each measure in the report.
Remarks Determines whether the measure remarks are included in the report.
List attachments/evidences Prints the file names of attachments/evidences in the report..
Attachments/evidences as zip-file The report is downloaded in a zip-folder along with any attachments/evidences.
Appendix with explanations Adds an appendix with different explanatory texts.
Create measure report


Progress report

On this page you can create, view, and download reports for measures within a specific analysis period for selected organizational units.

The reports offer an evaluation of the measures and the project progress. The evaluation of the measures deals with their criticality and recommends an implementation timeframe on the basis of that. The evaluation of the project progress shows, using traffic light colors, the evaluation of the progress of individual measures and the project as a whole. Completed measures are displayed as crossed out text in this report, suspended ones in italics.

Reports already created are listed to the left. A click on such an entry shows the report's revision information and it can be generated anew, if any modification is necessary. Clicking the blue name in the list opens an online preview of the report. If the name is blac, the report was prepared but not yet generated. Clicking the download symbol downloads a generated report.

Measure reports


In the tab Data selection, you can configure which organizational units are to be included in the report. The list "Included OUs" shows all organizational units that are currently considered for the report. The list "Current OUs" shows all organizational units that are available in the current analysis period of the active management system. Current OrgUnits that are not yet selected, can be added to to the included OUs via drag & drop.

Data selection


Evaluation systematics

The following evaluation systematics are applied in the detail report for measures and also added to the report as an appendix.

Evaluation of the measures
Every measure is evaluated as to its criticality. How critical a measure is depends on the potential damage of the recognized vulnerability and the probability of occurrence of the event. The criticality of the measure results in the urgency of that vulnerability's correction.

Measure criticality
The criticality of a measure depends on the affected IT system and the data related to it. This can be ascertained by means of the business impact analysis and the risk analyses carried out. If there is no such analysis for the affected service, the following consideration is to be made:

  1. If the measure affects IT core services (such as the network, the firewall, e-mail services, or physical security such as access to the server room), then the criticality level HIGH is always to be assumed.
  2. For all IT services not covered by point 1), the following deliberation is to be made:
    • The threat potential is LOW, if
      • monetary damages of up to EUR 300K for the company are possible,
      • an image loss of partially external ramification could occur,
      • the physical integrity of persons cannot be guaranteed, even if the occurrence is unlikely.
    • The threat potential is MEDIUM, if
      • monetary damages from over EUR 300K to up to EUR 5 million for the company are possible,
      • an image loss with customers and partners could occur, that would have to be compensated with mid-term measures,
      • the physical integrity of persons cannot be guaranteed, and the occurrence is not unlikely.
    • The threat potential is HIGH, if
      • monetary damages of over EUR 5 million for a company are possible,
      • negative media coverage cannot be ruled out (with unavoidable mid- to long-term consequences),
      • there is definitely danger to the life and limb of persons.
  3. If no associated risk analysis is available, the probability of occurrence of the threat must also be considered. If the probability of occurrence of the risk is estimated to be very unlikely (or would have to be triggered by a chain of events) or compensating measures for the reduction of the risk have already been taken, then the risk level can be reduced. If a vulnerability can be exploited externally, the risk level may not be reduced.

Recommended implementation timeframe
The criticality of the measure informs the resulting proposed start date for the implementation of the measure.

  1. HIGH: immediately after conveying the audit findings
  2. MEDIUM: 1 to at most 2 months after conveying the audit findings
  3. LOW: 2 to at most 4 months after conveying the audit findings

KO measures always count as HIGH and are those that must be implemented immediately as the vulnerabilities are linked to a very high attack potential.

Of course, the same effort cannot be assumed for the implementation of every measure. Projects are therefore classified as follows, depending on their planned duration and the estimated project days (PD):

  1. SMALL: <1 month duration; <= 2 PD effort
  2. MEDIUM: <3 months duration; <= 10 PD effort
  3. LARGE: >3 months duration; > 10 PD effort

Therefore, only a recommended timeframe is given here.

Considering the factors criticality and effort, the following maximum recommended implementation timeframe is given:

                       Effort
Criticality   LARGE                       MEDIUM     SMALL
LOW           4 months + project effort   7 months   5 months
MEDIUM        2 months + project effort   5 months   3 months
HIGH          project effort              3 months   1 month

In projects with a large effort, it should be ensured that short-term risk-reducing measures are implemented at the start of the project in any case. The project duration of any following long-term solution is then to be planned considering the economic factors of the project and the economic situation of the company as a whole.
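The criticality and effort rules above, together with the timeframe table, can be written down as a small decision procedure. The following is an added example for this user guide, not HITGuard code: the thresholds and the table are taken from the text above, while the function names, the size of a risk reduction under point 3 (one level, the page does not say how much) and the treatment of boundary values (a duration of exactly 3 months counts as LARGE) are assumptions made here.

```python
"""Criticality, effort class and recommended implementation timeframe.

Added example for this user guide; it is not part of HITGuard. Thresholds and
the timeframe table come from the text above. Assumptions: the function
names, a risk reduction of exactly one level, and a duration of exactly
3 months counting as LARGE.
"""

# Maximum recommended implementation timeframe, transcribed from the
# criticality x effort table above: (months, whether the planned project
# effort itself is added on top).
TIMEFRAME = {
    ("LOW", "LARGE"): (4, True),
    ("LOW", "MEDIUM"): (7, False),
    ("LOW", "SMALL"): (5, False),
    ("MEDIUM", "LARGE"): (2, True),
    ("MEDIUM", "MEDIUM"): (5, False),
    ("MEDIUM", "SMALL"): (3, False),
    ("HIGH", "LARGE"): (0, True),
    ("HIGH", "MEDIUM"): (3, False),
    ("HIGH", "SMALL"): (1, False),
}

LEVELS = ("LOW", "MEDIUM", "HIGH")


def threat_potential(damage_eur: float) -> str:
    """Monetary-damage criterion of point 2: up to EUR 300K is LOW, up to
    EUR 5 million is MEDIUM, above that HIGH. The image-loss and personal
    safety criteria are judged by the assessor and are not modelled here."""
    if damage_eur <= 300_000:
        return "LOW"
    if damage_eur <= 5_000_000:
        return "MEDIUM"
    return "HIGH"


def criticality(*, core_service: bool, ko_measure: bool, damage_eur: float,
                very_unlikely: bool = False, compensated: bool = False,
                externally_exploitable: bool = False) -> str:
    """Point 1: IT core services are always HIGH; KO measures likewise.
    Point 3: a very unlikely occurrence or existing compensating measures
    allow a reduction, never for an externally exploitable vulnerability.
    Reducing by exactly one level is an assumption made in this example."""
    if core_service or ko_measure:
        return "HIGH"
    level = threat_potential(damage_eur)
    if (very_unlikely or compensated) and not externally_exploitable:
        level = LEVELS[max(0, LEVELS.index(level) - 1)]
    return level


def effort_class(duration_months: float, project_days: float) -> str:
    """SMALL: <1 month and <=2 PD; MEDIUM: <3 months and <=10 PD;
    anything else is LARGE (exactly 3 months counts as LARGE here)."""
    if duration_months < 1 and project_days <= 2:
        return "SMALL"
    if duration_months < 3 and project_days <= 10:
        return "MEDIUM"
    return "LARGE"


def recommended_timeframe(crit: str, effort: str, project_months: float = 0.0) -> float:
    """Maximum recommended implementation timeframe in months. Where the
    table says "project effort", the planned project duration is added."""
    months, adds_effort = TIMEFRAME[(crit, effort)]
    return months + (project_months if adds_effort else 0.0)


if __name__ == "__main__":
    # Constructed sample: a non-core service with EUR 1 million potential
    # damage, compensating controls in place, not reachable from outside.
    crit = criticality(core_service=False, ko_measure=False,
                       damage_eur=1_000_000, compensated=True)
    eff = effort_class(duration_months=6, project_days=40)
    print(crit, eff, recommended_timeframe(crit, eff, project_months=6))
```

The constructed sample resolves to LOW criticality with LARGE effort, i.e. 4 months plus the 6 planned project months. Setting `externally_exploitable=True` on the same input keeps MEDIUM, as point 3 requires.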

Evaluation of the project progress

Evaluation of the progress of individual measures

So long as a task is within its defined period, the traffic light showing the project progress is green. When a measure is counted as overdue for the first time, the light becomes yellow. If in the next reporting period the task is still not finished, the light turns red and stays red for as long as it takes to implement the measure or until a follow-up audit resets the evaluation of the project progress. New implementation dates can be agreed in this audit. The "Recognized at" date, however, always shows when a measure was first opened.

Evaluation of the progress in the project as a whole
The progress of the project as a whole is also evaluated via traffic light colors.

  • NONE
    • If 0 findings have been reported as finished in the current reporting period.
      CAUTION: If “None” is written in red instead of black, this means that there is an impending delay regarding the implementation of findings. Otherwise, it can also mean that measures are being worked on at the moment, but due to their high-effort nature they simply take longer.
  • LOW
    • If less than or exactly 10% of findings have been reported as completed in the current reporting period and/or
    • more than 33% of findings are overdue.
  • MEDIUM
    • If more than 10% but less than or exactly 20% of findings have been reported as completed in the current reporting period and/or
    • more than 20% but less than 33% of findings are overdue.
  • HIGH
    • If more than 20% of findings have been reported as completed in the current reporting period and/or
    • no more than 20% of findings are overdue.
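The per-measure traffic light and the overall project rating described above are simple threshold rules. The following is an added example for this user guide, not HITGuard code: the colour sequence and the percentage thresholds are taken from the text above, while the following are assumptions made here: percentages are relative to all findings in the reporting period, the completion and overdue criteria (joined by "and/or" above) are combined by taking the worse of the two ratings, and exactly 33% overdue is treated as MEDIUM, a boundary the text leaves open.

```python
"""Traffic-light evaluation of measure and project progress.

Added example for this user guide; it is not HITGuard code. Colour rules and
thresholds come from the text above. Assumptions: percentages are relative
to all findings in the period, the two criteria are combined by taking the
worse rating, and exactly 33% overdue counts as MEDIUM.
"""
from dataclasses import dataclass

RATINGS = ("LOW", "MEDIUM", "HIGH")


@dataclass
class Measure:
    name: str
    finished_this_period: bool
    # Number of reporting periods the measure has been overdue; 0 = on time.
    # A follow-up audit that agrees new dates would reset this to 0.
    overdue_periods: int


def measure_light(overdue_periods: int) -> str:
    """Green while within the agreed period, yellow in the first period the
    measure is overdue, red from the following period on until finished."""
    if overdue_periods <= 0:
        return "green"
    return "yellow" if overdue_periods == 1 else "red"


def progress_rating(total: int, finished: int, overdue: int) -> str:
    """Overall project progress: NONE / LOW / MEDIUM / HIGH per the rules above.
    The completion-based and overdue-based ratings are combined by taking the
    worse one (assumption; the text joins them with "and/or")."""
    if total <= 0:
        raise ValueError("no findings in the reporting period")
    if finished == 0:
        return "NONE"
    completed_pct = 100 * finished / total
    overdue_pct = 100 * overdue / total
    if completed_pct <= 10:
        by_completion = "LOW"
    elif completed_pct <= 20:
        by_completion = "MEDIUM"
    else:
        by_completion = "HIGH"
    if overdue_pct <= 20:
        by_overdue = "HIGH"
    elif overdue_pct <= 33:  # exactly 33% treated as MEDIUM (assumption)
        by_overdue = "MEDIUM"
    else:
        by_overdue = "LOW"
    return min(by_completion, by_overdue, key=RATINGS.index)


def evaluate(measures):
    """Per-measure lights for open measures plus the overall project rating."""
    open_measures = [m for m in measures if not m.finished_this_period]
    lights = {m.name: measure_light(m.overdue_periods) for m in open_measures}
    finished = sum(1 for m in measures if m.finished_this_period)
    overdue = sum(1 for m in open_measures if m.overdue_periods > 0)
    return {"lights": lights,
            "rating": progress_rating(len(measures), finished, overdue)}


# Constructed sample reporting period with five findings.
SAMPLE = [
    Measure("Patch mail gateway", True, 0),
    Measure("Segment admin network", False, 0),
    Measure("Review firewall rules", False, 1),
    Measure("Server room access logging", False, 2),
    Measure("Backup restore test", False, 0),
]

if __name__ == "__main__":
    result = evaluate(SAMPLE)
    for name, light in result["lights"].items():
        print(f"{light:6} {name}")
    print("project progress:", result["rating"])
```

In the constructed sample one of five findings (20%) was finished, which alone would rate MEDIUM, but two of five (40%) are overdue, so the overall rating is LOW; the measure overdue for a second period shows red, the one overdue for the first time yellow.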

Completed/Suspended measures
A crossed out line is a task that is finished in the current analysis period and will not show up in the next report. A line in italics is a task suspended with justification.