Managementsysteme/en: Unterschied zwischen den Versionen
Aus HITGuard User Guide
Weitere Optionen
Faha (Diskussion | Beiträge) Die Seite wurde neu angelegt: „:<u>Optional measure properties</u><br> ::These properties have an effect on the creation of measures in their respective management systems.<br> ::*see $A_G…“ |
Übernehme Bearbeitung einer neuen Version der Quellseite |
||
| (200 dazwischenliegende Versionen von 5 Benutzern werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
<span id="managementsystem"></span> | |||
[[Datei:Managementsysteme Übersicht.png|right|thumb|750px|Management systems overview]] | |||
:Management systems | |||
: | Administrators and [[Special:MyLanguage/Benutzer_und_Benutzerrollen|Expert]] Experts can create, edit, and manage management systems via "Administration → Management systems". Experts can only edit the management systems for which they are responsible. | ||
:*In addition to the measures, controls can also be created for further risk monitoring to ensure the effectiveness and sustainability of implemented measures. | '''What is a management system?'''<br> | ||
:A management system bundles data related to a certain topic. Management systems contain beinhalten [[Special:MyLanguage/Aktuelle_Maßnahmen|measures]], [[Special:MyLanguage/Kontrolldefinitionen|controls]], [[Special:MyLanguage/Schutzbedarf|protection needs analyses]], [[Special:MyLanguage/Schwachstellen|gap analyses]], [[Special:MyLanguage/Auditplanung|Audits]], [[Special:MyLanguage/Meldungen| Tickets]] and other elements. These entities only exist inside management systems. [[Special:MyLanguage/Strukturanalyse#Betrachtungsbereiche|Master Data]] will not be restricted to specific management systems. | |||
Expert- Professional- and Observer- [[Special:MyLanguage/Benutzer_und_Benutzerrollen|Users]] are added to management systems. This gives them access to the data in the management system and allows them to perform analyses and assign tasks. The data they manage in the management system is historicized by analysis periods, making it comparable. | |||
'''What purpose do management systems serve?'''<br> | |||
Management systems have three key functions: | |||
# They serve to categorize measures, controls, or risk identifications of selected departments into subject areas. <br> | |||
#* For example: Measures from information security audits are managed in one management system, while measures from quality management audits are managed in another. Both subject areas are and remain separate. <br> | |||
#: | |||
# Management systems define who is responsible for the subject area and who else works with the data. <br> | |||
#* For example: Mr. Smith is responsible for the QM management system, but does not have access to the ISMS management system. Ms. Jones, on the other hand, is responsible for the ISMS management system and occasionally works in QM. She has access to both management systems. | |||
#: | |||
# They are used to assign progress surveys and other data to time periods and to analyze corresponding key figures and trends.<br> | |||
#* For example: Mr. Smith collects progress data from ten departments <i>every six months</i>, while Ms. Smith evaluates her data <i>quarterly</i>. | |||
<!--:That means: | |||
:*Measures to deal with risks can be implemented by employees from different areas of responsibility. Experts from the individual management systems can continuously monitor the progress of the measure developments and report periodically over several analysis periods.--> | |||
<!--:*In addition to the measures, controls can also be created for further risk monitoring to ensure the effectiveness and sustainability of implemented measures. Controls are assigned to the employees of the respective area of responsibility, which are reminded of the execution of the control at predefined intervals. The execution of these - if necessary with indication of evidence - is documented in a comprehensible manner.--> | |||
'''Deleting a management system:''' | '''Deleting a management system:''' | ||
*The deletion of a management system can only be performed by the responsible expert. | *The deletion of a management system can only be performed by the responsible expert. | ||
*The deletion of management systems is only possible as long as no analysis periods are included. | *The deletion of management systems is only possible as long as no active analysis periods are included. | ||
<b>Licenses:</b> | |||
The grid overview in HITGuard shows how many licenses are currently available and how many are in use. This makes it possible to see at a glance whether one is underlicensed or still has licenses for additional management systems. More information about the licenses can be found under [[Special:MyLanguage/Lizenzierung| "Administration → Licensing"]]. | |||
<span id="Stammdaten"></span> | |||
== <span id="stam"></span> Master data == | |||
A management system is configured in the master data. The settings made here affect all work inside the management system.<br> | |||
[[Datei:Stammdaten bearbeiten.PNG|left|thumb|901px|Edit master data]] <br clear=all> | |||
<span id="Stammdaten_bearbeiten"></span> | |||
=== Edit master data === | |||
Here, you enter the name, the responsible person(s) and the team members for a management system.<br> | |||
* For each management system, expert users or teams consisting of experts can be entered as <b>responsible persons</b>. Only these people can later edit the management system and transfer analysis periods. | |||
* The members of the <b>team</b> must be experts, professionals, or observers. These users can collaborate on the data in the management system, even if they cannot edit the management system itself. | |||
<br> | |||
<span id="Einstellungen_zum_Managementsystem"></span> | |||
===<span id="general_settings"> Management system settings=== | |||
[[Datei:MMS_Einstellungen.png|left|thumb|901px|management system settings]] <br clear=all> | |||
Here you can add or remove <b>protection goals</b> for use in the management system. Before doing so, they must be activated in the [[Special:MyLanguage/Risikopolitik#Schutzziele|risk policy]]. If the protection goals have been entered here for use in the management system, this will affect [[Special:MyLanguage/Risikobewertung|risk assessments]] and [[Special:MyLanguage/Schutzbedarf|protection needs analyses]]. <br> | |||
<u>Note:</u> Protection goals created in the risk policy are entered here automatically. If existing protection goals (such as [[Special:MyLanguage/Strukturanalyse#RTO_und_RPO_Erfüllung|RTO and RPO]]) are only activated there, they must still be added manually here. | |||
You can also select the <b>standards and norms</b> to be used in this management system here. Import a new standard under “Administration → [[Special:MyLanguage/Standards_und_Normen|Standards and Norms]]” and it will be added here automatically. | |||
Standards that are not selected or deleted here are still visible in already existing mappings, but can no longer be selected or changed in this management system. They are also not considered when further mapped norm chapters are included in reports (e.g., Compliance report by Standard or Norm). | |||
For example, if the standard "GDPR" is not selected, it cannot be selected for the evaluation of the compliance spider in the risk management dashboard according to "GDPR". | |||
<!--x--> | |||
<!--x--> | |||
Next, you can activate three of the HITGuard add-ons. To use them, the respective Experts, Professionals, and Observers must also be assigned the respective [[Special:MyLanguage/Benutzer_und_Benutzerrollen|permissions]]. | |||
* <b>Data Protection Add-on:</b> Activates the data protection module for this management system. Experts and professionals with data protection permissions can then create and manage processing activities, observer users can view them. Only one data protection module can be activated in one HITGuard installation. | |||
* <b>Case Management Add-on: </b> allows a management system to be used for reporting incidents or as a whistleblower system. | |||
* <b>Audit Management Add-on:</b> Allows you to use this management system to plan, perform, and manage [[Special:MyLanguage/Auditplanung|audits]]. | |||
[[Datei:ManSys Email Einstellungen.PNG|right|thumb|700px|E-mail settings]] | |||
<span id="E-Mail_Einstellungen"></span> | |||
=== <span id="masy_email"></span>E-mail settings=== | |||
*If an e-mail setting is configured here by a technician, then all reminders that originate from this management system will be sent via this e-mail address. If you do not use an e-mail account of your own but the one provided by TogetherSecure, the sender address needs to end in @hitguard.at. | |||
*If no e-mail setting is configured here, then all e-mails will be sent from that address that is stored in the global settings.(see [[Special:MyLanguage/Globale Einstellungen#Email Einstellungen|Global e-mail settings]]) | |||
[[Datei:Intervallschema definieren.PNG|right|thumb|800px|Define interval schema]] | |||
<span id="Intervallschema_definieren"></span> | |||
=== <span id="int"></span>Define interval schema === | |||
The interval schema defines whether analysis periods (see below) should follow a specified rhythm. | |||
*<b>Manual creation: </b> Here, the time limit is defined manually with a from-to date. It is set manually for each new analysis period. | |||
*<b>Start date and interval: </b> Here you can define a fixed interval for the analysis periods (three months in the example). The exact date in the start field is only relevant if you have not yet created an analysis period. If an analysis period already exists, HITGuard will always use the end date of the last analysis period for a new analysis period. | |||
<!--x--> | |||
<!--x--> | |||
<!--x--> | |||
<!--x--> | |||
<span id="Analysezeitraum_und_Historie"></span> | |||
== <span id="analyses_historie"></span> Analysis period and history: == | |||
[[Datei:Aktiver Analysezeitraum.PNG|right|thumb|700px|Active analysis period]] | |||
<span id="Zweck_und_Handhabung"></span> | |||
=== Purpose === | |||
Analysis periods classify data into timespans that can be evaluated. Therefore, analysis periods are regularly closed and a successor analysis period is created. | |||
Some KPIs, such as [[Special:MyLanguage/Maßnahmen_Dashboard#Kritikalität_der_offenen_Maßnahmen|criticality of open measures]], are based on analysis periods. Similarly, you can choose the analysis period that you want to evaluate for some reports, for example the reports for [[Special:MyLanguage/Berichte_für_das_Risikomanagement#Abweichungsanalysen|gap analyses]]. | |||
For two elements in HITGuard, the link to the analysis period is very strict. Because of this strict link, these two elements can block you from creating a successor analysis period. These elements are [[Special:MyLanguage/Fortschrittsmeldungen| progress reports]] and[[Special:MyLanguage/Verarbeitungstätigkeit| processing activities]]. | |||
For both elements, you can use a workflow to request editing by [[Special:MyLanguage/Benutzer_und_Benutzerrollen#Practitioner_(Workflow-Benutzer)|practitioner users]]. As long as this editing is not fully completed — that is, as long as (a) the practitioner has not returned the task and (b) the expert user has not accepted it — you cannot create a successor analysis period. | |||
You can only create a successor analysis period when all progress reports and all processing activities have been fully completed and accepted. | |||
To create a successor analysis period click on the Button to the lower right. Then you can set the date values for the new analysis period, or you let HITGuard fill them in (see [[#int|Intervallschema definieren]]). | |||
<span id="Aktiver_Analysezeitraum"></span> | |||
=== <span id="Aktiver Analysezeitraum"></span> Active analysis period === | |||
Each active analysis period will be defined by a number of entry fields: | |||
* <b>Begin and end:</b> An analysis period can be as short or as long as the organization requires. In principle, the begin and end date can be on the same day; however, the begin date cannot be set to a point after the end. | |||
*<b>Editorial deadline::</b> This date should be set to slightly before the end date of the analysis period, since it is relevant for action management. If Expert or Professional users request a [[Special:MyLanguage/Fortschrittsmeldungen|progress report]] for an action, HITGuard will use this date as the deadline for feedback by default. | |||
<div class="mw-translate-fuzzy"> | |||
*<b>Target score:</b>The target score describes the target state for all gap analyses. When you enter an answer to a test question, it is compared to the target score. If the value of the answer is lower than the set target score, it is considered a deviation and can be [[Special:MyLanguage/ Überprüfung#Abweichungen_behandeln|used]] accordingly. <br> | |||
::<u>Note:</u> The answers “Yes,” “Partially,” and ‘No’ correspond to maturity levels “5,” “3,” and “1.” | |||
:: | </div> | ||
*<b>Included OrgUnits:</b> Organizational units (OUs) can be activated and deactivated in analysis periods by checking or unchecking a box. HITGuard will <i>not</i> offer you the deactivated OUs in the various selection fields. This allows you to focus on certain parts of the organization without being distracted by the deactivated OUs. <br> | |||
Note: You can only deactivate an OU if it has no open [[Special:MyLanguage/Aktuelle_Maßnahmen|measures]], [[Special:MyLanguage/Kontrolldefinitionen|controls]] or [[Special:MyLanguage/Verarbeitungstätigkeit|processing activities]] assigned to it. <br> | |||
When you create new OUs, they are available here. The check mark for the new OU always adopts the check mark setting of its parent OU. If you create an Organizational unitsthat does not have a parent OU, no check mark is set. | |||
In practice, this means that most customers first create an OU that represents their entire organization and then switch to the management system to activate it. All other OUs that they create under the entire organization are then automatically activated. | |||
* <b>Create successor analysis period:</b> When transferring from one analysis period to the next, the old analysis period is closed and a new one is created. All tasks that are not marked as “completed” are transferred to the new analysis period and remain available under [[Special:MyLanguage/Aktuelle_Maßnahmen|measures→ Current measures]]. Completed actions can only be viewed in the next period under [[Special:MyLanguage/Historie|measures → history]]. Actions with the status “Cancelled” and “Discarded” are also removed from the current actions and are then only available in the history. | |||
=== Deleting an analysis period === | |||
*The deletion of an analysis period can only be triggered by the responsible expert. | |||
*The deletion of analysis periods is only supported as long as no progress reports have been created. | |||
*Only the current period to analyze can be deleted at any one time; completed periods can no longer be deleted. | |||
===Past analysis periods=== | |||
*The history lists the analysis periods which have already been completed with start, end and editorial deadline. | |||
: | [[Datei:Managementsysteme Historie.png|left|thumb|700px|Past analysis periods]] | ||
<br clear=all> | |||
<span id="Kürzel_Generierung"></span> | |||
==Code generation== | |||
: | [[Datei:MMS_Kürzel.png|thumb|right|700px]] | ||
Here you can set the default of whether an automatic code should be created for any new elemtents, and for which ones. The structure of the code can also be configured here. When creating a management system, the configuration is taken automatically from the global settings, but it can be changed and adapted here at any time. | |||
*The <b>general prefix</b> is used at the beginning of the code for all selected elements. It is in the code of all elements of this management system. | |||
* | *In the first column, use the check mark to activate the abbreviation generation for this element. | ||
*Prefix: a string of letters, digits, or special characters that clearly labels the element (e.g., M for measure). The default entry can be changed. | |||
*OrgUnits abbr.: decides whether the element's code also includes the code of the organizational unit. Elements that aren't directly associated with any organizational unit do not have this option activated (e.g., hazard situations or processes). | |||
*OrgUnit abbr. suffix: a delimiter between the OrgUnit code and the final digit string (e.g., _ or -). | |||
*Minimum precision: the minimum number of digits to be included in the resulting string. At least 1 and at most 10 can be entered. With a number of 4, the resulting strings would be, for example, 0001, 0026, or 0184. | |||
Aktuelle Version vom 19. Februar 2026, 15:58 Uhr
Administrators and Expert Experts can create, edit, and manage management systems via "Administration → Management systems". Experts can only edit the management systems for which they are responsible.
What is a management system?
- A management system bundles data related to a certain topic. Management systems contain beinhalten measures, controls, protection needs analyses, gap analyses, Audits, Tickets and other elements. These entities only exist inside management systems. Master Data will not be restricted to specific management systems.
Expert- Professional- and Observer- Users are added to management systems. This gives them access to the data in the management system and allows them to perform analyses and assign tasks. The data they manage in the management system is historicized by analysis periods, making it comparable.
What purpose do management systems serve?
Management systems have three key functions:
- They serve to categorize measures, controls, or risk identifications of selected departments into subject areas.
- For example: Measures from information security audits are managed in one management system, while measures from quality management audits are managed in another. Both subject areas are and remain separate.
- For example: Measures from information security audits are managed in one management system, while measures from quality management audits are managed in another. Both subject areas are and remain separate.
- Management systems define who is responsible for the subject area and who else works with the data.
- For example: Mr. Smith is responsible for the QM management system, but does not have access to the ISMS management system. Ms. Jones, on the other hand, is responsible for the ISMS management system and occasionally works in QM. She has access to both management systems.
- They are used to assign progress surveys and other data to time periods and to analyze corresponding key figures and trends.
- For example: Mr. Smith collects progress data from ten departments every six months, while Ms. Smith evaluates her data quarterly.
Deleting a management system:
- The deletion of a management system can only be performed by the responsible expert.
- The deletion of management systems is only possible as long as no active analysis periods are included.
Licenses:
The grid overview in HITGuard shows how many licenses are currently available and how many are in use. This makes it possible to see at a glance whether one is underlicensed or still has licenses for additional management systems. More information about the licenses can be found under "Administration → Licensing".
Master data
A management system is configured in the master data. The settings made here affect all work inside the management system.
Edit master data
Here, you enter the name, the responsible person(s) and the team members for a management system.
- For each management system, expert users or teams consisting of experts can be entered as responsible persons. Only these people can later edit the management system and transfer analysis periods.
- The members of the team must be experts, professionals, or observers. These users can collaborate on the data in the management system, even if they cannot edit the management system itself.
Management system settings
Here you can add or remove protection goals for use in the management system. Before doing so, they must be activated in the risk policy. If the protection goals have been entered here for use in the management system, this will affect risk assessments and protection needs analyses.
Note: Protection goals created in the risk policy are entered here automatically. If existing protection goals (such as RTO and RPO) are only activated there, they must still be added manually here.
You can also select the standards and norms to be used in this management system here. Import a new standard under “Administration → Standards and Norms” and it will be added here automatically.
Standards that are not selected or deleted here are still visible in already existing mappings, but can no longer be selected or changed in this management system. They are also not considered when further mapped norm chapters are included in reports (e.g., Compliance report by Standard or Norm).
For example, if the standard "GDPR" is not selected, it cannot be selected for the evaluation of the compliance spider in the risk management dashboard according to "GDPR".
Next, you can activate three of the HITGuard add-ons. To use them, the respective Experts, Professionals, and Observers must also be assigned the respective permissions.
- Data Protection Add-on: Activates the data protection module for this management system. Experts and professionals with data protection permissions can then create and manage processing activities, observer users can view them. Only one data protection module can be activated in one HITGuard installation.
- Case Management Add-on: allows a management system to be used for reporting incidents or as a whistleblower system.
- Audit Management Add-on: Allows you to use this management system to plan, perform, and manage audits.
E-mail settings
- If an e-mail setting is configured here by a technician, then all reminders that originate from this management system will be sent via this e-mail address. If you do not use an e-mail account of your own but the one provided by TogetherSecure, the sender address needs to end in @hitguard.at.
- If no e-mail setting is configured here, then all e-mails will be sent from that address that is stored in the global settings.(see Global e-mail settings)
Define interval schema
The interval schema defines whether analysis periods (see below) should follow a specified rhythm.
- Manual creation: Here, the time limit is defined manually with a from-to date. It is set manually for each new analysis period.
- Start date and interval: Here you can define a fixed interval for the analysis periods (three months in the example). The exact date in the start field is only relevant if you have not yet created an analysis period. If an analysis period already exists, HITGuard will always use the end date of the last analysis period for a new analysis period.
Analysis period and history:
Purpose
Analysis periods classify data into timespans that can be evaluated. Therefore, analysis periods are regularly closed and a successor analysis period is created.
Some KPIs, such as criticality of open measures, are based on analysis periods. Similarly, you can choose the analysis period that you want to evaluate for some reports, for example the reports for gap analyses.
For two elements in HITGuard, the link to the analysis period is very strict. Because of this strict link, these two elements can block you from creating a successor analysis period. These elements are progress reports and processing activities.
For both elements, you can use a workflow to request editing by practitioner users. As long as this editing is not fully completed — that is, as long as (a) the practitioner has not returned the task and (b) the expert user has not accepted it — you cannot create a successor analysis period.
You can only create a successor analysis period when all progress reports and all processing activities have been fully completed and accepted.
To create a successor analysis period click on the Button to the lower right. Then you can set the date values for the new analysis period, or you let HITGuard fill them in (see Intervallschema definieren).
Active analysis period
Each active analysis period will be defined by a number of entry fields:
- Begin and end: An analysis period can be as short or as long as the organization requires. In principle, the begin and end date can be on the same day; however, the begin date cannot be set to a point after the end.
- Editorial deadline:: This date should be set to slightly before the end date of the analysis period, since it is relevant for action management. If Expert or Professional users request a progress report for an action, HITGuard will use this date as the deadline for feedback by default.
- Target score:The target score describes the target state for all gap analyses. When you enter an answer to a test question, it is compared to the target score. If the value of the answer is lower than the set target score, it is considered a deviation and can be used accordingly.
- Note: The answers “Yes,” “Partially,” and ‘No’ correspond to maturity levels “5,” “3,” and “1.”
- Included OrgUnits: Organizational units (OUs) can be activated and deactivated in analysis periods by checking or unchecking a box. HITGuard will not offer you the deactivated OUs in the various selection fields. This allows you to focus on certain parts of the organization without being distracted by the deactivated OUs.
Note: You can only deactivate an OU if it has no open measures, controls or processing activities assigned to it.
When you create new OUs, they are available here. The check mark for the new OU always adopts the check mark setting of its parent OU. If you create an Organizational unitsthat does not have a parent OU, no check mark is set.
In practice, this means that most customers first create an OU that represents their entire organization and then switch to the management system to activate it. All other OUs that they create under the entire organization are then automatically activated.
- Create successor analysis period: When transferring from one analysis period to the next, the old analysis period is closed and a new one is created. All tasks that are not marked as “completed” are transferred to the new analysis period and remain available under measures→ Current measures. Completed actions can only be viewed in the next period under measures → history. Actions with the status “Cancelled” and “Discarded” are also removed from the current actions and are then only available in the history.
Deleting an analysis period
- The deletion of an analysis period can only be triggered by the responsible expert.
- The deletion of analysis periods is only supported as long as no progress reports have been created.
- Only the current period to analyze can be deleted at any one time; completed periods can no longer be deleted.
Past analysis periods
- The history lists the analysis periods which have already been completed with start, end and editorial deadline.
Code generation
Here you can set the default of whether an automatic code should be created for any new elemtents, and for which ones. The structure of the code can also be configured here. When creating a management system, the configuration is taken automatically from the global settings, but it can be changed and adapted here at any time.
- The general prefix is used at the beginning of the code for all selected elements. It is in the code of all elements of this management system.
- In the first column, use the check mark to activate the abbreviation generation for this element.
- Prefix: a string of letters, digits, or special characters that clearly labels the element (e.g., M for measure). The default entry can be changed.
- OrgUnits abbr.: decides whether the element's code also includes the code of the organizational unit. Elements that aren't directly associated with any organizational unit do not have this option activated (e.g., hazard situations or processes).
- OrgUnit abbr. suffix: a delimiter between the OrgUnit code and the final digit string (e.g., _ or -).
- Minimum precision: the minimum number of digits to be included in the resulting string. At least 1 and at most 10 can be entered. With a number of 4, the resulting strings would be, for example, 0001, 0026, or 0184.