Wissensdatenbanken/en: Unterschied zwischen den Versionen

What is a knowledge base?

• Knowledge bases contain portable know-how for risk identification (through topics, audit questions, threats) and risk treatment (measures and controls).
• This makes it possible to perform deviation analyses guided by this know-how and thus to check and document compliance/fulfillment of requirements.
• In addition to questions on risk identification, they also contain measures and control proposals to reduce, control, or eliminate these very risk situations.
• Furthermore, knowledge bases on a norm or standard basis can be used to check compliance requirements.

Difference to standards and norms:

• Standards and norms provide no usable know-how and are pure "tables of contents" of a standard.
• They are used to evaluate the impact of risks, review results, measures, and controls on a norm or standard.

Options:

• Import knowledge base
• Create a knowledge base
• Editing/user adaptation of knowledge bases
• Successor versions of knowledge bases
• Updating review objects
• Merging knowledge bases
• Translating knowledge bases

Norm or standard knowledge bases can only be imported, not exported.

They contain copyrighted content and can not be modified!

The review questions of these knowledge bases map to the respective norm or standard. This allows the degree of compliance with a norm or standard to be determined. The degree of compliance can be viewed under "Risk management dashboard → Compliance Coverage" or in compliance reports.

These knowledge bases contain copyright-protected content! They can only be imported, not exported.

Although the content is protected, user adjustments can be made!

During user customization, the review questions defined by the manufacturer cannot be customized! If you do not want to handle them, the review question must be set to "unnecessary". However, the knowledge base can be extended with your own topics and review questions without any restrictions.

So customizing a knowledge base makes sense if certain topics or questions are not covered that would be important or interesting for your business, or you do not want to cover certain knowledge base topics.

Manufacturer and standard knowledge bases can be created and exported by owning a manufacturer license.

These are knowledge bases created by you. In these, you can maintain and prepare the content yourself. For example, you could create and manage databases for internal audits or for collecting answers to questionnaires.

These knowledge bases, as long as they are not published, can be adapted without further ado. Once published, a successor version must be created for editing.

Knowledge bases can be translated into different languages. These language versions can be used in the course of vulnerability analyses and consequently in reports. The language used is the one set by the user at the top right (right next to the logout button).

For translating, see Translating knowledge bases.

Versioning distinguishes between self developed knowledge bases and user adaptations of vendor knowledge bases.

You can maintain multiple versions of self-developed knowledge bases.

If an in-house development no longer meets your requirements, a new version adapted to the requirements can be created. To do this, click on "Create successor version" in the mask for viewing the knowledge base. For more information, see Successor versions of knowledge bases.

Self-developed knowledge base versions consist of only one number. Subsequent versions increase this number by 1.

The version number X.Y for imported knowledge bases behaves as follows:

• X: imported knowledge bases always have a number. For example 1, 2 or 3 but not 1.1,2.1 or 3.3.
• Y: if a customization of an imported knowledge base is created, the number after the dot is increased by 1.

In the overview is displayed: KB Z in version 5 and KB W in version 2.3. In the knowledge base itself you will then see KB W in version 2 customization no. 3.

If several versions of a knowledge base are available, it is possible to set one version as the preferred version.

The knowledge base must be published, then in the mask for viewing the knowledge base there is a button labeled "Set as preferred version".

In the overview of knowledge bases, preferred ones are marked with a heart.

Important: Only preferred versions can be selected in gap analyses!

Only knowledge bases of the types "Vendor" or "Standard/Norm" tht you have created yourself can be exported. Knowledge bases of the type "Self developed" cannot be exported.

To export, click on "Export" in the knowledge base view screen in published KBs.

The file generated by this can then be imported to other systems as desired.

If knowledge bases are provided with a copyright, this is displayed in the measures, controls and test questions of the knowledge base. Furthermore, these are also provided with a copyright in the reports.

If a newer version of an existing knowledge base is imported, all test objects that were created with the older version can be updated to the newer version semi-automatically. For more information, see Updating review objects.

The knowledge base is divided into five key elements:

• Topics
• Audit questions
• Measures
• Controls
• Justification templates
• Threats
• Risks/Opportunities

All of these elements are templates. When using HITGuard, you can create corresponding elements based on these templates. Within the knowledge base the individual elements are structured and related to one another shown below:

• Topics organize the knowledge base at the highest and broadest level. These topics can be structured hierarchically, meaning you can create parent and child topics. Topics are used to organize all other elements, but primarily they structure review questions. By assigning review questions to a topic, you create question sets that you can then use in vulnerability or gap analyses.
  

• Questions are templates for review questions in gap assessments (which you can find under risk management > vulnerabilities). In the knowledge base templates you can set the You can define the range of possible answers. When the templates are then used as review questions in a gap analysis, you can then use them to track which criteria your organization does or does not meet. For example, you can answer the check question “Has a risk management guideline been developed?” with ‘YES’ or ‘NO’. Note: In the knowledge base, under the “Questions” tab, you will find only a pool of possible review questions. This pool is unstructured and can only be structured with topics. Check questions cannot be assigned individually to vulnerability analyses. Check questions can only be assigned with a topic.

• If a review question is answered negatively, we refer to it as a “gap.” For these deviations, you can then create threats, measures, and controls in HITGuard. In the knowledge base, you can create templates for these and then link them to the review question. For example, the following templates could be linked to the question “Has a risk management guideline been developed?”:

• Threat: “Inadequate internal regulations”
• Measure: “Develop a risk management guideline”
• Control: “Annual review to ensure the guideline is up to date”

• For review questions that are typically answered with a standard response, you can save justification templates and then use them during audits. You can maintain these template texts in the tab "justification templates".

• Schließlich können Sie Risiken und Chancen in der Wissensdatenbank vorbereiten. Diese sind zur Zeit nicht mit anderen Elementen verknüpft. Sie können die vorbereiteten Risiken aber importieren, indem Sie ein neues Risiko unter Risikomanagement > Risiken und Chancen anlegen und dann auf den Buch-Button neben der Bezeichnung klicken.

In order to make the finding of the previous occurrence of a review question, measure, control, or threat visible, there is the link "Links" at the respective element in the edit form, provided that the element has at least one link.

Topics contained in the knowledge base are used to structure the knowledge base. They contain review questions. Typically, a topic contains several review questions that cover similar things, for example technical components (such as cabling) or organizational procedures (such as an emergency preparedness concept).

Topics act as templates for review objects. When a topic from a knowledge base is added to a gap analysis, a review object on the basis of the topic is created.

To create topics, see Create topics.

Review questions serve to determine possible vulnerabilities in the context of a review. A review question can be assigned to several topics. Review questions can be structured hierarchically by using structure questions.

To create a review question, see Create review question.

Measures, controls and threats can be assigned to a review question. This ensures that if the answered question deviates from the desired target state, measures and controls are suggested to address the associated potential risk.

• Review questions that are assigned to topics can be extended by sub-questions in the knowledge base. If a question has one or more sub-questions, the main question becomes a structural question and is only used for structuring. That is: a structural question answered with "No" or "Partly" represents no deviation!
  
• Depending on the answer to the structural question, different review questions can be displayed. For example, two specific review questions may be displayed in case of a "Yes" answer and three other specific review questions may be displayed in case of a "No" answer. However, a negative answer to sub-questions will result in gaps.

If a superordinate question is created, the options "Will be displayed if" and "Answer if not displayed" are available.

• The option "Will be displayed if" defines which answer the superordinate question must have in order for the sub-question to be offered for answering. This means that if only the option "Yes" is selected for the review question under "Will be displayed if", this sub-question will only be displayed for answering if the superordinate question is answered with "Yes".
• The option "Answer if not displayed" defines which answer the sub-question should receive if it is not displayed for answering. If no selection is made here, the review question will not be answered automatically in this case.

In reports, structural questions are formatted in italics and their corresponding sub-questions are indented below them.

Measures in a knowledge base are possible measures that can be selected on the basis of the gap identified during a review in the context of the risks to be addressed. They are intended to help reduce or eliminate one or more gaps.

To create a measure, see Create measure.

Controls in a knowledge base are possible controls that are available for selection based on the identified gap for the assigned risk. They are intended to help monitor the risk or to control the execution of implemented measures.

To create a control, see Create control.

If a review question is normally justified with a standard answer, a justification template can be created for this question, which can then be used for reviews.

To create a justification template, see Create justification template.

Threats are mainly used for analyses. For example, a report can be generated in which all deviating review questions are listed for a threat.

To create a review question, see Create threat.

Mit Risiken, die in Wissensdatenbanken vorbereitet werden, können Sie später Abweichungen und andere Elemente gesammelt darstellen. Damit die Risiken später leichter identifizierbar sind, können Sie die Risiken mit "Kategorien" ausstatten. Beachten Sie, dass mit dem Import eines Risikos keine Risikokategorien in der Risikopolitik angelegt werden. Sie können ein Risiko aus der Wissensdatenbank anlegen, wenn Sie ein Risiko anlegen. Klicken sie dazu auf den Buch-Button, der ihnen angeboten wird.

• Wissensdatenbanken können Referenzen zu einem oder auch zu mehreren Standards haben. Dadurch kann mit einer Frage die Erfüllung der Anforderungen aus mehreren Standards adressiert werden.
• Eigene Wissensdatenbanken, z. B. eine Checkliste oder ein Auditierungsfragebogen, der regelmäßig zur Anwendung kommen soll, können erstellt werden.
• Verwendete Wissensdatenbanken sollten ausführlich getestet werden, um sicherzustellen, dass alle gewünschten (Norm-)Anforderungen adressiert wurden. Dabei können KPIs wie „Compliance Erfüllung“ oder der Risikomanagementbericht zu Konformität nach Standards und Normen unterstützen.