HITGuard Release Oktober 2020/en
Current version as of 24 January 2021, 10:04
What's new in risk management
Risk policy enhancements to configure different damage extent classifications
Because the new features of the data protection module require hazard situations in HITGuard to be assessed according to different damage extent classifications (see note 1), Risk Management > Risk Policy has been extended with several configuration options.
Note 1: For information security management, damage is primarily assessed from an operational perspective. For a risk assessment in data protection, however, damage must be assessed from the perspective of the data subject.
Maintain damage extent classifications
If you want to use different damage extent classes in one or more management systems, create an additional damage extent classification for that purpose. You can then define new damage extent classes within this classification.
Classes and classifications are created by the expert by clicking the plus sign next to the classes or classifications:

Don't forget: assign the newly created damage extent classification to the desired management system as its classification under Administration > Management systems > General settings.
Maintain protection target characteristics
The menu item Protection target characteristics is new and is only visible if several damage extent classifications are maintained. Since protection goals can have different meanings in different damage extent classifications, they can be named specifically for each classification. For example, the protection goal "confidentiality" can be interpreted as privacy in the context of the data protection classification (see figure): whenever the protection goal confidentiality is used in data protection, the protection goal "privacy" is displayed instead.
In the management system for information security management, where the standard damage extent classification is used for operational risk assessments, the protection goal can keep the name confidentiality or be named differently, e.g. operational confidentiality (see figure).

Define risk matrix per damage extent classification
Another new feature is that a separate risk matrix can be configured for each damage extent classification. To do this, switch between the damage extent classifications and maintain the colors of the respective risk matrix.

Extensions of the structure analysis to show relationships between different damage extent classifications
The new protection target characteristics are now also available in the structure analysis. Here you can choose according to which damage extent classification the graph is displayed. Depending on this choice, the protection target characteristics of the respective damage extent classification become visible in the graph, as do the assessments and classifications made separately for that classification:

Extensions of the hazard situation to show the assessment according to different damage extent classifications
A hazard situation is assessed by probability of occurrence and extent of damage. If a hazard situation is marked as private, it is assessed according to the damage extent classification that is set as the default for its management system. If it is not marked as private, i.e. it is shared with other management systems, it is also visible in management systems in which a different damage extent classification may apply. There the hazard situation is visible but initially not assessed: it must first be assigned the damage extent class that is appropriate within that management system's classification.
Display of the development of the hazard situations over time on the dashboard
In the last release, the temporal history of changes to a hazard situation was introduced as a new feature:

New in this release (in addition to the possibility of adding this history manually) is the display of the risk development on the risk management dashboard (menu item Risk management) via a time strip. You can move between the points in time at which changes occurred with a mouse click and thus track how the risk situation changed:

All hazard situations of your management system are displayed, as well as all hazard situations of other management systems that have not been marked private and are therefore visible to you.
Addition of entries in the temporal evolution of the hazard situation
As already explained under Display of the development of the hazard situations over time on the dashboard, the temporal history of changes to a hazard situation was introduced as a new feature in the last release.
There is now a further addition: the historical entries can be supplemented manually. This allows past changes to a hazard situation, which was not yet recorded in the history before, to be entered retroactively.
CAUTION! If you want to use the display described under Display of the development of the hazard situations over time on the dashboard and show the development of your hazard situations over time, you must add the temporal development for your already existing hazard situations yourself. Since the last release, however, every new change to a hazard situation is recorded in the history automatically.
Also note that, because damage extent classes in HITGuard can now differ per classification, your history of changes to the damage extent class of a hazard situation is only visible as a log entry in those management systems that use the same damage extent classification.
New reports: Reports on standards and norms
New evaluation options can be found under Risk Management > Reports > Standards and norms.

Statement of Applicability (SOA)
A new evaluation option is the Statement of Applicability (SOA) report. The SOA report shows which chapters of the standard are applicable or not applicable, including the justification, and which measures and controls are linked to these chapters. Collecting this information is new and is described under Maintenance of scope and applicability to a standard(s) in the administration news.
Management Summary
The management summary on standards and norms, an evaluation option that already existed, is now also available here. Until now this report was only available to experts directly via the administration. The report gives management an overview of the number, type and status of the measures and controls assigned to a specific standard. By default, the report aggregates the results on the first chapter level of the standard(s) for a better overview of the overall situation. Optionally, the report can be switched to a more granular presentation of the results via the checkbox "Print only the lowest chapter level".
Extensions to existing reports
Hazard situation report extended to multiple selection of hazard situations
You can now select multiple hazard situations and display them together in one report. You can select all hazard situations of your management system and all hazard situations of other management systems that have not been marked private and are therefore visible to you.
News on measures and controls
Extension to the controls dashboard
The Controls dashboard opens via the Controls menu item and has a new feature. If you want to see which controls are behind a percentage in the pie chart, e.g. the failed or completed controls, double-click on the pie slice to open a dialog. It lists the relevant controls and lets you jump to the control log by double-clicking a control.


Pre-populated information when creating a measure from a check
With this feature we have implemented a customer request based on practical use cases. When a measure is created in the context of a check, the field "Detected on event" is now pre-populated with the title of the check and the field "Detected on" with the start date of the check.
New labels of controls in the Practitioner view
Customers told us that it is sometimes difficult for experts to recognize which controls they personally have to perform or check; the orange flags alone gave too little information. We have therefore added two columns that can be displayed in the Practitioner view: "to be performed by me" and "to be checked by me". Sorting the table by these columns quickly shows where the expert still has work to do.

News in data protection
The data protection impact assessment
The data protection impact assessment (DPIA) can be found under Data Protection > DPIA in the management system activated for the Data Protection module.
For a processing activity (VT) or a group of VTs with a similar risk, it can be documented here whether a DPIA must be performed. This is done by way of a so-called DPIA requirement check.
The wizard that can be called in HITGuard under DPIA combines the DPIA requirement check and the subsequent actual DPIA. First the requirement check is created; then, depending on its result, either the documentation step can be completed or the DPIA can be performed in HITGuard.

To assess whether a DPIA is necessary, the requirement check distinguishes three cases:
1. The processing is an exception to the DPIA obligation.
2. The necessity of a DPIA is predetermined.
3. A threshold analysis is performed to determine whether a DPIA is necessary.
If in case 1 an exception to the DPIA is identified, the documentation can be completed. If in case 2 the DPIA is identified as legally prescribed, the DPIA must be performed in any case. In case 3, a threshold analysis can be recorded in order to reach a comprehensible decision as to whether a DPIA is necessary.
If a DPIA is required, the user can upload an already existing DPIA as a report for filing. If no DPIA exists yet, it must be performed using the further wizard steps.
In doing so you record information about the processing: data, resources, processes, the necessity and proportionality of the processing, and the rights of the data subjects. In addition, you can document the risk assessment and the corresponding action plan as well as the consultations that were carried out.
A detailed description of the DPIA can be found in the HITGuard online help.
Adaptation of the processing activity to link it with the DPIA
In order to see quickly whether a DPIA or the required DPIA requirement check exists for a processing activity (VT), step 6 of the VT has been adapted. Here you can see at a glance whether a linked DPIA exists and what its current processing status is:

In addition, the columns "DPIA" and "DPIA status" can be displayed in the VT overview. This makes it easy to see whether a DPIA or requirement check has already been performed for the VT or whether documentation work is still required:

New reports: data protection impact assessment
Standard report on the data protection impact assessment (DPIA)
In addition to the key data for the preparation of the DPIA, this report contains the name of the processing activity, the purpose of the processing, a detailed description of the processing activity, information on compliance with codes of conduct, the assessment of the necessity and proportionality of the processing with regard to its purpose, the point of view of the data subjects, information on the risk assessment and the related action planning, the advice of the data protection officer and any information on consultation with the data protection authority.
Data protection impact assessment report for the supervisory authority
In addition to the information from the standard DPIA report just described, this report also prints contact information on controllers, processors and joint controllers.
Administration news
Maintenance of scope and applicability to a standard(s)
For standards and norms, the scope within the selected management system to which the respective standard or norm applies can now be recorded as text:

In addition, for each chapter of the standard it can be defined, together with a reason, whether it is applicable or not applicable within the scope.

Extensions to the knowledge base
Linking of test questions, measures and controls
If you maintain knowledge bases yourself or manage user adaptations of the manufacturer's knowledge bases, you will often have asked yourself how to tell whether a test question, measure or control is already used elsewhere. To make this easy to see, the links of a test question, measure or control are now displayed in its title bar. Clicking on the link also shows a list of these links.


Extension of the configuration options for the management system
Under Administration > Management System you can set, per management system, which damage extent classification is used by default. This setting is at the bottom of the first configuration tab under "General settings":
