Determining the criticality of an organizational unit/en: Difference between revisions
Faha (Talk | Contributions) Page created: „=== Question 5: How long can you go without the data, in the event of a system failure and how much data loss on a time axis back to the future would be tolera…“
Faha (Talk | Contributions) Page created: „Lastly, you should also determine RPO / RTO / response times for the applications: *'''Recovery Time Objective (RTO)''' - How long can a business process/syste…“
Revision as of 27 September 2021, 08:58
The protection needs analysis reveals how critical an organizational unit actually is. Protection needs are defined as those IT risks that, seen from the perspective of the IT service recipient, jeopardize the business and the achievement of the company's goals.
To identify them, structured interviews are usually conducted with the business.
To conduct a protection needs assessment, an Expert or Professional must be able to interview a functional area manager and collect data on the following questions:
- What data do you process in your department?
- How do you classify this data?
- What business services (processes) do you need for daily business?
- How do you classify these business services?
- How long can you get along without the data in the event of a system failure, and how much data loss (measured back in time from the failure) would be tolerable?
- What processing does your department go through?
Protection needs analysis
Question 1: What data do you process in your department?
The types of data used in the organizational unit must be determined. These could be, for example, accounting data, customer data or personnel data. Responsible persons must be identified and recorded for this data. Usually the responsible persons are found within the department itself or in a superordinate unit. Sometimes, however, another department is named because the data is processed on its behalf.
Data types can be used by different organizational units. The data classification of the data types should be uniform throughout the company (e.g. Secret, Internal or Confidential). Only one responsible person can be defined per data type. Hierarchies among the data are also feasible. For example, the umbrella term financial data can be subdivided into cost accounting data, balance sheet data, accounting data, wage data, etc. The persons responsible for these subordinate data types can differ from the person responsible for the financial data, for example because the latter has delegated the responsibility.
Question 2: How do you classify this data?
The classification aims at the protection goals of the data:
- How do you classify this data in terms of its confidentiality? --> This yields the data class and, from it, the associated possible damage extent. Furthermore, possible damage scenarios should be recorded, with concrete damage figures (if possible) in EUR, or with the damage classified if it is not of a purely monetary nature (e.g. reputational damage).
- Capturing the sensitivity of the data during the interview is especially useful for personal data.
- The retention period for the data can also be determined here.
Question 3: What business services do you need for daily business operations?
- Business applications (ERP, DMS, financial accounting, etc.)
- Clinical administrative applications (patient administration, therapy planning, patient documentation, etc.)
- Medical systems with integration of medical devices
- Communication systems (mail, intranet, internet, Skype, telephony, fax etc.)
- Data storage services (file-share, collaboration platforms, cloud services, etc.)
- and what data is related to these applications (created, edited, viewed, ...)
Question 4: How do you classify these business services?
Here, the classification is done for the protection goals as they apply to systems:
- How do you classify a loss of integrity or authenticity?
- How do you classify a loss of availability with respect to the application:
  - a short-term intraday loss of availability during business hours (2-4 h)?
    - not workable | limited workable
    - risk class regarding risk impact (medium damage / worst case)
  - an all-day loss of availability of the application during business hours (8-24 h)?
    - not workable | limited workable
    - risk class regarding risk impact (medium damage / worst case)
  - a longer-term loss of availability of the application during business hours (>1 day; up to 2 days or more)?
    - not workable | limited workable
    - risk class regarding risk impact (medium damage / worst case)
  - etc.
Business services in particular are used by several departments. It is therefore necessary to evaluate which department places which requirements on the respective service. For each protection goal, the requirement of the department with the greatest risk potential is adopted for the service, and IT operations must be aligned with that requirement.
Services that are used by very many or all departments (even if they are only slightly critical for each individual department) are therefore considered more important, and are aligned accordingly, than services that are used by only one or a very small number of departments, even if those departments classify them as very critical. Another essential factor is how heavily the department's activity weighs on the operating result, particularly for a supporting department such as quality management or production management.
Question 5: How long can you go without the data in the event of a system failure, and how much data loss (measured back in time from the failure) would be tolerable?
Lastly, you should also determine RPO / RTO / response times for the applications:
- Recovery Time Objective (RTO) - How long can a business process/system be down? The RTO is the time that may elapse from the moment of damage until complete recovery of the business processes (recovery of: infrastructure - data - reprocessing of data - resumption of activities). This period can range from 0 minutes (systems must be available immediately) to several days (in individual cases, weeks).
- Recovery Point Objective (RPO) - How much data loss can be accepted? The RPO is the period that may lie between two data backups, i.e. how much data / how many transactions may be lost at most between the last backup and the system failure. If no data loss is acceptable, the RPO is 0 seconds.
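The rule in Question 4 (the department with the greatest risk potential sets the requirement for a shared service, and breadth of use raises a service's importance) and the RTO/RPO figures from Question 5 can be folded into one requirement per service. The following is an added example, not code from the wiki page or the product it describes: department names, service names, risk class names and all figures are constructed. Taking the highest risk class per protection goal is the page's own rule; taking the shortest RTO/RPO across departments, and the ranking tie-break order (availability class, then number of using departments, then shortest RTO), are assumptions made here.

```python
from dataclasses import dataclass, field

# Ordered risk classes for the damage extent; a higher index means a greater
# possible damage. The four class names are constructed for this example.
RISK_CLASSES = ["low", "medium", "high", "very high"]

# Protection goals the questionnaire classifies data and services against.
PROTECTION_GOALS = ("confidentiality", "integrity", "availability")


@dataclass
class DepartmentAssessment:
    """One department's interview answers for one business service."""
    department: str
    service: str
    risk_class: dict      # protection goal -> risk class name
    rto_hours: float      # tolerated downtime (Recovery Time Objective)
    rpo_hours: float      # tolerated data-loss window (Recovery Point Objective)


@dataclass
class ServiceRequirement:
    """The requirement IT operations must meet for one service."""
    service: str
    risk_class: dict = field(default_factory=dict)
    rto_hours: float = float("inf")
    rpo_hours: float = float("inf")
    departments: list = field(default_factory=list)


def aggregate(assessments):
    """Fold per-department answers into one requirement per service.

    Per protection goal the highest risk class of any using department wins
    (the rule stated in the text). For RTO/RPO the shortest tolerated window
    wins; that is the assumption made in this example.
    """
    result = {}
    for a in assessments:
        req = result.setdefault(a.service, ServiceRequirement(a.service))
        for goal in PROTECTION_GOALS:
            cls = a.risk_class.get(goal, RISK_CLASSES[0])
            if cls not in RISK_CLASSES:
                raise ValueError(f"unknown risk class {cls!r} for {a.service}")
            current = req.risk_class.setdefault(goal, RISK_CLASSES[0])
            if RISK_CLASSES.index(cls) > RISK_CLASSES.index(current):
                req.risk_class[goal] = cls
        req.rto_hours = min(req.rto_hours, a.rto_hours)
        req.rpo_hours = min(req.rpo_hours, a.rpo_hours)
        if a.department not in req.departments:
            req.departments.append(a.department)
    return result


def rank_services(requirements):
    """Order services by availability risk class, then by how many
    departments use them, then by the shortest RTO (assumed tie-break order).
    """
    def sort_key(req):
        return (RISK_CLASSES.index(req.risk_class["availability"]),
                len(req.departments),
                -req.rto_hours)
    return sorted(requirements.values(), key=sort_key, reverse=True)


# Constructed interview results: three services assessed by four departments.
SAMPLE_ASSESSMENTS = [
    DepartmentAssessment("Finance", "ERP",
                         {"confidentiality": "high", "integrity": "high",
                          "availability": "medium"}, rto_hours=24, rpo_hours=4),
    DepartmentAssessment("HR", "ERP",
                         {"confidentiality": "very high", "integrity": "medium",
                          "availability": "low"}, rto_hours=48, rpo_hours=24),
    DepartmentAssessment("HR", "Mail",
                         {"confidentiality": "medium", "integrity": "low",
                          "availability": "medium"}, rto_hours=8, rpo_hours=1),
    DepartmentAssessment("Finance", "Mail",
                         {"confidentiality": "medium", "integrity": "low",
                          "availability": "low"}, rto_hours=24, rpo_hours=8),
    DepartmentAssessment("Quality", "Mail",
                         {"confidentiality": "low", "integrity": "low",
                          "availability": "medium"}, rto_hours=4, rpo_hours=1),
    DepartmentAssessment("Production", "MES",
                         {"confidentiality": "low", "integrity": "high",
                          "availability": "very high"}, rto_hours=0, rpo_hours=0),
]


def report(assessments=SAMPLE_ASSESSMENTS):
    """Return the ranked service list as plain rows, ready to print or export."""
    ranked = rank_services(aggregate(assessments))
    return [(r.service, r.risk_class["availability"], len(r.departments),
             r.rto_hours, r.rpo_hours) for r in ranked]


if __name__ == "__main__":
    for row in report():
        print("service=%s availability=%s departments=%d RTO=%gh RPO=%gh" % row)
```

Note how Mail ends up ranked above ERP although both carry the same availability class: three departments depend on it and the quality department's 4-hour RTO becomes the operational target, which is exactly the "breadth of use" effect the text describes.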
Question 6: What processing operations does your department go through?
- What data is processed in them (personal data)?
- Which applications are used for this?
- Which other departments take part? On which other functional areas do they depend in their work (deliver to, receive from, bidirectional)?
Results of the protection needs analysis
- Dependencies between functional area – systems – data – processing activities
- Which data is processed in which applications
- Which data is exchanged over which communication systems; which data is stored where
- Ranking of data types by protection goals and risk classification
- Ranking of processing activities by protection goals and risk classifications
- Ranking of business IT services by protection goals and risk classification
- Ranking of medical administrative services by protection goals and risk classification
- Ranking of medical clinical services by protection goals and risk classification
- Ranking of communication services by protection goals and risk classification
- Ranking of data storage locations by protection goals and risk classification
- Key figures for backup and emergency planning
This information can subsequently be helpful to:
- carry out risk analyses in a targeted way, depending on protection goals / risk classifications
- create policies
- create training programs
- support emergency planning and business continuity management
Visualization of the protection needs analysis in the graph
A protection needs analysis has different states, like other assessments. Depending on the state, the protection needs analysis is displayed differently in the graph.
- While the assessment is "activated", the dependencies are drawn as thin lines with the default value 0 in the graph.
- Once the assessment is "completed", the lines are drawn according to the percentage weighting of the damage extent class in the risk policy.