Berichte für das Risikomanagement/en: Unterschied zwischen den Versionen

HITGuard offers the possibility of generating various risk management reports under "Risk management → Reports".

To create a report, first choose a type of report. Subsequently, choose which data to include in the report (e.g. hazard situations or audits). Most reports also have additional report options which allow further specification of the report's contents.

Languages:
Knowledge bases can be made available in different languages due to stored translations for used knowledge bases. For example, to generate a report with the English texts, the language must be changed using the flag icon at the top right of the screen, next to the logout button. This will load all content for the reports in the desired language, provided that a translation in that language is available for the knowledge base.

Download options:
The reports are available for download as PDF or DOCX files. Click the pink button to generate and download a report. Then, choose whether the report should be downloaded as a PDF or DOCX.

Additionally, there is the option to generate and archive the reports including revision information. In doing this, the report can be viewed, generated anew, or downloaded again by an expert under "Administration → Report archive". More information about this can be found under "Administration → Report archive".

Licenses:
If no valid license for HITGuard is available, this will be displayed in the footer of the report! To change this, an expert or administrator has to request/upload a license under "Administration → Licensing".

The following reports are offered in the risk management section of HITGuard:

In this report, details on hazard situations are presented. In addition, the hazard situations are positioned in a risk matrix according to their criticality.

The measures and controls to be taken or already taken can be displayed for the individual hazard situations. Furthermore, the development of the hazard situations over time can be displayed.

Users with the Compliance Manager role will also see measures and controls from all other management systems.

Risk report example of hazard situations without M/C incl. development over time

Risk report example of hazard situations incl. open M/C

Risk report example of hazard situations incl. all M/C

Risk report example responsible person(s) without suspended M/C

Risk report example structural elements without suspended M/C

Generate hazard situation report:

To generate a hazard situation report, you have to navigate to "Risk Management → Reports → Hazard situations". There you have several options to generate the report:

1. Hazard situations

   • You can generate a hazard situation report for one or more hazard situations.
   • However, you can only generate hazard situation reports in management systems to which you are assigned.

2. Responsible person(s) (Compliance Manager only)

   • You can generate a hazard situation report in which all hazard situations are listed for which a specific team or a responsible person is responsible.

3. Structural elements

   • You can list all the risk locations assigned to the selected structural elements.

After that, just click on the pink download button to generate the report.

Report options

With the report options, you can specify what status measures/controls have to be in in order to appear in the report.

Additionally, you can decide whether or not to show the development over time of the hazard situations in the report and whether or not to add the deviations linked with the respective hazard situations.

In this report, the results of either one or multiple protection needs analyses are displayed. Choices can be made regarding the summary of the results as well as their details. Additionally, it's possible to add an appendix with explanations for the basis of the assessment in the protection needs analysis.

Generate protection needs report:

To generate a protection needs analysis, you have to navigate to "Risk management → Reports → Protection needs". Then, choose which protection needs analysis to generate the report for and configure this via the report options.

To generate the report click on the pink download button.

Report options:

• Summary:

Selecting this option adds a summary of all results in the form of a crosstab to the report.

• Summary details:

In addition to the crosstab, the upper section of the summary includes a list of all interviews that form part of the crosstab's data source.

• Interview results:

In addition to the crosstab of an individual interview, the rationale for the assessments of the individual protection needs is added.

• Table of contents:

Decides whether the table of contents is printed or not.

• Appendix with explanations:

This report contains calculations of statistics, key figures or other content requiring explanation. An appendix with explanations is therefore generated by default. If this is not desired, this report option can be deactivated.

In this report, the results of either one or multiple gap analyses are displayed. When choosing the reviews, take note that they are limited by the chosen analysis period. An array of report options allow you to configure the reports to be displayed the way you need them.

Gap report example: reviews without proposals ZR 5

Gap report example: responsible with pProposals ZR 3

Gap report example: organizational unit all audit questions without proposals ZR 2

Create deviation report:

To generate a deviation report navigate to "Risk Management → Reports → Gap Analyses". There, you have several options to generate such a report:

1. Reviews

   • This report contains all information about the selected reviews.
   • The selection shows only reviews from the current management system in the selected analysis period (with the report options to the right).

2. Responsible(s) (only Compliance Manager)

   • This report contains all reviews the selected person(s) or team(s) is/are responsible for.

3. Organizational unit (only Compliance Manager)

   • This report contains all reviews that have been created for an organizational unit.
   • The selection shows only organizational units for which reviews exist in the current management system and within the selected analysis period.

It is possible to create a report for several analysis periods. To do this, you must go through each analysis period in which you want to have reviews available and select the reviews.

Caution: If you select a new analysis period, the reviews from the previous ones will no longer be displayed, but will remain selected.

After that, click on the respective pink download button to generate the gap report.

Report options

• Management system: (only Compliance Manager)

This option controls which management system the available reviews come from.

This allows for generating a report that spans multiple management systems.

• Analysis period:

This options controls what analysis period the available reviews come from.

• Target score:

This option shows, when a response to a question constitutes a gap. If the response is below the defined value, it is a gap.

The remaining options specify which information is added regarding the questions and what characteristics questions need to have in order to be printed in the report.

You can also choose to add the measures and controls linked with the review questions.

Various measures and control reports can be created here.

In this report, the measures and controls to be taken or those that have been taken are presented for a hazard situation.

Users with the role of "Compliance Manager" are also shown measures and controls from all other management systems.

Report options

• Analysis period

This option controls which analysis period the measures/controls included in the report come from.

• Measures

It is possible to configure in which status the measures must be in order to appear in the report.

• Controls

It is possible to configure in which status the controls must be in order to appear in the report.

The remaining options are used to configure the additional report contents, such as table of contents and attachments.

This report lists the linked measures for a selected standard.

Report options

• Management system (Compliance Manager only)

This option controls for which management system the report is generated.

• Analysis period

This option controls which analysis period the measuresincluded in the report come from.

• Measures

It is possible to configure in which status the measures must be in order to appear in the report.

• Include not applicable chapters in the statistics

This will add chapters marked as not applicable in the management system in the report.

The remaining options are used to configure the additional report contents such as table of contents and attachments.

This report lists the linked controls for a selected standard.

Report options

• Management system (Compliance Manager only)

This option controls for which management system the report is generated.

• Analysis period

This option controls which analysis period the controls included in the report come from.

• Controls

It is possible to configure in which status the controls must be in order to appear in the report.

• Include not applicable chapters in the statistics

This will add chapters marked as not applicable in the management system in the report.

• Analysezeitraum

Diese Option steuert, aus welchem Analysezeitraum die Kontrollen, die im Bericht berücksichtigt werden, kommen.

• Statistik

Durch diese Option wird für jede Kontrolldefinition die Durchführungsstatistik der Kontrollen angedruckt.

• Durchführungsprotokoll

Durch diese Option wird für jede Kontrolle das Durchführungsprotokoll angedruckt.

• ISAE Kontrollberichtsvorlage

Wenn diese Option selektiert ist, wird das ISAE Testprotokoll je Kontrolldefinition angedruckt. In diesem Fall wird eine Kontrolldefinition pro Seite gedruckt.

• Nicht anwendbare Kapitel in die Statistik aufnehmen

Dadurch werden Kapitel, die im Managementsystem mit nicht anwendbar markiert sind, im Bericht angeführt.

The remaining options are used to configure the additional report contents, such as table of contents and attachments.

This report lists the execution log of all controls in chronological order for the selected control definition(s).

Report options

• Statistik

Durch diese Option wird für jede Kontrolldefinition die Durchführungsstatistik der Kontrollen angedruckt.

• Durchführungsprotokoll

Durch diese Option wird für jede Kontrolle das Durchführungsprotokoll angedruckt.

The options are used to configure the additional report contents, such as table of contents and appendices.

Here, you can generate reports to show the conformity with a standard or norm as well as the results of gap analyses.

These reports show a distinct average score for each requirement or norm chapter. This average score is calculated as follows:

• For requirements:

All review questions are weighted equally. This means, if a requirement has 10 review questions, 5 of which are at score 3, 3 are at 4 and 2 are at 2, then the average score is: (5*3+3*4+2*2)/10 and comes out to 3.1.

• For standard/norm chapters:

A distinction is made between primary and secondary chapter levels.

• At the lower level, norm chapters map onto requirements. This means, that the average score for the requirements is calculated as shown above. In the next step, the averages of the requirements are summed up and divided by the number of requirements. Therefore, a chapter with 3 requirements that have a level of 2.5, 3.3 and 4.1, respectively, the average score is: (2.5+3.3+4.1)/3 and comes out to 3.3.
• At the upper level, chapters map onto secondary chapters as well as requirements, potentially. The average score of the primary chapter stems from the sum of the averages of its direct secondary chapters and the sum of the mapped requirements. This means, if a primary chapter has 2 secondary chapters with a level of 4 each and 3 chapters with 2, 3 and 4, respectively, then the average score for the primary chapter is: (4+4+2+3+4)/5 and comes out to 3.4.

The purpose of this report is to graphically illustrate the fulfillment of the prerequisites based on individual reviews. The fulfillment of the prerequisite points is presented visually in the form of spider diagrams, pie charts or tachometers.

Create report of conformity by reviews:

1. Reviews:

   • You can generate a conformity report from one or more reviews.

2. Responsible: (only Compliance Manager)

   • You can generate a compliance report for one responsible person or team, where all reviews assigned to this responsible person or team are analyzed.

3. Organizational units: (only Compliance Manager)

   • You can generate a compliance report for an organizational unit, where all reviews assigned in this organizational unit are analyzed.

Conformity report example: by reviews

Conformity report example: responsible person

Report options

• Management system: (only Compliance Manager)

This option controls which management system the available reviews come from.

This allows for generating a report that spans multiple management systems.

• Analysis period:

This options controls what analysis period the available reviews come from.

This allows for generating a report that spans multiple analysis periods. If you change the analysis period, the previous reviews are not displayed but remain selected. They are only displayed within their respective analysis period.

• Target score level:

This option shows, when a response to a question constitutes a gap. If the response is below the defined value, it is a gap.

The remaining options specify which information is added regarding the questions and what characteristics questions need to have in order to be printed in the report.

The remaining options allow for further configurations, such as which review questions to add, whether or not to include only completed reviews (relevant for commpliance managers when choosing the responsible person/organizational unit), how the table of content is to be structured and whether the audit title should be displayed (if available).

The purpose of this report is to graphically illustrate the fulfillment of the prerequisites in each requirement area of the standard. The fulfillment of the prerequisite items will be visually represented in the form of spider diagrams, pie charts, or tachometers. After selecting a standard, a list of applicable knowledge bases and their various versions will appear. From this, choose all knowledge bases and versions thereof which are to be part of the report's data basis.

For display purposes, questions answered Yes, No, or Partially are converted to scores. "No" corresponds to score 1, "Partial" corresponds to score 3, and "Yes" corresponds to score 5.

Create conformity report by standard:

First, the desired norm or standard must be selected for which a conformity report is to be generated. Then you have to select which knowledge bases should be considered for the report.

The selected knowledge databases form the basis for the evaluations in the report. Only knowledge databases that have a mapping to the selected standard and at least one review object (of a gap analysis) has this mapping are displayed. If a test object exists in several versions, only the one with the highest version is considered. If a restriction is also made to an OrgEh, the highest version of the review object that is linked to the OrgEh is used.

Report options

• Management system: (only Compliance Manager)

This option controls which management system the available reviews come from.

This allows for generating a report that spans multiple management systems.

• Analysis period:

This option controls for which analysis period the conformity report should be created. This ensures that only test objects up to and including the selected analysis period are taken into account. Test objects from more recent analysis periods (newly created or re-evaluated) will not be included in the report.

• Target score:

This option shows, when a response to a question constitutes a gap. If the response is below the defined value, it is a gap.

• Questions:

These options specify which information is added regarding the questions and what characteristics questions need to have in order to be printed in the report.

• Organizational unit:

This options allows for limiting the conformity report to the selected organizational unit and those below it in the hierarchy.This means that only review objects that are linked to the selected OrgEh in are relevant for the evaluation in the report.

• Evaluation:

This options sets the type of evaluation displayed.

• Not applicable chapters:

This option allows you to exclude those chapters that have been marked as "not applicable" for the management system from the report.

Here, you can create reports about standards and norms.

The chapter applicability for the reports is calculated as follows:

Scenario 1:

• Chapter 1 - without measures
  • Chapter 1.1 - with a measure
  • Chapter 1.2 - with a measure

The applicability of chapter 1 is 100%, because all chapters below have assigned measures.

Scenario 2:

• Chapter 1 - with a measure
  • Chapter 1.1 - without measures
  • Chapter 1.2 - without measures

The applicability of chapter 1 is 100%. As the measure is assigned to the super-chapter, it also counts towards the sub-chapters.

Scenario 3:

• Chapter 1 - without measures
  • Chapter 1.1 - with a measure
  • Chapter 1.2 - without measures

The applicability of chapter 1 is 50%, because only half of its sub-chapters have measures assigned to them.

This report shows which chapters of the standard are "applicable" or "not applicable" in the management system. It also includes the justification for each chapter's applicability and the measures and controls associated with the chapters.

• Donut charts show the number and status of assigned measures & controls. The total number of chapters in the evaluation corresponds to the number of chapters at the lowest level. If a measure or control has been assigned to a chapter, it is also assigned to all its sub-chapters. Thus, if a super-chapter has assigned a measure or control, it behaves in the same way as if all sub-chapters had assigned that measure or control.
• In the donut diagrams, the scope of the standard is taken into account. If this has been restricted, chapters marked as not applicable are not taken into account. This can be cancelled by activating the option Include not applicable chapters in the statistics.

The data basis can thereby be restricted to an earlier analysis period. In this case, only measures and controls that already existed in the selected analysis period are taken into account.

With the option "Include mapped standard chapters", the database can be extended to mapped standard chapters. This means that if standard S1 has a chapter C that is mapped to standard S2 chapter C (S1.C => S2.C) and a report is generated from standard S1, the report will also include actions and controls that are mapped to standard S2 chapter C. This behavior also applies to chapters mapped from S2.C.

Measures:

• Green = Completed measures
• Orange = Suspended measures
• Blue = Open measures

Measures for chapters:

• Red = Chapter without measures
• Blue = Chapter with open measures
• Green = Chapter with completed measures

Controls to chapters:

• Orange = Suspended controls to chapters
• Green = Active controls to chapters
• Red = Chapters without controls

Create Statement of applicability (SOA)

To generate an SOA, choose a standard/norm and configure the SOA via the report options. Click on the pink download button to generate the report.

Report options

• Management system: (only Compliance Manager)

This option controls which management system the available reviews come from.

This allows for generating a report that spans multiple management systems.

• Analysis period:

This options controls what analysis period the available measures and controls come from.

The remaining options specify which information is added to the report. For example, "Show statistic" controls whether the donut diagrams are displayed.

This report provides a management overview of the measures and controls assigned to a standard/norm.

• Donut charts show the number and status of assigned measures & controls. The total number of chapters in the evaluation corresponds to the number of chapters at the lowest level. If a measure or control has been assigned to a chapter, it is also assigned to all its sub-chapters. Thus, if a super-chapter has assigned a measure or control, it behaves in the same way as if all sub-chapters had assigned that measure or control.
• A bar chart shows the number of measures & controls by main chapters. The number is the sum of the measures or controls assigned to the main chapter and each sub-chapter below it. A measure or control assigned several times is only counted once per main chapter.
• The report takes into account the scope of the standard. If the scope is limited, chapters marked as not applicable are not taken into account. This can be cancelled by activating the option Include not applicable chapters in the statistics.

The data basis can thereby be restricted to an earlier analysis period. In this case, only measures and controls that already existed in the selected analysis period are taken into account.

Management Summary example report

Create management summary

To generate a management summary, choose a standard/norm and configure the management summary via the report options. Click on the pink download button to generate the report.

Report options

• Management system: (only Compliance Manager)

This option controls which management system the available reviews come from.

This allows for generating a report that spans multiple management systems.

• Analysis period:

This options controls what analysis period the available measures and controls come from.

The remaining options specify which information is added to the report. For example, "Statistic" controls whether the donut diagrams are displayed.

Here, you can create reports for RTO and RPO fulfillment. Find more information about RTO and RPO under "Risk management → Structural analysis".

This report shows whether or not the requirements derived from the various protection needs analyses (PNAs) for the resources can be met in terms of the maximum justifiable recovery time in each case.

The report can be generated without restriction to a resource. Then it is shown how well the requirements derived from all PNAs are met for all involved resources with regard to the maximum justifiable recovery time.

If the report is restricted to a resource (e.g., a specific hardware component), only resources that require this resource (e.g., specific applications and databases) to be able to work functionally are included in the evaluation. Only PNAs that define requirements for these resources are then considered.

Create RTO-Fulfillment report

To generate a RTO fulfillment report, first choose the resource for which the RTO fulfillment is to be analyzed and configure the report via the options.

Then, click the pink download button to generate the report.

Report options

This report contains calculations of statistics, key figures or other content requiring explanation. An appendix with explanations is therefore generated by default. If this is not desired, this report option can be deactivated.

It can also be decided whether fulfilled or not fulfilled requirements should appear in the report or not.

It is also possible to configure how much information about the relevant resources is printed in the report.

This report shows whether the requirements derived from the various protection needs assessments (PNAs) for the resources in terms of maximum acceptable data loss can be met in each case or not.

The report can be generated without restriction to a resource. Then it is shown how well the requirements derived from all PNAs are met for all involved resources with regard to the maximum acceptable data loss.

If the report is restricted to one resource (e.g., a specific hardware component), only resources that require this resource (e.g., specific applications and databases) to be able to work functionally are included in the evaluation. Only PNAs that define requirements for these resources are then considered.

Create RPO-Fulfillment report

To generate an RPO-Fulfillment report, first select the resource for which RPO-Fulfillment is to be analyzed and configure the report using the report options.

Then, click the pink download button to generate the report.

Report options

This report contains calculations of statistics, key figures or other content requiring explanation. An appendix with explanations is therefore generated by default. If this is not desired, this report option can be deactivated.

It can also be decided whether fulfilled or not fulfilled requirements should appear in the report or not.

It is also possible to configure how much information about the relevant resources is printed in the report.