Managementsysteme/en: Unterschied zwischen den Versionen

Administrators and Experts can create, edit, and manage management systems via "Administration → Management systems". Experts can only edit the management systems for which they are responsible.

What is a management system?

A management system is a contentwise bundling of elements, meaning measures and progress reports, controls, determinations and gaps, audits and reviews, etc.

The elements are assigned to a team of responsible experts and professionals in terms of monitoring and workflow handling (e.g. information security management team or data protection team). Also, all elements managed in it are historized in terms of analysis periods and thus made comparable.

What purpose do management systems serve?

Management systems have two central functions:

1. They serve to assign measures, controls, risk identifications, etc. from selected departments to subject areas and to define responsible experts who, for example, supervise the progress of the measures.
   Example:
   • Information security management Reporting: Measures from the Information Security Management Audits are managed by Ms. XY
   • Qality management Reporting: Measures from the Quality Management Management Audits are handled by Mr. Mustermann.
     
2. They are used to assign the feedback from the progress evaluations of the various tasks to time periods and to analyze the corresponding key figures and trends.
   Example:
   • Mr. Mustermann collects progress data on ten departments every six months.
   • Ms. XY collects progress data of two divisions quarterly.

That means:

• Measures to deal with risks can be implemented by employees from different areas of responsibility. Experts from the individual management systems can continuously monitor the progress of the measure developments and report periodically over several analysis periods.

• In addition to the measures, controls can also be created for further risk monitoring to ensure the effectiveness and sustainability of implemented measures. Controls are assigned to the employees of the respective area of responsibility, which are reminded of the execution of the control at predefined intervals. The execution of these - if necessary with indication of evidence - is documented in a comprehensible manner.

Deleting a management system:

• The deletion of a management system can only be performed by the responsible expert.
• The deletion of management systems is only possible as long as no active analysis periods are included.

Licenses:

The overview shows how many licenses are currently available and how many are in use. This makes it possible to see at a glance whether one is underlicensed or still has licenses for additional management systems. More information about the licenses can be found under "Administration → Licensing".

A management system is configured in the master data. The settings made here affect the measures and reports to be created.

• Here, the name, the responsible person(s) and the team members for a management system are defined and entered. There can only be one responsible person per management system. Only professionals and experts can be responsible for a management system. Management systems can only be edited by the responsible person or the administrators once they have been created.

Evaluation schema Evaluation schemas are a way to evaluate reviews according to a different schema, like the target maturity schema.

Possible evaluation schemes are:

• Yes/No/Partial
• CMMI process model
• Grade system (1-4)

This option is not available for selection by default. To get this option for selection, contact our team.

If protection targets are activated here, they are activated by default in the risk policy of risk management. This in turn has an impact on risk assessments and analyses. These protection targets can then be used within the management system. Protection targets can be managed and created by experts under "Risk Management → Risk Policy". (See protection targets)

The standards and norms that are to be used in this management system can be configured here.

Standards that are not selected here are visible in existing mappings, but can no longer be selected or changed in this management system.

For example, if the standard " GDPR " is not selected, it cannot be selected for the evaluation of the compliance spider in the risk management dashboard according to " GDPR ".

The interval schema is used to define whether analysis periods should follow a predefined rhythm.
Analysis periods can be:

• Manually set: Here, the time restriction is defined manually with a from-to date. This is set individually for each period.
• Start date plus interval: Here, a year is divided into three analysis periods. For example, starting with 2/1 to 5/31/2021; 6/1 to 9/30/2021 and 10/1 to 1/31/2022.

The current setting for progress message reminders is displayed here. This setting ensures that an implementer of a task is reminded of its implementation via e-mail before the period expires.

This setting must be made directly in the database!

If you want to change this setting, please contact our team.

For these measures progress reports can be requested at any time.

If all progress messages have been accepted, the analysis period can then be carried over and the process starts again.

Analysis periods can be created in two different ways. (see Define interval scheme)

• The deletion of an analysis period can only be triggered by the responsible expert.
• The deletion of analysis periods is only supported as long as no progress messages have been created.
• Only the current period to analyze can be deleted at any one time; completed periods can no longer be deleted.

History

• The history lists the analysis periods which have already been completed with start, end and editorial deadline.

• In der Historie werden die Analysezeiträume, die schon abgeschlossen wurden, mit Beginn, Ende und Redaktionsschluss aufgelistet.

Hier kann festgelegt werden, ob und für welche Elemente bei der Erstellung automatisch ein Kürzel generiert werden soll. Die Zusammensetzung des Kürzels kann ebenfalls hier festgelegt werden. Die Einstellung wird beim Erstellen des Managementsystems aus den Globalen Einstellungen übernommen, kann hier jedoch jederzeit verändert und angepasst werden.

• Das allgemeine Präfix wird bei allen selektierten Elementen vorangestellt.
• In der ersten Spalten kann für alle Elemente, die mit einem automatischen Kürzel generiert werden sollen, ein Häkchen gesetzt werden.
• Präfix: eine Buchstaben-, Zahlen-, oder Sonderzeichenfolge, die das Element deutlich kennzeichnet (z.B. M für Maßnahme). Der Default-Eintrag kann verändert werden.
• OrgEh Kürzel: entscheidet, ob das Kürzel des Elements auch das Kürzel der Organisationseinheit enthalten soll. Bei Elementen, die keiner Organisationseinheit zugewiesen sind, ist diese Option deaktiviert (z.B. Gefährdungslagen oder Prozesse).
• OrgEh Suffix: ein Trennzeichen zwischen dem OrgEh Kürzel und der laufenden Nummer (z.B. _ oder -).
• Minimale Präzision: die Mindestzahl von Stellen der fortlaufenden Nummer. Es kann mindestens 1 und maximal 10 eingetragen werden. Bei einer Anzahl von 4 wären die resultierenden Nummern bspw. 0001, 0026 oder 0184.