Schutzbedarf/en: Difference between revisions
Isan (Talk | contributions) No edit summary |
Importing an edit from a new version of the source page |
||
Zeile 13: | Zeile 13: | ||
<span id="Schutzbedarfsanalyse_erstellen/bearbeiten"></span> | <span id="Schutzbedarfsanalyse_erstellen/bearbeiten"></span> | ||
== <span id="Create protection needs analysis"></span>Create/edit protection needs analysis == | == <span id="Create protection needs analysis"></span>Create/edit protection needs analysis == | ||
Create a new protection needs analysis to gather the protection needs requirements for one, some or all of an organizational unit's or process's resources and/or data categories with a defined set of participants. | |||
<b>Create:</b> | <b>Create:</b> |
Version as of 19 August 2025, 09:02
What is a protection needs analysis?
The protection needs analysis determines the protection needs for data or resources (IT systems, buildings, software, etc.) of organizational units or processes. The results of this analysis, the protection needs of the data and processes, can be examined in the structural analysis, for example, to identify risks and create measures and controls accordingly.

As can be seen in the figure above, professionals and experts can find protection needs analyses that have been created in the current management system under "Risk management → Protection needs". All protection needs analyses are displayed, regardless of whether they are completed, in progress or in draft status. Protection needs analyses can also be created or reassessed here, and workflow plans can be created.
You can download a report on one or more protection needs analyses as a PDF. This contains all marked protection needs analyses.
Create/edit protection needs analysis
Create a new protection needs analysis to gather the protection needs requirements for one, some or all of an organizational unit's or process's resources and/or data categories with a defined set of participants.
Create:
- Protection needs analyses can be created under "Risk Management → Protection needs" via the "Plus" button.
Edit:
- To edit a protection needs analysis, open the required protection needs analysis under "Risk management → Protection needs" by double-clicking on it.
- Completed protection needs analyses can be viewed, but no longer edited!
Header data of the protection needs analysis
The following section describes the mapping in more detail:

Select OrgUnit/Process:
- In a protection needs analysis, either organizational units or processes can be analyzed. What is to be analyzed is selected via the audit item.
- This selection can only be changed as long as no resources were assigned in step 2. To be able to change the selection, the assigned resources must first be removed in step 2.
- Note: If an organizational unit or a process already has a relationship to resources and/or data categories in the structural analysis, these are automatically proposed for addition in step 2 of the protection needs analysis. Any protection needs analyses already carried out are also considered here. In addition, the results of the previous analysis can be adopted with the click of a button. The results can also be adopted later for each resource/data category.
- Caution: Resources and data categories that already have an as yet open protection needs analysis in connection with the selected organizational unit or process are not automatically proposed and cannot be added manually either. To add them, any open protection needs analyses in the respective constellation must be closed first.
Audit:
- If this protection needs analysis is carried out in the course of an audit, you can relate the audit to the protection needs analysis here. If the protection needs analysis arises as a result of an audit, the fields lead auditor, interview partner, and start and end date of the audit are populated. Alternatively, the header data can be incorporated via the button on the right. (For more on audits, see Audit planning).
OrgUnit/Process:
- Depending on whether an OrgUnit or a process is analyzed, either the organizational unit or the process is selected here.
- This can no longer be changed after the first save!
Function:
- Only displayed if it has been activated under "Audit management → Settings".
- Functions allow you to optionally further define the context of a review.
- Functions can be created and managed under "Audit management → Functions".
Name:
- The name of the protection needs analysis is entered here.
Description:
- The purpose of the protection needs analysis should be described here.
Lead auditor:
- The main examiner responsible for the protection needs analysis is entered here. They select the resources and/or data that will be analyzed in the course of the protection needs analysis. They determine additional examiners as well as interview partners.
Co-auditors/Companion(s):
- These are individuals who are included as subject matter experts for the protection needs analysis.
Interview partners:
- Interviews about resources and data are conducted with these individuals during the course of a protection needs analysis. In the course of a self assessment, they are tasked with identifying potential damages (see type).
- The users are pre-filled with those set as responsible for the selected organizational unit or process.
Start and end date:
- The planned time span of the protection needs analysis is entered here.
Type:
- Interview: The protection needs analysis is conducted together with the interview partner. The interview partner themselves cannot change anything in the protection needs analysis, but has insight into the analysis.
- Self assessment: The interview partner is tasked with determining possible damage in the event of violations of protection targets. The auditor requests a response via the "Request response" button (if the protection needs analysis has been activated) and reviews it after it has been answered.
Workflow plans:
- This shows how many workflow plans the protection needs analysis is a part of, either actively or paused. Links can be newly set or deleted here, and existing links can be paused. Deactivated workflow plans are not offered for linking.
Created by workflow plan:
- If the protection needs analysis was created by a workflow, the respective workflow is shown here. You can navigate into the workflow with a simple click and take a look at its details.
Change log:
- Here, it is recorded at what time the protection needs analysis was edited, when the status changed, and when it was completed.
Status and deletion of a protection needs analysis
A protection needs analysis can have different status variations. If the e-mail notifications are active in the management system, all persons relevant in the workflow are prompted to perform their tasks when the status changes. This would be, for example, the interview partner when an auditor requests a response or the auditor themselves when the response is returned.
Draft
- When the protection needs analysis is saved for the first time or deactivated from the "In progress" status, it is in the "Draft" status. From here, the protection needs analysis can be activated, i.e. set to the "In progress" status.
In progress
- If the review is activated, it is set to the status "In progress". The lead auditor can now perform the protection needs analysis or request a response from the interview partner(s) via "Request response" (only for the type self assessment).
- It can be returned to the "Draft" status by selecting "Deactivate review".
- It can be moved to the "Closed" status by selecting "Close review".
Requested (only for self assessments)
- If the protection needs analysis is requested by the lead auditor, it is placed in the status "Requested". The interview partner(s) will now be prompted via e-mail to perform the protection needs analysis.
- It can be placed in the status "Answered" by selecting "Submit review".
Answered (only for self assessments)
- If the protection needs analysis is returned by the interview partner via "Submit review", it is set to the status "Answered". The auditors are now prompted via e-mail to check the response.
- It can be returned to the status "Requested" by selecting "Request response" again. The interview partner should then revise their response.
- It can be put back into the status "Draft" by selecting "Disable review". The auditors will be informed of this.
- It can be moved to the status "Closed" by selecting "Close review".
Closed
- If the protection needs analysis is set to the status "Closed" by selecting "Complete review", the protection needs analysis becomes read-only and it can no longer be edited. This sets and weights the links between the resources and/or data to the OrgUnit or process in the structural analysis.
Delete a protection needs analysis
- Use "Delete review" to delete protection needs analyses that are not yet completed. Completed protection needs analyses cannot be deleted!
Select resources and/or data for analysis
The second step is to select the resources and/or data that will be analyzed in the protection needs analysis.
To add linked resources or data categories and possibly adopt their previous results, the first button must be clicked. To add resources or data to the analysis, the second button must be clicked. A dialog opens where the resources or data to be analyzed can be selected.
The tab can be used to switch between resources and data.
Tip:
- Changes (creation/update/deletion) to resources and data categories lead to an automatic update of open protection needs analyses. This allows you to create or modify resources and data categories in a separate browser tab and then use them in the PNA right away, without having to reload it.



Analyze possible damages
The following figure shows the third step of the protection needs analysis (e.g., 2.1 or 2.2).

In this step, the resources and/or data are analyzed for possible damage that could occur if a protection target is violated. Violations are evaluated by the extent of damage. If there are results from earlier analyses, the justifications can be taken over with a double click into the respective line. The button in the top right corner allows you to adopt all results with one click.
The extents of damage selected here are used in the structural analysis to set connections between the OrgUnit or process and the assessed resource or data and to weight their protection targets. This makes it possible in the structural analysis to examine the organizational unit or the process for dependencies and to identify risks.
To evaluate all resources and data, it is necessary to switch between the added resources and data via the bar to the left or the "Next" button.
The protection targets to be evaluated are specified by the management system and can be configured by experts under "Administration → Management Systems → Used protection targets".
Extents of damage can be created and managed by experts under "Risk management → Risk policy → Extents of damage".
Reassess protection needs analysis

A protection needs analysis can be reassessed as long as there is no more recent PNA that evaluates at least one of the same resources or data categories for the OrgUnit/process.
There are different ways of creating a reassessment:
- Plus button: Create a new protection needs analysis for an organizational unit/a process for which there already exists a closed protection needs analysis. In this case the tool automatically proposes the evaluated resources and/or data categories for adoption in step 2. Any results can be adopted optionally.
- Revaluate button: Create a revaluation via the revaluate button in the overview of protection needs analyses. In this case the tool creates a new protection needs analysis on the basis of the previous one. Here, too, previous results can be adopted. The current date is used as the date; the start and end time are taken from the original protection needs analysis.
Adopt results:
- If activated, the results of the base protection needs analysis are adopted in the creation of the new one. These are the evaluations of the protection targets that were recorded.
Example: When should I create a new protection needs analysis, and when a reassessment? As a rule, the first protection needs analysis should be filled out together as an interview, so that everything can be discussed in detail and questions can be clarified. A joint interview appointment can also be a good idea when new people join the group of participants or when the linked resources and/or data categories change. In any case, a new protection needs analysis is created for this, even if previous results are adopted. Once this first hurdle has been cleared, regular (e.g. annual) reassessments of the same resources and/or data categories can simply be sent out as self assessments. In this case, the same people take part in the discussion and the same resources and/or data categories are discussed as before. In effect, it is only checked whether anything has changed in the protection needs in the meantime, e.g. over the past year. The new workflow plans support this.
Workflow plans
A click on the purple button above the overview of protection needs analyses opens a list of all created workflow plans.

Create/edit workflow plan
A new workflow plan can be created with the "plus" button.
An existing workflow plan can be copied with the "copy" button.
Existing workflow plans can be opened with a double click.

State:
- Workflow plans are active by default. They can be deactivated here.
Name:
- Enter the name of your workflow plan here.
Description:
- State the purpose of the workflow plan here.
Responsibles:
- The responsible user is informed via e-mail a week before the workflow triggers. Should there be any problems or conflicts at that time, they are described in the e-mail and can thus be rectified in time. The responsible user is also informed when the workflow does trigger about what was done and whether there were any problems or conflicts.
Inform management system responsible persons:
- If this checkmark is set, in addition to the user responsible for the workflow plan, the users responsible for the management system are also informed via e-mail about the upcoming and executed workflow.
Next execution:
- Determine when the workflow shall trigger the next time. At that point, new protection needs analyses on the basis of the linked protection needs analyses are created as self assessments and sent to the interview partner for answering.
Recurring workflow:
- If the workflow plan is to occur regularly, this can be configured here.
Executed workflows
This tab shows all past workflows of the plan, which have already been executed. It is displayed whether the workflow functioned as planned or failed and what any problems may have been.

Protection needs analyses
This tab shows all linked protection needs analyses. This comprises the protection needs analyses used as templates as well as the new protection needs analyses created from them. At this point, individual protection needs analyses can be paused or reactivated in the workflow plan. An instant reassessment can be triggered for an individual protection needs analysis right here. Paused protection needs analyses are suspended for one cycle, but are then active again. If there are problems or conflicts with a protection needs analysis, this is also displayed here.

Red warning triangles: If there is a conflict with another protection needs analysis in the same or a different management system, this is shown with a red warning triangle. Details of the conflict can be found in the tooltip, by hovering over the triangle with the mouse. In addition, there is a link to the conflicting protection needs analysis. Example: there is a protection needs analysis for the same resource/data category with a more recent start date.
Adopt results
- If activated, the results of the respective protection needs analysis are adopted when the reassessment is created. These are the evaluations of the protection targets that were recorded between the organizational unit or process and the linked resources and data categories.
- This checkmark can be set when adding the protection needs analysis to the workflow plan, or afterwards directly in the overview of linked protection needs analyses.
Workflow plan FAQs
What happens when the workflow plan is executed?
When the workflow plan is executed, reassessments are created for the linked protection needs analyses, and the respective interview partners are requested to respond. A reassessment evaluates the same resources and data categories for the same organizational unit or process as the original protection needs analysis.
When is no reassessment created and requested?
No reassessment is created and requested if any of the following conditions apply:
- The reassessment of the protection needs analysis is paused.
- The protection needs analysis is not completed.
- The protection needs analysis has no interview partner.
- There is already another protection needs analysis for the same organizational unit or process that:
  - is not yet completed, or
  - has already been completed but has a more recent start date and evaluates at least one of the same resources or data categories.
What happens to paused protection needs analyses?
If a protection needs analysis is paused, no reassessment will be created during the next execution. Instead, the analysis will be re-activated for the following execution cycle.
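The skip conditions and the pause behaviour from the FAQ above can be checked against exported data before a workflow plan runs. The following Python sketch is an added example, not code from the tool: the `PNA` record, its field names and the sample entries are hypothetical, and the simulation does not model the new reassessments that an execution itself creates.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class PNA:  # hypothetical record, not the tool's data model
    name: str
    target: str              # analyzed organizational unit or process
    items: frozenset         # evaluated resources / data categories
    start: date
    closed: bool             # True once the analysis is completed
    partners: tuple = ()     # interview partners
    paused: bool = False     # paused in the workflow plan

def skip_reasons(pna, all_pnas):
    """List the FAQ conditions that block a reassessment (empty = reassess)."""
    reasons = []
    if pna.paused:
        reasons.append("paused")
    if not pna.closed:
        reasons.append("not completed")
    if not pna.partners:
        reasons.append("no interview partner")
    for other in all_pnas:
        if other is pna or other.target != pna.target:
            continue
        if not other.closed:
            reasons.append(f"open analysis: {other.name}")
        elif other.start > pna.start and other.items & pna.items:
            reasons.append(f"newer analysis: {other.name}")
    return reasons

def execute_plan(linked, all_pnas):
    """One execution cycle: names that get a reassessment request."""
    due = [p.name for p in linked if not skip_reasons(p, all_pnas)]
    for p in linked:
        p.paused = False     # a pause only suspends a single cycle
    return due

# Constructed sample data
SAMPLE = [
    PNA("HR 2023", "HR", frozenset({"payroll-db", "personnel-files"}), date(2023, 3, 1), True, ("alice",)),
    PNA("HR 2024", "HR", frozenset({"payroll-db"}), date(2024, 3, 1), True, ("alice",)),
    PNA("Sales 2024", "Sales", frozenset({"crm"}), date(2024, 5, 1), True, ("bob",), paused=True),
    PNA("IT 2024", "IT", frozenset({"directory"}), date(2024, 6, 1), True),
    PNA("Finance 2023", "Finance", frozenset({"ledger"}), date(2023, 9, 1), True, ("carol",)),
    PNA("Finance draft", "Finance", frozenset({"invoices"}), date(2024, 9, 1), False, ("carol",)),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.name, "->", skip_reasons(p, SAMPLE) or "reassess")
    print("first cycle:", execute_plan(SAMPLE, SAMPLE))
    print("next cycle: ", execute_plan(SAMPLE, SAMPLE))
```

Note that an open analysis for the same organizational unit or process blocks the reassessment even when it evaluates different resources, while a completed one only blocks it when the start date is more recent and the evaluated items overlap.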
Tips, tricks & best practice

Relationships in the structural analysis generally lead to the highest protection need. These dependencies can be reduced with a protection needs analysis. One should therefore start with the analysis of those assets/resources/services that are most important to the organization and evaluate them regarding the requirements of the management system first.