Schutzbedarf/en: Difference between revisions
Sala (talk | contribs) Created page with „<b>Closed</b> * If the protection needs analysis is set to the "closed" status by "Complete review", the protection needs analysis becomes read-only and it can…“ |
Sala (talk | contribs) Created page with „<b>Delete a protection needs analysis</b>. * By "Delete review" you can delete protection needs analyses that are still <b>not</b> completed. Completed protect…“ |
||
Zeile 94: | Zeile 94: | ||
* If the protection needs analysis is set to the "closed" status by "Complete review", the protection needs analysis becomes read-only and it can no longer be edited. This sets and weights the links between the resources and/or data to the OrgEh or process in the structural analysis. | * If the protection needs analysis is set to the "closed" status by "Complete review", the protection needs analysis becomes read-only and it can no longer be edited. This sets and weights the links between the resources and/or data to the OrgEh or process in the structural analysis. | ||
<b> | <b>Delete a protection needs analysis</b>. | ||
* | * By "Delete review" you can delete protection needs analyses that are still <b>not</b> completed. Completed protection needs analyses cannot be deleted! | ||
=== <span id="Ressourcen"></span>Ressourcen und/oder Daten zur Analyse wählen === | === <span id="Ressourcen"></span>Ressourcen und/oder Daten zur Analyse wählen === |
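Review bot: the added heading line `<b>Delete a protection needs analysis</b>.` carries a stray period after the closing `</b>`, while the `<b>Closed</b>` heading quoted in the first edit summary has none; drop the period so the two headings match. The trailing context line also still shows the German section heading "Ressourcen und/oder Daten zur Analyse wählen" on the /en page, so that heading should be translated in a follow-up edit while keeping the `<span id="Ressourcen"></span>` anchor unchanged so existing links to it keep working.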
Revision as of 6 January 2021, 14:47
What is a protection needs assessment?
The protection needs analysis determines the protection needs for data or resources (IT systems, buildings, software, etc.) of organizational units or processes. The results of this analysis, the protection needs of the data and processes, can be examined in the structural analysis, for example, to identify risks and create measures and controls.

As can be seen in the figure above, professionals and experts can find protection needs analyses that have been created in the current management system under "Risk management → Protection requirements". All protection needs analyses are displayed, regardless of whether they are completed, in progress or in draft status. New protection needs analyses can also be created here.
You can download a report on one or more protection needs analyses as a PDF. This contains all marked protection needs analyses.
Create / edit protection needs analysis
Create:
- Protection needs analyses can be created under "Risk Management → Protection Needs" via the "Plus Button".
Edit:
- To edit a protection needs analysis, open it under "Risk management → Protection requirement" by double-clicking on it.
- Completed protection needs analyses can be viewed, but no longer edited!
Header data of the protection needs analysis
The following section describes the mapping in more detail:

Select OrgEh / Process:
- In a protection needs analysis, either organizational units or processes can be analyzed. What is to be analyzed is selected via the Audit item.
Audit:
- If this protection needs analysis is carried out in the course of an audit, you can relate the audit to the protection needs analysis here. If the protection needs analysis arises as a result of an audit, the fields Principal Auditor, Interviewee, and Start and End Date of Audit are populated. (For more on audits, see Audit management).
OrgEh / Process:
- Depending on whether an OrgEh or a process is analyzed, either the organizational unit or the process is selected here.
- This can no longer be changed after the first save!
Designation:
- Enter the name of the protection needs analysis here.
Description:
- The purpose of the protection needs assessment should be described here.
Principal investigator:
- The main examiner responsible for the protection needs analysis is entered here. He selects the resources and/or data that will be analyzed in the course of the protection needs analysis. He determines further examiners as well as interview partners.
Other reviewers:
- These are individuals who are included as subject matter experts for the protection needs assessment review.
Interviewers:
- Interviews about resources and data are conducted with these individuals during the course of a protection needs assessment. In the course of a self-assessment, they are tasked with identifying potential harm (see Type).
Start and end date:
- The planned time span of the protection needs analysis is entered here.
Type:
- Interview: The protection needs analysis is conducted together with the interviewee. The interviewee himself cannot change anything in the protection needs analysis, but has insight into the analysis.
- Self-assessment: the interviewee is tasked with determining possible damage in the event of violations of protection goals. The assessor requests a response via the "Request response" button (if the protection needs analysis has been activated) and reviews it after it has been answered.
Change log:
- This records when the protection needs analysis was processed, when its status changed and when it was completed.
Status and deletion of a protection needs analysis
A protection needs analysis can have different statuses. If email notifications are active in the management system, all persons relevant to the workflow are prompted to perform their tasks when the status changes. This would be, for example, the interviewee when an examiner requests a response, or the examiner himself when the response is returned.
Draft
- When the protection needs analysis is saved for the first time or deactivated from the "In Progress" status, it is in the "Draft" status. From here, the protection needs analysis can be activated, i.e. set to the "In Progress" status.
In progress
- If the review is activated, it will be set to "In Progress" status. Now it is time for the main reviewer to perform the protection needs analysis or to request a response from the interviewees by "Request response" (only for Self-Assessment type).
- It can be returned to "Draft" status by "Deactivate Review".
- It can be moved to "Closed" status by "Close Review".
Requested (only for Self-Assessment type)
- If the protection needs assessment is requested by the principal investigator, it is placed in the "requested" status. The interviewees will now be prompted to perform the Protection Needs Assessment via an email.
- It can be placed in "answered" status by "submit review".
Answered (only for Self-Assessment type)
- If the protection needs assessment is returned by the interviewee with "Submit Review", it is set to the status "Answered". The reviewers are now prompted by an email to check the response.
- It can be returned to "requested" status by "Request Response". The interviewee should then revise their response.
- It can be put back into "draft" status by "disable review". The reviewers will be informed of this.
- It can be moved to "closed" status by "close review".
Closed
- If the protection needs analysis is set to the "closed" status by "Complete review", the protection needs analysis becomes read-only and it can no longer be edited. This sets and weights the links between the resources and/or data to the OrgEh or process in the structural analysis.
Delete a protection needs analysis
- With "Delete review" you can delete protection needs analyses that are not yet completed. Completed protection needs analyses cannot be deleted!
Select resources and/or data for analysis
In the second step, the resources and/or data to be analyzed in the protection needs analysis are selected.
To add resources or data to the analysis, click the "Select resources/data" button. A dialog then opens in which the resources or data to be analyzed can be selected.
The tab can be used to switch between resources and data.

Analyze possible damage
The following figure shows the third step of the protection needs analysis.

In this step, the resources and/or data are analyzed for possible damage that can occur if a protection goal is violated. Violations are rated by extent of damage.
The extents of damage selected here set links in the structural analysis between the OrgEh or the process and the assessed resource or data, and weight their protection goals. This makes it possible in the structural analysis to examine the organizational unit or the process for dependencies and to identify threat situations.
To assess all resources and data, use the tab to switch between the added resources and data.
The protection goals to be assessed are specified by the management system and can be configured by experts under "Administration → Management systems → Protection goals used".
Extents of damage can be created and managed by experts under "Risk management → Risk policy → Extents of damage".