HITGuard Release Jänner 2021/en: Unterschied zwischen den Versionen

 == Integration of the online help== The online help has been integrated into HITGuard. You will now find the last item "Help" right after "Administration" in the dark gray menu bar. Under Help > Online Help you can access the detailed user manual for HITGuard

Under Help > First Steps you will also find an introduction to the navigation and interface of HITGuard. When the software is started for the first time, this appears automatically.

In addition, a step-by-step guide has been integrated into HITGuard. This will be successively expanded over the coming months. In the screens where this is already available, an "i" appears in the lower left corner of the software. A click on the "i" starts the step-by-step guide.

Previously, a Practitioner could only report progress on a measure when prompted to do so by the Expert/Professional. This reactive reporting is still possible. In addition, the practitioner (if configured to do so; see 5.2 Configuring proactive progress reporting) can now also proactively report the progress on a measure. To do this, the practitioner simply has to use the new "Report progress" button in the menu under My Tasks > Action Status and can then select the action for which he or she would like to report progress.

In the measure selection, the practitioner will find all open measures assigned to him/her as the responsible person or as the responsible team member or team leader.

When selecting a measure for which a requested progress note already exists for the Practitioner, it opens for processing. If no progress report has been requested yet, a new progress report is created. This must then be returned immediately. No report can be created for tasks for which a returned progress report currently exists that has not yet been accepted by the expert/professional. This task is listed in the selection, but cannot be selected and is marked with "answered".

In the course of reviewing a control, the reviewer can now also upload evidence. This can be useful, for example, if a reviewer wants to comment on evidence and return the revised document to the implementer for re-editing.

Experts/professionals can visually query compliance with various standards on the dashboard. This query has now been extended to include the option of restricting the display to the defined scope of the standard or norm.

Provided that you collect the protection targets RTO and RPO for your analyses and have activated the option "Display in graph" in the risk policy for this, a new feature is available to you.

Note that for the representation described below, you must also complete the collection of recovery time and backup interval (see 5.1 Collection of backup interval as well as recovery time for) on the resources.

If these requirements are met, you can visually evaluate whether the recorded requirements for Recovery Time Objective (RTO; max. reasonable recovery time) and Recovery Point Objective (RPO; max. reasonable data loss) are met by the actual recovery times or backup intervals of the systems.

In the structural analysis, the following selection appears in the analysis mode in the navigation area, which can be used to trigger an analysis for RTO or RPO fulfillment. To start the analysis, select one of the two options and click the "Apply" button:

In the graph, the requirements from the protection needs analyses are displayed on the edges between the organizational unit and resource at the application level. If the requirements for RTO are met or not met by the underlying path, e.g., recovery times, then the requirement is shown in green, otherwise in red.

The resources themselves show in a gray bubble each e.g. for the RTO fulfillment the "Net recovery time" with an "N" of the resource itself as well as the "Gross recovery time" with a "B" for the summed recovery time of the resource chain incl. the respective node.

The illustrated example shows the RTO fulfillment. The logic for RPO fulfillment is very similar, with the difference that the backup times for the entire resource chain are not summed up, but the highest recovery time of a resource in the chain is always shown here in the gross value.

If no times have been entered for a resource yet, a yellow configuration icon is displayed for the resource.

If no times are to be deliberately recorded for a resource, then a gray icon like the following is displayed:

Under Risk Management > Audit Management > Audit, the structuring of the individual tab sheets has been revised. To make them easier to find, the assigned audits have been placed on their own tab sheet.

Under Risk Management > Audit Management > Audit Programs you can create or edit an audit program. If you open an audit program here, you will find a new tab sheet, the "Appointment calendar":

This representation allows the different audits in the audit program to be displayed together in one calendar.

The report administration component has been revised/extended. More reports, variants and options are now available and the menu navigation through this selection has been improved.

The report options under Risk management > Reports > Audit management > Audit plan have been extended and now offer an option "Print compliance report for audit plan". This allows the individual audit result details from the reviews to be evaluated in the report for the respective audit.

The report options under Risk management > Reports > Hazard situations have been expanded and now offer an option "Include deviations". This allows the individual deviations from the checks - if any - to be printed in the report for the respective hazard situation.

In the following reports, the evaluation is now restricted to the scope of the standard or norm:

• Risk management > Reports > Conformity > By standards and norms.
• Risk management > Reports > Standards and norms > Statement of applicability
• Risk management > Reports > Standards and norms > Management summary

If this is not desired and the entire standard or norm is to be considered, then the option "Include non-applicable chapters in statistics" must be activated.

The two reports under Risk Management > Reports > Standards and norms have been extended to the effect that it is now possible to configure whether the statistics (donut diagrams) for the measure and control fulfillments are to be displayed or not. The option "Print statistics" is used for this purpose.

In addition, it is now possible to configure whether the measures and controls are to be printed in detail in the "Statement of Applicability" report. If this is not desired, the report chapters Measures and Controls will be omitted. For this purpose, the option "Print measure and control details" is used.

Note: Option "Use only lowest level chapters as calculation base for statistics" has been removed for both reports. The logic now always behaves as if the "Use only lowest level chapters as calculation base for statistics" option is active. This also applies to calling this report under Administration > Standards and Norms.

If you have not mapped a corresponding structural analysis of the resources used in HITGuard for a data protection impact assessment, or if you want to describe them additionally in text, or if you have a document in which the resources used are explained in detail, you can now also record this information in the DSFA in HITGuard.

The menu item Data Protection > Reports is new and offers a wide range of possible configurations of reports on processing activities, data protection impact assessments and categories of data subjects:

Unter Datenschutz > Berichte > Verarbeitungsregister > Eigene Verarbeitungstätigkeit kann nun ein Bericht generiert werden der wahlweise eine oder mehrere oder alle eigenen Verarbeitungstätigkeiten enthält. Dafür werden die Verarbeitungstätigkeiten in der letztgültigen Version mit dem Status „Bearbeitung abgeschlossen“ angeboten.

Unter Datenschutz > Berichte > Verarbeitungsregister > im Auftrag anderer kann nun ein Bericht generiert werden, der alle Verarbeitungstätigkeiten enthält, die entweder durch eine Organisationseinheit des eigenen Unternehmens oder für einen bestimmten externen Kunden erbracht werden. Dafür werden die Verarbeitungstätigkeiten in der letztgültigen Version mit dem Status „Bearbeitung abgeschlossen“ angeboten.

Unter Datenschutz > Berichte > Verarbeitungsregister > externe Auftragsverarbeiter kann nun ein Bericht generiert werden, der alle Verarbeitungstätigkeiten enthält, die durch externe Auftragsverarbeiter für das Unternehmen erbracht werden. Dafür werden die Verarbeitungstätigkeiten in der letztgültigen Version mit dem Status „Bearbeitung abgeschlossen“ angeboten.

Für Ressourcen können nun Wiederherstellzeit und Backup Intervall als Information zum aktuellen Stand der IST-Analyse abgebildet werden.

Die Wiederherstellzeit wird in Stunden für diese Ressource (unabhängig von den Wiederherstellzeiten benötigter Systeme) erfasst. Dabei kann dokumentiert werden, ob die Wiederherstellzeit z.B. durch einen SLA gesichert ist. Dazu können Kommentare erfasst und Dokumente abgelegt werden.

Auch das Backup Intervall wird in Stunden erfasst. Es ist aber auch möglich für eine Ressource zu kennzeichnen, dann ein Backup dafür nicht relevant ist.

Das proaktive Melden eines Fortschritts durch den Practitioner (zusätzlich zum reaktiven Melden nach Aufforderung durch den Expert) kann über die globalen Einstellungen (Administration > Globale Einstellungen | Optionale Maßnahmeneigenschaften) ein- bzw. ausgeblendet werden.

Unter Administration > Datenimport findet sich die Verwaltung der Importkonfigurationen. Hier können Konfigurationen zu einzelnen Importformaten verwaltet, gepflegt und ausgeführt werden. Nun gibt es auch die Möglichkeit Prozesse zu importieren.

Eine einmal erstellte Importkonfiguration kann immer wieder mit neuen Importdateien ausgeführt werden. Dabei werden auch Felder aktualisiert, wenn die Datensatz-ID vom Fremdsystem konstant verbleibt.

Eine Anleitung zur Durchführung von Datenimports finden Sie hier in unserer Dokumentation.