
Schwachstellen/en: Difference between revisions

From HITGuard User Guide
Faha (talk | contribs)
No edit summary
Faha (talk | contribs)
No edit summary
Line 146: Line 146:
=== <span id="Target maturity weighting"></span>Target maturity weighting===
=== <span id="Target maturity weighting"></span>Target maturity weighting===


What the target maturity level is and where it is set can be found under [[Special:MyLanguage/Management systems#Active analysis period | Management systems]].
What the target maturity level is and where it is set can be found under [[Special:MyLanguage/Managementsysteme#Aktiver Analysezeitraum | Management systems]].
Wherever deviations occur, there is an additional form of sorting: the target maturity weighting. This is possible, for example, under "Risk Management → Vulnerabilities → Deviations".
Wherever deviations occur, there is an additional form of sorting: the target maturity weighting. This is possible, for example, under "Risk Management → Vulnerabilities → Deviations".
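Review bot: the new link target switches the page part to the German base name (Managementsysteme) but also switches the anchor to the German section name (#Aktiver Analysezeitraum), while the visible label stays "Management systems". Special:MyLanguage resolves to the reader's language subpage of the base page, so the base page name is the right fix, but the anchor only works if that subpage exposes a section id with exactly that name; this English page gives its sections explicit English ids (see the `<span id="Target maturity weighting">` heading in the context lines), so confirm the English Managementsysteme subpage carries an anchor named "Aktiver Analysezeitraum", otherwise the link opens the page without jumping to the section.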



Revision as of 15 November 2021, 07:23

What is a review?

In HITGuard, a review is understood to be the recording of deviations from a target state. For example, a review can be an audit by an external auditor. The findings that the auditor may have handed over to you in the form of a report can be entered in HITGuard as a so-called "test result".

Review results can also arise from a check performed in HITGuard itself. This is done using knowledge databases in the "deviation analyses": the check is guided by structured questionnaires, with the help of which deviations from the desired target state are determined.

The target state is referred to as the target maturity level in HITGuard and can be set separately for each management system. Only experts or administrators can set and change the target maturity level under "Administration → Management Systems".

Reviews (deviation analyses / test results)

Under "Risk management → Vulnerabilities → Reviews | Test objects | Deviations | Need for clarification", professionals and experts can find all reviews that have been created in the management system. All reviews are displayed, regardless of whether they are completed, in progress, or in draft status. New reviews can also be created or requested here. Furthermore, the reviews can also be downloaded as PDF files.

Overview of the reviews


Create / edit review

Audit result:

  • An audit result means, for example, the findings that were handed out by the auditor in the course of an audit, possibly in the form of a report.
  • These findings can be entered via "Audit result +".

Deviation analysis:

  • Deviation analyses are questionnaire-based reviews built on knowledge databases (WDB) for specific topics. These questionnaires can be used, for example, to determine the degree of compliance with a standard. In addition to the questionnaire topics, other review results can be recorded.
  • If a translation of the WDB is available in the currently selected language (flag on the top right, next to the logout button), it will be applied.
  • To create a deviation analysis, click on the "Deviation Analysis +" button.

In terms of procedure, the only difference between the two review options is that an audit result cannot handle test objects based on knowledge databases.

To edit a review, double-click on it in the overview.

For more information on creating or editing a review, whether deviation analysis or review result, see Create/Edit Review.

The following section explains how the navigation in the review wizard works.

Review Wizard


The navigation in the wizard for performing checks works as follows:

  • Clicking on "Next" takes you to the next step or to the next test question.
  • Clicking on "Back" takes you to the previous step or to the previous test question.
  • Clicking in the navigation tree on the left side takes you to the desired location.
  • At the bottom left of the navigation mask, the test questions can be shown in the navigation tree via the "Test questions" checkbox.
  • If you show the test questions, you can also navigate to them via the tree.
  • "Save" and "Close" behave as expected.

Regardless of the type of review you perform (deviation analysis using a knowledge database, or recording review results), the processing steps in the Perform Review wizard are essentially the same:

  1. Create and save the review
  2. Add topics or test objects and activate the review
  3. Answer the test objects, or (for self-assessments) request an answer from the interview partner
  4. Check the responses or the identified deviations
  5. Complete the review

A review can be performed by an expert. Alternatively, the expert can request the answer to the review from an interview partner in HITGuard. Via workflow support, the interview partner receives a request, completes the response and returns it to the expert. The expert checks the results and can mark the review as completed and archive it. Deviations from the review can be handled at any time, even after the review has been completed.

Status and deletion of a review

A review can be in different statuses. If email notifications are active in the management system, all persons involved in the workflow are prompted to perform their tasks when the status changes: for example, the interviewee when a reviewer requests a response, or the reviewer when the interviewee returns the response.

The status of the review can be changed via the blue button in the upper right corner.


Draft

  • When the review is saved for the first time or deactivated from the "In Progress" status, it is in the "Draft" status.
  • "Draft" means that the review is not yet active and no one has been informed about the review by the system.
  • From this status, the review can be activated, i.e. set to the "In Progress" status.

In progress

  • If the review is activated, it will be set to "In Progress" status. As a result, the interview partner and reviewer will see it under "My Tasks."
  • Now it is time for the main reviewer to perform the review or request a response by "Request Response" from interview partners (only for Self-Assessment type).
  • It can be set back to "Draft" status by "Deactivate Review".
  • It can be set to "Closed" status by "Close Review".

Requested (only for Self-Assessment type)

  • If the main reviewer requests a response, the review is set to the "Requested" status. The interviewee is prompted by email to perform the review.
  • After conducting the review, the interviewee can set the status to "Answered" by clicking "Submit Review".

Answered (only for Self-Assessment type)

  • If the review is returned by the interviewee with "Submit Review", it will be set to the status "Answered". The reviewers will be prompted by an email to check the response.
  • It can be returned to the "Requested" status by "Request Response". The interviewee must revise their response.
  • It can be put back into "Draft" status by "Deactivate Review" (Only reviewers will be notified).
  • It can be moved to "Closed" status by "Close Review".

Closed

  • If the review is set to the "Closed" status by "Close review", it is read-only and it can no longer be edited.

Delete a review

  • With "Delete review" you can delete reviews that are not yet completed.
  • Attention: deleting a review also deletes the test objects created by it, as well as any deviations already assigned to risks!

Change review type (interview <=> self-assessment)

The type of review can be changed only in the "Draft" status.

If the wrong type was set and the review has already been activated, the review must first be reset to the "Draft" status with "Deactivate Review".
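The status rules above form a small state machine. The following is an added illustration, not HITGuard code: it encodes the listed statuses and buttons as a transition table and enforces the two constraints from this section (type change only in "Draft", deletion only while not completed). "Activate Review" is an assumed label for activating a draft; the other button names are those given on the page.

```python
from enum import Enum

class Status(Enum):
    DRAFT = "Draft"
    IN_PROGRESS = "In Progress"
    REQUESTED = "Requested"
    ANSWERED = "Answered"
    CLOSED = "Closed"

# (current status, button) -> next status, as listed in the status section.
# "Activate Review" is an assumed label; the other names are the page's buttons.
# "Closed" is read-only, so it has no outgoing transitions.
TRANSITIONS = {
    (Status.DRAFT, "Activate Review"): Status.IN_PROGRESS,
    (Status.IN_PROGRESS, "Deactivate Review"): Status.DRAFT,
    (Status.IN_PROGRESS, "Request Response"): Status.REQUESTED,
    (Status.IN_PROGRESS, "Close Review"): Status.CLOSED,
    (Status.REQUESTED, "Submit Review"): Status.ANSWERED,
    (Status.ANSWERED, "Request Response"): Status.REQUESTED,
    (Status.ANSWERED, "Deactivate Review"): Status.DRAFT,
    (Status.ANSWERED, "Close Review"): Status.CLOSED,
}
# Buttons that exist only for the self-assessment review type.
SELF_ASSESSMENT_ONLY = {"Request Response", "Submit Review"}

class Review:
    def __init__(self, self_assessment: bool):
        self.self_assessment = self_assessment
        self.status = Status.DRAFT  # a newly saved review starts as a draft

    def allowed(self, button: str) -> bool:
        if button in SELF_ASSESSMENT_ONLY and not self.self_assessment:
            return False
        return (self.status, button) in TRANSITIONS

    def press(self, button: str) -> Status:
        if not self.allowed(button):
            raise ValueError(f"{button!r} not available in status {self.status.value!r}")
        self.status = TRANSITIONS[(self.status, button)]
        return self.status

    def can_change_type(self) -> bool:
        # The review type (interview <=> self-assessment) can only be changed in "Draft".
        return self.status is Status.DRAFT

    def can_delete(self) -> bool:
        # "Delete review" is offered only for reviews that are not yet completed.
        return self.status is not Status.CLOSED
```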

Test objects

Under "Risk Management → Vulnerabilities → Reviews | Test objects | Deviations | Need for clarification", you will find all test objects that were created in the course of reviews in the current management system.

Overview of the test objects


Clicking on a test object opens the detailed view.

Edit test object


Here you can see how the test object was answered. Likewise, if several versions of the test object are available, you can view how the assessment of the test object has developed from one version to the next. Only the header data of a test object can be edited via this mask. This means that this mask cannot be used to answer a test object.

Initiate partial automatic re-evaluation

When measures are implemented, test objects may be proposed for partial automatic re-evaluation. This happens whenever the measure was either created in the course of a review for a test object or linked to a test object, the "after" value of the vulnerability reduction was set, and the measure is then implemented. Once a measure is implemented, the linked test objects are marked "Re-evaluation recommended".

To avoid having to perform a new check every time a measure is implemented, HITGuard offers the option of subjecting these marked test objects to a semi-automatic re-evaluation. This means that HITGuard automatically updates the deviation of the respective test questions of the test objects. In this process, the test questions that are affected by the implementation of measures are set to the "after" value of the vulnerability reduction.

Execution:

  1. Select test object.
  2. Click the orange arrow "Initiate partial automatic re-evaluation".
  3. Select the deviations to be updated.
  4. Click the orange arrow "Perform re-evaluation for selected deviations".

Partial automatic re-evaluation


Deviations

Under "Risk Management → Vulnerabilities → Reviews | Test objects | Deviations | Need for clarification", you will find all deviations that were identified while performing reviews.

Overview of deviations


The columns "Measure missing", "Target value missing", "Target value too low" can be used to find out against which deviations nothing or too little has been done. These deviations are tagged in the grid. If a deviation does not have a tag, this means that attempts are being made to correct the deviation.

Here you have the option to assign deviations that have not yet been assigned to a hazard layer.

Double-clicking on a deviation opens the check at the point where the deviation was detected. Here, measures and controls for the deviation can now be defined. For more information, see Answer review questions.

Target maturity weighting

What the target maturity level is and where it is set can be found under Management systems. Wherever deviations occur, there is an additional form of sorting: the target maturity weighting. This is possible, for example, under "Risk Management → Vulnerabilities → Deviations".

If activated, protection goals are sorted by the target maturity weighting. The greater the deviation from the target maturity level and the greater the weighting of the protection goal, the greater the target maturity weighting: target maturity weighting = degree of deviation * weighting of the protection goal.

Note: A response of "No" corresponds to maturity level 1, "Partially" corresponds to maturity level 3.

Examples for illustration (protection goal weighting: Mean (3)):

  • Maturity of deviation = 2, target maturity = 4 => degree of deviation = 2, target maturity weighting = 2 * 3 = 6.
  • Maturity of deviation = 4, target maturity = 4 => degree of deviation = 0, target maturity weighting = 0 * 3 = 0.

Apply target maturity weighting
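The formula and the answer-to-maturity note above, carried through as an added example (not HITGuard's own code): it maps answers to maturity levels, computes the weighting, and sorts a constructed list of deviations the way the weighted sort would. Treating a maturity above the target as a deviation of 0, and the protection goal weight of 5 in the sample, are assumptions of this example.

```python
# Maturity levels implied by questionnaire answers, per the note above.
ANSWER_MATURITY = {"No": 1, "Partially": 3}

def degree_of_deviation(maturity: int, target_maturity: int) -> int:
    """Distance below the target maturity level.

    The page shows the equal case giving 0; treating a maturity above the
    target as 0 as well is an assumption of this example.
    """
    return max(target_maturity - maturity, 0)

def target_maturity_weighting(maturity: int, target_maturity: int,
                              protection_goal_weight: int) -> int:
    # target maturity weighting = degree of deviation * protection goal weighting
    return degree_of_deviation(maturity, target_maturity) * protection_goal_weight

def maturity_from_answer(answer: str) -> int:
    # "No" -> 1, "Partially" -> 3 as stated on the page; other answers are
    # rejected rather than guessed.
    try:
        return ANSWER_MATURITY[answer]
    except KeyError:
        raise ValueError(f"no maturity level defined for answer {answer!r}") from None

def sort_by_target_maturity_weighting(deviations, target_maturity):
    """Order deviations as the weighted sort would: highest weighting first.

    Each deviation is a dict with "name", "answer" and "weight" (a constructed
    structure for this example, not HITGuard's data model).
    """
    def key(d):
        return target_maturity_weighting(
            maturity_from_answer(d["answer"]), target_maturity, d["weight"])
    return sorted(deviations, key=key, reverse=True)

# Constructed sample: three deviations against a target maturity of 4.
# Weight 3 is "Mean" from the page; weight 5 is an assumed higher value.
SAMPLE = [
    {"name": "Backup restore tested", "answer": "Partially", "weight": 3},  # (4-3)*3 = 3
    {"name": "MFA for admin accounts", "answer": "No", "weight": 3},        # (4-1)*3 = 9
    {"name": "Asset inventory complete", "answer": "Partially", "weight": 5},  # (4-3)*5 = 5
]
```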


Need for clarification

Under "Risk Management → Vulnerabilities → Reviews | Test objects | Deviations | Need for clarification" you will find all test questions / test results that were marked "Need for clarification" in the course of a review.

Overview of test questions requiring clarification / test results


This marking is useful in practice when, while answering a test question, you cannot yet determine how it should be answered, for example because you would need to consult another person or research the information. After a series of reviews, the system shows which questions still need to be researched. This is exactly what the "Need for clarification" view is for.

If you click on a test question/result, you will be redirected to it.

It is also possible to export a list of all test questions/results requiring clarification via the Export button (next to the search bar). This provides an easy-to-use list of the test questions that require clarification.