
Risikobewertung/en: Difference between revisions

From HITGuard User Guide
Isan (talk | contribs)
No edit summary
Isan (talk | contribs)
No edit summary
Zeile 28: Zeile 28:
The assessment/review of hazard situations can be delegated to the registered advisor (see workflow button). They will then find the hazard situation under their tasks to assess/review.
The assessment/review of hazard situations can be delegated to the registered advisor (see workflow button). They will then find the hazard situation under their tasks to assess/review.


<div class="mw-translate-fuzzy">
Within the hazard situation itself:
Within the hazard situation itself:
* the key data are displayed.
* the key data are displayed.
Zeile 34: Zeile 33:
* the measures/controls assigned to the deviations are listed.
* the measures/controls assigned to the deviations are listed.
* the measures/controls that are manually assigned to the hazard situation are listed.
* the measures/controls that are manually assigned to the hazard situation are listed.
</div>


<div class="mw-translate-fuzzy">
<div class="mw-translate-fuzzy">
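Review bot: the English text is identical on both sides of both hunks; the only visible difference is the `<div class="mw-translate-fuzzy">` wrapper and its closing `</div>`, so this revision changes the translation-status markup rather than the content. Both revisions carry "No edit summary"; a one-line summary such as "remove fuzzy translation markers" would make that intent visible in the page history.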

Revision as of 11 May 2022, 11:31

In this overview, all hazard situations from the different management systems are displayed. It is also possible to display only the hazard situations of the current management system. Furthermore, hazard situations can be set to private, so that they are only displayed in the management system in which they were created.

If you click on a hazard situation, you can edit or view it. You can then see which deviations, measures or controls are assigned to this hazard situation.

Caution:

  • A hazard situation that is not "private" can be assessed separately for each management system that uses a different extent-of-damage classification. That is, an assessment applies only to the management systems that use the same extent-of-damage classification.
Hazards
Risk Indicator


Hazard situation

A hazard situation can be a collection of deviations that form a concrete danger for the linked entities.

Deviations occur in the course of a review. This is the case, for example, when review questions of review objects are answered "negatively" or below the target maturity level. Subsequently, the deviations can be assigned to hazard situations.

The review objects containing the review questions can also be associated with entities (resources, data categories, processes and/or organizational units). This association creates a specific hazard situation for the affected entities, which is visible in the structural analysis.

Hazard situations can also be recorded freely.

Freely recorded hazard situations normally have no linked deviations, but such deviations can be assigned to them. Freely entered hazard situations can, for example, be a list of risks that was already maintained before HITGuard was implemented, e.g. with Excel. Such lists can be imported using the Data importer.

Hazard situations can then be assessed by selecting a probability of occurrence and an extent of damage. This results in the risk score, according to which the hazard situation is displayed in the risk management dashboard, for example. The assessment is made per extent-of-damage classification. This means: if a hazard situation was assessed in one management system with the classification "Standard", it can be assessed differently in another management system with the classification "Privacy" (as long as it is not marked as "Private").

The assessment/review of hazard situations can be delegated to the registered advisor (see workflow button). They will then find the hazard situation under their tasks to assess/review.

Within the hazard situation itself:

  • the key data are displayed.
  • all deviations assigned to the hazard situation are displayed.
  • the measures/controls assigned to the deviations are listed.
  • the measures/controls that are manually assigned to the hazard situation are listed.

Furthermore, every change in the hazard situation/risk assessment is logged. This documentation can be found in the menu item "Development over time".

Important: For hazard situations created before the HITGuard release of October 2020, these changes should be documented retrospectively. More on this can be found under Time evolution.

Hazard situation menu navigation


Record / edit hazard situation

Form for recording / editing hazard situations


Abbreviation:

  • In the abbreviation, enter the abbreviated title of the hazard situation.

Status:

  • Active: The hazard situation still exists.
  • Closed: The hazardous situation has been resolved.
  • Accepted: You are aware of the hazard situation but will not remediate it at this time for various reasons.
  • Changes here are logged (Time evolution).

Private:

  • If you set the hazard situation to private, it will only be displayed in the management system in which it was created. Otherwise, it is visible in every management system and can be assessed for every extent-of-damage classification.
  • However, measures, controls and deviations are only visible in the management systems in which they were created, regardless of whether the hazard situation was marked as private.

Workflow Button:

  • Request review
    Clerks use this to request a review/reassessment of the hazard situation. Advisors find requested reviews under their tasks in "My Tasks → Hazard Situation".
  • Accept review
    When the advisor returns the review, it can be accepted here. If the review is not satisfactory, it can be requested again.

Designation and description:

  • In the designation, enter the name of the hazard situation.
  • In the description, describe/explain the hazard situation.

Notes:

  • Here you can explain how the assessment of the hazard situation was arrived at.

Probability of occurrence:

Extent of damage:

  • Here you enter how large the potential damage caused by the hazard situation can be.
  • Only damage extents of the classification of the current management system are available.
  • Changes here are logged (Time evolution).

Responsibility and Advisors:

  • The person in charge is the primary contact for the hazard situation.
  • The advisors are responsible for risk handling. If a review of the hazard situation is requested, the advisors are responsible for the review.

Assigned protection goals and weightings:

  • Here you can record which protection goals are affected to what extent when the hazard situation occurs.
    Example:
    Hazard situation: Break-in in the server room.

    Protection goal   Weighting   Explanation
    Confidentiality   4           Break-in to steal a hard disk
    Availability      4           The burglar could destroy something
    Integrity         3           He could also change something in the system

Norm mapping:

  • If the hazard situation deals with one or more norm chapters they should be entered here.

Affected structural elements:

  • All structural elements that are related to the hazard situation via its deviations are listed here.
  • By opening the drop-down menu, structural elements can be linked to the hazard situation. It can also be seen here from which review object the automatically set links originate.
  • Example:
    The hazard situation "Temperature problems in server rooms", for example, is linked to the structural element "Server room" via a deviation found when reviewing the server rooms.

ID in third-party systems:

Using this ID, the hazard situation can be updated by importing a hazard situation with the same ID. This field should only be set manually if the hazard situation actually originates from a third-party system but was already created manually before an import, and is to be updated by imports in the future.

Assigned deviations

This tab lists all deviations assigned to the hazard situation. Normally they result from the deviation handling of a review, but existing deviations can also be assigned to the hazard situation here.

Target maturity weighting:

  • If enabled, the protection goals are sorted by the target maturity weighting. The greater the deviation from the target maturity level and the greater the weighting of the protection goal, the greater the target maturity weighting. More about the target maturity weighting can be found here.

Caution: Only deviations of the current management system are displayed. Just because the hazard situation in this management system has no deviations does not mean that none exist.

Assigned deviations


Display of deviations:

  • Black: Deviations assigned to this hazard situation that have not yet been remediated.
  • Green: Deviations assigned to this hazard situation that have been remediated or that have reached at least the target maturity level.
  • Gray: Historical deviations. These were identified in previous reviews and assigned to the hazard situation; the review objects of those reviews have since been reassessed.
  • Moved to hazard situation xx: The deviation was originally assigned to the hazard situation currently displayed; it has since been reassigned to another hazard situation, xx.

Assign deviations

Click on "Assign deviations" to open a screen for assigning deviations.

Form for assigning deviations


Measures / controls

In the respective tab, all measures/controls are listed that are assigned to the hazard situation. The measures/controls either come directly from the link to a deviation, are selected from the available ones (blue button) or are created here specifically for the hazard situation.

If the measures/controls come from a deviation, the link to the hazard situation cannot be broken.

If a deviation is gray, this can have two causes:

  1. The test object has been re-evaluated and the deviation has been found to be corrected.
  2. The deviation has been assigned to another hazard situation.

Caution: Only measures/controls of the current management system are displayed. Just because the hazard situation has no measures/controls in this management system does not mean that it has no measures/controls in other management systems.

Create Measure
Create control

Assigned measures


Form for assigning controls


Time evolution

For each change in the probability of occurrence, extent of damage and/or status, the person making the change must enter the reason and date of the change in the change log. Only once this has been entered can the change be made. An entry then appears in the time evolution of the hazard situation. Changes to the extent-of-damage assessment only appear in the management systems that use the same extent-of-damage classification.

Important: Time developments can also be entered manually. To do this, click on the "Plus" button in the overview.
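As an added example (not HITGuard code), the following Python model encodes two rules described on this page: an assessment belongs to an extent-of-damage classification and is shared by every management system that uses that classification unless the situation is private, and no change to probability, extent of damage or status is made until a reason has been logged. The management system names, their classification mapping and the risk-score formula (probability times extent) are assumptions of this example.

```python
from dataclasses import dataclass, field

# Constructed sample: the extent-of-damage classification each management
# system uses (names made up for this example, not taken from HITGuard).
CLASSIFICATION_OF = {"ISMS": "Standard", "QMS": "Standard", "DSMS": "Privacy"}


@dataclass
class ChangeEntry:
    field_name: str
    old: object
    new: object
    reason: str
    when: str  # ISO date, e.g. "2022-05-11"


@dataclass
class HazardSituation:
    name: str
    created_in: str         # management system that recorded it
    private: bool = False
    status: str = "Active"  # Active / Closed / Accepted
    # classification -> (probability, extent); shared by systems using it
    assessments: dict = field(default_factory=dict)
    change_log: list = field(default_factory=list)

    def visible_in(self, management_system: str) -> bool:
        """A private situation is shown only where it was created."""
        return not self.private or management_system == self.created_in

    def _log(self, field_name, old, new, reason, when):
        if not reason.strip():  # refused until a justification is entered
            raise ValueError("a reason is required before the change is made")
        self.change_log.append(ChangeEntry(field_name, old, new, reason, when))

    def assess(self, management_system, probability, extent, reason, when):
        """Assess under the classification of the given management system."""
        if not self.visible_in(management_system):
            raise PermissionError(f"{self.name} is private to {self.created_in}")
        cls = CLASSIFICATION_OF[management_system]
        self._log(f"assessment[{cls}]", self.assessments.get(cls),
                  (probability, extent), reason, when)
        self.assessments[cls] = (probability, extent)

    def set_status(self, new_status, reason, when):
        self._log("status", self.status, new_status, reason, when)
        self.status = new_status

    def risk_score(self, management_system):
        """Assumed formula probability x extent; the page does not state one."""
        p, e = self.assessments[CLASSIFICATION_OF[management_system]]
        return p * e
```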

Development over time


Entries in this overview can be edited by double-clicking on the respective entry.

Adjust justification


Create change entry manually