Risk management reports/en: Difference between revisions
Isan (talk | contribs) Created page with "Then, click the pink download button to generate the report."
Adopting edit of a new version of the source page
| Zeile 10: | Zeile 10: | ||
Knowledge bases can be made available in different languages due to stored translations for used knowledge bases. For example, to generate a report with the English texts, the language must be changed using the flag icon at the top right of the screen, next to the logout button. This will load all content for the reports in the desired language, provided that a translation in that language is available for the knowledge base. | Knowledge bases can be made available in different languages due to stored translations for used knowledge bases. For example, to generate a report with the English texts, the language must be changed using the flag icon at the top right of the screen, next to the logout button. This will load all content for the reports in the desired language, provided that a translation in that language is available for the knowledge base. | ||
<div class="mw-translate-fuzzy"> | |||
<b>Report formats:</b><br/> | <b>Report formats:</b><br/> | ||
Reports are available for download as PDF or DOCX files. To generate and download the report, click the pink button. Then choose either PDF or Word. | Reports are available for download as PDF or DOCX files. To generate and download the report, click the pink button. Then choose either PDF or Word. | ||
</div> | |||
<b>Licenses:</b></br> | <b>Licenses:</b></br> | ||
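Review bot: the "Report formats" paragraph is now wrapped in `<div class="mw-translate-fuzzy">`, yet its English text is identical on both sides of the diff, so the translation is flagged as outdated without having been revised. Check the paragraph against the updated source page and remove the wrapper once the wording is confirmed. Separately, the unchanged "Licenses:" line ends with `</br>` where the "Report formats:" line uses `<br/>`; using `<br/>` in both places would keep the markup consistent.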
Version as of 12 May 2022, 11:29
HITGuard offers the possibility of generating various risk management reports under "Risk management → Reports".

To create a report, first choose a type of report. Subsequently, choose which data to include in the report (e.g. hazard situations or audits). Most reports also have additional report options which allow further specification of the report's contents.
Languages:
Knowledge bases can be made available in different languages due to stored translations for used knowledge bases. For example, to generate a report with the English texts, the language must be changed using the flag icon at the top right of the screen, next to the logout button. This will load all content for the reports in the desired language, provided that a translation in that language is available for the knowledge base.
Report formats:
Reports are available for download as PDF or DOCX files. To generate and download the report, click the pink button. Then choose either PDF or Word.
Licenses:
If no valid license for HITGuard is available, this will be displayed in the footer of the report! To change this, an expert or administrator has to request/upload a license under "Administration → Licensing".
The following reports are offered in the risk management section of HITGuard:
Hazard Situation Report
In this report, details on hazard situations are presented. In addition, the hazard situations are positioned in a risk matrix according to their criticality.
The measures and controls to be taken or already taken can be displayed for the individual hazard situations. Furthermore, the development of the hazard situations over time can be displayed.
Users with the Compliance Manager role will also see measures and controls from all other management systems.
Risk report example of hazard situations without M/C incl. development over time
Risk report example of hazard situations incl. open M/C
Risk report example of hazard situations incl. all M/C
Risk report example responsible person(s) without suspended M/C
Risk report example structural elements without suspended M/C
Generate hazard situation report:
To generate a hazard situation report, you have to navigate to "Risk Management → Reports → Hazard situations". There you have several options to generate the report:
- Hazard situations
- You can generate a hazard situation report for one or more hazard situations.
- However, you can only generate hazard situation reports in management systems to which you are assigned.
- Responsible person(s) (Compliance Manager only)
- You can generate a hazard situation report in which all hazard situations are listed for which a specific team or a responsible person is responsible.
- Structural elements
- You can list all the risk locations assigned to the selected structural elements.
After that, just click on the pink download button to generate the report.
Report options
With the report options, you can specify which status measures/controls must have in order to appear in the report.
Additionally, you can decide whether or not to show the development over time of the hazard situations in the report and whether or not to add the deviations linked with the respective hazard situations.

Protection needs
In this report, the results of either one or multiple protection needs analyses are displayed. Choices can be made regarding the summary of the results as well as their details. Additionally, it's possible to add an appendix with explanations for the basis of the assessment in the protection needs analysis.
Generate protection needs report:
To generate a protection needs analysis, you have to navigate to "Risk management → Reports → Protection needs". Then, choose which protection needs analysis to generate the report for and configure this via the report options.
To generate the report, click on the pink download button.
Report options:
- Summary:
- Selecting this option adds a summary of all results in the form of a crosstab to the report.
- Summary details:
- In addition to the crosstab, the upper section of the summary includes a list of all interviews that form part of the crosstab's data source.
- Interview results:
- In addition to the crosstab of an individual interview, the rationale for the assessments of the individual protection needs is added.
- Appendix with explanations:
- This report contains calculations of statistics, key figures or other content requiring explanation. An appendix with explanations is therefore generated by default. If this is not desired, this report option can be deactivated.

Gap report
In this report, the results of either one or multiple gap analyses are displayed. When choosing the reviews, take note that they are limited by the chosen analysis period. An array of report options allow you to configure the reports to be displayed the way you need them.
Gap report example: reviews without proposals ZR 5
Gap report example: responsible with proposals ZR 3
Gap report example: organizational unit all audit questions without proposals ZR 2
Create deviation report:
To generate a deviation report, navigate to "Risk Management → Reports → Gap Analyses". There, you have several options to generate such a report:
- Reviews:
- You can select and analyze multiple reviews.
- You can create gap reports on reviews only in management systems to which you are assigned.
- When selected, only reviews of the current management system in the selected analysis period will be displayed.
- Responsible person(s): (Compliance Manager only)
- You can analyze all reviews for which a team or person is responsible.
- Organizational unit: (Compliance Manager only)
- You can analyze all reviews created within an organizational unit.
- When selected, only organizational units for which reviews exist in the current management system and in the selected analysis period are displayed.
It is possible to create a report for several analysis periods. To do this, you must go through each analysis period in which you want to have reviews available and select the reviews.
Caution: If you select a new analysis period, the reviews from the previous ones will no longer be displayed, but will remain selected.
After that, click on the respective pink download button to generate the gap report.
Report options
- Management system: (only Compliance Manager)
- This option controls which management system the available reviews come from.
- This allows for generating a report that spans multiple management systems.
- Analysis period:
- This option controls which analysis period the available reviews come from.
- Target maturity level:
- This option shows when a response to a question constitutes a gap. If the response is below the defined value, it is a gap.
The remaining options specify which information is added regarding the questions and what characteristics questions need to have in order to be printed in the report.
You can also choose to add the measures and controls linked with the review questions.

Measure and control reports
To create an action or control report, you must be a compliance manager.
In this report, the measures and controls to be taken or that have been taken are presented for each risk. It is also possible to generate reports on the status of the measures and controls mapped to a standard or to create a report for management. In this report, you receive a summary of the measures and controls mapped to a standard.
Measures and control report example
Measures report for a standard
Management Summary example report
Prepare measure and control report:

To generate a measures and controls report, navigate to "Risk Management → Reports → Measures and Controls". There, you will find several options to generate the report:
- Risks
- You can generate a measures and controls report from a single risk.
- However, you can only generate risk reports in management systems where you are assigned.
- You have the option to include or exclude measures or controls through the reporting options.
- Standards/Norm
- You can generate a measure, control or summary management report on a standard or norm. These reports display all measures and controls mapped to a standard.
Then click on the respective pink download button to generate the measures and control report.
Conformity report
Here, you can generate reports to show the conformity with a standard or norm as well as the results of gap analyses.
These reports show a distinct average maturity level for each requirement or norm chapter. This average maturity level is calculated as follows:
- For requirements:
  - All review questions are weighted equally. For example, if a requirement has 10 review questions, 5 of which are at maturity level 3, 3 at level 4 and 2 at level 2, the average maturity level is (5*3+3*4+2*2)/10 = 3.1.
- For standard/norm chapters:
  - A distinction is made between primary and secondary chapter levels.
  - At the lower level, norm chapters map onto requirements. The average maturity level of each requirement is calculated as shown above. In the next step, the averages of the requirements are summed up and divided by the number of requirements. For a chapter with 3 requirements that have a level of 2.5, 3.3 and 4.1, respectively, the average maturity level is (2.5+3.3+4.1)/3 = 3.3.
  - At the upper level, chapters map onto secondary chapters and, potentially, requirements. The average maturity level of the primary chapter stems from the sum of the averages of its direct secondary chapters and the sum of the mapped requirements. If a primary chapter has 2 secondary chapters with a level of 4 each and 3 chapters with 2, 3 and 4, respectively, the average maturity level for the primary chapter is (4+4+2+3+4)/5 = 3.4.

Conformity report by reviews
The purpose of this report is to graphically illustrate the fulfillment of the prerequisites based on individual reviews. The fulfillment of the prerequisite points is presented visually in the form of spider diagrams, pie charts or tachometers.
Create report of conformity by reviews:
- Reviews:
- You can generate a conformity report from one or more reviews.
- Responsible: (only Compliance Manager)
- You can generate a compliance report for one responsible person or team, where all reviews assigned to this responsible person or team are analyzed.
- Organizational units: (only Compliance Manager)
- You can generate a compliance report for an organizational unit, where all reviews assigned in this organizational unit are analyzed.
Conformity report example: by reviews
Conformity report example: responsible person
Report options
- Management system: (only Compliance Manager)
- This option controls which management system the available reviews come from.
- This allows for generating a report that spans multiple management systems.
- Analysis period:
- This option controls which analysis period the available reviews come from.
- This allows for generating a report that spans multiple analysis periods. If you change the analysis period, the previous reviews are not displayed but remain selected. They are only displayed within their respective analysis period.
- Target maturity level:
- This option shows when a response to a question constitutes a gap. If the response is below the defined value, it is a gap.
The remaining options specify which information is added regarding the questions and what characteristics questions need to have in order to be printed in the report.
The remaining options allow for further configurations, such as which review questions to add, whether or not to include only completed reviews (relevant for compliance managers when choosing the responsible person/organizational unit), how the table of contents is to be structured and whether the audit title should be displayed (if available).

Conformity report by standards
The purpose of this report is to graphically illustrate the fulfillment of the prerequisites in each requirement area of the standard. The fulfillment of the prerequisite items will be visually represented in the form of spider diagrams, pie charts, or tachometers.
For display purposes, questions answered Yes, No, or Partially are converted to maturity levels. "No" corresponds to maturity level 1, "Partial" corresponds to maturity level 3, and "Yes" corresponds to maturity level 5.
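The averaging rules from the "Conformity report" section, combined with the Yes/No/Partial conversion above and the target maturity level option, can be worked through in code. This is an added example, not HITGuard's own implementation; the dictionary layout (`chapters`, `requirements`) and all function names are assumptions made for illustration, and the sample data is constructed to reproduce the page's three figures.

```python
from statistics import fmean

# Conversion the page states for Yes/No/Partial answers.
ANSWER_LEVEL = {"No": 1, "Partial": 3, "Yes": 5}


def to_level(answer):
    """Map a Yes/No/Partial answer to its maturity level; pass numbers through."""
    if isinstance(answer, str):
        return ANSWER_LEVEL[answer]
    return answer


def requirement_average(answers):
    """Every review question of a requirement carries the same weight."""
    if not answers:
        # The page does not say how unanswered requirements are treated.
        raise ValueError("requirement has no answered review questions")
    return fmean(to_level(a) for a in answers)


def chapter_average(chapter):
    """Unweighted mean over direct sub-chapter and direct requirement averages."""
    values = [chapter_average(sub) for sub in chapter.get("chapters", [])]
    values += [requirement_average(r) for r in chapter.get("requirements", [])]
    if not values:
        raise ValueError("chapter has neither sub-chapters nor requirements")
    return fmean(values)


def gaps(answers, target_level):
    """Return the responses that fall below the target maturity level."""
    return [a for a in answers if to_level(a) < target_level]


# Constructed sample data reproducing the page's worked figures.
REQUIREMENT = [3] * 5 + [4] * 3 + [2] * 2  # ten questions -> 3.1
SECONDARY = {  # requirement averages 2.5, 3.3 and 4.1 -> 3.3
    "requirements": [[2, 3], [3] * 7 + [4] * 3, [4] * 9 + [5]],
}
PRIMARY = {  # two secondary chapters at 4, plus items at 2, 3 and 4 -> 3.4
    "chapters": [{"requirements": [[4]]}, {"requirements": [[4]]}],
    # The three remaining items are modelled as mapped requirements (assumption).
    "requirements": [[2], [3], [4]],
}

if __name__ == "__main__":
    print(round(requirement_average(REQUIREMENT), 1))
    print(round(chapter_average(SECONDARY), 1))
    print(round(chapter_average(PRIMARY), 1))
    print(gaps(["No", "Partial", "Yes"], target_level=3))
```

Because a primary chapter averages its direct children without weighting, a secondary chapter backed by a single review question counts as much as one backed by dozens, which is worth keeping in mind when reading the charts.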
Create conformity report by standard:
First, choose the norm or standard you wish to generate the report for. Then, configure the report options. Finally, click the pink download button to generate the report.
Report options
- Management system: (only Compliance Manager)
- This option controls which management system the available reviews come from.
- This allows for generating a report that spans multiple management systems.
- Analysis period:
- This option controls which analysis period the available reviews come from.
- This allows for generating a report that spans multiple analysis periods. If you change the analysis period, the previous reviews are not displayed but remain selected. They are only displayed within their respective analysis period.
- Target maturity level:
- This option shows when a response to a question constitutes a gap. If the response is below the defined value, it is a gap.
The remaining options specify which information is added regarding the questions and what characteristics questions need to have in order to be printed in the report.
- Organizational unit:
- This option allows for limiting the conformity report to the selected organizational unit and those below it in the hierarchy.
- Evaluation:
- This option sets the type of evaluation displayed.
- Not applicable chapters:
- This option allows you to exclude those chapters that have been marked as "not applicable" for the management system from the report.

Standards and norms
Here, you can create reports about standards and norms.

The chapter applicability for the reports is calculated as follows:
- Scenario 1:
  - Chapter 1 - without measures
    - Chapter 1.1 - with a measure
    - Chapter 1.2 - with a measure
  - The applicability of chapter 1 is 100%, because all chapters below have assigned measures.
- Scenario 2:
  - Chapter 1 - with a measure
    - Chapter 1.1 - without measures
    - Chapter 1.2 - without measures
  - The applicability of chapter 1 is 100%. As the measure is assigned to the super-chapter, it also counts towards the sub-chapters.
- Scenario 3:
  - Chapter 1 - without measures
    - Chapter 1.1 - with a measure
    - Chapter 1.2 - without measures
  - The applicability of chapter 1 is 50%, because only half of its sub-chapters have measures assigned to them.
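The three scenarios above follow from one rule: a measure on a chapter also counts for every chapter beneath it, and the percentage is taken over the lowest-level chapters. The following added example (not HITGuard's code) implements that rule. The dictionary layout, the function names and the extension to trees deeper than two levels are assumptions; the page only shows two levels.

```python
def leaf_coverage(chapter, inherited=False):
    """Return (covered, total) counts of lowest-level chapters in a subtree.

    A lowest-level chapter is covered when it, or any chapter above it,
    has at least one measure assigned.
    """
    covered_here = inherited or bool(chapter.get("measures"))
    subs = chapter.get("chapters", [])
    if not subs:
        return (1 if covered_here else 0, 1)
    covered = total = 0
    for sub in subs:
        sub_covered, sub_total = leaf_coverage(sub, covered_here)
        covered += sub_covered
        total += sub_total
    return covered, total


def applicability(chapter):
    """Percentage of lowest-level chapters that have a measure, own or inherited."""
    covered, total = leaf_coverage(chapter)
    return 100.0 * covered / total


# Constructed sample data: the page's three scenarios ("M-1" is a placeholder id).
SCENARIO_1 = {"name": "1", "chapters": [
    {"name": "1.1", "measures": ["M-1"]},
    {"name": "1.2", "measures": ["M-1"]},
]}
SCENARIO_2 = {"name": "1", "measures": ["M-1"], "chapters": [
    {"name": "1.1"},
    {"name": "1.2"},
]}
SCENARIO_3 = {"name": "1", "chapters": [
    {"name": "1.1", "measures": ["M-1"]},
    {"name": "1.2"},
]}

# Beyond the page: a three-level tree. 1.1 passes its measure down to both
# of its sub-chapters; under 1.2 only 1.2.1 has one, so 3 of 4 are covered.
DEEP = {"name": "1", "chapters": [
    {"name": "1.1", "measures": ["M-1"], "chapters": [
        {"name": "1.1.1"},
        {"name": "1.1.2"},
    ]},
    {"name": "1.2", "chapters": [
        {"name": "1.2.1", "measures": ["M-1"]},
        {"name": "1.2.2"},
    ]},
]}

if __name__ == "__main__":
    for label, tree in [("Scenario 1", SCENARIO_1), ("Scenario 2", SCENARIO_2),
                        ("Scenario 3", SCENARIO_3), ("Deep tree", DEEP)]:
        print(label, applicability(tree))
```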
Statement of Applicability (SOA)
This report shows which chapters of the standard are "applicable" or "not applicable" in the management system. It also includes the justification for each chapter's applicability and the measures and controls associated with the chapters.
- Donut charts show the number and status of assigned measures & controls. The total number of chapters in the evaluation corresponds to the number of chapters at the lowest level. If a measure or control has been assigned to a chapter, it is also assigned to all its sub-chapters. Thus, if a super-chapter has assigned a measure or control, it behaves in the same way as if all sub-chapters had assigned that measure or control.
- In the donut diagrams, the scope of the standard is taken into account. If this has been restricted, chapters marked as not applicable are not taken into account. This can be cancelled by activating the option Include not applicable chapters in the statistics.
The data basis can thereby be restricted to an earlier analysis period. In this case, only measures and controls that already existed in the selected analysis period are taken into account.
Measures:
- Green = Completed measures
- Orange = Suspended measures
- Blue = Open measures
Measures for chapters:
- Red = Chapter without measures
- Blue = Chapter with open measures
- Green = Chapter with completed measures
Controls to chapters:
- Orange = Suspended controls to chapters
- Green = Active controls to chapters
- Red = Chapters without controls
Create Statement of applicability (SOA)
To generate an SOA, choose a standard/norm and configure the SOA via the report options. Click on the pink download button to generate the report.
Report options
- Management system: (only Compliance Manager)
- This option controls which management system the available reviews come from.
- This allows for generating a report that spans multiple management systems.
- Analysis period:
- This option controls which analysis period the available measures and controls come from.
The remaining options specify which information is added to the report. For example, "Statistic" controls whether the donut diagrams are displayed.

Management Summary
This report provides a management overview of the measures and controls assigned to a standard/norm.
- Donut charts show the number and status of assigned measures & controls. The total number of chapters in the evaluation corresponds to the number of chapters at the lowest level. If a measure or control has been assigned to a chapter, it is also assigned to all its sub-chapters. Thus, if a super-chapter has assigned a measure or control, it behaves in the same way as if all sub-chapters had assigned that measure or control.
- A bar chart shows the number of measures & controls by main chapters. The number is the sum of the measures or controls assigned to the main chapter and each sub-chapter below it. A measure or control assigned several times is only counted once per main chapter.
- The report takes into account the scope of the standard. If the scope is limited, chapters marked as not applicable are not taken into account. This can be cancelled by activating the option Include not applicable chapters in the statistics.
The data basis can thereby be restricted to an earlier analysis period. In this case, only measures and controls that already existed in the selected analysis period are taken into account.
Management Summary example report
Create management summary
To generate a management summary, choose a standard/norm and configure the management summary via the report options. Click on the pink download button to generate the report.
Report options
- Management system: (only Compliance Manager)
- This option controls which management system the available reviews come from.
- This allows for generating a report that spans multiple management systems.
- Analysis period:
- This option controls which analysis period the available measures and controls come from.
The remaining options specify which information is added to the report. For example, "Statistic" controls whether the donut diagrams are displayed.

Structural analysis
Here, you can create reports for RTO and RPO fulfillment. Find more information about RTO and RPO under "Risk management → Structural analysis".

RTO Fulfillment
This report shows whether or not the requirements derived from the various protection needs analyses (PNAs) for the resources can be met in terms of the maximum justifiable recovery time in each case. The report can be generated without restriction to a resource. Then it is shown how well the requirements derived from all PNAs are met for all involved resources with regard to the maximum justifiable recovery time. If the report is restricted to a resource (e.g., a specific hardware component), only resources that require this resource (e.g., specific applications and databases) to be able to work functionally are included in the evaluation. Only PNAs that define requirements for these resources are then considered.
Create RTO fulfillment report
To generate an RTO fulfillment report, first choose the resource for which the RTO fulfillment is to be analyzed and configure the report via the options.
Then, click the pink download button to generate the report.
Report options
This report contains calculations of statistics, key figures or other content requiring explanation. An appendix with explanations is therefore generated by default. If this is not desired, this report option can be deactivated.
You can also decide whether or not fulfilled or unfulfilled requirements should appear in the report.
In addition, you can configure how much information about the relevant resources is printed in the report.

RPO Fulfillment
This report shows whether or not the requirements for the resources derived from the various protection needs analyses can be met in terms of the maximum justifiable data loss in each case. The fulfillment can be evaluated either for a specific resource (select the resource in the dropdown) or for the entire structure (no specific resource selected in the dropdown).
Create RPO fulfillment report
To generate an RPO fulfillment report, first choose the resource for which the RPO fulfillment is to be analyzed and configure the report via the report options.
Then, click the pink download button to generate the report.
Report options
This report contains calculations of statistics, key figures or other content requiring explanation. An appendix with explanations is therefore generated by default. If this is not desired, this report option can be deactivated.
You can also decide whether or not fulfilled or unfulfilled requirements should appear in the report.
In addition, you can configure how much information about the relevant resources is printed in the report.
