Structural analysis

There are several views in the structural analysis to avoid confronting the user with an oversized and confusing graph. Therefore, there are the following four views:

• Organization view

The organization view focuses on the organizational structure of the company/group/association. From this perspective, the aim is to find answers to questions such as "On which systems is the organizational unit most dependent in terms of availability?", "How great is the risk in terms of confidentiality for the organizational unit across all systems?" (classically the results of business impact analyses), "What types of data are processed in the organizational unit?

• Resource View

The resource view represents the technology landscape, which depicts IT systems, medical devices, building security, etc. Risk analysis is also performed via this representation. Here, deviations in the risk assessment in the technical as well as organizational area become recognizable and from this, measures for the elimination of the deviations are to be planned.

• Data View

The data view shows in which organizational units which data is processed, who the data owners are and how the data is classified (data classes or distinction between personal and non-personal data). Furthermore, the representation shows through which resources the data runs and in which processes it is processed.

• Process View

The process view reveals which processes exist, what data they process, what resources are associated with them, and how much an organizational unit depends on a process and vice versa.

The organizational structure is described in Organizational Units.

A company consists of organizational units that participate in the individual processing steps, which in turn take place in one or more organizational units. The creation and processing of data in these organizational units during the individual process steps is predominantly IT-supported using IT systems.

Assumption: The more critical the organizational unit, the greater the potential damage, the greater the requirements for availability, confidentiality, and integrity of data or systems.

Therefore, the following information must be collected in any case:

• Modeling of the organizational structure (Organizational Units).
• Survey of the business impact of the business IT services on the daily work of the business unit (Determine criticality of an organizational unit)

The view of the IT systems, which can be divided into several categories, shows many interdependencies exist. Furthermore, not all components of the system may be designed to be equally secure. The dependencies between systems designed with different levels of security mean that the systems influence each other. These interactions are to be raised over a risk evaluation and can be represented in the structural analysis in form of a graph. You can find more about this under Resources.

Example:

A hospital information system (HIS) has an interface into SAP. SAP is dependent on the HIS to a certain extent with regard to the protection goal of availability (not 100%, but e.g. 30%) because without the patient master data, which it receives from the HIS several times a day via the interface and which is entered in the HIS when a patient is admitted, it cannot perform billing for this patient. The HIS, on the other hand, is independent of the SAP. However, the HIS requires a database server to be functional. It is 100% dependent on this server.

Datei:Example resource view.PNG

The data view shows the structure under the managed data categories. The creation and structuring of data categories is described in the Data Categories chapter.

If this view is linked to the process view, it is easy to see which data is processed in which processes.

In the process view you can see all processes with their hierarchy. The creation and structuring of processes is described in chapter Processes.

The following figure shows the configuration area of the structural analysis on the right:

• You can switch between the "Design mode" and the "Analysis mode" by clicking on the switch button. This button always shows the currently active mode.

• Double-clicking on a view changes it to the main view. The underlined view is always the main view. All entities are always displayed from the main view!

• In the individual views you can select which elements should be displayed in the current context.

• In the organization layer there is an additional option for selecting all organizational units active in the management system.

• In the organization layer there is an additional option for selecting all organizational units active in the management system.

• Change in the menu configurations must be clicked on "Apply" to make the change effective.

• The cloud icons allow you to save the current configuration or load an existing one.

Important: Select damage extent classification!

• If more than one damage extent classification exists, then they are selectable here. Only SBA protection target weightings of the current damage extent classification are displayed. Furthermore, the Protection target weighting of a protection target is displayed, if available.

By clicking on a hazard situation, a dialog opens through which you can switch to the detail page of the hazard situation.

In addition to the main view, individual or all entities from other views can also be displayed. The combination of views is freely configurable, i.e. there are no restrictions on how the views can be combined. To add another view to the main view, you have to select the check mark in the navigation area of the structure analysis for the desired view and then click on "Apply".

The combination of views is especially practical when connections between different entity types are to be created or analyzed. These combined views can be saved as configurations for reuse, for example, to analyze the impact of a measure.

Important:

• Depending on whether you are working in design or analysis mode, all or only explicitly selected entities (namely those to which relationships already exist from the main view) are displayed from the additionally selected views.

In more extensive views, the search is supported to quickly get to a specific node.

To do this, enter the search term of the node in the "Find node..." field and complete your entry with the Enter or Enter key. The search then centers the first node found. If the Enter or Enter key is pressed again, the next node found is centered, and so on. When the end of the search result is reached, a message is displayed. If the Enter key is pressed again, the first search result is displayed again.

The search is case-insensitive. Special word beginnings, endings or phrases can be found with an asterisk (*):

• sap* finds "SAP MM" and "SAP HCM" and "SAP FI/CO," for example,
• sap*co finds "SAP FI/CO",
• *mm finds "SAP MM" and "HR master".
• fi* finds "SAP FI/CO" and "Finance".

Configurations save all settings that were available at the time of saving. I.e. it saves which view was the main view, which views or entities were additionally displayed, how the protection targets are displayed and whether the hazard layers should be displayed.

Configurations can be used above all to divide large and complex structures into different configurations and thus display them in a clear manner. This makes working with large structures much easier.

Example of the use of a configuration:

• A protection needs analysis was performed and the impact was analyzed in the structural analysis. The next step is to define and implement measures for the hazard situations that have arisen. If the previously performed structural analysis is stored in a configuration, the same analysis can be performed again with comparably little effort and thus the effects of the measures can be analyzed.

Durch einen Rechtsklick auf einen Knoten im Graphen, öffnet sich ein Kontextmenü in dem die Option "Zeige Abhängigkeiten" vorkommt.

Diese Option ermöglicht es die Strukturanalyse auf die für den ausgewählten Knoten relevanten Elemente einzuschränken. Dies kann dabei helfen einen besseren und übersichtlicheren Überblick auf die Abhängigkeiten zu bekommen und erleichtert auch das Analysieren.

Ein Beispiel zum Verdeutlichen: Ich interessiere mich gerade nur für die Ressource SAP MM und möchte wissen, wovon diese Ressource abhängt, ich tue mir aber schwer dies zu erkennen, da so viele Knoten angezeigt werden.

Ich kann auf SAP MM einen Rechtsklick machen und wähle "Zeige Abhängigkeiten" aus. Dadurch werden alle nicht relevanten Knoten ausgeblendet und ich bekomme eine viel besseren Überblick.

In design mode, you can place elements from the selected views in connections and define their dependencies based on protection goals. However, you cannot edit connections or protection goal weights if they have been defined by a protection needs analysis. To edit them, you must perform a new protection needs analysis.

In design mode, all entities from the selected views are displayed. This has the purpose that relationships can be created between all elements.

You can move elements individually or several elements at the same time. To move an element individually you have to move the mouse pointer over the desired element and click and hold the left mouse button.

To move multiple elements you have two options:

1. Hold down the left mouse button until a cross appears. Then drag the rectangle over the elements you want to move.
2. Hold down CTRL to select multiple elements by clicking on them.

To connect elements with each other there are several possibilities:

1. Right-click on an element and select "Add relationship". Then select other element. (Starting point to end point)
   

   Datei:Create node with right click.gif

   
   
2. Hold down "Alt" and select element 1, then click on the second element.
   

   Datei:Create node alt.gif

   
   
3. For data, processes, and organizational units, if you double-click the item, you can select a parent item in the mask or unlink it from the parent item.
   

   Datei:Create node data-category.gif

   
   
4. For resources, if you double-click on the element, you can create new connections or edit existing ones via the "Relationships" tab in the mask.
   

   Datei:Create Node Resource.gif

   
   

The connection with resources always happens with protection goals. However, you can adapt these protection goals. Exceptions are protection goals that have been weighted by protection needs analyses. These can only be changed by a new protection needs analysis (to create protection goals see protection goals).

To edit the protection targets of a connection you have to either double-click on the connection arrows or double-click on the element and switch to the "Relations" tab. With the latter option, no weightings can be set. Here, a 100% weighting is always assumed.

Right-click into the empty space in the structure analysis to create new resources, organizational units, processes or data categories. If you now select an element to create, the respective mask for creating the new element opens.

Double-click on an element to open its "edit" mask. Here you can also delete the elements.

For more details see Resources, Organizational Unit, Processes, Data Category create / edit / delete.

The analysis mode is used to analyze the company structure. You can analyze which elements are dependent on each other and in what way. For this you can choose how the dependency should be displayed:

• What do I depend on?
• What do I depend on?

Additionally you can define a threshold value. This determines from which percentage dependency a connection between 2 elements should be displayed.

Analysis mode displays only entities from the selected views that are related to an entity from the main view.

This can be used to analyze how much other entities, in terms of their protection goals, depend on an entity.

It is also possible to examine how risks affect the entire structure. It is also possible to examine how they affect the individual protection goals. This makes it possible to quickly identify how a risk affects other entities.

Entities on which the selected entity does not depend are grayed out.

This can be used to examine how much an entity, in terms of its protection goals, depends on other entities.

The dependency can be examined on a protection goal basis either bundled or individually for each protection goal. By changing the threshold value, you can set the percentage weighting of the protection goal from which you depend on an entity.

Entities on which the selected entity does not depend are displayed in gray.

In der Strukturanalyse kann auch die Erfüllung der RTO (Recovery Time Objective) und RPO (Recovery Point Objective) analysiert werden.

Achtung:

Damit RTO bzw. RPO-Erfüllung in der Strukturanalyse untersucht werden kann, muss unter "Risikomanagement → Risikopolitik → Schutzziele" das Schutzziel RTO bzw. RPO aktiviert werden.

Die RTO bzw. RPO-Erfüllung zeigt, ob die Schutzbedarfsanforderung hinsichtlich RTO bzw. RPO für die jeweiligen Ressourcen eingehalten werden kann. Dafür wird im Graphen die Kante zu den Ressourcen mit einem SOLL und IST gewichtet. Dabei stammt der SOLL-Wert aus einer Schutzbedarfsanalyse . Das IST wird aus den jeweiligen abhängigen Ressourcen berechnet, das heißt es wird die maximale Zeit aller abhängigen Ressourcen für die RTO bzw. RPO ermittelt.

Ablauf

• Schutzbedarfsanalyse

Um analysieren zu können, ob die RPO bzw. RTO für eine Ressource eingehalten wird, muss zuerst eine Schutzbedarfsanalyse für die Ressourcen mit einer Organisationseinheit oder einem Prozessverantwortlichen durchgeführt werden. Daras ergibt sich die SOLL- bzw. keine Anforderung.

• Ressourcen bewerten

Damit das IST für RTO bzw. RPO berechnet werden kann, müssen die Ressourcen von denen die zu untersuchende Organisationseinheit bzw. Prozess abhängig ist nach RTO bzw. RPO bewertet werden. Hierfür gibt es drei Möglichkeiten:

• nicht bewertet:

RTO bzw. RPO wurde noch nicht bewertet / eingetragen. Diese Werte gehen nicht in die Berechnung ein, werden aber als noch nicht bewertet markiert (gelbes Zahnrad bei RTO und gelbe Uhr bei RPO).

• undefiniert / nicht relevant:

Die RTO bzw. RPO ist für die Berechnung nicht weiter relevant. Diese Werte gehen ebenfalls nicht in die Berechnung ein, werden aber mit einem grauen Symbol markiert um darzustellen, das diese Werte bewusst nicht hinterlegt wurden.

• RTO Wiederherstellzeit bzw. das RPO Backup Intervall liegt vor:

Die RTO bzw. RPO wurde für Ressourcen bereits ermittelt. Diese Werte können dann bei den Ressourcen hinterlegt werden.

Für RTO gibt es zusätzlich noch die Option, dass die Wiederherstellzeit von Ressourcen Dritter z.B. durch eine SLA gesichert sind. Es kann diese SLA bei der Ressource hinterlegt werden.

N / B bedeutet Netto bzw. Brutto. Netto ist der Wert der bei der direkt bei der Ressource eingetragen ist. Brutto ist die maximale Zeit die durch alle abhängigen Pfade erreicht wird (nur längster Pfad relevant).

• RTO bzw. RPO-Erfüllung analysieren:

Um die Erfüllung analysieren zu können, müssen in der Strukturanalyse mindestens die Organisationssicht und die Ressourcensicht ausgewählt werden. Sind diese ausgewählt, muss in den Analysemodus gewechselt werden (Schalter ganz oben im rechten Menü). Im Analysemodus kann nun RTO bzw. RPO-Erfüllung ausgewählt werden.

Werden zu viele nicht relevante Ressourcen bzw. Organisationseinheiten angezeigt, kann man auf die zu untersuchende Organisationseinheit rechts klicken und im Kontextmenü den Punkt "Zeige Abhängigkeiten" auswählen. Dadurch werden alle nicht relevanten Knoten ausgeblendet.

Organizational units or business processes use resources (business applications, communication services, medical administrative applications, etc.). Therefore, several applications can be assigned to several organizational units. The protection needs analysis weights the relationship between the respective organizational unit and the resource (e.g. very low risk to catastrophic risk).

The application has different weightings for different business areas with regard to its protection goals. The most critical weighting specifies how technically demanding the resource must be designed with regard to its protection goals, e.g., availability, confidentiality, or integrity. In this way, critical risks can be defined for the applications based on the weighting of their protection goals.

'Example:

Confidential customer data is stored on a hard disk. This data is rarely used in the HIS, so its availability has been weighted to 20%. However, the confidentiality is 100% because it is confidential data. This allows, for example, the risks of theft and server failure to be identified. By weighting, it can be seen that theft of confidential data is much more critical than server failure. That is, theft would be a critical risk, but server failure would not.

Resources may be interdependent. There may be resources that are not functional or have limited functionality if another resource is not available. Resources require, for example, an IT infrastructure, data storage and possibly medical devices in order to be functional.

These dependencies can also be bidirectional. This would be the case, for example, if two resources (e.g. applications) actively exchange data. If one of them were to fail, this would affect the other resource.

All these dependencies can be analyzed via structural analysis.

Structural elements (business applications or IT infrastructure services) can be interrelated. Between two related structural elements, there is one type of relationship per protection objective. The direction of the relationship and the weighting of the dependency are defined for each protection objective. By default, the weighting of the relationship is 100%, but a different weighting can also be set. All these relations can be uni- or bidirectional. This defines the dependencies of the objects to each other.

Example: A hospital information system (HIS) and a laboratory information system (LIS) are related to each other

Protection goal availability: The LIS is 100% dependent on the HIS. If the HIS is not functioning, the LIS cannot access the patient master data and work cannot be performed. The HIS, on the other hand, is only 10% dependent on the LIS in our example. If the LIS is not functioning, the HIS cannot retrieve the laboratory values, but all other functions are available without restriction.