
Protection needs

From HITGuard User Guide
Revision as of 15 November 2021, 07:18 by Faha (Talk | Contributions) (The page was newly created: „Extents of damage can be created and managed by experts under Special:MyLanguage/Risikopolitik#Schadensausma.C3.9Fe|"Risk Management → Risk Policy → Exte…“)

What is a protection needs analysis?

The protection needs analysis determines the protection needs for data or resources (IT systems, buildings, software, etc.) of organizational units or processes. The results of this analysis, the protection needs of the data and processes, can be examined in the structural analysis, for example, to identify risks and create measures and controls.


As can be seen in the figure above, professionals and experts can find the protection needs analyses that have been created in the current management system under "Risk management → Protection needs". All protection needs analyses are displayed, regardless of whether they are completed, in progress or in draft status. New protection needs analyses can also be created here.

You can download a report on one or more protection needs analyses as a PDF. This contains all marked protection needs analyses.

Create / edit protection needs analysis

Create:

  • Protection needs analyses can be created under "Risk Management → Protection Needs" via the "Plus" button.

Edit:

  • To edit a protection needs analysis, open it under "Risk management → Protection needs" by double-clicking on it.
  • Completed protection needs analyses can be viewed, but no longer edited!

Header data of the protection needs analysis


The following section describes the mapping in more detail:


Select OrgEh / Process:

  • In a protection needs analysis, either organizational units or processes can be analyzed. What is to be analyzed is selected via the Audit item.

Audit:

  • If this protection needs analysis is carried out in the course of an audit, you can relate the audit to the protection needs analysis here. If the protection needs analysis arises as a result of an audit, the fields Principal Auditor, Interviewee, and Start and End Date of Audit are populated. (For more on audits, see Audit management).

OrgEh / Process:

  • Depending on whether an OrgEh or a process is analyzed, either the organizational unit or the process is selected here.
  • This can no longer be changed after the first save!

Designation:

  • The name of the protection needs analysis is entered here.

Description:

  • The purpose of the protection needs assessment should be described here.

Principal investigator:

  • The main examiner responsible for the protection needs analysis is entered here. He selects the resources and/or data that will be analyzed in the course of the protection needs analysis. He determines further examiners as well as interview partners.

Other reviewers:

  • These are individuals who are included as subject matter experts for the protection needs assessment review.

Interviewers:

  • Interviews about resources and data are conducted with these individuals during the course of a protection needs assessment. In the course of a self-assessment, they are tasked with identifying potential harm (see Type).

Start and end date:

  • The planned time span of the protection needs analysis is entered here.

Type:

  • Interview: The protection needs analysis is conducted together with the interviewee. The interviewee himself cannot change anything in the protection needs analysis, but has insight into the analysis.
  • Self-assessment: the interviewee is tasked with determining possible damage in the event of violations of protection goals. The assessor requests a response via the "Request response" button (if the protection needs analysis has been activated) and reviews it after it has been answered.

Change log:

  • This records when the protection needs analysis was processed, when its status changed and when it was completed.

Status and deletion of a protection needs analysis


A protection needs analysis can have different statuses. If email notifications are active in the management system, all persons relevant to the workflow are prompted to perform their tasks when the status changes. For example, the interviewee is prompted when an examiner requests a response, and the examiner is prompted when the interviewee returns the response.

Draft

  • When the protection needs analysis is saved for the first time or deactivated from the "In Progress" status, it is in the "Draft" status. From here, the protection needs analysis can be activated, i.e. set to the "In Progress" status.

In progress

  • If the review is activated, it will be set to "In Progress" status. Now it is time for the main reviewer to perform the protection needs analysis or to request a response from the interviewees by "Request response" (only for Self-Assessment type).
  • It can be returned to "Draft" status by "Deactivate Review".
  • It can be moved to "Closed" status by "Close Review".


Requested (only for Self-Assessment type)

  • If the protection needs assessment is requested by the principal investigator, it is placed in the "requested" status. The interviewees will now be prompted to perform the Protection Needs Assessment via an email.
  • It can be placed in "answered" status by "submit review".

Answered (only for Self-Assessment type)

  • If the protection needs assessment is returned by the interviewee with "Submit Review", it is set to the status "Answered". The reviewers are now prompted by an email to check the response.
  • It can be returned to "requested" status by "Request Response". The interviewee should then revise their response.
  • It can be put back into "draft" status by "disable review". The reviewers will be informed of this.
  • It can be moved to "closed" status by "close review".

Closed

  • If the protection needs analysis is set to the "closed" status by "Complete review", the protection needs analysis becomes read-only and it can no longer be edited. This sets and weights the links between the resources and/or data to the OrgEh or process in the structural analysis.

Delete a protection needs analysis

  • With "Delete review" you can delete protection needs analyses that are not yet completed. Completed protection needs analyses cannot be deleted!
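The status rules above, written out as a transition table with a checker for a recorded status sequence. This is an added example, not HITGuard code: the function names, the "activate" label for the Draft → In Progress step and the sample history are assumptions constructed here, and only transitions listed on this page are treated as allowed.

```python
# Added illustration of the workflow described on this page (not HITGuard code).
SELF_ASSESSMENT_ONLY = {"Requested", "Answered"}

# (current status, action) -> next status, one entry per bullet above.
TRANSITIONS = {
    ("Draft", "activate"): "In Progress",            # action label assumed
    ("In Progress", "Deactivate Review"): "Draft",
    ("In Progress", "Close Review"): "Closed",
    ("In Progress", "Request response"): "Requested",
    ("Requested", "Submit Review"): "Answered",
    ("Answered", "Request response"): "Requested",
    ("Answered", "Deactivate Review"): "Draft",
    ("Answered", "Close Review"): "Closed",
}

def apply_action(status, action, analysis_type):
    """Return the next status, or raise ValueError if the page does not allow it."""
    nxt = TRANSITIONS.get((status, action))
    if nxt is None:
        raise ValueError(f"{action!r} is not available in status {status!r}")
    if nxt in SELF_ASSESSMENT_ONLY and analysis_type != "Self-assessment":
        raise ValueError(f"{nxt!r} exists only for the Self-assessment type")
    return nxt

def can_edit(status):
    return status != "Closed"      # closed analyses are read-only

def can_delete(status):
    return status != "Closed"      # completed analyses cannot be deleted

def find_violations(statuses, analysis_type):
    """Check consecutive statuses (e.g. copied from a change log) against the table."""
    allowed = {(src, dst) for (src, _action), dst in TRANSITIONS.items()}
    violations = []
    for i in range(1, len(statuses)):
        prev, cur = statuses[i - 1], statuses[i]
        if (prev, cur) not in allowed:
            violations.append((i, prev, cur, "undocumented transition"))
        elif cur in SELF_ASSESSMENT_ONLY and analysis_type != "Self-assessment":
            violations.append((i, prev, cur, "status reserved for self-assessments"))
    return violations

# Constructed sample: the last step skips the "Answered" review stage.
SAMPLE_HISTORY = ["Draft", "In Progress", "Requested", "Answered", "Requested", "Closed"]

if __name__ == "__main__":
    for violation in find_violations(SAMPLE_HISTORY, "Self-assessment"):
        print(violation)
```

Read this way, "Requested" has a single exit ("Submit Review"), so a self-assessment can only reach "Closed" from "In Progress" or "Answered".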

Select resources and/or data for analysis


The second step is to select the resources and/or data that will be analyzed in the protection needs analysis.

To add resources or data to the analysis, the "Select resources/data" button must be clicked. A dialog opens where the resources or data to be analyzed can be selected.

The tab can be used to switch between resources and data.


Analyze possible damage


The following figure shows the third step of the protection needs analysis.


In this step, the resources and/or data are analyzed for possible damage that could occur if a protection goal is violated. Violations are evaluated by the extent of damage.

The damage scales selected here are used in the structural analysis to set connections between the org unit or process and the assessed resource or data and to weight their protection goals. This makes it possible in the structural analysis to examine the organizational unit or the process for dependencies and to identify hazard situations.

To evaluate all resources and data, it is necessary to switch between the added resources and data through the tab.

The protection targets to be evaluated are specified by the management system and can be configured by experts under "Administration → Management Systems → used Protection Targets".


Extents of damage can be created and managed by experts under "Risk Management → Risk Policy → Extents of Damage".