Risk Policy
Weitere Optionen
All settings and configurations made here are globally valid. I.e. they affect all management systems and can only be edited by experts or administrators.
Protection targets
Each standard as well as each management system pursues a given purpose. Goals are defined to ensure their protection.
Manufacturer-specific protection targets (acc. to ISO 27001, ISO 80001):
- Confidentiality
- Availability
- Integrity
The manufacturer-specific protection targets are subsequently used in risk assessments and structural analyses. These objectives are mapped in the knowledge databases to examination questions or, if required, to other risks or measures. Although these protection targets can be renamed or deactivated, they cannot be deleted. They are marked under "Risk management → Risk policy → Protection targets" as "Manufacturer-specific protection targets".
Additional protection targets can be freely defined and edited by experts.
An example for a protection target:
Import manufacturer-specific protection targets
Since some manufacturer-specific protection targets are only required for certain industries, not all defined protection targets are supplied as standard. However, these can be imported if required. To do this, simply click on the arrow next to the plus and select the desired target for import.
This function is needed, for example, to import knowledge bases created by HITGuard that require a protection target that is not delivered by default.
Probabilities of occurrence
The probability of occurrence is the estimated probability of the occurrence of a specific event in a given future period (e.g. 1x in 30 years).
As the figure below shows classes of probabilities of occurrence can be freely defined. The number of categories, the name of the occurrence probability classes as well as their description and stored occurrence probabilities (in frequency per period) are freely configurable.
Risk factor:
- The risk factor serves as a multiplier for calculating the risk ratio of a risk. The risk factor of the selected probability of occurrence is multiplied by the risk factor of the selected extent of damage, thus determining the risk ratio.
- The risk ratio serves to rank the risks. The higher the risk index, the greater the significance of the risk.
Example based on and extended to TR719 (80001):'
| Probability of - occurrence classes |
Definition |
|---|---|
| Extremely rare | At least once in 30 years. |
| It is very unlikely that unintended effects will occur. | |
| Very rare | At least once in 10 years. |
| It is unlikely that unintended effects will occur. | |
| Rare | At least once in three years. |
| There may be unintended effects from time to time. | |
| Probably | At least once a year |
| It is likely that unintended effects will occur. | |
| Frequently | At least once a month |
| Unintended effects often occur. | |
| Very frequent | At least once a week or more |
| Unintended effects occur very frequently or almost always. |
Criteria for extent of damage
Damage is not necessarily of a monetary nature. It can be determined, for example, by loss of effectiveness, image damage or patient damage. For this reason, HITGuard offers the possibility to freely configure criterias for the extent of damage. These criterias can then be mapped to extent of damage classes and thus be used for protection needs analysis.
Criteria for the extent of damage can be defined under "Risk management → Risk policy → Criteria for extent of damage".
Extent of damage
Extent of loss is divided into classes. The loss severity classes are based on the risk-bearing capacity of the company. The highest loss severity class should therefore be based on the maximum loss that the company can bear.
If you want to use different damage extent classes in one or more management systems, then create an additional damage extent classification for this purpose. You can then create new damage extent classes for these.
Then assign the newly created classification to the desired management system as a classification under "Administration → Management systems" under "General settings".
Classes and classifications can be defined by administrators and experts by clicking on the plus next to the classes / classifications. (see figure)
Monetary damage:
- Here you define how high the monetary damage of a class is.
PNA Edge weight:
- This value represents the dependency that the extent of damage represents in a protection needs analysis in percent and is used in the graph as the edge weight.
- The basis for determining the value can be, for example, the lower limit, upper limit or the mean value of a protection needs class.
- Example:
Damage extent class PNA edge weight insignificant 10% Low 20% Moderately 40% Up 60% Catastrophic 100%
Risk factor:
- see here
Add criterion:
- Here the criteria already created can be mapped to an extent of damage class. Furthermore, in the context of the class it should be described what kind of damage must occur to fulfill a criterion.
Examples for damage extent classes:
| Damage extent class | Definition |
|---|---|
| Low | Monetary damage: > 5.000 Euro and <= 25 Euro |
| Patient harm: minor and short-term inconvenience | |
| Effectiveness loss: no or very limited impact on operations/procedures | |
| Data and system security: disclosure of a relevant threat or vulnerability has negligible effect | |
| Moderate | Monetary damage: > 25,000 euros and <= 100,000 euros |
| Patient damage: temporary and minor injuries, medical intervention required | |
| Effectiveness loss: very limited or nuisance effect on operations/measures | |
| Data and system security: disclosure of sensitive information could have negative (financial) consequences and may require resources to remediate. | |
| Catastrophic | Monetary damage: > 10 million euros |
| Patient harm: Death | |
| Loss of effectiveness: planned operations/procedures no longer feasible | |
| Data and system security: may lead to full disclosure of sensitive information |
Protection target synonyms
Since protection goals can have different meanings in different classifications, it is possible to specify synonyms for the respective classifications in terms of their naming. For example, the protection goal "confidentiality" can be interpreted as privacy in the context of the data protection classification (see figure). This means that wherever the protection goal is applied, the protection goal characteristic of the damage extent classification of the data privacy management system - i.e., the designation "privacy" - is displayed.
This menu item is only visible if at least two damage extent classifications exist.
Protection requirement
The protection requirements of a resource, organizational unit, data category, or process are based on the extent of damage that can occur if its operation is impaired. Since it is often not possible to determine the exact amount of damage, you should define classes that are suitable for your application.
Protection Needs Classes can be created and managed by administrators or experts under "Risk Management → Risk Policy → Protection Needs".
The previously defined damage extent classes fall into different protection needs classes depending on the height of your PNA edge weight (the higher the edge weight, the higher the protection need).
The so-called PNA edge weight range (from to) ensures that a dependency analysis can be used in the structural analysis to determine a protection needs class for a data category or resource. This determination is derived from the PNA edge weight range. For all incoming protection target relationships per resource or data category, the edge dependency is determined in % with the highest PNA value and the corresponding protection need class is determined from the range.
The color is used to signal the importance of a class in the structural analysis.
Examples for protection needs classes:
- Normal: The damage effects are limited and manageable (0-30% PNA edge weight).
- High: The damage effects can be considerable (30-70% PNA edge weight).
- Very high: The damage effects can reach an existentially threatening, catastrophic magnitude (70-100% PNA edge weight).
Risk matrix
The risk matrix for each protection requirement class results from the combination of extent of damage (vertical) and probability of occurrence (horizontal). For this purpose, the respective risk factors are multiplied in order to obtain the risk ratio. The higher the risk ratio, the more critical a risk is and the more urgent a risk must be dealt with in order to prevent serious consequences.
Administrators and experts can specify in which color a risk indicator is displayed in the dashboard and structural analysis (the more critical and urgent a risk is, the more alarming the colorshould be) under " Risk Management → Risk Policy → Risk Matrix". Furthermore, the risk indicator serves to rank the risks on the dashboard.
For each damage extent classification there is a separate risk matrix that can be configured.
Data classes
The data classification specifies how data is to be handled, depending on your classification. This depends on the confidentiality of the data and the corresponding desired level of protection.
The number of categories, the name of the data class and its description are freely definable. A new class can be created using the "Plus" button.
It is usually possible to derive an association so that the different protection needs for each data class can be explained by the extent of damage associated with the confidentiality risk. Mapping between data classes and damage severity classes is therefore possible.
If several damage extent classifications exist, it is necessary to select from which classification the damage extent originates.
Example:
| Data classes | ! Damage extent class |
|---|---|
| Public | Very Low (Default) |
| Internal | Medium (default) |
| Confidential | Large (default) |
| Secret | Very Large (default) |
Abilities to Control
Die Abilities to Control werden verwendet um bereits implementierte Maßnahmen- und Kontrollensets zur Risikosteuerung einer Gefährdungslage nach ihrer Qualität zu bewerten. Mehr zum Kontext der Verwendung ist hier zu finden.
Hier können die zur Bewertung verfügbaren Abilities to Control verwaltet werden.
Eine neue Ability to Control kann über den "Plus" Button erstellt werden. Über den "Mülleimer" Button können bestehende gelöscht werden.
Standardmäßig werden folgende Abilities to Control angeboten:
- nicht relevant
- Die Fähigkeit zur Steuerung der Gefährdungslage durch das zugewiesene Set an Maßnahmen und Kontrollen ist nicht relevant.
- initial
- Die Fähigkeit zur Steuerung der Gefährdungslage durch das zugewiesene Set an Maßnahmen und Kontrollen ist in einem frühen Entwicklungsstadium.
- gemanagt
- Die Fähigkeit zur Steuerung der Gefährdungslage durch das zugewiesene Set an Maßnahmen und Kontrollen kann erfolgreich durchgeführt werden.
- definiert
- Die Fähigkeit zur Steuerung der Gefährdungslage durch das zugewiesene Set an Maßnahmen und Kontrollen ist reproduzierbar und kann nach einem angepassten Standardprozess abgehandelt werden.
- gemessen
- Die Fähigkeit zur Steuerung der Gefährdungslage durch das zugewiesene Set an Maßnahmen und Kontrollen ist anhand einer statistischen Kontrolle messbar.
- optimiert
- Die Fähigkeit zur Steuerung der Gefährdungslage durch das zugewiesene Set an Maßnahmen und Kontrollen ist anhand einer statistischen Kontrolle messbar und kann die Arbeitsweise verbessern.
