
Knowledge bases

From HITGuard User Guide

What is a knowledge base?

  • Knowledge databases contain portable know-how for risk identification (through topics, audit questions, threats) and risk treatment (measures and controls).
  • This makes it possible to perform deviation analyses guided by this know-how and thus to check and document compliance / fulfillment of requirements.
  • In addition to questions on risk identification, they also contain measures and control proposals to reduce, control or eliminate these very risk situations.
  • Furthermore, knowledge databases on a norm or standard basis can be used to check compliance requirements.

Difference to standards and norms:

  • Standards and norms provide no usable know-how and are pure "tables of contents" of a standard.
  • They are used to evaluate the impact of risks, review results, measures, and controls on a norm or standard.

Options:



Types of knowledge bases

Norm or standard

Norm or standard knowledge bases can only be imported, not exported.

They contain copyrighted content and cannot be modified!

The review questions of these knowledge bases map to the respective norm or standard. This allows the degree of compliance with a norm or standard to be determined. The degree of compliance can be viewed under "Risk management dashboard → Compliance Coverage" or in compliance reports.

Manufacturer

These knowledge bases contain copyright protected content! They can only be imported, not exported.

Although the content is protected, user adjustments can be made!

During user customization, the review questions defined by the manufacturer cannot be customized! If you do not want to handle them, the review question must be set to "unnecessary". However, the knowledge base can be extended with your own topics and review questions without any restrictions.

So customizing a knowledge base makes sense if certain topics or questions are not covered that would be important or interesting for your business, or you do not want to cover certain knowledge base topics.

Creating and exporting manufacturer and standard knowledge bases requires a manufacturer license.

Own development

These are knowledge databases created by you. In these, you can maintain and prepare the content yourself. For example, you could create and manage databases for internal audits or for collecting answers to questionnaires.

These knowledge bases, as long as they are not published, can be adapted without further ado. Once published, a successor version must be created for editing.

Other properties

Languages


Knowledge bases can be translated into different languages. These language versions can be used in the course of vulnerability analyses and consequently in reports. The language used is the one set by the user at the top right (right next to the logout button).

For translating, see Translating knowledge bases.

Versioning


Versioning distinguishes between in-house development and user adaptations of vendor knowledge bases.

Own development

You can maintain multiple versions of self-developed knowledge bases.

If an in-house development no longer meets your requirements, a new version adapted to the requirements can be created. To do this, click on "Create successor version" in the mask for viewing the knowledge base. For more information, see Successor versions of knowledge bases.

The version of a self-developed knowledge base consists of a single number. Subsequent versions increase this number by 1.

Manufacturer knowledge base

The version number X.Y for imported knowledge bases behaves as follows:

  • X: imported knowledge bases always have a number, for example 1, 2 or 3, but not 1.1, 2.1 or 3.3.
  • Y: if a customization of an imported knowledge base is created, the number after the dot is increased by 1.

The overview displays, for example: WDB Z in version 5 and WDB W in version 2.3. In the knowledge base itself you will then see WDB W in version 2 customization no. 3.

Favorite


If several versions of a knowledge base are available, it is possible to set one version as the preferred version.

The knowledge base must be published; the mask for viewing the knowledge base then shows a button labeled "Set as preferred version".

In the overview of knowledge bases, preferred ones are marked with a heart.

Important!

  • Only preferred versions can be selected in variance analyses!

Export


Only "self-developed" knowledge databases can be exported. Knowledge databases created by third parties can't be exported.

To export, click on "Export" in the Knowledge Base View screen in Published WDBs.

The file generated by this can then be imported to other systems as desired.


If a knowledge database carries a copyright notice, this notice is displayed in the measures, controls and test questions of the knowledge database. These elements also carry the copyright notice in reports.

Updating knowledge bases

If a newer version of an existing knowledge base is imported, all test objects that were created with the older version can be updated to the newer version semi-automatically. For more information, see Updating test objects.

Elements of a knowledge base

The knowledge base is divided into five key elements:

  • Topics
  • Audit questions
  • Measures
  • Controls
  • Justification templates
  • Threats

These elements are related to each other as follows:

  • A knowledge base contains a set of topics. These topics can be structured hierarchically among themselves. A topic does not have to contain review questions if, for example, it is only intended to structure topics. However, topics at each level of the hierarchy can contain review questions.
  • The review questions, when answered (yes/no/partly, unnecessary, score), are used to identify whether there is a potential vulnerability in this area. Gaps (answers with no, partly, or a score deviation) need to be investigated in more detail in the risk assessment step.
  • When a gap is detected, it is usually affected by a specific threat to a greater or lesser extent. It should therefore be treated with measures or secured with controls in the long term. For this reason, one or more threats, measures and controls are assigned to a review question within the knowledge base.
  • For review questions that are normally justified with a standard answer, justification templates can be created and subsequently used in reviews.

To show where a review question, measure, control, or threat is already used, the edit form of the respective element offers a "Links" link, provided that the element has at least one link.

Link tab


Links


Topics

Topics contained in the knowledge base are used to structure a knowledge base. They are the units within a layer (e.g. IT systems, networks). They describe technical components (such as cabling) or organizational procedures (such as emergency preparedness concept).

Test questions can be assigned to each topic.

To create topics, see Create topics

Review questions

Review questions serve to determine possible vulnerabilities in the context of a review. A review question can be assigned to several topics. Review questions can be structured hierarchically by using structure questions.

To create a review question, see Create review question

Measures, controls and threats can be assigned to a review question. This ensures that if the answered question deviates from the desired target state, measures and controls are suggested to address the associated potential risk.

Structural questions

  • Review questions that are assigned to topics can be extended by sub-questions in the knowledge base. If a question has one or more sub-questions, the main question becomes a structural question and is only used for structuring. That is: a structural question answered with "No" or "Partly" represents no deviation!
  • Depending on the answer to the structural question, different review questions can be displayed. For example, two specific review questions may be displayed in case of a "Yes" answer and three other specific review questions may be displayed in case of a "No" answer. However, a negative answer to sub-questions will result in gaps.

Sub-question options: looks different depending on the type of question (for technical questions, Yes/No/Partly/Unnecessary would be shown).


If a superordinate question is created, the options "Will be displayed if" and "Answer if not displayed" are available.

  • The option "Will be displayed if" defines which answer the superordinate question must have in order for the sub-question to be offered for answering. This means that if only the option "Yes" is selected for the review question under "Will be displayed if", this sub-question will only be displayed for answering if the superordinate question is answered with "Yes".
  • The option "Answer if not displayed" defines which answer the sub-question should receive if it is not displayed for answering. If no selection is made here, the review question will not be answered automatically in this case.
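
The rules above for structural questions, "Will be displayed if" and "Answer if not displayed" can be modelled as follows. This is an added example and not HITGuard code; the class, the field names and the sample questions are hypothetical, and it assumes that an automatically assigned answer is evaluated like a manual one and that score deviations are left out.

```python
from dataclasses import dataclass, field
from typing import Optional

GAP_ANSWERS = {"no", "partly"}  # answers that count as a deviation (scores not modelled)

@dataclass
class Question:
    text: str
    shown_if: frozenset = frozenset()       # "Will be displayed if" (answers of the parent)
    answer_if_hidden: Optional[str] = None  # "Answer if not displayed"; None = stays unanswered
    subs: list = field(default_factory=list)

def evaluate(q, answers, parent=None, is_root=True, out=None):
    """Return {question text: (effective answer, is_gap)} for q and all sub-questions."""
    out = {} if out is None else out
    # A sub-question is offered only if the parent's answer is one of its shown_if values.
    displayed = is_root or parent in q.shown_if
    answer = answers.get(q.text) if displayed else q.answer_if_hidden
    # A question with sub-questions is structural and never represents a deviation.
    structural = bool(q.subs)
    out[q.text] = (answer, (not structural) and answer in GAP_ANSWERS)
    for sub in q.subs:
        evaluate(sub, answers, answer, False, out)
    return out

def gaps(result):
    """Texts of all questions whose effective answer is a deviation."""
    return [text for text, (_, is_gap) in result.items() if is_gap]

# Constructed sample: one structural question with two conditional sub-questions.
BACKUP = Question("Backup concept in place?", subs=[
    Question("Restores tested regularly?", shown_if=frozenset({"yes"})),
    Question("Backup concept planned?", shown_if=frozenset({"no", "partly"}),
             answer_if_hidden="unnecessary"),
])

if __name__ == "__main__":
    # Structural "no" is not a gap; the "no" on the displayed sub-question is.
    r = evaluate(BACKUP, {"Backup concept in place?": "no",
                          "Backup concept planned?": "no"})
    for text, (answer, is_gap) in r.items():
        print(f"{text:30} answer={answer!s:12} gap={is_gap}")
```
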

Measures

Measures in a knowledge database are possible measures that can be selected on the basis of the deviation identified during a review in the context of the risks to be addressed. They are intended to help reduce or eliminate one or more deviations. Possible measures can be transferred into ongoing measures.

To create a measure, see Create measure

Controls

Controls in a knowledge base are possible controls that are available for selection based on the identified deviation for the assigned risk. They are intended to help monitor the risk or to control the execution of implemented measures. Possible controls can be transferred into ongoing controls.

To create a control, see Create check

Justification templates

If a review question is normally justified with a standard answer, a justification template can be created for this question, which can then be used for reviews.

To create a justification template, see Create justification template

Threats

Threats are mainly used for analyses. For example, a report can be generated in which all deviating test questions are listed for a threat.

To create a threat, see Create threat