
Protection needs

From HITGuard User Guide
Revision as of 5 August 2025, 08:06 by Isan (Talk | Contributions) (Page created: "==Workflow plans==")

What is a protection needs analysis?

The protection needs analysis determines the protection needs for data or resources (IT systems, buildings, software, etc.) of organizational units or processes. The results of this analysis, the protection needs of the data and processes, can be examined in the structural analysis, for example, to identify risks and create measures and controls accordingly.


As can be seen in the figure above, professionals and experts can find protection requirement analyses that have been created in the current management system under "Risk management → Protection needs". All protection requirement analyses are displayed, regardless of whether they are completed, in progress or in draft status. Likewise, protection requirement analyses can be created or reassessed here, and workflow plans can be created.

You can download a report on one or more protection needs analyses as a PDF. This contains all marked protection needs analyses.

Create/edit protection needs analysis

Create:

  • Protection needs analyses can be created under "Risk Management → Protection needs" via the "Plus" button.

Edit:

  • To edit a protection needs analysis, open the required protection needs analysis under "Risk management → Protection needs" by double-clicking on it.
  • Completed protection needs analyses can be viewed, but no longer edited!

Header data of the protection needs analysis


The following section describes the mapping in more detail:



Select OrgUnit/Process:

  • In a protection needs analysis, either organizational units or processes can be analyzed. What is to be analyzed is selected via the audit item.
  • This selection can only be changed as long as no resources were assigned in step 2. To be able to change the selection, the assigned resources must first be removed in step 2.
Note: If an organizational unit or a process already has a relationship to resources and/or data categories in the structural analysis, those are automatically added to step 2 of the protection needs analysis. Any protection needs analyses already done are also considered here. In addition, the results of the previous analysis can be adopted with the click of a button.
Caution: Resources and data categories that already have a still-open protection needs analysis in connection with the selected organizational unit or process are not added automatically and cannot be added manually either. To add them, any open protection needs analyses in the respective constellation must be closed first.

Audit:

  • If this protection needs analysis is carried out in the course of an audit, you can relate the audit to the protection needs analysis here. If the protection needs analysis arises as a result of an audit, the fields lead auditor, interview partner, and start and end date of the audit are populated. Alternatively, the header data can be incorporated via the button on the right. (For more on audits, see Audit planning).

OrgUnit/Process:

  • Depending on whether an OrgUnit or a process is analyzed, either the organizational unit or the process is selected here.
  • This can no longer be changed after the first save!

Function:

Name:

  • The name of the protection needs analysis is entered here.

Description:

  • The purpose of the protection needs analysis should be described here.

Lead auditor:

  • The main examiner responsible for the protection needs analysis is entered here. They select the resources and/or data that will be analyzed in the course of the protection needs analysis. They determine additional examiners as well as interview partners.

Co-auditors/Companion(s):

  • These are individuals who are included as subject matter experts for the protection needs analysis.

Interview partners:

  • Interviews about resources and data are conducted with these individuals during the course of a protection needs analysis. In the course of a self assessment, they are tasked with identifying potential damages (see type).

Start and end date:

  • The planned time span of the protection needs analysis is entered here.

Type:

  • Interview: The protection needs analysis is conducted together with the interview partner. The interview partner themselves cannot change anything in the protection needs analysis, but has insight into the analysis.
  • Self assessment: The interview partner is tasked with determining possible damage in the event of violations of protection targets. The auditor requests a response via the "Request response" button (if the protection needs analysis has been activated) and reviews it after it has been answered.

Workflow plans:

  • This shows how many workflow plans the protection needs analysis is part of, either actively or paused. Links can be newly set or deleted here, and existing links can be paused.

Created by workflow plan:

  • If the protection needs analysis was created by a workflow, the respective workflow is shown here. You can navigate into the workflow with a simple click and take a look at its details.

Change log:

  • Here, it is recorded at what time the protection needs analysis was edited, when the status changed, and when it was completed.

Status and deletion of a protection needs analysis


A protection needs analysis can have different status variations. If the e-mail notifications are active in the management system, all persons relevant in the workflow are prompted to perform their tasks when the status changes. This would be, for example, the interview partner when an auditor requests a response or the auditor themselves when the response is returned.

Draft

  • When the protection needs analysis is saved for the first time or deactivated from the "In progress" status, it is in the "Draft" status. From here, the protection needs analysis can be activated, i.e. set to the "In progress" status.

In progress

  • If the review is activated, it will be set to the status "In progress". Now it is time for the lead auditor to perform the protection needs analysis or to request a response from the interview partner(s) by "Request response" (only for the type self assessment).
  • It can be returned to the "Draft" status by selecting "Deactivate review".
  • It can be moved to the "Closed" status by selecting "Close review".

Requested (only for self assessments)

  • If the protection needs analysis is requested by the lead auditor, it is placed in the status "Requested". The interview partner(s) will now be prompted via e-mail to perform the protection needs analysis.
  • It can be placed in the status "Answered" by selecting "Submit review".

Answered (only for self assessments)

  • If the protection needs analysis is returned by the interview partner via "Submit review", it is set to the status "Answered". The auditors are now prompted via e-mail to check the response.
  • It can be returned to the status "Requested" by selecting "Request response" again. The interview partner should then revise their response.
  • It can be put back into the status "Draft" by selecting "Disable review". The auditors will be informed of this.
  • It can be moved to the status "Closed" by selecting "Close review".

Closed

  • If the protection needs analysis is set to the status "Closed" by selecting "Complete review", the protection needs analysis becomes read-only and it can no longer be edited. This sets and weights the links between the resources and/or data to the OrgUnit or process in the structural analysis.

Delete a protection needs analysis.

  • Use "Delete review" to delete protection needs analyses that are not yet completed. Completed protection needs analyses cannot be deleted!

Select resources and/or data for analysis


The second step is to select the resources and/or data that will be analyzed in the protection needs analysis.

To add resources or data to the analysis, the "Select resources/data" button must be clicked. A dialog opens where the resources or data to be analyzed can be selected.

The tab can be used to switch between resources and data.

Tip:

Changes (creation/update/deletion) to resources and data categories lead to an automatic update of open protection needs analyses. This allows you to create or modify resources and data categories in a separate browser tab and then use them in the PNA right away, without having to reload it.


Overview of the resources and data categories
Adding resources and data categories


Analyze possible damages


The following figure shows the third step of the protection needs analysis (e.g., 2.1 or 2.2).


In this step, the resources and/or data are analyzed for possible damage that could occur if a protection target is violated. Violations are evaluated by the extent of damage. If there are results from earlier analyses, the justifications can be taken over with a double click into the respective line.

The extents of damage selected here are used in the structural analysis to set connections between the OrgUnit or process and the assessed resource or data and to weight their protection targets. This makes it possible in the structural analysis to examine the organizational unit or the process for dependencies and to identify risks.

To evaluate all resources and data, it is necessary to switch between the added resources and data via the bar to the left or the "Next" button.

The protection targets to be evaluated are specified by the management system and can be configured by experts under "Administration → Management Systems → Used protection targets".

Extents of damage can be created and managed by experts under "Risk management → Risk policy → Extents of damage".

Reassess protection needs analysis

Create reassessment with reassess button

A protection needs analysis can be reassessed if:

  • it is closed.
  • it is the youngest (meaning the one with the most recent begin date) protection needs analysis for the contained resources and/or data categories.

There are several ways to create a reassessment:

  1. Plus button: Create a new protection needs analysis for an organizational unit/process for which a completed protection needs analysis already exists. In this case, the tool automatically adopts the assessed resources and/or data categories. Any results can optionally be adopted.
  2. Reassess button: Create a reassessment via the Reassess button in the overview of protection needs analyses. In this case, the tool creates a new protection needs analysis based on the previous one. Here too, earlier results can be adopted. The current date is used as the date; for the time of day, the start and end times of the original protection needs analysis are copied.

Adopt results:

  • If enabled, the results of the underlying protection needs analysis are adopted when the reassessment is created. These are the assessments of the protection targets that were recorded.

Workflow plans

Tips, tricks & best practice

Relationships in the structural analysis generally lead to the highest protection need. These dependencies can be reduced with a protection needs analysis. One should therefore start with the analysis of those assets/resources/services that are most important to the organization and evaluate them regarding the requirements of the management system first.