Übersetzungen exportieren

Einstellungen

Gruppe

Sprache

Format

Für die Offline-Übersetzung exportieren

Im systemeigenen Format exportieren

Im CSV-Format exportieren

{{DISPLAYTITLE:Vulnerabilities}}What is a review?

In HITGuard, a review is understood to be the recording of deviations from a target state. For example, a review can be an audit by an external auditor. The findings that the auditor may have handed over to you in the form of a report can be entered in HITGuard as a so-called "review result".

Review results can also arise from a review with HITGuard. This is done by using knowledge bases in the "gap analyses". Here, a review is guided by structured questionnaires, with the help of which deviations from the desired target state are determined.

The target state is referred to as the target score level in HITGuard and can be set separately for each management system. Only experts or administrators can set and change the target score level under [[Special:MyLanguage/Managementsysteme#Aktiver_Analysezeitraum|"Administration → Management Systems"]].

== Reviews (gap analyses/review results) ==

Under "Risk management → Vulnerabilities → Reviews, professionals and experts can find all reviews that have been created in this management system. All reviews are displayed, regardless of whether they are completed, in progress, or in draft status. New reviews can also be created or requested here. Furthermore, the reviews can also be downloaded as PDF or Word files.

[[Datei:Risikoidentifikation Überprüfungen.png|left|thumb|900px|Overview of the reviews]]

=== Create/edit review ===

Review result:
* A review result means, for example, the findings that were handed out by the auditor in the course of an audit, possibly in the form of a report. 
* These findings can be entered using the "Add review result" button, accessible via the dropdown in the "Plus" button.

Gap analysis:
* Gap analyses are questionnaire-based reviews (KB) on specific topics. These questionnaires can be used, for example, to determine the degree of compliance with a standard. In addition to the questionnaire topics, other review results can be recorded.
* If a translation of the KB is available in the currently selected language (flag on the top right, next to the "Logout" button), it will be applied.
* To create a gap analysis, click on the "Plus" button.

In terms of procedure, the only difference between the two inspection options is that an inspection result cannot handle inspection objects based on knowledge bases.

To edit a review, double-click on it in the overview.

For more information on creating or editing a review, whether gap analysis or review result, see [[Special:MyLanguage/Überprüfung| Create/Edit review]].

===Copy review===
====Create duplicate====
A copy of a review can be created at the click of a button. For this, the structure of the review objects is taken from the original, but not the answers or any linked elements (measures, controls,...). Copies are created with "- Copy" in the name in the state "Draft".
====Create reassessment====
A reassessment of a review can be created at the click of a button.  but you can decide whether you want to also adopt the answers and justifications. Reassessments are created with "- Revaluation" in the name in the state Draft. The original must be in the state Closed for this to work.

A re-evaluation of a review can be created with the click of a button. Here, not only the structure of the review objects is copied from the original, but you can also choose whether to copy the original answers and justifications. For answers, you can select whether to include all, only positive, or no answers. For justifications, you can (regardless of the answers) adopt all justification texts from the original or set a placeholder. Re-evaluations are created with “- Re-evaluation” in the name and have the status “Draft.” The original must be in the “Closed” status for this to work.

===Workflowpläne===
Ein Klick auf den lila Button oberhalb der Übersicht der Abweichungsanalysen und Prüfergebnisse öffnet eine Liste aller erstellten Workflowpläne.Workflowpläne sind dazu da, die einmalige oder wiederkehrende Ausführung von Workflows automatisiert anzustoßen. Dabei geht es um die Neubewertung von bereits dokumentierten Ergebnissen. Bei den Abweichungsanalysen/Prüfergebnissen können somit Neubewertungen von bereits abgeschlossenen Analysen zur Überprüfung der weiteren Gültigkeit der dokumentierten Inhalte an Interviewpartner auf z.B. einer jährlichen Basis ausgesendet werden. Die Interviewpartner haben natürlich die Möglichkeit, die Inhalte auch zu verändern oder zu erweitern.

A new workflow plan can be created with the "plus" button. 
An existing workflow plan can be copied with the "copy" button, which adopts the contents of the workflow plan definition, but not the executed workflows or the linked reviews. 
Existing workflow plans can be opened with a double click.
[[Datei:Workflow_WorkflowplanDefinition_AAPE.png|left|thumb|900px]]

State:
* Workflow plans are active by default. They can be deactivated or suspended here. Deactivated workflows are not offered for linking to a workflow within a gap analysis/review result.
* One-time workflows are automatically changed from the state Active to the state Deactivated after their execution.

Name:
* Enter the name of your workflow plan here.

Description:
* State the purpose of the workflow plan here.

Responsibles:</>
*The responsible user is informed via e-mail a week before the workflow triggers. Should there be any problems or conflicts at that time (e.g., reviews to be sent out are currently in the processing state or the needed interview partners are missing), they are described in the e-mail and can thus be rectified in time. The responsible user is also informed when the workflow does trigger about which reviews were successfully sent and whether there were any problems or conflicts which impeded the sending of further reviews.

Inform management system responsible persons:
* If this checkmark is set, in addition to the user responsible for the workflow plan, the users responsible for the management system are also informed via e-mail about the upcoming and executed workflow.

Next execution:
* Determine when the workflow shall trigger the next time. At that point, new reviews on the basis of the linked reviews are created as self assessments and sent to the interview partner for answering.

Recurring workflow:
* If the workflow plan is to occur regularly, this can be configured here.

This tab shows all linked reviews. This comprises the reviews used as templates as well as the new reviews created from them. At this point, individual reviews can be paused or reactivated in the workflow plan. An instant reassessment can be triggered for an individual review right here. Paused reviews are suspended for one cycle, but are then active again. If there are problems or conflicts with a review, this is also displayed here.

Note: In the selection of reviews to be linked you will find only those that have no or only a yellow conflict (see below). Reviews with a red conflict (see below) are not offered for selection. It is also shown, if the review is already assigned to workflow plans and which ones.

Yellow warning triangles: If there is a conflict within the review itself, this is shown with a yellow warning triangle. Details of the conflict can be found in the tooltip, by hovering over the triangle with the mouse. Example: the analysis is not in the state closed or does not have an interview partner.

Red warning triangles: If there is a conflict with another review in the same management system, this is shown with a red warning triangle. Details of the conflict can be found in the tooltip, by hovering over the triangle with the mouse. In addition, there is a link to the conflicting review. Example: there are two reviews in the workflow plan referencing the same review object.

Possible conflicts
*The review is not in the state Closed.
*The review does not have an interview partner.
*A review object of the review is contained in multiple linked reviews.
*A review object of the review is contained in a not closed review.

Adopt results
Adopting results happens in two steps. First, you select which version of the knowledge base should be used for the reassessment. Second, you configure which answers and justifications from the previous review should be adopted. This configuration is first made while assigning the reviews. YOu can also edit it when they are already assigned.
[[Datei:Workflow_AA_ErgebnisseÜbernehmen.png|left|thumb|900px]]

====Durchgeführte Workflows====
Dieser Tab zeigt alle vergangenen Workflows des Plans an, die bereits durchgeführt worden sind. Hier wird dargestellt, ob der Workflow funktioniert hat oder fehlgeschlagen ist und was etwaige Probleme waren.

====Workflow plan FAQs====
What happens when the workflow plan is executed?
When the workflow plan is executed, reassessments are created for the linked reviews, and the respective interview partners are requested to respond. A reassessment evaluates the same review objects for the same organizational unit as the original review.
When is no reassessment created and requested?
No reassessment is created and requested if any of the following conditions apply:
*The reassessment of the review is paused.
*The review is not completed.
*The review has no interview partner.
*There is already another review that contains a newer version of one of the review objects that is not completed.
What happens to paused reviews?
If a review is paused, no reassessment will be created during the next execution. Instead, the analysis will be re-activated for the following execution cycle.

=== Navigation in the wizard === 
The following section explains how the navigation in the review wizard works.

[[Datei:Wizard Navigation.png|left|thumb|900px|Review wizard]]

The navigation in the wizard for performing checks works as follows:
* Clicking on "Next" takes you to the next step or to the next review question.

* Clicking on "Back" takes you to the previous step or to the previous review question.

* Clicking in the navigation tree on the left side will take you to the desired location.

* At the bottom left of the navigation mask, the review questions can be displayed in the navigation tree via a "Review questions" checkbox. The wizard remembers whether the checkbox was selected or deselected and maintains the desired behavior.

* If you show the review questions, you can also navigate to them via the tree. In the same way, you are taken back to the review question/result if you have left the review by creating a measure or control. Generally, the left part always shows the review questions/results that are currently visible on the right.

* "Save" and "Close" behave self-explanatorily.

Regardless of the type of review you perform (gap analysis using a knowledge base or recording review results) the processing steps in the perform review wizard are essentially the same:
# Create and save review
# Add topics or review objects and activate review
# Answering the review objects or the possibility to request an answer in the "self assessment" by the interview partner
# Check responses or identified gaps
# Complete the review

A review can be performed by an expert or professional. However, he also has the option of requesting the answer to the review from his interview partner in HITguard. Via workflow support, the interview partner receives a request for this and can complete the response and then return it to the expert. The expert checks the results and can mark the review as completed and archive it. The handling of deviations from the review is possible at any time, even if a review has already been completed. Measures and controls can also be linked at any time.

=== Status and deletion of a review===

[[Datei:Überprüfung Stati wechseln.PNG|right|thumb|900px]]

A review can have different states. If the e-mail notifications are active in the management system, all persons relevant in the workflow are prompted to perform their tasks when the status changes. This would be, for example, the interview partner if an auditor requests a response, or the auditor themselves if the response is returned.

The status of the review can be changed via the blue button in the upper right corner.

Draft
* When the review is saved for the first time or deactivated from the "In Progress" status, it is in the "Draft" status.
* "Draft" means that the review is not yet active and no one has been informed about the review by the system.
* From this status, the review can be activated, i.e. set to the "In Progress" status.

In progress
* If the review is activated, it will be set to "In Progress" status. As a result, the interview partner and auditor will see it under "My tasks."
* Now it is time for the lead auditor to perform the review or request a response by "Request Response" from interview partners (only for self assessments). 
* It can be set back to the status "Draft" by selecting "Deactivate review".
* It can be set to the status "Closed" by selecting "Close review".

Requested (only for self assessments) .
* If the review is requested by the lead auditor, it will be set to "Requested" status. The interview partner will be prompted via e-mail to perform the review.
* The interview partner can set the status to "Answered" by clicking on "Submit review" after the review has been conducted.
* Requested self assessments are marked with a badge.

Answered (only for self assessmentse) .
* If the review is returned by the interview partner with "Submit review", it will be set to the status "Answered". The auditors will be prompted by an e-mail to check the response.
* Answered self assessments are marked with a badge.
* It can be returned to the status "Requested" by selecting "Request response" again. The interview partner must then revise their response.
* It can be put back into the status "Draft" by selecting "Deactivate review" (only auditors will be notified).
* It can be moved to the status "Closed" by selecting "Close review".

Closed
* If the review is set to the "Closed" status by "Close review", it is read-only and it can no longer be edited.
* Caution: A self assessment can only be closed if there is at least one interview partner.
* Exception: Even in already closed reviews, measures and controls can still be added to or removed from review questions.

Delete a review.
* With "Delete review" you can delete reviews that are not completed yet.
* Caution: By deleting, the review objects created in this review as well as gaps already assigned to risks will also be deleted!

==== Change review type (interview <=> self assessment) ====

The type of review can be changed only in the "Draft" status. If the type is changed to "Self assessment", the end date changes to the reply deadline.

If the wrong type was set and the check was activated, the check must first be reset to the "Draft" status by "Deactivate check".

====Tips, tricks & best practice====
[[Datei:BESTPRACTICE.png|left|thumb|100px]]
*This type of analysis is a powerful tool in HITGuard. It is a central component of risk identification and treatment. Detected gaps can be linked with reduction measures and/or monitoring controls directly within the analysis.
*The crucial benefit of doing this in one step is that any gaps, measures, and controls can be assigned to the identified risk. If the review object is also linked with a structural element, such as an application, this information is also comprehensibly shown in the details of that element.
*Revaluating instead of evaluating again. From time to time, generally at regular intervals, the status quo should be ascertained again. For this, HITGuard offers the revaluation of analyses, which allows the updating of previous analyses instead of having to perform a completely new analysis. Previous answers can be viewed and even carried over. This makes the development of a review object even more apparent.

== Review objects ==

Under "Risk management → Vulnerabilities → Review| Objects of review | Gaps | Clarification needed", you will find all the review objects that were created in the course of reviews in the current management system.

[[Datei:Prüfobjekte Übersicht.png|left|thumb|900px|Overview of the review objects]]

Clicking on a review object opens the detailed view.

[[Datei:Prüfobjekt bearbeiten.png|left|thumb|901px|Edit review object]]

Here you can see how the review object was answered. Likewise, if several versions of the review object are available, you can view how the assessment of the review object has developed from one version to the next. Only the header data of a review object can be edited via this mask. This means that this mask cannot be used to answer a review object.

=== Initiate semi-automatic revaluation ===

Due to the implementation of measures, it can happen that review objects are proposed for semi-automatic revaluation. This always happens if the measure was either created in the course of a check for a review object or linked to a review object, the "after" value of the vulnerability reduction was set, and the measure is implemented. If a measure is implemented, the linked review objects are marked with "Revaluation recommended".

To avoid having to perform a new review every time a measure is implemented, HITGuard offers the option of subjecting these marked review objects to a semi-automatic revaluation. This means that HITGuard automatically updates the gap of the respective review questions of the review objects. A separate review is created for each individual organizational unit. In this process, the review questions that are affected by the implementation of measures are set to the "after" value of the vulnerability reduction.

Execution:
# Select review object.
# Click the orange arrow "Initiate semi-automatic revaluation".
# Select the gaps to be updated.
# Click the orange arrow "Perform revaluation for selected gaps".

[[Datei:RNDezember2019 4.png|left|thumb|901px|Semi-automatic revaluation]]

===Tips, tricks & best practice===
[[Datei:BESTPRACTICE.png|left|thumb|100px]]
Review objects can be evaluated multiple times within one analysis. For example, BSI's IT Grundschutz offers a module "Web applications". If various web applications are operated in an organization, it is recommended to answer the module for each one of them. This means the module should be selected multiple times across one or more reviews and linked to the respective resources. Additional tip: Give your review objects meaningful and telling names, such as "Web application 123_Cloud". This allows you to simply search the review objects when doing a revaluation.

== Gaps==

Under "Risk management → Vulnerabilities → Reviews | Objects of review | Gaps | Clarification needed", you will find all gaps that were identified during the performance of reviews.

[[Datei:Abweichungen Übersicht.png|left|thumb|900px|Overview of gaps]]

The columns "Measure missing", "Target value missing", "Target value too low" can be used to find out against which gaps nothing or too little has been done. These gaps are tagged in the grid. If a gap does not have a tag, this means that attempts are being made to correct the gap.

Here you have the option to assign gaps that have not yet been assigned to a risk.

Double-clicking on a gap opens the review at the point where the gap was detected. Here, measures and controls for the gap can now be defined. For more information, see [[Special:MyLanguage/Prüffragen_beantworten| Answer review questions]].

Optionally, it is possible to display a column that shows whether the line is a review question (from a knowledge base) or a review result (freely entered). This allows experts to then expand their self-developed knowledge bases by review results that are often added to reviews during the interview.

===Filter gaps===

[[Datei:Abweichungsfilter.png|right|thumb|900px|Abweichungsfilter]]

With the filter, it can be selected which type of gaps is displayed:
*negative: review questions/results that were evaluated < the target score
*none: review questions/results that were evaluated = the target score
*positive: review questions/results that were evaluated > the target score

=== Target score weighting===

What the target score level is and where it is set can be found under [[Special:MyLanguage/Managementsysteme#Aktiver Analysezeitraum | Management systems]].
Wherever gaps occur, there is an additional form of sorting: the target score weighting. This is possible, for example, under "Risk management → Vulnerabilities → Gaps".

If activated, the sorting of protection targets is based on the target score weighting. The greater the deviation from the target score level and the greater the weighting of the protection target, the greater the target score weighting: target score weighting = deviation level * weighting of the protection target.

Note: A response of "No" corresponds to score level 1, "Partially" corresponds to score level 3.

Examples for illustration: Protection goal weighting: Mean (3).
*score of deviation = 2, target score = 4 =&gt; Degree of deviation = 2, target score weighting = 2 * 3 = 6.
*score of deviation = 4, target score = 4 =&gt; degree of deviation = 0, target score weighting = 0 * 3 = 0.

[[Datei:Zielreifegrad Gewichtung anwenden.gif|left|thumb|900px|Apply target score weighting]]

== Clarification needed ==

Under "Risk Management → Vulnerabilities → Reviews | Objects of review | Gaps| Clarification needed", you will find all review questions/review results that were marked with "Clarification needed" in the course of a review.

[[Datei:Abklärungsbedarf Übersicht.png|left|thumb|900px|Overview of review questions/review results requiring clarification]]

This label is necessary in practice if you cannot yet clarify how the question is to be answered when answering a review question. This can happen if, for example, you would need to consult another person or otherwise research the information. Following a series of reviews, the system evaluates which questions still need to be researched. This is exactly what the "Clarification needed" view is for.

If you click on a review question/result, you will be redirected to it.

It is also possible to export a list of all review questions/results requiring clarification via the "Export" button (next to the search bar). This provides an easy-to-use list of the review questions that require clarification.