Risk assessment

In this overview, all hazard situations from the different management systems are displayed. It is also possible to display only the hazards of the current management system. Furthermore, hazard situations can be set to private, so that they are only displayed in the management system in which they were created.

If you click on a hazard situation, you can edit or view it. Then it is possible to view which gaps, measures or controls are assigned to this hazard situation.

Caution:

• A hazard situation that is not "private" can be assessed separately for each management system that uses different damage extent classifications. That is, assessments apply only to management systems that use the same extent-of-damage classifications.

A hazard situation can be a collection of gaps that form a concrete danger for the linked entities.

Gaps occur in the course of a review. This is the case, for example, when review questions of review objects are answered "negatively" or below the target score. Subsequently, the gaps can be assigned to hazard situations.

The review objects containing the review questions can also be associated with entities (resources, data categories, processes and/or organizational units). This association creates a specific hazard situation for the affected entities, which is visible in the structural analysis.

Hazard situations can also be recorded freely.

Freely recorded hazard situations normally have no linked gaps, but such gaps can be assigned to them. Freely entered hazard situations can, for example, be a list of risks that was already maintained before HITGuard was implemented, e.g. with Excel. Such lists can be imported using the Data importer.

Hazard situations can then be evaluated by selecting a probability of occurrence and an extent of damage. This results in the risk score according to which the hazard situation is displayed in the risk management dashboard, for example. This evaluation is done according to the extent of damage classification. This means: if a hazard situation was evaluated in one management system with classification "Standard", it can be evaluated differently in another management system with classification "Privacy" (as long as it is not marked as "Private").

The assessment/review of hazard situations can be delegated to the registered advisor (see workflow button). They will then find the hazard situation under their tasks to assess/review.

Within the hazard situation itself:

• the key data are displayed.
• all gaps assigned to the hazard situation are displayed.
• the measures/controls assigned to the gaps are listed.
• the measures/controls that are manually assigned to the hazard situation are listed.

Furthermore, every change in the hazard situation/risk assessment is logged. This documentation can be found in the menu item "Development over time".

Important: These should be post-documented for hazard situations created before HITGuard Release October 2020. More on this can be found under Time evolution.

Abbreviation:

• In the abbreviation, enter the abbreviated title of the hazard situation.

Status:

• Active: The hazard situation still exists.
• Closed: The hazardous situation has been resolved.
• Accepted: They are aware of the hazard situation, but will not fix it at this time for various reasons.
• Changes here are logged (Time evolution).

Private:

• If you set the hazard situation to private, the hazard situation will only be displayed in the current management system. Otherwise, it is visible in any management system and can be evaluated for any damage extent classification.
• However, measures, controls, and gaps are only visible in the respective management systems in which they were created, regardless of whether the hazard situation was marked as private.

Workflow Button:

• Request review

This allows advisors to request a review/reassessment of the hazard situation. Advisors will find requested reviews in their tasks in "My Tasks → Hazard Situation".

• Accept review

If the review is returned by the advisor, it can be accepted here. If the review is incorrect or insufficient, it can also be requested again.

Designation and description:

• In the designation, write what the hazard situation should be named.
• In the description, describe/explain the hazard situation.

Notes:

• Here, it can be explained how it came to the assessment of the hazard situation.

Coping srategy:

• This option should describe how the hazard situation will be dealt with.
  • Undefined (it has not yet been determined how to deal with it)
  • Avoidance (Waiver of the activity; in fact, the hazardous situation should then also be closed)
  • Reduction (Probability of occurrence is reduced by measures)
  • Transfer (Outsourcing of the hazard; e.g. by rolling over the hazard)
  • Acceptanz

Probability of occurrence:

• Here, you can enter how likely it is that the hazard situation will affect the company.
  For more information, see Probability of occurrence
• Changes here are logged (Time evolution).

Extent of damage:

• Here, you can enter how big is the potential damage that can be caused by the hazard situation.
• Only damage extents of the classification of the current management system are available.
• Changes here are logged (Time evolution).

Responsibility and Advisors:

• The person in charge is the primary contact for the hazard situation.
• The advisors are responsible for risk handling. If a review of the hazard situation is requested, the advisors are responsible for the review.

Assigned protection goals and weightings:

• Here, you can record which protection goals are affected to what extent when the hazard situation occurs.
  Example:

Hazard situation: Break-in in the server room.

Protection goal	Weighting	Explanation
Confidentiality	4	Break-in to steal a hard disk
availability	4	The burglar could destroy something
integrity	3	He could also change something in the system

Norm mapping:

• If the hazard situation deals with one or more norm chapters they should be entered here.

Affected structural elements:

• All structural elements are listed here that are related to the hazard situation by the gaps.
• By opening the drop-down menu, structural elements can be linked to the hazard situation. Furthermore, it can be seen here from which test object the automatically set links come.
• Example:

The hazard situation "Temperature problems in server rooms", for example, is linked to the structural element "Server room" via a gap when checking the server rooms.

ID in third-party systems:

By this ID the hazard situation can be updated by an import of a hazard situation. For this, the ID must match the ID of the hazard situation of the import. This field should only be set manually if the hazard situation actually originates from a third-party system, but the hazard situation was already created manually before an import and is to be updated by imports in the future.

This tab lists all gaps that are assigned to the hazard situation. This is normally the result of the gap handling of a review. However, you can also assign existing gaps to the hazard situation here.

Target score weighting:

• If enabled, the sorting of protection targets is based on the target score weighting. The greater the deviation from the target score and the greater the weighting of the protection target, the greater the target score weighting. More about the target score weighting can be found here.

Caution: Only gaps of the current management system are displayed. Just because the hazard situation in this management system has no gaps does not mean that none exist.

Display of gaps:

• Black: Gaps assigned to this hazard situation that have not been corrected.
• Green: Gaps assigned to this hazard situation that have been remediated or indicated as having at least the target score.
• Gray: These are historical gaps. These were identified in previous reviews and assigned to the hazard situation. In the meantime, the test items of these reviews have already been subject to a reassessment.
• Moved to Hazard Situation xx: The gap was originally assigned to the currently presented hazard situation. In a further step, the assignment changed to another hazard situation: hazard situation xx.

Click on "Assign gaps" to open a screen for assigning gaps.

This tab lists all measures and controls that have been assigned to the hazard situation and therefore contribute to the risk treatment. Depending on their state they are displayed either in the top or the bottom table, more on this below. The measures and controls either come from the assignment of a gap, are selected from the available list (link button) or are created here specifically for the hazard situation (plus button).

Find out more about creating measures here and more about creating controls here.

If measures and controls come from a gap, the assignment to the hazard situation can only be removed by removing the assignment to the respective gap. Assignments of measures or controls selected from the available list or created here can be removed with the button to the right of the measure or control.

Caution: Only measures and controls of the current management system are displayed. The hazard situation not having any measures or controls in this management system does not mean it doesn't have assigned measures or controls in a different management system.

The gross (inherent) risk is the evaluation of the risk before any measures and controls for its treatment have been put into effect. The gross risk is marked with a badge in the tab Temporal development when it is first recorded. The information in the tab Measures and controls reflects that and cannot be changed manually.

The button to the right opens a risk matrix that shows a graphic visualization of the risk.

These measures and controls were introduced to treat the original gross risk. Through them the risk is turned from the gross (inherent) risk into the current risk. They are finished and/or canceled measures, as well as active control definitions with successful executions.

If a new measure or control is implemented and thus inserted into this table, it is recommended to revaluate the hazard situation. The hazard situation and the triggering measure or control are then marked with "Revaluation recommended". The revaluation shows whether the current risk has changed with the impact of the implementation. In the case of measures, this is only triggered if the "Implemented" date was set and doesn't fall on the same day of the last relevant revaluation (a relevant revaluation in this context is a change entry in the temporal development log where either extent of damage or probability of occurrence were changed).

Ability to Control:

• This is the evaluation of the quality of the set of risk treatment measures and controls that has already been implemented.
• The abilities to control available for selection can be configured in the Risk policy.

Current risk:

• The current risk is the evaluation of the risk after all already implemented measures and executed controls for its treatment have been taken, and before the still planned measures and controls have been implemented.
• Again, a risk matrix to show the position of the current risk is available through the button to the right.

These measures and controls are planned for the treatment of the current risk and are meant to reduce it to the planned net (residual) risk. They are open, planned and/or suspended measures (not implemented), as well as suspended, deactivated and/or active control definitions without executions.

Net risk:

• The net (residual) risk is the evaluation of the risk in the following scenario: 1) all implemented and planned, yet-to-be-implemented measures have been taken AND 2) all implemented and yet-to-be-implemented controls have been put into effect. As this is a prognosis for the future, three variations are to be recorded: best case, most likely case, worst case.
• The evaluation of the net risk can be done either with the dropdown boxes or directly in the displayed risk matrices. A click into a square in a matrix sets the corresponding values for probability of occurrence and extent of damage.

For each change in the probability of occurrence, extent of damage and/or status, the person making the change must make an entry to the change log with the reason and date for their change. Only when this is entered can the change be made. A log subsequently appears in the temporal evolution of the hazard situation. Changes to the extent of damage assessment only appear in the management systems that use the same extent of damage classification.

The first entry defining both probability of occurrence and extent of damage is marked with "Gross risk" here and is shown as the gross risk in the tab measures and controls.

Important: Time developments can also be entered manually. To do this, click on the "Plus" button in the overview.