Risk Policy

All settings and configurations made here are globally valid. I.e. they affect all management systems and can only be edited by experts or administrators.

Each standard as well as each management system pursues a given purpose. Goals are defined to ensure their protection.

Manufacturer-specific protection targets (acc. to ISO 27001, ISO 80001):

• Confidentiality
• Availability
• Integrity

The manufacturer-specific protection targets are subsequently used in risk assessments and structural analyses. These objectives are mapped in the knowledge databases to examination questions or, if required, to other risks or measures. Although these protection targets can be renamed or deactivated, they cannot be deleted. They are marked under "Risk management → Risk policy → Protection targets" as "Manufacturer-specific protection targets".

Additional protection targets can be freely defined and edited by experts.

An example for a protection target:

Since some manufacturer-specific protection targets are only required for certain industries, not all defined protection targets are supplied as standard. However, these can be imported if required. To do this, simply click on the arrow next to the plus and select the desired target for import.

This function is needed, for example, to import knowledge bases created by HITGuard that require a protection target that is not delivered by default.

The probability of occurrence is the estimated probability of the occurrence of a specific event in a given future period (e.g. 1x in 30 years).

As the figure below shows classes of probabilities of occurrence can be freely defined. The number of categories, the name of the occurrence probability classes as well as their description and stored occurrence probabilities (in frequency per period) are freely configurable.

Risk factor:

The risk factor serves as a multiplier for calculating the risk ratio of a risk. The risk factor of the selected probability of occurrence is multiplied by the risk factor of the selected extent of damage, thus determining the risk ratio.

The risk ratio serves to rank the risks. The higher the risk index, the greater the significance of the risk.

Factual:

This checkbox can only be activated for one probability of occurrence. If selected, this probability of occurrence is treated as absolute. Risks, opportunities and impacts evaluated as such are then fact. The factual probability of occurrence is marked as such when choosing it in the risk/opportunity/impact.

Example based on and extended to TR719 (80001):

Damage is not necessarily of a monetary nature. It can be determined, for example, by loss of effectiveness, image damage or patient damage. For this reason, HITGuard offers the possibility to freely configure criteria for the extent of damage. These criteria can then be mapped to extent of damage classes and thus be used for protection needs analyses.

Criteria for the extent of damage can be defined under "Risk management → Risk policy → Criteria for extent of damage".

Extent of loss is divided into classes. The loss severity classes are based on the risk-bearing capacity of the company. The highest loss severity class should therefore be based on the maximum loss that the company can bear.

If you want to use different damage extent classes in one or more management systems, then create an additional classification of extent of damage and benefit for this purpose. You can then create new damage extent classes for these.

Then assign the newly created classification to the desired management system as a classification under "Risk management → Settings".

Classes and classifications can be defined by administrators and experts by clicking on the plus next to the classes/classifications. (see figure)

Monetary damage:

Here you define how high the monetary damage of a class is.

PNA Edge weight:

This value represents the dependency that the extent of damage represents in a protection needs analysis in percent and is used in the graph as the edge weight.

The basis for determining the value can be, for example, the lower limit, upper limit or the mean value of a protection needs class.

Example:

Damage extent class	PNA edge weight
insignificant	10%
Low	20%
Moderately	40%
Up	60%
Catastrophic	100%

Risk factor:

The risk factor serves as a multiplier for calculating the risk ratio of a risk. The risk factor of the selected probability of occurrence is multiplied by the risk factor of the selected extent of damage, thus determining the risk ratio.

The risk ratio serves to rank the risks. The higher the risk index, the greater the significance of the risk.

This risk factor furthermore serves as criterium for the color of extent of damage classification in protection needs reports. On a color scale from green to red, the lowest risk factor results in the color green and the highest in the color red. Risk factors between those two result in colors according to their relative position on the scale from green to red.

Add criterion:

Here the criteria already created can be mapped to an extent of damage class. Furthermore, in the context of the class it should be described what kind of damage must occur to fulfill a criterion.

Examples for damage extent classes:

Benefit is not necessarily of a monetary nature. It can be determined, for example, by heightened effectiveness, improved image, or patient health. For this reason, HITGuard offers the possibility to freely configure criteria for benefit. These criteria can then be mapped to classifications of extent of damage and benefit and thus be used in protection needs analyses.

Criteria for benefits can be defined under "Risk management → Risk policy → Criteria for benefit".

Benefits are divided into classes. These are based on the company's ability to take advantage of opportunities. The highest benefit should, therefore, be based on the maximum benefit the company is able to achieve.

If you want to use different benefit classes in one or more management systems, then create an additional classification of extent of damage and benefit for this purpose. You can then create new benefit classes for these.

Then assign the newly created classification to the desired management system as a classification under "Risk management → Settings".

Classes and classifications can be defined by administrators and experts by clicking on the plus next to the classes/classifications. (see figure)

Monetary benefit:

Here you define how high the monetary benefit of a class is.

Opportunity factor:

The opportunity factor serves as a multiplier for calculating the risk ratio of an opportunity. The risk factor of the selected probability of occurrence is multiplied by the opportunity factor of the selected benefit, thus determining the risk ratio.

The risk ratio serves to rank the risks and opportunities. The higher the risk ratio (meaninng, the further away from zero), the greater the significance of the opportunity.

Add criterion:

Here the criteria already created can be mapped to a benefit class. Furthermore, in the context of the class it should be described what kind of benefit must occur to fulfill a criterion.

Since protection goals can have different meanings in different classifications, it is possible to specify synonyms for the respective classifications in terms of their naming. For example, the protection goal "confidentiality" can be interpreted as privacy in the context of the data protection classification (see figure). This means that wherever the protection goal is applied, the protection goal characteristic of the damage extent classification of the data privacy management system - i.e., the designation "privacy" - is displayed.

This menu item is only visible if at least two damage extent classifications exist.

The protection requirements of a resource, organizational unit, data category, or process are based on the extent of damage that can occur if its operation is impaired. Since it is often not possible to determine the exact amount of damage, you should define classes that are suitable for your application.

Protection Needs Classes can be created and managed by administrators or experts under "Risk Management → Risk Policy → Protection Needs".

The previously defined damage extent classes fall into different protection needs classes depending on the height of your PNA edge weight (the higher the edge weight, the higher the protection need).

The so-called PNA edge weight range (from to) ensures that a dependency analysis can be used in the structural analysis to determine a protection needs class for a data category or resource. This determination is derived from the PNA edge weight range. For all incoming protection target relationships per resource or data category, the edge dependency is determined in % with the highest PNA value and the corresponding protection need class is determined from the range.

The color is used to signal the importance of a class in the structural analysis.

Examples for protection needs classes:

• Normal: The damage effects are limited and manageable (0-30% PNA edge weight).
• High: The damage effects can be considerable (30-70% PNA edge weight).
• Very high: The damage effects can reach an existentially threatening, catastrophic magnitude (70-100% PNA edge weight).

The risk matrix for each protection requirement class results from the combination of extent of damage (vertical) and probability of occurrence (horizontal). For this purpose, the respective risk factors are multiplied in order to obtain the risk ratio. The higher the risk or opportunity ratio (as in, the further away from zero), the more critical a risk is and the more urgent it must be dealt with in order to prevent serious consequences, and the greater an opportunity is and the sooner it should be taken advantage of to gain a benefit.

Administrators and experts can specify in which color a risk indicator is displayed in the dashboard and structural analysis (the more critical and urgent a risk is, the more alarming the color should be) under " Risk Management → Risk policy → Risk matrix". Furthermore, the risk indicator serves to rank the risks and opportunities on the dashboard.

For each classification of extent of damage and benefit there is a separate risk matrix that can be configured.

The data classification specifies how data is to be handled, depending on your classification. This depends on the confidentiality of the data and the corresponding desired level of protection.

The number of categories, the name of the data class and its description are freely definable. A new class can be created using the "Plus" button.

It is usually possible to derive an association so that the different protection needs for each data class can be explained by the extent of damage associated with the confidentiality risk. Mapping between data classes and damage severity classes is therefore possible.

If several damage extent classifications exist, it is necessary to select from which classification the damage extent originates.

Example:

The abilities to control are used to evaluate the quality of the risk treatment measures and controls that have already been implemented for a risk. More about the context of their application can be found here.

The abilities to control available for that evaluation can be managed here.

A new ability to control can be created with the "plus" button. Existing ones can be deleted with the "trash can" button.

The following abilities to control are offered by default:

• nicht relevant | not relevant - The ability to control the risk with the assigned set of measures and controls is not relevant.
• initial | initial - The ability to control the risk with the assigned set of measures and controls is in an early state of development.
• gemanagt | managed - The ability to control the risk with the assigned set of measures and controls can done successfully.
• definiert | defined - The ability to control the risk with the assigned set of measures and controls is reproducible and can be handled with an adapted standard process.
• gemessen | measured - The ability to control the risk with the assigned set of measures and controls is measurable with a statistical control.
• optimiert | optimized - The ability to control the risk with the assigned set of measures and controls is measurable with a statistical control and can improve the modus operandi.

These classes are recommendations and can be edited by Expert users; they are only available in German in the tool.

To be better able to manage and thus treat identified risks, opportunities, and impacts, categories can be defined under "Risk management → Risk policy → Categories of risks/opps and impacts".

New risk categories can be added with the "Plus" button. They can be renamed at any time. Categories that have not been selected for any risks/opps/impacts can also be deleted. The "Delete" button is deactivated for any categories that are currently in use.

Individual risks, opportunities, and impacts can be assigned to and grouped by one or more category.

An ilmpact can be of different natures. Therefore, HITGuard offers the possibility to freely configure criteria for impacts. These criteria can then be mapped to impacts.

Criteria for impacts can be defined under "Risk management → Risk policy → Criteria for impacts".

The impact classifications describe the scale, scope, and remedy (only for negative impacts) of an impact. The are used in the materiality analysis to evaluate positive and negative impacts on the organization from outside and outwards by the organization. Using criteria, additional details can be recorded for the individual impacts.

Impact classes can be defined for each of the three classifications.

Add criterion:

Here the criteria already created can be mapped to an impact class. Furthermore, in the context of the class it should be described what kind of circumstance must occur to fulfill a criterion.

Impact factor:

The impact ratio is calculated from the impact factors of the impact classes and the risk factor of the probability of occurrence. Like the risk ratio, it shows how big or small an impact is by a company on its environment.