
Glossary

From HITGuard User Guide
Revision as of 7 February 2025, 11:55 by FuzzyBot (talk | contributions) (importing a new version of the source page)


Clarification needed

During a review there can be uncertainty about the answer to a review question, or follow-up queries can arise that cannot be answered right away. Such review questions can be marked with "Clarification needed". They are then listed in the overview under Risk management → Vulnerabilities → Clarification needed and can be worked through there without further ado.

More on the Clarification needed tag can be found under Vulnerabilities → Clarification needed.

Gap

A gap is the difference from the desired target score that is identified in a gap analysis or a review result. Generally these are underfulfillments, which are then shown as risks or clustered into risks, and mitigated or eliminated with measures. Overfulfillments are also identified and can be useful in opportunities management.

Find more on gaps here.

Gap analysis

In a gap analysis, a review question catalog from a knowledge base is answered with the help of an assistant, which reveals deviations from the intended target score. It can be conducted as an interview or sent to the responsible person and/or interview partner as a self assessment. New review objects can also be added in the course of an interview.

Find more on gap analyses here.

Dossier

A dossier is created for one or more tickets in case management and helps the support team in solving the reported problems, clarifying circumstances, and handling incidents. Aside from the relevant tickets, reviews, risks, measures, and controls can also be linked to the dossier.

Find more on dossiers here.

Analysis period

An analysis period is used to make the different elements of a management system evaluable and comparable. Using various KPIs on the dashboard, analysis periods can be compared with each other side by side.

Analysis periods are defined by Experts in the management system; successor periods are created manually or at defined intervals. Every analysis period has a start date, an end date and a target score, and the relevant organizational units can be assigned to it. For measure tracking, an editorial deadline is also set so that progress reports can be requested in time.

Find more on analysis periods under Administration → Management systems.

Audit cluster

To simplify the planning of audit programs and audits, organizational units that are close to each other regionally or thematically, and are therefore often audited together, can be grouped into audit clusters.

Find more on audit clusters under Audit management → Audit clusters.

Companions

Companions support external lead auditors, who have no HITGuard access of their own (see External auditors), in the execution of reviews.

Observer

Observers are a user role in HITGuard.

For more on user roles, see Administration → Users/User roles.

Support team

The support team is the team that's responsible for incoming tickets in the case management.

Find more on the support team here.

Co-auditor

Co-auditors support internal lead auditors in the execution of reviews.

Compliance manager

Compliance managers are a user role in HITGuard.

For more on user roles, see Administration → Users/User roles.

DPIA

DPIA stands for data protection impact assessment (DSFA in German). Under the GDPR, a documented decision must be made for each processing activity (PA) as to whether a data protection impact assessment is to be carried out; this decision is the so-called DPIA requirement assessment. Both the DPIA requirement assessment and the DPIA itself can be performed in HITGuard under Data protection → DPIA.

Recognized at

In measures it is possible to note through which event the need to implement the measure was recognized. If a measure is created from a risk or from a review, this field is prefilled with that element's name.

Experts

Experts are a user role in HITGuard.

For more on user roles, see Administration → Users/User roles.

Externals (data protection)

Externals in the context of data protection are external legal or natural persons, meaning companies or people, who receive personal data from your company or transmit personal data to you. Externals can be recorded under Data protection → Externals.

Find more on externals in data protection here.

External auditors

External auditors are lead auditors from outside the organization who do not have their own HITGuard access. They should therefore always conduct audits together with a companion. They can be created under Audit management → External auditors and then entered as lead auditors in audits and reviews.

Determination type

The recording of determination types can be activated in the audit management settings. The following classifications are then available with answers in reviews: major deviation, minor deviation, note, recommendation, model implementation. They can be highlighted specifically in KPIs and reports.

Progress report

A progress report is a notification from the responsible person(s) for a measure to the responsible person(s) of a management system, stating the current status of the measure. Usually progress reports are requested, but they can also be submitted proactively if that option is activated.

Find more on progress reports here.

Function

Functions can be used in audit management to capture additional information on reviews. For example, a single user can be questioned through the lens of a team leader or a facility manager.

Find more on functions here.

ID in third party system

In HITGuard it is possible to import existing data, e.g. risks or organizational units, from other sources (e.g. SAP). The ID in the third party system makes it possible to keep data consistent across applications: if an import is performed and the ID of an imported data set matches an existing ID, no new data set is created; instead the existing data set is updated with the imported one.

Example: You use SAP to manage organizational units and import them monthly to HITGuard to bring all changes from SAP into HITGuard.

For more information, see Data import.
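The matching rule above, as an added worked example that is not part of the HITGuard user guide or the product's own code: records are keyed by their ID in the third party system, a matching key updates the existing record in place, an unknown key creates a new one, and rows with an empty or duplicated ID are rejected rather than guessed at. The `OrgUnit` fields, the `source:id` key format (IDs are only unique within their source system, so they are qualified with it) and the sample SAP export are assumptions made here, not HITGuard's schema.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example of an import keyed by "ID in third party system".
# Field names, the "source:id" key format and the sample data are assumptions,
# not HITGuard's data model.


@dataclass
class OrgUnit:
    key: str                  # "<source system>:<ID in third party system>"
    name: str
    parent: Optional[str] = None


def record_key(source: str, third_party_id: str) -> str:
    # IDs are only unique within their source system, so qualify them with it;
    # otherwise SAP "1000" and another system's "1000" would collide.
    return f"{source}:{third_party_id}"


def import_org_units(existing: dict, rows: list, source: str) -> dict:
    """Merge rows exported from `source` into `existing` (key -> OrgUnit).

    Matching key  -> the existing record is updated in place (no duplicate).
    Unknown key   -> a new record is created.
    Empty or duplicated IDs in the file are rejected instead of guessed at.
    """
    created, updated, rejected = 0, 0, []
    seen_in_file = set()
    for row in rows:
        third_party_id = (row.get("id") or "").strip()
        if not third_party_id:
            rejected.append((row, "missing third-party ID"))
            continue
        if third_party_id in seen_in_file:
            rejected.append((row, "duplicate ID within the import file"))
            continue
        seen_in_file.add(third_party_id)

        key = record_key(source, third_party_id)
        parent = record_key(source, row["parent"]) if row.get("parent") else None
        if key in existing:
            existing[key].name = row["name"]
            existing[key].parent = parent
            updated += 1
        else:
            existing[key] = OrgUnit(key, row["name"], parent)
            created += 1
    return {"created": created, "updated": updated, "rejected": rejected}


# Constructed sample: one unit already in HITGuard and a monthly SAP export.
EXISTING = {"SAP:1000": OrgUnit("SAP:1000", "IT")}
SAP_EXPORT = [
    {"id": "1000", "name": "IT Operations"},           # matches -> updated
    {"id": "2000", "name": "HR", "parent": "1000"},    # unknown -> created
    {"id": "", "name": "Orphan"},                      # rejected: no ID
    {"id": "2000", "name": "HR (copy)"},               # rejected: duplicate
]


def run_sample():
    """Run the import on a copy of EXISTING and return (state, result)."""
    state = {k: OrgUnit(v.key, v.name, v.parent) for k, v in EXISTING.items()}
    result = import_org_units(state, SAP_EXPORT, "SAP")
    return state, result
```

The rejection of empty IDs matters in practice: an exporter that emits a blank ID column would otherwise either create an orphan on every run or, worse, match every blank row against the same record.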

Information gathering

Information gathering is a review question in a knowledge base that has no evaluation and therefore does not affect the score. It is used to collect information such as the number of employees or regulatory documents.

Interview

If a review or protection needs analysis in HITGuard is of the type Interview, the task is not completed by the interview partner. The lead auditor and any co-auditors or companions conduct the assessment as an interview together with the responsible persons and/or interview partners and fill out all forms themselves.

Edge

An edge is a connecting line between two entities in the structural analysis. It shows whether a dependency relationship exists, in which direction the dependency runs (arrow direction: who depends on whom) and with what percentage the dependency is weighted.

Find more on edges and their use here.
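The edges described above, modelled as a weighted directed graph in an added example that is not part of the HITGuard user guide or the product's own code: each edge carries a direction (who depends on whom) and a percentage weight, and the functions answer the two questions an edge exists for, what an entity depends on and what depends on it, plus a check a practitioner wants before trusting a structural analysis, namely that the dependencies contain no cycle. The tuple convention `(dependent, dependency, weight)`, the entity names and the sample edges are assumptions made here.

```python
from collections import defaultdict

# Constructed example: structural-analysis edges as a weighted directed graph.
# (a, b, w) means "a depends on b, weighted w percent". The convention and the
# sample entities are assumptions made here, not HITGuard's data model.
EDGES = [
    ("Payroll process", "HR database", 100),
    ("HR database", "DB cluster", 100),
    ("DB cluster", "Storage array", 80),
    ("Payroll process", "Identity provider", 60),
]


def build_graph(edges):
    """Adjacency map entity -> {dependency: weight}; every entity gets a node."""
    graph = defaultdict(dict)
    for src, dst, weight in edges:
        if src == dst:
            raise ValueError(f"self-dependency on {src!r}")
        if not 0 < weight <= 100:
            raise ValueError(f"weight of {src!r} -> {dst!r} must be 1..100 percent")
        graph[src][dst] = weight
        graph.setdefault(dst, {})
    return dict(graph)


def depends_on(graph, entity):
    """Direct dependencies of `entity` (arrow direction), with weights."""
    return dict(graph[entity])


def dependents(graph, entity):
    """Entities that depend on `entity` (the reverse direction), with weights."""
    return {src: targets[entity] for src, targets in graph.items() if entity in targets}


def transitive_dependencies(graph, entity):
    """Everything `entity` depends on, directly or indirectly."""
    seen, stack = set(), [entity]
    while stack:
        for dep in graph[stack.pop()]:
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def find_cycle(graph):
    """Return one dependency cycle as a list (first == last entity), or None."""
    WHITE, GREY, BLACK = 0, 1, 2          # unvisited / on current path / done
    colour = {node: WHITE for node in graph}
    path = []

    def visit(node):
        colour[node] = GREY
        path.append(node)
        for dep in graph[node]:
            if colour[dep] == GREY:        # back edge: dep is on the current path
                return path[path.index(dep):] + [dep]
            if colour[dep] == WHITE:
                found = visit(dep)
                if found:
                    return found
        path.pop()
        colour[node] = BLACK
        return None

    for node in graph:
        if colour[node] == WHITE:
            cycle = visit(node)
            if cycle:
                return cycle
    return None
```

A cycle such as a storage array that is recorded as depending on the payroll process it serves is almost always a modelling error, and it makes any evaluation that walks the dependencies run in circles, so the check belongs before the numbers are used.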

Control definitions

Control definitions are the basis of controls in HITGuard. Experts or Professionals give them master data, implementers, examiners and a repetition schema.

Control

Controls are the repeating tasks that are triggered on the basis of control definitions.

KPI

The term KPI stands for key performance indicator and is used in business administration to describe key figures that can be used to measure and/or determine progress or the degree of fulfillment with regard to important objectives or critical success factors within an organization. In HITGuard, KPIs can be added to dashboards and are used to give overviews and for reporting.

Find more on dashboards here.

LDAP

LDAP (Lightweight Directory Access Protocol) is a standard network protocol that HITGuard can use to authenticate users, so that users log in with the credentials of your authentication provider. Note that with an LDAP simple bind the user's password is sent to the directory server, so the connection between HITGuard and the directory should be protected with TLS (LDAPS or StartTLS).

For more information about this, see Login options and Global settings.

Management system

A management system is a thematic bundling of elements, meaning measures and progress reports, controls, determinations and gaps, audits and reviews, etc.

The elements are assigned to a team of responsible Experts and Professionals for monitoring and workflow handling (e.g. the information security management team or the data protection team). All elements managed in a management system are also historized per analysis period and thus made comparable.

OrgUnit

OrgUnits, or organizational units, map the structure of a company. A company usually consists of several organizational units that take part in the individual process steps; each process step in turn takes place in one or more organizational units. The creation and processing of data in these organizational units during the process steps is predominantly IT-supported, using IT systems. In HITGuard, the process steps occurring in an OrgUnit, as well as the data and resources used in the process, can be mapped with the Structural analysis.

Practitioners

Practitioner is a user role in HITGuard.

Find more on user roles here.

Professionals

Professional is a user role in HITGuard. Find more on user roles here.

Process question

Process questions are review questions in knowledge bases that are answered with a level of maturity as per the CMMI model (maturity level 0 to maturity level 5).

Review result (RR)

In a review result, question catalogs that are not part of a knowledge base, together with their answers, are entered into HITGuard with an assistant. The review objects and review questions can be entered in full after an assessment, edited together in the course of an interview, or sent to the responsible person/interview partner as a self assessment. In this way, for example, the contents of an external audit can be documented and included in evaluations.

Risk policy

The risk policy is the collection of risk management parameters and settings in HITGuard, for example protection targets, extents of damage, probabilities of occurrence and the risk matrix. Under Risk management → Risk policy, these and further factors can be configured for all management systems in order to get the maximum benefit from the different risk management analyses and workflows.

Find more on the risk policy here.

RPO

RPO, or Recovery Point Objective, indicates how much data loss can be accepted. It specifies the maximum period of time that may elapse between two data backups, in other words the maximum amount of data/transactions that may be lost between the last backup and the system failure. If no data loss is acceptable, the RPO is 0 seconds.

RTO

RTO, or Recovery Time Objective, specifies how long a business process or system may be down. It is the time that may pass from the moment of damage until the business processes are fully recovered (recovery of infrastructure, data, reprocessing of data, resumption of activities). The time period can range from 0 minutes (systems must be available immediately) to several days, in some cases weeks.

Advisor

The advisor is the user whom the responsible person asks to complete a task in the different HITGuard modules. For many elements, such as risks or processing activities, both a responsible person and an advisor are set so that work can be delegated.

Self Assessment

If a review, protection needs analysis or processing activity in HITGuard is of the type Self Assessment, the activity is carried out by the person in charge or the interview partner, for example. The responsible person requests a response to the activity from that person; the person in charge or interview partner answers and returns it to the responsible person, who can then check and accept the response or request a new one.

Structural question

Review questions in knowledge bases can be added as structural questions. Their answer is not part of the score calculation; instead it determines whether and which sub-questions are answered next.

Teams

Teams consist of at least one member and are responsible for implementing the tasks assigned to them (measures, controls, audits, business impact analyses, etc.). Members of a team are responsible for working on the tasks assigned to them and receive an e-mail requesting them to implement these tasks.

The team leader only needs an overview of the team. Team leaders can see which tasks are assigned to their team, but are not responsible for implementing them (unless they are also members) and therefore receive no e-mails requesting implementation. They can still implement the tasks if necessary. Team leaders are only informed when a deadline is exceeded, e.g. for controls or progress reports.

Find more on teams here.

Technical question

Technical questions are review questions in knowledge bases that are answered with Yes, No, or Partially.

Sub-question

Every structural question in a knowledge base can have sub-questions. Unlike structural questions, sub-questions are part of the score calculation. Which sub-questions are asked can be defined depending on the answer given to the structural question.
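The question types defined in this glossary (information gathering, process question, structural question, technical question, sub-question) together describe how a knowledge-base score is built, so here is an added worked example that is not part of the HITGuard user guide or the product's own code. It models a small catalog, lets the structural answer select the sub-question branch, scores technical questions as Yes/No/Partially and process questions as CMMI maturity 0..5, leaves information gathering and structural questions out of the score, and reports underfulfillments against a target score. The numeric weights (Yes=1, Partially=0.5, No=0, maturity/5, unweighted average), the `Question` fields and the sample catalog are assumptions made here; HITGuard's actual scoring formula is not stated on this page.

```python
from dataclasses import dataclass, field

# Constructed model of a knowledge-base question catalog. The weights below are
# assumptions for the example, not HITGuard's scoring rules.
YES_NO_PARTIALLY = {"Yes": 1.0, "Partially": 0.5, "No": 0.0}
MAX_MATURITY = 5  # CMMI maturity levels 0..5


@dataclass
class Question:
    qid: str
    kind: str                 # "technical" | "process" | "information" | "structural"
    answer: object = None     # str for technical/structural/information, int for process
    # structural questions: answer -> list of sub-questions asked for that answer
    sub_questions: dict = field(default_factory=dict)


def question_score(q):
    """Normalised score 0..1 of a scored question, or None if the kind is unscored."""
    if q.kind == "technical":
        if q.answer not in YES_NO_PARTIALLY:
            raise ValueError(f"{q.qid}: technical questions take Yes/No/Partially")
        return YES_NO_PARTIALLY[q.answer]
    if q.kind == "process":
        if not isinstance(q.answer, int) or not 0 <= q.answer <= MAX_MATURITY:
            raise ValueError(f"{q.qid}: process questions take maturity 0..{MAX_MATURITY}")
        return q.answer / MAX_MATURITY
    return None  # information gathering and structural questions have no evaluation


def collect_scored(questions):
    """Yield (qid, score) for every scored question that was actually asked."""
    for q in questions:
        if q.kind == "structural":
            # the structural answer decides which sub-question branch is asked
            yield from collect_scored(q.sub_questions.get(q.answer, []))
        else:
            score = question_score(q)
            if score is not None:
                yield q.qid, score


def catalog_score(questions):
    """Unweighted average of the asked, scored questions, as a percentage."""
    scored = list(collect_scored(questions))
    if not scored:
        return 0.0
    return round(100 * sum(s for _, s in scored) / len(scored), 1)


def gaps(questions, target_pct):
    """IDs of questions scoring below the target (underfulfillments)."""
    return [qid for qid, s in collect_scored(questions) if 100 * s < target_pct]


# Constructed sample catalog.
CATALOG = [
    Question("Q1", "information", answer="250 employees"),   # collected, not scored
    Question("Q2", "technical", answer="Partially"),
    Question("Q3", "process", answer=3),                     # maturity 3 of 5
    Question("Q4", "structural", answer="Yes", sub_questions={
        "Yes": [Question("Q4.1", "technical", answer="No"),
                Question("Q4.2", "technical", answer="Yes")],
        "No":  [Question("Q4.3", "technical", answer="No")],
    }),
]
```

With the sample data, Q1 and Q4 contribute nothing to the score, the "Yes" branch of Q4 brings Q4.1 and Q4.2 into the calculation, and against a target of 80 percent the gaps are Q2, Q3 and Q4.1. Answering Q4 with "No" instead would replace that branch with Q4.3, which is the behaviour the structural/sub-question definitions above describe.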

TOMs

TOMs are technical and organizational measures, i.e. controls, applied when handling personal data.

According to Art. 32 GDPR, controllers and processors are required to implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk. The criteria that TOMs must meet, as well as some examples of appropriate measures, are described in Art. 32(1) GDPR.

Find more on the creation and use of TOMs in HITGuard here.

Review

There are three types of reviews in HITGuard:

  1. Gap analyses
  2. Protection needs analyses
  3. Review results

Implementer

The implementer is set in control definitions. It is the user who executes the control after it has been triggered and then returns it for examination.

Find more about controls here.

Responsible

A responsible person (or several) or a responsible team (or several) can be set for the various elements in HITGuard. For elements of the core data (e.g. resources or organizational units), the responsible person is purely informative and not actively involved in any workflow. For elements of the different management modules, the responsible person is also involved in workflows: they implement measures and report their progress, evaluate risks and processing activities, and see reviews under My tasks, for example.

The context of each element reveals the role of its responsible person; the role can be looked up on the respective pages of the Online Help.

Processing register

A processing register in HITGuard is the collection of all processing activities of the management system. It can be structured into company and organizational registers.

Processing activity/PA

PA is the abbreviation for processing activity. A legal definition of the term can be found in Art. 4(2) GDPR, where "processing" is defined as:

  • any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.

This means that any operation that processes personal data in any way, whether the data is merely stored or used for analysis, is a processing activity.

Effectiveness test

An effectiveness test is performed to determine whether the implementation of a measure has achieved the desired effect in the short and/or long term. It takes the form of a follow-up measure or a control that addresses the new status quo.

Knowledge base/KB

A knowledge base is a catalog of review questions used to determine compliance and score. Knowledge bases can be acquired from TogetherSecure as a subscription or created freely directly in the tool.

Find out more about knowledge bases under Administration → Knowledge bases.

Central management representative

If the audit management add-on is activated, the central management representative can be recorded under Audit management → Settings. This user is then preset as the creator for all new audit programs.