Protection needs

What is a protection needs analysis?

The protection needs analysis determines the protection needs for data or resources (IT systems, buildings, software, etc.) of organizational units or processes. The results of this analysis, the protection needs of the data and processes, can be examined in the structural analysis, for example, to identify risks and create measures and controls accordingly.

As can be seen in the figure above, professionals and experts can find protection requirement analyses that have been created in the current management system under "Risk management → Protection needs". All protection requirement analyses are displayed, regardless of whether they are completed, in progress or in draft status. Likewise, protection requirement analyses can be created or reassessed here, and workflow plans can be created.

You can download a report on one or more protection needs analyses as a PDF. This contains all marked protection needs analyses.

Special columns in the overview of protection needs analyses are:

Create a new protection needs analysis to gather the protection needs requirements for one, some or all of an organizational unit's or process's resources and/or data categories with a defined set of participants.

Create:

• Protection needs analyses can be created under "Risk Management → Protection needs" via the "Plus" button.

Edit:

• To edit a protection needs analysis, open the required protection needs analysis under "Risk management → Protection needs" by double-clicking on it.
• Completed protection needs analyses can be viewed, but no longer edited!

The following section describes the mapping in more detail:

Select OrgUnit/Process:

• In a protection needs analysis, either organizational units or processes can be analyzed. What is to be analyzed is selected via the audit item.
• This selection can only be changed as long as no resources were assigned in step 2. To be able to change the selection, the assigned resources must first be removed in step 2.

Note: If an organizational unit or a process already have a relationship to resources and/or data categories in the structural analysis, those will automatically be proposed to be added in step 2 of the protection needs analysis. Any protection needs analyses already done are also considered here. In addition, it's possible to adopt the previous analysis' results with the click of a button. The results can also be adopted later for each resource/data category.

Caution: Resources and data categories that already have an as yet open protection needs analysis in connection with the selected organizational unit or process are not automatically proposed and cannot be added manually either. To add them, any open protection needs analyses in the respective constellation must be closed first.

Audit:

• If this protection needs analysis is carried out in the course of an audit, you can relate the audit to the protection needs analysis here. If the protection needs analysis arises as a result of an audit, the fields lead auditor, interview partner, and start and end date of the audit are populated. Alternatively, the header data can be incorporated via the button on the right. (For more on audits, see Audit planning).

OrgUnit/Process:

• Depending on whether an OrgUnit or a process is analyzed, either the organizational unit or the process is selected here.
• This can no longer be changed after the first save!

Function:

• Is only displayed, if it was activated under "Audit management → Settings"
• Functions allow you to optionally further define the context of a review.
• Functions can be created and managed under "Audit management → Functions".

Name:

• The name of the protection needs analysis is entered here.

Description:

• The purpose of the protection needs analysis should be described here.

Lead auditor:

• The main examiner responsible for the protection needs analysis is entered here. They select the resources and/or data that will be analyzed in the course of the protection needs analysis. They determine additional examiners as well as interview partners.

Co-auditors/Companion(s):

• These are individuals who are included as subject matter experts for the protection needs analysis.

Interview partners:

• Interviews about resources and data are conducted with these individuals during the course of a protection needs analysis. In the course of a self assessment, they are tasked with identifying potential damages (see type).
• The users are pre-filled with those set as responsible for the selected organizational unit or process.

Start and end date:

• The planned time span of the protection needs analysis is entered here.

Type:

• Interview: The protection needs analysis is conducted together with the interview partner. The interview partner themselves cannot change anything in the protection needs analysis, but has insight into the analysis.
• Self assessment: the interview partner is tasked with determining possible damage in the event of violations of protection targets. The auditor requests a response via the "Request response" button (if the protection needs analysis has been activated) and reviews it after it has been answered.

Workflow plans:

• This shows, how many workflow plans the protection needs analysis is a part of, either actively or paused. Links can be set anew or deeleted here and existing links can be paused. Deactivated workflow plans are not offered for linking.

Created by workflow plan:

• If the protection needs analysis was created by a workflow, the respective workflow is shown here. You can navigate into the workflow with a simple click and take a look at its details.

Change log:

• Here, it is recorded at what time the protection needs analysis was edited, when the status changed, and when it was completed.

A protection needs analysis can have different status variations. If the e-mail notifications are active in the management system, all persons relevant in the workflow are prompted to perform their tasks when the status changes. This would be, for example, the interview partner when an auditor requests a response or the auditor themselves when the response is returned.

Draft

• When the protection needs analysis is saved for the first time or deactivated from the "In progress" status, it is in the "Draft" status. From here, the protection needs analysis can be activated, i.e. set to the "In progress" status.

In progress

• If the review is activated, it will be set to the status "In progress". Now it is time for the lead auditor to perform the protection needs analysis or to request a response from the interview partner(s) by "Request response" (only for the type self assessment).
• It can be returned to the "Draft" status by selecting "Deactivate review".
• It can be moved to the "Closed" status by selecting "Close review".

Requested (only for self assessments)

• If the protection needs analysis is requested by the lead auditor, it is placed in the status "Requested". The interview partner(s) will now be prompted via e-mail to perform the protection needs analysis.
• It can be placed in the status "Answered" status by selecting "Submit review".

Answered (only for self assessments)

• If the protection needs analysis is returned by the interview partner via "Submit review", it is set to the status "Answered". The auditors are now prompted via e-mail to check the response.
• It can be returned to the status "Requested" by selecting "Request response" again. The interview partner should then revise their response.
• It can be put back into the status "Draft" by selecting "Disable review". The auditors will be informed of this.
• It can be moved to the status "Closed" by selecting "Close review".

Closed

• If the protection needs analysis is set to the status "Closed" by selecting "Complete review", the protection needs analysis becomes read-only and it can no longer be edited. This sets and weights the links between the resources and/or data to the OrgUnit or process in the structural analysis.

Delete a protection needs analysis.

• By "Delete review" you can delete protection needs analyses that are not completed yet. Completed protection needs analyses cannot be deleted!

The second step is to select the resources and/or data that will be analyzed in the protection needs analysis.

To add linked resources or data categories and possibly adopt their previous results, the first button must be clicked. To add resources or data to the analysis, the second button must be clicked. A dialog opens where the resources or data to be analyzed can be selected.

The tab can be used to switch between resources and data.

Tip: Changes (creation/update/deletion) to resources and data categories lead to an automatic update of open protection needs analyses. This allows you to create or modify resources and data categories in a separate browser tab and then use them in the PNA right away, without havingt to reload it.

Tip: Multiple protection needs analyses can exist for one OrgUnit or process, so long as they evaluate different resources and/or data categories. Resources/data categories that are already being evaluated for an OrgUnit or a process (in an open protection needs analysis) are not proposed and also cannot be added manually.

The following figure shows the third step of the protection needs analysis (e.g., 2.1 or 2.2).

In this step, the resources and/or data are analyzed for possible damage that could occur if a protection target is violated. Violations are evaluated by the extent of damage. If there are results from earlier analyses, the justifications can be taken over with a double click into the respective line. The button in the top right corner allows you to adopt all results with one click.

The extents of damage selected here are used in the structural analysis to set connections between the OrgUnit or process and the assessed resource or data and to weight their protection targets. This makes it possible in the structural analysis to examine the organizational unit or the process for dependencies and to identify risks.

To evaluate all resources and data, it is necessary to switch between the added resources and data via the bar to the left or the "Next" button.

The protection targets to be evaluated are specified by the management system and can be configured by experts under "Administration → Management Systems → Used protection targets".

Extents of damage can be created and managed by experts under "Risk management → Risk policy → Extents of damage".

A protection needs analysis can be reassessed so long as there is no more current/younger PNA which evaluates at least one same resource or data category for the OrgUnit/process. In addition, the protection needs analysis needs to have been closed for the revaluation.

There are different ways of creating a reassessment:

1. Plus button: Create a new protection needs analysis for an organizational unit/a process for which there already exists a closed protection needs analysis. In this case the tool automatically proposes the evaluated resources and/or data categories for adoption in step 2. Any results can be adopted optionally.
2. Revaluate button: Create a revaluation via the revaluate button in the overview of protection needs analyses. In this case the tool creates a new protection needs analysis on the basis of the previous one. Here, too, previous results can be adopted. You set the begin date yourself and the end date is calculated from the data of the original protection needs analysis and preset, but can be changed.

Adopt results:

• If activated, the results of the base protection needs analysis are adopted in the creation of the new one. These are the evaluations of the protection targets that were recorded.
  

Example: When do I want to create a new protection needs analysis and when a reassessment? As a rule of thumb, the first protection needs analysis should be done together in the form of an interview. This way, everything can be talked about in detail and any questions can be clarified. When new persons enter the circle of participants or when there is a change in the linked resources and/or data categories, an interview appointment can be helpful as well. For this, a new protection needs analysis is created, even if previous results are adopted. Once this first hurdle is overcome, regular, e.g., annual, reassessments of the same resources and/or data categories can be sent out as self assessments. In this case, the same persons take part in the analysis and the same resources and/or data categories are talked about as before. Basically, you are just checking whether anything has changed in the protection needs in the meantime, e.g., the last year. Here, the workflow plans offer support.

A click on the purple button above the overview of protection needs analyses opens a list of all created workflow plans.

Workflowplans serve to automatically trigger the one-time or repeated execution of workflows. The objective here is the revaluation of already documented results. For protection needs analyses it is therefore possible to create revaluations of closed assessments to review the ongoing validity of the documented contents. For this they are sent to the interview partners, for example on a yearly basis. The interview partners of course have the option of changing or expanding on any of the results.

A new workflow plan can be created with the "plus" button.
An existing workflow plan can be copied with the "copy" button, which adopts the contents of the workflow plan definition, but not the executed workflows or the linked protection needs analyses.
Existing workflow plans can be opened with a double click.

State:

• Workflow plans are active by default. They can be deactivated or suspended here. Deactivated workflows are not offered for linking to a workflow within a protection needs analysis.

Name:

• Enter the name of your workflow plan here.

Description:

• State the purpose of the workflow plan here.

Responsibles:

• The responsible user is informed via e-mail a week before the workflow triggers. Should there be any problems or conflicts at that time (e.g., protection needs analyses to be sent out are currently in the processing state or the needed interview partners are missing), they are described in the e-mail and can thus be rectified in time. The responsible user is also informed when the workflow does trigger about which protection needs analyses were successfully sent and whether there were any problems or conflicts which impeded the sending of further protection needs analyses.

Inform management system responsible persons:

• If this checkmark is set, in addition to the user responsible for the workflow plan, the users responsible for the management system are also informed via e-mail about the upcoming and executed workflow.

Next execution:

• Determine when the workflow shall trigger the next time. At that point, new protection needs analyses on the basis of the linked protection needs analyses are created as self assessments and sent to the interview partner for answering.

Recurring workflow:

• If the workflow plan is to occur regularly, this can be configured here.

Protection needs analyses

This tab shows all linked protection needs analyses. This comprises the protection needs analyses used as templates as well as the new protection needs analyses created from them. At this point, individual protection needs analyses can be paused or reactivated in the workflow plan. An instant reassessment can be triggered for an individual protection needs analysis right here. Paused protection needs analyses are suspended for one cycle, but are then active again. If there are problems or conflicts with a protection needs analysis, this is also displayed here.

Note: In the selection of protection needs analyses to be linked you will find only those that have no or only a yellow conflict (see below). Protection needs analyses with a red conflict (see below) are not offered for selection.

Yellow warning triangles: If there is a conflict within the protection needs analysis itself, this is shown with a yellow warning triangle. Details of the conflict can be found in the tooltip, by hovering over the triangle with the mouse. Example: the analysis is not in the state closed or does not have an interview partner.

Red warning triangles: If there is a conflict with another protection needs analysis in the same or a different management system, this is shown with a red warning triangle. Details of the conflict can be found in the tooltip, by hovering over the triangle with the mouse. In addition, there is a link to the conflicting protection needs analysis. Example: there is a protection needs analysis for the same resource/data category with a younger start date.

Caution: Protection needs analyses that trigger a red warning triangle may also stem from a different management system. In this case, the management system is stated where the conflict is described.

Adopt results

• If activated, the results of the respective protection needs analysis are adopted when the reassessment is created. This concerns the evaluations of the protection targets that were recorded between the organizational unit or process and the linked resources and data categories.
• This checkmark can be set when adding protection needs analysis to the workflow plan, or afterwards directly in the overview of linked protection needs analyses.

This tab shows all past workflows of the plan, which have already been executed. It is displayed whether the workflow functioned as planned or failed and what any problems may have been.

What happens when the workflow plan is executed?
When the workflow plan is executed, reassessments are created for the linked protection needs analyses, and the respective interview partners are requested to respond. A reassessment evaluates the same resources and data categories for the same organizational unit or process as the original protection needs analysis. When is no reassessment created and requested?
No reassessment is created and requested if any of the following conditions apply:

• The reassessment of the protection needs analysis is paused.
• The protection needs analysis is not completed.
• The protection needs analysis has no interview partner.
• There is already another protection needs analysis for the same organizational unit or process that evaluates at least one overlapping resource or data category that:
  • is not yet completed, or
  • has already been completed but has a more recent start date.

Caution: The last case is especially relevant when you operate more than one management systems. If you have planned a protection needs analysis via the workflow, but a colleague in a different management system creates a protection needs analysis that meets the same criteria, that new protection needs analysis will block the workflow.

What happens to paused protection needs analyses?
If a protection needs analysis is paused, no reassessment will be created during the next execution. Instead, the analysis will be re-activated for the following execution cycle.

Why can some closed protection needs analyses be added to workflow plans and some can't?
Protection needs analyses that are closed and where a reassessment is possible can be added to a workflow plan. If a reassessment is not possible for any of the stated reasons, it also cannot be added to a workflow plan.

Relationships in the structural analysis generally lead to the highest protection need. These dependences can be reduced with a protection needs analysis. One should therefore start with the analysis of those assets/resources/services that are most important to the organization and evaluate them regarding the requirements of the management system first.

It makes sense to spread protection needs analyses across multiple workflow plans so they can be reassessed throughout the year, e.g., some in the spring and some in autumn. If, for example, you have created a workflow plan for the spring and one for the fall and those repeat annually, and you have an especially sensitive organizational unit that needs to be reassessed twice a year (in the spring and the fall), you can add the protection needs analysis to both the workflow plans.

If the circle of participants for a protection needs analysis changes, if many new resources/data categories are adde4d, or if there hasn't been a personal interview in a longer while, then we also recommend a manual reassessment as an interview.

If a protection needs analysis is assigned to a workflow plan and a reassessment is triggered manually (via the revaluate button), then this new protection needs analysis is assigned as the basis for the next workflow in the linked protection needs analyses. If the reassessment is deleted, the link is reset to the original protection needs analysis. Caution: if a new protection needs analysis revaluating resources/data categories was created with the plus button, this link is not established and it may cause conflicts.