Resources

Resources are systems, people, buildings or other entities that are required for the execution of processes or for the functionality of an organizational unit. HITGuard offers the possibility to build up resource structures and to graphically display their effects and dependencies on other systems via the structure analysis.

Under "Administration → Resources" you can manage the resources as an admin or expert.

To create a resource click the "Plus" button.

To edit a resource, double-click on the corresponding resource.

Name: The name of the resource.

Description: Used to describe the resource.

Type: Resources are divided into model segments. In the individual segments, resources can be further structured via resource groups, whereby resource groups only serve the structure and cannot be used for valuations or similar. Resources themselves can be assigned to resource groups. They can be linked to test objects in gap analyses or test results. This means that they can also be assigned to risks, which means that they can be directly linked to measures and controls.

Select group color/group:

Resource group: That color with which the resources of this group are outlined in the structure analysis.

Resources: Resources can be assigned to resource groups here.

Model segment: Model segments are used for general grouping of structural elements. They are specified by HITGuard and include:

• Application level
• IT infrastructure level
• OT infrastructure level
• Physical security
• Process level

Person responsible: The user who is responsible for the content of the resource.

Advisor: The user responsible for this at the model segment level (e.g., the IT level or physical security).

Score: The score at which the resource is evaluated.

Node color: The background color of the resource/resource group in the structure analysis.

Protection need class: The protection need of the resource/resource group. For more information about protection need classes, see protection need.

RTO:

RTO or Recovery Time Objective specifies how long a business process/system may be down. In this context, the RTO specifies the time that may pass from the time of damage until the complete recovery of the business processes (recovery of: Infrastructure - Data - Reprocessing of data - Resumption of activities) may pass.

Undefined means that the RTO of this resource is not further relevant.

Secured means that, e.g., an SLA or another kind of contract exists, in which the provider of the resource assures to keep a certain RTO. This document can also be deposited at this point.

The RTO can be entered in hours but also minutes. In either case it is then converted into hours and shown as a decimal number in the overview.

The RTO is only shown with the resource, if the protection target RTO is used in the management system.

RPO:

RPO oder Recovery Point Objective gibt an, wie viel Datenverlust in Kauf genommen werden kann. Dabei gibt die RPO den Zeitraum an, der zwischen zwei Datensicherungen liegen darf. Das heißt: Wie viele Daten/Transaktionen zwischen der letzten Sicherung und dem Systemausfall höchstens verloren gehen dürfen.

The RPO can be entered in hours but also minutes. In either case it is then converted into hours and shown as a decimal number in the overview.

The RPO is only shown with the resource, if the protection target RPO is used in the management system.

External ID: With this ID a resource can be connected with an external resource via updates. That means: If a resource is imported with matching ID, then no new resource is created for it, but the one with matching ID is updated.

Risks: For resources only. All risks of the resource are listed here. It is not possible to assign risks here. More about risks can be found here.

Delete resource: To delete in the edit screen, click on the red trash can.

In the "Relationships" tab, all existing connections to the resource are listed. Experts can give the resource new connections or edit or delete already existing ones.

Incoming connections: the resource depends on the listed nodes.

Outgoing connections: the listed nodes depend on the resource.

create a new connection:

1. First, you must select whether the connection is incoming or outgoing.
2. Secondly, the destination or outgoing node must be selected.
3. Now only "Add" must be clicked.

edit/delete connections:

• Each connection is weighted using protection goals. (See protection goals) These protection goals can be set manually if they have not been set by a Protection needs analysis. To change the weighting of the protection target, see Edit protection target.
• Connections, if not weighted by a protection needs analysis, can be deleted by clicking on the red trash can.

These tabs list deviations, measures and controls that are related to the entity via test objects. These tabs are only overview lists. This means that no deviations, measures or controls can be assigned manually here.

Historical deviations are displayed in gray.