Hierarchical information networks and security concepts

First of all, all the components which are relevant to the IT-basic protection of the information networks such as processes, applications, IT systems, industrial control systems networks, locations and generic aspects, are defined. The networks can be arranged and evaluated hierarchically. Each level can represent a different issue e.g. processes and procedures, security concepts and organisational structures. Each hierarchy can be evaluated separately, e.g. in order to create an overview of all security concepts at the Berlin site.

Structural analysis with centralised and decentralised target objects

In the structural analysis, all components of the information networks and processes, as well as security concepts are recorded and linked in their mutual dependencies. Assets or complete networks can be made available as a service or basic service in large organisations with distributed working. Sub-organisations can book these services, link them to their own security concept and use them as an own target object, with the stored level of protection. The responsibility for the basic protection check- and risk analysis lies with the provider; redundancies in security concepts are avoided.

Assessment of protection requirements with automatic inheritance

HiScout focuses on the information to be protected and inherits the identified protection requirements alongside the IT structure, in accordance with the individual target objects. It thereby considers the individual target objects that observe the cumulative effects which occur.
The mandatory protection requirements are compared to the agreed protection in case of offered or purchased services, in order to disclose any gaps in the protection coverage. Inheritance paths and origin are displayed transparently for each target object.
Protection requirements, protection requirement classes, damage scenarios and other parameters can be individually customised.

Automatic modelling in accordance with IT-Basic Protection

Relevant security requirements of the target objects are determined during modelling. This is required in order to evaluate the security of existing processes as well as those in the planning stage. BSI Basic Protection Compendiums and individual components can be maintained and modelled in HiScout Basic Protection. You can also store your own standard modellings for freely-definable target object types and automatically apply them.

Basic Protection check with the Questionnaire function

The individual security requirements of the basic protection components are automatically taken over. A tabular overview with graphical display shows the progress of the basic protection, core protection and standard protection and provides a quick overview of all modelled requirements of the basic protection compendium. Existing basic protection checks are integrated automatically or manually, as required. The implementation status for requirements, target object and network are clearly documented in a reporting.

Risk analysis with action plan

The HiScout risk analysis is carried out in three steps – risk overview, risk classification and risk treatment. The threats can be taken from the existing components and be enhanced manually. Using a risk matrix, the gross and net risk per hazard is automatically calculated based on the frequency of occurrence and impact. The evaluation levels and the resulting risk classes can be freely adapted to the requirements of the respective organisation. The implementation status of the measures is displayed transparently in the target objects and can be incorporated into the risk assessment. The measures are transferred to the basic protection check after the approval of the risk action plan. Risk analyses, which are no longer valid, are archived for future checks. The HiScout risk analyses fulfils the requirements for BSI standards 200-3 and 100-3, including suggested measures based on the cross-reference tables for the IT-Basic Protection Compendium.

Certifiable reference reports

The reference documents A1-A6, based on BSI standard 200-2, are created at the touch of a button and are immediately available for download. All reports can be customised according to individual specifications and company design if Customizing has been commissioned. The HiScout live reports are automatically displayed and updated.

PLAN –Taking stock, defining goals and action planning

Management system basics
Store all sets of rules and regulations, the specifications agreed upon contractually and individual industry norms (e.g. SOX, Euro-SOX and BAIT) in one system. Central norms such as ISO 2700X and COBIT are regularly updated. Administer your company’s entire IT security organisation, process descriptions and meetings.

DO – Implementation of the measures

Master data management and determining protection needs
Record and maintain your assets such as IT systems, applications, services and external service providers, as well as their logical and technical connections and dependencies. Determine the protection needs of the assets from the perspective of those responsible and have them passed on automatically along the recorded structures.

Risk analysis and action planning
Risk analysis can be carried out according to common market standards such as ISO 27005, ISO 31000 or BSI 200-3, and can be adapted to individual needs. Classify the hazards into risk classes by specifying their probability of occurrence and amount of damage. Assign threats to the target objects. Then plan the necessary security measures, including expenses for integrated cost planning.

Action management
For generic processes, the implementation of security measures is documented in the central action management via tracking and reporting. Role-based work areas, predefined workflows and automatic notifications, (e.g. for expiring implementation deadlines) help you in ensuring that the processing is reliable and time saving. Get a quick overview on the current status of the management system at any time.

Handling security incidents
The control and documentation of security incidents runs in a fully standardised manner with HiScout, and is fully transparent.

CHECK – Success control and monitoring goal-attainment

External audits and self-assessments
HiScout maps the entire audit and self-assessment process – from planning content and criteria, to recording the degree of fulfilment and any deviations – up to their treatment through measures. Clear and management-friendly reports of the entire audit process are created at the touch of a button. You can carry out the data collection de-centrally and automatically in HTML or PDF format with the questionnaire function in HiScout Questionnaire.

ACT – Elimination of deficiencies and improvements

The cycle starts anew
Thanks to the high level of flexibility and adaptability of HiScout, continuous improvements in your procedures and security processes are quickly stored in HiScout. In contrast to statically implemented tools, you can carry out these changes economically and without programming efforts.

Directory of the Processing Activities

You describe all activities occurring in your organisation where personal data (PD) is processed, in the processing activities registry (VVT). The VVT is a mandatory data protection document which complies with GDPR (General Data Protection Regulation), and is the basis for all further activities when creating a data protection management system. It contains the following information:

Privacy Impact Assessment (PIA)

A protection impact assessment with threshold analysis shows whether a Privacy Impact Assessment (PIA) is required. The protection requirement assessment includes a detailed description of the processing, the processed data, the recognised risks and the selected risk-reduction measures. The remaining risks of the processing activity for those affected will be examined, in case a Privacy Impact Assessment (PIA) is required. The PIA in HiScout covers all important areas required by GDPR (General Data Protection Regulation) – the description of the processing activities, weighing the purpose of the processing as opposed to the intervention of the rights of those affected, and the assessment of the residual risks of those affected after the use of minimised measures. Finally, the data protection expert assesses whether the processing activity is still permissible.

Deletion Concept

The HiScout Data Protection module supports you in administering and carrying out the deletion procedure in accordance with GDPR (General Data Protection Regulation), and in recording the retention periods and legal basis. Existing deletion concepts and other accompanying documents can be embedded. The data stored in the processing directories are automatically prepared and are compiled into a report at the touch of a button in HiScout Version 3.1.2 and higher.

Technical and Organisational Measures

To ensure secure processing, all organisations which use personal data must define and document technical and organisational measures (TOMs) in accordance with GDPR (General Data Protection Regulation). HiScout allows you to select the measures from all catalogues stored in the program as well as your own measures maintained in other modules. You can then assign these to a processing activity, e.g., from the BSI Basic Protection Catalogue or various compliance guidelines, as well as from the standard data protection module.

Order Processing Contracts

An order processing contract must be concluded in case personal data is processed in a specific order. HiScout Data Protection offers the following options for mapping order processing conditions in HiScout Version 3.1.2 and higher:

Transfer Impact Assessment

In order to comply with the new SCC (Standard Contractual Clauses) published by the EU Commission in 2021, a separate risk assessment must be carried out for data transfer to third countries. HiScout Data Protection supports you in carrying out the transfer impact assessment.