Workflow with VIVA
i-doit already offers diverse options for IT documentation, and they can be adapted to the specifications and needs of the respective (organizational) environment. The VIVA add-on is no exception: even though the underlying IT-Grundschutz standards provide many specifications, they are open to interpretation in numerous places, and VIVA attempts to do justice to this. Nevertheless, some work sequences have become established in practice and are described in more detail in this chapter. The example makes no claim to be complete or binding. Further (intermediate) steps, such as adapting the documentation, are probably necessary.
The goal of this workflow is to create a solid documentation basis to later support auditing and certification according to ISO 27001 based on IT-Grundschutz.
- Preparing the VIVA installation: i-doit's IT documentation contains objects (including location and software assignment as well as port connections, if possible) that are modeled as services and are to be covered by IT-Grundschutz.
- Manage IT-Grundschutz catalogs
    - Import IT-Grundschutz catalogs EL 15 from 2016
    - Adapt building blocks, measures and hazards (optional)
- Model information federation with target groups and objects
    - Create information federation
    - Run IT service wizard (layer 5 applications); then:
        - Application wizard (layer 3 IT systems)
        - IT system wizard (layer 2 infrastructure)
        - IT system wizard (layer 4 networks)
- Determine protection requirements
    - Adapt protection requirement categories
    - Determine protection needs of target groups in layer 5 Applications; then run wizards:
        - Protection Needs Wizard (Layer 3 IT Systems)
        - Protection requirement wizards (layer 2 infrastructure)
- Assign modules and implement measures
    - Assign the necessary modules for each target group
    - Document the implementation of measures for each target group
    - Answer test questions
- Perform risk analysis
    - Perform supplementary safety analysis
    - Perform risk analysis if necessary
- Create audit
    - Review reports and repeat steps 2-5, if necessary, until reports no longer provide unavoidable negative results
    - Store information on reference documents A.0 and A.1
    - Create audits
    - Post-process output