January 2022: New version of the Diri software

January 2022: New version of the Diri software



Happy new year to everyone!

We are excited to announce that we are launching a new version of the Diri software on the 17th of January. We are launching many new features and making improvements to existing ones. You can quickly familiarize yourself with them in this post.

The topics are:
  • New features
    • Copy and re-use risk assessments
    • The Diri control matrix
    • API
    • New dashboard cards
    • New risk assessment type for quick analysis
  • Generic improvements
    • Visual improvements
    • Usability
    • Improvements to the Organizational risk assessment
    • Generic risk assessment improvements
    • Global and system specific controls
    • Follow up of tasks, treatments, and expire dates
    • Minor changes and improvements

New features

Copy and re-use risk assessments

Are you delighted with one or more of your assessments? Or is the same IT system in use multiple places? Existing risk assessments can now be copied and re-used in other parts of the organization. The copy functionality allows for selective censorship of either sensitive information or unnecessary details for others to see. You can choose what to keep and where to place the copy. The copy option is available in the top right corner of the risk assessment dashboard.


The Diri control matrix - a major step towards Diri compliance

We assure you that we have big plans for Diri. One of them is the innovative Diri control matrix, a security control visualization tool to display how well the system security is managed. Our security control categorizations are tightly coupled with the best practice and divide controls into three types and four classes. The control matrix shows how security controls are categorized and their implementation status. The matrix is clickable and allows for drill-down. The control matrix is an innovation that adds significant transparency to your assessment and will enable you to audit systems and organizations like never before. You can find it in your risk assessment dashboard, below the registration and assessment process.


Application Programming Interface (API)

The entire Diri solution is built to support data flow in and out. This feature is essential for easy integration with existing systems. The most apparent integration is companies with a help desk and ticketing system for handling tasks. As tasks are also generated in Diri, we must integrate to send and receive tickets with existing systems to avoid complicated workflows. There are many exciting opportunities for an API, and we are exploring the possibilities.
The API keys are generated for each organization in Diri. To access the API, you have to be an administrator. Click on "Organisation" in the main menu, and click on the edit icon for the organization you wish to access. The API documentation and key generation are available below the user invitation feature. Keys are generated and shown once. Access is withdrawn by deleting the API key. 
Contact us for more information on how to use the Diri API.

New dashboard cards

There are two new data visualization cards you can add to your dashboard. The first one is an organizational risk matrix containing all the identified risks. The second is a histogram that counts the number of systems containing each asset type. Both are available through the configuration icon in the upper right corner of the dashboard.


New risk assessment type for quick analysis

Were you worried when the "Log4j" vulnerability recently hit the scene? We have added an option for risk assessing specific problems that are not bound to specific systems or the organizational risk assessment. This problem analysis approach is tailored for cases such as the Log4j vulnerability, where one quickly needs to get an overview of the situation, map out implications, and implement countermeasures. The assessment allows you to choose implicated existing systems and promptly access the Diri risk analysis. 


Generic improvements

Most of the things you know and love in Diri will stay the same, but we have added some improvements.

Visual improvements in forms and data collection instruments

We have made visual improvements to the data collection forms in the risk assessment process. Illustrated in the picture below, old version on the left and the new one on the right. The text guidance now clearly belongs to the question, and we have added even spacing for all data collection fields:


Usability

A summary of the usability improvements:
  • All mandatory fields are now marked with an asterisk* to avoid unnecessary interruptions in the workflow
  • The Diri help menu now has its scrollbar to improve usability when working with longer forms with many items.
  • Added a tree selector for administrators that want to re-position their users up and down in the organization.
  • Administrators no longer have to re-authenticate changing organizational affiliation


Improvement to the Organizational risk assessment

The organizational risk assessment is quickly developing to become one of the most valuable features in Diri. The assessment now allows you to profile your organization and quickly list existing IT systems, risks, assets, and controls. The controls are listed in the Treatments-list and can be applied in future risk assessments for those with access to the object. Other minor changes:
  • We have hidden the "Next/Previous"-buttons in the Diri-helper to avoid misclicks and dataloss.
  • The assessment facilitates adding risk assesment participants (this is now standard for all risk assessment types)
  • Treatments listed in the quick-listing are easily available for use in the organizational risk assessment



Generic risk assessment improvements

  • We have added the library function for standardizing consequence descriptions similar to "Events." Diri will still retain your old consequence name but convert the old categorization to the new format.
  • Diri now shows your asset evaluation results when implicating an asset in a consequence; The information classification of the asset helps guide your consequence estimate when considering breaches to confidentiality, integrity, or availability. The old (left) and new (right) are illustrated in the figure below.



  • Color codes on probability and consequence estimates in the risk matrix have been updated to be coherent with the risk matrix.


Global and system specific controls

One of the most complex issues in a risk management system is the many-to-many relationships between risk assessment objects (IT systems) and security controls. It is not uncommon that a control (treatment) has implications for the risk of many IT systems. Managing this is an essential issue as it prevents the same treatment from being registered and recommended multiple times. 

We call it a global control when a unique control is included in more than one assessment. Typical global control mechanisms are single sign-on solutions that provide access to many systems and network firewalls that protect multiple systems and servers. A system-specific control only applies to one specific IT system. 

Global controls can now easily be added in Diri via the Organizational risk assessment. System-specific treatments can also be made global by including them in new risk assessments. The treatment now lists how many risk assessments it is included in and the number of risks it mitigates. A premise for re-using existing treatments is that the user can access the original analysis where the control resides.



Follow up of tasks, treatments, and expire dates

In previous versions of Diri, the software would only send email notifications for specific tasks. This feature has now been expanded to include risk assigned treatments, treatment plans, and risk assessment expiration. The email is sent from noreply@diri.no. The settings are available in "My account," be careful to configure which emails you wish to receive.


Minor changes and improvements

  • Dashboard: Fixed the risk thresholds causing improper risk categorizations for low and medium risks in the Company risk picture and Risk registry. The colour coding from the risk matrix is now in coherence with the dashboard.
  • Asset evaluation: Added "Customer data" as an option under asset type "Company data."
  • Asset evaluation: It is now possible to add a rationale when clicking "No" for an asset type. Clicking the asset in the list will show the rationale. The asset will then only be listed in the asset evaluation without confidentiality, integrity, or availability assessments.
  • Risk treament accessability: We have improved access control to treatments such that users without access to a risk assessment still can see and edit treatments that are assigned to them.
  • Multiple Language improvements, the most important one:
    • "Analysis" in main menu has changed name to "Survey" to better indicate functionality


We hope you enjoy these improvements and there is more to come!
Best cyber wishes from Diri AS!