Diri comes with several configurable settings that you can adapt to fit your own security policies and guidelines. As illustrated below, the Diri settings are currently divided into three main categories:
The settings option is found at the bottom of the main menu.
The probability and consequence levels are central in the risk assessment and reporting. These settings are applied when assessing risk and aggregating data into the dashboard. (Guidelines available for registered users)
In Settings > Risk matrix, you can rename the consequence and probability levels and choose how many levels of each you want to take into consideration. What is essential to keep in mind here is that the number of levels you define must match the number entered at the top of the consequences and the probabilities. That number is how many of the levels will appear as choices during the risk assessment. (Six is the current maximum number of levels, but let us know if you need more.)
These settings are stored on the current organizational level and inherited downward in the organization. However, you can create tailored levels on lower organizational levels. The data still aggregates into the dashboard at higher levels without problems.
Setting levels for probability and consequence
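As an added example (not part of the Diri documentation or product code), the following Python model encodes the risk matrix rules stated above: each axis declares how many levels are in use, the defined levels must match that number, at most six levels are allowed, a lower organisational level inherits the matrix from above unless it defines its own, and a score can be normalised so the dashboard can aggregate units that use different level counts. The class names, the product-of-ranks scoring and the sample organisations and level names are assumptions made for the example.

```python
"""Added example modelling Diri's risk matrix settings (not Diri's own code).
All names and sample values below are constructed for illustration."""

from dataclasses import dataclass
from typing import List, Optional

MAX_LEVELS = 6  # the current limit of six levels stated in the documentation


@dataclass
class Axis:
    count: int          # the number "at the top": how many levels are offered
    labels: List[str]   # level names, ordered from lowest to highest

    def validate(self) -> List[str]:
        """Return a list of problems; an empty list means the axis is consistent."""
        problems = []
        if not 1 <= self.count <= MAX_LEVELS:
            problems.append(f"count {self.count} outside 1..{MAX_LEVELS}")
        if len(self.labels) != self.count:
            problems.append(f"{len(self.labels)} labels defined but count is {self.count}")
        if len(set(self.labels)) != len(self.labels):
            problems.append("duplicate level labels")
        return problems


@dataclass
class RiskMatrix:
    probability: Axis
    consequence: Axis

    def validate(self) -> List[str]:
        return ([f"probability: {p}" for p in self.probability.validate()] +
                [f"consequence: {c}" for c in self.consequence.validate()])

    def score(self, probability: str, consequence: str) -> int:
        # 1-based rank on each axis; the product is one common matrix score (assumption)
        p = self.probability.labels.index(probability) + 1
        c = self.consequence.labels.index(consequence) + 1
        return p * c


@dataclass
class OrgUnit:
    name: str
    parent: Optional["OrgUnit"] = None
    matrix: Optional[RiskMatrix] = None   # None means "inherit from above"

    def effective_matrix(self) -> RiskMatrix:
        """Walk upward until a unit with its own matrix is found."""
        node: Optional[OrgUnit] = self
        while node is not None:
            if node.matrix is not None:
                return node.matrix
            node = node.parent
        raise LookupError("no risk matrix defined anywhere up the hierarchy")


def normalised_score(unit: OrgUnit, probability: str, consequence: str) -> float:
    """Score divided by the unit's maximum score, so units with 3x3 and 4x4
    matrices can be compared on one dashboard (normalisation is an assumption)."""
    m = unit.effective_matrix()
    return m.score(probability, consequence) / (m.probability.count * m.consequence.count)


# Constructed sample data: a corporate matrix, an inheriting department, a team with its own.
CORPORATE_MATRIX = RiskMatrix(
    probability=Axis(4, ["Rare", "Unlikely", "Likely", "Very likely"]),
    consequence=Axis(4, ["Insignificant", "Minor", "Moderate", "Serious"]),
)
TEAM_MATRIX = RiskMatrix(
    probability=Axis(3, ["Low", "Medium", "High"]),
    consequence=Axis(3, ["Low", "Medium", "High"]),
)
CORPORATE = OrgUnit("Corporate", matrix=CORPORATE_MATRIX)
DEPARTMENT = OrgUnit("IT department", parent=CORPORATE)          # inherits
TEAM = OrgUnit("Platform team", parent=DEPARTMENT, matrix=TEAM_MATRIX)

# Constructed misconfigurations: count does not match the defined labels; too many levels.
MISMATCHED_MATRIX = RiskMatrix(
    probability=Axis(4, ["Rare", "Unlikely", "Likely", "Very likely"]),
    consequence=Axis(5, ["Insignificant", "Minor", "Moderate", "Serious"]),
)
OVERSIZED_AXIS = Axis(7, ["L1", "L2", "L3", "L4", "L5", "L6", "L7"])

if __name__ == "__main__":
    print("corporate problems:", CORPORATE_MATRIX.validate())
    print("mismatched problems:", MISMATCHED_MATRIX.validate())
    print("department uses:", DEPARTMENT.effective_matrix() is CORPORATE_MATRIX)
    print("team normalised:", normalised_score(TEAM, "High", "High"))
```

The validation step is the check a practitioner would want before saving the settings: a count that does not match the defined labels means some levels can never be selected during an assessment, which quietly skews the dashboard.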
Levels for information classification and asset evaluation
Asset evaluation is the cornerstone of the risk assessment, as it helps determine which assets need protection. An asset has value for the organization and must be protected. Information classification is a central part of asset evaluation in the risk assessment process. (Register a user to read the article.)
The classification levels are a direct input to your risk assessment consequence estimate and to security management as a whole. Classifications are done along the so-called "CIA" dimensions: confidentiality, integrity, and availability. These levels should fit your organization's data classification policy. (A data classification policy template is available for registered users.)
It is also essential that the number of levels matches the number at the top so that every level can be selected in the risk assessment. Remember to save changes; this is not done
In the internationalisation settings, it is currently only possible to change the currency. The currency is used to keep track of the costs in the action plan.
If you want to change the language in the application from Norwegian to English or vice versa, this must be done on the "My User" >
Revision time defines how long the action plan is valid before it needs to be revised. For example, you can set a validity of 12 months for annual revision; this is tracked in your dashboard and notifications are sent to the risk assessment owners.
Tracking the risk assessment progression with underlined revision time
You can add custom fields to the IT system, treatment, and user objects in Diri for recording additional information. A custom field is either a Dropdown menu or a Text field. The new field will appear as follows:
- IT systems: A new page will appear at the end of Step 1 - Registration.
- Treatments: At the bottom of the treatment registration.
- Users: At the bottom of My account, and when clicking on a user in the Users overview.
For example, if you want a maturity field on your treatments, you can add your field with prioritisation options as illustrated below. The added field will show up at the bottom of the treatment description:
Adding control maturity on a treatment through Custom fields
Other uses: If you want to define something of your own under system, you can also do this here; for example, you can type "Does the system contain key codes?", choose Dropdown, and add the answers yes and no.
On the user, you can also define a separate field such as "Is this a temporary user?", select Dropdown, and add the answers "Yes" and "No"; this field will then appear under "My user."
Type definitions (Libraries)
The type definitions are closely connected to the libraries and categories in Diri and are the options you have available in the risk assessments. Please note that you cannot delete any options that are currently in use in risk assessments. The "delete" option will be grey and non-clickable for these items.
You can add, edit, and remove vulnerabilities from your risk assessment. Diri comes with four predefined vulnerability domains (Human, Organisational, Physical, Technical), but you can add more granular domains if you wish. These choices are linked to data aggregation and statistics in the Diri application.
Under Threats it is possible to add or customize various threats such as unfaithful employees, terror, criminals, natural disasters and so on. Diri comes with a predefined list of threats that you can edit, add to, or delete from. If you need additional information on your threats for your risk management, you can use our Threat assessment template (for registered users).
The Consequence Category and Event Category