6 - Importing and exporting risk assessment registrations with Excel Spreadsheets

6 - Importing and exporting risk assessment registrations with Excel Spreadsheets

Why import and export?

Many organisations have already mapped their ICT systems portfolio. This overview is often in a spreadsheet format, and Diri includes a spreadsheet import functionality to avoid doing the work twice. Importing through this functionality will quickly establish your risk assessment portfolio in Diri with key information variables. The import/export is also a tool for making major changes to the risk assessment portfolio.

Using import and export via the Excel spreadsheet

The functionality is available to administrators and located in the Risk Assessments tab in the main menu. The option for Export/Import is located in the upper right corner:

The Export/Import option is visible to the right in the picture

The first thing you must do is to click export and download the spreadsheet.

Using this functionality requires the Excel-template from Diri. Each column in the spreadsheet is mapped to variables in the Diri database, and for the import to work you must:
  1. Retain the headers in row one.
  2. Do not add additional formatting to the template.
  3. Do not change the ordering of the columns.
  4. Adhere to the formatting in the spreadsheet.
Click Export to download the template and open it. If this is the first time you are using Diri, the spreadsheet will be empty.

Filling in the Excel spreadsheet

Creating new risk assessments

Fill in the available information to add new systems to your Diri database. You can find the descriptions of registration variables in the Diri application.  Empty fields will be converted to empty fields in Diri. 

Important information about the import and export

Please note the following:
  1. The input is case-sensitive. The underscoring is to highlight the correct the input, not for use in the Excel-import.
  2. The import functionality supports both the English and Norwegian language, with the language setting bound to your user in Diri. This means that if your user has English as the language setting in Diri, the import/export will instead look for English variable names.
  3. A file exported in English will not import in Norwegian and vice versa.

Common variables in all risk assessment types

The common field descriptions for all risk assessment types are:
  1. ID - Leave empty for new systems and will be automatically assigned.
     
  2. Type - Determines risk assessment type. Available types are:
    1. For IT System put "system"
    2. For Overall risk assessment put "orgros"
    3. For Problem assessment put "other"

  3. Name - Put the name of the risk assessment object.
  4. Description - Provide a brief description of system purpose and functionality
  5. Responsible - Provide the email address of the person responsible. The email is checked against the Diri user database on import.
  6. Delimitations - Describe relevant delimitations, assumptions and assumptions made for the assessment.
  7. Date started - The date will be automatically assigned in Diri.

Fields specific to IT systems

This functionality is primarily developed for quick import of an ICT system portfolio. 
  1. Importance - Is a ranking variable for quickly sorting your systems according to perceived importance in day-to-day operations. Available types are:
    1. "extremely"
    2. "very"
    3. "moderately"
    4. "slightly"
    5. "unimportant"
  1. System tags - Add comma separated tags for describing the system.
  2. Organizational unit - Enter the name of the department owning the system. 
  3. Organizational sub-unit - If applicable, the names of subunits can be entered here, such as unit or section name.
  4. System owner - If the system owner is registered in Diri put the email address of the user in this field.
  5. Provider information - Enter contact information for any external suppliers. Name, phone, email, function. You can refer to other updated documentation.

  6. System status - The question refers to the system's current status in the software development life cycle. Valid inputs are:
    1. en: "Unknown", no: "Ukjent",
    2. en: "In development", no: "Utvikling",
    3. en: "Test", no: "Test",
    4. en: "Piloting", no: "Pilot",
    5. en: "Production", no: "Produksjon",
    6. en: "Phasing out", no: "Under utfasing",
    7. en: "Phased out", no: "Faset ut",
    8. en: "Storage", no: "Under oppbevaring",
    9. en: "Discontinued", no: "Fjernet"

  7. Number of users today - Numerical answer
  8. Maximum number of users - Numerical answer
  9. Users category - For multiple answerss add a comma separated answer. Available categories are:
    1. "en: "Employees", no: "Ansatte",
    2. en: "Visitors", no: "Besøkende",
    3. en: "Volunteers", no: "Frivillige",
    4. en: "Consultants", no: "Konsulenter",
    5. en: "Customers", no: "Kunder",
    6. en: "Suppliers", no: "Leverandører",
    7. en: "Students", no: "Studenter",
    8. en: "Open to public", no: "Systemet er offentlig"

  10. System access method - For multiple answerss add a comma separated answer. Available categories are:
    1. en: "Internet accessed", no: "Via internet",
    2. en: "Remote access through VPN or similar", no: "Fjerntilgang via VPN eller lignende",
    3. en: "Local access (internal)", no: "Lokal tilgang (internt)"

  11. Hosting - Only one answer. Alternatives are:
    1. en: "Internally", no: "Internt",
    2. en: "Externally", no: "Externt",
    3. en: "Cloud-based", no: "Skybasert",
    4. en: "Hybrid", no: "Hybrid"
  1. Periods with higher availability requirements - This is a true or false value, options are
    1. For false put "0"
    2. For true put "1"

  2. Availability (value is given in a scale from 1 - 100) - Numerical answer. The scale adapts to your scale.  If you use a four point information classification each point apply the following numbers:
    1. 0 - 32 Lowest score, e.g. Open information
    2. 33 - 66 Second lowest, e.g. Protected information
    3. 67 - 99 Second highest, e.g. Confidential information
    4. 100 - Highest score, e.g. Strictly confidential

  3. Availability reasoning - Provide a written description.

  4. Operating system - Only one answer. Alternatives are:
    1. Windows
    2. Linux
    3. Unix
    4. For "Other" put "Annet"
  5. Operating system version - Provide a written description
  6. System documentation link - Provide a written url
  7. System login link - Provide a written url

Fields specific to the Overall Risk Assessment

It is better to edit the Overall risk assessments (ORA) directly in the Diri application since there will be few objects of this type per organization. However, the import/export provides access to the ORA registrations as well.
  1. Selected organization - Connected to the organisation in Diri.  
  2. Industrial classification
  3. Standard Industrial Classification - Standized description of the Industrial classification. Valid options are available in Diri.
  4. Number of employees - Numerical variable
  5. Security requirements - Provide a brief description of "What are the elements that require security in the organisation?"
  6. Important deliveries - Provide a brief description of "What are the organisations most important deliveries?"


Fields specific to the Problem Risk Assessment

There is only one field that is specific to the Problem risk assessment and that is "Implicated risk assessments" which lists objects tied to the problem assessment.

Deletion of Risk assessments using Import/Export (Rightmost column)

If you want to delete one or more objects in the Diri database you can use the rightmost column. To delete an object mark the row with an "X".


Limitations of the functionality

The import/export functionality is limited to registering and editing step 1 in the risk assessment process for all objects. Some of the inputs are limited to accepting only one language, but the correct syntax is given above.

Note that the import and export follows the user's language choice when the file is loaded. This means that files can NOT mix the languages, and are read as the language the user has when import or export is clicked.


    • Related Articles

    • 5 - Settings

      Diri comes with several tailorable variables that you can adapt to fit your own security policies and guidelines. As illustrated below, the Diri settings are currently dived in three main categories: Many organizations already have pre-defined levels ...

    • 7 - Task and Treatment reminders

      Follow up of tasks, treatments, and expire dates Diri sends reminders on risk assigned treatments, treatment plans, and risk assessment expiration. The email is sent from noreply@diri.no. The settings are available in "My account," be careful to ...

    • 3 - Role-based Access Control (RBAC)

      Role-based access control in Diri Diri allows for tailoring accesses based on roles. RBAC is an approach to restricting system access to authorized users. RBAC mechanisms are defined around roles and privileges. RBAC makes it easy to assign ...

    • 4 - Configure the Dashboard

      What is the dashboard? The dashboard is the primary risk reporting and auditing tool in Diri. The dashboard provides basic visualisation of aggregated data that your user has access to. The data is visualised using risk assessment tools such as the ...

    • 3 - Role-based Access Control (RBAC)

      Role-based access control in Diri Diri allows for tailoring accesses based on roles. RBAC is an approach to restricting system access to authorized users. RBAC mechanisms are defined around roles and privileges. RBAC makes it easy to assign ...