Datenimport/en: Unterschied zwischen den Versionen

With the help of the importer, resources, measures, controls and check questions for knowledge bases or structure updates for organizational units can be imported. These updates can come from an SAP export, for example, or from a specially created Excel or CSV file. In this way, obsolete structures can be updated or completely new structures can be imported.

If an import is performed, all entities that have been changed are updated, and all entities that do not yet exist in HITGuard are created.

Imports can be performed only by administrators or experts.

To perform an import, first go to "Administration → Data import | Import logs". All created import configurations are now displayed here. To perform an import, either an existing import configuration is selected from the list or a new import configuration is created - the process is the same in both cases. Each import is documented under “Administration → Data Import → Import Logs”.

To use an existing import configuration, double-click the desired configuration. To create a new import configuration, click the plus button. (see figure)

A dialog box will then open (see image to the right) where you must enter the configuration name, select the configuration type, and upload the file to be imported.

The file can be either a CSV file or an Excel file. (Structure of an import file)

Clicking on "Next" opens the mask for assigning the fields (see figure below). Here at least all mandatory fields of the selected import type should be assigned. You can find out what these are from the description of the individual imports.

If an Excel file is imported, care must be taken that column headings exist in the file. If these exist, it is selected that the first row contains column headers and should therefore be ignored.

If all mandatory fields have now been assigned, the import can be saved and is ready for import. All that remains is to click on "Save and import".

Note: Instead of a username the name of a team can be entered for the field responsible, provided the team was already created in HITGuard. The name must be correct for the import to work. The team is then set as responsible, e.g., for a resource.

If the import was successful, you will see how many entities were newly created and how many were modified. In case of erroneous import operations, those rows and columns that contain errors will be listed for you.

Each import attempt is documented under "Administration → Data import | Import logs". Both successful and failed import attempts are recorded.

By double-clicking on an import, you will be redirected to a screen where you can see details such as the reason why the import failed.

To import data categories, the "Data category" type must be selected during import.

There are two options:

• Create new data categories
• Update existing data categories

Only classes created under Risk Management → Risk Policy → Data Classes are allowed for the Data Class field.

Only the values Yes and No are permitted for the fields Protection needs analysis and Person-related. You determine where the data categories can be used.

For information about responsible persons see User management.

When importing a file, HITGuard uses the data set ID in the import file to check whether it already exists anywhere in the HITGuard instance (system-wide) or not. If it does not exist, it is created again.

To create a new data category, you must fill in the mandatory fields

• Record ID (system-wide unique identifier)
• Name
• Data class (as per the values in Risk Management → Risk policy → Data classes)

must be available and filled in. Only if this is the case, the import is feasible.

Furthermore the fields

• Description
• Parent record ID (parent data category) (unique identifier)
• Protection needs analysis (Yes/No)
• Personal data (Yes/No)

can be assigned.

If the parent record ID is assigned to a data category, a data category with this ID must either already exist in HITGuard or be created in this import. Furthermore, no cycles may exist. Cycles are used when, for example, data category A has entered data category B as its parent ID and data category B has entered data category A as its parent ID. The importer detects these cycles, prevents the import and refers to the cycle error.

If the record ID of the data category is found during the import, no new data category is created, but the existing one is updated. That means: The existing fields of the import file update the already existing fields like e.g. designation, data class or person related. This allows the maintenance of individual data category or larger data category structures .

Example:

It is decided to create a new data category that should be parent to already existing data categories. In this case, the already existing data categories can be easily subordinated to this new data category by changing their parent ID.

• Template: Importvorlage Datenkategorie.xlsx

To import risks, the "Risk" type is selected during import.

There are two options:

• Create new risk
• Update existing risks

When importing a file, HITGuard uses the data set ID in the import file to check whether it already exists anywhere in the HITGuard instance (across management systems) or not. If it does not exist, it is created again.

To create a new risk, these required fields must be filled in

• Record ID (unique identifier across management systems)
• Name
• Responsible user (e.g., via username)

Additionally, the following fields can be assigned:

• Code
• Description
• Remarks
• Monetary impact
• Probability of occurrence
• Extent of damage
• Strategy
• Status
• Advisor

Other import tools in HITGuard specify the status using numbers. Here, however, you must enter the status as the exact word that appears in the drop-down menu in the “Status” field in the risk record (i.e., “Submitted,” “Active,” etc.). Be sure to use the correct capitalization—even minor discrepancies can prevent HITGuard from recognizing the status.

If the Damage Extent or Probability of Occurrence fields are assigned, then only content that matches the existing HITGuard classes is valid. Again, you must provide the exact word that are specified in the risk policy. For more information, see Probabilities of occurrence or Extensions of damage.

If the field Strategy has been assigned, you must also ensure that a value is selected from the drop-down menu in the Strategy field under Risk. Furthermore, the restriction applies that only values that correspond to the assigned severity or benefit are permitted. Thus, for a severity, it must be a coping strategy, and for a benefit, it must be a treatment strategy.

Although several people can be assigned as advisors for a risk, the import only allows a single user to be assigned as the advisor.

If you enter the "External ID" of an existing Risk in the row "Record ID", no new Risk will be created. Instead, HITGUard will update the existing risk. The entries in the import file update the already existing fields such as designation, description, responsible person, etc. This enables the maintenance of individual risks.

Caution: The ID of the risk must be distinct across the entire HITGuard installation, it must not repeat in different management systems. If you, for example, import an risk with the ID 1234 into a management system, but in another management system there already is a risk with the ID 1234, then that risk will be overwritten.

• Template: Importvorlage Risiko.xlsx

To import business processes, the "Business process" type must be selected during import.

There are two options:

• Create new business processes
• Update existing business processes

For information about responsible persons see User management.

When importing a file, HITGuard checks whether a business process already exists or not based on the record ID in the import file. If none exists, the business process is created.

To create a new business process, you must fill in the mandatory fields

• Record ID (system-wide unique identifier)
• Name

must be available and filled in. Only if this is the case, the import is possible.

Furthermore the fields

• Code
• Description
• Parent business process record ID (system-wide unique identifier)

can be assigned.

If the parent business process record ID is assigned, a business process with this ID must either already exist in HITGuard or be created in this import. Furthermore, no cycles may exist. Cycles exist if, for example, business process A has entered business process B as its parent ID and business process B has entered business process A as its parent ID. The importer recognizes these cycles, prevents the import and refers to the cycle error.

If the record ID of the organizational unit is found during the import, no new business process is created, but the existing one is updated. That means: The existing fields of the import file update the already existing fields like description, code, responsible person, or parent record ID. This enables the maintenance of individual business processes or business process structures.

Example:

It is decided to create a new business process that is parent to already existing business processes. In this case, the already existing business processes can be subordinated to this new business process by changing their parent ID.

• Template: Importvorlage Geschäftsprozess.xlsx

To import organizational units, the "Organizational unit" type must be selected during import.

There are two options:

• Create new organizational structures
• Update existing organizational structures

For information about responsible persons see User management.

When importing a file, HITGuard uses the data set ID in the import file to check whether it already exists or not. If it does not exist, it is created again.

To create a new organizational unit, you must fill in the mandatory fields

• Record ID (system-wide unique identifier)
• Name

must be available and filled in. Only if this is the case, the import is feasible.

Furthermore the fields

• Code
• Description
• Parent OU record ID (system-wide unique identifier)
• Street
• Postal code
• City
• Country
• Sort order

can be assigned.

If the parent OU record ID is assigned, an organizational unit with this ID must either already exist in HITGuard or be created in this import. Furthermore, no cycles may exist. Cycles exist if, for example, organizational unit A has entered organizational unit B as its parent ID and organizational unit B has entered organizational unit A as its parent ID. The importer recognizes these cycles, prevents the import and refers to the cycle error.

If the record ID of the organizational unit is found during the import, no new organizational unit is created, but the existing one is updated. That means: The existing fields of the import file update the already existing fields like e.g. country, address or person in charge. This enables the maintenance of individual organizational units or larger organizational structures.

Example:

It is decided to create a new department that is superior to already existing organizational units. In this case, the already existing organizational units can be subordinated to this new department by changing their parent ID.

• Template: Importvorlage OrgEh.xlsx

To import measures, the type "Measure" is selected upon importing.

There are two options:

• Create new measures
• Update existing measures

When importing a file, HITGuard uses the record ID in the import file to check whether it already exists or not. If it does not exist, it is created again.

To create a new measure, the following mandatory fields must be present and filled in:

• Code
• OrgUnit (external ID!)
• Name
• Responsible
• Recognized at
• Record ID

In addition, all prerequisites of the user administration apply if responsible persons are entered (see User administration).

Important: For the organizational unit you need to use its external ID. If you have not yet set this ID, you can do so manually before the import. Furthermore, the following fields can be added optionally:

• State (0-6, see more information below)
• Description
• Remark
• Budgeted costs
• Actual costs
• Recognized on
• Start date
• Mentioned deadline - Caution: this is a mandatory field if you have configured it under Measures > Settings
• Deadline
• Finished on - Caution: may only be filled in if the measure is imported in the states Completed or Submitted
• Impact - with the names you defined under Measures > Settings
• Effort - with the names you defined under Measures > Settings
• Corrective measure (YES/NO)
• Improvement measure (YES/NO)
• Planned anew (YES/NO)
• Delayed (YES/NO)
• Risk reduction (YES/NO)
• KO-criterion (YES/NO)

The digits 0 to 6 are used for the state of the measure:

0	Planned
1	Open
2	Suspended
3	Completed (Caution: here the field Completed on must be filled in as well)
4	Cancelled
5	Submitted (here the field Completed on can be filled in)
6	Rejected

Note: If you do not enter anything, state 1 (open) is used by default.

If the record ID of the measure is found during the import, no new measure is created, but the existing one is updated. That is: the existing fields of the import file update the already existing fields.

• Template: Importvorlage Maßnahmen.xlsx

To import resources, the "Resource" type is selected during import.

There are two options:

• Create new resources
• Update existing resources

For information about responsible persons see User management.

When importing a file, HITGuard uses the record ID in the import file to check whether it already exists or not. If it does not exist, it is created again.

To create a new resource, you must fill in the mandatory fields

• Record ID (system-wide unique identifier)
• and description

must be available and filled in. In addition, all prerequisites of the user administration apply if responsible persons are entered (see User administration).

Furthermore, the fields:

• Description
• model segment
• RTO
• and RPO

can be assigned. In the model segment, the following values are allowed: "Business Service Level", "Application Level", "IT Infrastructure Level", "OT Infrastructure Level", "Physical Security" and "Process Level". If the field is not assigned, the resources are assigned to the model segment "Application Level". RTO and RPO can be imported either as hours or as minutes; hours and minutes cannot be mixed. In that case, the minutes would overwrite the hours.

Example: If I want an RTO of two and a half hours, I can either enter 2.5 hours or 150 minutes. If I enter 2 hours and 30 minutes, only the 30 minutes will be imported.

Caution: When mapping the columns you also need to differentiate and decide between hours and minutes. If the field for minutes is available, it will be chosen over the hours, even if it is empty.

If the record ID of the resource is found during the import, no new resource is created, but the existing one is updated. That is: the existing fields of the import file update the already existing fields.

• Template: Importvorlage Ressource.xlsx

To import resource connections (meaning an edge, a dependency relationship between two structural elements), the "Resource connection" type is selected during import.

There are two options:

• Create new resource connections
• Update existing resource connections

To create a new resource connection, the mandatory fields

• External ID of the source (system-wide unique identification)
• External ID of the target (system-wide unique identification)
• Type source
• Type target

must be present and filled in.

Furthermore, the fields:

• Protection target and
• Dependency weighting

can be assigned.

Connections can be created between different resources, between organizational units and resources, processes and resources, data categories and resources, and suppliers and resources, in both directions. The following rules apply in the assigning and weighing of protection targets:

• Neither protection target nor dependency weighting stated: all protection targets of the management system are created with 100%.
• Only protection target: the named protection target is created with a weighting of 100%.
• Only dependency weighting: all protection targets of the management system are created with this weighting.
• Protection target and dependency weighting: the named protection target is created with this weighting.

Note: If there already exists a connection created from a protection needs analysis, the new connection is imported but the connection from the protection needs analysis is not overwritten. If you delete the protection needs analysis, the imported connection becomes visible.

Note: If there are multiple entries with the same external ID source and external ID target and the same protection target, the last entry is always considered.

Example:

Row 1: Source_1, Target_1, resource, resource → sets all protection targets to 100%

Row 2: Source_1, Target_1, resource, resource, confidentiality, 50 → sets the protection target "confidentiality" to 50%

Result sof the import → confidentiality is 50%, all other protection targets are 100% for the connection between Source_1 and Target_1.

If during the import the external ID of the source and the target are found in the same combination, no new resource connection is created but the existing one is updated instead. This means: the existing fields of the import file update the already existing fields.

Here, too, edges from protection needs analyses are not overwritten.

• Import template resource connection.xlsx

To import suppliers, the "Supplier" type is selected during import.

There are two options:

• Create new suppliers
• Update existing suppliers

When importing a file, HITGuard uses the record ID in the import file to check whether it already exists anywhere in the HITGuard instance (across management systems) or not. If it does not exist, it is created again.

To create a new resource, you must fill in the mandatory fields

• Record ID (unique identifier across management systems)
• Name.

Only if this is the case, the file can be imported.

Furthermore, the fields

• Code
• Expiration date
• Deactivated (x for yes, empty for no; true/false)
• External metric
• Justification
• Street
• Post code
• City
• County
• Country
• E-mail
• Telephone
• Homepage

can be present and filled in.

If the record ID of the supplier is found during the import, no new supplier is created, but the existing one is updated. That means: The existing fields of the import file update the already existing fields such as name, description, expiration date, etc. This enables the maintenance of individual suppliers.

• Template: Importvorlage Lieferanten.xlsx

The importer allows you to import measures, controls, topics, audit questions, justification templates, or risks into an existing knowledge database. To do this, select the “Knowledge base” type in the importer. Next, you must specify the knowledge base into which the measures, controls, audit questions, topics, and justification templates should be imported. This must be a knowledge base that is still editable—that is, one that has not yet been published.

In order to import measures, controls, topics, review questions, and/or justification templates, the fields

• Title
• Record ID (unique identifier)

must be assigned.

Caution: If the record ID already exists in the KB, no new record is created, but the old one is updated.

Furthermore, in all tabs there are the fields:

• Outline
• Description
• Status: (Date value)

In the Question tab, there are also the fields:

• Question
• Type of question: This defines the type of the review question. Allowed values of the field are: "process question" or "technical question" or "information gathering". Process questions can be answered with a score from 1-5 according to the evaluation schema, technical questions with Yes/No/Partial, and information gatherings are answered by filling in the comment and/or uploading an attachment. If the column is not filled, all review questions will be imported as technical questions.
• linked topics (Record ID)

In the Topic tab, there are also the fields:

• superordinate topic (Record ID)
• linked review questions (Record ID)

Note: For an import, columns from all tabs do not have to be assigned. So you can import topics, review questions, measures, controls, or justification templates separately.

Note: Topics and review questions that are then to be linked can be imported in the same Excel file. But you also have the option of importing linkages for topics/review questions that you have already imported or manually created before.

Note: Multiple record IDs separated by commas can be put into the fields linked review questions to topics and linked topics to review questions. This can be done with or without a space before/after the comma. Example: PF01, PF02, PF03.

• Template: Importvorlage WDB Thema.xslx
• Template: Importvorlage WDB Prüffrage.xslx
• Template: Importvorlage WDB Maßnahme.xslx
• Template: Importvorlage WDB Kontrolle.xslx
• Template: Importvorlage WDB Thema, Prüffrage, Maßnahme und Kontrolle.xslx
• Template: Importvorlage WDB Risiko.xslx

To import users, the "User" type must be selected during import.

There are two options:

• Create new user
• Update existing users

Users can be imported with the importer. When importing organizational units, data categories and resources, a responsible person can optionally be specified, which is then assigned or created and assigned.

If only the user name is specified in the course of the import of a structural element, the responsible person is assigned, but not modified. Therefore, the user must already exist. In the "Responsible" tab, all fields except for the user name can be ignored in this case.

When importing a file, HITGuard uses the data set ID in the import file to check whether it already exists anywhere in the HITGuard instance (system-wide) or not. If it does not exist, it is created again.

To create a new user, the following mandatory fields

• Username (system-wide unique identifier)
• E-mail address
• Password
• First name
• Last name

must be available and filled in. Only if this is the case, the import is possible.

If a responsible person is entered during import that has not yet been created in HITGuard, there are two variants of how HITGuard handles this:

1. Active Directory Integration is disabled:

   The user is created completely new, so that this can be performed, the mandatory fields of the responsible person must be present and entered in the import file. These are:

   • Username
   • E-mail
   • Password (between 12 and 20 characters, with at least 3 of the 4 criteria special characters, upper case, lower case and digits)

   

   
   

2. Active Directory integration is enabled:

   If Active Directory Integration is enabled, only users that exist in Active Directory can be created. However, the first name, last name and email fields can still be assigned. This means that it is possible to change the user's data during import and thus add or correct any errors or information from the Active Directory that is not maintained in HITGuard.

It is possible to update users with the help of the importer. This is useful, for example, if the e-mail or last name of a user changes. The importer checks at each import, if a user is entered, if additional fields like e-mail, last name, etc. exist in the import file, if yes, the content of these fields will be updated with the new content.

This makes it possible to keep information in HITGuard about users that do not exist or are not maintained in the Active Directory. It should be noted that HITGuard does not update the Active Directory!

Caution: The AD integration must be deactivated for the update of users with their own data import.

If a deactivated user is entered or updated as the responsible person during an update, this user is not activated as a result, i.e. he does not change status. However, he will be updated and entered as the responsible person.

• Template: Importvorlage Benutzer.xlsx

The importer supports two format types:

• CSV
• Excel files

The structure of an Excel file consists of a table in which all relevant data is represented as a column in a table. Each row corresponds, e.g., to a new organizational unit or other structure to be imported. During import, depending on the structure, the first row can or must be skipped if this row is the column header.

The structure of a CSV file usually consists of one line, in which the column headings are separated by semicolons. Each additional line contains information about the structure to be imported. It is important that each line has the same number of columns (i.e. the same number of semicolons). Depending on the structure, the first line can or must be skipped during the import if this line contains the column headings.

A few fields you can import as an Excel or CSV are HTML-fields in the application, meaning you can format them. You have the option of already adding this formatting in the import by using html-codes. This applies to, for example, the question section of review questions in knowledge bases, or the description fields of measures or risks.

A few formatting examples:

<ul><li>Item 1</li><li>Item 2</li></ul>

Line 1<br>Line 2

<b>bold</b>

<i>italic</i>

<u>unterlined</u>

<s>struck through</s>

You can also use an online HTML editor, format your text there, and then copy the result, meaning the code, into the Excel or CSV. Remember to remove any line breaks here.