How do I import custom assessment types?
This article will explain the process that will get a custom assessment type imported into the Compliance and Risk Tracker portal.
Last Updated: April 29, 2024
The first place to start is with an understanding of how assessment types are structured within the Compliance and Risk Tracker (CRT) portal. The easiest way to visualize it is to imagine assessments as being like structures of a tree:
First we have the Assessment Type, which is your tree trunk and the basis that everything else ties into.
Next, we have what are called Domains. Domains are the major limbs coming off the trunk that hold up the larger branches. There could be just a single main limb, or several, depending on the size of the tree.
Then, we have Objectives. Objectives are off-shoots, or large branches, of your major limbs. There may be one main branch, or multiple branches here.
Finally, we have Practices. Practices are the smaller supporting structures of the tree: branches that may carry a single leaf, several small offshoots, etc., depending on the tree type.
There is another type of branch that comes off the Practices, and those are called Parameters. Parameters are sub-parts of a Practice; all parameters must be met in order to say you fully meet the practice requirements.
There are some other specific items that come into play as well, but this is a general idea.
A user can manually enter all the data for a custom assessment type within the application, but importing it takes much less time and the import file can be easily updated in the future. To start importing a custom assessment type, first download the latest import template from the CRT portal, found here: System Administration > Assessment Configuration > Compliance Configuration > Practices. Click the "Excel" button, and then click "Export Practices". This will download a file containing ALL practices currently within the system. Custom assessment data is entered into this file and then imported.
The import file as of 4/29/2024 contains the following fields, each followed by a description of the field (fields marked with an * are required):
- ID - Internal database identifier. Do not modify. This value is automatically generated when new practices are imported, and the identity values are displayed upon exporting existing practices. Modifying this field could potentially result in overwriting and/or other inadvertent data loss.
- Domain * - Main/High level separators within an assessment type. (e.g. Access Control, Network Security, Risk Management, etc.)
- Domain Sort Order - The order in which you wish this domain to appear within the assessment.
- Domain Abbreviation - An abbreviation of the domain name used for reporting purposes. (e.g. "AC", "NS", "RM", etc.)
- Objective * - The next level of organization within an assessment within a specific domain. (e.g. Within the Network Security domain one may have "Environment Configuration", "Environment Change Management", and "Environment Management")
- Objective Sort Order - The order in which you wish this objective to appear within the assigned domain.
- Practice * - This is the actual practice or question field where the item being assessed is entered.
- Description - This is a description field available to the assessor that may have reference material, cross referenced information, etc.
- Sort Order - The order in which you wish this practice to appear within the assigned objective.
- NIST_CSF_Function
- Group - This can be used to define groups that relate specific practices together that may be in multiple domains and/or objectives, and then use that group for reporting. (e.g. a group name may be "SDLC", "Threat Management", "Process", etc.)
- MIL - Maturity Indicator Level. See <https://support.cyturus.com/kb/what-is-a-mil-and-how-is-it-used> for more information about MIL's and how they affect the system. This field will not apply to all assessment types.
- Compliance * - For custom assessments the Compliance and AssessmentType values will likely match. However, if you are importing an industry standard compliance type you could enter that value here. (e.g. "800-171", "PCI-DSS", etc.)
- AssessmentType * - This is the primary value that will identify this specific custom assessment.
- Default_Horizon - Used for Compliance Management assessment types where Managed Practices will be used. This value is the default Horizon that the practice would be placed in.
- Default_Workstream - Used for Compliance Management assessment types where Managed Practices will be used. This value is the default Workstream (within a particular Horizon) that the practice would be placed in.
- Vertical
- Industry
- CMMC - No longer used.
- Class - For assessments that have multiple tiers/classes this defines which tier/class this practice is a part of. (e.g. for CMMC practices they are part of the Level 1, Level 2, and/or Level 3 classes.)
- ControlName -
- ControlNumber -
- ControlFamily -
- TestingProcedure -
- ControlDescription -
- As_Of -
- Version -
- ReferenceNo - This field is where a question/practice reference number can be placed. (e.g. 1, 1a, 1.a.i, etc.) The reference number will appear next to the question/practice within the assessment.
- PracticeVersion -
- PracticeType - There are three types: "Maturity", "Analysis", or "Answer Select". If left blank, the type "Maturity" is set automatically.
- MinimumStatus - If set, the minimum status required to pass this practice. (Will only be populated upon an EXPORT of practices.)
- DomainID - Internal database identifier. Do not modify. This value is automatically generated when new practices are imported, and the identity values are displayed upon exporting existing practices. Modifying this field could potentially result in overwriting and/or other inadvertent data loss.
- ObjectiveID - Internal database identifier. Do not modify. This value is automatically generated when new practices are imported, and the identity values are displayed upon exporting existing practices. Modifying this field could potentially result in overwriting and/or other inadvertent data loss.
- Domain Weight * - Used by some compliances for calculating scores. A value of 1 should be used if your assessment type does not use scoring (CMMC, CMI).
- POA&M Enable - Used by assessment types that use POA&M configurations. This can be left blank if your assessment type does not use POA&Ms.
- Purpose - Can be used for importing guidance information. Not required.
- Recommendations - Can be used for importing guidance information. Not required.
- Definitions - Can be used for importing guidance information. Not required.
- Examples - Can be used for importing guidance information. Not required.
- Testing Procedures - Can be used for importing guidance information. Not required.
Now that the fields in the import file are understood, you can enter your data into it. Do not modify any existing data in the file; only add to it. If you are adding practices to an existing assessment type, make sure that the other fields (assessment type, domain, objective, etc.) are filled in EXACTLY as shown on the other practices within that assessment type. Any difference in spelling, case, or spacing is treated as a different value. Failure to do so could cause invalid data to be imported and/or existing data to be overwritten.
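The rules above (required fields, untouched identifiers, exact matches against existing rows, the Domain > Objective > Practice tree) can be checked mechanically before clicking import. The script below is an added example written for this article, not Cyturus' own tooling. It assumes the Excel export has been saved as CSV with the column headers listed above (a subset is used), and the "ACME-SEC" rows it runs on are constructed samples: one exported sheet, and the same sheet after a user edited it.

```python
"""Pre-import checks for a CRT practice import sheet (added example)."""
import csv
import io

REQUIRED = ("Domain", "Objective", "Practice", "Compliance",
            "AssessmentType", "Domain Weight")          # starred fields above
PRACTICE_TYPES = {"Maturity", "Analysis", "Answer Select"}
# Attributes of the domain rather than the practice: every row of one domain
# must carry identical values, or the import may create a near-duplicate domain.
DOMAIN_LEVEL = ("Domain Sort Order", "Domain Abbreviation", "Domain Weight")
COLUMNS = ["ID", "Domain", "Domain Sort Order", "Domain Abbreviation",
           "Objective", "Objective Sort Order", "Practice", "Sort Order",
           "Compliance", "AssessmentType", "PracticeType", "DomainID",
           "ObjectiveID", "Domain Weight"]

# Constructed sample of the portal export (internal identifiers populated).
EXPORTED = """\
ID,Domain,Domain Sort Order,Domain Abbreviation,Objective,Objective Sort Order,Practice,Sort Order,Compliance,AssessmentType,PracticeType,DomainID,ObjectiveID,Domain Weight
101,Access Control,1,AC,Account Management,1,Accounts are reviewed quarterly,1,ACME-SEC,ACME-SEC,Maturity,11,21,1
102,Access Control,1,AC,Account Management,1,Shared accounts are prohibited,2,ACME-SEC,ACME-SEC,Maturity,11,21,1
"""
# Constructed sample of the same sheet after editing: row 102 had its
# PracticeType changed (existing data must not be modified), row 4 is a clean
# new practice, row 5 has a near-miss domain name, a pasted DomainID, an
# unknown PracticeType and a non-numeric weight.
EDITED = """\
ID,Domain,Domain Sort Order,Domain Abbreviation,Objective,Objective Sort Order,Practice,Sort Order,Compliance,AssessmentType,PracticeType,DomainID,ObjectiveID,Domain Weight
101,Access Control,1,AC,Account Management,1,Accounts are reviewed quarterly,1,ACME-SEC,ACME-SEC,Maturity,11,21,1
102,Access Control,1,AC,Account Management,1,Shared accounts are prohibited,2,ACME-SEC,ACME-SEC,Analysis,11,21,1
,Access Control,1,AC,Account Management,1,MFA is enforced for administrators,3,ACME-SEC,ACME-SEC,,,,1
,Access control ,1,AC,Account Management,1,Privileged sessions are logged,4,ACME-SEC,ACME-SEC,Answer select,11,,abc
"""


def load(text):
    """Parse CSV text (the Excel export saved as CSV) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def is_blank(value):
    return value is None or not value.strip()


def _fold(key):
    """Case- and whitespace-insensitive form of an (AssessmentType, Domain) key."""
    return tuple(part.strip().casefold() for part in key)


def check_sheet(exported_text, edited_text):
    """Return (sheet row number, message) problems; an empty list means import-ready."""
    exported = {r["ID"]: r for r in load(exported_text)}
    # Exact spellings and domain-level values the portal already holds.
    known_domains = {(r["AssessmentType"], r["Domain"]): {c: r[c] for c in DOMAIN_LEVEL}
                     for r in exported.values()}
    problems = []
    for n, r in enumerate(load(edited_text), start=2):   # row 1 is the header
        for col in REQUIRED:
            if is_blank(r.get(col)):
                problems.append((n, f"required field '{col}' is empty"))
        ptype = r.get("PracticeType")
        if not is_blank(ptype) and ptype not in PRACTICE_TYPES:
            problems.append((n, f"unknown PracticeType {ptype!r}"))
        weight = r.get("Domain Weight")
        if not is_blank(weight):
            try:
                float(weight)
            except ValueError:
                problems.append((n, f"Domain Weight {weight!r} is not numeric"))
        if is_blank(r["ID"]):
            # New row: identifiers are assigned on import, never typed in.
            for col in ("DomainID", "ObjectiveID"):
                if not is_blank(r.get(col)):
                    problems.append((n, f"new row must leave {col} blank"))
            key = (r["AssessmentType"], r["Domain"])
            if key in known_domains:
                for col, want in known_domains[key].items():
                    if r.get(col) != want:
                        problems.append((n, f"{col} {r.get(col)!r} differs from existing {want!r}"))
            else:
                near = [k for k in known_domains if _fold(k) == _fold(key)]
                if near:
                    problems.append((n, f"Domain {r['Domain']!r} does not exactly match existing {near[0][1]!r}"))
        elif r["ID"] in exported:
            changed = [c for c in COLUMNS if exported[r["ID"]].get(c) != r.get(c)]
            if changed:
                problems.append((n, f"exported row {r['ID']} was modified: {', '.join(changed)}"))
        else:
            problems.append((n, f"ID {r['ID']} is not in the export; do not type identifiers"))
    return problems


def hierarchy(rows):
    """Group rows into the AssessmentType > Domain > Objective > Practice tree
    the portal will build, ordered by Sort Order within each objective."""
    tree = {}
    for r in sorted(rows, key=lambda r: int(r.get("Sort Order") or 0)):
        (tree.setdefault(r["AssessmentType"], {})
             .setdefault(r["Domain"], {})
             .setdefault(r["Objective"], [])
             .append(r["Practice"]))
    return tree


if __name__ == "__main__":
    for row, message in check_sheet(EXPORTED, EDITED):
        print(f"row {row}: {message}")
```

Run against the edited sample it reports the modified exported row and the four faults on the last row, while the clean appended practice passes; the hierarchy view also exposes the near-miss "Access control " as a second domain, which is exactly what the portal would create from it.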