diff --git a/.github/workflows/startup-tests.yml b/.github/workflows/startup-tests.yml index ad27fc444..3fb3bb1bd 100644 --- a/.github/workflows/startup-tests.yml +++ b/.github/workflows/startup-tests.yml @@ -130,7 +130,7 @@ jobs: export $(grep -v '^#' .env | xargs) - name: Config the Docker app run: | - sleep 60 # give the migrations time to finish (included in the up on the previous step) + sleep 120 # give the migrations time to finish (included in the up on the previous step) docker compose -f docker-compose-build.yml exec backend /bin/bash -c "DJANGO_SUPERUSER_EMAIL=admin@tests.com DJANGO_SUPERUSER_PASSWORD=1234 poetry run python manage.py createsuperuser --noinput && exit 0" - name: Run tests working-directory: ${{ env.frontend-directory }} @@ -142,6 +142,7 @@ jobs: exit 0 else echo "Failure" + echo "Check if migrations are not too long" exit 1 fi @@ -258,7 +259,7 @@ jobs: export $(grep -v '^#' .env | xargs) - name: Config the Docker app run: | - sleep 60 # give the migrations time to finish (included in the up on the previous step) + sleep 120 # give the migrations time to finish (included in the up on the previous step) docker compose -f enterprise/docker-compose-build.yml exec backend /bin/bash -c "DJANGO_SUPERUSER_EMAIL=admin@tests.com DJANGO_SUPERUSER_PASSWORD=1234 poetry run python manage.py createsuperuser --noinput --settings=${{ env.enterprise-backend-settings-module }} && exit 0" - name: Run tests working-directory: ${{ env.frontend-directory }} @@ -270,5 +271,6 @@ jobs: exit 0 else echo "Failure" + echo "Check if migrations are not too long" exit 1 fi diff --git a/LICENSE.txt b/LICENSE.md similarity index 81% rename from LICENSE.txt rename to LICENSE.md index 15a1df5ed..c12c788b3 100644 --- a/LICENSE.txt +++ b/LICENSE.md 
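Review bot: The `sleep 120` in the `Config the Docker app` step is still a guess at how long migrations take, so the `createsuperuser` that follows can race a slow migration and fail exactly as it did at 60 seconds, and the same guess is repeated in the enterprise job's hunk further down this file. Polling the backend for readiness is deterministic and returns early on fast runners, e.g. `for i in $(seq 1 60); do docker compose -f docker-compose-build.yml exec backend poetry run python manage.py migrate --check && break; sleep 5; done` (`migrate --check` exits non-zero while unapplied migrations remain). The superuser credentials on the next line are pre-existing test fixtures, but `DJANGO_SUPERUSER_PASSWORD=1234` is only acceptable because the container is discarded with the job; a comment saying so would stop the line being copied into a deployment recipe.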
@@ -1,11 +1,11 @@ -Source code in this repository is variously licensed under the GNU Affero General Public License (AGPL), or the intuitem Commercial License (https://intuitem.com/license/commercial/). +Source code in this repository is variously licensed under the GNU Affero General Public License (AGPL), or the [intuitem Commercial License](enterprise/LICENSE.md). - All the files within the top-level "enterprise" directory are released under the intuitem Commercial Software License. - All the files outside the top-level "enterprise" directory are released under the [AGPLv3](https://choosealicense.com/licenses/agpl-3.0/). Binary files are generated for each edition for CISO Assistant: -- Binaries located at ghcr.io/intuitem/ciso-assistant-community/ are released under the AGPL. +- Binaries located at ghcr.io/intuitem/ciso-assistant-community/ are released under the AGPLv3. - Binaries located directly under the ghcr.io/intuitem/ namespace are released under the intuitem Commercial Software License. intuitem Commercial Software License requires a valid contract between the licensee and intuitem. diff --git a/README.md b/README.md index f2690a523..668f78001 100644 --- a/README.md +++ b/README.md 
@@ -43,13 +43,13 @@ Our vision is to provide a one stop shop for cyber security posture management a CyberSecurity teams need to use GRC as a foundation to structure their program and implement the right tools and processes to mitigate the risks, and leave the rest to CISO Assistant 🐙 -The vision of the tool is based on this model: +The vision of the tool is based on these fundamental objects: -![](posture.png) +![](core_objects.png) -The full details are available in the [data model](documentation/architecture/data-model.md). +There are other concepts and models to provide other features. The full details are available in the [data model](documentation/architecture/data-model.md). -The decoupling allows you to save a considerable amount of time: +The decoupling concept is a pillar of the app and allows you to save a considerable amount of time: - reuse previous assessments, - assess a scope against multiple frameworks at the same time, @@ -534,6 +534,6 @@ All the files within the top-level "enterprise" directory are released under the All the files outside the top-level "enterprise" directory are released under the [AGPLv3](https://choosealicense.com/licenses/agpl-3.0/). -See [LICENSE.txt](./LICENSE.txt) for details. For more details about the commercial editions, you can reach us on . +See [LICENSE.md](./LICENSE.md) for details. For more details about the commercial editions, you can reach us on . Unless otherwise noted, all files are © intuitem. diff --git a/backend/app_tests/api/test_api_projects.py b/backend/app_tests/api/test_api_projects.py index f1ea8b58c..417d64dbe 100644 --- a/backend/app_tests/api/test_api_projects.py +++ b/backend/app_tests/api/test_api_projects.py @@ -90,7 +90,7 @@ def test_get_projects(self, test): "name": PROJECT_NAME, "description": PROJECT_DESCRIPTION, "folder": test.folder, - "internal_reference": PROJECT_REFERENCE, + "ref_id": PROJECT_REFERENCE, "lc_status": PROJECT_STATUS[0], }, { 
@@ -112,7 +112,7 @@ def test_create_projects(self, test): "name": PROJECT_NAME, "description": PROJECT_DESCRIPTION, "folder": str(test.folder.id), - "internal_reference": PROJECT_REFERENCE, + "ref_id": PROJECT_REFERENCE, "lc_status": PROJECT_STATUS[0], }, { @@ -137,14 +137,14 @@ def test_update_projects(self, test): "name": PROJECT_NAME, "description": PROJECT_DESCRIPTION, "folder": test.folder, - "internal_reference": PROJECT_REFERENCE, + "ref_id": PROJECT_REFERENCE, "lc_status": PROJECT_STATUS[0], }, { "name": "new " + PROJECT_NAME, "description": "new " + PROJECT_DESCRIPTION, "folder": str(folder.id), - "internal_reference": "new " + PROJECT_REFERENCE, + "ref_id": "new " + PROJECT_REFERENCE, "lc_status": status[0], }, { diff --git a/backend/app_tests/api/test_api_requirement_assessments.py b/backend/app_tests/api/test_api_requirement_assessments.py index ef49c83e1..12dad4661 100644 --- a/backend/app_tests/api/test_api_requirement_assessments.py +++ b/backend/app_tests/api/test_api_requirement_assessments.py 
@@ -124,7 +124,48 @@ def test_get_requirement_assessments(self, test): "id": str(compliance_assessment.id), "str": compliance_assessment.name, }, - "requirement": str(RequirementNode.objects.all()[0].id), + "requirement": { + "str": str(RequirementNode.objects.all()[0]), + "id": str(RequirementNode.objects.all()[0].id), + "urn": RequirementNode.objects.all()[0].urn, + "annotation": RequirementNode.objects.all()[0].annotation, + "name": RequirementNode.objects.all()[0].name, + "description": RequirementNode.objects.all()[0].description, + "typical_evidence": RequirementNode.objects.all()[ + 0 + ].typical_evidence, + "ref_id": RequirementNode.objects.all()[0].ref_id, + "associated_reference_controls": RequirementNode.objects.all()[ + 0 + ].associated_reference_controls, + "associated_threats": RequirementNode.objects.all()[ + 0 + ].associated_threats, + "parent_requirement": { + "str": RequirementNode.objects.all()[0].parent_requirement.get( + "str" + ), + "urn": RequirementNode.objects.all()[0].parent_requirement.get( + "urn" + ), + "id": str( + RequirementNode.objects.all()[0].parent_requirement.get( + "id" + ) + ), + "ref_id": RequirementNode.objects.all()[ + 0 + ].parent_requirement.get("ref_id"), + "name": RequirementNode.objects.all()[0].parent_requirement.get( + "name" + ), + "description": RequirementNode.objects.all()[ + 0 + ].parent_requirement.get("description"), + } + if RequirementNode.objects.all()[0].parent_requirement + else None, + }, }, base_count=-1, user_group=test.user_group, 
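Review bot: The expected payload re-evaluates `RequirementNode.objects.all()[0]` about twenty times, and with no `order_by` each evaluation is a separate unordered `LIMIT 1` query, so unless `RequirementNode.Meta.ordering` pins the order (not visible here) the fields can come from different rows and the assertion becomes flaky. Bind the node once and reuse it: `node = RequirementNode.objects.order_by("urn").first()` and `parent = node.parent_requirement` above the dict, then `"urn": node.urn`, `"parent_requirement": {...} if parent else None`. The same pattern is repeated in the update-test hunk below and deserves the same treatment.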
@@ -210,7 +251,48 @@ def test_update_requirement_assessments(self, test): "id": str(compliance_assessment.id), "str": compliance_assessment.name, }, - "requirement": str(RequirementNode.objects.all()[0].id), + "requirement": { + "str": str(RequirementNode.objects.all()[0]), + "id": str(RequirementNode.objects.all()[0].id), + "urn": RequirementNode.objects.all()[0].urn, + "annotation": RequirementNode.objects.all()[0].annotation, + "name": RequirementNode.objects.all()[0].name, + "description": RequirementNode.objects.all()[0].description, + "typical_evidence": RequirementNode.objects.all()[ + 0 + ].typical_evidence, + "ref_id": RequirementNode.objects.all()[0].ref_id, + "associated_reference_controls": RequirementNode.objects.all()[ + 0 + ].associated_reference_controls, + "associated_threats": RequirementNode.objects.all()[ + 0 + ].associated_threats, + "parent_requirement": { + "str": RequirementNode.objects.all()[0].parent_requirement.get( + "str" + ), + "urn": RequirementNode.objects.all()[0].parent_requirement.get( + "urn" + ), + "id": str( + RequirementNode.objects.all()[0].parent_requirement.get( + "id" + ) + ), + "ref_id": RequirementNode.objects.all()[ + 0 + ].parent_requirement.get("ref_id"), + "name": RequirementNode.objects.all()[0].parent_requirement.get( + "name" + ), + "description": RequirementNode.objects.all()[ + 0 + ].parent_requirement.get("description"), + } + if RequirementNode.objects.all()[0].parent_requirement + else None, + }, }, user_group=test.user_group, ) diff --git a/backend/ciso_assistant/settings.py b/backend/ciso_assistant/settings.py index b0e821d19..32b1a25d3 100644 --- a/backend/ciso_assistant/settings.py +++ b/backend/ciso_assistant/settings.py @@ -153,6 +153,7 @@ def set_ciso_assistant_url(_, __, event_dict): "allauth.socialaccount", "allauth.socialaccount.providers.saml", "allauth.mfa", + "huey.contrib.djhuey", ] MIDDLEWARE = [ 
@@ -224,6 +225,7 @@ def set_ciso_assistant_url(_, __, event_dict): "MIN_REFRESH_INTERVAL": 60, } + # Empty outside of debug mode so that allauth middleware does not raise an error STATIC_URL = "" @@ -372,6 +374,16 @@ def set_ciso_assistant_url(_, __, event_dict): # OTHER SETTINGS } +HUEY = { + "huey_class": "huey.SqliteHuey", # Huey implementation to use. + "name": "huey-ciso-assistant", # Use db name for huey. + "results": True, # Store return values of tasks. + "store_none": False, # If a task returns None, do not save to results. + "immediate": DEBUG, # If DEBUG=True, run synchronously. + "utc": True, # Use UTC for all times internally. + "filename": "db/huey.sqlite3", +} + # SSO with allauth ACCOUNT_USER_MODEL_USERNAME_FIELD = None diff --git a/backend/core/helpers.py b/backend/core/helpers.py index cb7ebc0c9..a6792e8ff 100644 --- a/backend/core/helpers.py +++ b/backend/core/helpers.py @@ -15,6 +15,9 @@ from iam.models import Folder, Permission, RoleAssignment, User from library.helpers import get_referential_translation +from statistics import mean +import math + from .models import * from .utils import camel_case @@ -889,6 +892,13 @@ def viewable_items(model): viewable_controls = viewable_items(AppliedControl) controls_count = viewable_controls.count() + progress_avg = math.ceil( + mean([x.progress() for x in viewable_items(ComplianceAssessment)] or [0]) + ) + missed_eta_count = viewable_controls.filter( + eta__lt=date.today(), + ).count() + data = { "controls": { "total": controls_count, @@ -897,6 +907,8 @@ def viewable_items(model): "on_hold": viewable_controls.filter(status="on_hold").count(), "active": viewable_controls.filter(status="active").count(), "deprecated": viewable_controls.filter(status="deprecated").count(), + "p1": viewable_controls.filter(priority=1).exclude(status="active").count(), + "eta_missed": missed_eta_count, }, "risk": { "assessments": viewable_items(RiskAssessment).count(), 
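Review bot: `"filename": "db/huey.sqlite3"` is resolved against the process working directory, so the task-queue database lands wherever `manage.py` or the WSGI server happens to be started from, and a consumer started from another directory sees an empty queue; if this settings module defines `BASE_DIR` (the Django default, not visible in this hunk), anchor it with `"filename": str(BASE_DIR / "db" / "huey.sqlite3")`. `"results": True` persists every task's return value in that same unencrypted SQLite file, so tasks must not return secrets or personal data, or results should stay off until something actually reads them. A consumer (`manage.py run_huey`) also has to run for non-`DEBUG` deployments; nothing in this diff adds one, so presumably that is handled elsewhere or still to do.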
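Review bot: `missed_eta_count` filters only on `eta__lt=date.today()`, so a control that is already `active` or `deprecated` is still reported as having missed its ETA, while the `p1` counter two lines down explicitly excludes `active` — the two metrics disagree about what "done" means. If the status values mean what their names suggest, `viewable_controls.filter(eta__lt=date.today()).exclude(status__in=["active", "deprecated"]).count()` gives the intended "overdue and still open" figure. `mean([x.progress() for x in ...])` also calls `progress()` once per viewable compliance assessment on what looks like a dashboard endpoint, and `date` is not among the imports this diff adds, so it is presumably already in scope — both worth confirming.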
@@ -908,17 +920,19 @@ def viewable_items(model): "acceptances": viewable_items(RiskAcceptance).count(), }, "compliance": { + "used_frameworks": viewable_items(ComplianceAssessment) + .values("framework_id") + .distinct() + .count(), "audits": viewable_items(ComplianceAssessment).count(), "active_audits": viewable_items(ComplianceAssessment) .filter(status__in=["in_progress", "in_review", "done"]) .count(), "evidences": viewable_items(Evidence).count(), - "compliant_items": viewable_items(RequirementAssessment) - .filter(result="compliant") - .count(), "non_compliant_items": viewable_items(RequirementAssessment) .filter(result="non_compliant") .count(), + "progress_avg": progress_avg, }, "audits_stats": build_audits_stats(user), "csf_functions": csf_functions(user), diff --git a/backend/core/management/commands/status.py b/backend/core/management/commands/status.py index bbee0ed8e..f8d345a8b 100644 --- a/backend/core/management/commands/status.py +++ b/backend/core/management/commands/status.py @@ -22,8 +22,9 @@ def handle(self, *args, **kwargs): nb_risk_assessments = RiskAssessment.objects.all().count() nb_risk_scenarios = RiskScenario.objects.all().count() nb_risk_acceptances = RiskAcceptance.objects.all().count() - nb_seats_available = getattr(settings, "LICENSE_SEATS", 0) - nb_expiry_date = getattr(settings, "LICENSE_EXPIRATION", "") + nb_seats = getattr(settings, "LICENSE_SEATS", 0) + nb_editors = len(User.get_editors()) + expiration = getattr(settings, "LICENSE_EXPIRATION", "") created_at = Folder.get_root_folder().created_at last_login = max( 
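Review bot: `nb_editors = len(User.get_editors())` materialises the whole editor set just to count it; if `get_editors()` returns a queryset (its definition is outside this diff) `User.get_editors().count()` does the same work with one `COUNT(*)`, and if it returns a list the `len()` is fine as is. The `handle` method this hunk edits starts outside the hunk.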
@@ -41,5 +42,5 @@ def handle(self, *args, **kwargs): + f"threats={nb_threats} functions={nb_functions} measures={nb_measures} " + f"evidences={nb_evidences} compliance={nb_compliance_assessments} risk={nb_risk_assessments} " + f"scenarios={nb_risk_scenarios} acceptances={nb_risk_acceptances} " - + f"number_of_seats={nb_seats_available} expiry_date={nb_expiry_date}" + + f"seats={nb_seats} editors={nb_editors} expiration={expiration}" ) diff --git a/backend/core/migrations/0041_add_ref_id_to_project_appliedcontrol_assessment.py b/backend/core/migrations/0041_add_ref_id_to_project_appliedcontrol_assessment.py new file mode 100644 index 000000000..f5ea2f3ac --- /dev/null +++ b/backend/core/migrations/0041_add_ref_id_to_project_appliedcontrol_assessment.py @@ -0,0 +1,43 @@ +# Generated by Django 5.1.1 on 2024-11-19 10:15 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("core", "0040_riskscenario_ref_id"), + ] + + operations = [ + migrations.RenameField( + model_name="project", old_name="internal_reference", new_name="ref_id" + ), + migrations.AlterField( + model_name="project", + name="ref_id", + field=models.CharField( + blank=True, max_length=100, null=True, verbose_name="reference id" + ), + ), + migrations.AddField( + model_name="appliedcontrol", + name="ref_id", + field=models.CharField( + blank=True, max_length=100, null=True, verbose_name="reference id" + ), + ), + migrations.AddField( + model_name="complianceassessment", + name="ref_id", + field=models.CharField( + blank=True, max_length=100, null=True, verbose_name="reference id" + ), + ), + migrations.AddField( + model_name="riskassessment", + name="ref_id", + field=models.CharField( + blank=True, max_length=100, null=True, verbose_name="reference id" + ), + ), + ] diff --git a/backend/core/migrations/0042_asset_filtering_labels.py b/backend/core/migrations/0042_asset_filtering_labels.py new file mode 100644 index 000000000..becd9fca4 --- /dev/null 
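Review bot: Renaming the status-line keys from `number_of_seats=`/`expiry_date=` to `seats=`/`expiration=` silently breaks any log parser, dashboard or licence-monitoring query keyed on the old names. If this line is consumed outside the repository, keep the old keys for one release or call the rename out in the changelog; the added `editors=` key is harmless either way.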
+++ b/backend/core/migrations/0042_asset_filtering_labels.py @@ -0,0 +1,19 @@ +# Generated by Django 5.1.1 on 2024-11-28 10:13 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("core", "0041_add_ref_id_to_project_appliedcontrol_assessment"), + ] + + operations = [ + migrations.AddField( + model_name="asset", + name="filtering_labels", + field=models.ManyToManyField( + blank=True, to="core.filteringlabel", verbose_name="Labels" + ), + ), + ] diff --git a/backend/core/migrations/0043_historicalmetric.py b/backend/core/migrations/0043_historicalmetric.py new file mode 100644 index 000000000..72630bf02 --- /dev/null +++ b/backend/core/migrations/0043_historicalmetric.py @@ -0,0 +1,49 @@ +# Generated by Django 5.1.1 on 2024-11-29 09:46 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("core", "0042_asset_filtering_labels"), + ] + + operations = [ + migrations.CreateModel( + name="HistoricalMetric", + fields=[ + ( + "id", + models.BigAutoField( + auto_created=True, + primary_key=True, + serialize=False, + verbose_name="ID", + ), + ), + ("date", models.DateField(db_index=True, verbose_name="Date")), + ("data", models.JSONField(verbose_name="Historical Data")), + ("model", models.TextField(db_index=True, verbose_name="Model")), + ( + "object_id", + models.UUIDField(db_index=True, verbose_name="Object ID"), + ), + ( + "updated_at", + models.DateTimeField(auto_now=True, verbose_name="Updated at"), + ), + ], + options={ + "indexes": [ + models.Index( + fields=["model", "object_id", "date"], + name="core_histor_model_e05191_idx", + ), + models.Index( + fields=["date", "model"], name="core_histor_date_ddb7df_idx" + ), + ], + "unique_together": {("model", "object_id", "date")}, + }, + ), + ] diff --git a/backend/core/models.py b/backend/core/models.py index 804751726..a2df46e8d 100644 --- a/backend/core/models.py +++ b/backend/core/models.py 
@@ -1049,6 +1049,40 @@ class RequirementNode(ReferentialObjectMixin, I18nObjectMixin): ) question = models.JSONField(blank=True, null=True, verbose_name=_("Question")) + @property + def associated_reference_controls(self): + _reference_controls = self.reference_controls.all() + reference_controls = [] + for control in _reference_controls: + reference_controls.append( + {"str": control.display_long, "urn": control.urn, "id": control.id} + ) + return reference_controls + + @property + def associated_threats(self): + _threats = self.threats.all() + threats = [] + for control in _threats: + threats.append( + {"str": control.display_long, "urn": control.urn, "id": control.id} + ) + return threats + + @property + def parent_requirement(self): + parent_requirement = RequirementNode.objects.filter(urn=self.parent_urn).first() + if not parent_requirement: + return None + return { + "str": parent_requirement.display_long, + "urn": parent_requirement.urn, + "id": parent_requirement.id, + "ref_id": parent_requirement.ref_id, + "name": parent_requirement.name, + "description": parent_requirement.description, + } + class Meta: verbose_name = _("RequirementNode") verbose_name_plural = _("RequirementNodes") @@ -1169,8 +1203,9 @@ class Project(NameDescriptionMixin, FolderMixin): ("eol", _("EndOfLife")), ("dropped", _("Dropped")), ] - internal_reference = models.CharField( - max_length=100, null=True, blank=True, verbose_name=_("Internal reference") + + ref_id = models.CharField( + max_length=100, null=True, blank=True, verbose_name=_("reference id") ) lc_status = models.CharField( max_length=20, @@ -1205,7 +1240,9 @@ def __str__(self): return self.folder.name + "/" + self.name -class Asset(NameDescriptionMixin, FolderMixin, PublishInRootFolderMixin): +class Asset( + NameDescriptionMixin, FolderMixin, PublishInRootFolderMixin, FilteringLabelMixin +): class Type(models.TextChoices): """ The type of the asset. 
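Review bot: `parent_requirement` resolves the parent with `filter(urn=self.parent_urn).first()`, and when `parent_urn` is `None` Django turns `urn=None` into `urn IS NULL`, so a root node would report an unrelated null-urn node as its parent if `urn` is nullable (not visible here); an early `if not self.parent_urn: return None` removes the ambiguity. All three properties issue their own queries, and the serializer hunk later in this diff exposes them on every `RequirementAssessment` read, so a list of a few hundred assessments becomes several hundred extra queries unless the viewset queryset adds `select_related("requirement")` and `prefetch_related("requirement__reference_controls", "requirement__threats")`. The loop variable in `associated_threats` is named `control`; `for threat in _threats:` reads correctly.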
@@ -1361,6 +1398,13 @@ def get_security_objectives(self) -> dict[str, dict[str, dict[str, int | bool]]] If the asset is a supporting asset, the security objectives are the union of the security objectives of all the primary assets it supports. If multiple ancestors share the same security objective, its value in the result is its highest value among the ancestors. """ + if self.security_objectives.get("objectives"): + self.security_objectives["objectives"] = { + key: self.security_objectives["objectives"][key] + for key in Asset.DEFAULT_SECURITY_OBJECTIVES + if key in self.security_objectives["objectives"] + } + if self.is_primary: return self.security_objectives @@ -1541,6 +1585,9 @@ class Status(models.TextChoices): blank=True, verbose_name=_("Reference Control"), ) + ref_id = models.CharField( + max_length=100, null=True, blank=True, verbose_name=_("reference id") + ) evidences = models.ManyToManyField( Evidence, blank=True, 
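Review bot: The new block mutates `self.security_objectives["objectives"]` inside a getter, dropping any key not listed in `Asset.DEFAULT_SECURITY_OBJECTIVES` and reordering the rest; the instance then carries that trimmed dict and a later `save()` writes it back, so unknown keys are silently deleted from the database by a read. If the goal is only a canonical key order in the return value, compute it locally: `objectives = self.security_objectives.get("objectives") or {}`, `ordered = {k: objectives[k] for k in Asset.DEFAULT_SECURITY_OBJECTIVES if k in objectives}`, and return `{**self.security_objectives, "objectives": ordered}` in the primary branch. Whether any caller relies on the in-place normalisation is not visible here; the method continues past the end of the hunk.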
@@ -1738,6 +1785,34 @@ class Status(models.TextChoices): fields_to_check = ["name"] +## historical data +class HistoricalMetric(models.Model): + date = models.DateField(verbose_name=_("Date"), db_index=True) + data = models.JSONField(verbose_name=_("Historical Data")) + model = models.TextField(verbose_name=_("Model"), db_index=True) + object_id = models.UUIDField(verbose_name=_("Object ID"), db_index=True) + updated_at = models.DateTimeField(auto_now=True, verbose_name=_("Updated at")) + + class Meta: + unique_together = ("model", "object_id", "date") + indexes = [ + models.Index(fields=["model", "object_id", "date"]), + models.Index(fields=["date", "model"]), + ] + + @classmethod + def update_daily_metric(cls, model, object_id, data): + """ + Upsert method to update or create a daily metric. Should be generic enough for other metrics. + """ + return cls.objects.update_or_create( + model=model, + object_id=object_id, + date=now().date(), + defaults={"data": data}, + ) + + ########################### Secondary objects ######################### 
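Review bot: `object_id` is a bare `UUIDField`, not a foreign key, so deleting a compliance or risk assessment leaves its daily snapshots (scores, compliance counts) in `HistoricalMetric` indefinitely — a retention problem for audit data that was deliberately removed. Add a cleanup on the owning models' `delete()` or a `post_delete` handler: `HistoricalMetric.objects.filter(model=type(instance).__name__, object_id=instance.id).delete()`. `update_daily_metric` buckets by `now().date()`; if `now` is `django.utils.timezone.now` that is the UTC calendar day, which deserves a comment such as `# one row per UTC calendar day, not the user's local day`. The explicit `models.Index(fields=["model", "object_id", "date"])` duplicates the index that backs `unique_together` on the same columns and can be dropped.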
@@ -1800,14 +1875,46 @@ class RiskAssessment(Assessment): help_text=_("WARNING! After choosing it, you will not be able to change it"), verbose_name=_("Risk matrix"), ) + ref_id = models.CharField( + max_length=100, null=True, blank=True, verbose_name=_("reference id") + ) class Meta: verbose_name = _("Risk assessment") verbose_name_plural = _("Risk assessments") + def upsert_daily_metrics(self): + per_treatment = self.get_per_treatment() + + total = RiskScenario.objects.filter(risk_assessment=self).count() + data = { + "scenarios": { + "total": total, + "per_treatment": per_treatment, + }, + } + + HistoricalMetric.update_daily_metric( + model=self.__class__.__name__, object_id=self.id, data=data + ) + def __str__(self) -> str: return f"{self.name} - {self.version}" + def get_per_treatment(self) -> dict: + output = dict() + for treatment in RiskScenario.TREATMENT_OPTIONS: + output[treatment[0]] = ( + RiskScenario.objects.filter(risk_assessment=self) + .filter(treatment=treatment[0]) + .count() + ) + return output + + def save(self, *args, **kwargs) -> None: + super().save(*args, **kwargs) + self.upsert_daily_metrics() + @property def path_display(self) -> str: return f"{self.project.folder}/{self.project}/{self.name} - {self.version}" @@ -2102,14 +2209,17 @@ class RiskScenario(NameDescriptionMixin): ] QUALIFICATIONS = [ - ("Financial", _("Financial")), - ("Legal", _("Legal")), - ("Reputation", _("Reputation")), - ("Operational", _("Operational")), ("Confidentiality", _("Confidentiality")), ("Integrity", _("Integrity")), ("Availability", _("Availability")), + ("Proof", _("Proof")), ("Authenticity", _("Authenticity")), + ("Privacy", _("Privacy")), + ("Safety", _("Safety")), + ("Reputation", _("Reputation")), + ("Operational", _("Operational")), + ("Legal", _("Legal")), + ("Financial", _("Financial")), ] DEFAULT_SOK_OPTIONS = { 
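Review bot: `get_per_treatment` runs one `COUNT` query per entry of `RiskScenario.TREATMENT_OPTIONS`, and because `RiskScenario.save` (further down this diff) calls `upsert_daily_metrics` on every scenario save, that cost is paid on each edit; a single grouped query yields the same dict. Note also that `QuerySet.update()`, `bulk_create()` and `bulk_update()` bypass `save()`, so any such path leaves the daily metric stale — worth a comment on the `save` override. `Count` is `django.db.models.Count` and is assumed not yet imported in this module.
```python
# … unchanged: upsert_daily_metrics(), __str__(), save() …
def get_per_treatment(self) -> dict:
    """Count the scenarios of this assessment per treatment option, in one query."""
    counts = dict(
        RiskScenario.objects.filter(risk_assessment=self)
        .values_list("treatment")
        .annotate(n=Count("id"))
    )
    # Options with no scenario still appear, with 0, as in the per-option version.
    return {key: counts.get(key, 0) for key, _label in RiskScenario.TREATMENT_OPTIONS}
```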
@@ -2387,6 +2497,7 @@ def save(self, *args, **kwargs): else: self.residual_level = -1 super(RiskScenario, self).save(*args, **kwargs) + self.risk_assessment.upsert_daily_metrics() class ComplianceAssessment(Assessment): @@ -2396,6 +2507,9 @@ class ComplianceAssessment(Assessment): selected_implementation_groups = models.JSONField( blank=True, null=True, verbose_name=_("Selected implementation groups") ) + ref_id = models.CharField( + max_length=100, null=True, blank=True, verbose_name=_("reference id") + ) # score system is suggested by the framework, but can be changed at the start of the assessment min_score = models.IntegerField(null=True, verbose_name=_("Minimum score")) max_score = models.IntegerField(null=True, verbose_name=_("Maximum score")) @@ -2407,12 +2521,36 @@ class Meta: verbose_name = _("Compliance assessment") verbose_name_plural = _("Compliance assessments") + def upsert_daily_metrics(self): + per_status = dict() + per_result = dict() + for item in self.get_requirements_status_count(): + per_status[item[1]] = item[0] + + for item in self.get_requirements_result_count(): + per_result[item[1]] = item[0] + total = RequirementAssessment.objects.filter(compliance_assessment=self).count() + data = { + "reqs": { + "total": total, + "per_status": per_status, + "per_result": per_result, + "progress_perc": self.progress(), + "score": self.get_global_score(), + }, + } + + HistoricalMetric.update_daily_metric( + model=self.__class__.__name__, object_id=self.id, data=data + ) + def save(self, *args, **kwargs) -> None: if self.min_score is None: self.min_score = self.framework.min_score self.max_score = self.framework.max_score self.scores_definition = self.framework.scores_definition super().save(*args, **kwargs) + self.upsert_daily_metrics() def create_requirement_assessments( self, baseline: Self | None = None 
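Review bot: `per_status[item[1]] = item[0]` and `per_result[item[1]] = item[0]` depend on the tuple layout of `get_requirements_status_count()` / `get_requirements_result_count()` (defined outside this diff), and a reader cannot tell which index is the count; unpack by name instead, `for count, status in self.get_requirements_status_count(): per_status[status] = count`, and likewise for results. `save()` now also writes a metric row on first creation, before any requirement assessment exists, and every later `RequirementAssessment.save()` recomputes `progress()` and `get_global_score()` for the whole audit, so creating an audit with N requirements costs N full recomputations.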
@@ -2775,48 +2913,71 @@ def compute_requirement_assessments_results( ) -> list["RequirementAssessment"]: requirement_assessments: list[RequirementAssessment] = [] result_order = ( + RequirementAssessment.Result.NOT_ASSESSED, + RequirementAssessment.Result.NOT_APPLICABLE, RequirementAssessment.Result.NON_COMPLIANT, RequirementAssessment.Result.PARTIALLY_COMPLIANT, RequirementAssessment.Result.COMPLIANT, ) + + def assign_attributes(target, attributes): + """ + Helper function to assign attributes to a target object. + Only assigns if the attribute is not None. + """ + keys = ["result", "status", "score", "is_scored", "observation"] + for key, value in zip(keys, attributes): + if value is not None: + setattr(target, key, value) + for requirement_assessment in self.requirement_assessments.all(): mappings = mapping_set.mappings.filter( target_requirement=requirement_assessment.requirement ) inferences = [] refs = [] + + # Filter for full coverage relationships if applicable if mappings.filter( relationship__in=RequirementMapping.FULL_COVERAGE_RELATIONSHIPS ).exists(): mappings = mappings.filter( relationship__in=RequirementMapping.FULL_COVERAGE_RELATIONSHIPS ) + for mapping in mappings: source_requirement_assessment = RequirementAssessment.objects.get( compliance_assessment=source_assessment, requirement=mapping.source_requirement, ) - inferred_result, inferred_status = requirement_assessment.infer_result( + inferred_result = requirement_assessment.infer_result( mapping=mapping, source_requirement_assessment=source_requirement_assessment, ) - if inferred_result in result_order: - inferences.append((inferred_result, inferred_status)) + if inferred_result.get("result") in result_order: + inferences.append( + ( + inferred_result.get("result"), + inferred_result.get("status"), + inferred_result.get("score"), + inferred_result.get("is_scored"), + inferred_result.get("observation"), + ) + ) refs.append(source_requirement_assessment) + if inferences: if len(inferences) == 1: - 
requirement_assessment.result = inferences[0][0] - if inferences[0][1]: - requirement_assessment.status = inferences[0][1] + selected_inference = inferences[0] ref = refs[0] else: - lowest_result = min( + selected_inference = min( inferences, key=lambda x: result_order.index(x[0]) ) - requirement_assessment.result = lowest_result[0] - if lowest_result[1]: - requirement_assessment.status = lowest_result[1] - ref = refs[inferences.index(lowest_result)] + ref = refs[inferences.index(selected_inference)] + + assign_attributes(requirement_assessment, selected_inference) + requirement_assessment.mapping_inference = { "result": requirement_assessment.result, "source_requirement_assessment": { @@ -2826,7 +2987,9 @@ def compute_requirement_assessments_results( }, # "mappings": [mapping.id for mapping in mappings], } + requirement_assessments.append(requirement_assessment) + return requirement_assessments def progress(self) -> int: 
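Review bot: `result_order` now puts `NOT_ASSESSED` and `NOT_APPLICABLE` before `NON_COMPLIANT`, so when several full-coverage sources map to one requirement the `min(...)` branch picks an unassessed or not-applicable source over a non-compliant one, and `assign_attributes` then overwrites a real finding with "not assessed"; before this change those results were dropped by the `in result_order` filter. If the intent is "propagate the worst assessed outcome", either leave them out of `result_order` or rank them after `COMPLIANT`. `refs[inferences.index(selected_inference)]` also returns the first source whose tuple compares equal, so when two sources yield identical (result, status, score, is_scored, observation) tuples the recorded `source_requirement_assessment` may be the wrong one; choosing by index, `best = min(range(len(inferences)), key=lambda i: result_order.index(inferences[i][0]))` with `ref = refs[best]`, keeps them aligned. The method starts before this hunk.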
@@ -2924,24 +3087,39 @@ def get_requirement_description(self) -> str: def infer_result( self, mapping: RequirementMapping, source_requirement_assessment: Self - ) -> str | None: + ) -> dict | None: if mapping.coverage == RequirementMapping.Coverage.FULL: - return ( - source_requirement_assessment.result, - source_requirement_assessment.status, - ) + if ( + source_requirement_assessment.compliance_assessment.min_score + == self.compliance_assessment.min_score + and source_requirement_assessment.compliance_assessment.max_score + == self.compliance_assessment.max_score + ): + return { + "result": source_requirement_assessment.result, + "status": source_requirement_assessment.status, + "score": source_requirement_assessment.score, + "is_scored": source_requirement_assessment.is_scored, + "observation": source_requirement_assessment.observation, + } + else: + return { + "result": source_requirement_assessment.result, + "status": source_requirement_assessment.status, + "observation": source_requirement_assessment.observation, + } if mapping.coverage == RequirementMapping.Coverage.PARTIAL: if source_requirement_assessment.result in ( RequirementAssessment.Result.COMPLIANT, RequirementAssessment.Result.PARTIALLY_COMPLIANT, ): - return (RequirementAssessment.Result.PARTIALLY_COMPLIANT, None) + return {"result": RequirementAssessment.Result.PARTIALLY_COMPLIANT} if ( source_requirement_assessment.result == RequirementAssessment.Result.NON_COMPLIANT ): - return (RequirementAssessment.Result.NON_COMPLIANT, None) - return (None, None) + return {"result": RequirementAssessment.Result.NON_COMPLIANT} + return {} def create_applied_controls_from_suggestions(self) -> list[AppliedControl]: applied_controls: list[AppliedControl] = [] 
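Review bot: The annotation `-> dict | None` no longer matches the body, which ends with `return {}` and never returns `None`; `-> dict` is the honest signature and callers can keep using `.get("result")`. Full-coverage mappings now copy `observation` verbatim from the source requirement assessment into the target, so free-text notes written for one audit (possibly naming people, systems or exceptions) propagate into another audit whose readers may differ — worth a comment confirming that is intended, or an opt-out. The score copy is gated on equal `min_score`/`max_score` only, while `scores_definition` is also taken from the framework (see the `ComplianceAssessment.save` hunk), so two frameworks with the same range but different scale labels still get scores copied across; presumably acceptable, but say so in a comment.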
@@ -2982,6 +3160,10 @@ class Meta: verbose_name = _("Requirement assessment") verbose_name_plural = _("Requirement assessments") + def save(self, *args, **kwargs) -> None: + super().save(*args, **kwargs) + self.compliance_assessment.upsert_daily_metrics() + ########################### RiskAcesptance is a domain object relying on secondary objects ######################### diff --git a/backend/core/serializers.py b/backend/core/serializers.py index d8be3960f..c8490d807 100644 --- a/backend/core/serializers.py +++ b/backend/core/serializers.py @@ -230,7 +230,7 @@ class AssetReadSerializer(AssetWriteSerializer): disaster_recovery_objectives = serializers.JSONField( source="get_disaster_recovery_objectives_display" ) - + filtering_labels = FieldsRelatedField(["folder"], many=True) type = serializers.CharField(source="get_type_display") @@ -619,6 +619,20 @@ class RequirementAssessmentReadSerializer(BaseModelSerializer): compliance_assessment = FieldsRelatedField() folder = FieldsRelatedField() assessable = serializers.BooleanField(source="requirement.assessable") + requirement = FieldsRelatedField( + [ + "id", + "urn", + "annotation", + "name", + "description", + "typical_evidence", + "ref_id", + "associated_reference_controls", + "associated_threats", + "parent_requirement", + ] + ) class Meta: model = RequirementAssessment diff --git a/backend/core/startup.py b/backend/core/startup.py index 0b5294dc5..f3faad47d 100644 --- a/backend/core/startup.py +++ b/backend/core/startup.py @@ -345,7 +345,6 @@ "view_complianceassessment", "view_requirementassessment", "change_requirementassessment", - "view_requirementnode", "view_evidence", "add_evidence", "change_evidence", diff --git a/backend/core/views.py b/backend/core/views.py index 2b7ea4122..cf10705b1 100644 --- a/backend/core/views.py +++ b/backend/core/views.py 
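Review bot: `self.compliance_assessment.upsert_daily_metrics()` runs after every `RequirementAssessment.save()`, and that method recomputes status counts, result counts, `progress()` and `get_global_score()` over the whole audit, so creating an audit with N requirement nodes (`create_requirement_assessments`, outside this diff, presumably saves them one by one) triggers N full recomputations — the doubled CI `sleep` in this same commit is consistent with that. A cheaper pattern is to skip the hook during bulk creation and call `upsert_daily_metrics()` once at the end, e.g. `if not kwargs.pop("skip_metrics", False): self.compliance_assessment.upsert_daily_metrics()` in `save()`. `bulk_create` and `QuerySet.update` paths never reach this hook, which deserves a comment.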
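Review bot: The read serializer now inlines `annotation`, `typical_evidence`, reference controls, threats and the parent node on every `RequirementAssessment`, while the `startup.py` hunk in the same commit removes `view_requirementnode` from a role's permission list (the role's name is outside the hunk). The net effect is that framework node content is served under the `view_requirementassessment` permission alone; that is probably the intent, since nodes are library data, but a comment on the serializer field, `# node details are deliberately readable by anyone who can read the assessment`, records the decision so the dropped permission is not re-added as a "fix". Each listed property also runs its own queries per row, so the viewset queryset should `prefetch_related("requirement__reference_controls", "requirement__threats")`.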
@@ -17,6 +17,8 @@ from pathlib import Path import humanize +# from icecream import ic + from django.utils.decorators import method_decorator from django.views.decorators.cache import cache_page from django.views.decorators.vary import vary_on_cookie @@ -155,12 +157,36 @@ def _process_request_data(self, request: Request) -> None: elif not request.data[field][0]: request.data[field] = [] + def _process_labels(self, labels): + """ + Creates a FilteringLabel and replaces the value with the ID of the newly created label. + """ + new_labels = [] + for label in labels: + try: + uuid.UUID(label, version=4) + new_labels.append(label) + except ValueError: + new_label = FilteringLabel(label=label) + new_label.full_clean() + new_label.save() + new_labels.append(str(new_label.id)) + return new_labels + def create(self, request: Request, *args, **kwargs) -> Response: self._process_request_data(request) + if request.data.get("filtering_labels"): + request.data["filtering_labels"] = self._process_labels( + request.data["filtering_labels"] + ) return super().create(request, *args, **kwargs) def update(self, request: Request, *args, **kwargs) -> Response: self._process_request_data(request) + if request.data.get("filtering_labels"): + request.data["filtering_labels"] = self._process_labels( + request.data["filtering_labels"] + ) return super().update(request, *args, **kwargs) def partial_update(self, request: Request, *args, **kwargs) -> Response: @@ -191,7 +217,7 @@ class ProjectViewSet(BaseModelViewSet): model = Project filterset_fields = ["folder", "lc_status"] - search_fields = ["name", "internal_reference", "description"] + search_fields = ["name", "ref_id", "description"] @action(detail=False, name="Get status choices") def lc_status(self, request): 
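Review bot: `# from icecream import ic` is a commented-out debug import left in `views.py`; delete the line rather than keep dead code that invites re-enabling a development-only dependency in production code. Nothing else in this hunk uses it.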
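Review bot: `_process_labels` catches only `ValueError`, but `uuid.UUID(label, version=4)` raises `AttributeError` or `TypeError` when a JSON element is not a string (e.g. `123` or `null`), and `full_clean()` raises Django's `ValidationError`, which DRF does not translate into a 400 unless a custom exception handler is configured (not visible here) — either way a malformed payload becomes a 500. The labels are also created and committed before `super().create()`/`update()` runs the serializer's validation and permission checks, so a rejected request leaves orphan `FilteringLabel` rows behind. Wrap the label creation in the request transaction and map failures to a DRF `ValidationError`; `transaction`, `DjangoValidationError` and DRF's `ValidationError` must be imported if they are not already.
```python
def _process_labels(self, labels):
    """Replace free-text labels with ids, creating FilteringLabel rows as needed.

    Elements that already parse as a UUID are passed through unchanged;
    existence of that id is left to the serializer's field validation.
    """
    new_labels = []
    for label in labels:
        try:
            uuid.UUID(label, version=4)
            new_labels.append(label)
            continue
        except (ValueError, AttributeError, TypeError):
            pass  # not a UUID string: treat as a new label name
        new_label = FilteringLabel(label=label)
        try:
            new_label.full_clean()
        except DjangoValidationError as e:
            raise ValidationError({"filtering_labels": e.messages}) from e
        new_label.save()
        new_labels.append(str(new_label.id))
    return new_labels

@transaction.atomic
def create(self, request: Request, *args, **kwargs) -> Response:
    # … unchanged body: request-data processing, label handling, super().create …

@transaction.atomic
def update(self, request: Request, *args, **kwargs) -> Response:
    # … unchanged body …
```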
@@ -276,6 +302,22 @@ def quality_check_detail(self, request, pk): else: return Response(status=HTTP_403_FORBIDDEN) + @action(detail=False, methods=["get"]) + def ids(self, request): + my_map = dict() + + (viewable_items, _, _) = RoleAssignment.get_accessible_object_ids( + folder=Folder.get_root_folder(), + user=request.user, + object_type=Project, + ) + for item in Project.objects.filter(id__in=viewable_items): + if my_map.get(item.folder.name) is None: + my_map[item.folder.name] = {} + my_map[item.folder.name].update({item.name: item.id}) + + return Response(my_map) + class ThreatViewSet(BaseModelViewSet): """ @@ -296,6 +338,21 @@ def retrieve(self, request, *args, **kwargs): def threats_count(self, request): return Response({"results": threats_count_per_name(request.user)}) + @action(detail=False, methods=["get"]) + def ids(self, request): + my_map = dict() + + (viewable_items, _, _) = RoleAssignment.get_accessible_object_ids( + folder=Folder.get_root_folder(), + user=request.user, + object_type=Threat, + ) + for item in Threat.objects.filter(id__in=viewable_items): + if my_map.get(item.folder.name) is None: + my_map[item.folder.name] = {} + my_map[item.folder.name].update({item.name: item.id}) + return Response(my_map) + class AssetViewSet(BaseModelViewSet): """ 
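Review bot: The `ids` action added here is duplicated verbatim on ThreatViewSet in the next hunk and again on AssetViewSet, RiskMatrixViewSet and AppliedControlViewSet in later hunks, differing only in the model passed to `get_accessible_object_ids` and the queryset; since each viewset already declares `model`, a single implementation on `BaseModelViewSet` using `self.model` removes five copies. Each copy also reads `item.folder.name` per row without `select_related("folder")`, which is one extra query per object, and objects sharing a name inside one folder silently overwrite each other in the map (last one wins), which the response gives no hint of. The rewrite below keeps the response shape byte-identical.
```python
    def _accessible_ids_by_folder(self, request):
        """Return {folder name: {object name: id}} for objects the user may view.

        Objects that share a name within a folder collapse to one entry; the
        last row returned wins, matching the previous per-viewset behaviour.
        """
        viewable_ids, _, _ = RoleAssignment.get_accessible_object_ids(
            folder=Folder.get_root_folder(),
            user=request.user,
            object_type=self.model,
        )
        ids_by_folder = {}
        queryset = self.model.objects.filter(id__in=viewable_ids).select_related("folder")
        for item in queryset:
            ids_by_folder.setdefault(item.folder.name, {})[item.name] = item.id
        return ids_by_folder

    @action(detail=False, methods=["get"])
    def ids(self, request):
        return Response(self._accessible_ids_by_folder(request))
```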
@@ -373,6 +430,21 @@ def graph(self, request): {"nodes": nodes, "links": links, "categories": categories, "meta": meta} ) + @action(detail=False, methods=["get"]) + def ids(self, request): + my_map = dict() + + (viewable_items, _, _) = RoleAssignment.get_accessible_object_ids( + folder=Folder.get_root_folder(), + user=request.user, + object_type=Asset, + ) + for item in Asset.objects.filter(id__in=viewable_items): + if my_map.get(item.folder.name) is None: + my_map[item.folder.name] = {} + my_map[item.folder.name].update({item.name: item.id}) + return Response(my_map) + @action(detail=False, name="Get security objectives") def security_objectives(self, request): return Response({"results": Asset.DEFAULT_SECURITY_OBJECTIVES}) @@ -437,6 +509,22 @@ def used(self, request): ) return Response({"results": used_matrices}) + @action(detail=False, methods=["get"]) + def ids(self, request): + my_map = dict() + + (viewable_items, _, _) = RoleAssignment.get_accessible_object_ids( + folder=Folder.get_root_folder(), + user=request.user, + object_type=RiskMatrix, + ) + for item in RiskMatrix.objects.filter(id__in=viewable_items): + if my_map.get(item.folder.name) is None: + my_map[item.folder.name] = {} + my_map[item.folder.name].update({item.name: item.id}) + + return Response(my_map) + class VulnerabilityViewSet(BaseModelViewSet): """ 
@@ -452,34 +540,6 @@ class VulnerabilityViewSet(BaseModelViewSet): def status(self, request): return Response(dict(Vulnerability.Status.choices)) - def _process_labels(self, labels): - """ - Creates a FilteringLabel and replaces the value with the ID of the newly created label. - """ - new_labels = [] - for label in labels: - try: - uuid.UUID(label, version=4) - new_labels.append(label) - except ValueError: - new_label = FilteringLabel(label=label) - new_label.full_clean() - new_label.save() - new_labels.append(str(new_label.id)) - return new_labels - - def update(self, request: Request, *args, **kwargs) -> Response: - request.data["filtering_labels"] = self._process_labels( - request.data["filtering_labels"] - ) - return super().update(request, *args, **kwargs) - - def create(self, request: Request, *args, **kwargs) -> Response: - request.data["filtering_labels"] = self._process_labels( - request.data["filtering_labels"] - ) - return super().create(request, *args, **kwargs) - class FilteringLabelViewSet(BaseModelViewSet): """ 
@@ -655,30 +715,46 @@ def risk_assessment_csv(self, request, pk): writer = csv.writer(response, delimiter=";") columns = [ "ref_id", + "assets", "threats", "name", "description", "existing_controls", - "current_level", - "applied_controls", - "residual_level", + "current_impact", + "current_proba", + "current_risk", + "additional_controls", + "residual_impact", + "residual_proba", + "residual_risk", "treatment", ] writer.writerow(columns) - for scenario in risk_assessment.risk_scenarios.all().order_by("created_at"): - applied_controls = ",".join( - [m.csv_value for m in scenario.applied_controls.all()] + for scenario in risk_assessment.risk_scenarios.all().order_by("ref_id"): + additional_controls = ",".join( + [m.name for m in scenario.applied_controls.all()] + ) + existing_controls = ",".join( + [m.name for m in scenario.existing_applied_controls.all()] ) + threats = ",".join([t.name for t in scenario.threats.all()]) + assets = ",".join([t.name for t in scenario.assets.all()]) + row = [ scenario.ref_id, + assets, threats, scenario.name, scenario.description, - scenario.existing_controls, + existing_controls, + scenario.get_current_impact()["name"], + scenario.get_current_proba()["name"], scenario.get_current_risk()["name"], - applied_controls, + additional_controls, + scenario.get_residual_impact()["name"], + scenario.get_residual_proba()["name"], scenario.get_residual_risk()["name"], scenario.treatment, ] 
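Review bot: The CSV rows now carry more free-text fields — joined `assets`, `threats`, `existing_controls` and `additional_controls` names plus scenario `name`/`description` — written straight through `csv.writer`; if any of those values are user-editable (they appear to be ordinary model fields), a value starting with `=`, `+`, `-` or `@` is interpreted as a formula when the export is opened in a spreadsheet, so cells should be neutralised before writing. A small module-level helper applied to every cell keeps the export intact while defusing that case. Separately, `order_by("ref_id")` sorts a character field, so `R.10` sorts before `R.2` — if numeric order matters, sort on a numeric column or in Python with a natural-sort key. `risk_assessment_csv` begins before this hunk, so the helper's placement is outside the visible lines.
```python
def _csv_cell(value):
    """Return value as text, prefixed so spreadsheets treat a leading formula trigger as literal."""
    text = "" if value is None else str(value)
    return "'" + text if text[:1] in ("=", "+", "-", "@") else text

# … unchanged: header row, per-scenario joins …
            row = [
                _csv_cell(cell)
                for cell in (
                    scenario.ref_id,
                    assets,
                    threats,
                    # … unchanged: remaining cells in the same order …
                )
            ]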
@@ -1120,6 +1196,22 @@ def duplicate(self, request, pk): {"results": AppliedControlReadSerializer(duplicate_applied_control).data} ) + @action(detail=False, methods=["get"]) + def ids(self, request): + my_map = dict() + + (viewable_items, _, _) = RoleAssignment.get_accessible_object_ids( + folder=Folder.get_root_folder(), + user=request.user, + object_type=AppliedControl, + ) + for item in AppliedControl.objects.filter(id__in=viewable_items): + if my_map.get(item.folder.name) is None: + my_map[item.folder.name] = {} + my_map[item.folder.name].update({item.name: item.id}) + + return Response(my_map) + class PolicyViewSet(AppliedControlViewSet): model = Policy @@ -1466,6 +1558,7 @@ class FolderViewSet(BaseModelViewSet): model = Folder filterset_class = FolderFilter + search_fields = ["ref_id"] def perform_create(self, serializer): """ @@ -1550,6 +1643,19 @@ def org_tree(self, request): return Response(tree) + @action(detail=False, methods=["get"]) + def ids(self, request): + my_map = dict() + + (viewable_items, _, _) = RoleAssignment.get_accessible_object_ids( + folder=Folder.get_root_folder(), + user=request.user, + object_type=Folder, + ) + for item in Folder.objects.filter(id__in=viewable_items): + my_map[item.name] = item.id + return Response(my_map) + @action(detail=False, methods=["get"]) def my_assignments(self, request): risk_assessments = RiskAssessment.objects.filter( @@ -1896,7 +2002,7 @@ class ComplianceAssessmentViewSet(BaseModelViewSet): model = ComplianceAssessment filterset_fields = ["framework", "project", "status"] - search_fields = ["name", "description"] + search_fields = ["name", "description", "ref_id"] ordering_fields = ["name", "description"] @method_decorator(cache_page(60 * LONG_CACHE_TTL)) 
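Review bot: The FolderViewSet `ids` action keys the response by `item.name` alone, so two folders with the same name under different parents (which the `parent_folder` field in the iam/models hunk allows) collapse into one entry and the later row overwrites the earlier one, returning an id for a folder the caller did not mean. Either key on something unique or nest by parent as the other `ids` actions do, and say so in a docstring, e.g. `"""Return {folder name: id} for folders the user may view; same-named folders overwrite each other."""` if the flat shape must be kept.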
@@ -2209,8 +2315,9 @@ def tree(self, request, pk): @action(detail=True, methods=["get"]) def requirements_list(self, request, pk): """Returns the list of requirement assessments for the different audit modes""" + assessable = self.request.query_params.get("assessable", False) requirement_assessments_objects = self.get_object().get_requirement_assessments( - include_non_assessable=True + include_non_assessable=not assessable ) requirements_objects = RequirementNode.objects.filter( framework=self.get_object().framework @@ -2284,6 +2391,31 @@ def create_suggested_applied_controls(request, pk): requirement_assessment.create_applied_controls_from_suggestions() return Response(status=status.HTTP_200_OK) + @action(detail=True, methods=["get"], url_path="progress_ts") + def progress_ts(self, request, pk): + try: + raw = ( + HistoricalMetric.objects.filter( + model="ComplianceAssessment", object_id=pk + ) + .annotate(progress=F("data__reqs__progress_perc")) + .values("date", "progress") + .order_by("date") + ) + + # Transform the data into the required format + formatted_data = [ + [entry["date"].isoformat(), entry["progress"]] for entry in raw + ] + + return Response({"data": formatted_data}) + + except HistoricalMetric.DoesNotExist: + return Response( + {"error": "No metrics found for this assessment"}, + status=status.HTTP_404_NOT_FOUND, + ) + class RequirementAssessmentViewSet(BaseModelViewSet): """ diff --git a/backend/iam/models.py b/backend/iam/models.py index 6bd64a1e6..17b3dc4a5 100644 --- a/backend/iam/models.py +++ b/backend/iam/models.py @@ -80,6 +80,7 @@ class ContentType(models.TextChoices): content_type = models.CharField( max_length=2, choices=ContentType.choices, default=ContentType.DOMAIN ) + parent_folder = models.ForeignKey( "self", null=True, 
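Review bot: `assessable = self.request.query_params.get("assessable", False)` yields a string for any supplied value, so `?assessable=false` or `?assessable=0` is truthy and `include_non_assessable` becomes `False` — the opposite of what the client asked for. Parse the flag explicitly, e.g. `assessable = request.query_params.get("assessable", "false").lower() in ("1", "true", "yes")`, and document the accepted values in the action's docstring; the default `False` should also be written as the string `"false"` so both branches go through the same parsing.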
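Review bot: `progress_ts` queries `HistoricalMetric` by the raw `pk` without ever calling `self.get_object()`, so the viewset's object-level permission check is never applied and any authenticated caller can read the progress history of an assessment they cannot otherwise view; add `self.get_object()` as the first statement (its return value can be ignored) so the existing permission layer gates `pk`. The `except HistoricalMetric.DoesNotExist` branch is unreachable — `.filter(...).values(...)` returns an empty queryset rather than raising — so an unknown or empty assessment answers `{"data": []}` with 200, and the 404 path is dead code that can be removed once `get_object()` raises the proper 404.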
@@ -534,7 +535,11 @@ def is_editor(self) -> bool: @classmethod def get_editors(cls) -> List[Self]: - return [user for user in cls.objects.all() if user.is_editor] + return [ + user + for user in cls.objects.all() + if user.is_editor and not user.is_third_party + ] class Role(NameDescriptionMixin, FolderMixin): diff --git a/backend/library/libraries/enisa-5g-scm-v1.3.yaml b/backend/library/libraries/enisa-5g-scm-v1.3.yaml index a947a3394..c142bef82 100644 --- a/backend/library/libraries/enisa-5g-scm-v1.3.yaml +++ b/backend/library/libraries/enisa-5g-scm-v1.3.yaml @@ -9,7 +9,7 @@ copyright: "The Matrix is provided on an \u2018as is\u2019 basis. ENISA is not r \ for the information contained in the Matrix, including the use that might be made\ \ of this information, or the content of any external sources referenced in the\ \ Matrix.\n" -version: '2' +version: 2 provider: ENISA packager: intuitem objects: diff --git a/backend/library/libraries/hds-v2023-a.yaml b/backend/library/libraries/hds-v2023-a.yaml index 81ee2a49e..e64ca13dc 100644 --- a/backend/library/libraries/hds-v2023-a.yaml +++ b/backend/library/libraries/hds-v2023-a.yaml @@ -5,7 +5,7 @@ name: HDS v2023-A description: "R\xE9f\xE9rentiel de certification H\xE9bergeur de donn\xE9es de sant\xE9\ \ (HDS) - Exigences" copyright: "Loi fran\xE7aise et europ\xE9enne" -version: '1' +version: 1 provider: "Agence du Num\xE9rique en Sant\xE9" packager: intuitem objects: diff --git a/backend/library/libraries/ict-minimal.yaml b/backend/library/libraries/ict-minimal.yaml index 765b230a6..8754b7212 100644 --- a/backend/library/libraries/ict-minimal.yaml +++ b/backend/library/libraries/ict-minimal.yaml @@ -4,7 +4,7 @@ ref_id: ict-minimal name: ICT - Minimum standard description: Minimum standard for improving ICT resilience - Version may 2023 copyright: Creative Commons BY. -version: '1' +version: 1 provider: Swiss FONES packager: intuitem translations: 
diff --git a/backend/library/libraries/mapping-ccb-cff-2023-03-01-to-iso27001-2022.yaml b/backend/library/libraries/mapping-ccb-cff-2023-03-01-to-iso27001-2022.yaml index 2a6851832..b32fc99ce 100644 --- a/backend/library/libraries/mapping-ccb-cff-2023-03-01-to-iso27001-2022.yaml +++ b/backend/library/libraries/mapping-ccb-cff-2023-03-01-to-iso27001-2022.yaml @@ -5,7 +5,7 @@ name: CCB-CFF-2023-03-01 -> ISO/IEC 27001:2022 description: Mapping from CCB CyberFundamentals Framework to International standard ISO/IEC 27001:2022 copyright: intuitem -version: '1' +version: 1 provider: CCB packager: intuitem dependencies: diff --git a/backend/library/libraries/mapping-cjis-policy-5.9.4-to-cjis-policy-5.9.yaml b/backend/library/libraries/mapping-cjis-policy-5.9.4-to-cjis-policy-5.9.yaml index e6288ab9e..9c424ee7c 100644 --- a/backend/library/libraries/mapping-cjis-policy-5.9.4-to-cjis-policy-5.9.yaml +++ b/backend/library/libraries/mapping-cjis-policy-5.9.4-to-cjis-policy-5.9.yaml @@ -5,7 +5,7 @@ name: CJIS-POLICY-5.9.4 -> CJIS-POLICY-5.9.5 description: Mapping from Criminal Justice Information Services (CJIS) Security Policy to Criminal Justice Information Services (CJIS) Security Policy 5.9.5 copyright: intuitem -version: '1' +version: 1 provider: intuitem packager: intuitem dependencies: diff --git a/backend/library/libraries/mapping-iso27001-2022-to-secnumcloud-3.2.yaml b/backend/library/libraries/mapping-iso27001-2022-to-secnumcloud-3.2.yaml index 033048444..fbc6ab392 100644 --- a/backend/library/libraries/mapping-iso27001-2022-to-secnumcloud-3.2.yaml +++ b/backend/library/libraries/mapping-iso27001-2022-to-secnumcloud-3.2.yaml 
@@ -6,7 +6,7 @@ description: "Correspondance entre la norme internationale ISO/IEC 27001:2022 et \ r\xE9f\xE9rentiel d\u2019exigences de prestataires de services d\u2019informatique\ \ en nuage (SecNumCloud 3.2)" copyright: https://www.iso.org/standard/27001 - ANSSI - ANS -version: '1' +version: 1 provider: ISO/IEC - ANSSI - ANS (annexe 1 du document HDS 2.0) packager: protocolpaladin dependencies: diff --git a/backend/library/libraries/mapping-secnumcloud-3.2-to-iso27001-2022.yaml b/backend/library/libraries/mapping-secnumcloud-3.2-to-iso27001-2022.yaml index 5757c0044..f8c2c25cf 100644 --- a/backend/library/libraries/mapping-secnumcloud-3.2-to-iso27001-2022.yaml +++ b/backend/library/libraries/mapping-secnumcloud-3.2-to-iso27001-2022.yaml @@ -6,7 +6,7 @@ description: "Correspondance entre le r\xE9f\xE9rentiel d\u2019exigences de pres \ de services d\u2019informatique en nuage (SecNumCloud 3.2) et la norme internationale\ \ ISO/IEC 27001:2022" copyright: https://www.iso.org/standard/27001 - ANSSI - ANS -version: '1' +version: 1 provider: ISO/IEC - ANSSI - ANS (annexe 1 du document HDS 2.0) packager: protocolpaladin dependencies: diff --git a/backend/library/libraries/nist-sp-800-66-rev2.yaml b/backend/library/libraries/nist-sp-800-66-rev2.yaml index 642cf412b..0abb9c32a 100644 --- a/backend/library/libraries/nist-sp-800-66-rev2.yaml +++ b/backend/library/libraries/nist-sp-800-66-rev2.yaml @@ -10,7 +10,7 @@ description: 'Implementing the Health Insurance Portability and Accountability A ' copyright: With the exception of material marked as copyrighted, information presented on NIST sites are considered public information and may be distributed or copied. -version: '1' +version: 1 provider: NIST packager: intuitem objects: diff --git a/backend/library/libraries/risk-matrix-4x4-ebios-rm.yaml b/backend/library/libraries/risk-matrix-4x4-ebios-rm.yaml new file mode 100644 index 000000000..51ff10780 --- /dev/null 
+++ b/backend/library/libraries/risk-matrix-4x4-ebios-rm.yaml 
@@ -0,0 +1,174 @@ +urn: urn:intuitem:risk:library:risk-matrix-4x4-ebios-rm +locale: en +ref_id: risk-matrix-4x4-ebios-rm +name: 4x4 risk matrix from EBIOS-RM +description: based on the official guide of the EBIOS RM approach +copyright: public domain +version: 2 +provider: intuitem +packager: intuitem +translations: + fr: + name: Matrice 4x4 EBIOS-RM + description: "Bas\xE9e sur le guide officiel de la m\xE9thode EBIOS RM" +objects: + risk_matrix: + - urn: urn:intuitem:risk:matrix:risk-matrix-4x4-ebios-rm + ref_id: risk-matrix-4x4-ebios-rm + name: 4x4 risk matrix from EBIOS-RM + description: based on the official guide of the EBIOS RM approach + probability: + - id: 0 + abbreviation: V1 + name: Unlikely + description: The source of risk is unlikely to achieve its intended objective + under any of the proposed procedures. The likelihood of the scenario is weak. + translations: + fr: + name: Peu vraisemblable + description: "La source de risque a peu de chances d\u2019atteindre son\ + \ objectif vis\xE9 selon l\u2019un des modes op\xE9ratoires envisag\xE9\ + s. La vraisemblance du sc\xE9nario est faible." + hexcolor: '#FAF7E9' + - id: 1 + abbreviation: V2 + name: Likely + description: ' The source of risk is likely to achieve its intended objective + according to one of the operating procedures envisaged. The likelihood of + the scenario is significant. ' + translations: + fr: + name: Vraisemblable + description: "La source de risque est susceptible d\u2019atteindre son objectif\ + \ vis\xE9 selon l\u2019un des modes op\xE9ratoires envisag\xE9s. La vraisemblance\ + \ du sc\xE9nario est significative." + hexcolor: '#EEE6BC' + - id: 2 + abbreviation: V3 + name: Very likely + description: The risk source is very likely to achieve its intended objective + through one of the anticipated methods of operation. The likelihood of the + scenario is high. 
+ translations: + fr: + name: "Tr\xE8s vraisemblable" + description: "La source de risque va probablement atteindre son objectif\ + \ vis\xE9 selon l\u2019un des modes op\xE9ratoires envisag\xE9s. La vraisemblance\ + \ du sc\xE9nario est \xE9lev\xE9e." + hexcolor: '#DCCC77' + - id: 3 + abbreviation: V4 + name: Certain + description: The risk source will certainly achieve its intended objective through + one of the anticipated methods of operation OR such a scenario has already + occurred within the organization (incident history). + translations: + fr: + name: Certain + description: "La source de risque va certainement atteindre son objectif\ + \ vis\xE9 selon l\u2019un des modes op\xE9ratoires envisag\xE9s OU un\ + \ tel sc\xE9nario s\u2019est d\xE9j\xE0 produit au sein de l\u2019organisation\ + \ (historique d\u2019incidents)." + hexcolor: '#C4AA00' + impact: + - id: 0 + abbreviation: G1 + name: Minor + description: 'No operational impact on the performance of the activity or on + the safety of people and property. ' + translations: + fr: + name: Mineur + description: "Aucun impact op\xE9rationnel ni sur les performances de l\u2019\ + activit\xE9 ni sur la s\xE9curit\xE9 des personnes et des biens." + hexcolor: '#42C7C4' + - id: 1 + abbreviation: G2 + name: Significant + description: 'Deterioration in the performance of the activity without impact + on the safety of people and property. ' + translations: + fr: + name: Significatif + description: "D\xE9gradation des performances de l\u2019activit\xE9 sans\ + \ impacts sur la s\xE9curit\xE9 des personnes et des biens." + hexcolor: '#FBF082' + - id: 2 + abbreviation: G3 + name: Important + description: 'Sharp deterioration in the performance of the activity, with possible + significant impacts on the safety of people and property. 
' + translations: + fr: + name: Important + description: "Forte d\xE9gradation des performances de l\u2019activit\xE9\ + , avec d\u2019\xE9ventuels impacts significatifs sur la s\xE9curit\xE9\ + \ des personnes et des biens." + hexcolor: '#FFC586' + - id: 3 + abbreviation: G4 + name: Critical + description: Inability for the company to carry out all or part of its activity, + with possible serious impacts on the safety of people and property. + translations: + fr: + name: Critique + description: "Incapacit\xE9 pour la soci\xE9t\xE9 d\u2019assurer tout ou\ + \ partie de son activit\xE9, avec d\u2019\xE9ventuels impacts graves sur\ + \ la s\xE9curit\xE9 des personnes et des biens." + hexcolor: '#EE7B86' + risk: + - id: 0 + abbreviation: '1' + name: Low + description: Acceptable as is. + translations: + fr: + name: Faible + description: "Acceptable en l'\xE9tat" + hexcolor: '#59BBB2' + - id: 1 + abbreviation: '2' + name: Medium + description: Tolerable under control. Risk management monitoring must be conducted, + and actions should be implemented as part of continuous improvement in the + medium and long term. + translations: + fr: + name: Moyen + description: "Tol\xE9rable sous contr\xF4le. Un suivi en termes de gestion\ + \ du risque est \xE0 mener et des actions sont \xE0 mettre en place dans\ + \ le cadre d\u2019une am\xE9lioration continue sur le moyen et long terme." + hexcolor: '#F5C481' + - id: 2 + abbreviation: '3' + name: High + description: Unacceptable. Risk reduction measures must be implemented urgently + in the short term. Otherwise, all or part of the activity will be denied. + translations: + fr: + name: "\xC9lev\xE9" + description: "Inacceptable. Des mesures de r\xE9duction du risque doivent\ + \ imp\xE9rativement \xEAtre prises \xE0 court terme. Dans le cas contraire,\ + \ tout ou partie de l\u2019activit\xE9 sera refus\xE9e." 
+ hexcolor: '#E6686D' + grid: + - - 0 + - 0 + - 1 + - 1 + - - 0 + - 0 + - 1 + - 2 + - - 0 + - 1 + - 2 + - 2 + - - 1 + - 1 + - 2 + - 2 + translations: + fr: + description: "Bas\xE9e sur le guide officiel de la m\xE9thode EBIOS RM" diff --git a/backend/library/libraries/sama-csf-1.0.yaml b/backend/library/libraries/sama-csf-1.0.yaml new file mode 100644 index 000000000..1cc2ea5b2 --- /dev/null +++ b/backend/library/libraries/sama-csf-1.0.yaml 
@@ -0,0 +1,2273 @@ +urn: urn:intuitem:risk:library:sama-csf-1.0 +locale: en +ref_id: SAMA-CSF-1.0 +name: 'SAMA Cyber Security Fundamentals ' +description: 'SAMA Cyber Security Fundamentals ' +copyright: All texts, layouts, designs and other elements of any nature in this document + are subject to copyright law. +version: 1 +provider: SAMA +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:sama-csf-1.0 + ref_id: SAMA-CSF-1.0 + name: 'SAMA Cyber Security Fundamentals ' + description: 'SAMA Cyber Security Fundamentals ' + min_score: 0 + max_score: 5 + scores_definition: + - score: 0 + name: Non-existent + description: "\u2022 No documentation.\n\u2022 There is no awareness or attention\ + \ for certain cyber security control." + - score: 1 + name: Ad-hoc + description: "\u2022 Cyber security controls is not or partially defined.\n\u2022\ + \ Cyber security controls are performed in an inconsistent way.\n\u2022 The\ + \ way of execution is depending on individuals." + - score: 2 + name: Repeatable but informal + description: The execution of the cyber security control is based on an informal, + unwritten though standard practice. + - score: 3 + name: Structured & formalized + description: "\u2022 Cyber security controls are defined, approved and implemented\ + \ in a structured and formalized way.\n\u2022 The implementation of cyber\ + \ security controls can be demonstrated." + - score: 4 + name: Managed & measurable + description: "\u2022 The effectiveness of the cyber security controls are periodically\ + \ assessed and improved when necessary.\n\u2022 This periodic measurement,\ + \ evaluations and opportunities for improvement are documented." + - score: 5 + name: Adaptive + description: "\u2022 Cyber security controls are subject to a continuous improvement\ + \ plan." 
+ requirement_nodes: + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 + assessable: false + depth: 1 + name: Cyber Security Leadership and Governance + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 + name: 'Cyber Security Governance ' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 + ref_id: 3.1.1-1 + description: A Cyber Security committee should be established and be mandated + by the board. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 + ref_id: 3.1.1-2 + description: The Cyber Security committee should be headed by an independent + senior manager from a control function. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 + ref_id: 3.1.1-3 + description: "The following positions should be represented in the Cyber Security\ + \ committee: a. senior managers from all relevant departments (e.g., COO,\ + \ CIO, compliance officer, heads of relevant business departments);b. Chief\ + \ information security officer (CISO);c. Internal audit may attend as an \u201C\ + observer\"." + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 + ref_id: 3.1.1-4 + description: "A Cyber Security committee charter should be developed, approved,\ + \ and reflect: \na. committee objectives \nb. roles and responsibilities \n\ + c.minimum number of meeting participants. \nd.meeting frequency (minimum on\ + \ a quarterly basis)." 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 + ref_id: 3.1.1-5 + description: A Cyber Security function should be established. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 + ref_id: 3.1.1-6 + description: 'The Cyber Security function should be independent from the information + technology function. To avoid any conflict of interest, the Cyber Security + function and information technology function should have separate reporting + lines, budgets and staff evaluations. + + + ' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 + ref_id: 3.1.1-7 + description: The Cyber Security function should report directly to the CEO/managing + director of the Member Organization or general manager of a control function. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 + ref_id: 3.1.1-8 + description: A full-time senior manager for the Cyber Security function, referred + to as CISO, should be appointed at senior management level. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-9 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 + ref_id: 3.1.1-9 + description: "The Member Organization should :\na. ensure the CISO has a Saudi\ + \ nationality. \nb. ensure the CISO is sufficiently qualified\nc. obtain no\ + \ objection from SAMA to assign the CISO." 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 + ref_id: 3.1.1-10 + description: The board of the Member Organization should allocate sufficient + budget to execute the required Cyber Security activities. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node14 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 + name: Cyber Security Strategy + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.2-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node14 + ref_id: 3.1.2-1 + description: The Cyber Security strategy should be defined, approved, maintained + and executed. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.2-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node14 + ref_id: 3.1.2-2 + description: "The Cyber Security strategy should be aligned with: \na. the Member\ + \ Organization\u2019s overall objectives; \nb. the legal and regulatory compliance\ + \ requirements of the Member Organization. \nc. the Banking Sector\u2019s\ + \ Cyber Security strategy." + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.2-3.a-b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node14 + ref_id: 3.1.2-3.a-b + description: "The Cyber Security strategy should address: \na. the importance\ + \ and benefits of Cyber Security for the Member Organization; \nb. the anticipated\ + \ future state of Cyber Security for the Member Organization to become and\ + \ remain resilient to (emerging) Cyber Security threats;" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.2-3.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node14 + ref_id: 3.1.2-3.c + description: c. which and when Cyber Security initiatives and projects should + be executed to achieve the anticipated future state. 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node19 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 + name: 'Cyber Security Policy ' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.3-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node19 + ref_id: 3.1.3-1 + description: The Cyber Security policy should be defined, approved and communicated. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.3-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node19 + ref_id: 3.1.3-2 + description: The Cyber Security policy should be reviewed periodically according + to a predefined and structured review process. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.3-3.a-c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node19 + ref_id: 3.1.3-3.a-c + description: "The Cyber Security policy should be: \na. considered as input\ + \ for other corporate policies of the Member Organization (e.g., HR policy,\ + \ finance policy and IT policy);\nb. supported by detailed security standards\ + \ (e.g., password standard, firewall standard) and procedures\nc. based on\ + \ best practices and (inter)national standards;" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.3-3.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node19 + ref_id: 3.1.3-3.d + description: d. communicated to relevant stakeholders. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.3-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node19 + ref_id: 3.1.3-4 + description: "The Cyber Security policy should include: \na. a definition of\ + \ Cyber Security; \nb. the Member Organization\u2019s overall Cyber Security\ + \ objectives and scope. c. a statement of the board\u2019s intent, supporting\ + \ the Cyber Security objectives; \nd. 
a definition of general and specific\ + \ responsibilities for Cyber Security. \ne. the reference to supporting Cyber\ + \ Security standards and procedures; \nf. Cyber Security requirements that\ + \ ensure:\n1. information is classified in a way that indicates its importance\ + \ to the Member Organization;\n2. information is protected in terms of Cyber\ + \ Security requirements, in line with the risk appetite;\n3. owners are appointed\ + \ for all information assets;\n4. Cyber Security risk assessments are conducted\ + \ for information assets;\n5. relevant stakeholders are made aware of Cyber\ + \ Security and their expected behavior (Cyber Security awareness program);\n\ + 6. compliance with regulatory and contractual obligations are being met;\n\ + 7. Cyber Security breaches and suspected Cyber Security weaknesses are reported;\n\ + 8. Cyber Security is reflected in business continuity management." + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 + name: Cyber Security Roles and Responsibilities + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 + ref_id: 3.1.4-1 + description: 'The Board of Directors has the ultimate responsibility for Cyber + Security, including: a. ensuring that sufficient budget for Cyber Security + is allocated. approving the Cyber Security committee charter''s. endorsing + (after being approved by the Cyber Security committee): + + 1. the Cyber Security governance; + + 2. the Cyber Security strategy; + + 3. the Cyber Security policy.' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-2.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 + ref_id: 3.1.4-2.a + description: "The Cyber Security committee should be responsible for: \na. 
monitoring,\ + \ reviewing and communicating the Member Organization\u2019s Cyber Security\ + \ risk appetite periodically or upon a material change in the risk appetite;" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-2.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 + ref_id: 3.1.4-2.b + description: b. reviewing the Cyber Security strategy to ensure that it supports + the Member Organization objectives; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-2.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 + ref_id: 3.1.4-2.c + description: 'c. approving, communicating, supporting and monitoring: + + 1. the Cyber Security governance; + + 2. the Cyber Security strategy; + + 3. the Cyber Security policy; + + 4. Cyber Security programs (e.g., awareness program, data classification program, + data privacy, data leakage prevention, key Cyber Security improvements); + + 5. Cyber Security risk management process; + + 6. the key risk indicators (KRIs) and key performance indicators (KPIs) for + Cyber Security.' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-3.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 + ref_id: 3.1.4-3.a + description: "The senior management should be responsible for: \na. ensuring\ + \ that standards, processes and procedures reflect security requirements (if\ + \ applicable);" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-3.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 + ref_id: 3.1.4-3.b + description: b. ensuring that individuals accept and comply with the Cyber Security + policy, supporting standards and procedures when they are issued and updated; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-3.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 + ref_id: 3.1.4-3.c + description: c. 
ensuring that Cyber Security responsibilities are incorporated + in the job descriptions of key positions and Cyber Security staff. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-4.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 + ref_id: 3.1.4-4.a + description: "The CISO should be responsible for: \na. developing and maintaining:\n\ + 1. Cyber Security strategy;\n2. Cyber Security policy;\n3. Cyber Security\ + \ architecture;\n4. Cyber Security risk management process." + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-4.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 + ref_id: 3.1.4-4.b + description: b. ensuring that detailed security standards and procedures are + established, approved and implemented; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-4.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 + ref_id: 3.1.4-4.c + description: c. delivering risk-based Cyber Security solutions that address + people, process and technology; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-4.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 + ref_id: 3.1.4-4.d + description: d. developing the Cyber Security staff to deliver Cyber Security + solutions in a business context; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-4.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 + ref_id: 3.1.4-4.e + description: 'e. Cyber Security activities across the Member Organization, including: + + 1. monitoring of the Cyber Security activities (SOC monitoring); + + 2. monitoring of compliance with Cyber Security regulations, policies, standards + and procedures; + + 3. overseeing the investigation of Cyber Security incidents; + + 4. gathering and analyzing threat intelligence from internal and external + sources; + + 5. 
performing Cyber Security reviews;' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-4.f + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 + ref_id: 3.1.4-4.f + description: "f. conducting Cyber Security risk assessments on the Members Organization\u2019\ + s information assets;" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-4.g + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 + ref_id: 3.1.4-4.g + description: 'g. proactively supporting other functions on Cyber Security, including: + + 1. performing information and system classifications; + + 2. determining Cyber Security requirements for important projects; + + 3. performing Cyber Security reviews.' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-4.h + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 + ref_id: 3.1.4-4.h + description: h. defining and conducting the Cyber Security awareness programs; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-4.i + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 + ref_id: 3.1.4-4.i + description: 'i. measuring and reporting the KRIs and KPIs on: + + 1. Cyber Security strategy; + + 2. Cyber Security policy compliance; + + 3. Cyber Security standards and procedures; + + 4. Cyber Security programs (e.g., awareness program, data classification program, + key Cyber Security improvements).' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 + ref_id: 3.1.4-5 + description: "The internal audit function should be responsible for: \na. performing\ + \ Cyber Security audits." 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 + ref_id: 3.1.4-6 + description: "All Member Organization\u2019s staff should be responsible for:\ + \ \na. complying with Cyber Security policy, standards and procedures." + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node44 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 + name: Cyber Security in Project Management + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.5-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node44 + ref_id: 3.1.5-1 + description: Cyber Security should be integrated into the Member Organization's + project management methodology to ensure that Cyber Security risks are identified + and addressed as part of a project. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.5-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node44 + ref_id: 3.1.5-2 + description: "The Member Organization\u2019s project management methodology\ + \ should ensure that:\n a. Cyber Security objectives are included in project\ + \ objectives. \nb. the Cyber Security function is part of all phases of the\ + \ project. \nc. a risk assessment is performed at the start of the project\ + \ to determine the Cyber Security risks and to ensure that Cyber Security\ + \ requirements are addressed either by the existing Cyber Security controls\ + \ (based on Cyber Security standards) or to be developed. \nd. Cyber Security\ + \ risks are registered in the project-risk register and tracked. \ne. responsibilities\ + \ for Cyber Security are defined and allocated; \nf. a Cyber Security review\ + \ is performed by an independent internal or external party." 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node47 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 + name: Cyber Security Awareness + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.6-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node47 + ref_id: 3.1.6-1 + description: The Cyber Security awareness programs should be defined, approved + and conducted to promote Cyber Security awareness and to create a positive + Cyber Security culture. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.6-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node47 + ref_id: 3.1.6-2 + description: 'A Cyber Security awareness program should be defined and conducted + for: a. staff of the Member Organization. third parties of the Member Organization. + customers of the Member Organization.' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.6-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node47 + ref_id: 3.1.6-3 + description: The Cyber Security awareness program should target Cyber Security + behaviors by tailoring the program to address the different target groups + through multiple channels. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.6-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node47 + ref_id: 3.1.6-4 + description: The activities of the Cyber Security awareness program should be + conducted periodically and throughout the year. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.6-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node47 + ref_id: 3.1.6-5 + description: 'The Cyber Security awareness program should at a minimum include: + a. an explanation of Cyber Security measures provided. the roles and responsibilities + regarding Cyber Security. 
information on relevant emerging Cyber Security + events and cyber threats (e.g., spear-phishing, whaling).' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.6-6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node47 + ref_id: 3.1.6-6 + description: 'The Cyber Security awareness program should be evaluated to: a. + measure the effectiveness of the awareness activities. formulate recommendations + to improve the Cyber Security awareness program.' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.6-7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node47 + ref_id: 3.1.6-7 + description: Customer awareness should address for both retail and commercial + customers and, at a minimum, include a listing of suggested Cyber Security + mechanisms which customers may consider implementing to mitigate their own + risk(s). + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node55 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 + name: Cyber Security Training + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.7.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node55 + ref_id: 3.1.7.1 + description: "Specialist or security-related skills training should be provided\ + \ to staff in the Member Organization\u2019s relevant functional area categories\ + \ in line with their job descriptions, including: a. key roles within organization.\ + \ staff of the Cyber Security function. staff involved in developing and (technically)\ + \ maintaining information assets. staff involved in risk assessments." 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.7.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node55 + ref_id: 3.1.7.2 + description: "Education should be provided in order to equip staff with the\ + \ skills and required knowledge to securely operate the Member Organization\u2019\ + s information assets." + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 + assessable: false + depth: 1 + name: Cyber Security Risk Management & Compliance + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 + name: Cyber Security Risk Management + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 + ref_id: 3.2.1-1 + description: The Cyber Security risk management process should be defined, approved + and implemented. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 + ref_id: 3.2.1-2 + description: The Cyber Security risk management process should focus on safeguarding + the confidentiality, integrity and availability of information assets. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 + ref_id: 3.2.1-3 + description: The Cyber Security risk management process should be aligned with + the existing enterprise risk management process + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-4.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 + ref_id: 3.2.1-4.a + description: 'The Cyber Security risk management process should be documented + and address: + + a. 
risk identification;' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-4.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 + ref_id: 3.2.1-4.b + description: b. risk analysis; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-4.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 + ref_id: 3.2.1-4.c + description: c. risk response; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-4.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 + ref_id: 3.2.1-4.d + description: d. risk monitoring & review + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 + ref_id: 3.2.1-5 + description: "The Cyber Security risk management process should address the\ + \ Member Organization\u2019s information assets, including (but not limited\ + \ to):\na. business processes;\nb. business applications;\nc. infrastructure\ + \ components" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-6.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 + ref_id: 3.2.1-6.a + description: 'The Cyber Security risk management process should be initiated: + + a. at an early stage of the project;' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-6.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 + ref_id: 3.2.1-6.b + description: b. prior to critical change; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-6.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 + ref_id: 3.2.1-6.c + description: c. when outsourcing is being considered; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-6.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 + ref_id: 3.2.1-6.d + description: d. 
when launching new products and technologies. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 + ref_id: 3.2.1-7 + description: Existing information assets should be periodically subject to Cyber + Security risk assessment based on their classification or risk profile. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 + ref_id: 3.2.1-8 + description: 'The Cyber Security risk management activities should involve: + a. business owners. IT specialists. Cyber Security specialists. key user representatives.' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-9 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 + ref_id: 3.2.1-9 + description: The result of the risk assessment should be reported to the relevant + business owner (i.e., risk owner) within the Member Organization; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 + ref_id: 3.2.1-10 + description: The relevant business owner (i.e., risk owner) within the Member + Organization should accept and endorse the risk assessment results. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-11 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 + ref_id: 3.2.1-11 + description: "The Member Organization\u2019s Cyber Security risk appetite and\ + \ risk tolerance should be clearly defined and formally approved." 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node77 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 + name: Cyber Security Risk Identification + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.1-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node77 + ref_id: 3.2.1.1-1 + description: Cyber Security risk identification should be performed. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.1-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node77 + ref_id: 3.2.1.1-2 + description: Identified Cyber Security risks should be documented (in a central + register). + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.1-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node77 + ref_id: 3.2.1.1-3 + description: Cyber Security risk identification should address relevant information + assets, threats, vulnerabilities and the key existing Cyber Security controls. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node81 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 + name: Cyber Security Risk Analysis + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.2-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node81 + ref_id: 3.2.1.2-1 + description: A Cyber Security risk analysis should be performed. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.2-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node81 + ref_id: 3.2.1.2-2 + description: The Cyber Security risk analysis should address the level of potential + business impact and likelihood of Cyber Security threat events materializing. 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node84 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 + name: Cyber Security Risk Response + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.3-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node84 + ref_id: 3.2.1.3-1 + description: "The relevant determined Cyber Security risks should be treated\ + \ according to the Member Organization\u2019s risk appetite and Cyber Security\ + \ requirements." + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.3-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node84 + ref_id: 3.2.1.3-2 + description: Cyber Security risk response should ensure that the list of risk + treatment options are documented (i.e., accepting, avoiding, transferring + or mitigating risks by applying Cyber Security controls). + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.3-3.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node84 + ref_id: 3.2.1.3-3.a + description: "Accepting Cyber Security risks should include: \na. the consideration\ + \ of predefined limits for levels of Cyber Security risk;" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.3-3.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node84 + ref_id: 3.2.1.3-3.b + description: 'b. the approval and sign-off by the business owner, ensuring that: + + 1. the accepted Cyber Security risk is within the risk appetite and is reported + to the Cyber Security committee; + + 2. the accepted Cyber Security risk does not contradict SAMA regulations.' 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.3-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node84 + ref_id: 3.2.1.3-4 + description: Avoiding Cyber Security risks should involve a decision by a business + owner to cancel or postpone a particular activity or project that introduces + an unacceptable Cyber Security risk. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.3-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node84 + ref_id: 3.2.1.3-5 + description: 'Transferring or sharing the Cyber Security risks should: + + a. involve sharing the Cyber Security risks with relevant (internal or external) + providers; + + b. be accepted by the receiving (internal or external) provider(s); + + c. eventually lead to the actual transferring or sharing of the Cyber Security + risk.' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.3-6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node84 + ref_id: 3.2.1.3-6 + description: "Applying Cyber Security controls to mitigate Cyber Security risks\ + \ should include \na. identifying appropriate Cyber Security controls. \n\ + b.evaluating the strengths and weaknesses of the Cyber Security controls;\n\ + 1. assessing the cost of implementing the Cyber Security controls;\n2. assessing\ + \ the feasibility of implementing the Cyber Security controls;\n3. Review\ + \ relevant compliance requirements for the Cyber Security controls. \nc. selecting\ + \ Cyber Security controls. \nd. identifying, documenting, and obtaining sign-off\ + \ for any residual risk by the business owner." + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.3-7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node84 + ref_id: 3.2.1.3-7 + description: Cyber Security risk treatment actions should be documented in a + risk treatment plan. 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node93 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 + name: Cyber Risk Monitoring and Review + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.4-1.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node93 + ref_id: 3.2.1.4-1.a + description: 'The Cyber Security treatment should be monitored, including: + + a. tracking progress in accordance to treatment plan. + + ' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.4-1.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node93 + ref_id: 3.2.1.4-1.b + description: b. the selected and agreed Cyber Security controls are being implemented. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.4-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node93 + ref_id: 3.2.1.4-2 + description: The design and effectiveness of the revised or newly implemented + Cyber Security controls should be reviewed. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node97 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 + name: Regulatory Compliance + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.2-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node97 + ref_id: 3.2.2-1 + description: 'A process should be established for ensuring compliance with relevant + regulatory requirements affecting Cyber Security across the Member Organization. + The process of ensuring compliance should: + + a. be performed periodically or when new regulatory requirements become effective; + + b. involve representatives from key areas of the Member Organization; + + c. result in the update of Cyber Security policy, standards and procedures + to accommodate any necessary changes (if applicable).' 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node99 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 + name: Compliance with (inter)national industry standards + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.3-1.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node99 + ref_id: 3.2.3-1.a + description: 'The Member Organization should comply with: + + a. Payment Card Industry Data Security Standard (PCI-DSS);' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.3-1.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node99 + ref_id: 3.2.3-1.b + description: b. EMV (Europay, MasterCard and Visa) technical standard; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.3-1.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node99 + ref_id: 3.2.3-1.c + description: "c. SWIFT Customer Security Controls Framework \u2013 March 2017." + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node103 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 + name: Cyber Security Review + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.4-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node103 + ref_id: 3.2.4-1 + description: Cyber Security reviews should be periodically performed for critical + information assets. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.4-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node103 + ref_id: 3.2.4-2 + description: Customer and internet-facing services should be subject to annual + review and penetration tests. 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.4-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node103 + ref_id: 3.2.4-3 + description: Details of Cyber Security review performed should be recorded, + including the results of review, issues identified and recommended actions. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.4-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node103 + ref_id: 3.2.4-4 + description: The results of Cyber Security review should be reported to business + owner. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.4-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node103 + ref_id: 3.2.4-5 + description: 'Cyber Security review should be subject to follow-up reviews to + check that: + + a. all identified issues have been addressed; + + b. critical risks have been treated effectively; + + c. all agreed actions are being managed on an ongoing basis.' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node109 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 + name: Cyber Security Audits + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.5-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node109 + ref_id: 3.2.5-1 + description: Cyber Security audits should be performed independently and according + to generally accepted auditing standards and SAMA Cyber Security framework. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.5-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node109 + ref_id: 3.2.5-2 + description: "Cyber Security audits should be performed according to the Member\ + \ Organization\u2019s audit manual and audit plan." 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 + assessable: false + depth: 1 + name: Operation & Technology + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node113 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 + name: Human Resources + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.1-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node113 + ref_id: 3.3.1-1 + description: The human resources process should define, approve and implement + Cyber Security requirements. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.1-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node113 + ref_id: 3.3.1-2 + description: The effectiveness of the human resources process should be monitored, + measured and periodically evaluated. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.1-3.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node113 + ref_id: 3.3.1-3.a + description: "The human resource process should include: \na. Cyber Security\ + \ responsibilities and non-disclosure clauses within staff agreements (during\ + \ and after the employment);" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.1-3.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node113 + ref_id: 3.3.1-3.b + description: b. staff should receive Cyber Security awareness at the start and + during their employment; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.1-3.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node113 + ref_id: 3.3.1-3.c + description: c. when disciplinary actions will be applicable; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.1-3.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node113 + ref_id: 3.3.1-3.d + description: d. 
screening and background check; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.1-3.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node113 + ref_id: 3.3.1-3.e + description: 'e. post-employment Cyber Security activities, such as: + + 1. revoking access rights; + + 2. returning information assets assigned (e.g., access badge, tokens, mobile + devices, all electronic and physical information).' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node121 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 + name: Physical Security + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.2-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node121 + ref_id: 3.3.2-1 + description: The physical security process should be defined, approved and implemented. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.2-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node121 + ref_id: 3.3.2-2 + description: The effectiveness of the physical security process should be monitored, + measured and periodically evaluated. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.2-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node121 + ref_id: 3.3.2-3 + description: "The physical security process should include (but not limited\ + \ to): \na. physical entry controls (including visitor security); \nb. monitoring\ + \ and surveillance (e.g., CCTV, ATMs GPS tracking, sensitivity sensors); \n\ + c. protection of data centers and data rooms; \nd. environmental protection;\ + \ \ne. protection of information assets during lifecycle (including transport\ + \ and secure disposal, avoiding unauthorized access and (un)intended data\ + \ leakage." 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node125 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 + name: Asset Management + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.3-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node125 + ref_id: 3.3.3-1 + description: The asset management process should be defined, approved and implemented. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.3-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node125 + ref_id: 3.3.3-2 + description: The effectiveness of the asset management process should be monitored, + measured and periodically evaluated. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.3-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node125 + ref_id: 3.3.3-3 + description: "The asset management process should include: \na. a unified register;\ + \ \nb. ownership and custodianship of information assets; \nc. the reference\ + \ to relevant other processes, depending on asset management; \nd. information\ + \ asset classification, labeling and handling; \ne. the discovery of new information\ + \ assets." + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node129 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 + name: Cyber Security Architecture + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.4-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node129 + ref_id: 3.3.4-1 + description: The Cyber Security architecture should be defined, approved and + implemented. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.4-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node129 + ref_id: 3.3.4-2 + description: The compliance with the Cyber Security architecture should be monitored. 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.4-3.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node129 + ref_id: 3.3.4-3.a + description: "The Cyber Security architecture should include: \na. A strategic\ + \ outline of Cyber Security capabilities and controls based on the business\ + \ requirements;" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.4-3.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node129 + ref_id: 3.3.4-3.b + description: b. approval of the defined Cyber Security architecture; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.4-3.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node129 + ref_id: 3.3.4-3.c + description: c. the requirement of having qualified Cyber Security architects; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.4-3.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node129 + ref_id: 3.3.4-3.d + description: d. design principles for developing Cyber Security controls and + applying Cyber Security requirements (i.e., the security-by-design principle); + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.4-3.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node129 + ref_id: 3.3.4-3.e + description: e. periodic review of the Cyber Security architecture. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 + name: Identity and Access Management + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.5-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 + ref_id: 3.3.5-1 + description: The identity and access management policy, including the responsibilities + and accountabilities, should be defined, approved and implemented. 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.5-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 + ref_id: 3.3.5-2 + description: The compliance with the identity and access policy should be monitored. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.5-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 + ref_id: 3.3.5-3 + description: The effectiveness of the Cyber Security controls within the identity + and access management policy should be measured and periodically evaluated. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.5-4.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 + ref_id: 3.3.5-4.a + description: "The identity and access management policy should include: \na.\ + \ business requirements for access control (i.e., ned-to-have and ned-to-know);" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.5-4.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 + ref_id: 3.3.5-4.b + description: 'b. user access management (e.g., joiners, movers, leavers): + + 1. all identified user types should be covered (i.e., internal staff, third + parties); + + 2. changes of job status or job positions for internal staff (e.g. joiner, + mover and leaver) should be instigated by the human resources department; + + 3. changes for external staff or third parties should be instigated by the + appointed accountable party; + + 4. user access requests are formally approved in accordance with business + and compliance requirements (i.e., ned-to-have and ned-to-know to avoid unauthorized + access and (un)intended data leakage)); + + 5. changes in access rights should be processed in a timely manner; + + 6. periodically user access rights and profiles should be reviewed; + + 7. 
an audit trail of submitted, approved and processed user access requests + and revocation requests should be established;' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.5-4.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 + ref_id: 3.3.5-4.c + description: c. user access management should be supported by automation; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.5-4.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 + ref_id: 3.3.5-4.d + description: d. centralization of the identity and access management function; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.5-4.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 + ref_id: 3.3.5-4.e + description: e. multi-factor authentication for sensitive and critical systems + and profiles; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.5-4.f + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 + ref_id: 3.3.5-4.f + description: "f. privileged and remote access management, which should address:\n\ + 1. the allocation and restricted use of privileged and remote access, specifying:\n\ + \ a. multi-factor authentication should be used for all remote access;\n b.\ + \ multi-factor authentication should be used for privilege access on critical\ + \ systems based on a risk assessment;\n2. the periodic review of users with\ + \ privileged and remote accounts;\n3. individual accountability;\n4. the use\ + \ of non-personal privileged accounts, including:\na. limitation and monitoring;\n\ + b. confidentiality of passwords;\nc. changing passwords frequently and at\ + \ the end of each session." 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 + name: Application Security + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 + ref_id: 3.3.6-1 + description: The application Cyber Security standards should be defined, approved + and implemented. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 + ref_id: 3.3.6-2 + description: The compliance with the application security standards should be + monitored. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 + ref_id: 3.3.6-3 + description: The effectiveness of the application Cyber Security controls should + be measured and periodically evaluated. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 + ref_id: 3.3.6-4 + description: Application development should follow the approved secure system + development life cycle methodology (SDLC). + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-5.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 + ref_id: 3.3.6-5.a + description: "The application security standard should include: \na. secure\ + \ coding standards;" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-5.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 + ref_id: 3.3.6-5.b + description: b. 
the Cyber Security controls implemented (e.g., configuration + parameters, events to monitor and retain [including system access and data], + identity and access management); + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-5.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 + ref_id: 3.3.6-5.c + description: c. the segregation of duties within the application (supported + with a documented authorization matrix); + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-5.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 + ref_id: 3.3.6-5.d + description: d. the protection of data aligned with the (agreed) classification + scheme (including privacy of customer data and, avoiding unauthorized access + and (un)intended data leakage); + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-5.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 + ref_id: 3.3.6-5.e + description: e. vulnerability and patch management; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-5.f + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 + ref_id: 3.3.6-5.f + description: f. back-up and recovery procedures; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-5.g + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 + ref_id: 3.3.6-5.g + description: g. periodic Cyber Security compliance review. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 + name: Change Management + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 + ref_id: 3.3.7-1 + description: The change management process should be defined, approved and implemented. 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 + ref_id: 3.3.7-2 + description: The compliance with the change management process should be monitored. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 + ref_id: 3.3.7-3 + description: The effectiveness of the Cyber Security controls within the change + management process should be measured and periodically evaluated. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-4.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 + ref_id: 3.3.7-4.a + description: "The change management process should include: \na. Cyber Security\ + \ requirements for controlling changes to information assets, such as assessing\ + \ the impact of requested changes, classification of changes and the review\ + \ of changes;" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-4.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 + ref_id: 3.3.7-4.b + description: 'b. security testing, which should (if applicable) include: + + 1. penetration testing; + + 2. code review if applications are developed internally; + + 3. code review of externally developed applications and if the source code + is available + + 4. a code review report (or equivalent, such as an independent assurance statement) + in case the source code cannot be provided;' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-4.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 + ref_id: 3.3.7-4.c + description: c. approval of changes by the business owner; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-4.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 + ref_id: 3.3.7-4.d + description: d. 
approval from the Cyber Security function before submitting + to Change Advisory Board (CAB); + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-4.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 + ref_id: 3.3.7-4.e + description: e. approval by CAB; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-4.f + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 + ref_id: 3.3.7-4.f + description: f. post-implementation review of the related Cyber Security controls; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-4.g + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 + ref_id: 3.3.7-4.g + description: g. development, testing and implementation are segregated for both + the (technical) environment and involved individuals; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-4.h + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 + ref_id: 3.3.7-4.h + description: h. the procedure for emergency changes and fixes; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-4.i + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 + ref_id: 3.3.7-4.i + description: i. fall-back and roll-back procedures. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 + name: Infrastructure Security + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 + ref_id: 3.3.8-1 + description: ' The infrastructure security standards should be defined, approved + and implemented.' 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 + ref_id: 3.3.8-2 + description: The compliance with the infrastructure security standards should + be monitored. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 + ref_id: 3.3.8-3 + description: The effectiveness of the infrastructure Cyber Security controls + should be measured and periodically evaluated. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 + ref_id: 3.3.8-4 + description: 'The infrastructure security standards should cover all instances + of infrastructure available in the main datacenter(s), the disaster recovery + data site(s) and office spaces. + + + The infrastructure security standards should cover all instances of infrastructure + (e.g., operating systems, servers, virtual machines, firewalls, network devices, + IDS, IPS, wireless network, gateway servers, proxy servers, email gateways, + external connections, databases, file-shares, workstations, laptops, tablets, + mobile devices, PBX).' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 + ref_id: 3.3.8-5.a + description: "The infrastructure security standard should include: \na. the\ + \ Cyber Security controls implemented (e.g., configuration parameters, events\ + \ to monitor and retain [including system access and data], data-leakage prevention\ + \ [DLP], identity and access management, remote maintenance);" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 + ref_id: 3.3.8-5.b + description: b. 
the segregation of duties within the infrastructure component + (supported with a documented authorization matrix); + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 + ref_id: 3.3.8-5.c + description: c. the protection of data aligned with the (agreed) classification + scheme (including privacy of customer data and, avoiding unauthorized access + and (un)intended data leakage); + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 + ref_id: 3.3.8-5.d + description: d. the use of approved software and secure protocols; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 + ref_id: 3.3.8-5.e + description: e. segmentation of networks; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.f + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 + ref_id: 3.3.8-5.f + description: f. malicious code/software and virus protection (and applying application + whitelisting and APT protection); + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.g + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 + ref_id: 3.3.8-5.g + description: g. vulnerability and patch management; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.h + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 + ref_id: 3.3.8-5.h + description: "h. DDOS protection (where applicable); this should include:\n\ + \ 1. the use of scrubbing services;\n 2. specification of the bandwidth agreed;\n\ + \ 3. 24x7 monitoring by Security Operating Center (SOC), Service Provider\ + \ (SP) and scrubbing provider;\n 4. testing of DDOS scrubbing (minimum twice\ + \ a year);\n 5. 
DDOS services should be implemented for the main datacenter(s)\ + \ as well as the disaster recovery site(s);" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.i + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 + ref_id: 3.3.8-5.i + description: i. back-up and recovery procedures; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.j + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 + ref_id: 3.3.8-5.j + description: j. periodic Cyber Security compliance review. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node187 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 + name: Cryptography + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.9-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node187 + ref_id: 3.3.9-1 + description: A cryptographic security standard should be defined, approved and + implemented. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.9-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node187 + ref_id: 3.3.9-2 + description: The compliance with the cryptographic security standard should + be monitored. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.9-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node187 + ref_id: 3.3.9-3 + description: The effectiveness of the cryptographic security controls should + be measured and periodically evaluated. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.9-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node187 + ref_id: 3.3.9-4 + description: 'The cryptographic security standard should include: + + a. an overview of the approved cryptographic solutions and relevant restrictions + (e.g., technically, legally); + + b. the circumstances when the approved cryptographic solutions should be applied; + + c. 
the management of encryption keys, including lifecycle management, archiving + and recovery.' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node192 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 + name: Bring Your Own Device (BYOD) + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.10-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node192 + ref_id: 3.3.10-1 + description: The BYOD Cyber Security standard should be defined, approved and + implemented. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.10-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node192 + ref_id: 3.3.10-2 + description: The compliance with the BYOD Cyber Security standard should be + monitored. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.10-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node192 + ref_id: 3.3.10-3 + description: The effectiveness of the BYOD Cyber Security controls should be + measured and periodically evaluated. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.10-4.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node192 + ref_id: 3.3.10-4.a + description: 'The BYOD standard should include: a. responsibilities of the user + (including awareness training);' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.10-4.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node192 + ref_id: 3.3.10-4.b + description: b. 
information regarding the restrictions and consequences for + staff when the Member Organization implements Cyber Security controls on their + personal devices; for example when using modified devices (jailbreaking), + terminating the employment or in case of loss or theft of the personal device; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.10-4.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node192 + ref_id: 3.3.10-4.c + description: c. the isolation of business information from personal information + (e.g., containerization); + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.10-4.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node192 + ref_id: 3.3.10-4.d + description: "d. the regulation of corporate mobile applications or approved\ + \ \u201Cpublic\u201D mobile applications;" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.10-4.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node192 + ref_id: 3.3.10-4.e + description: e. the use of mobile device management (MDM); applying access controls + to the device and business container and encryption mechanisms on the personal + device (to ensure secure transmission and storage). + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node201 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 + name: Secure Disposal of Information Assets + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.11-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node201 + ref_id: 3.3.11-1 + description: The secure disposal standard and procedure should be defined, approved + and implemented. 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.11-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node201 + ref_id: 3.3.11-2 + description: The compliance with the secure disposal standard and procedure + should be monitored. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.11-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node201 + ref_id: 3.3.11-3 + description: The effectiveness of the secure disposal Cyber Security controls + should be measured and periodically evaluated. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.11-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node201 + ref_id: 3.3.11-4 + description: Information assets should be disposed in accordance with legal + and regulatory requirements, when no longer required (i.e. meting data privacy + regulations to avoid unauthorized access and avoid (un)intended data leakage). + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.11-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node201 + ref_id: 3.3.11-5 + description: Sensitive information should be destroyed using techniques to make + the information non-retrievable (e.g., secure erase, secure wiping, incineration, + double crosscut, shredding). + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.11-6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node201 + ref_id: 3.3.11-6 + description: The Member Organization should ensure that third party service + providers used for secure disposal, transport and storage comply with the + secure disposal standard and procedure and the effectiveness is periodically + measured and evaluated. 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node208 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 + name: Payment Systems + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.12-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node208 + ref_id: 3.3.12-1 + description: For Saudi Arabian Riyal Interbank Express (SARIE) information, + please refer to the SARIE Information Security Policy, Version Issue 1.0 - + June 2016. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.12-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node208 + ref_id: 3.3.12-2 + description: "For mada information, please refer to the following sections in\ + \ the mada Rules and Standards Technical Book (se appendix A):\n \u2022 Part\ + \ IIIa - Security Framework, Version Issue 6.0.0 - May 2016\n \u2022 Part\ + \ IIIb - HSM Requirements, Version Issue 6.0.0 - May 2016\n \u2022 SAMA CA\ + \ IPK Certificate Procedures, Version Issue 6.0.1 \u2013 October 2016\n" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node211 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 + name: Electronic Banking Services + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.13-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node211 + ref_id: 3.3.13-1 + description: The Cyber Security standards for electronic banking services should + be defined, approved and implemented. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.13-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node211 + ref_id: 3.3.13-2 + description: The compliance with Cyber Security standards for electronic banking + services should be monitored. 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.13-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node211 + ref_id: 3.3.13-3 + description: The effectiveness of the Cyber Security standard for electronic + banking services should be measured and periodically evaluated. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.13-4.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node211 + ref_id: 3.3.13-4.a + description: 'Electronic banking services security standard should cover: a. + use of brand protection measures to protect online services including social + media.' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.13-4.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node211 + ref_id: 3.3.13-4.b + description: "b. online, mobile and phone banking:\n 1. use of official application\ + \ stores and websites (applicable for online and mobile banking);\n 2. use\ + \ of detection measures and take-down of malicious apps and websites (applicable\ + \ for online and mobile banking);\n 3. use of sandboxing (applicable for online\ + \ and mobile banking);\n 4. use of non-caching techniques (applicable for\ + \ online and mobile banking);\n 5. use of communication techniques to avoid\ + \ \u2018man-in-the-middle\u2019-attacks (applicable for online and mobile\ + \ banking);\n6. use of multi-factor authentication mechanisms:\n a. multi-factor\ + \ authentication should be used during the registration process for the customer\ + \ in order to use of electronic banking services;\n b. multi-factor authentication\ + \ should be implemented for all electronic banking services available to customers;\n\ + \ c. the use of hard and soft tokens should be password protected;\n d. revoking\ + \ the access of customers after 3 successive incorrect passwords or invalid\ + \ PINs;\n e. 
the process for changing the customer mobile number should only\ + \ be done from either a branch or ATM;\n f. the processes for requesting and\ + \ activating of the multi-factor authentication should be done through different\ + \ delivery channels;\n g. multi-factor authentication should be implemented\ + \ for the following processes:\n 1. sign-on;\n 2. adding or modifying beneficiaries;\n\ + \ 3. adding utility and government payment services;\n 4. high-risk transactions\ + \ (when it exceeds predefined limits);\n 5. password reset;\n7. the processes\ + \ for adding and activating beneficiaries should be done through different\ + \ delivery channels (applicable for mobile and online banking);\n 8. high\ + \ availability of the electronic banking services should be ensured;\n 9.\ + \ scheduled downtime of the electronic banking services should be timely communicated\ + \ to SAMA and customers;\n 10. contractual agreements between the Member Organization\ + \ and the customer addressing the roles, responsibilities and liabilities\ + \ for both the Member Organization and the customers;\n11. obtaining approval\ + \ of SAMA before launching a new electronic banking service." + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.13-4.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node211 + ref_id: 3.3.13-4.c + description: "c. ATMs and POSs:\n 1. prevention and detection of exploiting\ + \ the ATM/POS application and infrastructure vulnerabilities (e.g., cables,\ + \ (USB)-ports, rebooting);\n 2. 
Cyber Security measures, such as hardening\ + \ of operating systems, malware protection, privacy screens, masking of passwords\ + \ or account numbers (e.g., scren and receipt), geo-blocking (e.g., disable\ + \ cards per default for outside GCC countries, disable magnetic strip transactions),\ + \ video monitoring (CCTV), revoking cards after 3 successive invalid PINs,\ + \ anti-skimming solutions (hardware/software), and PIN-pad protection;\n 3.\ + \ remote stopping of ATMs in case of malicious activities." + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.13-4.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node211 + ref_id: 3.3.13-4.d + description: "d. SMS instant notification services:\n 1. SMS messages should\ + \ not contain sensitive data (e.g., account balance - except for credit cards);\n\ + \ 2. SMS alert should be sent to both mobile numbers (old and new) when the\ + \ customer\u2019s mobile number has ben changed;\n 3. SMS notification should\ + \ be sent to the customer\u2019s mobile number when requesting a new multi-factor\ + \ authentication mechanism.\n 4. SMS notification should be sent to the customer\u2019\ + s mobile number for all retail and personal financial transactions.\n 5. SMS\ + \ notification should be sent to the customer\u2019s mobile number when beneficiaries\ + \ are added, modified and activated." + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 + name: Cyber Security Event Management + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 + ref_id: 3.3.14-1 + description: The security event management process should be defined, approved + and implemented. 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 + ref_id: 3.3.14-2 + description: The effectiveness of the Cyber Security controls within the security + event management process should be measured and periodically evaluated. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 + ref_id: 3.3.14-3 + description: To support this process a security event monitoring standard should + be defined, approved and implemented. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-3.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 + ref_id: 3.3.14-3.a + description: a. the standard should address for all information assets the mandatory + events which should be monitored, based on the classification or risk profile + of the information asset. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 + ref_id: 3.3.14-4.a + description: 'The security event management process should include requirements + for: + + a. the establishment of a designated team responsible for security monitoring + (i.e., Security Operations Center (SOC));' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 + ref_id: 3.3.14-4.b + description: b. skilled and (continuously) trained staff; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 + ref_id: 3.3.14-4.c + description: c. 
a restricted area to facilitate SOC activities and workspaces; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 + ref_id: 3.3.14-4.d + description: d. resources required continuous security event monitoring activities + (24x7); + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 + ref_id: 3.3.14-4.e + description: e. detection and handling of malicious code and software; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.f + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 + ref_id: 3.3.14-4.f + description: f. detection and handling of security or suspicious events and + anomalies; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.g + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 + ref_id: 3.3.14-4.g + description: g. deployment of security network packet analysis solution; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.h + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 + ref_id: 3.3.14-4.h + description: h. adequately protected logs; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.i + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 + ref_id: 3.3.14-4.i + description: i. periodic compliance monitoring of applications and infrastructure + Cyber Security standards + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.j + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 + ref_id: 3.3.14-4.j + description: j. 
automated and centralized analysis of security loggings and + correlation of event or patterns (i.e., Security Information and Event Management + (SIEM)); + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.k + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 + ref_id: 3.3.14-4.k + description: k. reporting of Cyber Security incidents; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.l + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 + ref_id: 3.3.14-4.l + description: l. independent periodic testing of the effectiveness of the security + operations center (e.g., red-teaming). + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 + name: Cyber Security Incident Management + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 + ref_id: 3.3.15-1 + description: The Cyber Security incident management process should be defined, + approved, implemented and aligned with the enterprise incident management + process. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 + ref_id: 3.3.15-2 + description: The effectiveness of the Cyber Security controls within the Cyber + Security incident management process should be measured and periodically evaluated. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 + ref_id: 3.3.15-3 + description: The standard should address the mandatory and suspicious security + events which should be responded to. 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 + ref_id: 3.3.15-4 + description: 'The security incident management process should include requirements + for:' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 + ref_id: 3.3.15-4.a + description: a. the establishment of a designated team responsible for security + incident management; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 + ref_id: 3.3.15-4.b + description: b. skilled and (continuously) trained staff; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 + ref_id: 3.3.15-4.c + description: c. sufficient capacity available of certified forensic staff for + handling major incidents (e.g., internal staff or contracting an external + forensic team); + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 + ref_id: 3.3.15-4.d + description: d. a restricted area to facilitate the computer emergency response + team (CERT) workspaces; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 + ref_id: 3.3.15-4.e + description: e. the classification of Cyber Security incidents; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.f + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 + ref_id: 3.3.15-4.f + description: f. 
the timely handling of Cyber Security incidents, recording and + monitoring progress; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.g + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 + ref_id: 3.3.15-4.g + description: g. the protection of relevant evidence and loggings; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.h + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 + ref_id: 3.3.15-4.h + description: h. post-incident activities, such as forensics, root-cause analysis + of the incidents; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.i + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 + ref_id: 3.3.15-4.i + description: i. reporting of suggested improvements to the CISO and the Committe; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.j + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 + ref_id: 3.3.15-4.j + description: j. establish a Cyber Security incident repository. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 + ref_id: 3.3.15-5 + description: "The Member Organization should inform \u2018SAMA IT Risk Supervision\u2019\ + \ immediately when a medium or high classified security incident has occurred\ + \ and identified." + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 + ref_id: 3.3.15-6 + description: "The Member Organization should obtain \u2018no objection\u2019\ + \ from \u2018SAMA IT Risk Supervision\u2019 before any media interaction related\ + \ to the incident." 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 + ref_id: 3.3.15-7 + description: "The Member Organization should submit a formal incident report\ + \ \u2018SAMA IT Risk Supervision\u2019 after resuming operations, including\ + \ the following incident details: a. title of incident;b. classification of\ + \ the incident (medium or high);c. date and time of incident occurred. date\ + \ and time of incident detected. information assets involved; f. (technical)\ + \ details of the incident;g. root-cause analysis;h. corrective activities\ + \ performed and planned;i. description of impact (e.g., loss of data, disruption\ + \ of services, unauthorized modification of data, (un)intended data leakage,\ + \ number of customers impacted);j. total estimated cost of incident;k. estimated\ + \ cost of corrective actions." + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node254 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 + name: Threat Management + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.16-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node254 + ref_id: 3.3.16-1 + description: The threat intelligence management process should be defined, approved + and implemented. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.16-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node254 + ref_id: 3.3.16-2 + description: The effectiveness of the threat intelligence management process + should be measured and periodically evaluated. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.16-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node254 + ref_id: 3.3.16-3 + description: 'The threat intelligence management process should include: a. 
+ the use of internal sources, such as access control, application and infrastructure + logs, IDS, IPS, security tooling, Security Information and Event Monitoring + (SIEM), support functions (e.g., Legal, Audit, IT Helpdesk, Forensics, Fraud + Management, Risk Management, Compliance);b. the use of reliable and relevant + external sources, such as SAMA, government agencies, security forums, (security) + vendors, security organizations and specialist notification services;c. a + defined methodology to analyze the threat information periodically;d. the + relevant details on identified or collected threats, such as modus operandi, + actors, motivation and type of threats;e. the relevance of the derived intelligence + and the action-ability for follow-up (for e.g., SOC, Risk Management);f. sharing + the relevant intelligence with the relevant stakeholders (e.g., SAMA, BCIS + members).' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node258 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 + name: Vulnerability Management + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.17-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node258 + ref_id: 3.3.17-1 + description: The vulnerability management process should be defined, approved + and implemented. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.17-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node258 + ref_id: 3.3.17-2 + description: The effectiveness of the vulnerability management process should + be measured and periodically evaluated. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.17-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node258 + ref_id: 3.3.17-3 + description: 'The vulnerability management process should include: a. all information + assets;b. frequency of performing the vulnerability scan (risk-based);c. 
classification + of vulnerabilities;d. defined timelines to mitigate (per classification);e. + prioritization for classified information assets; f. patch management and + method of deployment.' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node262 + assessable: false + depth: 1 + name: Third Party Security + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node262 + name: 'Contract and Vendor Management ' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 + ref_id: 3.4.1 + description: The Cyber Security requirements should be defined, approved, implemented + and communicated within the contract and vendor management processes. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 + ref_id: 3.4.2 + description: The compliance with contract and vendor management process should + be monitored. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 + ref_id: 3.4.3 + description: The effectiveness of the Cyber Security controls within the contract + and vendor management process should be measured and periodically evaluated. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 + ref_id: 3.4.1-4 + description: "These contract and vendor management processes should cover: \n\ + a. whether the involvement of the Cyber Security function is actively required\ + \ (e.g., in case of due diligence);\nb. the baseline Cyber Security requirements\ + \ which should be applied in all cases;\nc. the right to periodically perform\ + \ Cyber Security reviews and audits." 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1-5.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 + ref_id: 3.4.1-5.a + description: 'The contract management process should cover requirements for: + a. executing a Cyber Security risk assessment as part of the procurement process;' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1-5.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 + ref_id: 3.4.1-5.b + description: b. defining the specific Cyber Security requirements as part of + the tender process; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1-5.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 + ref_id: 3.4.1-5.c + description: c. evaluating the replies of potential vendors on the defined Cyber + Security requirements; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1-5.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 + ref_id: 3.4.1-5.d + description: d. testing of the agreed Cyber Security requirements (risk-based); + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1-5.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 + ref_id: 3.4.1-5.e + description: e. defining the communication or escalation process in case of + Cyber Security incidents; + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1-5.f + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 + ref_id: 3.4.1-5.f + description: f. ensuring Cyber Security requirements are defined for exiting, + terminating or renewing the contract (including escrow agreements if applicable); + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1-4.g + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 + ref_id: 3.4.1-4.g + description: g. defining a mutual confidentiality agreement. 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1.-6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 + ref_id: 3.4.1.-6 + description: 'The vendor management process (i.e., service level management) + should cover requirements for: a. periodic reporting, reviewing, and evaluating + the contractually agreed Cyber Security requirements (in SLAs).' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node262 + name: 'Outsourcing ' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.2-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 + ref_id: 3.4.2-1 + description: The Cyber Security requirements within the outsourcing policy and + process should be defined, approved, implemented and communicated within Member + Organization. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.2-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 + ref_id: 3.4.2-2 + description: The Cyber Security requirements regarding the outsourcing policy + and process should be measured and periodically evaluated. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.2-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 + ref_id: 3.4.2-3 + description: "The outsourcing process should include: \na. the approval from\ + \ SAMA prior to material outsourcing. \nb. the involvement of the Cyber Security\ + \ function. \nc. compliance with the SAMA circular on outsourcing." 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node262 + name: 'Cloud Computing ' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 + ref_id: 3.4.3-1 + description: The Cyber Security controls within the cloud computing policy for + hybrid and public cloud services should be defined, approved and implemented, + and communicated within Member Organization. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 + ref_id: 3.4.3-2 + description: The compliance with the cloud computing policy should be monitored. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 + ref_id: 3.4.3-3 + description: The Cyber Security controls regarding the cloud computing policy + and process for hybrid and public cloud services should be periodically measured + and evaluated. + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-1.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 + ref_id: 3.4.3-1.a + description: "The cloud computing policy for hybrid and public cloud services\ + \ should address requirements for: \na. the process for adopting cloud services,\ + \ including that:\n1. a Cyber Security risk assessment and due diligence on\ + \ the cloud service provider and its cloud services should be performed;\n\ + 2. the Member Organization should obtain SAMA approval prior to using cloud\ + \ services or signing the contract with the cloud provider;\n3. 
a contract\ + \ should be in place, including the Cyber Security requirements, before using\ + \ cloud services;" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-1.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 + ref_id: 3.4.3-1.b + description: 'b. data location, including that: + + 1. in principle only cloud services should be used that are located in Saudi + Arabia, or when cloud services are to be used outside Saudi Arabia that the + Member Organization should obtain explicit approval from SAMA;' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-1.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 + ref_id: 3.4.3-1.c + description: "c. data use limitations, including that:\n1. the cloud service\ + \ provider should not use the Member Organization\u2019s data for secondary\ + \ purposes;" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-1.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 + ref_id: 3.4.3-1.d + description: "d. security, including that:\n1. The cloud service provider should\ + \ implement and monitor the Cyber Security controls as determined in the risk\ + \ assessment for protecting the confidentiality, integrity, and availability\ + \ of the Member Organization\u2019s data;" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-1.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 + ref_id: 3.4.3-1.e + description: "e. data segregation, including that:\n1. the Member Organization\u2019\ + s data is logically segregated from other data held by the cloud service provider,\ + \ including that the cloud service provider should be able to identify the\ + \ Member Organization\u2019s data and at all times should be able to distinguish\ + \ it from other data." 
+ - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-1.f + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 + ref_id: 3.4.3-1.f + description: "f. business continuity, including that:\n1. business continuity\ + \ requirements are met in accordance with the Member Organization\u2019s business\ + \ continuity policy;" + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-1.g + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 + ref_id: 3.4.3-1.g + description: 'g. audit, review and monitoring, including that: + + 1. the Member Organization has the right to perform a Cyber Security review + at the cloud service provider; + + 2. the Member Organization has the right to perform a Cyber Security audit + at the cloud service provider; + + 3. the Member Organization has the right to perform a Cyber Security examination + at the cloud service provider;' + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-1.h + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 + ref_id: 3.4.3-1.h + description: "h. exit, including that:\n1. the Member Organization has termination\ + \ rights;\n2. the cloud service provider has to return the Member Organization\u2019\ + s data on termination;\n3. the cloud service provider has to irreversibly\ + \ delete the Member Organization\u2019s data on termination." diff --git a/backend/library/libraries/tisax-v5.1.yaml b/backend/library/libraries/tisax-v5.1.yaml index 1acb92ea8..b6cb73318 100644 --- a/backend/library/libraries/tisax-v5.1.yaml +++ b/backend/library/libraries/tisax-v5.1.yaml 
@@ -21,7 +21,7 @@ copyright: "Publisher: VERBAND DER AUTOMOBILINDUSTRIE e.\_V. (VDA, German Associ
 \ Creative Commons Attribution - No Derivative Works 4.0 International Public License.\
 \ In addition, You are granted the right to distribute derivatives under certain\
 \ terms."
-version: '1'
+version: 1
 provider: VDA
 packager: intuitem
 objects:
diff --git a/backend/poetry.lock b/backend/poetry.lock
index 1fe15109f..33acc7be3 100644
--- a/backend/poetry.lock
+++ b/backend/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.8.2 and should not be changed by hand.
 [[package]]
 name = "argon2-cffi"
@@ -107,10 +107,6 @@ files = [ {file = "Brotli-1.1.0-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:a37b8f0391212d29b3a91a799c8e4a2855e0576911cdfb2515487e30e322253d"}, {file = "Brotli-1.1.0-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:e84799f09591700a4154154cab9787452925578841a94321d5ee8fb9a9a328f0"}, {file = "Brotli-1.1.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:f66b5337fa213f1da0d9000bc8dc0cb5b896b726eefd9c6046f699b169c41b9e"}, - {file = "Brotli-1.1.0-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:5dab0844f2cf82be357a0eb11a9087f70c5430b2c241493fc122bb6f2bb0917c"}, - {file = "Brotli-1.1.0-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:e4fe605b917c70283db7dfe5ada75e04561479075761a0b3866c081d035b01c1"}, - {file = "Brotli-1.1.0-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:1e9a65b5736232e7a7f91ff3d02277f11d339bf34099a56cdab6a8b3410a02b2"}, - {file = "Brotli-1.1.0-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:58d4b711689366d4a03ac7957ab8c28890415e267f9b6589969e74b6e42225ec"}, {file = "Brotli-1.1.0-cp310-cp310-win32.whl", hash = "sha256:be36e3d172dc816333f33520154d708a2657ea63762ec16b62ece02ab5e4daf2"}, {file = "Brotli-1.1.0-cp310-cp310-win_amd64.whl", hash = "sha256:0c6244521dda65ea562d5a69b9a26120769b7a9fb3db2fe9545935ed6735b128"}, {file = "Brotli-1.1.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:a3daabb76a78f829cafc365531c972016e4aa8d5b4bf60660ad8ecee19df7ccc"}, 
@@ -123,14 +119,8 @@ files = [ {file = "Brotli-1.1.0-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:19c116e796420b0cee3da1ccec3b764ed2952ccfcc298b55a10e5610ad7885f9"}, {file = "Brotli-1.1.0-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:510b5b1bfbe20e1a7b3baf5fed9e9451873559a976c1a78eebaa3b86c57b4265"}, {file = "Brotli-1.1.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:a1fd8a29719ccce974d523580987b7f8229aeace506952fa9ce1d53a033873c8"}, - {file = "Brotli-1.1.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:c247dd99d39e0338a604f8c2b3bc7061d5c2e9e2ac7ba9cc1be5a69cb6cd832f"}, - {file = "Brotli-1.1.0-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:1b2c248cd517c222d89e74669a4adfa5577e06ab68771a529060cf5a156e9757"}, - {file = "Brotli-1.1.0-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:2a24c50840d89ded6c9a8fdc7b6ed3692ed4e86f1c4a4a938e1e92def92933e0"}, - {file = "Brotli-1.1.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:f31859074d57b4639318523d6ffdca586ace54271a73ad23ad021acd807eb14b"}, {file = "Brotli-1.1.0-cp311-cp311-win32.whl", hash = "sha256:39da8adedf6942d76dc3e46653e52df937a3c4d6d18fdc94a7c29d263b1f5b50"}, {file = "Brotli-1.1.0-cp311-cp311-win_amd64.whl", hash = "sha256:aac0411d20e345dc0920bdec5548e438e999ff68d77564d5e9463a7ca9d3e7b1"}, - {file = "Brotli-1.1.0-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:32d95b80260d79926f5fab3c41701dbb818fde1c9da590e77e571eefd14abe28"}, - {file = "Brotli-1.1.0-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:b760c65308ff1e462f65d69c12e4ae085cff3b332d894637f6273a12a482d09f"}, {file = "Brotli-1.1.0-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:316cc9b17edf613ac76b1f1f305d2a748f1b976b033b049a6ecdfd5612c70409"}, {file = "Brotli-1.1.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:caf9ee9a5775f3111642d33b86237b05808dafcd6268faa492250e9b78046eb2"}, {file = "Brotli-1.1.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = 
"sha256:70051525001750221daa10907c77830bc889cb6d865cc0b813d9db7fefc21451"}, 
@@ -141,24 +131,8 @@ files = [ {file = "Brotli-1.1.0-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:4093c631e96fdd49e0377a9c167bfd75b6d0bad2ace734c6eb20b348bc3ea180"}, {file = "Brotli-1.1.0-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:7e4c4629ddad63006efa0ef968c8e4751c5868ff0b1c5c40f76524e894c50248"}, {file = "Brotli-1.1.0-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:861bf317735688269936f755fa136a99d1ed526883859f86e41a5d43c61d8966"}, - {file = "Brotli-1.1.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:87a3044c3a35055527ac75e419dfa9f4f3667a1e887ee80360589eb8c90aabb9"}, - {file = "Brotli-1.1.0-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:c5529b34c1c9d937168297f2c1fde7ebe9ebdd5e121297ff9c043bdb2ae3d6fb"}, - {file = "Brotli-1.1.0-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:ca63e1890ede90b2e4454f9a65135a4d387a4585ff8282bb72964fab893f2111"}, - {file = "Brotli-1.1.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:e79e6520141d792237c70bcd7a3b122d00f2613769ae0cb61c52e89fd3443839"}, {file = "Brotli-1.1.0-cp312-cp312-win32.whl", hash = "sha256:5f4d5ea15c9382135076d2fb28dde923352fe02951e66935a9efaac8f10e81b0"}, {file = "Brotli-1.1.0-cp312-cp312-win_amd64.whl", hash = "sha256:906bc3a79de8c4ae5b86d3d75a8b77e44404b0f4261714306e3ad248d8ab0951"}, - {file = "Brotli-1.1.0-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:8bf32b98b75c13ec7cf774164172683d6e7891088f6316e54425fde1efc276d5"}, - {file = "Brotli-1.1.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:7bc37c4d6b87fb1017ea28c9508b36bbcb0c3d18b4260fcdf08b200c74a6aee8"}, - {file = "Brotli-1.1.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3c0ef38c7a7014ffac184db9e04debe495d317cc9c6fb10071f7fefd93100a4f"}, - {file = "Brotli-1.1.0-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:91d7cc2a76b5567591d12c01f019dd7afce6ba8cba6571187e21e2fc418ae648"}, - {file = 
"Brotli-1.1.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a93dde851926f4f2678e704fadeb39e16c35d8baebd5252c9fd94ce8ce68c4a0"}, - {file = "Brotli-1.1.0-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f0db75f47be8b8abc8d9e31bc7aad0547ca26f24a54e6fd10231d623f183d089"}, - {file = "Brotli-1.1.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:6967ced6730aed543b8673008b5a391c3b1076d834ca438bbd70635c73775368"}, - {file = "Brotli-1.1.0-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:7eedaa5d036d9336c95915035fb57422054014ebdeb6f3b42eac809928e40d0c"}, - {file = "Brotli-1.1.0-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:d487f5432bf35b60ed625d7e1b448e2dc855422e87469e3f450aa5552b0eb284"}, - {file = "Brotli-1.1.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:832436e59afb93e1836081a20f324cb185836c617659b07b129141a8426973c7"}, - {file = "Brotli-1.1.0-cp313-cp313-win32.whl", hash = "sha256:43395e90523f9c23a3d5bdf004733246fba087f2948f87ab28015f12359ca6a0"}, - {file = "Brotli-1.1.0-cp313-cp313-win_amd64.whl", hash = "sha256:9011560a466d2eb3f5a6e4929cf4a09be405c64154e12df0dd72713f6500e32b"}, {file = "Brotli-1.1.0-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:a090ca607cbb6a34b0391776f0cb48062081f5f60ddcce5d11838e67a01928d1"}, {file = "Brotli-1.1.0-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2de9d02f5bda03d27ede52e8cfe7b865b066fa49258cbab568720aa5be80a47d"}, {file = "Brotli-1.1.0-cp36-cp36m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:2333e30a5e00fe0fe55903c8832e08ee9c3b1382aacf4db26664a16528d51b4b"}, 
@@ -168,10 +142,6 @@ files = [ {file = "Brotli-1.1.0-cp36-cp36m-musllinux_1_1_i686.whl", hash = "sha256:fd5f17ff8f14003595ab414e45fce13d073e0762394f957182e69035c9f3d7c2"}, {file = "Brotli-1.1.0-cp36-cp36m-musllinux_1_1_ppc64le.whl", hash = "sha256:069a121ac97412d1fe506da790b3e69f52254b9df4eb665cd42460c837193354"}, {file = "Brotli-1.1.0-cp36-cp36m-musllinux_1_1_x86_64.whl", hash = "sha256:e93dfc1a1165e385cc8239fab7c036fb2cd8093728cbd85097b284d7b99249a2"}, - {file = "Brotli-1.1.0-cp36-cp36m-musllinux_1_2_aarch64.whl", hash = "sha256:aea440a510e14e818e67bfc4027880e2fb500c2ccb20ab21c7a7c8b5b4703d75"}, - {file = "Brotli-1.1.0-cp36-cp36m-musllinux_1_2_i686.whl", hash = "sha256:6974f52a02321b36847cd19d1b8e381bf39939c21efd6ee2fc13a28b0d99348c"}, - {file = "Brotli-1.1.0-cp36-cp36m-musllinux_1_2_ppc64le.whl", hash = "sha256:a7e53012d2853a07a4a79c00643832161a910674a893d296c9f1259859a289d2"}, - {file = "Brotli-1.1.0-cp36-cp36m-musllinux_1_2_x86_64.whl", hash = "sha256:d7702622a8b40c49bffb46e1e3ba2e81268d5c04a34f460978c6b5517a34dd52"}, {file = "Brotli-1.1.0-cp36-cp36m-win32.whl", hash = "sha256:a599669fd7c47233438a56936988a2478685e74854088ef5293802123b5b2460"}, {file = "Brotli-1.1.0-cp36-cp36m-win_amd64.whl", hash = "sha256:d143fd47fad1db3d7c27a1b1d66162e855b5d50a89666af46e1679c496e8e579"}, {file = "Brotli-1.1.0-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:11d00ed0a83fa22d29bc6b64ef636c4552ebafcef57154b4ddd132f5638fbd1c"}, 
@@ -183,10 +153,6 @@ files = [ {file = "Brotli-1.1.0-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:919e32f147ae93a09fe064d77d5ebf4e35502a8df75c29fb05788528e330fe74"}, {file = "Brotli-1.1.0-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:23032ae55523cc7bccb4f6a0bf368cd25ad9bcdcc1990b64a647e7bbcce9cb5b"}, {file = "Brotli-1.1.0-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:224e57f6eac61cc449f498cc5f0e1725ba2071a3d4f48d5d9dffba42db196438"}, - {file = "Brotli-1.1.0-cp37-cp37m-musllinux_1_2_aarch64.whl", hash = "sha256:cb1dac1770878ade83f2ccdf7d25e494f05c9165f5246b46a621cc849341dc01"}, - {file = "Brotli-1.1.0-cp37-cp37m-musllinux_1_2_i686.whl", hash = "sha256:3ee8a80d67a4334482d9712b8e83ca6b1d9bc7e351931252ebef5d8f7335a547"}, - {file = "Brotli-1.1.0-cp37-cp37m-musllinux_1_2_ppc64le.whl", hash = "sha256:5e55da2c8724191e5b557f8e18943b1b4839b8efc3ef60d65985bcf6f587dd38"}, - {file = "Brotli-1.1.0-cp37-cp37m-musllinux_1_2_x86_64.whl", hash = "sha256:d342778ef319e1026af243ed0a07c97acf3bad33b9f29e7ae6a1f68fd083e90c"}, {file = "Brotli-1.1.0-cp37-cp37m-win32.whl", hash = "sha256:587ca6d3cef6e4e868102672d3bd9dc9698c309ba56d41c2b9c85bbb903cdb95"}, {file = "Brotli-1.1.0-cp37-cp37m-win_amd64.whl", hash = "sha256:2954c1c23f81c2eaf0b0717d9380bd348578a94161a65b3a2afc62c86467dd68"}, {file = "Brotli-1.1.0-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:efa8b278894b14d6da122a72fefcebc28445f2d3f880ac59d46c90f4c13be9a3"}, 
@@ -199,10 +165,6 @@ files = [ {file = "Brotli-1.1.0-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:1ab4fbee0b2d9098c74f3057b2bc055a8bd92ccf02f65944a241b4349229185a"}, {file = "Brotli-1.1.0-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:141bd4d93984070e097521ed07e2575b46f817d08f9fa42b16b9b5f27b5ac088"}, {file = "Brotli-1.1.0-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:fce1473f3ccc4187f75b4690cfc922628aed4d3dd013d047f95a9b3919a86596"}, - {file = "Brotli-1.1.0-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:d2b35ca2c7f81d173d2fadc2f4f31e88cc5f7a39ae5b6db5513cf3383b0e0ec7"}, - {file = "Brotli-1.1.0-cp38-cp38-musllinux_1_2_i686.whl", hash = "sha256:af6fa6817889314555aede9a919612b23739395ce767fe7fcbea9a80bf140fe5"}, - {file = "Brotli-1.1.0-cp38-cp38-musllinux_1_2_ppc64le.whl", hash = "sha256:2feb1d960f760a575dbc5ab3b1c00504b24caaf6986e2dc2b01c09c87866a943"}, - {file = "Brotli-1.1.0-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:4410f84b33374409552ac9b6903507cdb31cd30d2501fc5ca13d18f73548444a"}, {file = "Brotli-1.1.0-cp38-cp38-win32.whl", hash = "sha256:db85ecf4e609a48f4b29055f1e144231b90edc90af7481aa731ba2d059226b1b"}, {file = "Brotli-1.1.0-cp38-cp38-win_amd64.whl", hash = "sha256:3d7954194c36e304e1523f55d7042c59dc53ec20dd4e9ea9d151f1b62b4415c0"}, {file = "Brotli-1.1.0-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:5fb2ce4b8045c78ebbc7b8f3c15062e435d47e7393cc57c25115cfd49883747a"}, 
@@ -215,10 +177,6 @@ files = [ {file = "Brotli-1.1.0-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:949f3b7c29912693cee0afcf09acd6ebc04c57af949d9bf77d6101ebb61e388c"}, {file = "Brotli-1.1.0-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:89f4988c7203739d48c6f806f1e87a1d96e0806d44f0fba61dba81392c9e474d"}, {file = "Brotli-1.1.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:de6551e370ef19f8de1807d0a9aa2cdfdce2e85ce88b122fe9f6b2b076837e59"}, - {file = "Brotli-1.1.0-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:0737ddb3068957cf1b054899b0883830bb1fec522ec76b1098f9b6e0f02d9419"}, - {file = "Brotli-1.1.0-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:4f3607b129417e111e30637af1b56f24f7a49e64763253bbc275c75fa887d4b2"}, - {file = "Brotli-1.1.0-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:6c6e0c425f22c1c719c42670d561ad682f7bfeeef918edea971a79ac5252437f"}, - {file = "Brotli-1.1.0-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:494994f807ba0b92092a163a0a283961369a65f6cbe01e8891132b7a320e61eb"}, {file = "Brotli-1.1.0-cp39-cp39-win32.whl", hash = "sha256:f0d8a7a6b5983c2496e364b969f0e526647a06b075d034f3297dc66f3b360c64"}, {file = "Brotli-1.1.0-cp39-cp39-win_amd64.whl", hash = "sha256:cdad5b9014d83ca68c25d2e9444e28e967ef16e80f6b436918c700c117a85467"}, {file = "Brotli-1.1.0.tar.gz", hash = "sha256:81de08ac11bcb85841e440c13611c00b67d3bf82698314928d0b676362546724"}, @@ -984,6 +942,20 @@ chardet = ["chardet (>=2.2)"] genshi = ["genshi"] lxml = ["lxml"] +[[package]] +name = "huey" +version = "2.5.2" +description = "huey, a little task queue" +optional = false +python-versions = "*" +files = [ + {file = "huey-2.5.2.tar.gz", hash = "sha256:df33db474c05414ed40ee2110e9df692369871734da22d74ffb035a4bd74047f"}, +] + +[package.extras] +backends = ["redis (>=3.0.0)"] +redis = ["redis (>=3.0.0)"] + [[package]] name = "humanize" version = "4.11.0" 
@@ -2396,4 +2368,4 @@ test = ["pytest"] [metadata] lock-version = "2.0" python-versions = "^3.11" -content-hash = "5f38fdc11bf9e530472b19a6527ef3a33008ab252e82e8e78fbd86414065f10a" +content-hash = "821aaf8fbb21d8500884b69f44180e50accade9ff10587752ac69d9cd4e248ac" diff --git a/backend/pyproject.toml b/backend/pyproject.toml index 967f41b76..40144abed 100644 --- a/backend/pyproject.toml +++ b/backend/pyproject.toml @@ -32,6 +32,7 @@ python-magic = "0.4.27" pytz = "2024.2" fido2 = "^1.1.3" humanize = "^4.11.0" +huey = "^2.5.2" [tool.poetry.group.dev.dependencies] pytest-django = "4.8.0" diff --git a/cli/RA_sample.csv b/cli/RA_sample.csv new file mode 100644 index 000000000..904518c88 --- /dev/null +++ b/cli/RA_sample.csv @@ -0,0 +1,4 @@ +ref_id;assets;threats;name;description;existing_controls;current_impact;current_proba;current_risk;additional_controls;residual_impact;residual_proba;residual_risk;treatment +R.1;dsafa;Data Encrypted for Impact;Ransomware;;ISMS Scope document,Statement of Applicabilty document;Significant;Likely;Low;Risk management policy,Organization overview document,Main policy,Competency matrix;Critical;Very likely;High;open +R.2;;System Shutdown/Reboot;Unavailability;;Information security awareness and traning policy;Significant;Very likely;Medium;Management review plan document,Main policy,ISMS Scope document,Responsibility matrix;Important;Unlikely;Medium;open +R.3;dsasfad;Scheduled Task,Cloud Administration Command;Insider threats;;;Important;Likely;Medium;;--;--;--;open diff --git a/cli/README.md b/cli/README.md new file mode 100644 index 000000000..be0afcfeb --- /dev/null +++ b/cli/README.md @@ -0,0 +1,6 @@ + +## Examples + +```sh +./clica.py import-risk-assessment --file RA_sample.csv --folder "BU 1" --project "Orion" --matrix "4x4 risk matrix from EBIOS-RM" --name example +``` diff --git a/cli/clica.py b/cli/clica.py index 5ecbb1a89..1b72564bf 100755 --- a/cli/clica.py +++ b/cli/clica.py 
@@ -6,7 +6,10 @@ import pandas as pd import requests import yaml -from rich import print +import json +from rich import print as rprint + +from icecream import ic cli_cfg = dict() auth_data = dict() @@ -81,7 +84,6 @@ def init_config(): def check_auth(): if Path(".tmp.yaml").exists(): - click.echo("Found auth data. Trying them", err=True) with open(".tmp.yaml", "r") as yfile: auth_data = yaml.safe_load(yfile) return auth_data["token"] @@ -123,6 +125,21 @@ def auth(email, password): print(res.json()) +def ids_map(model, folder=None): + my_map = dict() + url = f"{API_URL}/{model}/ids/" + headers = {"Authorization": f"Token {TOKEN}"} + res = requests.get(url, headers=headers, verify=VERIFY_CERTIFICATE) + if res.status_code != 200: + print("something went wrong. check authentication.") + sys.exit(1) + if folder: + my_map = res.json().get(folder) + else: + my_map = res.json() + return my_map + + def _get_folders(): url = f"{API_URL}/folders/" headers = {"Authorization": f"Token {TOKEN}"} 
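Review bot: `from icecream import ic` turns a debugging helper into a hard runtime dependency of the CLI (this commit also adds it to `cli/requirements.txt`), only to back the `ic(impact_map)` / `ic(proba_map)` calls further down in `import_risk_assessment`. `ic()` writes the expression and its value to stderr on every run, which is debug noise for users and one more third-party package to keep patched. Replacing those two calls with `rprint(...)`, which this same hunk already imports, or dropping them lets both the import and the requirements line go.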
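Review bot: `ids_map` returns `res.json().get(folder)` when a folder name is given, which is `None` for a folder the server does not know, and the callers in `import_risk_assessment` immediately call `.get(project)` on the result, so a mistyped `--folder` fails with an AttributeError instead of a message; return an empty dict, `my_map = res.json().get(folder, {})`, or exit naming the folder, as the non-200 branch already does. A docstring is missing; judging by the callers the endpoint appears to expose a name-to-id map, so something like `"""Return the {name: id} map served by /{model}/ids/, optionally restricted to one folder."""` would tell readers what the keys are. The non-200 branch prints a fixed sentence; including `res.status_code` in it helps tell an expired token apart from a wrong `API_URL`.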
@@ -138,9 +155,183 @@ def _get_folders(): @click.command() def get_folders(): """Get folders.""" - GLOBAL_FOLDER_ID, res = _get_folders() - print("GLOBAL_FOLDER_ID: ", GLOBAL_FOLDER_ID) - print(res) + print(json.dumps(ids_map("folders"), ensure_ascii=False)) + + +@click.command() +def get_projects(): + """getting projects as a json""" + print(json.dumps(ids_map("projects"), ensure_ascii=False)) + + +@click.command() +def get_matrices(): + """getting loaded matrix as a json""" + print(json.dumps(ids_map("risk-matrices", folder="Global"), ensure_ascii=False)) + + +def get_unique_parsed_values(df, column_name): + unique_values = df[column_name].dropna().unique() + parsed_values = [] + + for value in unique_values: + value_str = str(value) + split_values = [v.strip() for v in value_str.split(",")] + parsed_values.extend(split_values) + + return set(parsed_values) + + +def batch_create(model, items, folder_id): + headers = { + "Authorization": f"Token {TOKEN}", + } + output = dict() + url = f"{API_URL}/{model}/" + for item in items: + data = { + "folder": folder_id, + "name": item, + } + res = requests.post(url, json=data, headers=headers) + if res.status_code != 201: + print("something went wrong") + print(res.json()) + else: + output.update({item: res.json()["id"]}) + return output + + +@click.command() +@click.option("--file", required=True, help="") +@click.option("--folder", required=True, help="") +@click.option("--project", required=True, help="") +@click.option("--matrix", required=True, help="") +@click.option("--name", required=True, help="") +@click.option( + "--create_all", + required=False, + is_flag=True, + default=True, + help="Create all associated objects (threats, assets)", +) +def import_risk_assessment(file, folder, project, name, matrix, create_all): + """crawl a risk assessment (see template) and create the assoicated objects""" + df = pd.read_csv(file, delimiter=";") + headers = { + "Authorization": f"Token {TOKEN}", + } + folder_id = 
ids_map("folders").get(folder) + project_id = ids_map("projects", folder=folder).get(project) + matrix_id = ids_map("risk-matrices", folder="Global").get(matrix) + + # post to create risk assessment + data = { + "name": name, + "folder": folder_id, + "project": project_id, + "risk_matrix": matrix_id, + } + res = requests.post( + f"{API_URL}/risk-assessments/", + json=data, + headers=headers, + verify=VERIFY_CERTIFICATE, + ) + ra_id = None + if res.status_code == 201: + ra_id = res.json().get("id") + print("ok") + else: + print("something went wrong.") + print(res.json()) + + if create_all: + threats = get_unique_parsed_values(df, "threats") + batch_create("threats", threats, folder_id) + assets = get_unique_parsed_values(df, "assets") + batch_create("assets", assets, folder_id) + existing_controls = get_unique_parsed_values(df, "existing_controls") + batch_create("applied-controls", existing_controls, folder_id) + additional_controls = get_unique_parsed_values(df, "additional_controls") + batch_create("applied-controls", additional_controls, folder_id) + + res = requests.get(f"{API_URL}/risk-matrices/{matrix_id}", headers=headers) + if res.status_code == 200: + matrix_def = res.json().get("json_definition") + matrix_def = json.loads(matrix_def) + # ic(matrix_def) + impact_map = dict() + proba_map = dict() + # this can be factored as one map probably + for item in matrix_def["impact"]: + impact_map[item["name"]] = item["id"] + if item.get("translations"): + langs = item.get("translations") + for lang in langs: + impact_map[langs[lang]["name"]] = item["id"] + for item in matrix_def["probability"]: + proba_map[item["name"]] = item["id"] + if item.get("translations"): + langs = item.get("translations") + for lang in langs: + proba_map[langs[lang]["name"]] = item["id"] + + ic(impact_map) + ic(proba_map) + + df = df.fillna("--") + + threats = ids_map("threats", folder) + assets = ids_map("assets", folder) + controls = ids_map("applied-controls", folder) + + for scenario 
in df.itertuples(): + data = { + "ref_id": scenario.ref_id, + "name": scenario.name, + "risk_assessment": ra_id, + } + if None in [ + impact_map.get(scenario.current_impact), + proba_map.get(scenario.current_proba), + impact_map.get(scenario.residual_impact), + proba_map.get(scenario.residual_proba), + ]: + print("Matrix doesn't match the labels used on your input file") + + if scenario.current_impact != "--": + data.update({"current_impact": impact_map.get(scenario.current_impact)}) + if scenario.current_proba != "--": + data.update({"current_proba": proba_map.get(scenario.current_proba)}) + + if scenario.residual_impact != "--": + data.update({"residual_impact": impact_map.get(scenario.residual_impact)}) + if scenario.residual_proba != "--": + data.update({"residual_proba": proba_map.get(scenario.residual_proba)}) + + if scenario.existing_controls != "--": + items = str(scenario.existing_controls).split(",") + data.update( + {"existing_applied_controls": [controls[item] for item in items]} + ) + + if scenario.additional_controls != "--": + items = str(scenario.additional_controls).split(",") + data.update({"applied_controls": [controls[item] for item in items]}) + + if scenario.assets != "--": + items = str(scenario.assets).split(",") + data.update({"assets": [assets[item] for item in items]}) + + if scenario.threats != "--": + items = str(scenario.threats).split(",") + data.update({"threats": [threats[item] for item in items]}) + + res = requests.post(f"{API_URL}/risk-scenarios/", json=data, headers=headers) + if res.status_code != 201: + rprint(res.json()) + rprint(data) @click.command() @@ -172,9 +363,9 @@ def import_assets(file): ) if res.status_code != 201: click.echo("❌ something went wrong", err=True) - print(res.json()) + rprint(res.json()) else: - print(f"✅ {name} created", file=sys.stderr) + rprint(f"✅ {name} created", file=sys.stderr) @click.command() 
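Review bot: In `import_risk_assessment` a failed `risk-assessments` POST only prints the error and leaves `ra_id = None`, yet the scenario loop still runs and creates every row with `"risk_assessment": None`; add `sys.exit(1)` in that `else` branch, and the same exit belongs before the POST when `folder_id`, `project_id` or `matrix_id` came back `None` from `.get()`. The per-row lookups `controls[item]`, `assets[item]` and `threats[item]` index the raw `split(",")` pieces while `get_unique_parsed_values` strips them, so a cell like `"A, B"` creates `"B"` and then raises `KeyError: ' B'`; strip in the loop as well, e.g. `items = [v.strip() for v in str(scenario.existing_controls).split(",")]`. `batch_create`'s POST, the `risk-matrices/{matrix_id}` GET and the `risk-scenarios` POST omit the `verify=VERIFY_CERTIFICATE` that every other request in this file passes, so whatever that setting holds (a custom CA bundle, or verification turned off against a test instance) is silently not applied on those three calls and they behave differently from the rest. `--create_all` is declared `is_flag=True, default=True`, which leaves no way to switch it off from the command line; click's `"--create_all/--no-create_all"` spelling gives both switches. The `if res.status_code == 200:` around the matrix parsing has no `else`, so a failed matrix fetch is silent, the `ic(impact_map)` / `ic(proba_map)` lines are leftover debug output, the docstring misspells "associated", and the five `help=""` strings are empty.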
@@ -208,9 +399,9 @@ def import_controls(file): ) if res.status_code != 201: click.echo("❌ something went wrong", err=True) - print(res.json()) + rprint(res.json()) else: - print(f"✅ {name} created", file=sys.stderr) + rprint(f"✅ {name} created", file=sys.stderr) @click.command() @@ -240,9 +431,9 @@ def import_evidences(file): ) if res.status_code != 201: click.echo("❌ something went wrong", err=True) - print(res.json()) + rprint(res.json()) else: - print(f"✅ {row['name']} created", file=sys.stderr) + rprint(f"✅ {row['name']} created", file=sys.stderr) @click.command() @@ -260,13 +451,13 @@ def upload_attachment(file, name): url, headers=headers, params={"name": name}, verify=VERIFY_CERTIFICATE ) data = res.json() - print(data) + rprint(data) if res.status_code != 200: - print(data) - print(f"Error: check credentials or filename.", file=sys.stderr) + rprint(data) + rprint(f"Error: check credentials or filename.", file=sys.stderr) return if not data["results"]: - print(f"Error: No evidence found with name '{name}'", file=sys.stderr) + rprint(f"Error: No evidence found with name '{name}'", file=sys.stderr) return evidence_id = data["results"][0]["id"] @@ -280,16 +471,19 @@ def upload_attachment(file, name): } with open(file, "rb") as f: res = requests.post(url, headers=headers, data=f, verify=VERIFY_CERTIFICATE) - print(res) - print(res.text) + rprint(res) + rprint(res.text) cli.add_command(get_folders) +cli.add_command(get_projects) cli.add_command(auth) cli.add_command(import_assets) cli.add_command(import_controls) cli.add_command(import_evidences) cli.add_command(init_config) cli.add_command(upload_attachment) +cli.add_command(import_risk_assessment) +cli.add_command(get_matrices) if __name__ == "__main__": cli() diff --git a/cli/requirements.txt b/cli/requirements.txt index a857296db..1dbed4d6a 100644 --- a/cli/requirements.txt +++ b/cli/requirements.txt @@ -3,3 +3,4 @@ rich requests click pyyaml +icecream 
diff --git a/core_objects.png b/core_objects.png new file mode 100644 index 000000000..614cafaa2 Binary files /dev/null and b/core_objects.png differ diff --git a/docker-compose-build.yml b/docker-compose-build.yml index efc6b204b..f55da3050 100644 --- a/docker-compose-build.yml +++ b/docker-compose-build.yml @@ -12,6 +12,23 @@ services: volumes: - ./db:/code/db + # huey: + # container_name: huey + # build: + # context: ./backend + # dockerfile: Dockerfile + # restart: always + # environment: + # - ALLOWED_HOSTS=backend,localhost + # - DJANGO_DEBUG=False + # volumes: + # - ./db:/code/db + # entrypoint: + # - /bin/sh + # - -c + # - | + # poetry run python manage.py run_huey + frontend: container_name: frontend environment: diff --git a/docker-compose-pg.yml b/docker-compose-pg.yml index be5fc52e0..2336c9412 100644 --- a/docker-compose-pg.yml +++ b/docker-compose-pg.yml @@ -16,6 +16,21 @@ services: volumes: - ./db:/code/db + # huey: + # container_name: huey + # image: ghcr.io/intuitem/ciso-assistant-community/backend:latest + # restart: always + # environment: + # - ALLOWED_HOSTS=backend,localhost + # - DJANGO_DEBUG=False + # volumes: + # - ./db:/code/db + # entrypoint: + # - /bin/sh + # - -c + # - | + # poetry run python manage.py run_huey + frontend: container_name: frontend environment: diff --git a/docker-compose-prod.yml b/docker-compose-prod.yml index f71579b92..8576f8bcd 100644 --- a/docker-compose-prod.yml +++ b/docker-compose-prod.yml @@ -11,6 +11,21 @@ services: volumes: - ./db:/code/db + # huey: + # container_name: huey + # image: ghcr.io/intuitem/ciso-assistant-community/backend:latest + # restart: always + # environment: + # - ALLOWED_HOSTS=backend,localhost + # - DJANGO_DEBUG=False + # volumes: + # - ./db:/code/db + # entrypoint: + # - /bin/sh + # - -c + # - | + # poetry run python manage.py run_huey + frontend: container_name: frontend environment: 
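Review bot: The `huey` service is added as a fully commented-out block, and the same block is repeated in docker-compose-pg.yml, docker-compose-prod.yml, docker-compose-remote-api.yml, docker-compose-remote.yml and docker-compose-traefik.yml, so six copies of dead configuration now have to be kept in sync by hand. If the worker is not ready to be enabled, a one-line comment stating why and what tracks it (`# huey worker: disabled until <issue-id placeholder>; see backend/manage.py run_huey`) makes the intent clear; if it is, an opt-in `profiles: ["huey"]` entry on a live service keeps one definition per file that `docker compose --profile huey up` can exercise in CI. The block only sets `ALLOWED_HOSTS` and `DJANGO_DEBUG` while the backend service's environment is outside the hunk, so presumably the worker would also need the backend's database and secret settings before it is switched on; worth confirming.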
diff --git a/docker-compose-remote-api.yml b/docker-compose-remote-api.yml index c61695b75..64fa67f8e 100644 --- a/docker-compose-remote-api.yml +++ b/docker-compose-remote-api.yml @@ -11,6 +11,21 @@ services: volumes: - ./db:/code/db + # huey: + # container_name: huey + # image: ghcr.io/intuitem/ciso-assistant-community/backend:latest + # restart: always + # environment: + # - ALLOWED_HOSTS=backend,localhost + # - DJANGO_DEBUG=False + # volumes: + # - ./db:/code/db + # entrypoint: + # - /bin/sh + # - -c + # - | + # poetry run python manage.py run_huey + frontend: container_name: frontend environment: diff --git a/docker-compose-remote.yml b/docker-compose-remote.yml index cec4d86b1..9a12300db 100644 --- a/docker-compose-remote.yml +++ b/docker-compose-remote.yml @@ -11,6 +11,21 @@ services: volumes: - ./db:/code/db + # huey: + # container_name: huey + # image: ghcr.io/intuitem/ciso-assistant-community/backend:latest + # restart: always + # environment: + # - ALLOWED_HOSTS=backend,localhost + # - DJANGO_DEBUG=False + # volumes: + # - ./db:/code/db + # entrypoint: + # - /bin/sh + # - -c + # - | + # poetry run python manage.py run_huey + frontend: container_name: frontend environment: diff --git a/docker-compose-traefik.yml b/docker-compose-traefik.yml index 58b6b226d..23c952bde 100644 --- a/docker-compose-traefik.yml +++ b/docker-compose-traefik.yml @@ -22,6 +22,21 @@ services: networks: - front + # huey: + # container_name: huey + # image: ghcr.io/intuitem/ciso-assistant-community/backend:latest + # restart: always + # environment: + # - ALLOWED_HOSTS=backend,localhost + # - DJANGO_DEBUG=False + # volumes: + # - ./db:/code/db + # entrypoint: + # - /bin/sh + # - -c + # - | + # poetry run python manage.py run_huey + frontend: container_name: frontend restart: unless-stopped diff --git a/documentation/architecture/data-model.md b/documentation/architecture/data-model.md index 953f5a932..b94205a92 100644 --- a/documentation/architecture/data-model.md 
+++ b/documentation/architecture/data-model.md @@ -56,16 +56,19 @@ erDiagram ROOT_FOLDER ||--o{ USER_GROUP : contains ROOT_FOLDER ||--o{ ROLE : contains ROOT_FOLDER ||--o{ ROLE_ASSIGNMENT : contains + ROOT_FOLDER ||--o{ LABEL : contains ROOT_FOLDER_OR_DOMAIN ||--o{ EVIDENCE : contains ROOT_FOLDER_OR_DOMAIN ||--o{ REFERENCE_CONTROL : contains ROOT_FOLDER_OR_DOMAIN ||--o{ APPLIED_CONTROL : contains ROOT_FOLDER_OR_DOMAIN ||--o{ RISK_ACCEPTANCE : contains ROOT_FOLDER_OR_DOMAIN ||--o{ ASSET : contains ROOT_FOLDER_OR_DOMAIN ||--o{ THREAT : contains + ROOT_FOLDER_OR_DOMAIN ||--o{ VULNERABILITY : contains ROOT_FOLDER_OR_DOMAIN ||--o{ COMPLIANCE_ASSESSMENT : contains ROOT_FOLDER_OR_DOMAIN ||--o{ RISK_ASSESSMENT : contains DOMAIN { + string ref_id string name string description int version @@ -113,11 +116,16 @@ erDiagram RISK_ACCEPTANCE }o--o{ RISK_SCENARIO : covers RISK_ASSESSMENT_REVIEW }o--|| RISK_ASSESSMENT : reviews RISK_SCENARIO }o--o{ VULNERABILITY : exploits + VULNERABILITY }o--o{ APPLIED_CONTROL : is_fixed_by + USER }o--o{ RISK_SCENARIO : owns + USER }o--o{ APPLIED_CONTROL : owns + USER }o--o{ ASSET : owns PROJECT { + string ref_id string name string description - string internal_reference + string ref_id string status } @@ -138,6 +146,7 @@ erDiagram } COMPLIANCE_ASSESSMENT { + string ref_id string name string description @@ -148,16 +157,16 @@ erDiagram string status principal[] author principal[] reviewer - string[] tags string observation string[] selected_implementation_groups - int min_score - int max_score - json scores_definition + int min_score + int max_score + json scores_definition } RISK_ASSESSMENT { + string ref_id string name string description @@ -167,10 +176,8 @@ erDiagram string status principal[] author principal[] reviewer - string[] tags string observation - - string risk_assessment_method + boolean embedded } THREAT { 
@@ -184,16 +191,6 @@ erDiagram json translations } - VULNERABILITY { - string urn - string locale - string ref_id - string name - string description - string annotation - string provider - } - REQUIREMENT_NODE { string urn string locale @@ -226,6 +223,7 @@ erDiagram } APPLIED_CONTROL { + string ref_id string name string description @@ -237,9 +235,18 @@ erDiagram url link string effort float cost - string[] tags } + VULNERABILITY { + string ref_id + string name + string description + string status + int severity + json references + } + + REQUIREMENT_ASSESSMENT { string status string observation @@ -278,10 +285,12 @@ erDiagram ASSET { string name string description - string business_value string type asset parent_asset + url reference_link + json security_objectives + json disaster_recovery_objectives } RISK_SCENARIO { @@ -299,8 +308,7 @@ erDiagram string strength_of_knowledge string justification json qualifications - - principal[] owner + string threat_actor } RISK_ACCEPTANCE { 
@@ -354,357 +362,29 @@ erDiagram ``` -## Class diagram for IAM objects - -```mermaid -classDiagram -direction RL - -AbstractBaseModel <|-- NameDescriptionMixin -NameDescriptionMixin <|-- Folder -NameDescriptionMixin <|-- UserGroup -FolderMixin <|-- UserGroup -FolderMixin <|-- User -AbstractBaseModel <|-- User -AbstractBaseUser <|-- User -NameDescriptionMixin <|-- Role -FolderMixin <|-- Role -NameDescriptionMixin <|-- RoleAssignment -FolderMixin <|-- RoleAssignment - -class AbstractBaseModel{ - +UUIDField id - +DateTimeField created_at - +DateTimeField updated_at - +BooleanField is_published - +scoped_id() UUID - +display_path() str - +display_name() str - +edit_url() str - +get_scope() Folder - +clean() - +save() -} - -class NameDescriptionMixin{ - +CharField name - +CharField description -} - -class Folder { - +CharField content_type - +Folder parent_folder - +booleanField builtin - +subfolders() Folder[] - +get_parent_folders() Folder[] - +get_folder() Folder$ -} - -class FolderMixin { - +Folder folder -} - -class UserGroup { - +booleanField builtin - +get_name_display() str -} - -class User { - +CharField last_name - +CharField first_name - +CharField email - +BooleanField first_login - +BooleanField is_active - +DateTimeField date_joined - +BooleanField is_superuser - +UserGroup[] user_groups - +get_full_name() str - +get_short_name() str - +mailing() - +has_backup_permission() bool - +edit_url() str - +username() str - +permissions() -} - -class Role { - +Permission[] permissions - +booleanField builtin -} - -class RoleAssignment { - +Folder[] perimeter_folders - +User user - +UserGroup user_group - +Role role - +BooleanField is_recursive - +BooleanField builtin - - +is_access_allowed(user, perm, folder) bool$ - +get_accessible_folders(folder, user, content_tupe, codename) Folder[]$ - +get_accessible_object_ids(folder, user, object_type) UUID[]$ - +is_user_assigned(user) bool - +get_role_assignments(user) RoleAssignment[]$ - +get_permissions(user) 
Permission[]$ - +has_role(user, role) bool$ -} +### Labels -``` +All objects can be linked to user-defined labels. Labels are simple strings with no blank, regex r"\w{0:36}". -## Class diagram for general objects +Labels are attached to the root folder. They can be read by everyone, added by any contributor, and modified or deleted only by global administrators. ```mermaid -classDiagram -direction RL - -NameDescriptionMixin <|-- RiskScenario -AbstractBaseModel <|-- NameDescriptionMixin -NameDescriptionMixin <|-- ReferentialObjectMixin -FolderMixin <|-- ReferentialObjectMixin -ReferentialObjectMixin <|-- Threat -ReferentialObjectMixin <|-- ReferenceControl -ReferentialObjectMixin <|-- RiskMatrix -ReferentialObjectMixin <|-- Framework -ReferentialObjectMixin <|-- RequirementNode -ReferentialObjectMixin <|-- Mapping -ReferentialObjectMixin <|-- LibraryMixin -LibraryMixin <|-- StoredLibrary -LibraryMixin <|-- LoadedLibrary -NameDescriptionMixin <|-- Assessment -FolderMixin <|-- Project -NameDescriptionMixin <|-- Project -FolderMixin <|-- Asset -NameDescriptionMixin <|-- Asset -FolderMixin <|-- Evidence -NameDescriptionMixin <|-- Evidence -FolderMixin <|-- AppliedControl -NameDescriptionMixin <|-- AppliedControl -FolderMixin <|-- RiskAcceptance -NameDescriptionMixin <|-- RiskAcceptance -AppliedControl <|-- Policy -Assessment <|-- RiskAssessment -Assessment <|-- ComplianceAssessment -AbstractBaseModel <|-- RequirementAssessment -FolderMixin <|-- RequirementAssessment - -namespace ReferentialObjects { - class ReferentialObjectMixin { - +CharField urn - +CharField ref_id - +CharField locale - +CharField provider - +CharField annotation - +display_short() str - +display_long() str - } - - class LibraryMixin { - +CharField copyright - +IntegerField version - +CharField provider - +CharField packager - +JsonField dependencies - +BooleanField builtin - +JSONField objects_meta - } - - class StoredLibrary { - +BooleanField is_loaded - +CharField hash_checksum - +TextField 
content - } - - class LoadedLibrary { - +LoadedLibrary[] dependencies - +reference_count() int - } - - class Threat { - +LoadedLibrary library - +is_deletable() bool - +frameworks() Framework[] - } - - class ReferenceControl { - +LoadedLibrary library - +CharField category - +CharField csf_function - +JSONField typical_evidence - +is_deletable() bool - +frameworks() Framework[] - } - - class RiskMatrix { - +LoadedLibrary library - +JSONField json_definition - +BooleanField is_enabled - +CharField provider - +is_used() bool - +risk_assessments() RiskAssessment[] - +projects() Project[] - +parse_json() - +get_detailed_grid() - +render_grid_as_colors() - } - - class Framework { - +LoadedLibrary library - +int get_next_order_id(obj_type, _parent_urn) - +is_deletable() bool - } - - class RequirementNode { - +Threat[] threats - +ReferenceControl[] REFERENCE_CONTROLs - +Framework framework - +CharField parent_urn - +IntegerField order_id - +json implementation_groups - +BooleanField assessable - } - - class Mapping { - +CharField reference_urn - +CharField target_urn - +CharField rationale - +CharField relationship - +BooleanField fulfilled_by - +IntegerField strength - } -} - -namespace DomainObjects { - - class Project { - +CharField internal_reference - +CharField lc_status - +overall_compliance() - } - - class Asset { - +CharField business_value - +CharField type - +Asset[] parent_assets - +is_primary() bool - +is_support() bool - +ancestors_plus_self() Asset[] - } - - class Evidence { - +FileField attachment - +URLField link - +get_folder() Folder - +filename() str - +preview() - } - - class AppliedControl { - +ReferenceControl REFERENCE_CONTROL - +Evidence[] evidences - +CharField category - +CharField csf_function - +CharField status - +DateField eta - +DateField expiry_date - +CharField link - +CharField effort - +Decimal cost - - +RiskScenario[] risk_scenarios() - +RiskAssessments[] risk_assessments() - +Project[] projects() - +Project parent_project() - +mid() - 
+csv_value() - +get_ranking_score() int - +get_html_url() str - +get_linked_requirements_count() int - } - - class RiskAcceptance { - +RiskScenario[] risk_scenarios - +User approver - +CharField state - +DateField expiry_date - +DateTimeField accepted_at - +DateTimeField rejected_at - +DateTimeField revoked_at - +CharField justification - +get_html_url() str - +set_state(state) +erDiagram + ANY_USER_DEFINED_OBJECT }o--o{ LABEL : has_label + + LABEL { + string label } -} - -class Assessment { - +TextChoices Status - +Project project - +CharField version - +CharField status - +CharField authors - +CharField reviewers - +DateField eta - +DateField due_date -} - -class RiskAssessment { - +RiskMatrix risk_matrix - +path_display() str - +get_scenario_count() int - +quality_check() - +risk_scoring(probability, impact, risk_matrix) int -} - - -class ComplianceAssessment { - +Framework framework - +CharField result - +get_requirements_status_count() int - +get_measures_status_count() int - +donut_render() - +quality_check() -} - -class RequirementAssessment { - +CharField status - +Evidence[] evidences - +TextField observation - +ComplianceAssessment compliance_assessment - +RequirementNode requirement - +AppliedControl[] APPLIED_CONTROLs -} +``` -class RiskScenario { - +RiskAssessment risk_assessment - +Asset[] assets - +AppliedControl[] APPLIED_CONTROLs - +Threat[] threats - +TextField existing_controls - +SmallIntegerField current_proba - +SmallIntegerField current_impact - +SmallIntegerField current_level - +SmallIntegerField residual_proba - +SmallIntegerField residual_impact - +SmallIntegerField residual_level - +CharField treatment - +CharField strength_of_knowledge - +CharField justification - - +Project parent_project() - +RiskMatrix get_matrix() - +get_current_risk(s) int - +get_current_impact() int - +get_current_proba() int - +get_residual_risk() int - +get_residual_impact() int - +get_residual_proba() int - +rid() -} +In all views and analytics, a filter on 
label shall be displayed. -``` +Note: in MVP, labels are attached only to vulnerabilities. ## Global fields All models have the following fields: + - created_at: the date when the object has been created. - modified_at: the date when the object has been lastly modified. 
@@ -715,26 +395,80 @@ Projects are fundamental context objects defined by the entity using CISO Assist The domain is the fundamental perimeter for access control. All objects, in particular domains, within a domain, have consistent access rights. If this granularity is not sufficient, the entity shall define new domains. Note: the IAM model is based on folders. A folder has a type among: + - ROOT: the root folder, which is also called "global domain". - DOMAIN: a user-defined domain. - ENCLAVE: a invisible folder used to confine the actions of a third party. Projects have the following fields: + +- ref_id (ex internal reference) - Name - Description -- Internal reference - Status: --/Design/Development/Production/End of life/Dropped -## Assets +## Assets, security and disaster recovery objectives Assets are context objects defined by the entity using CISO Assistant. They are optional, assessments can be done without using them. -Assets are of type primary or support. A primary asset has no parent, a support asset can have parent assets (primary or support), but not itself. +Assets are of type primary or supporting. A primary asset has no parent, a supporting asset can have parent assets (primary or supporting), but not itself. + +Primary assets have security objectives that are evolutive, so they are catched in a json field. + +Security objectives are specific goals or requirements that an organization, system, or process aims to achieve in order to ensure its security and protect its primary assets. + +There is a global parameter that defines a list of security objectives with a corresponding scale and a corresponding boolean allowing to select or hide a security objective. The following security objectives are pre-defined: + + ref_id | Name | Description | default scale | default select value +--------|----------------------------|-------------|---------------|--------------------- + C | Confidentiality | ... | 1-4 | True + I | Integrity | ... 
| 1-4 | True + A | Availability | ... | 1-4 | True + P | Proof | ... | 1-4 | True + Auth | Authenticity | ... | 1-4 | False + Priv | Privacy | ... | 1-4 | False + Safe | Safety | ... | 1-4 | False + +The following disaster recovery objectives (measured in seconds) are pre-defined: + + ref_id | Name | Description +--------|----------------------------|------------ + RTO | Recovery Time Objective | ... + RPO | Recovery Point Objetive | ... + MTD | Maximum Tolerable Downtime | ... + +In a future version, users will be able to define custom security objectives. + +Security objectives are measured using a specifc scale. For now, the following scales are defined: +- 0-3: coded as 0-3 +- 1-4: coded as 0-3 +- FIPS-199: coded as 0-3 + +There is a correspondance between the 0-3, 1-4 and FIPS-199 scales (called "discrete scales"): + +scale | internal value | scale value +---------|----------------|--------------- +0-3 | 0 | 0 +0-3 | 1 | 1 +0-3 | 2 | 2 +0-3 | 3 | 3 +1-4 | 0 | 1 +1-4 | 1 | 2 +1-4 | 2 | 3 +1-4 | 3 | 4 +FIPS-199 | 0 | low +FIPS-199 | 1 | moderate +FIPS-199 | 2 | moderate +FIPS-199 | 3 | high + +Security objectives can be evaluated for each asset. The default value is Null. The corresponding json field is composed of a list of tuples {security_objective_ref_id, value}. + +When a security objective is hidden in the global parameters, it is simply not proposed for new edition. However, a security objective that is already used in an asset is kept and editable even if it is hidden globally. Thus, when selecting or hiding a security objective, no value is changed in asset. ## Frameworks The fundamental object of CISO Assistant for compliance is the framework. It corresponds to a given standard, e.g. ISO27001:2013. It mainly contains requirements nodes. A requirement node can be assessable or not (e.g. title or informational elements are not assessable). Assessable requirement nodes can be simply called "requirements". 
-The structure (tree) of requirements is defined by the requirement node objects. The *parent_urn* of a requirement node can either be the URN of another requirement node or null for top-level objects. This allows to simply define the structure of a framework. An assessable requirement node can be the child of another assessable requirement node, which is very convenient for frameworks that have lists of conditions attached to a requirement. +The structure (tree) of requirements is defined by the requirement node objects. The _parent_urn_ of a requirement node can either be the URN of another requirement node or null for top-level objects. This allows to simply define the structure of a framework. An assessable requirement node can be the child of another assessable requirement node, which is very convenient for frameworks that have lists of conditions attached to a requirement. The implementation_groups field contains a comma-separated list of implementation groups where the requirement node is found, when this is relevant (e.g. for CMMC or CIS). Implementation groups are identified by their ref_id string. Implementation groups are independent, a requirement can be member of any implementation group. Implementation groups are defined in the implementation_groups_definition json field (None by default), that contains a list of objects containing the following fields (example for CMMC): 
@@ -770,11 +504,24 @@ Threats are referential objects used to clarify the aim of a requirement node or ## Vulnerabilities -Vulnerabilities are referential objects used to clarify a risk scenario and to follow remediations. They are informative, risk assessments can be realised without using them. Well-known providers are NVD and CISA KEV, but custom vulnerabilities can also be defined, e.g. to point a weakness in an internal process. +Vulnerabilities are used to clarify a risk scenario and to follow remediations, e.g. after a pentest. They are informative, risk assessments can be realised without using them. Reference to CVE, CISA KEV or any other catalog can be done in the references field, but this is not mandatory. Therefore, custom vulnerabilities can also be defined, e.g. to point a weakness in an internal process. + +Vulnerabilities have a status among the following values: --/potential/exploitable/mitigated/fixed. + +The format of the references field is list of the following objects (* for mandatory): +- string ref_id (*) +- url reference_link +- boolean is_cve +- boolean is_kev +- ... + +The UX shall facilitate the proper edition of references. + +Vulnerabilities also have a ref_id (defaults to empty string), a name, a description, and a severity within values --/low/medium/high/critical (coded as an integer from -1 to 3). ## Reference controls -Reference controls are templates for Applied controls. They facilitate the creation of a applied control, and help to have consistent Applied controls. They are not mandatory to create a applied control, but recommended. +Reference controls are templates for Applied controls. They facilitate the creation of a applied control, and help to have consistent Applied controls. They are not mandatory to create a applied control, but recommended. Reference controls have a category within the following possibilities: --/Policy/Process/Technical/Physical. 
@@ -784,7 +531,8 @@ Reference controls have a csf_function within the following possibilities: --/Go Applied controls are fundamental objects for compliance and remediation. They can derive from a reference control, which provides better consistency, or be independent. -A applied control has the following specific fields: +A applied control has the following specific fields: + - a category (same as reference controls) - a csf_function (same as reference controls) - a status (--/planned/active/inactive) @@ -793,7 +541,6 @@ A applied control has the following specific fields: - an effort (--/S/M/L/XL) - a cost (--/float value) - a url link -- a list of user-defined tags When a applied control derives from a reference control, the same category and csf_function are proposed, but this can be changed. @@ -802,6 +549,7 @@ Costs are measured in a global currency/multiple that is defined in global setti ## Compliance and risk assessments Both types of assessments have common fields: + - a name - a description - a version (defined by the analyst) 
@@ -810,11 +558,10 @@ Both types of assessments have common fields: - a status: (--/planned/in progress/in review/done/deprecated) that facilitates reporting. - a list of authors - a list of reviewers -- a list of user-defined tags -An assessment review can be asked. When at least one principal is defined, the *done* status can only be set if a representant of each principal has reviewed and validated the assessment. +An assessment review can be asked. When at least one principal is defined, the _done_ status can only be set if a representant of each principal has reviewed and validated the assessment. -When the assessment status goes from *in progress* to *in review*, each defined reviewer is notified of the review request. +When the assessment status goes from _in progress_ to _in review_, each defined reviewer is notified of the review request. A review is deprecated if the assessment is changed. A warning shall be displayed to avoid doing that by error. The state of a review can be: created/submitted/validated/changes requested/deprecated @@ -824,11 +571,11 @@ The state of a review can be: created/submitted/validated/changes requested/depr When a compliance assessment is created, each requirement of the corresponding framework is linked to a requirement assessment object. To cover a requirement, the assessor shall link it to Applied controls. Here are the specific fields for requirement assessments: + - result: --/compliant/partially compliant/non-compliant/not applicable - score: --/. - a status: (todo/in progress/in review/done) that facilitates reporting. - The compliance assessment score is a read-only field which is calculated when at least one requirement assessment is scored. We calculate the average of scored requriement assessments (ignoring requirement assessments with an undefined score or with status not-applicable). Requirement assessments can have attached evidences. An evidence contains a name, a description, an attached file, a url link. 
@@ -841,6 +588,7 @@ For the sake of performance, when a change is done on the selected implementatio Note: the selection is persistent, and used in particular for reporting and analytics. The UX could provide dynamic capacity to show or hide implementation groups independently of the selection (e.g. a button "show unselected requirements"). Compliance assessments have a score scale (min_score, max_score, score definition) that is inherited from the corresponding framework. But it is possible during the creation of the assessment to specify another score scale. The following hardcoded score scales are proposed as an alternative: + - percentage (0-100%, no score definition) - CMMI (1-5, Initial/Managed/Defined/Quantitatively Managed/Optimizing) - 0-5 (0-5, no score definition) @@ -853,6 +601,7 @@ Requirement mapping sets are referential objects that describe relations between A requirement mapping set contains a unique specific attribute in json format called mapping_rules. A mapping_rules is a list of elements containing: + - a source requirement URN - a target requirement URN - a rationale giving the explanation for why a Source Document Element and a Target Document Element are related. This will be syntactic, semantic, or functional. @@ -862,6 +611,7 @@ A mapping_rules is a list of elements containing: Requirement mapping rules are used to automatically generate a draft compliance assessment for a target framework, given existing source assessments. The following inference rules are used: + - there is an order relation in results: compliant > non-compliant minor > non-compliant major - N/A or -- in source makes the mapping not usable. - when several mappings exist for a target requirement, the strongest inference result is used to determine the compliance result. 
@@ -873,15 +623,20 @@ The following inference rules are used: A risk assessment is based on scenarios, covered by Applied controls. Gathering the risk scenarios constitutes the "risk identification" phase. -A risk assessment has an *risk_assessment_method* field that can take the following values: 0 (risk matrix)/1 (Open FAIR). This cannot be changed once the risk assessment is created. Similarly, the risk matrix cannot be changed once the risk assessment is created. -To analyse the risk, each scenario contains Existing Controls, current probability and impact, proposed controls, residual probability and impact. To facilitate using an assistant to estimate probability and impact, or for advanced methods like openfair, the json fields *current_risk_vector* and *residual_risk_vector* are aimed at keeping the data used to calculate to the estimation. +The risk matrix cannot be changed once the risk assessment is created. + +A risk assessment has an _risk_assessment_method_ field that can take the following values: 0 (risk matrix)/1 (Open FAIR). This cannot be changed once the risk assessment is created. Similarly, the risk matrix cannot be changed once the risk assessment is created. + +To analyse the risk, each scenario contains Existing Controls, current probability and impact, proposed controls, residual probability and impact. To facilitate using an assistant to estimate probability and impact, or for advanced methods like openfair, the json fields _current_risk_vector_ and _residual_risk_vector_ are aimed at keeping the data used to calculate to the estimation. A risk scenario contains a treatment option with the values --/open/mitigate/accept/avoid/transfer A risk scenario also contains a "strength of knowledge", within the values --/0 (Low)/1 (Medium)/2 (High). This can be used to represent a third dimension of risk, as recommended by the Society for Risk Analysis. The field "justification" can be used to expose the knowledge. 
-A risk scenario also contains a "qualification" field, containing an array with the following possible values: Confidentiality, Integrity, Availability, Authenticity, Reputation, Operational, Legal, Financial. The qualification can cover none, one or several of the values. +A risk scenario also contains a "qualification" field, containing an array with the following possible values: Confidentiality, Integrity, Availability, Proof, Authenticity, Privacy, Safety, Reputation, Operational, Legal, Financial. The qualification can cover none, one or several of the values. + +Note: the list of qualifications is a superset of security objectives. The risk evaluation is automatically done based on the selected risk matrix. 
@@ -895,32 +650,56 @@ The definition JSON field has the following format: { "type": "risk_matrix", "fields": { - "probability" : [ - {"abbreviation": "L", "name": "Low", "description": "Unfrequent event"}, - {"abbreviation": "M", "name": "Medium", "description": "Occasional event"}, - {"abbreviation": "H", "name": "High", "description": "Frequent event"} - ], - "impact": [ - {"abbreviation": "L", "name": "Low", "description": "<100k$"}, - {"abbreviation": "M", "name": "Medium", "description": "between 100 to 1000k$"}, - {"abbreviation": "H", "name": "High", "description": ">1000k$"} - ], - "risk": [ - {"abbreviation": "L", "name": "Low", "description": "acceptable risk", "hexcolor": "#00FF00"}, - {"abbreviation": "M", "name": "Medium", "description": "risk requiring mitigation within 2 years", "hexcolor": "#FFFF00"}, - {"abbreviation": "H", "name": "High", "description": "unacceptable risk", "hexcolor": "#FF0000"} - ], - "grid": [ - [1, 2, 2], - [0, 1, 2], - [0, 0, 1]] + "probability": [ + { "abbreviation": "L", "name": "Low", "description": "Unfrequent event" }, + { + "abbreviation": "M", + "name": "Medium", + "description": "Occasional event" + }, + { "abbreviation": "H", "name": "High", "description": "Frequent event" } + ], + "impact": [ + { "abbreviation": "L", "name": "Low", "description": "<100k$" }, + { + "abbreviation": "M", + "name": "Medium", + "description": "between 100 to 1000k$" + }, + { "abbreviation": "H", "name": "High", "description": ">1000k$" } + ], + "risk": [ + { + "abbreviation": "L", + "name": "Low", + "description": "acceptable risk", + "hexcolor": "#00FF00" + }, + { + "abbreviation": "M", + "name": "Medium", + "description": "risk requiring mitigation within 2 years", + "hexcolor": "#FFFF00" + }, + { + "abbreviation": "H", + "name": "High", + "description": "unacceptable risk", + "hexcolor": "#FF0000" + } + ], + "grid": [ + [1, 2, 2], + [0, 1, 2], + [0, 0, 1] + ] } } ``` ## Risk acceptance -A risk acceptance can be asked on a list of 
scenarios that are part of validated risk assessments (assessment in the *done* state with at least one reviewer). It is directed to an approver that should be the risk owner. +A risk acceptance can be asked on a list of scenarios that are part of validated risk assessments (assessment in the _done_ state with at least one reviewer). It is directed to an approver that should be the risk owner. The state of a risk acceptance can be: created/submitted/accepted/rejected/revoked @@ -931,9 +710,9 @@ Once a risk acceptance is active, the correponding risk assessments are frozen. ## Libraries Libraries can contain: + - frameworks (including requirement nodes) - threats -- vulnerabilities - reference controls - risk matrices - requirement mapping sets @@ -947,10 +726,10 @@ Libraries have a URN to uniquely identify them. Libraries have a locale that describes the main locale for the whole content of the library. Libraries have an integer version that completes the URN. The highest version for a given URN shall always be privileged. So: + - a library loading is performed if and only if there is no greater or equal version already loaded, for the same urn. - if a breaking change is necessary, the URN should be changed. - Libraries have a provider (which entity produced the original content), and a packager (which entity did the library). Objects in the library inherit their provider from the library's. Libraries can depend on other libraries, thanks to the "dependencies" section, that contains a list of URNs. When loading a library, CISO Assistant first loads the dependent libraries. If a dependency is missing, the loading is cancelled. 
@@ -961,10 +740,11 @@ Deleting a library is possible only if none of its objects is currently used. Re ## Referential objects -Frameworks (including requirement nodes), mappings, threats, vulnerabilities, reference controls and risk matrices are called "referential objects", as they constitute the basis of an assessment. +Frameworks (including requirement nodes), mappings, threats, reference controls and risk matrices are called "referential objects", as they constitute the basis of an assessment. Referential objects can be downloaded from a library. They are called "global referential objects" or "library objects" in that case, and they have the following characteristics: -- they have a non-null URN identifier *urn* of the form: ```urn:intuitem:::[:]```. Client-defined URNs are also possible. The framework part is present for items that are part of a framework. + +- they have a non-null URN identifier _urn_ of the form: `urn:intuitem:::[:]`. Client-defined URNs are also possible. The framework part is present for items that are part of a framework. - they are read-only in the database once imported. They can be removed only by removing the corresponding library. - they are attached to the root folder. - Everyone has the right to read them, they are "published" to all domains. 
@@ -972,11 +752,13 @@ Referential objects can be downloaded from a library. They are called "global re - They have a link to their library. Conversely, a referential object with a null URN is called a "local referential object" has the following characteristics: + - it is created by a user in a given domain (not in the root folder) - it can be edited with proper permission. - The URN cannot be edited and is hidden. Referential objects have the following optional fields: + - ref_id: reference used in the standard for this object (e.g. A.5.5). - annotation: provided by the library packager or the user to clarify the meaning of the object. They can be used for search, and are displayed when available. - provider: describes where the object comes from, e.g. ISO, NIST, CIS, MITRE ATT&CK... @@ -994,9 +776,10 @@ The library_manager role will be defined to manage library objects. ## Referential objects translation -Referential objects translations are contained inside a JSON called previously *translations*. The translation takes place directly inside the yaml at the point where the object is defined. +Referential objects translations are contained inside a JSON called previously _translations_. The translation takes place directly inside the yaml at the point where the object is defined. Example: + ```yaml { - urn: urn:intuitem:risk:req_node:iso27001-2022:4 @@ -1013,9 +796,10 @@ Example: } ``` -Everything in the library can be translated, from the library itself to the the last object. To specify that the library is available in a language other than the default one, *translations* field has to be filled for the language(s) concerned. +Everything in the library can be translated, from the library itself to the the last object. To specify that the library is available in a language other than the default one, _translations_ field has to be filled for the language(s) concerned. Example: + ```yaml { urn: urn:intuitem:risk:library:iso27001-2022 
@@ -1047,6 +831,7 @@ All objects in CISO Assistant follow a simple and consistent RBAC IAM model, inc There are two dimensions: rights and perimeter. There granularity of rights is mapped on Django convention: + - Add - View - Change @@ -1059,6 +844,7 @@ Practically, the Add, Change or Delete permissions require the View permission. The perimeter for access control is based on the folder concept, with all its content, including subfolders. Boolean parameters allow a finer-grain definition of the perimeter, as will be seen later. Practically, the perimeter is either: + - global, corresponding to the root folder - a domain, corresponding to a folder of level 1. @@ -1067,18 +853,19 @@ Practically, the perimeter is either: For Access Control purpose, CISO Assistant data is organized in a tree of folders, starting from a root folder. The organization of the tree is not hardcoded, it is entirely determined by configuration. Any object in CISO Assistant is attached to a folder (including folders), either directly or indirectly through a parent object that is attached to a folder. The root folder is attached to None. A folder contains the following attributes: + - name: the short name given to the folder - description: a longer description of the folder - contentType: an enum representing the type of content. Currently GLOBAL and DOMAIN. This parameter is aimed at adjusting the UI depending of the type of content. - folder: the parent folder. None for root folder. Currently, the folder organization is as follows: + - The root folder has contentType=GLOBAL. - The root folder can only contain referential objects. - There is only one level of subfolders, each subfolder with contentType=DOMAIN. - Folders are not displayed as such, they are visible only to the programmer. - ### Roles and role assignments To simplify access control, we use a RBAC model. 
@@ -1093,14 +880,15 @@ To simplify access control, we use a RBAC model. | Risk approver | like reader, but with additional capability to approve risk acceptances | | Reviewer | like reader, but with additional capability to review assessments. | - Note: a DJANGO superuser is given administrator rights automatically on startup. Principals are either: + - users - group of users Role assignements are described as a table containing the following attributes: + - user: the user that receives the role assignment (can be None) - user_group: the group that receives the role assignment (can be None) - role: the role assigned to the principal @@ -1135,6 +923,7 @@ The goal of Third-Party Risk Management is to manage the risk incurred by a prov ### Retained approach The following approach has been retained: + - An "entity" model is added to modelize third parties in a generic way. - A third party is an entity that is provider of the entity representing the client using CISO Assistant. - An evaluation of a third party is based on a compliance assessment, to leverage a huge amount of existing models and code. @@ -1170,15 +959,6 @@ erDiagram url reference_link } - ASSET { - string name - string description - string business_value - string type - string security_need - asset parent_asset - } - SOLUTION { string name string description @@ -1203,7 +983,6 @@ erDiagram string status principal[] author principal[] reviewer - string[] tags string observation string conclusion @@ -1246,6 +1025,7 @@ erDiagram #### Entity An entity represents a legal entity, a corporate body, an administrative body, an association. An entity can be: + - the main subject for the current CISO Assistant instance ("main entity"). - a subisdiary of another entity. - a provider of another entity. 
@@ -1265,11 +1045,12 @@ An entity assessment is based on a questionnaire/compliance assessment, and/or o Typically, the main entity can use the requirement group selector to tailor the questionnaire before sending it to the third-party, then a self-assessment is done by the provider, then a review is done by the main entity. An entity assessment has the following specific fields: - - conclusion: --|blocker|warning|ok|N/A - - penetration: as defined by ebios RM - - dependency: as defined by ebios RM - - maturity: as defined by ebios RM - - trust: as defined by ebios RM + +- conclusion: --|blocker|warning|ok|N/A +- penetration: as defined by ebios RM +- dependency: as defined by ebios RM +- maturity: as defined by ebios RM +- trust: as defined by ebios RM #### Solution @@ -1309,7 +1090,7 @@ There is no link between representatives (modeling of the ecosystem) and users o - Add a "contract" category - Add a foreign key "contract" to point to a contract -The foreign key contract shall be non-null only if the category is set to "contract". The UX shall reflect this constraint. +The foreign key contract shall be non-null only if the category is set to "contract". The UX shall reflect this constraint. Note: in the future, we will use the same approach for policies. @@ -1318,6 +1099,7 @@ Note: in the future, we will use the same approach for policies. The format for question and answer json fields will evolve over time. The initial format is the following: - question: + ```json { "question": { 
@@ -1341,3 +1123,220 @@ The objects manipulated by the third party (compliance assessment and evidences) - The change in applied control is not retained. - implementation_group_selector is not retained. - ebios-RM parameters are not retained. + +## Near-term evolutions + +We need to add in the near term the follwoing objects: +- EBIOS-RM study +- Audit campaign +- Third-party campaign +- Pentest follow-up +- Incident follow-up + +Each of these objects will have its specific datamodel. Factoring will be done ad-hoc. + +## EBIOS-RM evolution + +### Mapping of essential concepts + +EBIOS-RM (english) | EBIOS-RM (french) | CISO Assistant +----------------------|-------------------------|---------------- +Study | Etude | Bundle +Studied object | Objet de l'étude | Description of the bundle +Mission | Mission | Mission of the reference entity added to the bundle +Business asset | Valeurs métier | Primary asset +Supporting asset | Bien support | Supporting asset +Feared event | Evénement redouté | Risk analysis at asset level +Impact | Impact | Impact in a risk analysis +Security baseline | Socle de sécurité | Compliance frameworks and audits +Risk origins | Sources de risque | TBD +Target objectives | Objectifs visés | TBD +Ecosystem | Ecosystème | Third Party Risk Management +Strategic scenarios | Scénarios stratégiques | Risk analysis at strategic level (focus on impact) +Security controls | Mesures de sécurité | Reference/applied controls +Operational scenarios | Scénarios opérationnels | Risk analysis at operational level (focus on probability) +Risk treatment | Traitement du risque | Applied controls in a risk analysis + +### EBIOS-RM study + +The type EBIOS-RM study is a sort of assessment. 
It contains the following specific fields: +- reference risk matrix (chosen at creation and immutable after creation) +- ref_id +- name of the study +- description of the study +- reference entity +- a list of primary assets and corresponding secondary assets (workshop 1) +- a list of audits for the security baseline (workshop 1) +- a list of feared events (workshop 1) +- a list of risk_origin_target_objective (workshop 2) +- a list of ecosystem entities (workshop 3) +- a list of strategic scenarios/attack paths (workshop 3) +- a list of opeating scenarios (workshop 4) +- a resulting risk assessment (workshop 5) + +The object feared events (workshop 1) contains the following fields: +- primary asset +- ref_id +- name +- description +- list of impact qualifications +- gravity (from the risk matrix impact scale) +- selected +- justification + +The object risk_origin_target_objective (workshop 2) contains the following fields: +- risk origin (--/state/organized crime/terrorist/activist/professional/amateur/avenger/pathological/) +- target objective (text) +- motivation (--/1 very low/2 low/3 significant/4 strong) (--/très peu/peu/assez/fortement motivé) +- resources (--/1 limited/2 significant/3 important/4 unlimited) (--/limitées/significatives/importantes/illimitées) +- pertinence (--/1 Irrelevant/2 partially relevant/3 fairly relevant/4 highly relevant) (--/peu pertinent/moyennement pertient/plutôt pertinent/très pertinent) +- activity (--/1/2/3/4) +- selected +- justification + +The object ecosystem entity (workshop 3) links to a TPRM entity, and contains the following fields: +- category (provider/partner/client/...) 
+- third-party entity from TPRM (optional) +- Dependence +- Penetration +- Cyber maturity +- trust +- selected +- justification + +The object strategic attack path (workshop 3) contains the following fields: +- risk_origin_target_objective +- description +- affected ecosystem entities +- intial threat level +- Controls +- residual threat level +- selected +- justification + +THe object operational scenario (workshop 4) contains the following fields: +- strategic attack path +- list of techniques/threats (typically from Mitre Att@ck) +- description +- likelihood +- selected +- justification + +The frontend for risk study shall propose the following steps: +- workshop 1: framing and security baseline (cadrage et socle de sécurité) + - define the study, the reference entity and its mission + - select/define primary assets ("valeurs métier") + - the nature "process" or "information" can be defined as a label + - select/define secondary assets ("biens support") + - define feared events + - list of reference audits +- workshop 2: risk origin/target objectives (sources de risque) + - define risk_origin_target_objective objects +- workshop 3: + - list of ecosystem entities + - list of strategic scenarios/attack paths +- workshop 4: operational scenarios + - list of operational scenarios +- workshop 5: risk treatment + - The risk assessment is generated from workshop 4, thanks to a dedicated button. When the risk assessment is generated again, automatic versioning is applied, and mitigations can be copied on demand (based on ref_id of operational scenarios). + - After generation, a risk assessment is fully editable, to allow customisation, and the risk assessment can be managed normally as any other risk assessment. + - risk treatment is based on the risk assessment. 
+ + +```mermaid +erDiagram + DOMAIN ||--o{ EBIOS_RM_STUDY : contains + DOMAIN ||--o{ ECOSYSTEM_ENTITY : contains + DOMAIN ||--o{ OPERATIONAL_SCENARIO : contains + DOMAIN ||--o{ FEARED_EVENT : contains + DOMAIN ||--o{ RO_TO : contains + DOMAIN ||--o{ ATTACK_PATH : contains + +``` + +```mermaid +erDiagram + + ATTACK_PATH }o--|| RO_TO : derives + RO_TO }o--|{ FEARED_EVENT : corresponds_to + EBIOS_RM_STUDY }o--o{ RO_TO : contains + EBIOS_RM_STUDY }o--o{ ECOSYSTEM_ENTITY : contains + EBIOS_RM_STUDY }o--o{ OPERATIONAL_SCENARIO : contains + EBIOS_RM_STUDY }o--o{ FEARED_EVENT : contains + EBIOS_RM_STUDY }o--o{ ATTACK_PATH : contains + EBIOS_RM_STUDY }o--o| ENTITY : studies + EBIOS_RM_STUDY }o--o{ COMPLIANCE_ASSESSMENT: leverages + EBIOS_RM_STUDY }o--|| RISK_MATRIX : leverages + EBIOS_RM_STUDY }o--o{ RISK_ASSESSMENT : generates + OPERATIONAL_SCENARIO }o--|| ATTACK_PATH : derives + OPERATIONAL_SCENARIO }o--o{ THREAT : leverages + ATTACK_PATH }o--o{ ECOSYSTEM_ENTITY : uses + ATTACK_PATH }o--o{ APPLIED_CONTROL : mitigated_by + ECOSYSTEM_ENTITY }o--|| ENTITY : qualifies + + EBIOS_RM_STUDY { + string ref_id + string name + string description + + string version + date eta + date due_date + string status + principal[] author + principal[] reviewer + string observation + } + + FEARED_EVENT { + string ref_id + string name + string description + json qualifications + int gravity + bool selected + bool justification + } + + RO_TO { + string risk_origin + string target_objective + int motivation + int resources + int pertinence + int activity + bool selected + bool justification + } + + ECOSYSTEM_ENTITY { + string category + int dependence + int penetration + int maturity + int trust + bool selected + bool justification + } + + ATTACK_PATH { + string description + int intial_threat_level + int residual_threat_level + bool selected + bool justification + } + + OPERATIONAL_SCENARIO { + string description + int likelihood + bool selected + string justification + } + +``` + +### 
Implementation
+
+EBIOS-RM objects are defined within a dedicated Django "application" ebios_rm.
+
diff --git a/enterprise/LICENSE.md b/enterprise/LICENSE.md
new file mode 100644
index 000000000..a53638542
--- /dev/null
+++ b/enterprise/LICENSE.md
@@ -0,0 +1,47 @@ +# Intuitem Commercial License + +## Preamble +Usage of files in this directory and its subdirectories, and of **CISO Assistant PRO** and **Enterprise** features, is governed by the terms set forth in the Intuitem Commercial License below. A valid license from Intuitem is required for any authorized use. + +Access to files in this directory and its subdirectories does not constitute permission to use this code. The full terms of the Intuitem Commercial License are detailed herein. + +--- + +## Copyright Notice +Copyright (c) 2024 intuitem SARL. + +--- + +## License Overview +This license governs the use of the **CISO Assistant** source code located in the `"enterprise"` directory (the "Software"). These components are not part of the Community Edition and are subject to the following terms. + +--- + +## Terms of Use +1. **Production Use**: The Software may only be used in production with a valid subscription for the appropriate number of users. +2. **Testing and Contributions**: + - You may modify the Software solely for testing purposes. + - Modifications may be submitted to Intuitem as pull requests (PRs) for possible inclusion in the Software. +3. **Prohibited Actions**: The Software may not be used in production, copied, modified, distributed, sublicensed, or sold without authorization, except as expressly permitted above. + +--- + +## Scope +- This license applies to the content of the `"enterprise"` directory. +- Binaries for **CISO Assistant** located directly under the `ghcr.io/intuitem/` namespace are also released under this Intuitem Commercial License. +- Third-party components incorporated into the Software are licensed under their respective original licenses. + +--- + +## Additional Licensing +For a non-AGPLv3 license of the Community Edition, please contact Intuitem. + +--- + +## Disclaimer +The Software is provided "AS IS," without any warranties. Intuitem and its licensors are not liable for damages arising from its use. 
+ + --- + + ## Contact + For licensing inquiries, subscriptions, or more information, please contact **[contact@intuitem.com](mailto:contact@intuitem.com)** or visit **[www.intuitem.com](http://www.intuitem.com)**.
diff --git a/enterprise/LICENSE.txt b/enterprise/LICENSE.txt
deleted file mode 100644
index 20f50883d..000000000
--- a/enterprise/LICENSE.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Usage of files in this directory and its subdirectories, and of CISO Assistant PRO and Enterprise features, is subject to the intuitem Commercial License (https://intuitem.com/license/commercial/), and conditional on having a valid license from intuitem.
-
-Access to files in this directory and its subdirectories does not constitute permission to use this code.
diff --git a/enterprise/docker-compose-build.yml b/enterprise/docker-compose-build.yml
index 56c2d9cb9..cbab56653 100644
--- a/enterprise/docker-compose-build.yml
+++ b/enterprise/docker-compose-build.yml
@@ -13,6 +13,23 @@ services:
 volumes:
 - ./db:/code/db
+ # huey:
+ # container_name: huey
+ # build:
+ # context: ../
+ # dockerfile: ./enterprise/backend/Dockerfile
+ # restart: always
+ # environment:
+ # - ALLOWED_HOSTS=backend,localhost
+ # - DJANGO_DEBUG=False
+ # volumes:
+ # - ./db:/code/db
+ # entrypoint:
+ # - /bin/sh
+ # - -c
+ # - |
+ # poetry run python manage.py run_huey
+
 frontend:
 container_name: frontend
 environment:
diff --git a/enterprise/docker-compose-pg.yml b/enterprise/docker-compose-pg.yml
index 0d483ef15..7f9c44985 100644
--- a/enterprise/docker-compose-pg.yml
+++ b/enterprise/docker-compose-pg.yml
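Review bot: The huey worker lands as a fully commented-out service block in enterprise/docker-compose-build.yml, and the same dead block is repeated in docker-compose-pg.yml, docker-compose-remote-api.yml, docker-compose-remote.yml and docker-compose.yml in the following hunks. Five copies of disabled configuration drift silently: whoever uncomments one later has to remember that `ALLOWED_HOSTS` and `DJANGO_DEBUG` must stay in step with the backend service, that the worker shares the backend's `./db` bind mount, and that nothing in the block orders it after the backend's migrations (the backend service definition is outside the hunk, so I cannot tell whether a `depends_on` would suffice). Either leave the block out until the worker is actually enabled, or keep one live definition behind an opt-in Compose profile, e.g. `profiles: ["huey"]` on the service, with a single comment above it stating why it is off by default and which settings must mirror `backend`.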
@@ -16,6 +16,21 @@ services: volumes: - ./db:/code/db + # huey: + # container_name: huey + # image: ghcr.io/intuitem/ciso-assistant-community/backend:latest + # restart: always + # environment: + # - ALLOWED_HOSTS=backend,localhost + # - DJANGO_DEBUG=False + # volumes: + # - ./db:/code/db + # entrypoint: + # - /bin/sh + # - -c + # - | + # poetry run python manage.py run_huey + frontend: container_name: frontend environment: diff --git a/enterprise/docker-compose-remote-api.yml b/enterprise/docker-compose-remote-api.yml index 58efa4510..7647a5310 100644 --- a/enterprise/docker-compose-remote-api.yml +++ b/enterprise/docker-compose-remote-api.yml @@ -11,6 +11,21 @@ services: volumes: - ./db:/code/db + # huey: + # container_name: huey + # image: ghcr.io/intuitem/ciso-assistant-community/backend:latest + # restart: always + # environment: + # - ALLOWED_HOSTS=backend,localhost + # - DJANGO_DEBUG=False + # volumes: + # - ./db:/code/db + # entrypoint: + # - /bin/sh + # - -c + # - | + # poetry run python manage.py run_huey + frontend: container_name: frontend environment: diff --git a/enterprise/docker-compose-remote.yml b/enterprise/docker-compose-remote.yml index 50fb12b6e..ba99da11c 100644 --- a/enterprise/docker-compose-remote.yml +++ b/enterprise/docker-compose-remote.yml @@ -11,6 +11,21 @@ services: volumes: - ./db:/code/db + # huey: + # container_name: huey + # image: ghcr.io/intuitem/ciso-assistant-community/backend:latest + # restart: always + # environment: + # - ALLOWED_HOSTS=backend,localhost + # - DJANGO_DEBUG=False + # volumes: + # - ./db:/code/db + # entrypoint: + # - /bin/sh + # - -c + # - | + # poetry run python manage.py run_huey + frontend: container_name: frontend environment: diff --git a/enterprise/docker-compose.yml b/enterprise/docker-compose.yml index a17805a67..19d35c08d 100644 --- a/enterprise/docker-compose.yml +++ b/enterprise/docker-compose.yml 
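Review bot: In the Postgres variant the commented huey block carries only `ALLOWED_HOSTS` and `DJANGO_DEBUG` and mounts `./db`, so if it is ever uncommented the worker receives none of the database connection variables the backend in this file presumably uses (the backend service and any `POSTGRES_*` settings sit outside the hunk) and would run against whatever the default settings point at — a different database than the web process enqueuing its tasks. Share the backend's environment explicitly, e.g. a top-level `x-backend-env: &backend-env` anchor referenced from both services with `environment: *backend-env`, instead of copying two variables by hand. The same block is repeated verbatim in the `docker-compose-remote-api.yml` and `docker-compose-remote.yml` hunks on this line and needs the same treatment. The image `ghcr.io/intuitem/ciso-assistant-community/backend:latest` is a floating tag of the community edition inside an enterprise compose file; pin it to the exact image and tag the backend service uses so a worker and web process from different releases never share one database.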
@@ -13,6 +13,21 @@ services: volumes: - ./db:/code/db + # huey: + # container_name: huey + # image: ghcr.io/intuitem/ciso-assistant-community/backend:latest + # restart: always + # environment: + # - ALLOWED_HOSTS=backend,localhost + # - DJANGO_DEBUG=False + # volumes: + # - ./db:/code/db + # entrypoint: + # - /bin/sh + # - -c + # - | + # poetry run python manage.py run_huey + frontend: container_name: frontend environment: diff --git a/enterprise/frontend/src/lib/components/Forms/ModelForm/FolderForm.svelte b/enterprise/frontend/src/lib/components/Forms/ModelForm/FolderForm.svelte index f9123d39a..46ca9c739 100644 --- a/enterprise/frontend/src/lib/components/Forms/ModelForm/FolderForm.svelte +++ b/enterprise/frontend/src/lib/components/Forms/ModelForm/FolderForm.svelte @@ -12,6 +12,7 @@ export let initialData: Record = {}; + -
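Review bot: The commented entrypoint `poetry run python manage.py run_huey` sets no `DJANGO_SETTINGS_MODULE` and passes no `--settings`, yet this is the enterprise compose file; if the enterprise backend runs a dedicated settings module (inferred from the file's location — the backend service is outside the hunk), an uncommented worker would load a different app configuration than the process that enqueues its tasks. Either add `DJANGO_SETTINGS_MODULE=<enterprise settings module>` to the worker's `environment:` or, better, factor the backend's environment (settings module, secret key, database settings) into a shared YAML anchor so the two services cannot diverge. If the block is meant to stay disabled for now, a one-line comment above it stating why and what must be supplied before enabling it would stop someone from uncommenting it as-is.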
-
-
+
+ -
-
+
+
+ {#if !data.clientSettings.settings.name} + + {/if} +
+
+
+
-
+
diff --git a/enterprise/frontend/src/routes/(authentication)/login/Greetings.svelte b/enterprise/frontend/src/routes/(authentication)/login/Greetings.svelte index 7b667197d..070dbd6ff 100644 --- a/enterprise/frontend/src/routes/(authentication)/login/Greetings.svelte +++ b/enterprise/frontend/src/routes/(authentication)/login/Greetings.svelte @@ -7,7 +7,10 @@ const clientSettings = $page.data.clientSettings; -
+
{#if !clientSettings?.settings.name}
diff --git a/enterprise/update-ciso-assistant-enterprise.sh b/enterprise/update-ciso-assistant-enterprise.sh new file mode 100755 index 000000000..699a060e8 --- /dev/null +++ b/enterprise/update-ciso-assistant-enterprise.sh @@ -0,0 +1,4 @@ +#! /usr/bin/env bash +pushd .. +./update-ciso-assistant.sh enterprise +popd diff --git a/frontend/messages/ar.json b/frontend/messages/ar.json index 16bf95edc..1bcdb4f62 100644 --- a/frontend/messages/ar.json +++ b/frontend/messages/ar.json @@ -787,6 +787,9 @@ "questionPlural": "أسئلة", "fillMetadataURL": "الخيار 1: املأ عنوان URL الخاص بالبيانات الوصفية", "fillSSOSLOURLx509cert": "الخيار 2: املأ عنوان URL الخاص بـ SSO وعنوان URL الخاص بـ SLO وx509cert", + "proof": "دليل", + "privacy": "خصوصية", + "safety": "أمان", "noExpirationDateSet": "لم يتم تحديد تاريخ انتهاء الصلاحية", "sumpageTotal": "المجموع", "sumpageActive": "نشيط", @@ -859,6 +862,8 @@ "addTag": "إضافة علامة", "tagsHelpText": "تُستخدم العلامات لتصنيف العناصر وتصفيتها. يمكنك إضافة علامات في قسم \"إضافي\"", "forgotPassword": "هل نسيت كلمة السر", + "scoreSemiColon": "نتيجة:", + "mappingInferenceHelpText": "هذه المتغيرات ثابتة ولن تتغير اعتمادًا على المصدر.", "bringTheEvidences": "أحضر الأدلة", "bringTheEvidencesHelpText": "في حالة التعطيل، سيتم تكرار الكائن بدون أدلته" } diff --git a/frontend/messages/de.json b/frontend/messages/de.json index 36498f939..3be9296d1 100644 --- a/frontend/messages/de.json +++ b/frontend/messages/de.json @@ -786,6 +786,9 @@ "questionPlural": "Fragen", "fillMetadataURL": "Option 1: Füllen Sie die Metadaten-URL aus", "fillSSOSLOURLx509cert": "Option 2: Füllen Sie die SSO-URL, SLO-URL und x509cert aus", + "proof": "Nachweisen", + "privacy": "Privatsphäre", + "safety": "Sicherheit", "noExpirationDateSet": "Kein Ablaufdatum festgelegt", "sumpageTotal": "gesamt", "sumpageActive": "aktiv", 
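Review bot: `pushd ..` resolves against the caller's current directory, not the script's location, so invoked from anywhere but `enterprise/` the script either fails or executes whatever `./update-ciso-assistant.sh` happens to exist in the caller's parent directory, and because there is no `set -e` a failed `pushd` still lets the next line run in the wrong place. Anchor on the script path and fail fast: `set -euo pipefail`, then `cd "$(dirname "$0")/.."` in place of `pushd ..`, and drop `popd` (the shell exits right after). The shebang `#! /usr/bin/env bash` works, but the form without the space, `#!/usr/bin/env bash`, is the conventional spelling.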
@@ -858,6 +861,8 @@ "addTag": "Tag hinzufügen", "tagsHelpText": "Tags werden zum Kategorisieren und Filtern der Elemente verwendet. Sie können Tags im Abschnitt Extra hinzufügen", "forgotPassword": "Passwort vergessen", + "scoreSemiColon": "Punktzahl:", + "mappingInferenceHelpText": "Diese Variablen sind fest und ändern sich je nach Quelle nicht.", "bringTheEvidences": "Bringen Sie die Beweise", "bringTheEvidencesHelpText": "Wenn deaktiviert, wird das Objekt ohne seine Beweise dupliziert" } diff --git a/frontend/messages/en.json b/frontend/messages/en.json index 8c2fd163c..9d5b87a36 100644 --- a/frontend/messages/en.json +++ b/frontend/messages/en.json @@ -809,14 +809,17 @@ "sumpageToDo": "to do", "sumpageInProgress": "in progress", "sumpageOnHold": "on hold", - "sumpageActiveAudits": "active audits", - "sumpageCompliantItems": "compliant items", - "sumpageNonCompliantItems": "non compliant items", - "sumpageEvidences": "evidences", - "sumpageAssessments": "assessments", - "sumpageScenarios": "scenarios", - "sumpageMappedThreats": "mapped threats", - "sumpageRiskAccepted": "risks accepted", + "sumpageP1": "Pending P1", + "sumpageEtaMissed": "Missed ETA", + "sumpageActiveAudits": "Active audits", + "sumpageCompliantItems": "Compliant items", + "sumpageNonCompliantItems": "Non compliant items", + "sumpageEvidences": "Evidences", + "sumpageAvgProgress": "Average progress", + "sumpageAssessments": "Assessments", + "sumpageScenarios": "Scenarios", + "sumpageMappedThreats": "Mapped threats", + "sumpageRiskAccepted": "Risks accepted", "sumpageSectionControls": "controls", "sumpageTitleComplianceOverview": "Compliance overview", "sumpageTitleCurrentRisks": "Current risks", 
@@ -888,11 +891,36 @@ "youCanSetPasswordHere": "You can set your password here", "forgotPassword": "Forgot password", "ssoSettingsUpdated": "SSO settings updated", + "scoreSemiColon": "Score:", + "mappingInferenceHelpText": "These variables are fixed and will not change depending on the source.", "priority": "Priority", "p1": "P1", "p2": "P2", "p3": "P3", "p4": "P4", + "ebiosWs1": "Workshop 1: Framing and Security Foundation", + "ebiosWs2": "Workshop 2: Risk Sources", + "ebiosWs3": "Workshop 3: Strategic Scenarios", + "ebiosWs4": "Workshop 4: Operational Scenarios", + "ebiosWs5": "Workshop 5: Risk Treatment", + "ebiosWs1_1": "Define the study framework", + "ebiosWs1_2": "Define business and technical perimeter", + "ebiosWs1_3": "Identify feared events", + "ebiosWs1_4": "Determine the security foundation", + "ebiosWs2_1": "Identify risk sources and targeted objectives", + "ebiosWs2_2": "Evaluate RS/TO pairs", + "ebiosWs2_3": "Select RS/TO pairs", + "ebiosWs3_1": "Map the ecosystem", + "ebiosWs3_2": "Develop strategic scenarios", + "ebiosWs3_3": "Define security measures for the ecosystem", + "ebiosWs4_1": "Develop operational scenarios", + "ebiosWs4_2": "Evaluate the likelihood of operational scenarios", + "ebiosWs5_1": "Conduct a risk assessment", + "ebiosWs5_2": "Decide on risk treatment strategy", + "ebiosWs5_3": "Define security measures", + "ebiosWs5_4": "Assess and document residual risks", + "ebiosWs5_5": "Establish risk monitoring framework", + "activity": "Activity", "bringTheEvidences": "Bring the evidences", "bringTheEvidencesHelpText": "If disabled, the object will be duplicated without its evidences" } diff --git a/frontend/messages/es.json b/frontend/messages/es.json index 230a4778a..6d3af4836 100644 --- a/frontend/messages/es.json +++ b/frontend/messages/es.json 
@@ -786,6 +786,9 @@ "questionPlural": "Preguntas", "fillMetadataURL": "Opción 1: Completar la URL de metadatos", "fillSSOSLOURLx509cert": "Opción 2: Complete la URL de SSO, la URL de SLO y el certificado x509", + "proof": "Prueba", + "privacy": "Privacidad", + "safety": "Seguridad", "noExpirationDateSet": "No hay fecha de caducidad establecida", "sumpageTotal": "total", "sumpageActive": "activo", @@ -858,6 +861,8 @@ "addTag": "Agregar etiqueta", "tagsHelpText": "Las etiquetas se utilizan para categorizar y filtrar los elementos. Puedes agregar etiquetas en la sección Extra", "forgotPassword": "Has olvidado tu contraseña", + "scoreSemiColon": "Puntaje:", + "mappingInferenceHelpText": "Estas variables son fijas y no cambiarán dependiendo de la fuente.", "bringTheEvidences": "Traer las evidencias", "bringTheEvidencesHelpText": "Si está deshabilitado, el objeto se duplicará sin sus evidencias." } diff --git a/frontend/messages/fr.json b/frontend/messages/fr.json index 5555c049d..a67e21bca 100644 --- a/frontend/messages/fr.json +++ b/frontend/messages/fr.json 
@@ -791,22 +791,28 @@ "fillMetadataURL": "Option 1 : Remplissez l'URL des métadonnées", "fillSSOSLOURLx509cert": "Option 2 : Remplissez l'URL SSO, l'URL SLO et le certificat x509", "licenseAboutToExpireWarning": "Il reste {days_left} jours avant l'expiration de votre licence.", + "proof": "Preuve", + "privacy": "Confidentialité", + "safety": "Sécurité", "noExpirationDateSet": "Aucune date d'expiration définie", - "sumpageTotal": "total", - "sumpageActive": "actif", - "sumpageDeprecated": "obsolète", - "sumpageToDo": "à faire", - "sumpageInProgress": "en cours", - "sumpageOnHold": "en attente", - "sumpageActiveAudits": "audits actifs", - "sumpageCompliantItems": "items conformes", - "sumpageNonCompliantItems": "items non conformes", - "sumpageEvidences": "preuves", - "sumpageAssessments": "évaluations", - "sumpageScenarios": "scénarios", - "sumpageMappedThreats": "menaces mappées", - "sumpageRiskAccepted": "risques acceptés", - "sumpageSectionControls": "mesures", + "sumpageTotal": "Total", + "sumpageActive": "Actif", + "sumpageDeprecated": "Obsolète", + "sumpageToDo": "A faire", + "sumpageInProgress": "En cours", + "sumpageOnHold": "En attente", + "sumpageP1": "P1 en attente", + "sumpageEtaMissed": "ETA râté", + "sumpageActiveAudits": "Audits actifs", + "sumpageCompliantItems": "Exigences conformes", + "sumpageNonCompliantItems": "Exigences non conformes", + "sumpageEvidences": "Preuves", + "sumpageAvgProgress": "Avancement moyenné", + "sumpageAssessments": "Analyses", + "sumpageScenarios": "Scénarios", + "sumpageMappedThreats": "Menaces mappées", + "sumpageRiskAccepted": "Risques acceptés", + "sumpageSectionControls": "Mesures", "sumpageTitleComplianceOverview": "Aperçu conformité", "sumpageTitleCurrentRisks": "Risques actuels", "sumpageTitleResidualRisks": "Risques résiduels", 
@@ -866,6 +872,31 @@ "youCanSetPasswordHere": "Vous pouvez définir votre mot de passe ici", "forgotPassword": "Mot de passe oublié", "ssoSettingsUpdated": "Paramètres SSO mis à jour", + "scoreSemiColon": "Score:", + "mappingInferenceHelpText": "Ces variables sont fixes et ne changeront pas en fonction de la source.", + "ebiosWs1": "Atelier 1 : Cadrage et Socle de sécurité", + "ebiosWs2": "Atelier 2 : Sources de risque", + "ebiosWs3": "Atelier 3 : Scénarios stratégiques", + "ebiosWs4": "Atelier 4 : Scenarios opértionnels", + "ebiosWs5": "Atelier 5 : Traitement du risque", + "ebiosWs1_1": "Définir le cadre de l’étude", + "ebiosWs1_2": "Définir le périmètre métier et technique", + "ebiosWs1_3": "Identifier les événements redoutés", + "ebiosWs1_4": "Déterminer le socle de sécurité", + "ebiosWs2_1": "Identifier les sources de risque et objectifs visés", + "ebiosWs2_2": "Évaluer les couples SR/OV", + "ebiosWs2_3": "Sélectionner les couples SR/OV", + "ebiosWs3_1": "Cartographier l’écosystème", + "ebiosWs3_2": "Élaborer les scénarios stratégiques", + "ebiosWs3_3": "Définir les mesures de sécurité sur l’écosystème", + "ebiosWs4_1": "Elaborer les scénarios opérationnels", + "ebiosWs4_2": "Evaluer la vraisemblance des scénarios opérationnel", + "ebiosWs5_1": "Réaliser une évaluation des risques", + "ebiosWs5_2": "Décider de la stratégie de traitement du risque", + "ebiosWs5_3": "Définir les mesures de sécurité", + "ebiosWs5_4": "Évaluer et documenter les risques résiduels", + "ebiosWs5_5": "Mettre en place le cadre de suivi des risques", + "activity": "Activité", "bringTheEvidences": "Apportez les preuves", "bringTheEvidencesHelpText": "Si désactivé, l'objet sera dupliqué sans ses preuves" } diff --git a/frontend/messages/hi.json b/frontend/messages/hi.json index 800f70248..051d2e76c 100644 --- a/frontend/messages/hi.json +++ b/frontend/messages/hi.json 
@@ -786,6 +786,9 @@ "questionPlural": "प्रश्न", "fillMetadataURL": "विकल्प 1: मेटाडेटा यूआरएल भरें", "fillSSOSLOURLx509cert": "विकल्प 2: SSO URL, SLO URL और x509cert भरें", + "proof": "सबूत", + "privacy": "गोपनीयता", + "safety": "सुरक्षा", "noExpirationDateSet": "कोई समाप्ति तिथि निर्धारित नहीं", "sumpageTotal": "कुल", "sumpageActive": "सक्रिय", @@ -857,6 +860,9 @@ "tags": "टैग", "addTag": "टैग जोड़ें", "tagsHelpText": "टैग का उपयोग आइटम को वर्गीकृत और फ़िल्टर करने के लिए किया जाता है। आप अतिरिक्त अनुभाग में टैग जोड़ सकते हैं", + "forgotPassword": "पासवर्ड भूल गए", + "scoreSemiColon": "अंक:", + "mappingInferenceHelpText": "ये चर निश्चित हैं और स्रोत के आधार पर परिवर्तित नहीं होंगे।", "bringTheEvidences": "सबूत लाओ", "bringTheEvidencesHelpText": "यदि अक्षम किया गया है, तो ऑब्जेक्ट को उसके साक्ष्य के बिना डुप्लिकेट किया जाएगा" } diff --git a/frontend/messages/it.json b/frontend/messages/it.json index 025facfb2..837ab5dea 100644 --- a/frontend/messages/it.json +++ b/frontend/messages/it.json @@ -786,6 +786,9 @@ "questionPlural": "Domande", "fillMetadataURL": "Opzione 1: inserire l'URL dei metadati", "fillSSOSLOURLx509cert": "Opzione 2: inserire l'URL SSO, l'URL SLO e il certificato x509cert", + "proof": "Prova", + "privacy": "Riservatezza", + "safety": "Sicurezza", "noExpirationDateSet": "Nessuna data di scadenza impostata", "sumpageTotal": "Totale", "sumpageActive": "Attivo", @@ -858,6 +861,8 @@ "addTag": "Aggiungi tag", "tagsHelpText": "I tag vengono utilizzati per categorizzare e filtrare gli elementi. Puoi aggiungere tag nella sezione Extra", "forgotPassword": "Ha dimenticato la password", + "scoreSemiColon": "Punto:", + "mappingInferenceHelpText": "Queste variabili sono fisse e non cambiano a seconda della fonte.", "bringTheEvidences": "Portare le prove", "bringTheEvidencesHelpText": "Se disabilitato, l'oggetto verrà duplicato senza le sue prove" } diff --git a/frontend/messages/nl.json b/frontend/messages/nl.json index af0204de9..fab932bd3 100644 
--- a/frontend/messages/nl.json +++ b/frontend/messages/nl.json @@ -786,6 +786,9 @@ "questionPlural": "Vragen", "fillMetadataURL": "Optie 1: Vul de metadata-url in", "fillSSOSLOURLx509cert": "Optie 2: Vul de SSO-URL, SLO-URL en x509cert in", + "proof": "Bewijs", + "privacy": "Privacy", + "safety": "Veiligheid", "noExpirationDateSet": "Geen vervaldatum ingesteld", "sumpageTotal": "totaal", "sumpageActive": "actief", @@ -858,6 +861,8 @@ "addTag": "Tag toevoegen", "tagsHelpText": "Tags worden gebruikt om de items te categoriseren en te filteren. U kunt tags toevoegen in de sectie Extra", "forgotPassword": "Wachtwoord vergeten", + "scoreSemiColon": "Punt:", + "mappingInferenceHelpText": "Deze variabelen zijn vast en veranderen niet, afhankelijk van de bron.", "bringTheEvidences": "Breng de bewijzen", "bringTheEvidencesHelpText": "Als dit is uitgeschakeld, wordt het object gedupliceerd zonder de bijbehorende bewijzen" } diff --git a/frontend/messages/pl.json b/frontend/messages/pl.json index be324cdf7..1991efea2 100644 --- a/frontend/messages/pl.json +++ b/frontend/messages/pl.json @@ -786,6 +786,9 @@ "questionPlural": "Pytania", "fillMetadataURL": "Opcja 1: Wypełnij adres URL metadanych", "fillSSOSLOURLx509cert": "Opcja 2: Wypełnij adres URL SSO, adres URL SLO i certyfikat x509cert", + "proof": "Dowód", + "privacy": "Prywatność", + "safety": "Bezpieczeństwo", "noExpirationDateSet": "Brak daty ważności", "sumpageTotal": "całkowity", "sumpageActive": "aktywny", @@ -858,6 +861,8 @@ "addTag": "Dodaj tag", "tagsHelpText": "Tagi służą do kategoryzowania i filtrowania elementów. Możesz dodać tagi w sekcji Extra", "forgotPassword": "Zapomniałem hasła", + "scoreSemiColon": "Wynik:", + "mappingInferenceHelpText": "Te zmienne są stałe i nie zmieniają się w zależności od źródła.", "bringTheEvidences": "Przynieś dowody", "bringTheEvidencesHelpText": "Jeśli wyłączone, obiekt zostanie zduplikowany bez dowodów" } 
diff --git a/frontend/messages/pt.json b/frontend/messages/pt.json index d805f3c67..4ecdb5a0a 100644 --- a/frontend/messages/pt.json +++ b/frontend/messages/pt.json @@ -786,6 +786,9 @@ "questionPlural": "Questões", "fillMetadataURL": "Opção 1: Preencha a URL dos metadados", "fillSSOSLOURLx509cert": "Opção 2: Preencha a URL do SSO, a URL do SLO e o x509cert", + "proof": "Prova", + "privacy": "Privacidade", + "safety": "Segurança", "noExpirationDateSet": "Nenhuma data de validade definida", "sumpageTotal": "total", "sumpageActive": "ativo", @@ -858,6 +861,8 @@ "addTag": "Adicionar etiqueta", "tagsHelpText": "As tags são usadas para categorizar e filtrar os itens. Você pode adicionar tags na seção Extra", "forgotPassword": "Esqueceu sua senha", + "scoreSemiColon": "Pontuação:", + "mappingInferenceHelpText": "Essas variáveis são fixas e não mudarão dependendo da fonte.", "bringTheEvidences": "Traga as evidências", "bringTheEvidencesHelpText": "Se desabilitado, o objeto será duplicado sem suas evidências" } diff --git a/frontend/messages/ro.json b/frontend/messages/ro.json index fcd2a213c..09b399431 100644 --- a/frontend/messages/ro.json +++ b/frontend/messages/ro.json @@ -786,6 +786,9 @@ "questionPlural": "Întrebări", "fillMetadataURL": "Opțiunea 1: completați adresa URL a metadatelor", "fillSSOSLOURLx509cert": "Opțiunea 2: completați URL-ul SSO, URL-ul SLO și x509cert", + "proof": "Dovada", + "privacy": "Confidențialitate", + "safety": "Siguranţă", "noExpirationDateSet": "Nu a fost stabilită o dată de expirare", "sumpageTotal": "total", "sumpageActive": "activ", 
@@ -858,6 +861,8 @@ "addTag": "Adăugați etichetă", "tagsHelpText": "Etichetele sunt folosite pentru a clasifica și filtra articolele. Puteți adăuga etichete în secțiunea Extra", "forgotPassword": "Aţi uitat parola", + "scoreSemiColon": "Scor:", + "mappingInferenceHelpText": "Aceste variabile sunt fixe și nu se vor modifica în funcție de sursă.", "bringTheEvidences": "Aduceți dovezile", "bringTheEvidencesHelpText": "Dacă este dezactivat, obiectul va fi duplicat fără dovezile sale" } diff --git a/frontend/messages/sv.json b/frontend/messages/sv.json index df01d97c7..aeee7ca16 100644 --- a/frontend/messages/sv.json +++ b/frontend/messages/sv.json @@ -861,6 +861,8 @@ "youCanSetPasswordHere": "Du kan ställa in ditt lösenord här", "forgotPassword": "Glömt lösenord", "ssoSettingsUpdated": "SSO-inställningar uppdaterade", + "scoreSemiColon": "Göra:", + "mappingInferenceHelpText": "Dessa variabler är fasta och kommer inte att ändras beroende på källan.", "bringTheEvidences": "Kom med bevisen", "bringTheEvidencesHelpText": "Om det är inaktiverat kommer objektet att dupliceras utan dess bevis" } diff --git a/frontend/messages/ur.json b/frontend/messages/ur.json index 6022533c7..0d822959d 100644 --- a/frontend/messages/ur.json +++ b/frontend/messages/ur.json @@ -786,6 +786,9 @@ "questionPlural": "سوالات", "fillMetadataURL": "آپشن 1: میٹا ڈیٹا یو آر ایل کو بھریں۔", "fillSSOSLOURLx509cert": "اختیار 2: SSO URL، SLO URL اور x509cert پُر کریں۔", + "proof": "ثبوت", + "privacy": "رازداری", + "safety": "حفاظت", "noExpirationDateSet": "میعاد ختم ہونے کی کوئی تاریخ مقرر نہیں ہے۔", "sumpageTotal": "کل", "sumpageActive": "فعال", 
@@ -858,6 +861,8 @@ "addTag": "ٹیگ شامل کریں۔", "tagsHelpText": "ٹیگز اشیاء کی درجہ بندی اور فلٹر کرنے کے لیے استعمال ہوتے ہیں۔ آپ اضافی سیکشن میں ٹیگ شامل کر سکتے ہیں۔", "forgotPassword": "پاس ورڈ بھول گئے۔", + "scoreSemiColon": "سکور:", + "mappingInferenceHelpText": "یہ متغیرات طے شدہ ہیں اور ماخذ کے لحاظ سے تبدیل نہیں ہوں گے۔", "bringTheEvidences": "ثبوت لے کر آئیں", "bringTheEvidencesHelpText": "اگر غیر فعال ہو تو، اعتراض کو اس کے ثبوت کے بغیر نقل کر دیا جائے گا۔" } diff --git a/frontend/src/lib/components/Chart/TimeSeriesChart.svelte b/frontend/src/lib/components/Chart/TimeSeriesChart.svelte new file mode 100644 index 000000000..30f53a76d --- /dev/null +++ b/frontend/src/lib/components/Chart/TimeSeriesChart.svelte @@ -0,0 +1,82 @@ + + +
diff --git a/frontend/src/lib/components/DataViz/Card.svelte b/frontend/src/lib/components/DataViz/Card.svelte index e2c7818eb..277b88ed8 100644 --- a/frontend/src/lib/components/DataViz/Card.svelte +++ b/frontend/src/lib/components/DataViz/Card.svelte @@ -1,7 +1,7 @@ -
@@ -20,10 +21,10 @@ {section}
-
{count}
+

{count}

{label}
-
+