Introduction
The objective of this feature is to pre-populate eramba installs (new and existing) with a set of templates that users can adjust and use. This feature will be public for community and enterprise users.
Right after this feature is built, we will deploy an AI assistant that will improve templates using a slightly different approach.
Scope
The following sections will include templates (in order of priority):
- Compliance Packages
- Internal Controls
- Policies
- Risks
Definitions
- Templates are items (Controls, Policies, etc.)
- Templates will have a unique ID that will never change, like a rodne cislo (the Czech/Slovak national identification number) of sorts
- Template items might or might not have pre-defined relationships with other items. When these relationships exist, we refer to them as “Suggestions”. For example: a control might have a “Suggested” policy, a “Compliance Package Item” might have a “Suggested” policy.
- These “Suggestions” will be visible to the user in two places: forms and filters (views), with a very distinctive colour and shape
- The user can disable showing these “Suggestions” on the View or the Form (two settings) in every module (a per-user setting, not global to all users).
- Templates cannot be deleted by users; they can only be cloned to become “Real” items.
- When a user clones a template item (when they click on a suggestion), they must “Adjust” the fields of the item to whatever they think is best (owner, description, title, etc.). Whatever changes they make are irrelevant to the rodne cislo of the item; it will always stay with that cloned item. Once they save, the item becomes “Real”.
- Templates will be pre-loaded to eramba and updated by the eramba core team from a central eramba instance. This instance will deploy changes to customers only when eramba admins say so, not automatically.
- When a user clones a Template and that Template gets updated, we will let the user know (this is why, among other reasons, the rodne cislo of a template is important).
Compliance Management
The process by which the user will implement the compliance management module in eramba using templates is defined by the following flow:
The “Templates” involved in this diagram (and the type of relationship) are described in this module relationship:
- There might be “Automations” linked to “InternalControls” in the future.
- For new installs and those that have never used the feature, we will hide the “Compliance Package Mappings” feature starting on release 28.
- When we reach the point where compliance package CSVs support mappings, we will check if there are mappings created; if there are, we will ask the user to delete these mappings to enable templates.
Retrofitting Existing Customer Packages
Without a means to update the compliance package a user has already uploaded, they cannot use this feature. We need an “update” feature through CSVs.
Policies Templates
- We need to start implementing templates on this module because it has no dependencies
- A Policy template will include the following completed fields: title, description, version, content, document type, status
- All other fields will need to be completed by the user
Internal Control Templates
- An internal control template will include the following fields completed: title, objective, one or more policies (suggested), status=production, audit dates, audit methodology, audit success criteria, maintenance=null
- When the user clicks on the item to “Clone” it and make it “Real”, they will need to adjust the fields mentioned above plus the following empty fields: GRC Contact, Control Operator Contact, Audit Owner, Audit Evidence Owner. There is a chance we might link Automation scripts, leaving the option to the user to use manual or automated testing (both will need to be adjusted).
- The form will have one or more suggested Policy templates. If the policy already exists on the system, it will be automatically associated. If the policy does not exist, since it is optional, it will be shown as a suggestion that requires clicking.
Compliance Package Templates
- Compliance Packages will, for the time being, remain CSV files that will incorporate three optional columns for one or more: Policies, Controls, Asset Risks, Third Party Risks, Business Risks
- I think from a software perspective, these CSV package items will need a rodne cislo too.
- When the user imports the CSV, the process is the same as it is today, but the system will pre-load the compliance analysis module in a way that these suggestions become visible.
- This module needs to be implemented at the end, when we already have all Controls and Policies loaded on the system.
Note: I do not want to pre-load compliance packages for now because I think it is a big deal and we need to deliver this quickly. Most people are fine with CSVs, and we also do not have time now to deal with paid templates.
Template Database
- Controls and Policy templates will be shown as a View. We’ll create this view early so it is visible to users (but they won’t be able to do anything with it until the entire feature is released).
- The user can access the view, filter, sort, etc.
- The user can also create an Internal Control, Policy, etc from a template to a “Real” item without the need of compliance packages, but this action makes little sense so we’ll discourage it somehow.
Template Updates
We will be managing the database of templates; this implies creation, updating and deletion:
- Create: eramba creates the template, the template shows up for the customer and displays a dynamic status for 7 days (since the update).
- Update: eramba updates an existing template, the user gets the updated template, and it displays a dynamic status for 7 days (since the update). If the user has already cloned that template, the cloned item also gets a dynamic status to let the user know about the updated template.
- Deleted: we just delete the item, no notifications or anything sent to the user.
We need a daily “Report” notification, containing a View of updated and created items, sent to the admin of the system.
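The create, update and delete rules above, modelled as an added example (this is not eramba's code or data model): the permanent template ID is what lets a cloned item be flagged when its template changes. The class and method names, the in-memory store and the 24-hour report window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

STATUS_WINDOW = timedelta(days=7)  # "dynamic status for 7 days" from the text

@dataclass
class Template:
    template_id: str      # permanent ID ("rodne cislo"); never changes
    title: str
    changed_at: datetime  # when eramba created or last updated it

@dataclass
class Item:               # a "Real" item cloned from a template
    template_id: str      # stays with the clone whatever the user adjusts
    title: str
    owner: str
    cloned_at: datetime

class TemplateStore:      # hypothetical in-memory model, not eramba's schema
    def __init__(self):
        self.templates = {}

    def publish(self, template_id, title, now):
        """Create or Update: both restart the 7-day dynamic status."""
        self.templates[template_id] = Template(template_id, title, now)

    def delete(self, template_id):
        """Deleted: removed silently, nothing is flagged or sent."""
        self.templates.pop(template_id, None)

    def clone(self, template_id, now, title=None, owner=""):
        t = self.templates[template_id]
        return Item(t.template_id, title or t.title, owner, now)

    def template_flagged(self, template_id, now):
        t = self.templates.get(template_id)
        return t is not None and now - t.changed_at < STATUS_WINDOW

    def item_flagged(self, item, now):
        """A clone is flagged only if its template changed after cloning."""
        t = self.templates.get(item.template_id)
        return (t is not None and t.changed_at > item.cloned_at
                and now - t.changed_at < STATUS_WINDOW)

    def daily_report(self, now):
        """Assumption: the report lists templates changed in the last 24 h."""
        day = timedelta(days=1)
        return sorted(i for i, t in self.templates.items()
                      if now - t.changed_at < day)
```

A clone made before an update is flagged for seven days after that update, while its own adjusted title and owner are left untouched.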
Template Suggestions
- Suggestions will be displayed based on the relationship of these templates (rodne cislos) and displayed on the Views with some distinctive mark.
- Under the “…” menu (right), we need a “Template” setting where the user can “Disable” or “Enable” template suggestions for this module. This option affects this user alone.
- On forms, when the user edits an item, we might also need to show suggestions. These will also be highlighted with some colour or mark.
- There is a common issue when working with suggestions that are in the same tab; this is obvious in the risk module (assets, threats, vulnerabilities). We need to handle this more elegantly.
Left Over Questions
- What to do when a user imports a template that they imported before but deleted?
- Clear rules for customised items: probably some kind of reset will be available all the time, with the option to reset back to the original template.
Drawings
Audit_Maintenance Logic (2).drawio (41.7 KB)






