Currently mappings in between compliance packages work in the following way:
- you have to define the source and destination
- fields defined on the source (list below) are automatically assigned to the destination:
- Controls
- Policies
- Exceptions
- Audit Findings
- All three Risks
- these fields, on the destination, are “blocked”, meaning you cannot edit them
You can tell what will be synced: when you edit the “source” you see the sync icon:
Once the association of solutions to problems has been made, you see the following columns on the filter (source and destination):
If I try editing the destination, the items are disabled:
If I remove the mapping, what was mapped stays mapped:
We need a few changes:
- What can be mapped
- What happens when you create a mapping
- PENDING - What happens if the user updates associated items to an item which is part of a mapping?
- What happens when you change mappings
- What happens when you delete mappings
- How you show mappings on Index
- How you show mappings on Reports
Let’s go one by one and tackle the items above:
What can be mapped?
Unlike today, where you can only map two entities, we want to be able to map multiple entities. For example:
- ISO 27001 req 5.6, 5.7, 5.8
- PCI DSS req 12.5, 15.6
We need to group these mappings with a keyword (text field) so the mapping would then look like:
What happens when you create a mapping?
The user will go to Compliance Packages and click on the “Advanced Mappings” tab; this tab will only be available if there are NO “Simple Mappings” created.
The index should have the following headers:
- Mapping Name
- A column for each compliance package on the system
The rows of the index show the name and a list of mapped items for each compliance package (if nothing on a package is included, we leave the cell empty).
The user will then click on “Add”, name the mapping (Name field) and select, for every compliance package, which items are part of this mapping. One or more items from each package can be selected.
NOTE: a user could have a compliance item in more than one mapping definition, which could lead to a circular conflict, so for the time being such an option SHOULD NOT BE POSSIBLE.
When the user “Saves” the mapping, eramba needs to make sure that whatever these items have associated on the key fields is the same for all of them.
Key Fields:
- Internal Controls
- Policies
- Compliance Exceptions
- All Three Risks
- External Audit Findings
What happens if the user updates associated items to an item which is part of a mapping?
Once a mapping has been created, if the user goes to Compliance Analysis and edits an item which is part of a mapping, whatever changes are done on the key fields will be reflected on the other items.
PENDING HOW WE IMPROVE COMPLIANCE ANALYSIS?
NOTE: here we could add logic where eramba asks whether the changes apply to this item alone or to the others as well. If this option is available, then we need to display items in different colours to differentiate them somehow. TBD.
What happens when you change an existing mapping?
If the user goes to Compliance Packages / Advanced Mappings and clicks on “Edit” for a mapping, then the user can update:
- Name of the mapping
- Add or Remove mapped items from any compliance package
When the user saves, we need to warn the user, before taking action, about what will happen, depending on what they have done (they could have done both):
- You have removed items from this mapping; would you like us to keep whatever is already linked there, or should we remove it and leave these fields empty?
- You have added new items to this mapping; we will link whatever the other items in the mapping have to the new items you have added.
What happens when you delete mappings?
If the user goes to Compliance Packages / Advanced Mappings, clicks on an existing mapping and then “Delete”, we need to show a warning message:
- You are trying to delete a mapping; would you like us to keep whatever is already linked on these compliance items, or should we remove it and leave these fields empty?
The user can choose what to do.
How you show mappings on Index
On the Compliance Analysis section, we need to display mappings in a slightly different way from the way we do this now. We are suggesting using a new feature on the index called “Group By”: the idea is that we will have a column on the index for “Advanced Mapping” (the “name” attribute).
The “Group By” will only allow this column for now; it is important, of course, that we can still use filters, column settings and sorting.
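The following is an added example, not eramba code, that models the rules from the sections above in one place: the single-mapping-per-item constraint and key-field alignment on create, propagation of Compliance Analysis edits to mapped siblings, the keep/clear choice on edit and delete, the Advanced Mappings index rows (Mapping Name plus one column per package) and the Compliance Analysis “Group By” on the mapping name. It assumes in-memory storage, key fields modelled as sets of record ids, and that when a mapping is saved the union of what the items already have becomes the shared value (the text only requires the values to end up identical). The items, references and ids in `demo()` are constructed sample data.

```python
from dataclasses import dataclass, field

# Key fields named in the spec; each is modelled as a set of linked record ids.
KEY_FIELDS = ("internal_controls", "policies", "compliance_exceptions",
              "risks", "external_audit_findings")


@dataclass
class ComplianceItem:
    package: str   # compliance package, e.g. "ISO 27001"
    ref: str       # requirement reference inside the package, e.g. "5.6"
    assoc: dict = field(default_factory=lambda: {f: set() for f in KEY_FIELDS})

    @property
    def key(self):
        return (self.package, self.ref)


class AdvancedMappings:
    """In-memory model of the create / update / edit / delete rules (assumed design)."""

    def __init__(self, items):
        self.items = {i.key: i for i in items}   # (package, ref) -> item
        self.mappings = {}                        # mapping name -> set of item keys

    def mapping_of(self, key):
        return next((n for n, m in self.mappings.items() if key in m), None)

    def _assert_unmapped(self, keys):
        # Spec NOTE: an item in more than one mapping is not allowed.
        for k in keys:
            owner = self.mapping_of(k)
            if owner is not None:
                raise ValueError(f"{k} is already part of mapping {owner!r}")

    def _unify(self, name):
        # Make every key field identical across the mapping's items.
        # Assumption: the union of what the items already have is the shared value.
        members = [self.items[k] for k in self.mappings[name]]
        for f in KEY_FIELDS:
            merged = set().union(*(m.assoc[f] for m in members))
            for m in members:
                m.assoc[f] = set(merged)

    def _clear(self, key):
        for f in KEY_FIELDS:
            self.items[key].assoc[f] = set()

    # "What happens when you create a mapping?"
    def create(self, name, keys):
        if name in self.mappings:
            raise ValueError(f"mapping {name!r} already exists")
        self._assert_unmapped(keys)
        self.mappings[name] = set(keys)
        self._unify(name)

    # "What happens if the user updates ... an item which is part of a mapping?"
    def update_item(self, key, field_name, values):
        if field_name not in KEY_FIELDS:
            raise ValueError(f"{field_name} is not a key field")
        targets = self.mappings.get(self.mapping_of(key), {key})
        for k in targets:   # the edit is mirrored to every item in the mapping
            self.items[k].assoc[field_name] = set(values)

    # "What happens when you change an existing mapping?"
    def edit(self, name, add=(), remove=(), keep_removed_links=True):
        members = self.mappings[name]
        for k in remove:
            members.discard(k)
            if not keep_removed_links:   # user chose "remove and leave empty"
                self._clear(k)
        self._assert_unmapped(k for k in add if k not in members)
        members.update(add)
        self._unify(name)   # new items are linked to what the others already have

    # "What happens when you delete mappings?"
    def delete(self, name, keep_links=True):
        for k in self.mappings.pop(name):
            if not keep_links:
                self._clear(k)

    # Advanced Mappings index: "Mapping Name" plus one column per package.
    def index_rows(self):
        packages = sorted({k[0] for k in self.items})
        rows = []
        for name, members in self.mappings.items():
            row = {"Mapping Name": name}
            for p in packages:   # an empty list stands for an empty cell
                row[p] = sorted(r for pkg, r in members if pkg == p)
            rows.append(row)
        return rows

    # Compliance Analysis index with "Group By" on the Advanced Mapping name.
    def group_by_mapping(self):
        groups = {}
        for k in self.items:
            groups.setdefault(self.mapping_of(k), []).append(k)
        return groups


def demo():
    """Constructed sample data; returns the store after one mapping is created."""
    iso56 = ComplianceItem("ISO 27001", "5.6"); iso56.assoc["policies"].add("POL-1")
    iso57 = ComplianceItem("ISO 27001", "5.7"); iso57.assoc["policies"].add("POL-2")
    pci125 = ComplianceItem("PCI DSS", "12.5"); pci125.assoc["internal_controls"].add("CTL-9")
    store = AdvancedMappings([iso56, iso57, pci125, ComplianceItem("PCI DSS", "15.6")])
    store.create("Access control", [iso56.key, iso57.key, pci125.key])
    return store


if __name__ == "__main__":
    print(demo().index_rows())
```

`update_item` edits every member of the mapping unconditionally, which is the behaviour the text specifies; the pending “this item alone or the others as well?” prompt would become a flag on that method.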
How you show mappings on Reports
TBD