Feature - Findings (ongoing)

Hi there,

We’ve historically used the Compliance Analysis Findings module to track our different regulation-based audits (HIPAA, PCI, etc.).

We recently had a penetration test performed, and I wanted to use the Compliance Analysis Findings module to track those findings as well, as our teams are somewhat used to that portion of the tool.

Our assessor made the findings somewhat generic in nature, and not mapped one to one to specific assets. This is why I chose not to use the Asset Risk Management feature of Eramba.

So, I tried adding a Compliance Analysis Finding, leaving the Compliance Package section blank, but Eramba requires this. Two questions:

  1. Would it be possible for the compliance package to be an optional field so I can use it in this manner?
  2. Are there any other ways of tracking penetration test findings within Eramba that I’m not thinking of?

Thanks!

-Noah

Hi

Quite the same issue here. Somehow I’m missing the option to follow up on findings which are not directly related to a compliance analysis.
E.g. we have some findings about improving some of our documents, which are not part of any compliance analysis we made. I see that we need some relation somewhere in order to integrate it in the ISMS improvement cycle. Maybe it should be possible to link it to a risk? Or should we just open a new risk for this finding and link to an improvement there? Then we should have some sort of “source” field at least, to be able to gather all findings from one audit.

Regards
Fabian

This is a bit of a mess, we easily agree with that and we need to sort this stuff. We have three things in eramba that are used to describe:

Project - how we are fixing a problem
Issue or Finding - a problem
Exception - a problem we decided to live with

We don’t seem to disagree that the three need to be there, but we do think:

  • Issues and Findings (which we will call “Findings” or “Issues”) will be expanded to the same sections “Projects” are and they will be called “Issues” that you can link to items on that section.
  • Sections will include “Issues” filters and notifications (the same as now “Findings” have), an item with an open “Issue” will be tagged in red as “With Issues” until the issue is “Closed”.
  • You will attach them to one or more items in that section, how that will be done depends on the section.

Since they are everywhere you want one place to look at them at once, for that reason we’ll create a new section under Security Operations where all “Issues” from all sections will be shown to you, this will help you know “What Problems do we have?” in a glance. The section will allow you to:

  • edit them
  • filter all of them at once, you will get the chance to list one or two fields from the item section they relate to.
  • trigger notifications (against the status and date)
  • initially you won’t be able to create new “Issues” (as that is done on each section) but it is likely that in the future you will be able to do it

We are thinking also on merging all exceptions into one section under control catalogue…but we’ll work on that only once we conclude with the findings stuff.

Side note: these are the current relationships for projects, findings, exceptions and issues:

Currently Projects link to:

  • Program / Goals
  • Risk Management / Asset Risk Management
  • Risk Management / Third Party Risk Management
  • Risk Management / Business Risk Management
  • Control Catalogue / Security Service
  • Control Catalogue / Security Service / Audits
  • Control Catalogue / Security Policy
  • Compliance Management / Compliance Analysis / Item
  • Asset Management / Data Flow Analysis / Flow

Filters on these sections don’t really tell you easily what projects are active against them; filters on these sections need to include a tab called “Projects” and the following filter options:

  • Project Name
  • Start Date
  • End Date
  • Owner
  • Completion %
  • Status (drop down with: completed, ongoing, etc)
  • Status (drop down with: Ok, Project Expired, Improvement Project Expired, Improvement Project with Expired Tasks, Etc)
  • Planned Budget
  • Actual Budget

Issues are linked to:

  • Control Catalogue / Security Service / Audits

We need to migrate this to the new “Issues” schema defined above, the status “Control with Issues” remains as the new issues have that built in.

Findings

  • Compliance Management / Vendor Assessments
  • Security Operations / Account Reviews

These two need to be merged and expanded to all other sections as described above; they will be called “Issues”.

Exceptions

  • Risk Management / Asset Risk Management
  • Risk Management / Third Party Risk Management
  • Risk Management / Business Risk Management
  • Control Catalogue / Security Policy
  • Compliance Management / Compliance Analysis / Item

These all need to be merged and put together under “Control Catalogue”.

internal ref: https://github.com/eramba/eramba_v2/issues/1313

I was wondering if there was any further update on this. Excited to be able to track issues/findings throughout the product.

We need to complete the new template, which will happen hopefully soon (we will publish a video showing how it works), and then we will finally be able to work on the pending work (which is huge).

Thanks for the update. Excited for this as well.

Is the video you referenced the one linked in this post here: Feature - Completely new UX/UI

(specifically, this one: https://www.youtube.com/watch?v=ku-pKJm6900&feature=youtu.be)?

Thanks!

-Noah

Just stumbled upon this topic again… since open items to our IT are increasing :slight_smile:
I don’t think this has been implemented yet, has it?

I need some automatic reminders (weekly, daily, hourly, quarter-hourly… ok the last two intervals were not meant seriously)

this is totally stalled, in fact I’m not sure we’ll do it at all … we shifted priorities this year to:

  • dynamic status
  • workflows
  • compliance analysis imports and “library”

@Fabian We use either JIRA, ServiceNow, or other ticketing platforms to track these sorts of issues/findings outside of Eramba. If an issue/finding can be linked back to a Risk or Compliance Finding, we use a custom field to track the URL to the active ticket in the external platform.

@eramba those are some good priorities and I can’t wait to use them once implemented.

for the time being, we are not doing this. other fronts to fight right now!

Hi @eramba - it’s been a year since the last update. I was wondering if there’s any appetite for reconsidering this feature - a centralised issues register? I think it would be a great feature to have.

I hope the fight on the other fronts is going well :slight_smile:

we are stuck with the infamous migration for another month, the issue is on the roadmap so eventually we’ll do something about it … no idea when though