Feature - opensource to new website and new UX in eramba for templates

We need to move opensource to the new website, we want to achieve:

  • a single website with all the stuff (website, templates, learning, etc)
    • initially, we will work only on English language templates
    • there is a possibility we will do this in other languages in the future
  • we want to remove “collaboration from users” in opensourcegrc: in 3 years we got three collaborations, despite thousands of people using the opensourcegrc platform
  • we want to expand templates to other areas: threats, vulnerabilities, risks, assets, questionnaire, etc
    • we need to populate these templates from an eramba instance managed by the core team
    • any update done on our side should become available to users within hours at most, ideally immediately
    • consider that users might run a different version of eramba from the one we will be running on the master template server
  • we want to reinstate a seamless user interface in eramba so people can use templates directly from their eramba
    • people should be able to add compliance packages directly from templates
    • people should be able to create risks (and their relationships: assets, etc) from templates
    • etc

github: https://github.com/eramba/eramba_v2/issues/3539
related: https://github.com/eramba/eramba_v2/issues/2595


There are two pieces to this functionality:

  • changes on the website for a new opensourcegrc
  • changes in eramba to get that content easily

Changes on the website:

We need somewhere to explain we have free, open license templates. I suggest one more frame here:

We also need to access templates from the menu on the top because we want this to be super visible:

When clicked there, we want to show the templates main page, which needs to be a mix of an introduction on how this works and the content itself.

Which templates:

  • compliance packages
  • mapping in between them
  • controls, policies linked to compliance packages
  • OA templates

and later:

  • third parties
  • liabilities
  • assets
  • risks
  • controls and policies linked to risks

The website landing page could be something like this:

The box below, ‘here we show the content’, is where the actual content is shown; depending on what they click above, it might change. This is because the things above are related to each other. So let's go one by one:

They are used on the OA section, so if we want to let people add them in eramba we need the following attributes: name and description. We can use a table as shown below; we would need a few actions on the table: search and download as CSV.

We will use tables here; every column header needs to have a (?) or something that the user clicks or hovers over so that a description is shown. This applies to all tables:

We also need a filter option: if the field is boolean we can filter by that column alone, and if it is not we can search by string on that column alone.

Compliance Packages:
They are used in compliance packages and compliance analysis. We have multiple attributes for them in eramba: name, description, owner, liability, publisher name, regulation name, version, language, url, paid or free (we have too many; we need to get rid of some of them).

We can re-use the same approach opensourcegrc has: we select a compliance package from a drop down and the table builds up. If a second compliance package that has mappings to the first one exists, then we show another column:

We need to get rid of the items per page (we show the full list) and of the filter option (we keep the search). Download means downloading the table as CSV exactly as it is shown to the user.
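An added sketch (not eramba's or opensourcegrc's code) of the table behaviour described here and in the filter rule above: selecting a first package builds the rows, a second package that has mappings to it adds a column, a boolean column filters by value while any other column filters by substring, and download writes the table as CSV exactly as displayed. Package names, requirement ids and mappings are constructed placeholders.

```python
import csv
import io

# Constructed sample data: two compliance packages with placeholder requirements.
REQUIREMENTS = {
    "PKG-A": [("A.1", "Access control policy"),
              ("A.2", "Logging of admin actions"),
              ("A.3", "Vendor review")],
    "PKG-B": [("B.1", "Privileged access logging"),
              ("B.2", "Access governance")],
}
# Constructed mappings between requirements of the two packages (either direction).
MAPPINGS = [
    (("PKG-A", "A.1"), ("PKG-B", "B.2")),
    (("PKG-A", "A.2"), ("PKG-B", "B.1")),
]

def mapped_items(first, req_id, second):
    """Requirements of `second` mapped to (first, req_id), looked up in both directions."""
    key = (first, req_id)
    found = []
    for left, right in MAPPINGS:
        if left == key and right[0] == second:
            found.append(right[1])
        elif right == key and left[0] == second:
            found.append(left[1])
    return found

def build_table(first, second=None):
    """Rows for the selected package; a second package adds a mapping column."""
    rows = []
    for req_id, desc in REQUIREMENTS[first]:
        row = {"Requirement": req_id, "Description": desc}
        if second is not None:
            mapped = mapped_items(first, req_id, second)
            row[f"Mapped to {second}"] = ", ".join(mapped)
            row["Has mapping"] = bool(mapped)  # boolean column -> filter by value
        rows.append(row)
    return rows

def filter_rows(rows, column, value):
    """Boolean column: exact match; any other column: case-insensitive substring search."""
    out = []
    for row in rows:
        cell = row[column]
        if isinstance(cell, bool):
            if cell is value:
                out.append(row)
        elif str(value).lower() in str(cell).lower():
            out.append(row)
    return out

def to_csv(rows):
    """Download: the table exactly as displayed (same columns, same order, all rows)."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```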

When an Internal Control or Policy is clicked, a modal opens that shows the content (see what attributes they have) and they can download it in Word format.

They are used in the policy module in eramba and they are linked to Compliance Requirements, Risks and Controls. So here is where we start mixing things, and the table is a bit more complicated.

The table shows the documents and also the number of relationships with other sections: compliance mappings and risks. When you click on the compliance mappings, risks or controls you get redirected to a new table (or better, a modal or new tab) that shows the relations from the mapped perspective. This is hard to explain; we might need a call.

They have four attributes we need: Name, Objective, Testing Methodology and Success Criteria.

Same approach as with the policies: the mapping is shown as a clickable counter that triggers a new table.