We will start working on the project next week once we complete release (e|c)2.8.0. The plan for the first release of this platform will be:
- A catalogue (templates) of:
  - Internal controls (Control Catalogue / Internal Controls) and policies (Control Catalogue / Policies). These will already carry relationships to popular compliance requirements (we'll start with PCI, ISO27k, CyberSecurity and CIS).
  - Vendor assessments (Compliance Management / Vendor Assessments), assets (Asset Management / Asset Identification), liabilities (Organization / Liabilities) and third parties (Organization / Third Party), which will have no initial linkage to start with but will be helpful to the user as inspiration.
This catalogue content will initially be funded by eramba (and in the future expanded and improved by the community). We'll load all the content into a database managed by a website (opensourcegrc.org) running a CakePHP 3 application. For the first phase there will not be any user interface for this website. All of this will be licensed under a GNU or similar fully open-source license (unlike eramba Community or Enterprise).
On eramba we need to build the basic UX to consume this database. The goal is that users can:
1 - Add new items (in the sections where we have templates) based on "Templates".
2 - Get automatic template suggestions for applicable policies and controls based on the compliance item they are editing.
1 - Add from Template
In the sections we have templates for (Controls, Policies and Vendor Assessments) we need to enable, under "Actions", a button called "Add from Template".
When the button is clicked we need a light modal:
Title: Search Online Templates (www.opensourcegrc.org)
Field name: Search by using one or more comma separated tags
Field helper: Enter up to ten comma separated search tags to search for $section in the https://www.opensourcegrc.org public database
The search will launch a REST API call to our platform, which searches by comparing the provided tags against our item tags (all our items include tags).
Note: we need to handle timeouts longer than 10 seconds gracefully.
If something is found, the same modal expands (below the search bar at the top) to list the "name" of each item (note: some sections call the item differently, so of course this needs to be a config setting depending on the modal) along with two buttons:
- Add: this opens what we call in eramba "Quick Add" with all fields pre-completed; the user can edit what they want and add it to their system.
- Preview: this opens a new tab to our website (which won't have a frontend yet…)
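As an added example (not eramba's code and not the opensourcegrc.org API, whose endpoint path, query parameter names and per-section "name" field are assumptions here), this is the client side of the search in Python: the tag field is bounded and validated before it reaches the query string, the request carries a hard timeout, and a slow, failed or malformed answer becomes a status the modal can explain instead of a hung spinner.

```python
"""Client side of the "Add from Template" search against opensourcegrc.org.

Constructed example: the endpoint path, the query parameter names and the
per-section "name" field mapping are assumptions, not the real API.
"""
import json
import socket
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable

TEMPLATE_API = "https://www.opensourcegrc.org/api/templates"  # assumed path
MAX_TAGS = 10          # the field helper allows up to ten tags
MAX_TAG_LENGTH = 64    # assumed cap; keeps the query string bounded
SEARCH_TIMEOUT = 10.0  # seconds; a longer wait is reported, not hung on

# Each section names its items differently, so the label field is
# per-section configuration (assumed section keys and field names).
SECTION_NAME_FIELD = {
    "controls": "name",
    "policies": "title",
    "vendor_assessments": "name",
}

ALLOWED_TAG_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789 -_.")


def parse_search_tags(raw: str) -> list:
    """Turn the free-text field into a bounded, normalised list of tags.

    Rejects bad input instead of silently truncating it, so the user sees
    why the search did not run. Raises ValueError on any violation.
    """
    tags = []
    for piece in raw.split(","):
        tag = " ".join(piece.split()).lower()  # trim and collapse whitespace
        if not tag:
            continue  # "pci,,iso" is tolerated
        if len(tag) > MAX_TAG_LENGTH:
            raise ValueError("tag too long: %r" % tag)
        if not set(tag) <= ALLOWED_TAG_CHARS:
            raise ValueError("tag contains unsupported characters: %r" % tag)
        if tag not in tags:
            tags.append(tag)  # de-duplicate, keeping the user's order
    if not tags:
        raise ValueError("enter at least one tag")
    if len(tags) > MAX_TAGS:
        raise ValueError("at most %d tags are allowed" % MAX_TAGS)
    return tags


def build_search_url(section: str, tags: list) -> str:
    """Compose the GET URL; urlencode escapes spaces and reserved characters."""
    if section not in SECTION_NAME_FIELD:
        raise ValueError("no template catalogue for section %r" % section)
    query = urllib.parse.urlencode({"section": section, "tags": ",".join(tags)})
    return "%s?%s" % (TEMPLATE_API, query)


def urllib_fetch(url: str, timeout: float) -> str:
    """Default fetcher: HTTPS GET with a hard socket timeout."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.URLError as exc:
        # A connect timeout surfaces wrapped in URLError; normalise it.
        if isinstance(exc.reason, socket.timeout):
            raise TimeoutError(str(exc)) from exc
        raise


def search_templates(section: str, raw_tags: str,
                     fetch: Callable[[str, float], str] = urllib_fetch,
                     timeout: float = SEARCH_TIMEOUT) -> dict:
    """Run the modal search and return what the modal should render.

    Result: {"status": "ok"|"empty"|"timeout"|"error", "items": [...]} where
    each item is {"label": ..., "id": ...}. Timeouts and server errors become
    a status the UI can explain rather than an unhandled exception.
    """
    try:
        tags = parse_search_tags(raw_tags)
        url = build_search_url(section, tags)
    except ValueError as exc:
        return {"status": "error", "items": [], "detail": str(exc)}
    try:
        found = json.loads(fetch(url, timeout))
    except (TimeoutError, socket.timeout):
        return {"status": "timeout", "items": [],
                "detail": "opensourcegrc.org did not answer within %.0fs" % timeout}
    except (OSError, ValueError) as exc:
        return {"status": "error", "items": [], "detail": str(exc)}

    name_field = SECTION_NAME_FIELD[section]
    items = []
    for entry in found if isinstance(found, list) else []:
        # Keep only well-formed entries; the remote payload is not trusted blindly.
        if isinstance(entry, dict) and name_field in entry and "id" in entry:
            items.append({"label": str(entry[name_field]), "id": str(entry["id"])})
    return {"status": "ok" if items else "empty", "items": items}
```

The `fetch` parameter exists so the modal logic can be exercised without the network (a stub that raises `TimeoutError` stands in for a slow catalogue); in production the default `urllib_fetch` is used and the "timeout" status is what the modal shows after ten seconds.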
2 - Suggestions from Template
This is likely to work in many other sections, but we'll start with:
- Compliance Management / Compliance Analysis
- Compliance Management / Vendor Assessments
The idea is that we suggest from the database whatever suggestions we have in mind, and if we don't have any we let the user search for whatever they need (using the logic described above).
In the case of Compliance Analysis, when an item is edited (from the modal, not inline edit) we need to send an API request to our database with:
- compliance_package_regulators.(publisher name|name|version|language) + compliance_package.package_id + compliance_package_items.item_id
NOTE: we are currently missing the "compliance_package_regulators.name" field.
We then need to search that against our database, and we need an exact match. We might find something or we might not, and we need to make that clear on the form:
In blue we write: "We found %s suggestions for this item, would you like to see them?" If we did not find anything: "We could not find any suggestion for this item, feel free to search by yourself."
Clicking takes us to the modals described above.
The compliance suggestion is special as it relates to a compliance package, but assets, liabilities, etc. are on other forms, and although we can't search for suggestions there, we can still let the user know we have a database.
In this case we will simply tell our DB "hey, I'm on this modal, let me know how many suggestions you have" so we can put a message under the field.
Suggestions will have to be a setting, as many people might not want to use them. Under System / Settings / Connectors we will list an automatically generated list of modals where we have suggestions enabled and let the user choose whether they want them or not. In the future, in this place we'll also define Web Hooks that will be used by notifications, workflows, dynamic status, etc.
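An added example, not eramba's implementation, of the two suggestion flows above (the exact-match lookup for Compliance Analysis and the count-only hint for the other modals) together with the Connectors setting that gates both. The catalogue rows, modal names, counts and settings keys are constructed sample data; the six identifying fields mirror the columns named in the request above, including the `compliance_package_regulators.name` field that is noted as still missing.

```python
"""Template-suggestion lookup for the compliance analysis modal and the
count-only hint for other modals (assets, liabilities, ...).

Constructed example: the in-memory catalogue, the modal names and the
connector settings are sample data, not eramba's schema or real content.
"""
from dataclasses import dataclass
from typing import Optional

FOUND_MESSAGE = "We found %s suggestions for this item, would you like to see them?"
NOT_FOUND_MESSAGE = ("We could not find any suggestion for this item, "
                     "feel free to search by yourself.")


@dataclass(frozen=True)
class ComplianceItemRef:
    """The fields the modal sends; names mirror the columns in the spec."""
    regulator_publisher: str  # compliance_package_regulators.publisher name
    regulator_name: str       # compliance_package_regulators.name (still missing in eramba)
    regulator_version: str    # compliance_package_regulators.version
    regulator_language: str   # compliance_package_regulators.language
    package_id: str           # compliance_package.package_id
    item_id: str              # compliance_package_items.item_id

    def key(self) -> tuple:
        """Exact-match key: every field must be present; surrounding whitespace
        is trimmed, but no case folding or fuzzy matching is applied."""
        values = (self.regulator_publisher, self.regulator_name,
                  self.regulator_version, self.regulator_language,
                  self.package_id, self.item_id)
        cleaned = tuple(v.strip() for v in values)
        if any(not v for v in cleaned):
            raise ValueError("all six identifying fields are required for an exact match")
        return cleaned


# Constructed catalogue: exact key -> suggested templates (sample content).
SUGGESTION_DB = {
    ("PCI SSC", "PCI DSS", "3.2.1", "en", "pci-dss-3-2-1", "1.2"): [
        {"type": "control", "name": "Firewall rule set review"},
        {"type": "policy", "name": "Network security policy"},
    ],
    ("ISO", "ISO/IEC 27001", "2013", "en", "iso27001-2013", "A.9.2.1"): [
        {"type": "control", "name": "User registration and de-registration"},
    ],
}

# Constructed per-modal counts for forms that can only ask "how many?".
MODAL_SUGGESTION_COUNTS = {"assets": 12, "liabilities": 4, "third_parties": 6}

# System / Settings / Connectors: which modals have suggestions switched on
# (constructed; the real list would be generated from the modals that exist).
CONNECTOR_SETTINGS = {
    "compliance_analysis": True,
    "vendor_assessments": True,
    "assets": True,
    "liabilities": False,
    "third_parties": True,
}


def find_suggestions(ref: ComplianceItemRef, db=SUGGESTION_DB) -> list:
    """Exact lookup; an unknown key is an empty result, not an error."""
    return list(db.get(ref.key(), []))


def suggestion_message(count: int) -> str:
    """The blue text shown under the item being edited."""
    return FOUND_MESSAGE % count if count > 0 else NOT_FOUND_MESSAGE


def compliance_form_hint(ref: ComplianceItemRef,
                         settings=CONNECTOR_SETTINGS, db=SUGGESTION_DB) -> Optional[str]:
    """None when the connector is disabled, otherwise the message to render."""
    if not settings.get("compliance_analysis", False):
        return None
    return suggestion_message(len(find_suggestions(ref, db)))


def modal_count_hint(modal: str, settings=CONNECTOR_SETTINGS,
                     counts=MODAL_SUGGESTION_COUNTS) -> Optional[str]:
    """For assets, liabilities, etc.: only a count is available, and only
    when the user left that modal enabled under Connectors."""
    if not settings.get(modal, False):
        return None
    return suggestion_message(counts.get(modal, 0))
```

Two design points worth keeping when this is wired to the real catalogue: the lookup refuses to run with a missing field rather than matching on a partial key (which is why the missing regulator name matters), and a disabled connector returns `None` so the form renders nothing at all, rather than a "no suggestions" message that would suggest the lookup still happened.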