Feature - opensourcegrc.org (wikipedia of grc)

Many people have asked us to provide template controls, policies, compliance requirements and their associated mappings with ISO, NIST, CIS, etc.

We will start this year a small side project that will hopefully use the community to build such content and distribute it under open-source licences. We will provide the software that will be used (a bit like Wikipedia) to regulate the content and its quality.

eramba, and any other tool or person, will be able to consume this content using programmatic (API, etc.) or “download” tools.

We just purchased opensourcegrc.(com|org|net) to run this project. We are not really good at driving communities, but I guess we’ll need to learn :slight_smile:


We are starting to document ideas in these slides: https://docs.google.com/presentation/d/1CXVWF-VvNPftTEwz29-0cSIPaVWjhavxiEzlHKy-cjk/edit?usp=sharing

A good start would be the open-source HITRUST policies from Datica on GitHub.

Can you share the URL?
Thanks!

Looks really OK! We’ll reach out to them, many thanks :slight_smile:

We are actually in the process of implementing their policies in eramba. We are having some difficulty extracting the controls from the policies at the moment.

The only thing eramba doesn’t have that’s missing is a request tracker with custom fields. We are using Google Forms to log requests right now (i.e. access requests, audit requests, etc.).

Creating controls is a bit of an art. We made many mistakes in the past until we found a way that worked best for us. You can watch this video (a very boring one) that shows how we do compliance:

We don’t have many things… but thank you for the diplomacy :slight_smile:

This is a bit like a service desk portal? Companies use Remedy, etc., that kind of thing. But maybe I’m not understanding the challenge well?


It is a bit like a service desk portal, but it tends to be more specific than that for audit-related tasks. For many of our clients, we typically jump on whatever service desk they’re using (Zendesk, JIRA, custom made, etc.) and use that to help them implement their new controls, a prime example being new user access requests. These are controls that are performed in an ad hoc manner but often have a set of required attributes that need to be recorded and an approval workflow that needs to occur in order to satisfy future audit requests about the new user process. The downside of the service desk systems is that they typically have very few guardrails to enforce the process flow, resulting in issues down the road.

Extending the new user thought for a bit, it’s a natural extension of the user account reviews functionality. It could allow linkage for user accounts being reviewed back to the original request for access (or access changes) to provide a clear trail of who authorized what access and when. It could be proactive and flag accounts created without an authorization.

The same workflow/service desk engine can be used for a variety of processes: managing change control and any other ad hoc process that requires a specific set of attributes to be included and some approvals.


This is a pretty good explanation of the requirement and the benefits of this approach. In our use case, we use eramba as the single source of truth and try to avoid linking to external systems to reduce complexity.

For it to work for most use cases, there would be a need for a workflow manager that could model approvals and changes.


We were able to accomplish this using UCF’s Common Control Hub (it maps the controls).
In its basic form, you can consult it freely and some of the information is available online.
In the paid version, it proposes standards, policies and audit methods, and creates exportable versions of the mappings.
Some overly priced commercial products have API connectivity with the hub.

Using the Compliance Packages and the UCF controls (partial screenshot of what we have)

The internal controls page will display something like this (to save columns, the package name is included in the Item ID):

The compliance analysis page:

Ha! I just noticed this post, Rene! How cool. If you have some time one of these weeks, could you show me how you used UCF? I’ll drop you a quick email over support if you don’t mind.

Sure, I can usually be available between 7am and 9am Eastern (MTL); that way it won’t be too late for you… or too early for me.

I am currently looking at using issues on controls as a “ticketing system”. Since they are directly linked to the control, it’s perfect to record additional events/objects (i.e. audit report requests received). My only problem is that custom fields and notifications are not enabled on this page. Is this something we can enable quickly (I don’t mind patching the code myself)?

We will start working on the project next week once we complete release (e|c)2.8.0. The plan for the first release of this platform will be:

  • A catalogue (templates) of:
    • internal controls (control catalogue / internal controls) and policies (control catalogue / policies). They will already hold relationships to popular compliance requirements (we’ll start with PCI, ISO27k, CyberSecurity and CIS).
    • vendor assessments (compliance management / vendor assessments), assets (asset management / asset identification), liabilities (organization / liabilities) and third parties (organization / third party), which will not have any initial linkage to start with but will be helpful for the user as inspiration.

This catalogue content will be initially funded by eramba (in the future, expanded and improved by the community). We’ll load all the content into a database which will be managed by a website (opensourcegrc.org) running a Cake3 application. For the first phase there will not be any user interface for this website. This will all be licenced under GNU or a similar fully open-source licence (not the case for eramba community or enterprise).

On eramba we need to build the basic UX to consume this database. The goal is that users can:

1- Add new items (on the sections where we have templates) based on “Templates”.
2- Get automatic template suggestions on applicable policies and controls based on the compliance item they are editing.


1 - Add from Template
On the sections we have templates for (Controls, Policies and Vendor Assessments) we need to enable, under “Actions”, a button called “Add from Template”.

When the button is clicked we need a light modal:

Title: Search Online Templates (www.opensourcegrc.org)
Field name: Search by using one or more comma-separated tags
Field helper: Enter up to ten comma-separated search tags to search for $section in the https://www.opensourcegrc.org public database

The search will launch a REST API call to our platform and search by comparing the provided tags against our item tags (all our items include tags).

Note: we need to handle timeouts longer than 10 seconds elegantly.

If something is found, the same modal expands (with the search bar at the top) by listing the “name” of the item (note: some sections call the item differently, so of course this needs to be a config setting depending on the modal) and two buttons:

  • Add: this opens what we call in eramba “Quick Add” with all fields pre-completed; the user can edit what they want and add it to their system
  • Preview: this opens a new tab to our website (which won’t have a frontend yet…)

2 - Suggestions from Template

This is likely to work on many other sections, but we’ll start with:

  • Compliance Management / Compliance Analysis
  • Compliance Management / Vendor Assessments

The idea is that we suggest from the database what suggestions we have in mind, and if we don’t have any we let them search for whatever they need (we use the logic described above).

In the case of compliance analysis, when an item is edited (from modal, not inline edit) we need to send an API request to our database with:

  • compliance_package_regulators.(publisher name|name|version|language) + compliance_package.package_id + compliance_package_items.item_id

NOTE: we miss the “compliance_package_regulators.name” field currently

We then need to search that against our database; we need an exact match… we might find something or we might not. We need to make that clear on the form:

In blue we write: “We found %s suggestions for this item, would you like to see them?”… if we did not find anything: “We could not find any suggestion for this item, feel free to search by yourself.”

Clicking takes us to the modals described above.

The compliance suggestion is special as it relates to a compliance package… but assets, liabilities, etc. are on other forms, and although we can’t search for suggestions, we can anyway let them know we have a database.

In this case we will simply tell our DB: hey, I’m on this modal, let me know how many suggestions you have so I can put a message under the field.

Suggestions will have to be a setting as many people might not want to use them. Under System / Settings / Connectors we will list an automatic list of modals where we have suggestions enabled and we’ll let the user choose if they want them or not. In the future, in this place we’ll also define Web Hooks that will be used by notifications, workflows, dynamic status, etc.

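The two lookups the plan above describes (the tag search behind “Add from Template”, and the exact-match suggestion count for a compliance analysis item), as an added, runnable Python example. This is not eramba’s or opensourcegrc.org’s code: the real integration would live in eramba’s CakePHP code and call the opensourcegrc.org REST API, which did not exist yet when the plan was written. The catalogue entries, the PCI-style compliance item, the suggestion table and the “never answers” transport are constructed stand-ins, and all function and attribute names are assumptions.

```python
"""Added example, not code from eramba or opensourcegrc.org.
Models the two lookups from the plan above against a constructed, offline
catalogue: a tag search for "Add from Template" and an exact-match suggestion
lookup keyed by the compliance item identity the post lists."""
from __future__ import annotations

from dataclasses import dataclass

MAX_TAGS = 10          # the form accepts "up to ten comma separated search tags"
TIMEOUT_SECONDS = 10   # timeouts longer than this must be handled elegantly

# Constructed sample catalogue standing in for the opensourcegrc.org database.
# Every item carries tags, which is what the search compares against.
CATALOGUE = [
    {"section": "controls", "name": "Access review",
     "tags": {"access", "review", "iam"}},
    {"section": "controls", "name": "Firewall rule review",
     "tags": {"firewall", "network", "review"}},
    {"section": "policies", "name": "Access control policy",
     "tags": {"access", "policy"}},
]


@dataclass(frozen=True)
class ComplianceItem:
    """The fields the post sends for a compliance analysis item
    (hypothetical attribute names; sample values below are constructed)."""
    publisher: str
    name: str
    version: str
    language: str
    package_id: str
    item_id: str


# Constructed suggestion table keyed by the full identity tuple, so a different
# version or language of the same package deliberately finds nothing.
SUGGESTIONS = {
    ("PCI SSC", "PCI DSS", "3.2.1", "en", "PCI-DSS", "7.1"):
        ["Access review", "Access control policy"],
}


def parse_tags(raw: str) -> list[str]:
    """Split the comma-separated search field, normalise case and whitespace,
    drop empties and duplicates, and enforce the ten-tag limit."""
    tags: list[str] = []
    for piece in raw.split(","):
        tag = piece.strip().lower()
        if tag and tag not in tags:
            tags.append(tag)
    if len(tags) > MAX_TAGS:
        raise ValueError(f"at most {MAX_TAGS} tags allowed, got {len(tags)}")
    return tags


def search_templates(section: str, raw_tags: str) -> list[dict]:
    """Server side of the 'Add from Template' search: items of the requested
    section sharing at least one tag, most overlapping tags first."""
    wanted = set(parse_tags(raw_tags))
    scored = []
    for item in CATALOGUE:
        if item["section"] != section:
            continue
        overlap = len(wanted & item["tags"])
        if overlap:
            scored.append((overlap, item))
    scored.sort(key=lambda pair: (-pair[0], pair[1]["name"]))
    return [item for _, item in scored]


def count_suggestions(item: ComplianceItem) -> int:
    """Exact match on the whole identity tuple, as the post requires."""
    key = (item.publisher, item.name, item.version,
           item.language, item.package_id, item.item_id)
    return len(SUGGESTIONS.get(key, []))


def suggestion_message(item: ComplianceItem) -> str:
    """The text shown under the field, in the two wordings the post gives."""
    found = count_suggestions(item)
    if found:
        return f"We found {found} suggestions for this item, would you like to see them?"
    return "We could not find any suggestion for this item, feel free to search by yourself."


def fetch_with_timeout(call, timeout: float = TIMEOUT_SECONDS) -> dict:
    """Client-side wrapper: a slow or unreachable catalogue degrades to an
    empty result plus a message instead of breaking the modal. `call` is any
    callable taking the timeout, e.g. an HTTP request (none is made here)."""
    try:
        return {"ok": True, "results": call(timeout), "error": None}
    except (TimeoutError, ConnectionError, OSError) as exc:
        return {"ok": False, "results": [],
                "error": f"opensourcegrc.org did not answer within {timeout}s "
                         f"({type(exc).__name__})"}


def never_answers(timeout: float):
    """Constructed transport that simulates a catalogue that never replies."""
    raise TimeoutError("simulated")


if __name__ == "__main__":
    print(search_templates("controls", "access, REVIEW"))
    print(suggestion_message(ComplianceItem("PCI SSC", "PCI DSS", "3.2.1",
                                            "en", "PCI-DSS", "7.1")))
    print(fetch_with_timeout(never_answers))
```

The ranking by tag overlap and the case-insensitive tag parsing are design choices of this example, not anything the plan specifies; the exact-match rule for suggestions and the two message wordings are taken from the post as written.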

Update: https://www.linkedin.com/posts/eramba_we-are-testing-the-first-version-of-eramba-activity-6610191361306054656-A3JR

Is there already some content? I have tried to get templates in the internal controls section, but I only got back an error:
“The requested address ‘/templates/templates/getResults/SecurityService’ was not found on this server or you don’t have access to go there.”

I first blamed our firewall guys, but it seems OK there.

Hello Fabian,

This feature is still a beta version; it contains only a few items (compliance packages, if I remember correctly).

Go to System / Settings / Access Lists and make sure all access lists are “complete” and no “missing” ones are there. Please let us know if there were any missing ones.

Then try again…

regards,
esteban