Feature - opensourcegrc.org (wikipedia of grc)

We are actually in the process of implementing their policies in eramba. We are having some difficulty extracting the controls from the policies at the moment.

The only thing eramba doesn't have that's missing is a request tracker with custom fields. We are using a Google Form to log requests right now (i.e. access requests, audit requests, etc.).

Creating controls is a bit of an art - we made many mistakes in the past until we found a way that worked best for us. You can watch this video (a very boring one) that shows how we do compliance:

We don't have many things… but thank you for the diplomacy :slight_smile:

This is a bit like a service desk portal? Companies use Remedy, etc., that kind of thing, but maybe I'm not understanding the challenge well?

It is a bit like a service desk portal, but it tends to be more specific than that for audit related tasks. For many of our clients, we typically jump on whatever service desk they're using (Zendesk, JIRA, custom made, etc.) and use that to help them implement their new controls, with a prime example being new user access requests. These are controls that are performed in an ad hoc manner but often have a set of required attributes that need to be recorded and an approval workflow to occur in order to satisfy future audit requests about the new user process. The downside of the service desk systems is that they typically have very few guardrails to enforce the process flow, resulting in issues down the road.

Extending the new user thought for a bit, it’s a natural extension of the user account reviews functionality. It could allow linkage for user accounts being reviewed back to the original request for access (or access changes) to provide a clear trail of who authorized what access and when. It could be proactive and flag accounts created without an authorization.

The same workflow/service desk engine can be used for a variety of processes - managing change control and any other ad hoc process that requires a specific set of attributes to be included and some approvals.

1 Like

This is a pretty good explanation of the requirement and the benefits of this approach. In our use case, we use eramba as the single source of truth and try to avoid linking to external systems to reduce complexity.

For it to work for most use cases, there would be a need for a workflow manager that could model approvals and changes.

We were able to accomplish this using UCF's Common Control Hub (it maps the controls).
In its basic form, you can consult it freely and some of the information is available online.
The paid version proposes standards, policies and audit methods, and creates exportable versions of the mappings.
Some overly priced commercial products have API connectivity with the hub.

Using the Compliance Packages and the UCF controls (partial screenshot of what we have)

The internal controls page will display something like this (to save columns, the package name is included in the Item ID):

The compliance analysis page:

Ha! I just noticed this post Rene! How cool. If you have some time one of these weeks, could you show me how you used UCF? I'll drop you a quick email over support if you don't mind.

Sure, I can usually be available between 7am and 9am (Eastern, MTL); that way it won't be too late for you… or too early for me.

I am currently looking at using issues on controls as a "ticketing system". Since they are directly linked to the control, it's perfect to record additional events/objects (i.e. audit report requests received). My only problem is that custom fields and notifications are not enabled on this page. Is this something we can enable quickly (I don't mind patching the code myself)?

We will start working on the project next week once we complete release (e|c)2.8.0. The plan for the first release of this platform will be:

  • A catalogue (templates) of:
    • internal controls (control catalogue/internal controls) and policies (control catalogue / policies). They will already hold relationships to popular compliance requirements (we'll start with PCI, ISO27k, CyberSecurity and CIS).
    • Vendor Assessment (compliance management / vendor assessments), assets (Asset Management /Asset Identification), liabilities (organization/liabilities) and third parties (organization/third party) which will not have any initial linkage to start with but will be helpful for the user as inspiration.

This catalogue content will be initially funded by eramba (in the future, expanded and improved by the community). We'll load all the content into a database which will be managed by a website (opensourcegrc.org) running a cake3 application. For the first phase there will not be any user interface for this website. This will all be licensed under GNU or a similar fully open-source license (not the case for eramba community or enterprise).

On eramba we need to build the basic UX to consume this database. The goal is that users can:

1- Add new items (on the sections we have templates for) based on "Templates".
2- Get automatic template suggestions on applicable policies and controls based on the compliance item they are editing.

1 - Add from Template
On the sections we have templates for (Controls, Policies and Vendor Assessments) we need to enable under "Actions" a button called "Add from Template".

When the button is clicked we need a light modal:

Title: Search Online Templates (www.opensourcegrc.org)
Field name: Search by using one or more comma separated tag
Field helper: Introduce up to ten comma separated search tags to search for $section at https://www.opensourcegrc.org public database

The search will launch a REST API call to our platform and search by comparing the provided tags against our item tags (all our items include tags).

Note: we need to handle timeouts larger than 10 seconds elegantly.

If something is found, the same modal expands (the search bar at the top) by listing the "name" of the item (note: some sections call the item differently… so of course this needs to be a config setting depending on the modal) and two buttons:

  • Add: this opens what we call in eramba "Quick Add" with all fields pre-completed; the user can edit what they want and add it to their system
  • Preview: this opens a new tab to our website (which won't have a frontend yet…)

2 - Suggestions from Template

This is likely to work on many other sections, but we’ll start with:

  • Compliance Management / Compliance Analysis
  • Compliance Management / Vendor Assessments

The idea is that we suggest from the database whatever suggestions we have in mind, and if we don't have any we let them search for whatever they need (we use the logic described above).

In the case of compliance analysis, when an item is edited (from modal, not inline edit) we need to send an API request to our database with:

  • compliance_package_regulators.(publisher name|name|version|language) + compliance_package.package_id + compliance_package_items.item_id

NOTE: we are currently missing the "compliance_package_regulators.name" field.

We then need to search that against our database; we need an exact match… we might find something or we might not. We need to make that clear on the form:

In blue we write: "We found %s suggestions for this item, would you like to see them?" … and if we did not find anything: "We could not find any suggestion for this item, feel free to search by yourself."

Clicking takes us to the modals described above.

The compliance suggestion is special as it relates to a compliance package… but assets, liabilities, etc. are on other forms, and although we can't search for suggestions there we can anyway let them know we have a database.

In this case we will simply tell our DB: "hey, I'm on this modal, let me know how many suggestions you have so I can put a message under the field."

Suggestions will have to be a setting as many people might not want to use them. Under System / Settings / Connectors we will list an automatic list of modals where we have suggestions enabled and we'll let the user choose if they want them or not. In the future in this place we'll also define Web Hooks that will be used by notifications, workflows, dynamic status, etc.

1 Like
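To make the two look-ups in the post above concrete (the comma-separated tag search with its ten-tag cap and the exact-match suggestion lookup keyed on the compliance package fields, plus the "handle timeouts elegantly" note), here is an added, self-contained sketch of that matching logic. It is not eramba or opensourcegrc.org code: the catalogue, the section names, the publisher/standard values and every function name are constructed for this example, and the "SecurityService" section label is only borrowed from the error message quoted later in the thread.

```python
"""Template look-up logic as described in the design post (added example;
all names, sample items and compliance references are constructed)."""
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple
import time

MAX_TAGS = 10  # the form allows "up to ten comma separated search tags"


@dataclass(frozen=True)
class ComplianceRef:
    """Exact-match key sent when a compliance analysis item is edited:
    regulator publisher/name/version/language + package id + item id."""
    publisher: str
    name: str
    version: str
    language: str
    package_id: str
    item_id: str


@dataclass(frozen=True)
class Template:
    section: str                       # modal/section the template belongs to (assumed label)
    title: str                         # the "name" shown in the expanded modal
    tags: frozenset                    # every catalogue item carries tags
    mapped_to: Tuple[ComplianceRef, ...] = ()   # compliance items this template satisfies


def parse_tags(raw: str) -> List[str]:
    """Split the comma-separated field, normalise case, drop blanks and
    duplicates, and enforce the ten-tag cap before anything hits the API."""
    tags: List[str] = []
    for part in raw.split(","):
        tag = part.strip().lower()
        if tag and tag not in tags:
            tags.append(tag)
    return tags[:MAX_TAGS]


def search_by_tags(catalogue: Sequence[Template], section: str, raw: str) -> List[str]:
    """Server-side tag search: items of the requested section that share at
    least one tag with the query, ordered by overlap (ties alphabetical)."""
    query = set(parse_tags(raw))
    if not query:
        return []
    scored = []
    for item in catalogue:
        if item.section != section:
            continue
        overlap = len(query & item.tags)
        if overlap:
            scored.append((-overlap, item.title))
    scored.sort()
    return [title for _, title in scored]


def suggestions_for(catalogue: Sequence[Template], ref: ComplianceRef) -> List[str]:
    """Exact match only: a differing version or language yields no suggestion."""
    return [item.title for item in catalogue if ref in item.mapped_to]


def suggestion_banner(count: int) -> str:
    """The two messages the post says the form shows under the field."""
    if count:
        return "We found %s suggestions for this item, would you like to see them?" % count
    return "We could not find any suggestion for this item, feel free to search by yourself."


def call_with_deadline(fn: Callable[[], object], timeout_s: float = 10.0) -> Tuple[str, Optional[object]]:
    """Run a remote look-up with a deadline; a slow backend degrades to a
    ('timeout', None) result instead of hanging the modal or raising."""
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(fn)
    try:
        return ("ok", future.result(timeout=timeout_s))
    except FutureTimeout:
        return ("timeout", None)
    finally:
        pool.shutdown(wait=False)


def slow_call(seconds: float) -> str:
    """Stand-in for a backend that answers late (used to exercise the deadline)."""
    time.sleep(seconds)
    return "done"


# Constructed sample catalogue; publisher/standard values are placeholders.
REQ = ComplianceRef("Example Publisher", "Example Standard", "1.0", "en", "PKG-1", "REQ-7.1")
SAMPLE_CATALOGUE = (
    Template("SecurityService", "Quarterly user access review",
             frozenset({"access", "review", "accounts"}), (REQ,)),
    Template("SecurityService", "Change management approval",
             frozenset({"change", "approval"})),
    Template("Policy", "Access control policy",
             frozenset({"access", "policy"}), (REQ,)),
)

if __name__ == "__main__":
    print(search_by_tags(SAMPLE_CATALOGUE, "SecurityService", "Access, review"))
    hits = suggestions_for(SAMPLE_CATALOGUE, REQ)
    print(suggestion_banner(len(hits)))
    print(call_with_deadline(lambda: slow_call(0.3), timeout_s=0.05))
```

The tag normalisation happens before the request is sent, so a user pasting twelve tags or mixed case gets the same results as a clean query, and the exact-match lookup deliberately treats a different `version` as a miss, which is what the post asks for.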

Update: https://www.linkedin.com/posts/eramba_we-are-testing-the-first-version-of-eramba-activity-6610191361306054656-A3JR

Is there already some content? I have tried to get templates in the internal controls section, but I only got back an error:
"The requested address '/templates/templates/getResults/SecurityService' was not found on this server or you don't have access to go there."

I first blamed our firewall guys, but it seems OK there.

Hello Fabian,

This feature is still in beta; it contains only a few items (compliance packages if I remember correctly).

Go to System / Settings / Access Lists, make sure all access lists are "complete" and no "missing" ones are there. Please let us know if there were any missing ones.

Then try again…

regards,
esteban

Hm, no "missing" here.
But I've just seen in the health check that there is a NOK for read-write permissions of the tmp folder. Might this be the issue? I'll check ASAP.

Edit: checked after giving permissions: same issue. I'll investigate again tomorrow, too many other issues with other systems at the moment…

:frowning:

Let us know over support!!! Good luck Fabian!! Happy new year!!

We have in mind a landing page like this:


  • The top corner describes the logged in user (this is different if the user is not logged in, probably the same but inviting them to create an account)
  • We have three columns:
    • The first has a dropdown with all available compliance packages; the user selects one compliance package and the column is shown… if that package has other compliance packages, a second dropdown is available… the same with a third. When the first package is selected, the list of possible controls and policies is also loaded.
    • The second column has recommended internal controls that are linked to the main compliance package
    • The third recommended policies that are linked to the main compliance package
  • A user can download as CSV:
    • the full table (compliance, controls and policies) where control and policies are only titles
    • the table with the full controls or policies, in this case they download all its details

Mousing over a control or policy opens a dialog with the details of the control and the possibility to download it as a CSV.

Mouse over a compliance package shows details too:

Content is created on the system by using web forms, a bit like eramba has, where the following can be uploaded:

  • compliance packages
  • mapping of compliance packages
  • controls
  • policies (documents)

We will begin by providing forms for controls and policies. Compliance Packages and mappings will come later on. The following fields must be available for the user in each case:

Controls:

  • title
  • objective
  • testing methodology (audit_metric_description)
  • testing success criteria (audit_success_criteria)
  • tags (are they used for the search engine in eramba user interface? if yes, then yes)

Documents:

  • Title
  • Short Description
  • Document Type
  • Content

The problem with documents is the content; we want that to be part of what the users upload to this web and therefore we need a powerful WYSIWYG (no media content allowed). This editor will need to allow users to download this content in Word format (or compatible).

Users will need a way to suggest changes on existing policies, controls, mappings, etc:

  • Something new (a policy, etc)
  • Change something (a correction)
  • Delete something which is wrong

Each case will need to be handled differently. No idea how yet. Users will also need a way to make comments on items. It seems like items can have suggestions and comments attached to them and they should be shown as a list. Wikipedia splits "talks" (comments) from "article changes"… but the UX is hard to follow, at least for me:

New layout: we include "tabs"; the landing page by default falls on the "Compliance" tab.

Policies and Internal Controls have the same layout.

Hello,

Update for this week: we completed the main framework for the portal, the database schema is there and basic relationships too. We loaded the system with a dummy database to get a sense of its usability.


We worked a lot on mappings too, a genuine pain in the ass! But we got where we wanted with a base of mappings which we think are useful:

Today we will include:

  • sorting
  • filters
  • a few fixes on UX

Next week we'll start with account and role management; that will be the launching point for item versioning / comments / discussions, a vital functionality of a Wikipedia-style portal.

Stay tuned!

821 days after coming up with this idea while I was in south Norway doing some customer stuff, I think we can finally call this project a solid beta.

User management, approvals, emails, functional testing, security testing, T&Cs, privacy, basic content all seem to be there and even integration with eramba works… so now it is time to use it and start that even slower process of maturing it at the expense of users' frustrations :slight_smile:

I'll drop an email to the people that registered to let them know about this update.

Many thanks and let's hope this brings some sort of value to the community.