Right now I’m a little confused. What is the aim of the field “current compliant status”? The helptext says the following, which is reasonable to me, I would set to “compliant” and set in turn the compliance efficacy to 10 %.
But now in the Mitigation Tab we have the following helptext, which tells me the contrary:
What is the preferred way to input in Eramba if we are not yet compliant but want to be?
This has come up a few times so is evidently not clear, our intention was to document:
- what your intention is (the current compliance status…which is wrongly named…it should be “Strategy”)
- what you use to deal with that intention (controls, policies, projects, etc)
- how you actually are doing (the status of the control, policies etc)
we need to clear up this a little bit … https://github.com/eramba/eramba_v2/issues/2158
does my explanation help to understand?
Yes it does, thanks. So the text for the “compliance status” is correct but it should be adjusted in the mitigation tab.
This way it absolutely makes sense.
for: Compliance Strategy
Select one or more controls (from Control Catalogue / Security Services) used to mitigate this compliance requirement. If you havent got controls you can still select mitigation policies or alternatively, set this requirement as “Not Compliant” and create a “Mitigation Project”
Select one or more controls (from Control Catalogue / Security Services) used to mitigate this compliance requirement.