Question - Compliance Status compliant vs. not compliant

Hi

Right now I’m a little confused. What is the aim of the field “current compliant status”? The helptext says the following, which is reasonable to me, I would set to “compliant” and set in turn the compliance efficacy to 10 %.

But now in the Mitigation Tab we have the following helptext, which tells me the contrary:

What is the preferred way to input in Eramba if we are not yet compliant but want to be?

Regards
Fabian

This has come up a few times so is evidently not clear, our intention was to document:

  • what your intention is (the current compliance status…which is wrongly named…it should be “Strategy”)
  • what you use to deal with that intention (controls, policies, projects, etc)
  • how you actually are doing (the status of the control, policies etc)

we need to clear this up a little bit … https://github.com/eramba/eramba_v2/issues/2158

does my explanation help to understand?

Yes it does, thanks. So the text for the “compliance status” is correct but it should be adjusted in the mitigation tab.

This way it absolutely makes sense.

Changes:

for: Compliance Strategy

Change:
Select one or more controls (from Control Catalogue / Security Services) used to mitigate this compliance requirement. If you haven't got controls you can still select mitigation policies or alternatively, set this requirement as “Not Compliant” and create a “Mitigation Project”

For:
Select one or more controls (from Control Catalogue / Security Services) used to mitigate this compliance requirement.