The difference between “related” and “parent” is significant. Is this by design and I’m simply not understanding how these relationships vary depending on the context? Being somewhat new to GRC, this is confusing. I would prefer they be defined consistently across all screens/contexts.
I don’t know the answer here, but from my limited testing it seems like inheritance of properties seems to (only) go one level. I might be mistaken, but that would mean that the things you say are related should actually contain the Legal Constraints (or other stuff) it makes sense to inherit - and not two layers down.
In my view, tracking constraints of child items might not be that relevant - otherwise it would be better to assess the risk on that item instead. So if I have an IT system (i.e. Eramba) deployed on a Platform (i.e. AWS), I would like to inherit the AWS constraints. When assessing AWS, I wouldn’t normally have a scope that includes what is deployed on that platform (maybe that’s just me…).
We basically follow that same path… we were asked many times that a risk that applies to the top asset affects or includes in the risk all children, but although we might include that, it will be an optional flag while creating the risk. The asset module child/parent is going to be oriented to the vulnerabilities features we want to include on the system.