jezcaudle/rails-caf
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Learning loads about YAML and now it's working - sort of.

Browse Source
This commit is contained in:
Jez Caudle 2023-01-29 18:56:01 +00:00
parent 7c0681314d
commit 148ef4efdd
6 changed files with 198 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/home_controller.rb
View File

@ -2,7 +2,7 @@ class HomeController < ApplicationController
def index def index
if user_signed_in? if user_signed_in?
if current_user.admin? if current_user.admin?
@file = YAML.load_file(Rails.root.to_s + '/config/caf_text.yml')
else else
end end
end end

3
app/views/home/index.html.erb
View File

@ -28,6 +28,9 @@ Not Signed in.
<%= link_to "Add User" %> <%= link_to "Add User" %>
</p> </p>
<% @file["objectives"].each do |key, value| %>
<p><%= key%>:<%=value%></p>
<% end %>
<% end %> <% end %>
<% if current_user.user? %> <% if current_user.user? %>

137
config/caf_text.yml Normal file
View File

@ -0,0 +1,137 @@
objectives:
- objective:
name: Objective A - Managing security risk
description: Appropriate organisational structures, policies, and processes in place to understand, access and systematically manage security risks to the network and information systems supporting essential functions.
principles:
- principle:
name: A1 Governance
description: The organisation has appropriate management policies and processes in place to govern its approach to the security of network and information systems.
sub-principles:
- sub-principle:
name: A1.a Board Direction
description: You have effective organisational security management led at board level and articulated clearly in corresponding policies.
subprincipleitemgroups:
- subprincipleitemgroup:
type: Not
condition: At least one
subprincipleitem:
- The security of network and information systems related to the operation of essential functions is not discussed or reported on regularly at board-level.
- Board-level discussions on the security of networks and information systems are based on partial or out-of-date information, without the benefit of expert guidance.
- The security of networks and information systems supporting your essential functions are not driven effectively by the direction set at board level.
- Senior management or other pockets of the organisation consider themselves exempt from some policies or expect special accommodations to be made.
- subprincipleitemgroup:
type: Achieved
condition: All
subprincipleitem:
- Your organisation's approach and policy relating to the security of networks and information systems supporting the operation of essential functions are owned and managed at board level. These are communicated, in a meaningful way, to risk management decision-makers across the organisation.
- Regular board discussions on the security of network and information systems supporting the operation of your essential function take place, based on timely and accurate information and informed by expert guidance.
- There is a board-level individual who has overall accountability for the security of networks and information systems and drives regular discussion at board-level.
- Direction set at board level is translated into effective organisational practices that direct and control the security of the networks and information systems supporting your essential function.
- sub-principle:
name: A1.b Roles and Responsibilities
description: Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.
subprincipleitemgroups:
- subprincipleitemgroup:
type: Not
condition: At least one
subprincipleitem:
- Key roles are missing, left vacant, or fulfilled on an ad-hoc or informal basis.
- Staff are assigned security responsibilities but without adequate authority or resources to fulfil them.
- Staff are unsure what their responsibilities are for the security of the essential function.
- subprincipleitemgroup:
type: Achieved
condition: All
subprincipleitem:
- Necessary roles and responsibilities for the security of networks and information systems supporting your essential function have been identified. These are reviewed periodically to ensure they remain fit for purpose.
- Appropriately capable and knowledgeable staff fill those roles and are given the time, authority, and resources to carry out their duties.
- There is clarity on who in your organisation has overall accountability for the security of the networks and information systems supporting your essential function.
- sub-principle:
name: A1.c Decision-making
description: You have senior-level accountability for the security of networks and information systems, and delegate decision-making authority appropriately and effectively. Risks tonetwork and information systems related to the operation of essential functions areconsidered in the context of other organisational risks.
subprincipleitemgroups:
- subprincipleitemgroup:
type: Not
condition: At least one
subprincipleitem:
- What should be relatively straightforward risk decisions are constantly referred up the chain, or not made.
- Risks are resolved informally (or ignored) at a local level when the use of a more formal risk reporting mechanism would be more appropriate.
- Decision-makers are unsure of what senior management's risk appetite is, or only understand it in vague terms such as "averse" or "cautious".
- Organisational structure causes risk decisions to be made in isolation. (e.g. engineering and IT don't talk to each other about risk).
- Risk priorities are too vague to make meaningful distinctions between them. (e.g. almost all risks are rated 'medium' or 'amber').
- subprincipleitemgroup:
type: Achieved
condition: All
subprincipleitem:
- Senior management have visibility of key risk decisions made throughout the organisation.
- Risk management decision-makers understand their responsibilities for making effective and timely decisions in the context of the risk appetite regarding the essential function, as set by senior management.
- Risk management decision-making is delegated and escalated where necessary, across the organisation, to people who have the skills, knowledge, tools, and authority they need.
- Risk management decisions are periodically reviewed to ensure their continued relevance and validity.
- principle:
name: A2Risk Management
description: The organisation takes appropriate steps to identify, assess and understand security risks to the network and information systems supporting the operation of essential functions. This includes an overall organisational approach to risk management.
sub-principles:
- sub-principle:
name: A2.a Risk Management Process
description: Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.
subprincipleitemgroups:
- subprincipalitemgroup:
type: Not
condition: At least one
subprincipleitem:
- Risk assessments are not based on a clearly defined set of threat assumptions.
- Risk assessment outputs are too complex or unwieldy to be consumed by decision-makers and are not effectively communicated in a clear and timely manner.
- Risk assessments for critical systems are a "one-off" activity (or not done at all).
- The security elements of projects or programmes are solely dependent on the completion of a risk management assessment without any regard to the outcomes.
- There is no systematic process in place to ensure that identified security risks are managed effectively.
- Systems are assessed in isolation, without consideration of dependencies and interactions with other systems. (e.g. interactions between IT and OT environments).
- Security requirements and mitigation's are arbitrary or are applied from a control catalogue without consideration of how they contribute to the security of the essential function.
- Risks remain unresolved on a register for prolonged periods of time awaiting senior decision-making or resource allocation to resolve.
- subprincipalitemgroup:
type: Partially
condition: All
subprincipleitem:
- Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.
- Your risk assessments are informed by an understanding of the vulnerabilities in the networks and information systems supporting your essential function.
- The output from your risk management process is a clear set of security requirements that will address the risks in line with your organisational approach to security.
- Significant conclusions reached in the course of your risk management process are communicated to key security decision-makers and accountable individuals.
- You conduct risk assessments when significant events potentially affect the essential function, such as replacing a system or a change in the cyber security threat.
- You perform threat analysis and understand how generic threats apply to your organisation.
- subprincipleitemgroup:
type: Achieved
condition: All
subprincipleitem:
- Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.
- Your approach to risk is focused on the possibility of adverse impact to your essential function, leading to a detailed understanding of how such impact might arise as a consequence of possible attacker actions and the security properties of your networks and information systems.
- Your risk assessments are based on a clearly understood set of threat assumptions, informed by an up-to-date understanding of security threats to your essential function and your sector.
- Your risk assessments are informed by an understanding of the vulnerabilities in the networks and information systems supporting your essential function.
- The output from your risk management process is a clear set of security requirements that will address the risks in line with your organisational approach to security.
- Significant conclusions reached in the course of your risk management process are communicated to key security decision-makers and accountable individuals.
- Your risk assessments are dynamic and updated in the light of relevant changes which may include technical changes to networks and information systems, change of use and new threat information.
- The effectiveness of your risk management process is reviewed periodically, and improvements made as required.
- You perform detailed threat analysis and understand how this applies to your organisation in the context of the threat to your sector and the wider CNI.
- sub-principle:
name: A2.b Assurance
description: You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to essential functions.
subprincipleitemgroups:
- subprincipleitemgroup:
type: Not
condition: At least one
subprincipalitem:
- A particular product or service is seen as a "silver bullet" and vendor claims are taken at face value.
- Assurance methods are applied without appreciation of their strengths and limitations, such as the risks of penetration testing in operational environments.
- Assurance is assumed because there have been no known problems to date.
- subprincipleitemgroup:
type: Achieved
condition: All
subprincipleitem:
- You validate that the security measures in place to protect the networks and information systems are effective and remain effective for the lifetime over which they are needed.
- You understand the assurance methods available to you and choose appropriate methods to gain confidence in the security of essential functions.
- Your confidence in the security as it relates to your technology, people, and processes can be justified to, and verified by, a third party.
- Security deficiencies uncovered by assurance activities are assessed, prioritised and remedied when necessary in a timely and effective way.
- The methods used for assurance are reviewed to ensure they are working as intended and remain the most appropriate method to use.
- objective: Objective B - Protecting against cyber attack
- objective: Objective C - Detecting cyber security events
- objective: Objective D - Minimising the impact of cyber security incidents

50
config/caftest.yml Normal file
View File

@ -0,0 +1,50 @@
objectives:
# - objective:
# name: Risk
# description: Appropriate org structures etc
# principle:
# name: A1 Governance
# description: Governance description
# - sub-principle:
# name: one
# description: one
# - sub-principle:
# name: two
# description: two
#
#
# - objective:
# name: Obj2
# description: desc2
# - objective:
# name: Obj3
# description: desc3
- objective:
name: obj1
description: obj1 desc
principles:
- principle:
name: A1
description: A1 Desc
- principle:
name: A2
description: A2 Desc
columns:
- name: id
tests: # this block
- unique
- not_null
- name: col_a
- name: col_b
- objective:
name: obj2
description: obj2 desc
columns:
- name: id
tests: # is repeated down here
- unique
- not_null
- name: col_c
- name: col_d

5
db/migrate/20230127131552_add_condition_to_sub_principal_item_groups.rb Normal file
View File

@ -0,0 +1,5 @@
class AddConditionToSubPrincipalItemGroups < ActiveRecord::Migration[7.0]
def change
add_column :subprincipleitemgroups, :condition, :string
end
end

3
db/schema.rb generated
View File

@ -10,7 +10,7 @@
# #
# It's strongly recommended that you check this file into your version control system. # It's strongly recommended that you check this file into your version control system.
ActiveRecord::Schema[7.0].define(version: 2023_01_27_095856) do ActiveRecord::Schema[7.0].define(version: 2023_01_27_131552) do
create_table "action_text_rich_texts", charset: "utf8mb4", force: :cascade do |t| create_table "action_text_rich_texts", charset: "utf8mb4", force: :cascade do |t|
t.string "name", null: false t.string "name", null: false
t.text "body", size: :long t.text "body", size: :long
@ -95,6 +95,7 @@ ActiveRecord::Schema[7.0].define(version: 2023_01_27_095856) do
t.string "type" t.string "type"
t.datetime "created_at", null: false t.datetime "created_at", null: false
t.datetime "updated_at", null: false t.datetime "updated_at", null: false
t.string "condition"
t.index ["subprinciple_id"], name: "index_subprincipleitemgroups_on_subprinciple_id" t.index ["subprinciple_id"], name: "index_subprincipleitemgroups_on_subprinciple_id"
end end