diff --git a/Gemfile b/Gemfile index a9d4b13..a053325 100644 --- a/Gemfile +++ b/Gemfile @@ -4,12 +4,16 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" } gem 'devise' gem 'cancancan' -ruby "3.3.0" +ruby "3.3.5" + +gem 'fiddle' +gem 'ostruct' +gem 'logger' gem "nokogiri", force_ruby_platform: true # Bundle edge Rails instead: gem "rails", github: "rails/rails", branch: "main" -gem "rails", "~> 7.1.3.2" +gem "rails", "~> 7.1.4" # The original asset pipeline for Rails [https://github.com/rails/sprockets-rails] gem "sprockets-rails" diff --git a/Gemfile.lock b/Gemfile.lock index 4f5e77a..4a84382 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,35 +1,35 @@ GEM remote: https://rubygems.org/ specs: - actioncable (7.1.3.2) - actionpack (= 7.1.3.2) - activesupport (= 7.1.3.2) + actioncable (7.1.4) + actionpack (= 7.1.4) + activesupport (= 7.1.4) nio4r (~> 2.0) websocket-driver (>= 0.6.1) zeitwerk (~> 2.6) - actionmailbox (7.1.3.2) - actionpack (= 7.1.3.2) - activejob (= 7.1.3.2) - activerecord (= 7.1.3.2) - activestorage (= 7.1.3.2) - activesupport (= 7.1.3.2) + actionmailbox (7.1.4) + actionpack (= 7.1.4) + activejob (= 7.1.4) + activerecord (= 7.1.4) + activestorage (= 7.1.4) + activesupport (= 7.1.4) mail (>= 2.7.1) net-imap net-pop net-smtp - actionmailer (7.1.3.2) - actionpack (= 7.1.3.2) - actionview (= 7.1.3.2) - activejob (= 7.1.3.2) - activesupport (= 7.1.3.2) + actionmailer (7.1.4) + actionpack (= 7.1.4) + actionview (= 7.1.4) + activejob (= 7.1.4) + activesupport (= 7.1.4) mail (~> 2.5, >= 2.5.4) net-imap net-pop net-smtp rails-dom-testing (~> 2.2) - actionpack (7.1.3.2) - actionview (= 7.1.3.2) - activesupport (= 7.1.3.2) + actionpack (7.1.4) + actionview (= 7.1.4) + activesupport (= 7.1.4) nokogiri (>= 1.8.5) racc rack (>= 2.2.4) 
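Review bot: The three `gem` lines added above `nokogiri` (`fiddle`, `ostruct`, `logger`) carry no version constraint and no comment saying why the application depends on them directly; presumably they are declared to keep them resolvable once they leave Ruby's default gem set, but a reader cannot tell that from the hunk. A one-line comment such as `# Declared explicitly: these stop being default gems in a future Ruby; drop any the app does not actually require` would record the intent. `fiddle` in particular is the libffi binding, so it is worth confirming that something in the app requires it rather than carrying a native-extension dependency only to silence a warning. The Gemfile.lock hunks pin all three, so the missing constraints are not a reproducibility problem on their own.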
@@ -37,35 +37,35 @@ GEM rack-test (>= 0.6.3) rails-dom-testing (~> 2.2) rails-html-sanitizer (~> 1.6) - actiontext (7.1.3.2) - actionpack (= 7.1.3.2) - activerecord (= 7.1.3.2) - activestorage (= 7.1.3.2) - activesupport (= 7.1.3.2) + actiontext (7.1.4) + actionpack (= 7.1.4) + activerecord (= 7.1.4) + activestorage (= 7.1.4) + activesupport (= 7.1.4) globalid (>= 0.6.0) nokogiri (>= 1.8.5) - actionview (7.1.3.2) - activesupport (= 7.1.3.2) + actionview (7.1.4) + activesupport (= 7.1.4) builder (~> 3.1) erubi (~> 1.11) rails-dom-testing (~> 2.2) rails-html-sanitizer (~> 1.6) - activejob (7.1.3.2) - activesupport (= 7.1.3.2) + activejob (7.1.4) + activesupport (= 7.1.4) globalid (>= 0.3.6) - activemodel (7.1.3.2) - activesupport (= 7.1.3.2) - activerecord (7.1.3.2) - activemodel (= 7.1.3.2) - activesupport (= 7.1.3.2) + activemodel (7.1.4) + activesupport (= 7.1.4) + activerecord (7.1.4) + activemodel (= 7.1.4) + activesupport (= 7.1.4) timeout (>= 0.4.0) - activestorage (7.1.3.2) - actionpack (= 7.1.3.2) - activejob (= 7.1.3.2) - activerecord (= 7.1.3.2) - activesupport (= 7.1.3.2) + activestorage (7.1.4) + actionpack (= 7.1.4) + activejob (= 7.1.4) + activerecord (= 7.1.4) + activesupport (= 7.1.4) marcel (~> 1.0) - activesupport (7.1.3.2) + activesupport (7.1.4) base64 bigdecimal concurrent-ruby (~> 1.0, >= 1.0.2) @@ -110,6 +110,7 @@ GEM drb (2.2.1) erubi (1.12.0) ffi (1.16.3) + fiddle (1.1.2) globalid (1.2.1) activesupport (>= 6.1) i18n (1.14.4) @@ -128,6 +129,7 @@ GEM jbuilder (2.11.5) actionview (>= 5.0.0) activesupport (>= 5.0.0) + logger (1.6.1) loofah (2.22.0) crass (~> 1.0.2) nokogiri (>= 1.12.0) @@ -145,7 +147,7 @@ GEM msgpack (1.7.2) mutex_m (0.2.0) mysql2 (0.5.6) - net-imap (0.4.10) + net-imap (0.4.16) date net-protocol net-pop (0.1.2) @@ -159,6 +161,7 @@ GEM mini_portile2 (~> 2.8.2) racc (~> 1.4) orm_adapter (0.5.0) + ostruct (0.6.0) psych (5.1.2) stringio public_suffix (5.0.5) 
@@ -173,20 +176,20 @@ GEM rackup (1.0.0) rack (< 3) webrick - rails (7.1.3.2) - actioncable (= 7.1.3.2) - actionmailbox (= 7.1.3.2) - actionmailer (= 7.1.3.2) - actionpack (= 7.1.3.2) - actiontext (= 7.1.3.2) - actionview (= 7.1.3.2) - activejob (= 7.1.3.2) - activemodel (= 7.1.3.2) - activerecord (= 7.1.3.2) - activestorage (= 7.1.3.2) - activesupport (= 7.1.3.2) + rails (7.1.4) + actioncable (= 7.1.4) + actionmailbox (= 7.1.4) + actionmailer (= 7.1.4) + actionpack (= 7.1.4) + actiontext (= 7.1.4) + actionview (= 7.1.4) + activejob (= 7.1.4) + activemodel (= 7.1.4) + activerecord (= 7.1.4) + activestorage (= 7.1.4) + activesupport (= 7.1.4) bundler (>= 1.15.0) - railties (= 7.1.3.2) + railties (= 7.1.4) rails-dom-testing (2.2.0) activesupport (>= 5.0.0) minitest @@ -194,9 +197,9 @@ GEM rails-html-sanitizer (1.6.0) loofah (~> 2.21) nokogiri (~> 1.14) - railties (7.1.3.2) - actionpack (= 7.1.3.2) - activesupport (= 7.1.3.2) + railties (7.1.4) + actionpack (= 7.1.4) + activesupport (= 7.1.4) irb rackup (>= 1.0.0) rake (>= 12.2) @@ -270,13 +273,16 @@ DEPENDENCIES capybara debug devise + fiddle image_processing (~> 1.2) importmap-rails jbuilder + logger mysql2 (~> 0.5) nokogiri + ostruct puma (>= 5.0) - rails (~> 7.1.3.2) + rails (~> 7.1.4) selenium-webdriver spring sprockets-rails @@ -286,7 +292,7 @@ DEPENDENCIES web-console RUBY VERSION - ruby 3.3.0p0 + ruby 3.3.5p100 BUNDLED WITH 2.5.3 diff --git a/config/caf_text.yml b/config/caf_text.yml index 587cc86..a372bb4 100644 --- a/config/caf_text.yml +++ b/config/caf_text.yml @@ -1,5 +1,5 @@ objectives: - - objective: + - objective: name: Objective A - Managing security risk description: Appropriate organisational structures, policies, and processes in place to understand, access and systematically manage security risks to the network and information systems supporting essential functions. principles: 
@@ -42,9 +42,9 @@ objectives: kind: Achieved condition: All subprincipleitem: - - Necessary roles and responsibilities for the security of networks and information systems supporting your essential function have been identified. These are reviewed periodically to ensure they remain fit for purpose. + - Key roles and responsibilities for the security of network and information systems supporting your essential function(s) have been identified. These are reviewed regularly to ensure they remain fit for purpose. - Appropriately capable and knowledgeable staff fill those roles and are given the time, authority, and resources to carry out their duties. - - There is clarity on who in your organisation has overall accountability for the security of the networks and information systems supporting your essential function. + - There is clarity on who in your organisation has overall accountability for the security of the network and information systems supporting your essential function(s). - sub-principle: name: A1.c Decision-making description: You have senior-level accountability for the security of networks and information systems, and delegate decision-making authority appropriately and effectively. Risks to network and information systems related to the operation of essential functions are considered in the context of other organisational risks. 
@@ -63,7 +63,7 @@ objectives: condition: All subprincipleitem: - Senior management have visibility of key risk decisions made throughout the organisation. - - Risk management decision-makers understand their responsibilities for making effective and timely decisions in the context of the risk appetite regarding the essential function, as set by senior management. + - Risk management decision-makers understand their responsibilities for making effective and timely decisions in the context of the risk appetite regarding the essential function(s), as set by senior management. - Risk management decision-making is delegated and escalated where necessary, across the organisation, to people who have the skills, knowledge, tools, and authority they need. - Risk management decisions are periodically reviewed to ensure their continued relevance and validity. - principle: 
@@ -129,9 +129,241 @@ objectives: - Your confidence in the security as it relates to your technology, people, and processes can be justified to, and verified by, a third party. - Security deficiencies uncovered by assurance activities are assessed, prioritised and remedied when necessary in a timely and effective way. - The methods used for assurance are reviewed to ensure they are working as intended and remain the most appropriate method to use. + - principle: + name: Principle A3 Asset Management + description: Everything required to deliver, maintain or support network and information systems necessary for the operation of essential functions is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling). + sub-principles: + - sub-principle: + name: A3.a Asset Management + description: None + subprincipleitemgroups: + - subprincipleitemgroup: + kind: Not + condition: At least one + subprincipleitem: + - Inventories of assets relevant to the essential function(s) are incomplete, non-existent, or inadequately detailed. + - Only certain domains or types of asset are documented and understood. Dependencies between assets are not understood (such as the dependencies between IT and OT). + - Information assets, which could include personally identifiable information and / or important / critical data, are stored for long periods of time with no clear business need or retention policy. + - Knowledge critical to the management, operation, or recovery of the essential function(s) is held by one or two key individuals with no succession plan. + - Asset inventories are neglected and out of date. + - subprincipleitemgroup: + kind: Achieved + condition: All + subprincipleitem: + - All assets relevant to the secure operation of essential function(s) are identified and inventoried (at a suitable level of detail). The inventory is kept up-to-date. + - Dependencies on supporting infrastructure (e.g. 
power, cooling etc) are recognised and recorded. + - You have prioritised your assets according to their importance to the operation of the essential function(s). + - You have assigned responsibility for managing all assets, including physical assets, relevant to the operation of the essential function(s). + - Assets relevant to the essential function(s) are managed with cyber security in mind throughout their lifecycle, from creation through to eventual decommissioning or disposal. + - principle: + name: Principle A4 Supply Chain + description: The organisation understands and manages security risks to network and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used. + sub-principles: + - sub-principle: + name: A4.a Supply Chain + description: None + subprincipleitemgroups: + - subprincipleitemgroup: + kind: Not + condition: At least one + subprincipleitem: + - You do not know what data belonging to you is held by suppliers, or how it is managed. + - Elements of the supply chain for essential function(s) are subcontracted and you have little or no visibility of the sub-contractors. + - You have no understanding of which contracts are relevant and / or relevant contracts do not specify appropriate security obligations. + - Suppliers have access to systems that provide your essential function(s) that is unrestricted, not monitored or bypasses your own security controls. + - subprincipleitemgroup: + kind: Partially + condition: All + subprincipleitem: + - You understand the general risks suppliers may pose to your essential function(s). + - You know the extent of your supply chain that supports your essential function(s), including sub-contractors. + - You understand which contracts are relevant and you include appropriate security obligations in relevant contracts. 
+ - You are aware of all third-party connections and have assurance that they meet your organisation’s security requirements. + - Your approach to security incident management considers incidents that might arise in your supply chain. + - You have confidence that information shared with suppliers that is necessary for the operation of your essential function(s) is appropriately protected from well-known attacks and known vulnerabilities. + -subprincipleitemgroup: + kind: Achieved + condition: All + subprincipleitem: + - You have a deep understanding of your supply chain, including sub-contractors and the wider risks it faces. You consider factors such as supplier’s partnerships, competitors, nationality and other organisations with which they sub-contract. This informs your risk assessment and procurement processes. + - Your approach to supply chain risk management considers the risks to your essential function(s) arising from supply chain subversion by capable and well-resourced attackers. + - You have confidence that information shared with suppliers that is essential to the operation of your function(s) is appropriately protected from sophisticated attacks. + - You understand which contracts are relevant and you include appropriate security obligations in relevant contracts. You have a proactive approach to contract management which may include a contract management plan for relevant contracts. + - Customer / supplier ownership of responsibilities is laid out in contracts. + - All network connections and data sharing with third parties are managed effectively and proportionately. + - When appropriate, your incident management process and that of your suppliers provide mutual support in the resolution of incidents. + - objective: + name: Objective B - Protecting against cyber attack + description: Proportionate security measures are in place to protect the network and information systems supporting essential functions from cyber attack. 
+ principles: + - principle: + name: B1 Service Protection Policies, Processes and Procedures + description: The organisation defines, implements, communicates and enforces appropriate policies, processes and procedures that direct its overall approach to securing systems and data that support operation of essential functions. + sub-principles: + - sub-principle: + name: B1.a Policy, Process and Procedure Development + description: You have developed and continue to improve a set of cyber security and resilience policies, processes and procedures that manage and mitigate the risk of adverse impact on your essential function(s). + subprincipleitemgroups: + - subprincipleitemgroup: + kind: Not + condition: At least one + subprincipleitem: + - Your policies, processes and procedures are absent or incomplete. + - Policies, processes and procedures are not applied universally or consistently. + - People often or routinely circumvent policies, processes and procedures to achieve business objectives. + - Your organisation’s security governance and risk management approach has no bearing on your policies, processes and procedures. + - System security is totally reliant on users' careful and consistent application of manual security processes. + - Policies, processes and procedures have not been reviewed in response to major changes (e.g. technology or regulatory framework), or within a suitable period. + - Policies, processes and procedures are not readily available to staff, too detailed to remember, or too hard to understand. + - subprincipleitemgroup: + kind: Partially + condition: All + subprincipleitem: + - Most of your policies, processes and procedures are followed and their application is monitored. + - Your policies, processes and procedures are integrated with other organisational policies, processes and procedures, including HR assessments of individuals' trustworthiness. 
+ - All staff are aware of their responsibilities under your policies, processes and procedures. All breaches of policies, processes and procedures with the potential to adversely impact the essential function(s) are fully investigated. Other breaches are tracked, assessed for trends and action is taken to understand and address. + - subprincipleitemgroup: + kind: Achieved + condition: All + subprincipleitem: + - All your policies, processes and procedures are followed, their correct application and security effectiveness is evaluated. + - Your policies, processes and procedures are integrated with other organisational policies, processes and procedures, including HR assessments of individuals' trustworthiness. + - Your policies, processes and procedures are effectively and appropriately communicated across all levels of the organisation resulting in good staff awareness of their responsibilities. + - Appropriate action is taken to address all breaches of policies, processes and procedures with potential to adversely impact the essential function(s) including aggregated breaches. + - principle: + name: Principle B2 Identity and Access Control + description: The organisation understands, documents and manages access to network and information systems supporting the operation of essential functions. Users (or automated functions) that can access data or systems are appropriately verified, authenticated and authorised. + sub-principles: + - sub-principle: + name: B2.a Identity Verification, Authentication and Authorisation + description: You robustly verify, authenticate and authorise access to the network and information systems supporting your essential function(s). + subprincipleitemgroups: + - subprincipleitemgroup: + kind: Not + condition: At least one + subprincipleitem: + - Initial identity verification is not robust enough to provide an acceptable level of confidence of a user’s identity profile. 
+ - Authorised users and systems with access to networks or information systems on which your essential function(s) depends cannot be individually identified. + - Unauthorised individuals or devices can access your network or information systems on which your essential function(s) depends. + - The number of authorised users and systems that have access to your network and information systems are not limited to the minimum necessary. + - Your approach to authenticating users, devices and systems does not follow up to date best practice. + - subprincipleitemgroup: + kind: Partially + condition: All + subprincipleitem: + - Your process of initial identity verification is robust enough to provide a reasonable level of confidence of a user’s identity profile before allowing an authorised user access to network and information systems that support your essential function(s). + - All authorised users and systems with access to network or information systems on which your essential function(s) depends are individually identified and authenticated. + - The number of authorised users and systems that have access to essential function(s) network and information systems is limited to the minimum necessary. + - You use additional authentication mechanisms, such as multi-factor (MFA), for privileged access to all network and information systems that operate or support your essential function(s). + - You individually authenticate and authorise all remote access to all your network and information systems that support your essential function(s). + - The list of users and systems with access to network and information systems supporting and delivering the essential function(s) is reviewed on a regular basis, at least annually. + - Your approach to authenticating users, devices and systems follows up to date best practice. 
+ - subprincipleitemgroup: + kind: Achieved + condition: All + subprincipleitem: + - Your process of initial identity verification is robust enough to provide a high level of confidence of a user’s identity profile before allowing an authorised user access to network and information systems that support your essential function(s). + - Only authorised and individually authenticated users can physically access and logically connect to your network or information systems on which your essential function(s) depends. + - The number of authorised users and systems that have access to all your network and information systems supporting the essential function(s) is limited to the minimum necessary. + - You use additional authentication mechanisms, such as multi-factor (MFA), for all user access, including remote access, to all network and information systems that operate or support your essential function(s). + - The list of users and systems with access to network and information systems supporting and delivering the essential function(s) is reviewed on a regular basis, at least every six months. + - Your approach to authenticating users, devices and systems follows up to date best practice. + - sub-principle: + name: B2.b Device Management + description: You fully know and have trust in the devices that are used to access your networks, information systems and data that support your essential function(s). + subprincipleitemgroups: + - subprincipleitemgroup: + kind: Not + condition: At least one + subprincipleitem: + - Users can connect to your network and information systems supporting your essential function(s) using devices that are not corporately owned and managed. + - Privileged users can perform privileged operations from devices that are not corporately owned and managed. + - You have not gained assurance in the security of any third-party devices or networks connected to your systems. 
+ - Physically connecting a device to your network and information systems gives that device access without device or user authentication. + - subprincipleitemgroup: + kind: Partially + condition: All + subprincipleitem: + - Only corporately owned and managed devices can access your essential function(s) network and information systems. + - All privileged operations are performed from corporately owned and managed devices. + - These devices provide sufficient separation, using a risk-based approach, from the activities of standard users. + - You have sought to understand the security properties of third-party devices and networks before they can be connected to your systems. + - You have taken appropriate steps to mitigate any risks identified. + - The act of connecting to a network port or cable does not grant access to any systems. + - You are able to detect unknown devices being connected to your network and information systems and investigate such incidents. + -subprincipleitemgroup: + kind: Achieved + condition: All + subprincipleitem: + - All privileged operations performed on your network and information systems supporting your essential function(s) are conducted from highly trusted devices, such as Privileged Access Workstations, dedicated solely to those operations. + - You either obtain independent and professional assurance of the security of third-party devices or networks before they connect to your network and information systems, or you only allow third-party devices or networks that are dedicated to supporting your network and information systems to connect. + - You perform certificate-based device identity management and only allow known devices to access systems necessary for the operation of your essential function(s). + - You perform regular scans to detect unknown devices and investigate any findings. 
+ - sub-principle: + name: B2.c Privileged User Management + description: You closely manage privileged user access to network and information systems supporting your essential function(s). + subprincipleitemgroups: + - subprincipleitemgroup: + kind: Not + condition: At least one + subprincipleitem: + - The identities of the individuals with privileged access to network and information systems (infrastructure, platforms, software, configuration etc) supporting your essential function(s) are not known or not managed. + - Privileged user access to network and information systems supporting your essential function(s) is via weak authentication mechanisms (e.g. only simple passwords). + - The list of privileged users has not been reviewed recently (e.g. within the last 12 months). + - Privileged user access is granted on a system-wide basis rather than by role or function(s). + - Privileged user access to your essential function(s) is via generic, shared or default name accounts. + - Where there are “always on” terminals which can perform privileged actions (such as in a control room), there are no additional controls (e.g. physical controls) to ensure access is appropriately restricted. + - There is no logical separation between roles that an individual may have and hence the actions they perform (e.g. access to corporate email and privilege user actions). + - subprincipleitemgroup: + kind: Partially + condition: All + subprincipleitem: + - All privileged user access to network and information systems supporting your essential function(s) requires strong authentication, such as multi-factor (MFA). + - The identities of the individuals with privileged access to network and information systems (infrastructure, platforms, software, configuration etc) supporting your essential function(s) are known and managed. This includes third parties. + - Activity by privileged users is routinely reviewed and validated (e.g. at least annually). 
+ - Privileged users are only granted specific privileged user access rights which are essential to their business role or function. + - subprincipleitemgroup: + kind: Achieved + condition: All + subprincipleitem: + - Privileged user access to network and information systems supporting your essential function(s) is carried out from dedicated separate accounts that are closely monitored and managed. + - The issuing of temporary, time-bound rights for privileged user access and / or external third-party support access is in place. + - Privileged user access rights are regularly reviewed and always updated as part of your joiners, movers and leavers process. + - All privileged user activity is routinely reviewed, validated and recorded for offline analysis and investigation. + - sub-principle: + name: B2.d Identity and Access Management (IdAM) + description: You closely manage and maintain identity and access control for users, devices and systems accessing the network and information systems supporting your essential function(s). + subprincipleitemgroup: + - subprincipleitemgroup: + kind: Not + condition: At least one + subprincipleitem: + - Greater access rights are granted than necessary. + - Identity validation and requirement for access of a user, device or systems is not carried out. + - User access rights are not reviewed when users change roles. + - User access rights remain active when users leave your organisation. + - Access rights granted to devices or systems to access other devices and systems are not reviewed on a regular basis (at least annually). + - subprincipleitemgroup: + kind: Partially + condition: All + subprincipleitem: + - You follow a robust procedure to verify each user and issue the minimum required access rights. + - You regularly review access rights and those no longer needed are revoked. + - User access rights are reviewed when users change roles via your joiners, leavers and movers process. 
+ - All user, device and system access to the systems supporting the essential function(s) is logged and monitored, but it is not compared to other log data or access records. + - subprincipleitemgroup: + kind: Achieved + condition: All + subprincipleitem: + - You follow a robust procedure to verify each user and issue the minimum required access rights, and the application of the procedure is regularly audited. + - User access rights are reviewed both when people change roles via your joiners, leavers and movers process and at regular intervals - at least annually. + - All user, device and systems access to the systems supporting the essential function(s) is logged and monitored. + - You regularly review access logs and correlate this data with other access records and expected activity. + - Attempts by unauthorised users, devices or systems to connect to the systems supporting the essential function(s) are alerted, promptly assessed and investigated. + + + - # - objective: - # name: Objective B - Protecting against cyber attack # # - objective: # name: Objective C - Detecting cyber security events diff --git a/config/routes.rb b/config/routes.rb index e24b401..a76e8b6 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -6,7 +6,9 @@ Rails.application.routes.draw do resources :cafs end - resources :subprincipleitems, only: [:edit, :update] + resources 'cafs', only: [:show] do + resources :subprincipleitems, only: [:edit, :update] + end authenticated :user do root to: 'home#index', as: :authenticated_root
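Review bot: Two of the added "Achieved" groups are written `-subprincipleitemgroup:` with no space after the dash (under A4.a Supply Chain and under B2.b Device Management), so YAML does not see a new sequence item there but a plain key named `-subprincipleitemgroup`, and the file will presumably either fail to load or attach those criteria to the wrong node; each should read `- subprincipleitemgroup:`. The B2.d sub-principle uses the singular key `subprincipleitemgroup:` where every other sub-principle in the file uses `subprincipleitemgroups:`, so code that reads groups by that key would skip the Identity and Access Management criteria entirely. The trailing added lines just before the removed `# - objective:` comments appear to include a bare `-`, which would insert a null entry into the enclosing sequence and should be dropped. `description: None` on A3.a and A4.a is the string "None" under the standard YAML schema rather than a null; if the intent is "no description", leave the value empty or use `~`. A test that loads this file with `YAML.safe_load` and walks every sub-principle's `subprincipleitemgroups` would have caught the first two before deploy.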