diff --git a/app/models/caf.rb b/app/models/caf.rb
index b3a53aa..bc91308 100644
--- a/app/models/caf.rb
+++ b/app/models/caf.rb
@@ -32,12 +32,12 @@ class Caf < ApplicationRecord
sub_principle_item_groups.each do |key,value|
header = key["subprincipleitemgroup"]
# <%= header["type"] %> - <%= header["condition"] %>
- subpriitemgroup = subpri.subprincipleitemgroups.create(type: header["type"], condition: header["condition"])
+ subpriitemgroup = subpri.subprincipleitemgroups.create(kind: header["kind"], condition: header["condition"])
subprincipleitem = header["subprincipleitem"]
subprincipleitem.each do |subprinciple|
# <%= subprinciple %>
- subpriitemgroup.subprinciples.create(description: subprinciple)
+ subpriitemgroup.subprincipleitems.create(description: subprinciple)
end
end
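Review bot: The commented-out ERB tag two lines above the changed `create` call still reads `header["type"]`, so it now documents a key that neither the YAML nor the renamed column carries; replace it with `# #{header["kind"]} - #{header["condition"]}` style prose or drop both leftover `<%= %>` comments, since they are template residue in a model. Separately, both `create` calls here discard the result, so a validation failure on the renamed `kind` attribute or on `subprincipleitems` would leave gaps in the seeded tree without any signal; `create!` would surface that at load time instead. The block parameter `value` is never read and could be `_value`. The enclosing method starts before this hunk, so the caller's error handling is not visible here.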
diff --git a/config/caf_text.yml b/config/caf_text.yml
index e1eff2c..89cd731 100644
--- a/config/caf_text.yml
+++ b/config/caf_text.yml
@@ -12,7 +12,7 @@ objectives:
description: You have effective organisational security management led at board level and articulated clearly in corresponding policies.
subprincipleitemgroups:
- subprincipleitemgroup:
- type: Not
+ kind: Not
condition: At least one
subprincipleitem:
- The security of network and information systems related to the operation of essential functions is not discussed or reported on regularly at board-level.
@@ -20,7 +20,7 @@ objectives:
- The security of networks and information systems supporting your essential functions are not driven effectively by the direction set at board level.
- Senior management or other pockets of the organisation consider themselves exempt from some policies or expect special accommodations to be made.
- subprincipleitemgroup:
- type: Achieved
+ kind: Achieved
condition: All
subprincipleitem:
- Your organisation's approach and policy relating to the security of networks and information systems supporting the operation of essential functions are owned and managed at board level. These are communicated, in a meaningful way, to risk management decision-makers across the organisation.
@@ -32,14 +32,14 @@ objectives:
description: Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.
subprincipleitemgroups:
- subprincipleitemgroup:
- type: Not
+ kind: Not
condition: At least one
subprincipleitem:
- Key roles are missing, left vacant, or fulfilled on an ad-hoc or informal basis.
- Staff are assigned security responsibilities but without adequate authority or resources to fulfil them.
- Staff are unsure what their responsibilities are for the security of the essential function.
- subprincipleitemgroup:
- type: Achieved
+ kind: Achieved
condition: All
subprincipleitem:
- Necessary roles and responsibilities for the security of networks and information systems supporting your essential function have been identified. These are reviewed periodically to ensure they remain fit for purpose.
@@ -50,7 +50,7 @@ objectives:
description: You have senior-level accountability for the security of networks and information systems, and delegate decision-making authority appropriately and effectively. Risks to network and information systems related to the operation of essential functions are considered in the context of other organisational risks.
subprincipleitemgroups:
- subprincipleitemgroup:
- type: Not
+ kind: Not
condition: At least one
subprincipleitem:
- What should be relatively straightforward risk decisions are constantly referred up the chain, or not made.
@@ -59,7 +59,7 @@ objectives:
- Organisational structure causes risk decisions to be made in isolation. (e.g. engineering and IT don't talk to each other about risk).
- Risk priorities are too vague to make meaningful distinctions between them. (e.g. almost all risks are rated 'medium' or 'amber').
- subprincipleitemgroup:
- type: Achieved
+ kind: Achieved
condition: All
subprincipleitem:
- Senior management have visibility of key risk decisions made throughout the organisation.
@@ -75,7 +75,7 @@ objectives:
description: Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.
subprincipleitemgroups:
- subprincipleitemgroup:
- type: Not
+ kind: Not
condition: At least one
subprincipleitem:
- Risk assessments are not based on a clearly defined set of threat assumptions.
@@ -87,7 +87,7 @@ objectives:
- Security requirements and mitigation's are arbitrary or are applied from a control catalogue without consideration of how they contribute to the security of the essential function.
- Risks remain unresolved on a register for prolonged periods of time awaiting senior decision-making or resource allocation to resolve.
- subprincipleitemgroup:
- type: Partially
+ kind: Partially
condition: All
subprincipleitem:
- Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.
@@ -97,7 +97,7 @@ objectives:
- You conduct risk assessments when significant events potentially affect the essential function, such as replacing a system or a change in the cyber security threat.
- You perform threat analysis and understand how generic threats apply to your organisation.
- subprincipleitemgroup:
- type: Achieved
+ kind: Achieved
condition: All
subprincipleitem:
- Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.
@@ -114,14 +114,14 @@ objectives:
description: You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to essential functions.
subprincipleitemgroups:
- subprincipleitemgroup:
- type: Not
+ kind: Not
condition: At least one
subprincipleitem:
- A particular product or service is seen as a "silver bullet" and vendor claims are taken at face value.
- Assurance methods are applied without appreciation of their strengths and limitations, such as the risks of penetration testing in operational environments.
- Assurance is assumed because there have been no known problems to date.
- subprincipleitemgroup:
- type: Achieved
+ kind: Achieved
condition: All
subprincipleitem:
- You validate that the security measures in place to protect the networks and information systems are effective and remain effective for the lifetime over which they are needed.
diff --git a/db/migrate/20230212065945_rename_type_to_kind_in_subprincipleitemgroup.rb b/db/migrate/20230212065945_rename_type_to_kind_in_subprincipleitemgroup.rb
index 4e4cba6..d9330b3 100644
--- a/db/migrate/20230212065945_rename_type_to_kind_in_subprincipleitemgroup.rb
+++ b/db/migrate/20230212065945_rename_type_to_kind_in_subprincipleitemgroup.rb
@@ -1,4 +1,6 @@
class RenameTypeToKindInSubprincipleitemgroup < ActiveRecord::Migration[7.0]
- def change
+ change_table :subprincipleitemgroups do |t|
+ t.rename :type, :kind
end
+
end
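Review bot: The `change_table` call replaces the `def change` method rather than living inside it, so it sits in the class body and runs (or fails) when the file is loaded instead of being invoked by the migrator in a reversible `change`; the schema version bump in db/schema.rb suggests the migration was recorded as applied, which with an empty migration class would happen without the rename actually executing on a fresh database. Restore the method around the rename: `def change` / `  rename_column :subprincipleitemgroups, :type, :kind` / `end`. A one-line comment explaining the motivation would help future readers, e.g. `# "type" is reserved by ActiveRecord for single-table inheritance, so the column is renamed to avoid STI lookups.`.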
diff --git a/db/schema.rb b/db/schema.rb
index db73087..83723b1 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
#
# It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema[7.0].define(version: 2023_01_27_131552) do
+ActiveRecord::Schema[7.0].define(version: 2023_02_12_065945) do
create_table "action_text_rich_texts", charset: "utf8mb4", force: :cascade do |t|
t.string "name", null: false
t.text "body", size: :long
@@ -92,7 +92,7 @@ ActiveRecord::Schema[7.0].define(version: 2023_01_27_131552) do
create_table "subprincipleitemgroups", charset: "utf8mb4", force: :cascade do |t|
t.bigint "subprinciple_id", null: false
- t.string "type"
+ t.string "kind"
t.datetime "created_at", null: false
t.datetime "updated_at", null: false
t.string "condition"