The CAF is now populated from the YAML when a CAF is created
This commit is contained in:
parent
d96050c4fb
commit
3b53f930be
@ -32,12 +32,12 @@ class Caf < ApplicationRecord
|
|||||||
sub_principle_item_groups.each do |key,value|
|
sub_principle_item_groups.each do |key,value|
|
||||||
header = key["subprincipleitemgroup"]
|
header = key["subprincipleitemgroup"]
|
||||||
# <%= header["type"] %> - <%= header["condition"] %><br/>
|
# <%= header["type"] %> - <%= header["condition"] %><br/>
|
||||||
subpriitemgroup = subpri.subprincipleitemgroups.create(type: header["type"], condition: header["condition"])
|
subpriitemgroup = subpri.subprincipleitemgroups.create(kind: header["kind"], condition: header["condition"])
|
||||||
subprincipleitem = header["subprincipleitem"]
|
subprincipleitem = header["subprincipleitem"]
|
||||||
|
|
||||||
subprincipleitem.each do |subprinciple|
|
subprincipleitem.each do |subprinciple|
|
||||||
# <%= subprinciple %><br/>
|
# <%= subprinciple %><br/>
|
||||||
subpriitemgroup.subprinciples.create(description: subprinciple)
|
subpriitemgroup.subprincipleitems.create(description: subprinciple)
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|||||||
@ -12,7 +12,7 @@ objectives:
|
|||||||
description: You have effective organisational security management led at board level and articulated clearly in corresponding policies.
|
description: You have effective organisational security management led at board level and articulated clearly in corresponding policies.
|
||||||
subprincipleitemgroups:
|
subprincipleitemgroups:
|
||||||
- subprincipleitemgroup:
|
- subprincipleitemgroup:
|
||||||
type: Not
|
kind: Not
|
||||||
condition: At least one
|
condition: At least one
|
||||||
subprincipleitem:
|
subprincipleitem:
|
||||||
- The security of network and information systems related to the operation of essential functions is not discussed or reported on regularly at board-level.
|
- The security of network and information systems related to the operation of essential functions is not discussed or reported on regularly at board-level.
|
||||||
@ -20,7 +20,7 @@ objectives:
|
|||||||
- The security of networks and information systems supporting your essential functions are not driven effectively by the direction set at board level.
|
- The security of networks and information systems supporting your essential functions are not driven effectively by the direction set at board level.
|
||||||
- Senior management or other pockets of the organisation consider themselves exempt from some policies or expect special accommodations to be made.
|
- Senior management or other pockets of the organisation consider themselves exempt from some policies or expect special accommodations to be made.
|
||||||
- subprincipleitemgroup:
|
- subprincipleitemgroup:
|
||||||
type: Achieved
|
kind: Achieved
|
||||||
condition: All
|
condition: All
|
||||||
subprincipleitem:
|
subprincipleitem:
|
||||||
- Your organisation's approach and policy relating to the security of networks and information systems supporting the operation of essential functions are owned and managed at board level. These are communicated, in a meaningful way, to risk management decision-makers across the organisation.
|
- Your organisation's approach and policy relating to the security of networks and information systems supporting the operation of essential functions are owned and managed at board level. These are communicated, in a meaningful way, to risk management decision-makers across the organisation.
|
||||||
@ -32,14 +32,14 @@ objectives:
|
|||||||
description: Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.
|
description: Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.
|
||||||
subprincipleitemgroups:
|
subprincipleitemgroups:
|
||||||
- subprincipleitemgroup:
|
- subprincipleitemgroup:
|
||||||
type: Not
|
kind: Not
|
||||||
condition: At least one
|
condition: At least one
|
||||||
subprincipleitem:
|
subprincipleitem:
|
||||||
- Key roles are missing, left vacant, or fulfilled on an ad-hoc or informal basis.
|
- Key roles are missing, left vacant, or fulfilled on an ad-hoc or informal basis.
|
||||||
- Staff are assigned security responsibilities but without adequate authority or resources to fulfil them.
|
- Staff are assigned security responsibilities but without adequate authority or resources to fulfil them.
|
||||||
- Staff are unsure what their responsibilities are for the security of the essential function.
|
- Staff are unsure what their responsibilities are for the security of the essential function.
|
||||||
- subprincipleitemgroup:
|
- subprincipleitemgroup:
|
||||||
type: Achieved
|
kind: Achieved
|
||||||
condition: All
|
condition: All
|
||||||
subprincipleitem:
|
subprincipleitem:
|
||||||
- Necessary roles and responsibilities for the security of networks and information systems supporting your essential function have been identified. These are reviewed periodically to ensure they remain fit for purpose.
|
- Necessary roles and responsibilities for the security of networks and information systems supporting your essential function have been identified. These are reviewed periodically to ensure they remain fit for purpose.
|
||||||
@ -50,7 +50,7 @@ objectives:
|
|||||||
description: You have senior-level accountability for the security of networks and information systems, and delegate decision-making authority appropriately and effectively. Risks to network and information systems related to the operation of essential functions are considered in the context of other organisational risks.
|
description: You have senior-level accountability for the security of networks and information systems, and delegate decision-making authority appropriately and effectively. Risks to network and information systems related to the operation of essential functions are considered in the context of other organisational risks.
|
||||||
subprincipleitemgroups:
|
subprincipleitemgroups:
|
||||||
- subprincipleitemgroup:
|
- subprincipleitemgroup:
|
||||||
type: Not
|
kind: Not
|
||||||
condition: At least one
|
condition: At least one
|
||||||
subprincipleitem:
|
subprincipleitem:
|
||||||
- What should be relatively straightforward risk decisions are constantly referred up the chain, or not made.
|
- What should be relatively straightforward risk decisions are constantly referred up the chain, or not made.
|
||||||
@ -59,7 +59,7 @@ objectives:
|
|||||||
- Organisational structure causes risk decisions to be made in isolation. (e.g. engineering and IT don't talk to each other about risk).
|
- Organisational structure causes risk decisions to be made in isolation. (e.g. engineering and IT don't talk to each other about risk).
|
||||||
- Risk priorities are too vague to make meaningful distinctions between them. (e.g. almost all risks are rated 'medium' or 'amber').
|
- Risk priorities are too vague to make meaningful distinctions between them. (e.g. almost all risks are rated 'medium' or 'amber').
|
||||||
- subprincipleitemgroup:
|
- subprincipleitemgroup:
|
||||||
type: Achieved
|
kind: Achieved
|
||||||
condition: All
|
condition: All
|
||||||
subprincipleitem:
|
subprincipleitem:
|
||||||
- Senior management have visibility of key risk decisions made throughout the organisation.
|
- Senior management have visibility of key risk decisions made throughout the organisation.
|
||||||
@ -75,7 +75,7 @@ objectives:
|
|||||||
description: Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.
|
description: Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.
|
||||||
subprincipleitemgroups:
|
subprincipleitemgroups:
|
||||||
- subprincipleitemgroup:
|
- subprincipleitemgroup:
|
||||||
type: Not
|
kind: Not
|
||||||
condition: At least one
|
condition: At least one
|
||||||
subprincipleitem:
|
subprincipleitem:
|
||||||
- Risk assessments are not based on a clearly defined set of threat assumptions.
|
- Risk assessments are not based on a clearly defined set of threat assumptions.
|
||||||
@ -87,7 +87,7 @@ objectives:
|
|||||||
- Security requirements and mitigation's are arbitrary or are applied from a control catalogue without consideration of how they contribute to the security of the essential function.
|
- Security requirements and mitigation's are arbitrary or are applied from a control catalogue without consideration of how they contribute to the security of the essential function.
|
||||||
- Risks remain unresolved on a register for prolonged periods of time awaiting senior decision-making or resource allocation to resolve.
|
- Risks remain unresolved on a register for prolonged periods of time awaiting senior decision-making or resource allocation to resolve.
|
||||||
- subprincipleitemgroup:
|
- subprincipleitemgroup:
|
||||||
type: Partially
|
kind: Partially
|
||||||
condition: All
|
condition: All
|
||||||
subprincipleitem:
|
subprincipleitem:
|
||||||
- Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.
|
- Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.
|
||||||
@ -97,7 +97,7 @@ objectives:
|
|||||||
- You conduct risk assessments when significant events potentially affect the essential function, such as replacing a system or a change in the cyber security threat.
|
- You conduct risk assessments when significant events potentially affect the essential function, such as replacing a system or a change in the cyber security threat.
|
||||||
- You perform threat analysis and understand how generic threats apply to your organisation.
|
- You perform threat analysis and understand how generic threats apply to your organisation.
|
||||||
- subprincipleitemgroup:
|
- subprincipleitemgroup:
|
||||||
type: Achieved
|
kind: Achieved
|
||||||
condition: All
|
condition: All
|
||||||
subprincipleitem:
|
subprincipleitem:
|
||||||
- Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.
|
- Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.
|
||||||
@ -114,14 +114,14 @@ objectives:
|
|||||||
description: You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to essential functions.
|
description: You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to essential functions.
|
||||||
subprincipleitemgroups:
|
subprincipleitemgroups:
|
||||||
- subprincipleitemgroup:
|
- subprincipleitemgroup:
|
||||||
type: Not
|
kind: Not
|
||||||
condition: At least one
|
condition: At least one
|
||||||
subprincipleitem:
|
subprincipleitem:
|
||||||
- A particular product or service is seen as a "silver bullet" and vendor claims are taken at face value.
|
- A particular product or service is seen as a "silver bullet" and vendor claims are taken at face value.
|
||||||
- Assurance methods are applied without appreciation of their strengths and limitations, such as the risks of penetration testing in operational environments.
|
- Assurance methods are applied without appreciation of their strengths and limitations, such as the risks of penetration testing in operational environments.
|
||||||
- Assurance is assumed because there have been no known problems to date.
|
- Assurance is assumed because there have been no known problems to date.
|
||||||
- subprincipleitemgroup:
|
- subprincipleitemgroup:
|
||||||
type: Achieved
|
kind: Achieved
|
||||||
condition: All
|
condition: All
|
||||||
subprincipleitem:
|
subprincipleitem:
|
||||||
- You validate that the security measures in place to protect the networks and information systems are effective and remain effective for the lifetime over which they are needed.
|
- You validate that the security measures in place to protect the networks and information systems are effective and remain effective for the lifetime over which they are needed.
|
||||||
|
|||||||
@ -1,4 +1,6 @@
|
|||||||
class RenameTypeToKindInSubprincipleitemgroup < ActiveRecord::Migration[7.0]
|
class RenameTypeToKindInSubprincipleitemgroup < ActiveRecord::Migration[7.0]
|
||||||
def change
|
change_table :subprincipleitemgroups do |t|
|
||||||
|
t.rename :type, :kind
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|||||||
4
db/schema.rb
generated
4
db/schema.rb
generated
@ -10,7 +10,7 @@
|
|||||||
#
|
#
|
||||||
# It's strongly recommended that you check this file into your version control system.
|
# It's strongly recommended that you check this file into your version control system.
|
||||||
|
|
||||||
ActiveRecord::Schema[7.0].define(version: 2023_01_27_131552) do
|
ActiveRecord::Schema[7.0].define(version: 2023_02_12_065945) do
|
||||||
create_table "action_text_rich_texts", charset: "utf8mb4", force: :cascade do |t|
|
create_table "action_text_rich_texts", charset: "utf8mb4", force: :cascade do |t|
|
||||||
t.string "name", null: false
|
t.string "name", null: false
|
||||||
t.text "body", size: :long
|
t.text "body", size: :long
|
||||||
@ -92,7 +92,7 @@ ActiveRecord::Schema[7.0].define(version: 2023_01_27_131552) do
|
|||||||
|
|
||||||
create_table "subprincipleitemgroups", charset: "utf8mb4", force: :cascade do |t|
|
create_table "subprincipleitemgroups", charset: "utf8mb4", force: :cascade do |t|
|
||||||
t.bigint "subprinciple_id", null: false
|
t.bigint "subprinciple_id", null: false
|
||||||
t.string "type"
|
t.string "kind"
|
||||||
t.datetime "created_at", null: false
|
t.datetime "created_at", null: false
|
||||||
t.datetime "updated_at", null: false
|
t.datetime "updated_at", null: false
|
||||||
t.string "condition"
|
t.string "condition"
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user