jezcaudle/rails-caf
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

The CAF is now populated from the YAML when a CAF is created

Browse Source
This commit is contained in:
Jez Caudle 2023-02-12 07:19:21 +00:00
parent d96050c4fb
commit 3b53f930be
4 changed files with 18 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/models/caf.rb
View File

@ -32,12 +32,12 @@ class Caf < ApplicationRecord
sub_principle_item_groups.each do |key,value|
header = key["subprincipleitemgroup"]
# <%= header["type"] %> - <%= header["condition"] %><br/>
subpriitemgroup = subpri.subprincipleitemgroups.create(type: header["type"], condition: header["condition"])
subpriitemgroup = subpri.subprincipleitemgroups.create(kind: header["kind"], condition: header["condition"])
subprincipleitem = header["subprincipleitem"]
subprincipleitem.each do |subprinciple|
# <%= subprinciple %><br/>
subpriitemgroup.subprinciples.create(description: subprinciple)
subpriitemgroup.subprincipleitems.create(description: subprinciple)
end
end

22
config/caf_text.yml
View File

@ -12,7 +12,7 @@ objectives:
description: You have effective organisational security management led at board level and articulated clearly in corresponding policies.
subprincipleitemgroups:
- subprincipleitemgroup:
type: Not
kind: Not
condition: At least one
subprincipleitem:
- The security of network and information systems related to the operation of essential functions is not discussed or reported on regularly at board-level.
@ -20,7 +20,7 @@ objectives:
- The security of networks and information systems supporting your essential functions are not driven effectively by the direction set at board level.
- Senior management or other pockets of the organisation consider themselves exempt from some policies or expect special accommodations to be made.
- subprincipleitemgroup:
type: Achieved
kind: Achieved
condition: All
subprincipleitem:
- Your organisation's approach and policy relating to the security of networks and information systems supporting the operation of essential functions are owned and managed at board level. These are communicated, in a meaningful way, to risk management decision-makers across the organisation.
@ -32,14 +32,14 @@ objectives:
description: Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.
subprincipleitemgroups:
- subprincipleitemgroup:
type: Not
kind: Not
condition: At least one
subprincipleitem:
- Key roles are missing, left vacant, or fulfilled on an ad-hoc or informal basis.
- Staff are assigned security responsibilities but without adequate authority or resources to fulfil them.
- Staff are unsure what their responsibilities are for the security of the essential function.
- subprincipleitemgroup:
type: Achieved
kind: Achieved
condition: All
subprincipleitem:
- Necessary roles and responsibilities for the security of networks and information systems supporting your essential function have been identified. These are reviewed periodically to ensure they remain fit for purpose.
@ -50,7 +50,7 @@ objectives:
description: You have senior-level accountability for the security of networks and information systems, and delegate decision-making authority appropriately and effectively. Risks tonetwork and information systems related to the operation of essential functions areconsidered in the context of other organisational risks.
subprincipleitemgroups:
- subprincipleitemgroup:
type: Not
kind: Not
condition: At least one
subprincipleitem:
- What should be relatively straightforward risk decisions are constantly referred up the chain, or not made.
@ -59,7 +59,7 @@ objectives:
- Organisational structure causes risk decisions to be made in isolation. (e.g. engineering and IT don't talk to each other about risk).
- Risk priorities are too vague to make meaningful distinctions between them. (e.g. almost all risks are rated 'medium' or 'amber').
- subprincipleitemgroup:
type: Achieved
kind: Achieved
condition: All
subprincipleitem:
- Senior management have visibility of key risk decisions made throughout the organisation.
@ -75,7 +75,7 @@ objectives:
description: Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.
subprincipleitemgroups:
- subprincipleitemgroup:
type: Not
kind: Not
condition: At least one
subprincipleitem:
- Risk assessments are not based on a clearly defined set of threat assumptions.
@ -87,7 +87,7 @@ objectives:
- Security requirements and mitigation's are arbitrary or are applied from a control catalogue without consideration of how they contribute to the security of the essential function.
- Risks remain unresolved on a register for prolonged periods of time awaiting senior decision-making or resource allocation to resolve.
- subprincipleitemgroup:
type: Partially
kind: Partially
condition: All
subprincipleitem:
- Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.
@ -97,7 +97,7 @@ objectives:
- You conduct risk assessments when significant events potentially affect the essential function, such as replacing a system or a change in the cyber security threat.
- You perform threat analysis and understand how generic threats apply to your organisation.
- subprincipleitemgroup:
type: Achieved
kind: Achieved
condition: All
subprincipleitem:
- Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.
@ -114,14 +114,14 @@ objectives:
description: You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to essential functions.
subprincipleitemgroups:
- subprincipleitemgroup:
type: Not
kind: Not
condition: At least one
subprincipleitem:
- A particular product or service is seen as a "silver bullet" and vendor claims are taken at face value.
- Assurance methods are applied without appreciation of their strengths and limitations, such as the risks of penetration testing in operational environments.
- Assurance is assumed because there have been no known problems to date.
- subprincipleitemgroup:
type: Achieved
kind: Achieved
condition: All
subprincipleitem:
- You validate that the security measures in place to protect the networks and information systems are effective and remain effective for the lifetime over which they are needed.

4
db/migrate/20230212065945_rename_type_to_kind_in_subprincipleitemgroup.rb
View File

@ -1,4 +1,6 @@
class RenameTypeToKindInSubprincipleitemgroup < ActiveRecord::Migration[7.0]
def change
change_table :subprincipleitemgroups do |t|
t.rename :type, :kind
end
end

4
db/schema.rb generated
View File

@ -10,7 +10,7 @@
#
# It's strongly recommended that you check this file into your version control system.
ActiveRecord::Schema[7.0].define(version: 2023_01_27_131552) do
ActiveRecord::Schema[7.0].define(version: 2023_02_12_065945) do
create_table "action_text_rich_texts", charset: "utf8mb4", force: :cascade do |t|
t.string "name", null: false
t.text "body", size: :long
@ -92,7 +92,7 @@ ActiveRecord::Schema[7.0].define(version: 2023_01_27_131552) do
create_table "subprincipleitemgroups", charset: "utf8mb4", force: :cascade do |t|
t.bigint "subprinciple_id", null: false
t.string "type"
t.string "kind"
t.datetime "created_at", null: false
t.datetime "updated_at", null: false
t.string "condition"