SimpleRisk Core
The SimpleRisk 20210930-001 release includes a number of new features, bug fixes and security updates. Three key areas we focused on were:
- Overall usability and a variety of reporting enhancements;
- Ability to associate risks with audit tests;
- Expanded the types of details that can be associated with the “Plan Project” function.
We’ve also made improvements to the Governance component of SimpleRisk, as you are now able to set a Control Type to be associated with a control and track fail states directly in the control details. The default Control Types are:
- Standalone
- Project
- Enterprise
When an Enterprise control is audited and fails an audit test, the system will automatically set the Control Status to “Fail” and submit any new associated risk(s) based on the audit test failure. This not only allows you to more effectively track failures that you identify outside the scope of a given audit test, it also ensures you have the ability to continually track any additional risks identified due to a control audit failure.
To begin using this new feature, you will first need to select “Enterprise” as the Control Type. Please note that by default, “Standalone” will be the only Control Type associated with controls, so you will need to select the “Enterprise Type” for the automated tracking of the control fail state to work properly. Once “Enterprise” is selected and saved, you will be ready to realize the benefits this new functionality brings to compliance auditing.
Now when a Compliance Audit Test for that control takes place, the control status can be updated based on the result. At the same time, if that audit test fails, the user will have the ability to submit a risk that will be directly associated with that control. That way, if the test is run again and that risk is still open and being tracked, it will automatically remain associated with the test and displayed in the “Risks” section at the bottom.
We also introduced a brand new Vulnerability Management Extra with this release. This Extra takes the functionality once rolled into the Import/Export Extra and completely reworks the way we approach vulnerability management. Where before we would pull any and all vulnerabilities from a given instance of your application of choice, we now offer the ability to filter these down by site and risk level and provide the opportunity to triage the entries added before generating risks. This Extra is offered free of charge to all users who already possess a license for Import/Export and should already be available for download.
Other new features that were added to enhance the usability of SimpleRisk include:
- Added all Customization fields to the Dynamic Risk Report, including those that appear in an active template.
- Added audit logging for documentation reviews.
- Added the ability to select the jQuery CDN or a local copy for restricted environments.
- Updated to a less resource-intensive version of the font system in place.
- Added filters to the Risks and Controls Report.
- Added filters to the Risks and Assets Report.
- Added Reporting for Risk Mapping to the Dynamic Risk Report.
- Added the ability to edit asset names in the Asset Management menu.
- Added several improvements and details to the Risks and Assets report, including new fields for highest residual risk, average residual risk, highest inherent risk, and average inherent risk.
- Added a filter for Projects to the Risks and Assets report.
- Risks and Controls report now displays the color of the highest risk score in the table header for each control.
- Added the ability to edit asset names directly through the “Edit Assets” menu in the “Asset Management” section.
- Added the ability to edit Project names in the “Plan Project” menu.
- Added additional details associated with Projects (Due Date, Consultant, Business Owner, Data Classification).
- Added additional debugging to the Upgrade Extra.
- Added a Healthcheck to ensure php max_var_char is set properly.
- Added a Healthcheck to ensure php-gd and php-zip are present.
This release also included the following bug fixes for the SimpleRisk Core:
- Fixed an issue where changing the date format would result in the Document Program next review date not automatically populating.
- Updated the display method for active audits to support high volumes of active audits.
- Fixed an issue where users could configure the risk scoring levels into a state that was not functional and could not be corrected through the UI.
- Fixed an issue where custom fields were not exported unless currently assigned to a template.
- Updated the jQuery CDN to use Google's CDN instead of jQuery's.
- Fixed an issue where sorting by Next Review Date in the Dynamic Risk Report would cause the report to indefinitely say “Processing”.
- Fixed an issue where submitting a risk with any template outside of the default would cause affected assets to not poll correctly.
- Fixed a bug where users were unable to upgrade the Upgrade Extra unless they were on the newest release.
- Fixed an issue where the link generated for the Management Review yes/no in All Open Risks Assigned to “Me” incorrectly added 1000 to the risk ID in the URL.
- Fixed an issue where the All Risks Assigned to “Me” report did not function as intended when the Team-Based Separation Extra was not present or otherwise turned off.
- Fixed a bug where admin users could add users with invalid e-mail addresses.
- Fixed an issue where authenticating to the SimpleRisk API would create a session for the user that could then be reused to gain access to the UI.
- Fixed a bug where removing the Risk Scoring Method field would result in the risk being unable to be scored or displayed properly.
We also fixed a number of potential Cross-Site Scripting vulnerabilities as well as an issue allowing for circumvention of permissions regarding the ability to view all Asset Valuations.
SimpleRisk Extras
The SimpleRisk Extras are the paid-for functionality that extends the features of the SimpleRisk Core. This release included a ton of new functionality as well as several bug fixes to our SimpleRisk Extras:
Customization
- Fixed a bug where removing the Risk Scoring Method field would result in the risk being unable to be scored or displayed properly.
- Fixed an issue where removing the Supporting Documentation field would break the ability to submit risks.
Custom Authentication
- Added the ability to manage and map Roles and Teams to users using LDAP or SAML. A new claim/assertion may be required to make those values available to SimpleRisk.
Risk Assessment
- Fixed a bug where Risk Submission via the Risk Analysis did not function.
- Fixed a bug where not entering certain fields during risk submission of a pending risk would prevent the confirmation messages from displaying.
- Fixed an issue where Risk Analysis did not use the correct submission date format.
- Fixed an issue where fill-in-the-blank questions could not be edited.
Import-Export
- Updated the Extra to function with multiple templates and to export the template associated with a risk; the template may now be selected during import as well.
Email Notification
- Fixed a bug where the middle date range for sending a notification for the Document Program would not send as intended.
- Fixed an issue where the third and furthest-out date e-mail notification for the Document Program would display the literal text $due_date instead of the number of days until due.
Incident Management
- Added permissions for Incident Management.
Team-Based Separation
- Fixed a bug where asset management using Team-Based Separation would not block the view of assets properly.