pep-un / oxomium Goto Github PK

The Organization - Policy - Mesure indirection append to be painfull.
We probably need to get ride of the Policy class and represent Policy as a bunch of Mesure

• Initial risk
• Risk traitement (Action)
• Residual risk

Relation between risk and Action

Mesure -> Measure

The controler must be in capacity to prove the control and add an attachement.

Implement an audit log of all change on object with simple-history :

https://django-simple-history.readthedocs.io/en/latest/quick_start.html

Update ISO27701:2013 to correctly represents the security control

Create the security control list for ISO27001:2022.

need a set of Policy to import during the setup th have a more usabel tool.

• Witch format ? JSON, CSV, Other ?
• What is the import process ?

Upgrade forms tom implemente logics and restrictions.
For exemple, if a Conformity is not applicable, all other field should be disabled.

When we affect a Policy to an Organization, we need te create automaticaly all Conformity item.
At the revers, we need to delete them when the Policy is unassociate.

Add an attachment in the form to allow to add proof or additional data related to the topic.

Some measure may be not applicable, We need to add a check box to allow it.
Comment wil be used to explain why

Classes names are not coherant with the wording used in ISO27000 framwork.

To have a more clear code and interface it's importante to clarify the wording and to update the classes names and display accordingly.

Status must be change automatically at the start of a period from "Scheduled" to "To Be Evaluated".

Additionally, at the end of the period, they must be changed to Missed, if they ave not been evaluated.

Alllow to track audits and audits findings.
This is a prerequisit to actions and actions plan

CCIP should allow to have an hoverview of all Actions with teh followinf information :

• the phase : Plan Do Check Act (or something else ? PCAS / DMAIC / A3 / 8D / PSP ?)
• Planification date, estimated and effective start date and end date
• the status (0% to 100%) with update date
• the owner,
• the priority,
• the associated Policy/Measure,
• the Organization,
• the formal Check by who and when
• Comment
• others ?

Extend User Model to implement Organization attachement and Organization based restriction

Implement sorted and filtered table.

https://django-tables2.readthedocs.io/en/latest/

Create a planed report to receive daily / weekly / monthly status.
Create an email notification for action near to expiration date.

This page must provide an overview off all item affected to the user (compliance, audit, CAPA, ...)

it may be usefull in international context, to display if the policy is writen in english or in a other language.

Review the OWASP TOP 10, an describe in Security.md how we handle each risque.

The conformity is actualy evaluat an a scal from 0 to 100.

Other system may be more pertinant :

• CMMI Maturity level
• Conform / parcialy conforme / unconforme
• Scan from 1 to 5

What is the best choice ?

Add link to creat Actions from Conformiy and Finding.
Add the visibility on the number of action listed to a Conformity or a Finding.
Add direct link to the list of action related to a Conformity or an Finding

Had link to open Finding or Conformity from Action. (Detail View or in the form ?)

Add a new menu to see the plan of controls my year/months/weeks and be able to planifie unplaned control or replanifie the existing one.

I didn't succeed to find the way to add this "filter".