diff --git a/.env.example b/.env.example
index c4f0132e..6f7d2e89 100644
--- a/.env.example
+++ b/.env.example
@@ -2,7 +2,7 @@
NEXTAUTH_URL=http://localhost:4002
# You can use openssl to generate a random 32 character key: openssl rand -base64 32
-NEXTAUTH_SECRET=rZTFtfNuSMajLnfFrWT2PZ3lX8WZv7W/Xs2H8hkEY6g=
+NEXTAUTH_SECRET=
# SMTP / Email settings
SMTP_HOST=
@@ -10,6 +10,7 @@ SMTP_PORT=
SMTP_USER=
SMTP_PASSWORD=
SMTP_FROM=
+BILLING_EMAIL=
# If you are using Docker, you can retrieve the values from: docker-compose.yml
DATABASE_URL=postgresql://:@localhost:5432/
@@ -30,34 +31,34 @@ RETRACED_API_KEY=
RETRACED_PROJECT_ID=
# Hide landing page and redirect to login page
-HIDE_LANDING_PAGE=false
+HIDE_LANDING_PAGE=true
# SSO groups can be prefixed with this identifier in order to avoid conflicts with other groups.
-# For example boxyhq-admin would be resolved to admin, boxyhq-member would be resolved to member, etc.
-GROUP_PREFIX=boxyhq-
+# For example unicis-admin would be resolved to admin, unicis-member would be resolved to member, etc.
+GROUP_PREFIX=unicis-
# Users will need to confirm their email before accessing the app feature
-CONFIRM_EMAIL=false
+CONFIRM_EMAIL=true
# Disable non-business email signup
DISABLE_NON_BUSINESS_EMAIL_SIGNUP=false
# Mixpanel
-NEXT_PUBLIC_MIXPANEL_TOKEN=
+# NEXT_PUBLIC_MIXPANEL_TOKEN=
# Enable Auth providers (comma separated)
# Supported providers: github, google, saml, email, credentials
-AUTH_PROVIDERS=
+AUTH_PROVIDERS = email,credentials
# OpenTelemetry
OTEL_EXPORTER_OTLP_METRICS_ENDPOINT=
OTEL_EXPORTER_OTLP_METRICS_HEADERS=
OTEL_EXPORTER_OTLP_METRICS_PROTOCOL=grpc
OTEL_EXPORTER_DEBUG=true
-OTEL_PREFIX=boxyhq.saas
+OTEL_PREFIX=unicis.saas
-NEXT_PUBLIC_TERMS_URL='/terms'
-NEXT_PUBLIC_PRIVACY_URL='/privacy'
+NEXT_PUBLIC_TERMS_URL='https://www.unicis.tech/terms'
+NEXT_PUBLIC_PRIVACY_URL='https://www.unicis.tech/privacy'
NEXT_PUBLIC_DARK_MODE=false
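Review bot: `AUTH_PROVIDERS = email,credentials` is the only line in the file with whitespace around `=`; the dotenv parser Next.js uses accepts it, but a shell `source`, `docker run --env-file` and similar loaders may reject the line or keep the spaces as part of the key or value, so the setting can silently differ depending on how the file is consumed. Write it as `AUTH_PROVIDERS=email,credentials` to match every other line. Separately, `NEXT_PUBLIC_MIXPANEL_TOKEN` is now commented out while the other optional keys stay present-but-empty; either convention works, but pick one so an operator can tell required settings from optional ones.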
@@ -69,5 +70,9 @@ FEATURE_TEAM_WEBHOOK=true
FEATURE_TEAM_API_KEY=true
# Google reCAPTCHA
-RECAPTCHA_SITE_KEY=
-RECAPTCHA_SECRET_KEY=
+# RECAPTCHA_SITE_KEY=
+# RECAPTCHA_SECRET_KEY=
+
+# Matamo tracking
+NEXT_PUBLIC_MATOMO_URL=
+NEXT_PUBLIC_MATOMO_SITE_ID=
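Review bot: `# Matamo tracking` misspells the product name; the keys beneath it are correctly `NEXT_PUBLIC_MATOMO_*`, so the comment should read `# Matomo tracking`. The same misspelling appears as `# Matamo` in the new Dockerfile in this commit.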
diff --git a/.eslintrc.js b/.eslintrc.js
index 5fd25a23..e4278f18 100644
--- a/.eslintrc.js
+++ b/.eslintrc.js
@@ -21,6 +21,15 @@ module.exports = {
plugins: ['react', '@typescript-eslint'],
rules: {
'@typescript-eslint/no-explicit-any': 'warn',
+ // '@typescript-eslint/no-explicit-any': 'off',
+ '@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_' }],
+ // 'react-hooks/exhaustive-deps': 'off',
+ // '@next/next/no-img-element': 'off',
+ // 'react/jsx-key': 'off',
+ // '@typescript-eslint/no-non-null-asserted-optional-chain': 'off',
+ // 'prefer-const': 'off',
+ // 'react/no-unescaped-entities': 'off',
+ // 'jsx-a11y/alt-text': 'off',
},
settings: {
react: {
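Review bot: The seven commented-out `'off'` entries added under `rules` are dead configuration: they change nothing today but read as a plan to disable `no-explicit-any`, `react-hooks/exhaustive-deps`, `react/jsx-key` and friends, and they will drift as soon as someone edits the live rules around them. Either drop them or keep a single comment explaining why the one live addition, `'@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_' }]`, was chosen; the `eslint` pre-commit hook added in this commit runs against this config, so any rule that is meant to be off should be set explicitly rather than left as a hint. Note that `no-explicit-any` stays at `'warn'`, and the new `components/billing/Pricing.tsx` in this commit already leans on that with `plans: any[]`. The `module.exports` object starts and ends outside the hunk.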
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 36980b93..420335ca 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -13,3 +13,8 @@ updates:
directory: '/'
schedule:
interval: 'weekly'
+
+ - package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: daily
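Review bot: The new `docker` entry quotes nothing (`directory: /`, `interval: daily`) while the existing entries quote both (`directory: '/'`, `interval: 'weekly'`); both parse, but keep one style, e.g. `directory: '/'` and `interval: 'daily'`. Daily checks against the `node:18.18.2@sha256:…` base image pinned in the new Dockerfile are the right pairing with digest pinning, so the entry itself is welcome.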
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..064dc6a4
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,78 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+ push:
+ branches: ["beta2-community"]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: ["beta2-community"]
+ schedule:
+ - cron: "0 0 * * 1"
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ["javascript", "typescript"]
+ # CodeQL supports [ $supported-codeql-languages ]
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ with:
+ egress-policy: audit
+
+ - name: Checkout repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
+
+ # βΉοΈ Command-line programs to run using the OS shell.
+ # π See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+ # - run: |
+ # echo "Run, Build Application using script"
+ # ./location_of_script_within_repo/buildscript.sh
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
+ with:
+ category: "/language:${{matrix.language}}"
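Review bot: The `language` matrix lists both `javascript` and `typescript`, but as far as I can tell the CodeQL action treats `typescript` as an alias of its `javascript` extractor (which already covers `.ts`/`.tsx`), so this runs the identical analysis twice per trigger and uploads two result sets; `language: ["javascript"]` (or the documented `javascript-typescript`) is enough. The `Autobuild` step is unnecessary for an interpreted-only matrix — it does nothing for JavaScript and only adds a step that can fail. The triggers are also restricted to `beta2-community`; if `main` remains an integration branch (the existing `main.yml` still triggers on it), pull requests into `main` get no CodeQL scan, so consider listing both branches. The SHA-pinned action references and the scoped job `permissions` are the right shape.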
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 00000000..f072eaba
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ with:
+ egress-policy: audit
+
+ - name: 'Checkout Repository'
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
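Review bot: The `Checkout Repository` step does not set `persist-credentials: false`, unlike the checkout in the new `scorecards.yml`; dependency review needs no git credentials, so add `with: persist-credentials: false` to keep the token out of the workspace. The `Dependency Review` step also runs entirely on the action's defaults, so the severity at which a PR is blocked and whether license checks apply are implicit; stating `fail-on-severity` (and, if wanted, `allow-licenses`/`deny-licenses`) under `with:` makes the merge-blocking policy visible in the file. The `permissions: contents: read` block and the SHA-pinned action references are good.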
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 32f8b795..3a58819e 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -11,11 +11,19 @@ on:
branches:
- main
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- run: npm install
- run: npm run check-lint
- run: npm run check-format
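Review bot: `- run: npm install` remains the install step even though the lint and format checks should run against the committed lockfile; `npm ci` fails on a lockfile/manifest mismatch and never rewrites `package-lock.json`, so change it to `- run: npm ci` (assuming the lockfile is committed — the new Dockerfile copies `package*.json`, which suggests it is). The new checkout also lacks `persist-credentials: false`, which `scorecards.yml` in this commit sets; a lint job needs no push credentials. The job-level `permissions: contents: read` and the SHA-pinned `harden-runner`/`checkout` references are good; `egress-policy: audit` only logs outbound traffic, so consider `block` with an `allowed-endpoints` list once the audit output shows what the job actually needs.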
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 00000000..0e3cc404
--- /dev/null
+++ b/.github/workflows/scorecards.yml
@@ -0,0 +1,76 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '20 7 * * 2'
+ push:
+ branches: ["beta2-community"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ contents: read
+ actions: read
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ with:
+ egress-policy: audit
+
+ - name: "Checkout code"
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecards on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
+ with:
+ sarif_file: results.sarif
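Review bot: The `push` trigger is limited to `beta2-community`, but as the action documents it, `publish_results: true` and the `branch_protection_rule` check only apply to the repository's default branch (the comment at the top of the `on:` block says as much), so if the default branch is a different one the workflow will run without publishing; align the branch filter with whatever the default branch is. `id-token: write` exists only to support publishing, so if publishing is not wanted drop both it and `publish_results`. The rest follows the upstream template with SHA-pinned actions, which is fine.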
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 00000000..989dfdf4
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,14 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+ rev: v8.16.3
+ hooks:
+ - id: gitleaks
+- repo: https://github.com/pre-commit/mirrors-eslint
+ rev: v8.38.0
+ hooks:
+ - id: eslint
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
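Review bot: The `mirrors-eslint` hook runs ESLint in an isolated environment that contains only `eslint` itself, so the plugins `.eslintrc.js` references (`react`, `@typescript-eslint`, plus anything its `extends` pulls in) will not resolve and the hook fails on first run; list them under `additional_dependencies:` with versions matching `package.json`, or replace the mirror with a `repo: local` hook that calls the project's own `npm run check-lint`. `rev: v8.38.0` should likewise track the ESLint version in `package.json`, otherwise the hook and `npm run check-lint` can disagree. Adding `gitleaks` is a good call, but it only scans staged changes from now on and does not cover credentials already present in this commit, such as the commented-out `DATABASE_URL` lines in the new Dockerfile.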
diff --git a/.vscode/settings.json b/.vscode/settings.json
index 35412482..2b78314e 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,4 +1,7 @@
{
"WillLuke.nextjs.addTypesOnSave": true,
- "WillLuke.nextjs.hasPrompted": true
+ "WillLuke.nextjs.hasPrompted": true,
+ "cSpell.words": [
+ "socialgouv"
+ ]
}
\ No newline at end of file
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
index 7e8afe66..dd4fa191 100644
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -60,7 +60,7 @@ representative at an online or offline event.
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement at
-deepak@boxyhq.com.
+info@unicis.tech.
All complaints will be reviewed and investigated promptly and fairly.
All community leaders are obligated to respect the privacy and security of the
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000..d0ec5e0d
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,84 @@
+# Use the official Node.js image as the base image
+FROM node:18.18.2@sha256:a17842484dd30af97540e5416c9a62943c709583977ba41481d601ecffb7f31b
+
+# Set the working directory in the container
+WORKDIR /app
+
+# Copy package.json and package-lock.json to the working directory
+COPY package*.json ./
+
+# Install dependencies
+RUN npm install --legacy-peer-deps
+
+# Set up database schema
+# RUN npx prisma db push
+
+# Copy the entire application to the working directory
+COPY . .
+
+# Expose the port on which your Next.js app will run
+EXPOSE 4002
+
+# Set the DATABASE_URL environment variable
+# ENV DATABASE_URL="postgresql://platform:7emp1eAppe4rance5Rang3I5BNOffice@db.unicis.tech/unicis_platform?schema=platform"
+# DEV DB -> ENV DATABASE_URL=postgresql://unicis_platform_dev:7emp1eAppe4rance5Rang3I5BNOffice-dev@srv-captain--db-dev:5432/unicis_platform_dev?sslmode=prefer
+
+ARG NEXTAUTH_URL=${NEXTAUTH_URL}
+ENV NEXTAUTH_URL=${NEXTAUTH_URL}
+ARG NEXTAUTH_SECRET=${NEXTAUTH_SECRET}
+ENV NEXTAUTH_SECRET=${NEXTAUTH_SECRET}
+ARG SMTP_HOST=${SMTP_HOST}
+ENV SMTP_HOST=${SMTP_HOST}
+ARG SMTP_PORT=${SMTP_PORT}
+ENV SMTP_PORT=${SMTP_PORT}
+ARG SMTP_USER=${SMTP_USER}
+ENV SMTP_USER=${SMTP_USER}
+ARG SMTP_PASSWORD=${SMTP_PASSWORD}
+ENV SMTP_PASSWORD=${SMTP_PASSWORD}
+ARG SMTP_FROM=${SMTP_FROM}
+ENV SMTP_FROM=${SMTP_FROM}
+ARG BILLING_EMAIL=${BILLING_EMAIL}
+ENV BILLING_EMAIL=${BILLING_EMAIL}
+ARG DATABASE_URL=${DATABASE_URL}
+ENV DATABASE_URL=${DATABASE_URL}
+ARG APP_URL=${APP_URL}
+ENV APP_URL=${APP_URL}
+ARG SVIX_URL=${SVIX_URL}
+ENV SVIX_URL=${SVIX_URL}
+ARG SVIX_API_KEY=${SVIX_API_KEY}
+ENV SVIX_API_KEY=${SVIX_API_KEY}
+# Users will need to confirm their email before accessing the app feature
+ARG CONFIRM_EMAIL=${CONFIRM_EMAIL}
+ENV CONFIRM_EMAIL=${CONFIRM_EMAIL}
+# Matamo
+ARG NEXT_PUBLIC_MATOMO_URL=${NEXT_PUBLIC_MATOMO_URL}
+ENV NEXT_PUBLIC_MATOMO_URL=${NEXT_PUBLIC_MATOMO_URL}
+ARG NEXT_PUBLIC_MATOMO_SITE_ID=${NEXT_PUBLIC_MATOMO_SITE_ID}
+ENV NEXT_PUBLIC_MATOMO_SITE_ID=${NEXT_PUBLIC_MATOMO_SITE_ID}
+
+# AuditLogs
+ARG RETRACED_URL=${RETRACED_URL}
+ENV RETRACED_URL=${RETRACED_URL}
+ARG RETRACED_API_KEY=${RETRACED_API_KEY}
+ENV RETRACED_API_KEY=${RETRACED_API_KEY}
+ARG RETRACED_PROJECT_ID=${RETRACED_PROJECT_ID}
+ENV RETRACED_PROJECT_ID=${RETRACED_PROJECT_ID}
+
+# Team feature
+ARG FEATURE_TEAM_SSO=${FEATURE_TEAM_SSO}
+ENV FEATURE_TEAM_SSOL=${FEATURE_TEAM_SSO}
+ARG FEATURE_TEAM_DSYNCL=${FEATURE_TEAM_DSYNC}
+ENV FEATURE_TEAM_DSYNC=${FEATURE_TEAM_DSYNC}
+ARG FEATURE_TEAM_AUDIT_LOG=${FEATURE_TEAM_AUDIT_LOG}
+ENV FEATURE_TEAM_AUDIT_LOG=${FEATURE_TEAM_AUDIT_LOG}
+ARG FEATURE_TEAM_WEBHOOK=${FEATURE_TEAM_WEBHOOK}
+ENV FEATURE_TEAM_WEBHOOK=${FEATURE_TEAM_WEBHOOK}
+ARG FEATURE_TEAM_API_KEY=${FEATURE_TEAM_API_KEY}
+ENV FEATURE_TEAM_API_KEY=${FEATURE_TEAM_API_KEY}
+
+
+# Build the Next.js app
+RUN npm run build
+
+# Start the Next.js app
+CMD ["npm", "start"]
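Review bot: The two commented-out `ENV DATABASE_URL=...` lines under `# Set the DATABASE_URL environment variable` embed what look like real database credentials for `db.unicis.tech` and a dev host; commenting them out does not keep them out of the repository or its history, so remove the lines and treat those credentials as exposed (rotate them), especially as this same commit adds `gitleaks` to pre-commit. The `ARG X` / `ENV X=${X}` pairs then bake `NEXTAUTH_SECRET`, `SMTP_PASSWORD`, `DATABASE_URL`, `SVIX_API_KEY` and `RETRACED_API_KEY` into the image configuration, where `docker history` and `docker inspect` expose them to anyone who can pull the image; only `NEXT_PUBLIC_*` values are needed at build time, so drop the secret `ARG`/`ENV` pairs and supply them at runtime (`docker run -e` / compose `environment`), or use a BuildKit `--mount=type=secret` if the build genuinely needs one. There are also two typos in the feature flags: `ENV FEATURE_TEAM_SSOL=${FEATURE_TEAM_SSO}` sets a misspelled variable so `FEATURE_TEAM_SSO` is never exported, and `ARG FEATURE_TEAM_DSYNCL=${FEATURE_TEAM_DSYNC}` declares the wrong build arg so `ENV FEATURE_TEAM_DSYNC=${FEATURE_TEAM_DSYNC}` expands to empty; they should read `ENV FEATURE_TEAM_SSO=${FEATURE_TEAM_SSO}` and `ARG FEATURE_TEAM_DSYNC=${FEATURE_TEAM_DSYNC}`. Smaller points: `COPY . .` with no `.dockerignore` in this commit copies `.git`, `node_modules` and any local `.env` into the image, the container runs as root (no `USER` directive), and `npm install --legacy-peer-deps` should be `npm ci` for reproducible builds.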
diff --git a/Dockerfile-bck b/Dockerfile-bck
new file mode 100644
index 00000000..2d664124
--- /dev/null
+++ b/Dockerfile-bck
@@ -0,0 +1,17 @@
+# build environment
+FROM node:latest as builder
+RUN mkdir /usr/src/app
+WORKDIR /usr/src/app
+ENV PATH /usr/src/app/node_modules/.bin:$PATH
+COPY . /usr/src/app
+RUN npm install --force
+RUN npm run build
+
+# production environment
+FROM nginx:latest
+RUN rm -rf /etc/nginx/conf.d
+RUN mkdir -p /etc/nginx/conf.d
+COPY ./default.conf /etc/nginx/conf.d/
+COPY --from=builder /usr/src/app/build /usr/share/nginx/html
+EXPOSE 80
+CMD ["nginx", "-g", "daemon off;"]
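Review bot: `Dockerfile-bck` looks like a stale backup rather than something that builds this project: it copies `./default.conf`, which is not in this diff, and serves `/usr/src/app/build` from nginx, whereas the Next.js app (`npm run build` then `npm start` in the main `Dockerfile`) emits `.next` and needs the Node server, so the image would be empty or fail to build. It also uses unpinned `node:latest` and `nginx:latest`, which contradicts the digest pinning in `Dockerfile` and gives the new Dependabot `docker` entry nothing useful to track. Delete the file, or if a static/nginx variant is really wanted, rename it deliberately (e.g. `Dockerfile.nginx`) and pin its base images.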
diff --git a/README.md b/README.md
index 71d86597..bab8c8e4 100644
--- a/README.md
+++ b/README.md
@@ -1,52 +1,137 @@
-
-
-
-
-
+# Unicis Platform Community Edition (free and open source)
-
- Participating in
-
+
+
+[](https://img.shields.io/github/forks/UnicisTech/unicis-platform-ce)
+[](https://mastodon.xyz/@unicis_tech)
+[](https://twitter.com/UnicisTech)
+[](https://www.linkedin.com/company/unicis-tech-o%C3%BC/)
+[](https://discord.com/invite/8TwyeD97HD)
-
-
- 
-
-
+Unicis Platform Community Edition - an open core, enterprise-ready trust management platform for startups and SMEs.
+[Learn how to get started](https://www.unicis.tech/docs/platform/install/unicis-platform-community-edition-hosted) with Unicis Platform Community Edition (Self-Hosted).
-[β¬οΈ Take a look at our Issues β¬οΈ](https://github.com/boxyhq/saas-starter-kit/issues)
+> [!NOTE]
+> Unicis Platform Community Edition is currently in **BETA**. We value your [feedback](https://feedback.unicis.tech/) as we progress towards a stable release.
-
+#### Free and open source community edition - all-in-one tools for security, privacy and compliance team
----
+
-# β Enterprise SaaS Starter Kit
+Please star β the repo if you want us to continue developing and improving the Unicis Platform and [community support](https://www.unicis.tech/community)! π
-
-
-
-
-
-
-
-
+Subscribe to our [newsletter](https://www.unicis.tech/newsletter?mtm_campaign=github&mtm_source=github) to stay informed.
-The Open Source Next.js SaaS boilerplate for Enterprise SaaS app development.
+## π Additional Resources
-Please star β the repo if you want us to continue developing and improving the SaaS Starter Kit! π
+- [Unicis Platform getting started documentation](https://www.unicis.tech/docs/unicis_platform_intro)
-## π Additional Resources
-Video - [BoxyHQ's SaaS Starter Kit: Your Ultimate Enterprise-Compliant Boilerplate](https://www.youtube.com/watch?v=oF8QIwQIhyo)
-Blog - [Enterprise-ready Saas Starter Kit](https://boxyhq.com/blog/enterprise-ready-saas-starter-kit)
+## Applications
+
+- [Dashboard](https://www.unicis.tech/docs/platform/using/dashboard)
+- [Tasks](https://www.unicis.tech/docs/platform/using/tasks)
+- [Record of Processing Activities](https://www.unicis.tech/docs/platform/using/record-processing-actitivities)
+- [Transfer Impact Assessment](https://www.unicis.tech/docs/platform/using/transfer-impact-assessment)
+- [Cybersecurity Controls: MVSP](https://www.unicis.tech/docs/platform/using/cybersecurity-management-system)
+- [Settings](https://www.unicis.tech/docs/platform/using/settings)
+
+## Frameworks Support
+
+We support the following framework controls, international standards and benchmarking:
+
+- [General Data Protection Regulation (GDPR)](https://www.unicis.tech/frameworks/gdpr)
+- [Minimum Viable Secure Product (MVSP)](https://www.unicis.tech/frameworks/mvsp)
+- [ISO/IEC 27001:2013 and ISO/IEC 27001:2022](https://www.unicis.tech/frameworks/iso27k)
+- [National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0](https://www.unicis.tech/frameworks/nist-csf2)
+- EU Cyber Resilience Act (coming soon)
+- EU Digital Operational Resilience Act (DORA) (coming soon)
+- EU The NIS2 Directive (coming soon)
+- Payment Card Industry Data Security Standard PCI-DSS (coming soon)
+- System and Organization Controls (SOC) (coming soon)
+- Center for Internet Security (CIS) (coming soon)
+- Cloud Security Alliance (CSA) (comming soon)
+- C5 (Cloud Computing Compliance Criteria Catalogue) BSI (coming soon)
+- Custom frameworks (coming soon)
+
+## π³ Plans
+
+> [!NOTE]
+> For self-hosted Unicis Platform Community Edition Premium and Ultimate plans please reach out to us directly and it is only available via private repository, please see [pricing page](https://www.unicis.tech/pricing).
+
+### Community Plan
+
+Applications
+- Record of Processing Activities
+- Transfer Impact Assessment
+- Cybersecurity Controls: MVSP
+Features:
+- SSO & SAML
+- [Community Support](https://discord.com/invite/8TwyeD97HD)
+
+### Premium Plan
+
+
+Everything in Community
+
+Applications:
+- IA Chat (coming soon)
+- Interactive Awareness Program (coming soon)
+- Privacy Impact Assessment (coming soon)
+- Cybersecurity Controls: MVSP + ISO27001
+- Cybersecurity Risk Management (coming soon)
+
+Features
+
+From Community
+- Webhooks & API
+
+### Ultimate Plan
-Next.js-based SaaS starter kit saves you months of development by starting you off with all the features that are the same in every product, so you can focus on what makes your app unique.
+Everything in Premium
+
+Applications:
+- Processor Questionnaire Checklist (coming soon)
+- Cybersecurity Controls + NIST CSF2.0 standard
+- Asset Inventory Management (coming soon)
+- Benchmark Report (coming soon)
+- Vendor Assessment Checklist (coming soon)
+- Vendor Report (coming soon)
+
+Features
+
+From Premium
+- Audit Logs
+
+For more details please visit the [pricing page](https://www.unicis.tech/pricing).
+
+## π₯ Features
+
+- Create account
+- Sign in with Email and Password
+- Sign in with Magic Link
+- Sign in with SAML SSO
+- Sign in with Google [[Setting up Google OAuth](https://support.google.com/cloud/answer/6158849?hl=en)]
+- Sign in with GitHub [[Creating a Github OAuth App](https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app)]
+- Directory Sync (SCIM)
+- Update account
+- Create team
+- Invite users to the team
+- Manage team members
+- Update team settings
+- Webhooks & Events
+- Internationalization
+- Audit logs
+- Roles and Permissions
+- Dark mode
+- Billing
## π οΈ Built With
+- [SaaS-Starter-Kit](https://github.com/boxyhq/saas-starter-kit/)
- [Next.js](https://nextjs.org)
-- [Tailwind CSS](https://tailwindcss.com)
+- [Tailwind CSS](https://tailwindcss.com) and [Atlaskit](https://atlaskit.atlassian.com/)
- [Postgres](https://www.postgresql.org)
- [React](https://reactjs.org)
- [Prisma](https://www.prisma.io)
@@ -54,20 +139,11 @@ Next.js-based SaaS starter kit saves you months of development by starting you o
- [SAML Jackson](https://github.com/boxyhq/jackson) (Provides SAML SSO, Directory Sync)
- [Svix](https://www.svix.com/) (Provides Webhook Orchestration)
- [Retraced](https://github.com/retracedhq/retraced) (Provides Audit Logs Service)
+- Endpoints collection (Provided by [Osquery](https://osquery.io/))
## π Deployment
-
-
-
-
-
-
-
-
-
-
-
+How to self-host [deployment documentation](https://www.unicis.tech/docs/platform/install/unicis-platform-community-edition-hosted).
## β¨ Getting Started
@@ -84,17 +160,17 @@ Please follow these simple steps to get a local copy up and running.
#### 1. Setup
-- [Fork](https://github.com/boxyhq/saas-starter-kit/fork) the repository
+- [Fork](https://github.com/UnicisTech/unicis-platform-ce/fork) the repository
- Clone the repository by using this command:
```bash
-git clone https://github.com//saas-starter-kit.git
+git clone https://github.com//unicis-platform-ce.git
```
#### 2. Go to the project folder
```bash
-cd saas-starter-kit
+cd unicis-platform-ce
```
#### 3. Install dependencies
@@ -161,34 +237,9 @@ npm run test:e2e
_Note: HTML test report is generated inside the `report` folder. Currently supported browsers for test execution `chromium` and `firefox`_
-#### Fully customizable boilerplate out of the box, see images below πππ
+## Changelog
-
-
-## π₯ Features
-
-- Create account
-- Sign in with Email and Password
-- Sign in with Magic Link
-- Sign in with SAML SSO
-- Sign in with Google [[Setting up Google OAuth](https://support.google.com/cloud/answer/6158849?hl=en)]
-- Sign in with GitHub [[Creating a Github OAuth App](https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app)]
-- Directory Sync (SCIM)
-- Update account
-- Create team
-- Invite users to the team
-- Manage team members
-- Update team settings
-- Webhooks & Events
-- Internationalization
-- Audit logs
-- Roles and Permissions
-- Dark mode
-
-## β‘οΈ Coming Soon
-
-- Billing & subscriptions
-- Unit and integration tests
+Available on our website [changelog and released](https://www.unicis.tech/docs/platform/using/settings).
## β¨ Contributing
@@ -201,23 +252,21 @@ Please try to create bug reports that are:
- _Unique._ Do not duplicate existing opened issues.
- _Scoped to a Single Bug._ One bug per report.
-[Contributing Guide](https://github.com/boxyhq/saas-starter-kit/blob/main/CONTRIBUTING.md)
+[Contributing Guide](https://github.com/UnicisTech/unicis-platform-ce/blob/main/CONTRIBUTING.md)
-## π€© Community
+## π° Support and Sponsor Us
-- [Discord](https://discord.gg/uyb7pYt4Pa) (For live discussion with the Open-Source Community and BoxyHQ team)
-- [Twitter](https://twitter.com/BoxyHQ) / [LinkedIn](https://www.linkedin.com/company/boxyhq) (Follow us)
-- [Youtube](https://www.youtube.com/@boxyhq) (Watch community events and tutorials)
-- [GitHub Issues](https://github.com/boxyhq/saas-starter-kit/issues) (Contributions, report issues, and product ideas)
+Financially support the project via [GitHub Sponsors](https://github.com/sponsors/UnicisTech) and [Open Collective](https://opencollective.com/unicis-platform-ce).
-## π Contributors
+## π€© Community
-
-
-
+- [Discord](https://discord.com/invite/8TwyeD97HD) (For live discussion with the Open-Source Community and Unicis team)
+- [X](https://twitter.com/UnicisTech) / [LinkedIn](https://www.linkedin.com/company/unicis-tech-oΓΌ/) / [Mastodon](https://mastodon.xyz/@unicis_tech) (Follow us)
+- [Vimeo](https://vimeo.com/user183384852) (Watch community events and tutorials)
+- [GitHub Issues](https://github.com/UnicisTech/unicis-platform-ce/issues) (Contributions, report issues, and product ideas)
+- [Feedback and Roadmap portal](https://feedback.unicis.tech/).
-Made with [contrib.rocks](https://contrib.rocks).
## π‘οΈ License
-[Apache 2.0 License](https://github.com/boxyhq/saas-starter-kit/blob/main/LICENSE)
+[Apache 2.0 License](https://github.com/UnicisTech/unicis-platform-ce/blob/community-edition/LICENSE)
diff --git a/captain-definition b/captain-definition
new file mode 100644
index 00000000..b434a578
--- /dev/null
+++ b/captain-definition
@@ -0,0 +1,4 @@
+{
+ "schemaVersion": 2,
+ "dockerfilePath" :"./Dockerfile"
+}
\ No newline at end of file
diff --git a/components/account/UpdateName.tsx b/components/account/UpdateName.tsx
index 698d17c9..8f2c91c6 100644
--- a/components/account/UpdateName.tsx
+++ b/components/account/UpdateName.tsx
@@ -2,16 +2,17 @@ import * as Yup from 'yup';
import { useFormik } from 'formik';
import toast from 'react-hot-toast';
import { useTranslation } from 'next-i18next';
-import { Button, Input } from 'react-daisyui';
+import { Button } from 'react-daisyui';
import type { ApiResponse } from 'types';
-import { Card } from '@/components/shared';
+import { Card, InputWithLabel } from '@/components/shared';
import { defaultHeaders } from '@/lib/common';
import { User } from '@prisma/client';
import { useSession } from 'next-auth/react';
const schema = Yup.object().shape({
- name: Yup.string().required(),
+ firstName: Yup.string().required(),
+ lastName: Yup.string().required(),
});
const UpdateName = ({ user }: { user: Partial }) => {
@@ -20,7 +21,8 @@ const UpdateName = ({ user }: { user: Partial }) => {
const formik = useFormik({
initialValues: {
- name: user.name,
+ firstName: user.firstName,
+ lastName: user.lastName,
},
enableReinitialize: true,
validationSchema: schema,
@@ -58,13 +60,26 @@ const UpdateName = ({ user }: { user: Partial }) => {
{t('name')}
{t('name-appearance')}
-
+
diff --git a/components/auth/AgreeMessage.tsx b/components/auth/AgreeMessage.tsx
index 6c254a44..9b95327e 100644
--- a/components/auth/AgreeMessage.tsx
+++ b/components/auth/AgreeMessage.tsx
@@ -10,19 +10,28 @@ const AgreeMessage = ({ text }) => {
{t('terms')}
+
+ {','}{' '}
+
+ {t('privacy')}
{' '}
{t('and')}{' '}
- {t('privacy')}
+ {t('security')}
);
diff --git a/components/auth/Join.tsx b/components/auth/Join.tsx
index 4fe61312..1fa53392 100644
--- a/components/auth/Join.tsx
+++ b/components/auth/Join.tsx
@@ -31,13 +31,15 @@ const Join = ({ recaptchaSiteKey }: JoinProps) => {
const formik = useFormik({
initialValues: {
- name: '',
+ firstName: '',
+ lastName: '',
email: '',
password: '',
team: '',
},
validationSchema: Yup.object().shape({
- name: Yup.string().required(),
+ firstName: Yup.string().required(),
+ lastName: Yup.string().required(),
email: Yup.string().required().email(),
password: Yup.string().required().min(passwordPolicies.minLength),
team: Yup.string().required().min(3),
@@ -79,11 +81,20 @@ const Join = ({ recaptchaSiteKey }: JoinProps) => {
+
+
void;
+ team: Team;
+}) => {
+ const { t } = useTranslation('common');
+
+ // console.log('countries', countries)
+ //TODO: #6 check if email exist in teamMembers and its admin or owner
+ const formik = useFormik({
+ initialValues: {
+ companyName: '',
+ address: '',
+ zipCode: '',
+ country: 'Germany',
+ vatId: '',
+ email: '',
+ },
+ validationSchema: Yup.object().shape({
+ companyName: Yup.string().required(),
+ address: Yup.string().required(),
+ zipCode: Yup.string().required(),
+ country: Yup.string().required('Country is a required field.'),
+ vatId: Yup.string().required(),
+ email: Yup.string().required().email(),
+ }),
+ onSubmit: async (values) => {
+ console.log('values', { ...values, subscription: selectedSubscription });
+ const response = await fetch(`/api/teams/${team.slug}/billing`, {
+ method: 'POST',
+ headers: defaultHeaders,
+ body: JSON.stringify({ ...values, subscription: selectedSubscription }),
+ });
+ console.log('post billing response', response);
+
+ const json = (await response.json()) as ApiResponse;
+
+ if (!response.ok) {
+ toast.error(json.error.message);
+ return;
+ }
+
+ toast.success(t('invitation-sent'));
+ // mutateInvitation();
+ setVisible(false);
+ formik.resetForm();
+ },
+ });
+ const toggleVisible = () => {
+ setVisible(!visible);
+ };
+
+ return (
+
+
+
+ );
+};
+
+export default DetailsModal;
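Review bot: `console.log('values', { ...values, subscription: selectedSubscription })` and `console.log('post billing response', response)` in `onSubmit` write the submitted billing details (company name, address, VAT id, email) to the browser console on every order; remove both before this ships. The success path then shows `toast.success(t('invitation-sent'))`, which is the invitation flow's message reused for a billing order, and the failure path reads `json.error.message` without checking that `error` exists, so an error response with a different shape throws inside the handler instead of surfacing a toast — use `json.error?.message` with a generic fallback string from the i18n files. These lines appear to belong to `components/billing/DetailsModal.tsx` (the file ends with `export default DetailsModal`), whose `diff` header seems to have been lost in this extract; the component's opening lines are not visible here.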
diff --git a/components/billing/Pricing.tsx b/components/billing/Pricing.tsx
new file mode 100644
index 00000000..b8b04490
--- /dev/null
+++ b/components/billing/Pricing.tsx
@@ -0,0 +1,143 @@
+import { Button } from 'react-daisyui';
+import { useTranslation } from 'next-i18next';
+import { SubscriptionStatus, Plan } from '@prisma/client';
+import React from 'react';
+import { TeamWithSubscription } from 'types';
+
+interface PricingProps {
+ team: TeamWithSubscription;
+ plans: any[];
+ setVisible: React.Dispatch>;
+ setSelectedSubscription: React.Dispatch>;
+}
+
+const Pricing = ({
+ team,
+ plans,
+ setSelectedSubscription,
+ setVisible,
+}: PricingProps) => {
+ // const { team } = useTeam();
+ const { t } = useTranslation('common');
+ const currentStatus = team.subscription?.status;
+ console.log('team', team);
+ const currentPlan =
+ currentStatus === SubscriptionStatus.ACTIVE
+ ? team.subscription?.plan
+ : Plan.COMMUNITY;
+ // const initiateCheckout = async (price: string, quantity?: number) => {
+ // const res = await fetch(
+ // `/api/teams/${team?.slug}/payments/create-checkout-session`,
+ // {
+ // method: 'POST',
+ // headers: {
+ // 'Content-Type': 'application/json',
+ // },
+ // body: JSON.stringify({ price, quantity }),
+ // }
+ // );
+
+ // const data = await res.json();
+
+ // if (data?.data?.url) {
+ // window.open(data.data.url, '_blank', 'noopener,noreferrer');
+ // } else {
+ // toast.error(
+ // data?.error?.message ||
+ // data?.error?.raw?.message ||
+ // t('stripe-checkout-fallback-error')
+ // );
+ // }
+ // };
+
+ // const hasActiveSubscription = (price: Price) =>
+ // subscriptions.some((s) => s.priceId === price.id);
+
+ return (
+
+
+ {plans.map((plan) => {
+ return (
+
+
+
+
+ {plan.name}
+
+
Users: {plan.users}
+
+
+
+ {plan.price}
+
+ {plan.subprice}
+
+
+
+ {currentPlan === plan.id ? (
+
+ {t('current')}
+
+ ) : (
+ {
+ setSelectedSubscription(plan.id);
+ setVisible(true);
+ }}
+ >
+ {t('order')}
+
+ )}
+
+
+ {plan.applications.map((application: string) => (
+
+
+
+
+
+ {application}
+
+ ))}
+
+
+ );
+ })}
+
+
+ );
+};
+
+export default Pricing;
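Review bot: `plans: any[]` in `PricingProps` turns off checking for everything the component reads from a plan (`plan.id`, `plan.name`, `plan.users`, `plan.price`, `plan.subprice`, `plan.applications`), and `no-explicit-any` is only a warning in the ESLint config this commit touches, so declare the shape (an interface with those fields, `id` typed as `Plan`) and use `plans: PricingPlan[]`. `console.log('team', team)` dumps the whole team object, subscription included, to the browser console on every render and should be removed, as should the block of commented-out `initiateCheckout` / `hasActiveSubscription` code, which belongs in version-control history rather than the file. `currentPlan` falls back to `Plan.COMMUNITY` for any status other than `ACTIVE`, which is reasonable, but a one-line comment stating that past-due or cancelled subscriptions intentionally render as Community would help the next reader.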
diff --git a/components/billing/WisePaymentCard.tsx b/components/billing/WisePaymentCard.tsx
new file mode 100644
index 00000000..1cddd16d
--- /dev/null
+++ b/components/billing/WisePaymentCard.tsx
@@ -0,0 +1,99 @@
+import Link from 'next/link';
+import { Card } from '@/components/shared';
+import { useTranslation } from 'next-i18next';
+import React from 'react';
+import { Button } from 'react-daisyui';
+import type { TeamWithSubscription, SubscriptionWithPayments } from 'types';
+import useTeamMembers from 'hooks/useTeamMembers';
+import { getTotalPrice, planPrice } from '@/lib/subscriptions';
+import { format } from 'date-fns/format';
+
+interface WisePaymentCardProps {
+ team: TeamWithSubscription;
+}
+
+const WisePaymentCard = ({ team }: WisePaymentCardProps) => {
+ const { t } = useTranslation('common');
+ const subscription = team.subscription as SubscriptionWithPayments;
+ const { members, isError, isLoading } = useTeamMembers(team.slug);
+
+ if (isLoading || isError || !members || !subscription) {
+ return null;
+ }
+ if (subscription.payments.length === 0) {
+ return null;
+ }
+
+ const newestPayment = subscription.payments.reduce((latest, payment) => {
+ return payment.date > latest.date ? payment : latest;
+ });
+
+ console.log('newestPayment.paymentUrl', newestPayment.paymentUrl);
+
+ return (
+
+
+
+ {t('wise-payment')}
+ {t('wise-payment-details')}
+
+
+
+ Team:
+ {team.name}
+
+
+ Number of Members:
+ {members.length || ''}
+
+
+ Price per user:
+ β¬{planPrice[subscription.plan]}
+
+
+ Total:
+ β¬{getTotalPrice(subscription.plan, members.length)}
+
+
+ Invoice Date:
+ {format(new Date(newestPayment.date), 'MMMM d, yyyy')}
+
+
+ Next invoice Date:
+
+ {format(
+ new Date(newestPayment.date).setDate(
+ new Date(newestPayment.date).getDate() + 30
+ ),
+ 'MMMM d, yyyy'
+ )}
+
+
+
+
+ {/* */}
+
+
+
+
+ {t('pay-now')}
+
+
+
+
+ {/* */}
+
+ );
+};
+
+export default WisePaymentCard;
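Review bot: `console.log('newestPayment.paymentUrl', newestPayment.paymentUrl)` in WisePaymentCard writes the team's payment link to the browser console on each render that reaches it; it reads as leftover debugging and should be removed before merge, since billing URLs then end up in console captures and any client-side log collection. The `team.subscription as SubscriptionWithPayments` assertion a few lines above also wants a runtime guard rather than a cast, because the later `subscription.payments.length === 0` check assumes `payments` is present and would throw if the declared prop type ever carries a subscription without it; `if (!subscription?.payments?.length) return null;` covers the null and the empty case together and lets the `as` be dropped. Minor: `{members.length || ''}` renders nothing for a zero-member team, which is probably not intended — `{members.length}` is enough since `members` is already checked above.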
diff --git a/components/billing/index.ts b/components/billing/index.ts
new file mode 100644
index 00000000..3dd1f193
--- /dev/null
+++ b/components/billing/index.ts
@@ -0,0 +1,3 @@
+export { default as Pricing } from './Pricing';
+export { default as DetailsModal } from './DetailsModal';
+export { default as WisePaymentCard } from './WisePaymentCard';
diff --git a/components/defaultLanding/data/CSF2_1.json b/components/defaultLanding/data/CSF2_1.json
new file mode 100644
index 00000000..909e29fd
--- /dev/null
+++ b/components/defaultLanding/data/CSF2_1.json
@@ -0,0 +1,744 @@
+[
+ {
+ "Code": "GV.OC-01",
+ "Section": "GOVERN",
+ "Control": "Organizational Context",
+ "Requirements": "The organizational mission is understood and informs cybersecurity risk management",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.OC-02",
+ "Section": "GOVERN",
+ "Control": "Organizational Context",
+ "Requirements": "Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.OC-03",
+ "Section": "GOVERN",
+ "Control": "Organizational Context",
+ "Requirements": "Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.OC-04",
+ "Section": "GOVERN",
+ "Control": "Organizational Context",
+ "Requirements": "Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.OC-05",
+ "Section": "GOVERN",
+ "Control": "Organizational Context",
+ "Requirements": "Outcomes, capabilities, and services that the organization depends on are understood and communicated",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.RM-01",
+ "Section": "GOVERN",
+ "Control": "Risk Management Strategy",
+ "Requirements": "Risk management objectives are established and agreed to by organizational stakeholders",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.RM-02",
+ "Section": "GOVERN",
+ "Control": "Risk Management Strategy",
+ "Requirements": "Risk appetite and risk tolerance statements are established, communicated, and maintained",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.RM-03",
+ "Section": "GOVERN",
+ "Control": "Risk Management Strategy",
+ "Requirements": "Cybersecurity risk management activities and outcomes are included in enterprise risk management processes",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.RM-04",
+ "Section": "GOVERN",
+ "Control": "Risk Management Strategy",
+ "Requirements": "Strategic direction that describes appropriate risk response options is established and communicated",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.RM-05",
+ "Section": "GOVERN",
+ "Control": "Risk Management Strategy",
+ "Requirements": "Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.RM-06",
+ "Section": "GOVERN",
+ "Control": "Risk Management Strategy",
+ "Requirements": "A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.RM-07",
+ "Section": "GOVERN",
+ "Control": "Risk Management Strategy",
+ "Requirements": "Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.RR-01",
+ "Section": "GOVERN",
+ "Control": "Roles, Responsibilities, and Authorities",
+ "Requirements": "Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.RR-02",
+ "Section": "GOVERN",
+ "Control": "Roles, Responsibilities, and Authorities",
+ "Requirements": "Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.RR-03",
+ "Section": "GOVERN",
+ "Control": "Roles, Responsibilities, and Authorities",
+ "Requirements": "Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.RR-04",
+ "Section": "GOVERN",
+ "Control": "Roles, Responsibilities, and Authorities",
+ "Requirements": "Cybersecurity is included in human resources practices",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.PO-01",
+ "Section": "GOVERN",
+ "Control": "Policy",
+ "Requirements": "Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.PO-02",
+ "Section": "GOVERN",
+ "Control": "Policy",
+ "Requirements": "Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.OV-01",
+ "Section": "GOVERN",
+ "Control": "Oversight",
+ "Requirements": "Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.OV-02",
+ "Section": "GOVERN",
+ "Control": "Oversight",
+ "Requirements": "The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.OV-03",
+ "Section": "GOVERN",
+ "Control": "Oversight",
+ "Requirements": "Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.SC-01",
+ "Section": "GOVERN",
+ "Control": "Cybersecurity Supply Chain Risk Management",
+ "Requirements": "A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.SC-02",
+ "Section": "GOVERN",
+ "Control": "Cybersecurity Supply Chain Risk Management",
+ "Requirements": "Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.SC-03",
+ "Section": "GOVERN",
+ "Control": "Cybersecurity Supply Chain Risk Management",
+ "Requirements": "Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.SC-04",
+ "Section": "GOVERN",
+ "Control": "Cybersecurity Supply Chain Risk Management",
+ "Requirements": "Suppliers are known and prioritized by criticality",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.SC-05",
+ "Section": "GOVERN",
+ "Control": "Cybersecurity Supply Chain Risk Management",
+ "Requirements": "Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.SC-06",
+ "Section": "GOVERN",
+ "Control": "Cybersecurity Supply Chain Risk Management",
+ "Requirements": "Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.SC-07",
+ "Section": "GOVERN",
+ "Control": "Cybersecurity Supply Chain Risk Management",
+ "Requirements": "The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.SC-08",
+ "Section": "GOVERN",
+ "Control": "Cybersecurity Supply Chain Risk Management",
+ "Requirements": "Relevant suppliers and other third parties are included in incident planning, response, and recovery activities",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.SC-09",
+ "Section": "GOVERN",
+ "Control": "Cybersecurity Supply Chain Risk Management",
+ "Requirements": "Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "GV.SC-10",
+ "Section": "GOVERN",
+ "Control": "Cybersecurity Supply Chain Risk Management",
+ "Requirements": "Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.AM-01",
+ "Section": "IDENTIFY",
+ "Control": "Asset Management",
+ "Requirements": "Inventories of hardware managed by the organization are maintained",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.AM-02",
+ "Section": "IDENTIFY",
+ "Control": "Asset Management",
+ "Requirements": "Inventories of software, services, and systems managed by the organization are maintained",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.AM-03",
+ "Section": "IDENTIFY",
+ "Control": "Asset Management",
+ "Requirements": "Representations of the organization's authorized network communication and internal and external network data flows are maintained",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.AM-04",
+ "Section": "IDENTIFY",
+ "Control": "Asset Management",
+ "Requirements": "Inventories of services provided by suppliers are maintained",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.AM-05",
+ "Section": "IDENTIFY",
+ "Control": "Asset Management",
+ "Requirements": "Assets are prioritized based on classification, criticality, resources, and impact on the mission",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.AM-07",
+ "Section": "IDENTIFY",
+ "Control": "Asset Management",
+ "Requirements": "Inventories of data and corresponding metadata for designated data types are maintained",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.AM-08",
+ "Section": "IDENTIFY",
+ "Control": "Asset Management",
+ "Requirements": "Systems, hardware, software, services, and data are managed throughout their life cycles",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.RA-01",
+ "Section": "IDENTIFY",
+ "Control": "Risk Assessment",
+ "Requirements": "Vulnerabilities in assets are identified, validated, and recorded",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.RA-02",
+ "Section": "IDENTIFY",
+ "Control": "Risk Assessment",
+ "Requirements": "Cyber threat intelligence is received from information sharing forums and sources",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.RA-03",
+ "Section": "IDENTIFY",
+ "Control": "Risk Assessment",
+ "Requirements": "Internal and external threats to the organization are identified and recorded",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.RA-04",
+ "Section": "IDENTIFY",
+ "Control": "Risk Assessment",
+ "Requirements": "Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.RA-05",
+ "Section": "IDENTIFY",
+ "Control": "Risk Assessment",
+ "Requirements": "Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.RA-06",
+ "Section": "IDENTIFY",
+ "Control": "Risk Assessment",
+ "Requirements": "Risk responses are chosen, prioritized, planned, tracked, and communicated",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.RA-07",
+ "Section": "IDENTIFY",
+ "Control": "Risk Assessment",
+ "Requirements": "Changes and exceptions are managed, assessed for risk impact, recorded, and tracked",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.RA-08",
+ "Section": "IDENTIFY",
+ "Control": "Risk Assessment",
+ "Requirements": "Processes for receiving, analyzing, and responding to vulnerability disclosures are established",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.RA-09",
+ "Section": "IDENTIFY",
+ "Control": "Risk Assessment",
+ "Requirements": "The authenticity and integrity of hardware and software are assessed prior to acquisition and use",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.RA-10",
+ "Section": "IDENTIFY",
+ "Control": "Risk Assessment",
+ "Requirements": "Critical suppliers are assessed prior to acquisition",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.IM-01",
+ "Section": "IDENTIFY",
+ "Control": "Improvement",
+ "Requirements": "Improvements are identified from evaluations",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.IM-02",
+ "Section": "IDENTIFY",
+ "Control": "Improvement",
+ "Requirements": "Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.IM-03",
+ "Section": "IDENTIFY",
+ "Control": "Improvement",
+ "Requirements": "Improvements are identified from execution of operational processes, procedures, and activities",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "ID.IM-04",
+ "Section": "IDENTIFY",
+ "Control": "Improvement",
+ "Requirements": "Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.AA-01",
+ "Section": "PROTECT",
+ "Control": "Identity Management, Authentication, and Access Requirements",
+ "Requirements": "Identities and credentials for authorized users, services, and hardware are managed by the organization",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.AA-02",
+ "Section": "PROTECT",
+ "Control": "Identity Management, Authentication, and Access Requirements",
+ "Requirements": "Identities are proofed and bound to credentials based on the context of interactions",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.AA-03",
+ "Section": "PROTECT",
+ "Control": "Identity Management, Authentication, and Access Requirements",
+ "Requirements": "Users, services, and hardware are authenticated",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.AA-04",
+ "Section": "PROTECT",
+ "Control": "Identity Management, Authentication, and Access Requirements",
+ "Requirements": "Identity assertions are protected, conveyed, and verified",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.AA-05",
+ "Section": "PROTECT",
+ "Control": "Identity Management, Authentication, and Access Requirements",
+ "Requirements": "Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.AA-06",
+ "Section": "PROTECT",
+ "Control": "Identity Management, Authentication, and Access Requirements",
+ "Requirements": "Physical access to assets is managed, monitored, and enforced commensurate with risk",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.AT-01",
+ "Section": "PROTECT",
+ "Control": "Awareness and Training",
+ "Requirements": "Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.AT-02",
+ "Section": "PROTECT",
+ "Control": "Awareness and Training",
+ "Requirements": "Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.DS-01",
+ "Section": "PROTECT",
+ "Control": "Data Security",
+ "Requirements": "The confidentiality, integrity, and availability of data-at-rest are protected",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.DS-02",
+ "Section": "PROTECT",
+ "Control": "Data Security",
+ "Requirements": "The confidentiality, integrity, and availability of data-in-transit are protected",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.DS-10",
+ "Section": "PROTECT",
+ "Control": "Data Security",
+ "Requirements": "The confidentiality, integrity, and availability of data-in-use are protected",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.DS-11",
+ "Section": "PROTECT",
+ "Control": "Data Security",
+ "Requirements": "Backups of data are created, protected, maintained, and tested",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.PS-01",
+ "Section": "PROTECT",
+ "Control": "Platform Security",
+ "Requirements": "Configuration management practices are established and applied",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.PS-02",
+ "Section": "PROTECT",
+ "Control": "Platform Security",
+ "Requirements": "Software is maintained, replaced, and removed commensurate with risk",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.PS-03",
+ "Section": "PROTECT",
+ "Control": "Platform Security",
+ "Requirements": "Hardware is maintained, replaced, and removed commensurate with risk",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.PS-04",
+ "Section": "PROTECT",
+ "Control": "Platform Security",
+ "Requirements": "Log records are generated and made available for continuous monitoring",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.PS-05",
+ "Section": "PROTECT",
+ "Control": "Platform Security",
+ "Requirements": "Installation and execution of unauthorized software are prevented",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.PS-06",
+ "Section": "PROTECT",
+ "Control": "Platform Security",
+ "Requirements": "Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.IR-01",
+ "Section": "PROTECT",
+ "Control": "Technology Infrastructure Resilience",
+ "Requirements": "Networks and environments are protected from unauthorized logical access and usage",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.IR-02",
+ "Section": "PROTECT",
+ "Control": "Technology Infrastructure Resilience",
+ "Requirements": "The organization's technology assets are protected from environmental threats",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.IR-03",
+ "Section": "PROTECT",
+ "Control": "Technology Infrastructure Resilience",
+ "Requirements": "Mechanisms are implemented to achieve resilience requirements in normal and adverse situations",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "PR.IR-04",
+ "Section": "PROTECT",
+ "Control": "Technology Infrastructure Resilience",
+ "Requirements": "Adequate resource capacity to ensure availability is maintained",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "DE.CM-01",
+ "Section": "DETECT",
+ "Control": "Continuous Monitoring",
+ "Requirements": "Networks and network services are monitored to find potentially adverse events",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "DE.CM-02",
+ "Section": "DETECT",
+ "Control": "Continuous Monitoring",
+ "Requirements": "The physical environment is monitored to find potentially adverse events",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "DE.CM-03",
+ "Section": "DETECT",
+ "Control": "Continuous Monitoring",
+ "Requirements": "Personnel activity and technology usage are monitored to find potentially adverse events",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "DE.CM-06",
+ "Section": "DETECT",
+ "Control": "Continuous Monitoring",
+ "Requirements": "External service provider activities and services are monitored to find potentially adverse events",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "DE.CM-09",
+ "Section": "DETECT",
+ "Control": "Continuous Monitoring",
+ "Requirements": "Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "DE.AE-02",
+ "Section": "DETECT",
+ "Control": "Adverse Event Analysis",
+ "Requirements": "Potentially adverse events are analyzed to better understand associated activities",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "DE.AE-03",
+ "Section": "DETECT",
+ "Control": "Adverse Event Analysis",
+ "Requirements": "Information is correlated from multiple sources",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "DE.AE-04",
+ "Section": "DETECT",
+ "Control": "Adverse Event Analysis",
+ "Requirements": "The estimated impact and scope of adverse events are understood",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "DE.AE-06",
+ "Section": "DETECT",
+ "Control": "Adverse Event Analysis",
+ "Requirements": "Information on adverse events is provided to authorized staff and tools",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "DE.AE-07",
+ "Section": "DETECT",
+ "Control": "Adverse Event Analysis",
+ "Requirements": "Cyber threat intelligence and other contextual information are integrated into the analysis",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "DE.AE-08",
+ "Section": "DETECT",
+ "Control": "Adverse Event Analysis",
+ "Requirements": "Incidents are declared when adverse events meet the defined incident criteria",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RS.MA-01",
+ "Section": "RESPOND",
+ "Control": "Incident Management",
+ "Requirements": "The incident response plan is executed in coordination with relevant third parties once an incident is declared",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RS.MA-02",
+ "Section": "RESPOND",
+ "Control": "Incident Management",
+ "Requirements": "Incident reports are triaged and validated",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RS.MA-03",
+ "Section": "RESPOND",
+ "Control": "Incident Management",
+ "Requirements": "Incidents are categorized and prioritized",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RS.MA-04",
+ "Section": "RESPOND",
+ "Control": "Incident Management",
+ "Requirements": "Incidents are escalated or elevated as needed",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RS.MA-05",
+ "Section": "RESPOND",
+ "Control": "Incident Management",
+ "Requirements": "The criteria for initiating incident recovery are applied",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RS.AN-03",
+ "Section": "RESPOND",
+ "Control": "Incident Analysis",
+ "Requirements": "Analysis is performed to establish what has taken place during an incident and the root cause of the incident",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RS.AN-06",
+ "Section": "RESPOND",
+ "Control": "Incident Analysis",
+ "Requirements": "Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RS.AN-07",
+ "Section": "RESPOND",
+ "Control": "Incident Analysis",
+ "Requirements": "Incident data and metadata are collected, and their integrity and provenance are preserved",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RS.AN-08",
+ "Section": "RESPOND",
+ "Control": "Incident Analysis",
+ "Requirements": "An incident's magnitude is estimated and validated",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RS.CO-02",
+ "Section": "RESPOND",
+ "Control": "Incident Response Reporting and Communication",
+ "Requirements": "Internal and external stakeholders are notified of incidents",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RS.CO-03",
+ "Section": "RESPOND",
+ "Control": "Incident Response Reporting and Communication",
+ "Requirements": "Information is shared with designated internal and external stakeholders",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RS.MI-01",
+ "Section": "RESPOND",
+ "Control": "Incident Mitigation",
+ "Requirements": "Incidents are contained",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RS.MI-02",
+ "Section": "RESPOND",
+ "Control": "Incident Mitigation",
+ "Requirements": "Incidents are eradicated",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RC.RP-01",
+ "Section": "RECOVER",
+ "Control": "Incident Recovery Plan Execution",
+ "Requirements": "The recovery portion of the incident response plan is executed once initiated from the incident response process",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RC.RP-02",
+ "Section": "RECOVER",
+ "Control": "Incident Recovery Plan Execution",
+ "Requirements": "Recovery actions are selected, scoped, prioritized, and performed",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RC.RP-03",
+ "Section": "RECOVER",
+ "Control": "Incident Recovery Plan Execution",
+ "Requirements": "The integrity of backups and other restoration assets is verified before using them for restoration",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RC.RP-04",
+ "Section": "RECOVER",
+ "Control": "Incident Recovery Plan Execution",
+ "Requirements": "Critical mission Sections and cybersecurity risk management are considered to establish post-incident operational norms",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RC.RP-05",
+ "Section": "RECOVER",
+ "Control": "Incident Recovery Plan Execution",
+ "Requirements": "The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RC.RP-06",
+ "Section": "RECOVER",
+ "Control": "Incident Recovery Plan Execution",
+ "Requirements": "The end of incident recovery is declared based on criteria, and incident-related documentation is completed",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RC.CO-03",
+ "Section": "RECOVER",
+ "Control": "Incident Recovery Communication",
+ "Requirements": "Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "RC.CO-04",
+ "Section": "RECOVER",
+ "Control": "Incident Recovery Communication",
+ "Requirements": "Public updates on incident recovery are shared using approved methods and messaging",
+ "Status": "Unknown"
+ }
+]
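Review bot: The RC.RP-04 entry reads `"Critical mission Sections and cybersecurity risk management are considered ..."`, which looks like a find-and-replace of "Function" with "Section" that was applied to requirement text as well as to the key name; the NIST CSF 2.0 wording is "Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms". Restoring the original text keeps the control description meaningful to users mapping their assessment against the framework. The set of subcategory codes otherwise appears to match the published CSF 2.0 list.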
diff --git a/components/defaultLanding/data/ISO-CSC-controls-2013.json b/components/defaultLanding/data/ISO-CSC-controls-2013.json
new file mode 100644
index 00000000..21f4da45
--- /dev/null
+++ b/components/defaultLanding/data/ISO-CSC-controls-2013.json
@@ -0,0 +1,800 @@
+[
+ {
+ "Code": "A.5.1.1",
+ "Section": "Information security policies - Management direction for information security",
+ "Control": "Policies for information security",
+ "Requirements": "A set of policies for information and cybersecurity shall be defined, approved by C-level, published and communicated to employees and relevant external parties.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.1.2",
+ "Section": "Information security policies - Management direction for information security",
+ "Control": "Review of the policies for information security",
+ "Requirements": "The policies for information and cybersecurity shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, communication and effectiveness.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.1.1",
+ "Section": "Organization of information security - Internal Organization",
+ "Control": "Information security roles and responsibilities",
+ "Requirements": "All information and cybersecurity roles and responsibilities shall be defined and allocated.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.1.2",
+ "Section": "Organization of information security - Internal Organization",
+ "Control": "Segregation of duties",
+ "Requirements": "Conflicting tasks and areas of responsibility should be separated to reduce opportunities to change or misuse the assets of the organization without permission or unintended.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.1.3",
+ "Section": "Organization of information security - Internal Organization",
+ "Control": "Contact with authorities",
+ "Requirements": "It is necessary to maintain proper communications with the relevant authorities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.1.4",
+ "Section": "Organization of information security - Internal Organization",
+ "Control": "Contact with special interest groups",
+ "Requirements": "Appropriate connections should be established with special interest organizations or other forums for professional security and professional associations.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.1.5",
+ "Section": "Organization of information security - Internal Organization",
+ "Control": "Information security in project management",
+ "Requirements": "Throughout project management, the confidentiality of information should be discussed irrespective of project type",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.2.1",
+ "Section": "Organization of information security - Mobile devices and teleworking",
+ "Control": "Mobile device policy",
+ "Requirements": "To manage the risks introduced by the use of mobile devices, a policy and supporting safety measures should be adopted.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.2.2",
+ "Section": "Organization of information security - Mobile devices and teleworking",
+ "Control": "Teleworking",
+ "Requirements": "To guard the accessed, processed, or stored information at teleworking sites, a policy and supporting security measures should be implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.1.1",
+ "Section": "Human Resources Security - Prior to employment",
+ "Control": "Screening",
+ "Requirements": "Background verification checks on all job applicants will be performed in compliance with applicable rules, legislation, and ethics and should be proportionate to business criteria, classification of the information to be obtained, and potential risks.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.1.2",
+ "Section": "Human Resources Security - Prior to employment",
+ "Control": "Terms and conditions of employment",
+ "Requirements": "Contract agreements with employees and contractors would set out their responsibility for information security, and hence the responsibility of the company.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.2.1 ",
+ "Section": "Human Resources Security - During employment",
+ "Control": "Management responsibilities",
+ "Requirements": "Management should mandate all employees and contractors to exercise information security in accordance with established policies and procedures set by the organization.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.2.2 ",
+ "Section": "Human Resources Security - During employment",
+ "Control": "Information security awareness, education and training",
+ "Requirements": "All company workers and, where necessary, contractors will receive adequate awareness education and training, as well as daily updates on organizational policies and procedures, as applicable to their job function.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.2.3 ",
+ "Section": "Human Resources Security - During employment",
+ "Control": "Disciplinary process",
+ "Requirements": "A formal and informed administrative process will be in place to take action against employees who have committed an information security breach.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.3.1 ",
+ "Section": "Human Resources Security - Termination and change of employment",
+ "Control": "Termination or change of employment responsibilities",
+ "Requirements": "Responsibility and information/cyber security requirements that continue to be valid following termination or change of employment must be defined, communicated to, and implemented by the employee or contractor.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.1.1",
+ "Section": "Asset Management - Responsibility for assets",
+ "Control": "Inventory of assets",
+ "Requirements": "Assets related to information and information facilities of an organization should be identified and listed, inventory of these assets should also be maintained.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.1.2",
+ "Section": "Asset Management - Responsibility for assets",
+ "Control": "Ownership of assets",
+ "Requirements": "Assets in the inventory should have their owners (Asset-owner)",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.1.3",
+ "Section": "Asset Management - Responsibility for assets",
+ "Control": "Acceptable use of assets",
+ "Requirements": "Rules should be identified, documented, and implemented for the acceptable use of information and assets linked to information and information processing facilities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.1.4 ",
+ "Section": "Asset Management - Responsibility for assets",
+ "Control": "Return of assets",
+ "Requirements": "Both workers and external stakeholders must return all the organizational assets in their possession upon termination of their job, contract or agreement",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.2.1 ",
+ "Section": "Asset Management - Information classification",
+ "Control": "Classification of information",
+ "Requirements": "Information should be classification in the basis of their legal provisions, criticality, and vulnerability to unwanted release or alteration",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.2.2 ",
+ "Section": "Asset Management - Information classification",
+ "Control": "Labelling of information",
+ "Requirements": "In accordance with the information classification scheme adopted by the organization, an adequate set of methods for labelling information should be established and implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.2.3 ",
+ "Section": "Asset Management - Information classification",
+ "Control": "Handling of assets",
+ "Requirements": "Handling of assets in accordance with the organizationβs information classification scheme should be developed and implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.3.1 ",
+ "Section": "Asset Management - Media handling",
+ "Control": "Management of removable media",
+ "Requirements": "Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.3.2 ",
+ "Section": "Asset Management - Media handling",
+ "Control": "Disposal of media",
+ "Requirements": "When not required by specific protocols, media should be disposed of securely.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.3.3 ",
+ "Section": "Asset Management - Media handling",
+ "Control": "Physical media transfer",
+ "Requirements": "Information media should be protected from unauthorized access, misuse or corruption during transportation.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.1.1 ",
+ "Section": "Access Control - Business requirements of access control",
+ "Control": "Access control policy",
+ "Requirements": "An access control policy with supporting business and information security requirements should be established, documented, and reviewed.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.1.2 ",
+ "Section": "Access Control - Business requirements of access control",
+ "Control": "Access to networks and network services",
+ "Requirements": "Only network and network facilities which have expressly been approved for use will be made available to users.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.2.1 ",
+ "Section": "Access Control - User access management",
+ "Control": "User registration and de-registration",
+ "Requirements": "Only network and network facilities which have expressly been approved for use will be made available to users.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.2.2 ",
+ "Section": "Access Control - User access management",
+ "Control": "User access provisioning",
+ "Requirements": "A formal process for granting access to users should be put in place to grant or remove access privileges for all categories of users to all systems and services.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.2.3 ",
+ "Section": "Access Control - User access management",
+ "Control": "Management of privileged access rights",
+ "Requirements": "A structured authorizing procedure in accordance with the appropriate access management policies should monitor the allocation and usage of delegated access privileges.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.2.4 ",
+ "Section": "Access Control - User access management",
+ "Control": "Management of secret authentication information of users",
+ "Requirements": "A structured management process should control the allocation of secret authentication information.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.2.5 ",
+ "Section": "Access Control - User access management",
+ "Control": "Review of user access rights",
+ "Requirements": "Access rights of users should be reviewed regularly by asset owners.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.2.6 ",
+ "Section": "Access Control - User access management",
+ "Control": "Removal or adjustment of access rights",
+ "Requirements": "Access rights of all employees and external users to information and information processing facilities should be waived upon termination of jobs, contract or agreement, or changed upon adjustment.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.3.1 ",
+ "Section": "Access Control - User responsibilities",
+ "Control": "Use of secret authentication information of users",
+ "Requirements": "Use of secret authentication information should be allowed for users to follow the organizationβs practices.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.4.1 ",
+ "Section": "Access Control - System and application access control",
+ "Control": "Information access restriction",
+ "Requirements": "Access controls should be based on individual requirements for business applications and in compliance with a specified access control policy.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.4.2 ",
+ "Section": "Access Control - System and application access control",
+ "Control": "Secure log-on procedures",
+ "Requirements": "Access to systems and applications should be controlled by a secure log-on procedure when required by the Access Control Policy.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.4.3 ",
+ "Section": "Access Control - System and application access control",
+ "Control": "Password management system",
+ "Requirements": "Password management systems should be cooperative to ensure the quality of the passwords.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.4.4 ",
+ "Section": "Access Control - System and application access control",
+ "Control": "Use of privileged utility programs",
+ "Requirements": "The use of utility programs that could bypass system and application controls should be limited and tightly controlled.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.4.5 ",
+ "Section": "Access Control - System and application access control",
+ "Control": "Access control to program source code",
+ "Requirements": "Access should be limited to the source code of the program.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.10.1.1 ",
+ "Section": "Cryptography - Cryptographic controls",
+ "Control": "Policy on the use of cryptographic controls",
+ "Requirements": "A policy on the use of cryptographic controls for protection of information shall be developed and implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.10.1.2 ",
+ "Section": "Cryptography - Cryptographic controls",
+ "Control": "Key management",
+ "Requirements": "A policy on the use, security, and lifetime of cryptographic keys should be created and enforced over their entire life cycle.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.1.1 ",
+ "Section": "Physical and Environmental Security - Secure Areas",
+ "Control": "Physical security perimeter",
+ "Requirements": "Security perimeters should be established in order to secure areas that contain either sensitive or confidential information and information processing facilities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.1.2 ",
+ "Section": "Physical and Environmental Security - Secure Areas",
+ "Control": "Physical entry controls",
+ "Requirements": "Appropriate access controls should protect places to ensure that only authorized employees are allowed access.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.1.3 ",
+ "Section": "Physical and Environmental Security - Secure Areas",
+ "Control": "Securing offices, rooms and facilities",
+ "Requirements": "Physical security should be designed and implemented for the offices, rooms, and facilities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.1.4 ",
+ "Section": "Physical and Environmental Security - Secure Areas",
+ "Control": "Protecting against external and environmental threats",
+ "Requirements": "Physical protection should be designed and applied against natural disasters, malicious attacks or accidents.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.1.5 ",
+ "Section": "Physical and Environmental Security - Secure Areas",
+ "Control": "Working in secure areas",
+ "Requirements": "Procedures should be designed and implemented for working in safe areas.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.1.6 ",
+ "Section": "Physical and Environmental Security - Secure Areas",
+ "Control": "Delivery and loading areas",
+ "Requirements": "It is important to track and, where possible, differentiate between access points such as the distribution and loading areas and other locations in order to avoid unauthorized access by unauthorized persons to the premises.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.2.1 ",
+ "Section": "Physical and Environmental Security - Equipment",
+ "Control": "Equipment siting and protection",
+ "Requirements": "To mitigate the risk of environmental hazards, risks, and unauthorized access, the equipment should be sited and secured.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.2.2 ",
+ "Section": "Physical and Environmental Security - Equipment",
+ "Control": "Supporting utilities",
+ "Requirements": "Equipment should be secured against power failures and other disruptions caused by the supporting infrastructure failures.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.2.3 ",
+ "Section": "Physical and Environmental Security - Equipment",
+ "Control": "Cabling security",
+ "Requirements": "Cable for power and telecommunications that carry data or support services should be safeguarded against interception, interference, or damage.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.2.4 ",
+ "Section": "Physical and Environmental Security - Equipment",
+ "Control": "Equipment maintenance",
+ "Requirements": "To ensure its continued availability and integrity, the equipment should be correctly maintained.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.2.5 ",
+ "Section": "Physical and Environmental Security - Equipment",
+ "Control": "Removal of assets",
+ "Requirements": "Without prior authorization, equipment, information, or software should not be taken off-site.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.2.6 ",
+ "Section": "Physical and Environmental Security - Equipment",
+ "Control": "Security of equipment and assets off-premises",
+ "Requirements": "The security of off-site assets should be applied to the various risks of working outside the premises of the organization in mind.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.2.7 ",
+ "Section": "Physical and Environmental Security - Equipment",
+ "Control": "Secure disposal or re-use of equipment",
+ "Requirements": "To avoid the removal or overriding of sensitive data and software by the disposal or reuse of any device containing storage medium, all devices must be reviewed.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.2.8 ",
+ "Section": "Physical and Environmental Security - Equipment",
+ "Control": "Unattended user equipment",
+ "Requirements": "Unattended equipment should be adequately protected by users.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.2.9 ",
+ "Section": "Physical and Environmental Security - Equipment",
+ "Control": "Clear desk and clear screen policy",
+ "Requirements": "A clear desk policy should be adopted for papers and removable storage media and a clear screen policy should be applied to information processing facilities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.1.1",
+ "Section": "Operations security - Operational procedures and responsibilities",
+ "Control": "Documented operating procedures",
+ "Requirements": "Operating procedures should be documented and accessed by all users in need.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.1.2 ",
+ "Section": "Operations security - Operational procedures and responsibilities",
+ "Control": "Change management",
+ "Requirements": "Changes in the organization, organizational procedures, information management facilities, and information security systems should be controlled.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.1.3 ",
+ "Section": "Operations security - Operational procedures and responsibilities",
+ "Control": "Capacity management",
+ "Requirements": "In order to ensure necessary system performance, the use of resources should be monitored, adapted, and projected based on future capacity requirements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.1.4 ",
+ "Section": "Operations security - Operational procedures and responsibilities",
+ "Control": "Separation of development, testing and operational environments",
+ "Requirements": "It is important to define and enforce the degree of separation between organizational, testing and development environments needed to avoid operational problems.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.2.1 ",
+ "Section": "Operations security - Protection from malware",
+ "Control": "Controls against malware",
+ "Requirements": "In combination with appropriate user awareness, the detection, prevention, and recovery controls to protect against malware should be implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.3.1 ",
+ "Section": "Operations security - Backup",
+ "Control": "Information backup",
+ "Requirements": "In accordance with the agreed backup policy, copies of records, program and device images shall be collected and regularly tested.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.4.1 ",
+ "Section": "Operations security - Logging and monitoring",
+ "Control": "Event logging",
+ "Requirements": "Event logs should be produced, retained, and regularly reviewed to record user activities, exceptions, defects, and information security events.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.4.2 ",
+ "Section": "Operations security - Logging and monitoring",
+ "Control": "Protection of log information",
+ "Requirements": "Logging and log information should be secure from intrusion and unauthorized access.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.4.3 ",
+ "Section": "Operations security - Logging and monitoring",
+ "Control": "Administrator and operator logs",
+ "Requirements": "The activity of the System Manager and System Operator is to be logged, and the logs kept safe and monitored closely.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.4.4 ",
+ "Section": "Operations security - Logging and monitoring",
+ "Control": "Clock synchronization",
+ "Requirements": "Clocks in all related information management systems should be integrated into a single reference time source for an organization or safety domain.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.5.1 ",
+ "Section": "Operations security - Control of operational software",
+ "Control": "Installation of software on operational systems",
+ "Requirements": "To control the installation of software on operating systems, procedures should be implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.6.1 ",
+ "Section": "Operations security - Technical Vulnerability Management",
+ "Control": "Management of technical vulnerabilities",
+ "Requirements": "Information on technological vulnerabilities of information systems used should be obtained in a timely manner, the exposure of the organization to such vulnerabilities should be assessed and appropriate measures taken to address the risk involved",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.6.2 ",
+ "Section": "Operations security - Technical Vulnerability Management",
+ "Control": "Restrictions on software installation",
+ "Requirements": "Users should set and implement rules governing software installation.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.7.1 ",
+ "Section": "Operations security - Information systems audit controls",
+ "Control": "Information system audit controls",
+ "Requirements": "The audit criteria and activities related to operating system verification should be carefully prepared and decided in order to reduce business process disturbance.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.13.1.1 ",
+ "Section": "Communications security - Network security management",
+ "Control": "Network controls",
+ "Requirements": "To protect information in systems and applications, networks should be managed and monitored.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.13.1.2 ",
+ "Section": "Communications security - Network security management",
+ "Control": "Security of network services",
+ "Requirements": "Security protocols, quality of service, and management criteria for all network services, whether in-house or outsourced, should be defined and included in-network services agreements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.13.1.3 ",
+ "Section": "Communications security - Network security management",
+ "Control": "Segregation in networks",
+ "Requirements": "Network segregation should be established for information services, users, and information systems.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.13.2.1 ",
+ "Section": "Communications security - Information transfer",
+ "Control": "Information transfer policies and procedures",
+ "Requirements": "In order to protect the transferees by using all types of communication facilities, official transfer policies, procedures and controls should be developed.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.13.2.2 ",
+ "Section": "Communications security - Information transfer",
+ "Control": "Agreements on information transfer",
+ "Requirements": "Agreements should address secure transfers between the organization and outside parties of business information.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.13.2.3 ",
+ "Section": "Communications security - Information transfer",
+ "Control": "Electronic messaging",
+ "Requirements": "Electronic messaging information should be adequately protected.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.13.2.4 ",
+ "Section": "Communications security - Information transfer",
+ "Control": "Confidentiality or non-disclosure agreements",
+ "Requirements": "Information protection requirements of the organization for confidentiality or non-disclosure agreements should be identified, regularly reviewed, and documented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.1.1 ",
+ "Section": "System acquisition, development and maintenance - Security requirements of information systems",
+ "Control": "Security requirements of information systems",
+ "Requirements": "Information security requirements for new information systems or enhancements to existing information systems should be included",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.1.2 ",
+ "Section": "System acquisition, development and maintenance - Security requirements of information systems",
+ "Control": "Securing application services on public networks",
+ "Requirements": "Application services which pass through public networks should be protected against fraudulent activities, contract disputes, unauthorized disclosure, and modification.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.1.3 ",
+ "Section": "System acquisition, development and maintenance - Security requirements of information systems",
+ "Control": "Protecting application services transactions",
+ "Requirements": "In order to avoid incomplete transmission, misrouting, unauthorized messaging modification, unauthorized dissemination, unauthorized message replication, or replay, information concerning application service transactions should be covered.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.2.1 ",
+ "Section": "System acquisition, development and maintenance - Security in development and support processes",
+ "Control": "Secure development policy",
+ "Requirements": "Regulations for software and system development should be laid down and applied to organizational developments.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.2.2 ",
+ "Section": "System acquisition, development and maintenance - Security in development and support processes",
+ "Control": "System change control procedures",
+ "Requirements": "Changes to processes can be managed through the implementation of structured change control procedures within the software lifecycle.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.2.3 ",
+ "Section": "System acquisition, development and maintenance - Security in development and support processes",
+ "Control": "Technical review of applications after operating platform changes",
+ "Requirements": "In changing operating platforms, critical applications of business should be revised and tested to ensure no adverse impacts on business or security.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.2.4 ",
+ "Section": "System acquisition, development and maintenance - Security in development and support processes",
+ "Control": "Restrictions on changes to software packages",
+ "Requirements": "Software package modifications should be discouraged, restricted to the modifications necessary, and all changes controlled strictly.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.2.5 ",
+ "Section": "System acquisition, development and maintenance - Security in development and support processes",
+ "Control": "Secure system engineering principles",
+ "Requirements": "In the implementation of any information system implementation project, standards for secure system engineered must be established, documented, maintained, and implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.2.6 ",
+ "Section": "System acquisition, development and maintenance - Security in development and support processes",
+ "Control": "Secure development environment",
+ "Requirements": "Organizations should create secure development environments and integration efforts for the entire life cycle of system development, and should be adequately protected.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.2.7 ",
+ "Section": "System acquisition, development and maintenance - Security in development and support processes",
+ "Control": "Outsourced development",
+ "Requirements": "The organization must monitor activity for the development of the outsourced system.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.2.8 ",
+ "Section": "System acquisition, development and maintenance - Security in development and support processes",
+ "Control": "System security testing",
+ "Requirements": "During development, security functionality test should be conducted.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.2.9 ",
+ "Section": "System acquisition, development and maintenance - Security in development and support processes",
+ "Control": "System acceptance testing",
+ "Requirements": "New information systems, enhancements, and updated versions should be equipped with acceptance testing services and related requirements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.3.1 ",
+ "Section": "System acquisition, development and maintenance - Test data",
+ "Control": "Protection of test data",
+ "Requirements": "Careful collection, security, and review of test data should be performed.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.15.1.1 ",
+ "Section": "Supplier relationships - Supplier relationships",
+ "Control": "Information security policy for supplier relationships",
+ "Requirements": "The supplier should be agreed with and documented information security requirements related to the risk mitigation of access by suppliers to organizational assets.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.15.1.2 ",
+ "Section": "Supplier relationships - Supplier relationships",
+ "Control": "Addressing security within supplier agreements",
+ "Requirements": "Any suppliers that view, process, store, communicate or provide IT infrastructure component information for the organization should be defined and agreed with all applicable information security requirements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.15.1.3 ",
+ "Section": "Supplier relationships - Supplier relationships",
+ "Control": "Information and communication technology supply chain",
+ "Requirements": "Supplier agreements will contain provisions to mitigate information security risks associated with IT Services and the product supply chain.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.15.2.1 ",
+ "Section": "Supplier relationships - Supplier service delivery management",
+ "Control": "Monitoring and review of supplier services",
+ "Requirements": "Organizations shall monitor, review and audit the provision of service to suppliers on a regular basis.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.15.2.2 ",
+ "Section": "Supplier relationships - Supplier service delivery management",
+ "Control": "Managing changes to supplier services",
+ "Requirements": "Change in the provision of services by providers should be managed with the focus on the criticality of enterprise information, systems, processes, and reassessment of risks and should include maintaining and improving existing information security policies, procedures, and controls.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.16.1.1 ",
+ "Section": "Information security incident management - Management of information security incidents and improvements",
+ "Control": "Responsibilities and procedures",
+ "Requirements": "In order to ensure a quick, efficient, and organized response to ISO 27001 Annex : A.16 Information Security Incident Management roles and procedures should be defined.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.16.1.2 ",
+ "Section": "Information security incident management - Management of information security incidents and improvements",
+ "Control": "Reporting information security events",
+ "Requirements": "Information security incidents should be reported as quickly as possible through appropriate management channels.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.16.1.3 ",
+ "Section": "Information security incident management - Management of information security incidents and improvements",
+ "Control": "Reporting information security weaknesses",
+ "Requirements": "Any information security vulnerabilities found or suspected in systems or services in which employees and contractors are using the information systems and services of the organization should be recorded and documented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.16.1.4 ",
+ "Section": "Information security incident management - Management of information security incidents and improvements",
+ "Control": "Assessment of and decision on information security events",
+ "Requirements": "Information security events should be analyzed and determined whether they should be listed as incidents related to information security.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.16.1.5 ",
+ "Section": "Information security incident management - Management of information security incidents and improvements",
+ "Control": "Response to information security incidents",
+ "Requirements": "In the context of the documented procedures, information security incidents should be responded to.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.16.1.6 ",
+ "Section": "Information security incident management - Management of information security incidents and improvements",
+ "Control": "Learning from information security incidents",
+ "Requirements": "To minimize the risk or effect of potential accidents, the experience obtained from the study and mitigation of information security accidents should be used.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.16.1.7 ",
+ "Section": "Information security incident management - Management of information security incidents and improvements",
+ "Control": "Collection of evidence",
+ "Requirements": "The organization will define, obtain, procure and retain information as documentation and implement procedures.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.17.1.1 ",
+ "Section": "Information security aspects of business continuity management - Information security continuity",
+ "Control": "Planning information security continuity",
+ "Requirements": "In adverse circumstances, e.g. during a crisis or a catastrophe, the company will determine the information security standards and consistency of information security management.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.17.1.2",
+ "Section": "Information security aspects of business continuity management - Information security continuity",
+ "Control": "Implementing information security continuity",
+ "Requirements": "In order to ensure the necessary degree of consistency of information security to adverse circumstances, the company should define, document, execute, and maintain processes, procedures, and controls.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.17.1.3 ",
+ "Section": "Information security aspects of business continuity management - Information security continuity",
+ "Control": "Verify, review and evaluate information security continuity",
+ "Requirements": "In order to ensure accurate and productive to adverse circumstances, the company must review on-going controls on safety information defined and enforced at regular intervals.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.17.2.1 ",
+ "Section": "Information security aspects of business continuity management - Redundancies",
+ "Control": "Availability of information processing facilities",
+ "Requirements": "How information processing facilities are implemented with redundancy sufficiency to meet availability requirements. Redundancy refers to implementing, typically, duplicate hardware to ensure availability of information processing systems.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.18.1.1 ",
+ "Section": "Compliance - Compliance with legal and contractual requirements",
+ "Control": "Identification of applicable legislation and contractual requirements",
+ "Requirements": "Each of information systems and organizations should specifically identify, document, and update all relevant statutory, regulatory, contractual requirements, and the approach of the organization towards compliance with these requirements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.18.1.2 ",
+ "Section": "Compliance - Compliance with legal and contractual requirements",
+ "Control": "Intellectual property rights",
+ "Requirements": "Proper procedures will be followed to ensure that the legal, regulatory, and contractual provisions relating to ownership of intellectual property and the use of proprietary software products are complied upon.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.18.1.3 ",
+ "Section": "Compliance - Compliance with legal and contractual requirements",
+ "Control": "Protection of records",
+ "Requirements": "In accordance with the provisions to legislative, regulatory, contractual, and business requirements, to protect from loss, destruction, falsification, and unauthorized access and unauthorized release.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.18.1.4 ",
+ "Section": "Compliance - Compliance with legal and contractual requirements",
+ "Control": "Privacy and protection of personally identifiable information",
+ "Requirements": "Privacy and protection of personal data should be guaranteed, as required, in applicable laws and regulations.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.18.1.5 ",
+ "Section": "Compliance - Compliance with legal and contractual requirements",
+ "Control": "Regulation of cryptographic controls",
+ "Requirements": "In accordance with all relevant agreements, legislation, and regulations, cryptographic controls must be used.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.18.2.1 ",
+ "Section": "Compliance - Information security reviews",
+ "Control": "Independent review of information security",
+ "Requirements": "Each of these information systems and organizations should specifically identify, document, and update all relevant statutory, regulatory, contractual requirements, and the approach of the organization towards compliance with these requirements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.18.2.2 ",
+ "Section": "Compliance - Information security reviews",
+ "Control": "Compliance with security policies and standards",
+ "Requirements": "Proper procedures will be followed to ensure that the legal, regulatory, and contractual provisions relating to ownership of intellectual property and the use of proprietary software products are complied upon.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.18.2.3 ",
+ "Section": "Compliance - Information security reviews",
+ "Control": "Technical compliance review",
+ "Requirements": "Information systems for compliance with the Information Security Policies and practices of an organization should be periodically reviewed.",
+ "Status": "Unknown"
+ }
+]
diff --git a/components/defaultLanding/data/ISO-CSC-controls-2022.json b/components/defaultLanding/data/ISO-CSC-controls-2022.json
new file mode 100644
index 00000000..37e88318
--- /dev/null
+++ b/components/defaultLanding/data/ISO-CSC-controls-2022.json
@@ -0,0 +1,653 @@
+[
+ {
+ "Code": "A.5.1",
+ "Section": "Organizational controls",
+ "Control": "Policies for information security",
+ "Requirements": "A set of policies for information and cybersecurity shall be defined, approved by C-level, published and communicated to employees and relevant external parties.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.2",
+ "Section": "Organizational controls",
+ "Control": "Information security roles and responsibilities",
+ "Requirements": "All information and cybersecurity roles and responsibilities shall be defined and allocated.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.3",
+ "Section": "Organizational controls",
+ "Control": "Segregation of duties",
+ "Requirements": "Conflicting tasks and areas of responsibility should be separated to reduce opportunities to change or misuse the assets of the organization without permission or unintended.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.4",
+ "Section": "Organizational controls",
+ "Control": "Management responsibilities",
+ "Requirements": "Management should mandate all employees and contractors to exercise information security in accordance with established policies and procedures set by the organization.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.5",
+ "Section": "Organizational controls",
+ "Control": "Contact with authorities",
+ "Requirements": "It is necessary to maintain proper communications with the relevant authorities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.6",
+ "Section": "Organizational controls",
+ "Control": "Contact with special interest groups",
+ "Requirements": "Appropriate connections should be established with special interest organizations or other forums for professional security and professional associations.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.7",
+ "Section": "Organizational controls",
+ "Control": "Threat intelligence",
+ "Requirements": "Collect and analyse information relating to information security threats and use that information take mitigation action.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.8",
+ "Section": "Organizational controls",
+ "Control": "Information security in projectmanagement",
+ "Requirements": "Throughout project management, the confidentiality of information should be discussed irrespective of project type.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.9",
+ "Section": "Organizational controls",
+ "Control": "Inventory of information and other associated assets",
+ "Requirements": "Assets related to information and information facilities of an organization should be identified and listed, inventory of these assets should also be maintained. And assets in the inventory should have their owners (Asset-owner).",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.10",
+ "Section": "Organizational controls",
+ "Control": "Acceptable use of information and other associated assets",
+ "Requirements": "Rules should be identified, documented, and implemented for the acceptable use of information and assets linked to information and information processing facilities. Handling of assets in accordance with the organizationβs information classification scheme should be developed and implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.11",
+ "Section": "Organizational controls",
+ "Control": "Return of assets",
+ "Requirements": "Both workers and external stakeholders must return all the organizational assets in their possession upon termination of their job, contract or agreement.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.12",
+ "Section": "Organizational controls",
+ "Control": "Classification of information",
+ "Requirements": "Information should be classification in the basis of their legal provisions, criticality, and vulnerability to unwanted release or alteration.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.13",
+ "Section": "Organizational controls",
+ "Control": "Labelling of information",
+ "Requirements": "In accordance with the information classification scheme adopted by the organization, an adequate set of methods for labelling information should be established and implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.14",
+ "Section": "Organizational controls",
+ "Control": "Information transfer",
+ "Requirements": "In order to protect the transferees by using all types of communication facilities, official transfer policies, procedures and controls should be developed. Agreements sElectronic messaging information should be adequately protected.hould address secure transfers between the organization and outside parties of business information. ",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.15",
+ "Section": "Organizational controls",
+ "Control": "Access control",
+ "Requirements": "An access control policy with supporting business and information security requirements should be established, documented, and reviewed. Only network and network facilities which have expressly been approved for use will be made available to users.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.16",
+ "Section": "Organizational controls",
+ "Control": "Identity management",
+ "Requirements": "Only network and network facilities which have expressly been approved for use will be made available to users.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.17",
+ "Section": "Organizational controls",
+ "Control": "Authentication information",
+ "Requirements": "A structured management process should control the allocation of secret authentication information. Use of secret authentication information should be allowed for users to follow the organizationβs practices. Password management systems should be cooperative to ensure the quality of the passwords.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.18",
+ "Section": "Organizational controls",
+ "Control": "Access rights",
+ "Requirements": "A formal process for granting access to users should be put in place to grant or remove access privileges for all categories of users to all systems and services. Access rights of users should be reviewed regularly by asset owners. Access rights of all employees and external users to information and information processing facilities should be waived upon termination of jobs, contract or agreement, or changed upon adjustment.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.19",
+ "Section": "Organizational controls",
+ "Control": "Information security in supplier relationships",
+ "Requirements": "The supplier should be agreed with and documented information security requirements related to the risk mitigation of access by suppliers to organizational assets.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.20",
+ "Section": "Organizational controls",
+ "Control": "Addressing information security within supplier agreements",
+ "Requirements": "Any suppliers that view, process, store, communicate or provide IT infrastructure component information for the organization should be defined and agreed with all applicable information security requirements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.21",
+ "Section": "Organizational controls",
+ "Control": "Managing information security in the information \nand communication technology (ICT) supply-chain",
+ "Requirements": "Supplier agreements will contain provisions to mitigate information security risks associated with IT Services and the product supply chain.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.22",
+ "Section": "Organizational controls",
+ "Control": "Monitoring, review and change management of supplier services",
+ "Requirements": "Organizations shall monitor, review and audit the provision of service to suppliers on a regular basis. Change in the provision of services by providers should be managed with the focus on the criticality of enterprise information, systems, processes, and reassessment of risks and should include maintaining and improving existing information security policies, procedures, and controls.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.23",
+ "Section": "Organizational controls",
+ "Control": "Information security for use of cloud services",
+ "Requirements": "Set security requirements for cloud services in order to have better protection of your information in the cloud. This includes purchasing, using, managing, and terminating the use of cloud services.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.24",
+ "Section": "Organizational controls",
+ "Control": "Information security incident management planning and preparation",
+ "Requirements": "In order to ensure a quick, efficient, and organized response to Information Security Incident Management roles and procedures should be defined.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.25",
+ "Section": "Organizational controls",
+ "Control": "Assessment and decision on information security events",
+ "Requirements": "Information security events should be analyzed and determined whether they should be listed as incidents related to information security.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.26",
+ "Section": "Organizational controls",
+ "Control": "Response to information security incidents",
+ "Requirements": "In the context of the documented procedures, information security incidents should be responded to.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.27",
+ "Section": "Organizational controls",
+ "Control": "Learning from information security incidents",
+ "Requirements": "To minimize the risk or effect of potential accidents, the experience obtained from the study and mitigation of information security accidents should be used.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.28",
+ "Section": "Organizational controls",
+ "Control": "Collection of evidence",
+ "Requirements": "The organization will define, obtain, procure and retain information as documentation and implement procedures.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.29",
+ "Section": "Organizational controls",
+ "Control": "Information security during disruption",
+ "Requirements": "In adverse circumstances, e.g. during a crisis or a catastrophe, the company will determine the information securityIn order to ensure the necessary degree of consistency of information security to adverse circumstances, the company should define, document, execute, and maintain processes, procedures, and controls. standards and consistency of information security management. In order to ensure accurate and productive to adverse circumstances, the company must review on-going controls on safety information defined and enforced at regular intervals.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.30",
+ "Section": "Organizational controls",
+ "Control": "ICT readiness for business continuity",
+ "Requirements": "Information and communication technology to be ready for potential disruptions so that required information and assets are available when needed. This includes readiness planning, implementation, maintenance, and testing.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.31",
+ "Section": "Organizational controls",
+ "Control": "Legal, statutory, regulatory and contractual requirements",
+ "Requirements": "Each of information systems and organizations should specifically identify, document, and update all relevant statutory, regulatory, contractual requirements, and the approach of the organization towards compliance with these requirements. In accordance with all relevant agreements, legislation, and regulations, cryptographic controls must be used.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.32",
+ "Section": "Organizational controls",
+ "Control": "Intellectual property rights",
+ "Requirements": "Proper procedures will be followed to ensure that the legal, regulatory, and contractual provisions relating to ownership of intellectual property and the use of proprietary software products are complied upon.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.33",
+ "Section": "Organizational controls",
+ "Control": "Protection of records",
+ "Requirements": "In accordance with the provisions to legislative, regulatory, contractual, and business requirements, to protect from loss, destruction, falsification, and unauthorized access and unauthorized release.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.34",
+ "Section": "Organizational controls",
+ "Control": "Privacy and protection of personal identifiable information (PII)",
+ "Requirements": "Privacy and protection of personal data should be guaranteed, as required, in applicable laws and regulations.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.35",
+ "Section": "Organizational controls",
+ "Control": "Independent review of information security",
+ "Requirements": "Each of these information systems and organizations should specifically identify, document, and update all relevant statutory, regulatory, contractual requirements, and the approach of the organization towards compliance with these requirements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.36",
+ "Section": "Organizational controls",
+ "Control": "Compliance with policies, rules and standards for information security",
+ "Requirements": "Proper procedures will be followed to ensure that the legal, regulatory, and contractual provisions relating to ownership of intellectual property and the use of proprietary software products are complied upon. Information systems for compliance with the Information Security Policies and practices of an organization should be periodically reviewed.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.37",
+ "Section": "Organizational controls",
+ "Control": "Documented operating procedures",
+ "Requirements": "Operating procedures should be documented and accessed by all users in need.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.1",
+ "Section": "People controls",
+ "Control": "Screening",
+ "Requirements": "Background verification checks on all job applicants will be performed in compliance with applicable rules, legislation, and ethics and should be proportionate to business criteria, classification of the information to be obtained, and potential risks.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.2",
+ "Section": "People controls",
+ "Control": "Terms and conditions of employment",
+ "Requirements": "Contract agreements with employees and contractors would set out their responsibility for information security, and hence the responsibility of the company.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.3",
+ "Section": "People controls",
+ "Control": "Information security awareness, education and training",
+ "Requirements": "All company workers and, where necessary, contractors will receive adequate awareness education and training, as well as daily updates on organizational policies and procedures, as applicable to their job function.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.4",
+ "Section": "People controls",
+ "Control": "Disciplinary process",
+ "Requirements": "A formal and informed administrative process will be in place to take action against employees who have committed an information security breach.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.5",
+ "Section": "People controls",
+ "Control": "Responsibilities after termination or change of employment",
+ "Requirements": "Responsibility and information/cyber security requirements that continue to be valid following termination or change of employment must be defined, communicated to, and implemented by the employee or contractor.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.6",
+ "Section": "People controls",
+ "Control": "Confidentiality or non-disclosure agreements",
+ "Requirements": "Information protection requirements of the organization for confidentiality or non-disclosure agreements should be identified, regularly reviewed, and documented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.7",
+ "Section": "People controls",
+ "Control": "Remote working",
+ "Requirements": "To guard the accessed, processed, or stored information at remote sites, a policy and supporting security measures should be implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.8",
+ "Section": "People controls",
+ "Control": "Information security event reporting",
+ "Requirements": "Information security incidents should be reported as quickly as possible through appropriate management channels. Any information security vulnerabilities found or suspected in systems or services in which employees and contractors are using the information systems and services of the organization should be recorded and documented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.1",
+ "Section": "Physical controls",
+ "Control": "Physical security perimeters",
+ "Requirements": "Security perimeters should be established in order to secure areas that contain either sensitive or confidential information and information processing facilities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.2",
+ "Section": "Physical controls",
+ "Control": "Physical entry",
+ "Requirements": "Appropriate access controls should protect places to ensure that only authorized employees are allowed access. It is important to track and, where possible, differentiate between access points such as the distribution and loading areas and other locations in order to avoid unauthorized access by unauthorized persons to the premises.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.3",
+ "Section": "Physical controls",
+ "Control": "Securing offices, rooms and facilities",
+ "Requirements": "Physical security should be designed and implemented for the offices, rooms, and facilities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.4",
+ "Section": "Physical controls",
+ "Control": "Physical security monitoring",
+ "Requirements": "Monitor sensitive areas in order to enable only authorized people to access them. This might include your offices, production facilities, warehouses, and other premises.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.5",
+ "Section": "Physical controls",
+ "Control": "Protecting against physical and environmental threats",
+ "Requirements": "Physical protection should be designed and applied against natural disasters, malicious attacks or accidents.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.6",
+ "Section": "Physical controls",
+ "Control": "Working in secure areas",
+ "Requirements": "Procedures should be designed and implemented for working in safe areas.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.7",
+ "Section": "Physical controls",
+ "Control": "Clear desk and clear screen",
+ "Requirements": "A clear desk policy should be adopted for papers and removable storage media and a clear screen policy should be applied to information processing facilities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.8",
+ "Section": "Physical controls",
+ "Control": "Equipment siting and protection",
+ "Requirements": "To mitigate the risk of environmental hazards, risks, and unauthorized access, the equipment should be sited and secured.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.9",
+ "Section": "Physical controls",
+ "Control": "Security of assets off-premises",
+ "Requirements": "The security of off-site assets should be applied to the various risks of working outside the premises of the organization in mind.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.10",
+ "Section": "Physical controls",
+ "Control": "Storage media",
+ "Requirements": "Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. When not required by specific protocols, media should be disposed of securely. Information media should be protected from unauthorized access, misuse or corruption during transportation. Without prior authorization, equipment, information, or software should not be taken off-site.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.11",
+ "Section": "Physical controls",
+ "Control": "Supporting utilities",
+ "Requirements": "Equipment should be secured against power failures and other disruptions caused by the supporting infrastructure failures.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.12",
+ "Section": "Physical controls",
+ "Control": "Cabling security",
+ "Requirements": "Cable for power and telecommunications that carry data or support services should be safeguarded against interception, interference, or damage.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.13",
+ "Section": "Physical controls",
+ "Control": "Equipment maintenance",
+ "Requirements": "To ensure its continued availability and integrity, the equipment should be correctly maintained.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.14",
+ "Section": "Physical controls",
+ "Control": "Secure disposal or re-use of equipment",
+ "Requirements": "To avoid the removal or overriding of sensitive data and software by the disposal or reuse of any device containing storage medium, all devices must be reviewed.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.1",
+ "Section": "Technological controls",
+ "Control": "User end point devices",
+ "Requirements": "To manage the risks introduced by the use of mobile devices, a policy and supporting safety measures should be adopted. Unattended equipment should be adequately protected by users.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.2",
+ "Section": "Technological controls",
+ "Control": "Privileged access rights",
+ "Requirements": "A structured authorizing procedure in accordance with the appropriate access management policies should monitor the allocation and usage of delegated access privileges.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.3",
+ "Section": "Technological controls",
+ "Control": "Information access restriction",
+ "Requirements": "Access controls should be based on individual requirements for business applications and in compliance with a specified access control policy.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.4",
+ "Section": "Technological controls",
+ "Control": "Access to source code",
+ "Requirements": "Access should be limited to the source code of the program.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.5",
+ "Section": "Technological controls",
+ "Control": "Secure authentication",
+ "Requirements": "Access to systems and applications should be controlled by a secure log-on procedure when required by the Access Control Policy.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.6",
+ "Section": "Technological controls",
+ "Control": "Capacity management",
+ "Requirements": "In order to ensure necessary system performance, the use of resources should be monitored, adapted, and projected based on future capacity requirements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.7",
+ "Section": "Technological controls",
+ "Control": "Protection against malware",
+ "Requirements": "In combination with appropriate user awareness, the detection, prevention, and recovery controls to protect against malware should be implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.8",
+ "Section": "Technological controls",
+ "Control": "Management of technical vulnerabilities",
+ "Requirements": "Information on technological vulnerabilities of information systems used should be obtained in a timely manner, the exposure of the organization to such vulnerabilities should be assessed and appropriate measures taken to address the risk involved. Information systems for compliance with the Information Security Policies and practices of an organization should be periodically reviewed.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.9",
+ "Section": "Technological controls",
+ "Control": "Configuration management",
+ "Requirements": "Manage the whole cycle of security configuration for your technology to ensure a proper level of security and to avoid any unauthorized changes. This includes configuration definition, implementation, monitoring, and review.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.10",
+ "Section": "Technological controls",
+ "Control": "Information deletion",
+ "Requirements": "Delete data when no longer required, in order to avoid leakage of sensitive information and to enable compliance with privacy and other requirements. This could include deletion in your IT systems, removable media, or cloud services.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.11",
+ "Section": "Technological controls",
+ "Control": "Data masking",
+ "Requirements": "Use data masking together with access control in order to limit the exposure of sensitive information. This primarily means personal data, because they are heavily regulated through privacy regulations, but it could also include other categories of sensitive data.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.12",
+ "Section": "Technological controls",
+ "Control": "Data leakage prevention",
+ "Requirements": "Apply various data leakage measures in order to avoid unauthorized disclosure of sensitive information, and if such incidents happen, to detect them in a timely manner. This includes information in IT systems, networks, or any devices.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.13",
+ "Section": "Technological controls",
+ "Control": "Information backup",
+ "Requirements": "In accordance with the agreed backup policy, copies of records, program and device images shall be collected and regularly tested.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.14",
+ "Section": "Technological controls",
+ "Control": "Redundancy of information processing facilities",
+ "Requirements": "How information processing facilities are implemented with redundancy sufficiency to meet availability requirements. Redundancy refers to implementing, typically, duplicate hardware to ensure availability of information processing systems.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.15",
+ "Section": "Technological controls",
+ "Control": "Logging",
+ "Requirements": "Event logs should be produced, retained, and regularly reviewed to record user activities, exceptions, defects, and information security events. Logging and log information should be secure from intrusion and unauthorized access. The activity of the System Manager and System Operator is to be logged, and the logs kept safe and monitored closely.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.16",
+ "Section": "Technological controls",
+ "Control": "Monitoring activities",
+ "Requirements": "Monitor systems in order to recognize unusual activities and, if needed, to activate the appropriate incident response. This includes monitoring of your IT systems, networks, and applications.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.17",
+ "Section": "Technological controls",
+ "Control": "Clock synchronization",
+ "Requirements": "Clocks in all related information management systems should be integrated into a single reference time source for an organization or safety domain.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.18",
+ "Section": "Technological controls",
+ "Control": "Use of privileged utility programs",
+ "Requirements": "The use of utility programs that could bypass system and application controls should be limited and tightly controlled.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.19",
+ "Section": "Technological controls",
+ "Control": "Installation of software on operational systems",
+ "Requirements": "To control the installation of software on operating systems, procedures should be implemented. Users should set and implement rules governing software installation.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.20",
+ "Section": "Technological controls",
+ "Control": "Networks security",
+ "Requirements": "To protect information in systems and applications, networks should be managed and monitored.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.21",
+ "Section": "Technological controls",
+ "Control": "Security of network services",
+ "Requirements": "Security protocols, quality of service, and management criteria for all network services, whether in-house or outsourced, should be defined and included in-network services agreements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.22",
+ "Section": "Technological controls",
+ "Control": "Segregation of networks",
+ "Requirements": "Network segregation should be established for information services, users, and information systems.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.23",
+ "Section": "Technological controls",
+ "Control": "Web filtering",
+ "Requirements": "Manage which websites users are accessing, in order to protect your IT systems. This way, you can prevent your systems from being compromised by malicious code, and also prevent users from using illegal materials from the Internet.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.24",
+ "Section": "Technological controls",
+ "Control": "Use of cryptography",
+ "Requirements": "A policy on the use of cryptographic controls for protection of information shall be developed and implemented. A policy on the use, security, and lifetime of cryptographic keys should be created and enforced over their entire life cycle.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.25",
+ "Section": "Technological controls",
+ "Control": "Secure development life cycle",
+ "Requirements": "Changes to processes can be managed through the implementation of structured change control procedures within the software lifecycle.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.26",
+ "Section": "Technological controls",
+ "Control": "Application security requirements",
+ "Requirements": "Application services which pass through public networks should be protected against fraudulent activities, contract disputes, unauthorized disclosure, and modification. In order to avoid incomplete transmission, misrouting, unauthorized messaging modification, unauthorized dissemination, unauthorized message replication, or replay, information concerning application service transactions should be covered.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.27",
+ "Section": "Technological controls",
+ "Control": "Secure system architecture and engineering principles",
+ "Requirements": "In the implementation of any information system implementation project, standards for secure system engineered must be established, documented, maintained, and implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.28",
+ "Section": "Technological controls",
+ "Control": "Secure coding",
+ "Requirements": "Establish secure coding principles and apply them to your software development in order to reduce security vulnerabilities in the software. This could include activities before, during, and after the coding.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.29",
+ "Section": "Technological controls",
+ "Control": "Security testing in development and acceptance",
+ "Requirements": "During development, security functionality test should be conducted. New information systems, enhancements, and updated versions should be equipped with acceptance testing services and related requirements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.30",
+ "Section": "Technological controls",
+ "Control": "Outsourced development",
+ "Requirements": "The organization must monitor activity for the development of the outsourced system.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.31",
+ "Section": "Technological controls",
+ "Control": "Separation of development, test and production environments",
+ "Requirements": "It is important to define and enforce the degree of separation between organizational, testing and development environments needed to avoid operational problems. Organizations should create secure development environments and integration efforts for the entire life cycle of system development, and should be adequately protected.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.32",
+ "Section": "Technological controls",
+ "Control": "Change management",
+ "Requirements": "Changes in the organization, organizational procedures, information management facilities, and information security systems should be controlled. Changes to processes can be managed through the implementation of structured change control procedures within the software lifecycle. In changing operating platforms, critical applications of business should be revised and tested to ensure no adverse impacts on business or security. Software package modifications should be discouraged, restricted to the modifications necessary, and all changes controlled strictly.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.33",
+ "Section": "Technological controls",
+ "Control": "Test information",
+ "Requirements": "Careful collection, security, and review of test data should be performed.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.34",
+ "Section": "Technological controls",
+ "Control": "Protection of information systems during audit testing",
+ "Requirements": "The audit criteria and activities related to operating system verification should be carefully prepared and decided in order to reduce business process disturbance.",
+ "Status": "Unknown"
+ }
+]
diff --git a/components/defaultLanding/data/MVPS-controls.json b/components/defaultLanding/data/MVPS-controls.json
index 4034cafa..bc5f7349 100644
--- a/components/defaultLanding/data/MVPS-controls.json
+++ b/components/defaultLanding/data/MVPS-controls.json
@@ -1,303 +1,303 @@
{
-"MVPS-Controls":[
- {
- "Code": "MVSP-1.1",
- "Section": "Business controls",
- "Control": "Vulnerability reports",
- "Requirements": "Publish the point of contact for security reports on your website\nRespond to security reports within a reasonable time frame",
- "Status": "Unknown"
- },
- {
- "Code": "MVSP-1.2",
- "Section": "Business controls",
- "Control": "Customer testing",
- "Requirements": "On request, enable your customers or their delegates to test the security of your application\nTest on a non-production environment if it closely resembles the production environment in functionality\nEnsure non-production environments do not contain production data",
- "Status": "Defined"
- },
- {
- "Code": "MVSP-1.3",
- "Section": "Business controls",
- "Control": "Self-assessment",
- "Requirements": "Perform annual (at a minimum) security self-assessments using this document",
- "Status": "Nonexistent"
- },
- {
- "Code": "MVSP-1.4",
- "Section": "Business controls",
- "Control": "External testing",
- "Requirements": "Contract a security vendor to perform annual, comprehensive penetration tests on your systems",
- "Status": "Unknown"
- },
- {
- "Code": "MVSP-1.5",
- "Section": "Business controls",
- "Control": "Training",
- "Requirements": "Implement role-specific security training for your personnel that is relevant to their business function",
- "Status": "Not applicable"
- },
- {
- "Code": "MVSP-1.6",
- "Section": "Business controls",
- "Control": "Compliance",
- "Requirements": "Comply with all industry security standards relevant to your business such as PCI DSS, HITRUST, ISO27001, and SSAE 18\nComply with local laws and regulations in jurisdictions applicable to your company and your customers, such as GDPR, Binding Corporate Rules, and Standard Contractual Clauses\nEnsure data localization requirements are implemented in line with local regulations and contractual obligations",
- "Status": "Defined"
- },
- {
- "Code": "MVSP-1.7",
- "Section": "Business controls",
- "Control": "Incident handling",
- "Requirements": "Notify your customers about a breach without undue delay, no later than 72 hours upon discovery\nInclude the following information in the notification: \n- Relevant point of contact\n- Preliminary technical analysis of the breach\n- Remediation plan with reasonable timelines",
- "Status": "Unknown"
- },
- {
- "Code": "MVSP-1.8",
- "Section": "Business controls",
- "Control": "Data handling",
- "Requirements": "Ensure media sanitization processes based on NIST SP 800-88 or equivalent are implemented",
- "Status": "Managed"
- },
- {
- "Code": "MVSP-2.1",
- "Section": "Application design controls",
- "Control": "Single Sign-On",
- "Requirements": "Implement single sign-on using modern and industry standard protocols",
- "Status": "Unknown"
- },
- {
- "Code": "MVSP-2.2",
- "Section": "Application design controls",
- "Control": "HTTPS-only",
- "Requirements": "Redirect traffic from HTTP protocol (port 80) to HTTPS (port 443)\nNote: This does not apply to secure protocols designed to run on top of unencrypted connections, such as OCSP\nScan and address issues using freely available modern TLS scanning tools\nInclude the Strict-Transport-Security header on all pages with the includeSubdomains directive",
- "Status": "Unknown"
- },
- {
- "Code": "MVSP-2.3",
- "Section": "Application design controls",
- "Control": "Security Headers",
- "Requirements": "Apply appropriate security headers to reduce the application attack surface and limit post exploitation: \n- Set a minimally permissive Content Security Policy \n- Limit the ability to iframe sensitive application content where appropriate",
- "Status": "Optimized"
- },
- {
- "Code": "MVSP-2.4",
- "Section": "Application design controls",
- "Control": "Password policy",
- "Requirements": "If password authentication is used in addition to single sign-on: \n- Do not limit the permitted characters that can be used \n- Do not limit the length of the password to anything below 64 characters \n- Do not use secret questions as a sole password reset requirement \n- Require email verification of a password change request \n- Require the current password in addition to the new password during password change \n- Store passwords in a hashed and salted format using a memory-hard or CPU-hard one-way hash function \n- Enforce appropriate account lockout and brute-force protection on account access",
- "Status": "Initial"
- },
- {
- "Code": "MVSP-2.5",
- "Section": "Application design controls",
- "Control": "Security libraries",
- "Requirements": "Use frameworks, template languages, or libraries that systemically address implementation weaknesses by escaping the outputs and sanitizing the inputs\nExample: ORM for database access, UI framework for rendering DOM",
- "Status": "Limited"
- },
- {
- "Code": "MVSP-2.6",
- "Section": "Application design controls",
- "Control": "Dependency Patching",
- "Requirements": "Apply security patches with a severity score of \"medium\" or higher, or ensure equivalent mitigations are available for all components of the application stack within one month of the patch release",
- "Status": "Unknown"
- },
- {
- "Code": "MVSP-2.7",
- "Section": "Application design controls",
- "Control": "Logging",
- "Requirements": "Keep logs of:\n- Users logging in and out\n- Read, write, delete operations on application and system\n- Security settings changes (including disabling logging)\n- Application owner access to customer data (access transparency)\n\nLogs must include user ID, IP address, valid timestamp, type of action performed, and object of this action. Logs must be stored for at least 30 days, and should not contain sensitive data or payloads. Users\n and objects",
- "Status": "Unknown"
- },
- {
- "Code": "MVSP-2.8",
- "Section": "Application design controls",
- "Control": "Encryption",
- "Requirements": "Use available means of encryption to protect sensitive data in transit between systems and at rest in online data storages and backups",
- "Status": "Unknown"
- },
- {
- "Code": "MVSP-3.1",
- "Section": "Application implementation controls",
- "Control": "List of data",
- "Requirements": "Maintain a list of sensitive data types that the application is expected to process",
- "Status": "Unknown"
- },
- {
- "Code": "MVSP-3.2",
- "Section": "Application implementation controls",
- "Control": "Data flow diagram",
- "Requirements": "Maintain an up-to-date diagram indicating how sensitive data reaches your systems and where it ends up being stored",
- "Status": "Unknown"
- },
- {
- "Code": "MVSP-3.3",
- "Section": "Application implementation controls",
- "Control": "Vulnerability prevention",
- "Requirements": "Train your developers and implement development guidelines to prevent at least the following vulnerabilities: \n- Authorization bypass. Example: Accessing other customers' data or admin features from a regular account \n- Insecure session ID. Examples: Guessable token; a token stored in an insecure location (e.g. cookie without secure and httpOnly flags set) \n- Injections. Examples: SQL injection, NoSQL injection, XXE, OS command injection \n- Cross-site scripting. Examples: Calling insecure JavaScript functions, performing insecure DOM manipulations, echoing back user input into HTML without escaping \n- Cross-site request forgery. Example: Accepting requests with an Origin header from a different domain \n- Use of vulnerable libraries. Example: Using server-side frameworks or JavaScript libraries with known vulnerabilities",
- "Status": "Unknown"
- },
- {
- "Code": "MVSP-3.4",
- "Section": "Application implementation controls",
- "Control": "Time to fix vulnerabilities",
- "Requirements": "Produce and deploy patches to address application vulnerabilities that materially impact security within 90 days of discovery",
- "Status": "Unknown"
- },
- {
- "Code": "MVSP-3.5",
- "Section": "Application implementation controls",
- "Control": "Build process",
- "Requirements": "Build processes must be fully scripted\/automated and generate provenance (SLSA Level 1)",
- "Status": "Unknown"
- },
- {
- "Code": "MVSP-4.1",
- "Section": "Operational controls",
- "Control": "Physical access",
- "Requirements": "Validate the physical security of relevant facilities by ensuring the following controls are in place: \n- Layered perimeter controls and interior barriers \n- Managed access to keys \n- Entry and exit logs \n- Appropriate response plan for intruder alerts",
- "Status": "Unknown"
- },
- {
- "Code": "MVSP-4.2",
- "Section": "Operational controls",
- "Control": "Logical access",
- "Requirements": "- Limit sensitive data access exclusively to users with a legitimate need. The data owner must authorize such access \n- Deactivate redundant accounts and expired access grants in a timely manner \n- Perform regular reviews of access to validate need to know \n- Ensure remote access to customer data or production systems requires the use of Multi-Factor Authentication",
- "Status": "Unknown"
- },
- {
- "Code": "MVSP-4.3",
- "Section": "Operational controls",
- "Control": "Sub-processors",
- "Requirements": "- Publish a list of third-party companies with access to customer data on your website \n- Assess third-party companies annually against this baseline",
- "Status": "Unknown"
- },
- {
- "Code": "MVSP-4.4",
- "Section": "Operational controls",
- "Control": "Backup and Disaster recovery",
- "Requirements": "- Securely back up all data to a different location than where the application is running \n- Maintain and periodically test disaster recovery plans \n- Periodically test backup restoration",
- "Status": "Unknown"
- }
-],
-"Selection":[
- {
- "Status": "Unknown",
- "Maturity level": 0,
- "Meaning": "Has not even been checked yet",
- "Column4": " "
- },
- {
- "Status": "Not applicable",
- "Maturity level": 0,
- "Meaning": "Management can ignore them"
- },
- {
- "Status": "Nonexistent",
- "Maturity level": 1,
- "Meaning": "Complete lack of recognizable policy, procedure, control etc."
- },
- {
- "Status": "Initial",
- "Maturity level": 2,
- "Meaning": "Development has barely started and will require significant work to fulfill the requirements"
- },
- {
- "Status": "Limited",
- "Maturity level": 3,
- "Meaning": "Progressing nicely but not yet complete"
- },
- {
- "Status": "Defined",
- "Maturity level": 4,
- "Meaning": "Development is more or less complete although detail is lacking and\/or it is not yet implemented, enforced and actively supported by top management"
- },
- {
- "Status": "Managed",
- "Maturity level": 5,
- "Meaning": "Development is complete, the process\/control has been implemented and recently started operating"
- },
- {
- "Status": "Optimized",
- "Maturity level": 6,
- "Meaning": "The requirement is fully satisfied, is operating fully as expected, is being actively monitored and improved, and there is substantial evidence to prove all that to the auditors"
- }
-],
-"Dashboard":[
- {
- "Status": "Unknown",
- "Percentage": 0.68
- },
- {
- "Status": "Not applicable",
- "Percentage": 0.04
- },
- {
- "Status": "Nonexistent",
- "Percentage": 0.04
- },
- {
- "Status": "Initial",
- "Percentage": 0.04
- },
- {
- "Status": "Limited",
- "Percentage": 0.04
- },
- {
- "Status": "Defined",
- "Percentage": 0.08
- },
- {
- "Status": "Managed",
- "Percentage": 0.04
- },
- {
- "Status": "Optimized",
- "Percentage": 0.04,
- "Column11": "https:\/\/www.chartjs.org\/docs\/latest\/charts\/radar.html"
- },
- {
- "Column4": "https:\/\/www.chartjs.org\/docs\/latest\/samples\/other-charts\/pie.html"
- },
- null,
- null,
- null,
- null,
- null,
- null,
- null,
- null,
- null,
- null,
- null,
- null,
- null,
- null,
- null,
- null,
- null,
- null,
- null,
- null,
- null,
- null,
- null,
- {
- "Status": "Section",
- "Percentage": "Maturity level"
- },
- {
- "Status": "Business controls",
- "Percentage": 3
- },
- {
- "Status": "Application design controls",
- "Percentage": 4
- },
- {
- "Status": "Application implementation controls",
- "Percentage": 2
- },
- {
- "Status": "Operational controls",
- "Percentage": 1
- }
-]
-}
\ No newline at end of file
+ "MVPS-Controls": [
+ {
+ "Code": "MVSP-1.1",
+ "Section": "Business controls",
+ "Control": "Vulnerability reports",
+ "Requirements": "Publish the point of contact for security reports on your website\nRespond to security reports within a reasonable time frame",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "MVSP-1.2",
+ "Section": "Business controls",
+ "Control": "Customer testing",
+ "Requirements": "On request, enable your customers or their delegates to test the security of your application\nTest on a non-production environment if it closely resembles the production environment in functionality\nEnsure non-production environments do not contain production data",
+ "Status": "Defined"
+ },
+ {
+ "Code": "MVSP-1.3",
+ "Section": "Business controls",
+ "Control": "Self-assessment",
+ "Requirements": "Perform annual (at a minimum) security self-assessments using this document",
+ "Status": "Nonexistent"
+ },
+ {
+ "Code": "MVSP-1.4",
+ "Section": "Business controls",
+ "Control": "External testing",
+ "Requirements": "Contract a security vendor to perform annual, comprehensive penetration tests on your systems",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "MVSP-1.5",
+ "Section": "Business controls",
+ "Control": "Training",
+ "Requirements": "Implement role-specific security training for your personnel that is relevant to their business function",
+ "Status": "Not applicable"
+ },
+ {
+ "Code": "MVSP-1.6",
+ "Section": "Business controls",
+ "Control": "Compliance",
+ "Requirements": "Comply with all industry security standards relevant to your business such as PCI DSS, HITRUST, ISO27001, and SSAE 18\nComply with local laws and regulations in jurisdictions applicable to your company and your customers, such as GDPR, Binding Corporate Rules, and Standard Contractual Clauses\nEnsure data localization requirements are implemented in line with local regulations and contractual obligations",
+ "Status": "Defined"
+ },
+ {
+ "Code": "MVSP-1.7",
+ "Section": "Business controls",
+ "Control": "Incident handling",
+ "Requirements": "Notify your customers about a breach without undue delay, no later than 72 hours upon discovery\nInclude the following information in the notification: \n- Relevant point of contact\n- Preliminary technical analysis of the breach\n- Remediation plan with reasonable timelines",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "MVSP-1.8",
+ "Section": "Business controls",
+ "Control": "Data handling",
+ "Requirements": "Ensure media sanitization processes based on NIST SP 800-88 or equivalent are implemented",
+ "Status": "Managed"
+ },
+ {
+ "Code": "MVSP-2.1",
+ "Section": "Application design controls",
+ "Control": "Single Sign-On",
+ "Requirements": "Implement single sign-on using modern and industry standard protocols",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "MVSP-2.2",
+ "Section": "Application design controls",
+ "Control": "HTTPS-only",
+ "Requirements": "Redirect traffic from HTTP protocol (port 80) to HTTPS (port 443)\nNote: This does not apply to secure protocols designed to run on top of unencrypted connections, such as OCSP\nScan and address issues using freely available modern TLS scanning tools\nInclude the Strict-Transport-Security header on all pages with the includeSubdomains directive",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "MVSP-2.3",
+ "Section": "Application design controls",
+ "Control": "Security Headers",
+ "Requirements": "Apply appropriate security headers to reduce the application attack surface and limit post exploitation: \n- Set a minimally permissive Content Security Policy \n- Limit the ability to iframe sensitive application content where appropriate",
+ "Status": "Optimized"
+ },
+ {
+ "Code": "MVSP-2.4",
+ "Section": "Application design controls",
+ "Control": "Password policy",
+ "Requirements": "If password authentication is used in addition to single sign-on: \n- Do not limit the permitted characters that can be used \n- Do not limit the length of the password to anything below 64 characters \n- Do not use secret questions as a sole password reset requirement \n- Require email verification of a password change request \n- Require the current password in addition to the new password during password change \n- Store passwords in a hashed and salted format using a memory-hard or CPU-hard one-way hash function \n- Enforce appropriate account lockout and brute-force protection on account access",
+ "Status": "Initial"
+ },
+ {
+ "Code": "MVSP-2.5",
+ "Section": "Application design controls",
+ "Control": "Security libraries",
+ "Requirements": "Use frameworks, template languages, or libraries that systemically address implementation weaknesses by escaping the outputs and sanitizing the inputs\nExample: ORM for database access, UI framework for rendering DOM",
+ "Status": "Limited"
+ },
+ {
+ "Code": "MVSP-2.6",
+ "Section": "Application design controls",
+ "Control": "Dependency Patching",
+ "Requirements": "Apply security patches with a severity score of \"medium\" or higher, or ensure equivalent mitigations are available for all components of the application stack within one month of the patch release",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "MVSP-2.7",
+ "Section": "Application design controls",
+ "Control": "Logging",
+ "Requirements": "Keep logs of:\n- Users logging in and out\n- Read, write, delete operations on application and system\n- Security settings changes (including disabling logging)\n- Application owner access to customer data (access transparency)\n\nLogs must include user ID, IP address, valid timestamp, type of action performed, and object of this action. Logs must be stored for at least 30 days, and should not contain sensitive data or payloads. Users\n and objects",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "MVSP-2.8",
+ "Section": "Application design controls",
+ "Control": "Encryption",
+ "Requirements": "Use available means of encryption to protect sensitive data in transit between systems and at rest in online data storages and backups",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "MVSP-3.1",
+ "Section": "Application implementation controls",
+ "Control": "List of data",
+ "Requirements": "Maintain a list of sensitive data types that the application is expected to process",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "MVSP-3.2",
+ "Section": "Application implementation controls",
+ "Control": "Data flow diagram",
+ "Requirements": "Maintain an up-to-date diagram indicating how sensitive data reaches your systems and where it ends up being stored",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "MVSP-3.3",
+ "Section": "Application implementation controls",
+ "Control": "Vulnerability prevention",
+ "Requirements": "Train your developers and implement development guidelines to prevent at least the following vulnerabilities: \n- Authorization bypass. Example: Accessing other customers' data or admin features from a regular account \n- Insecure session ID. Examples: Guessable token; a token stored in an insecure location (e.g. cookie without secure and httpOnly flags set) \n- Injections. Examples: SQL injection, NoSQL injection, XXE, OS command injection \n- Cross-site scripting. Examples: Calling insecure JavaScript functions, performing insecure DOM manipulations, echoing back user input into HTML without escaping \n- Cross-site request forgery. Example: Accepting requests with an Origin header from a different domain \n- Use of vulnerable libraries. Example: Using server-side frameworks or JavaScript libraries with known vulnerabilities",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "MVSP-3.4",
+ "Section": "Application implementation controls",
+ "Control": "Time to fix vulnerabilities",
+ "Requirements": "Produce and deploy patches to address application vulnerabilities that materially impact security within 90 days of discovery",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "MVSP-3.5",
+ "Section": "Application implementation controls",
+ "Control": "Build process",
+ "Requirements": "Build processes must be fully scripted/automated and generate provenance (SLSA Level 1)",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "MVSP-4.1",
+ "Section": "Operational controls",
+ "Control": "Physical access",
+ "Requirements": "Validate the physical security of relevant facilities by ensuring the following controls are in place: \n- Layered perimeter controls and interior barriers \n- Managed access to keys \n- Entry and exit logs \n- Appropriate response plan for intruder alerts",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "MVSP-4.2",
+ "Section": "Operational controls",
+ "Control": "Logical access",
+ "Requirements": "- Limit sensitive data access exclusively to users with a legitimate need. The data owner must authorize such access \n- Deactivate redundant accounts and expired access grants in a timely manner \n- Perform regular reviews of access to validate need to know \n- Ensure remote access to customer data or production systems requires the use of Multi-Factor Authentication",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "MVSP-4.3",
+ "Section": "Operational controls",
+ "Control": "Sub-processors",
+ "Requirements": "- Publish a list of third-party companies with access to customer data on your website \n- Assess third-party companies annually against this baseline",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "MVSP-4.4",
+ "Section": "Operational controls",
+ "Control": "Backup and Disaster recovery",
+ "Requirements": "- Securely back up all data to a different location than where the application is running \n- Maintain and periodically test disaster recovery plans \n- Periodically test backup restoration",
+ "Status": "Unknown"
+ }
+ ],
+ "Selection": [
+ {
+ "Status": "Unknown",
+ "Maturity level": 0,
+ "Meaning": "Has not even been checked yet",
+ "Column4": " "
+ },
+ {
+ "Status": "Not applicable",
+ "Maturity level": 0,
+ "Meaning": "Management can ignore them"
+ },
+ {
+ "Status": "Nonexistent",
+ "Maturity level": 1,
+ "Meaning": "Complete lack of recognizable policy, procedure, control etc."
+ },
+ {
+ "Status": "Initial",
+ "Maturity level": 2,
+ "Meaning": "Development has barely started and will require significant work to fulfill the requirements"
+ },
+ {
+ "Status": "Limited",
+ "Maturity level": 3,
+ "Meaning": "Progressing nicely but not yet complete"
+ },
+ {
+ "Status": "Defined",
+ "Maturity level": 4,
+ "Meaning": "Development is more or less complete although detail is lacking and/or it is not yet implemented, enforced and actively supported by top management"
+ },
+ {
+ "Status": "Managed",
+ "Maturity level": 5,
+ "Meaning": "Development is complete, the process/control has been implemented and recently started operating"
+ },
+ {
+ "Status": "Optimized",
+ "Maturity level": 6,
+ "Meaning": "The requirement is fully satisfied, is operating fully as expected, is being actively monitored and improved, and there is substantial evidence to prove all that to the auditors"
+ }
+ ],
+ "Dashboard": [
+ {
+ "Status": "Unknown",
+ "Percentage": 0.68
+ },
+ {
+ "Status": "Not applicable",
+ "Percentage": 0.04
+ },
+ {
+ "Status": "Nonexistent",
+ "Percentage": 0.04
+ },
+ {
+ "Status": "Initial",
+ "Percentage": 0.04
+ },
+ {
+ "Status": "Limited",
+ "Percentage": 0.04
+ },
+ {
+ "Status": "Defined",
+ "Percentage": 0.08
+ },
+ {
+ "Status": "Managed",
+ "Percentage": 0.04
+ },
+ {
+ "Status": "Optimized",
+ "Percentage": 0.04,
+ "Column11": "https://www.chartjs.org/docs/latest/charts/radar.html"
+ },
+ {
+ "Column4": "https://www.chartjs.org/docs/latest/samples/other-charts/pie.html"
+ },
+ null,
+ null,
+ null,
+ null,
+ null,
+ null,
+ null,
+ null,
+ null,
+ null,
+ null,
+ null,
+ null,
+ null,
+ null,
+ null,
+ null,
+ null,
+ null,
+ null,
+ null,
+ null,
+ null,
+ {
+ "Status": "Section",
+ "Percentage": "Maturity level"
+ },
+ {
+ "Status": "Business controls",
+ "Percentage": 3
+ },
+ {
+ "Status": "Application design controls",
+ "Percentage": 4
+ },
+ {
+ "Status": "Application implementation controls",
+ "Percentage": 2
+ },
+ {
+ "Status": "Operational controls",
+ "Percentage": 1
+ }
+ ]
+}
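Review bot: The new side of the `Dashboard` array still carries spreadsheet-export residue that the reformat does not clean up: a run of twenty-three bare `null` entries ahead of the `"Status": "Section"` row, and stray `Column4`/`Column11` keys holding chart.js documentation URLs (the `Selection` array has a `"Column4": " "` leftover too). A consumer that iterates `Dashboard` and reads `.Status` or `.Percentage` would presumably need a null guard, and the trailing section rows overload `Percentage` with an integer maturity level, so the array mixes two unrelated shapes under one key. Since the whole file is rewritten here, I would drop the `null` entries and the `Column*` keys, and move the per-section maturity rows under their own key, e.g. `"SectionMaturity": [ { "Section": "Business controls", "Maturity level": 3 }, … ]`. Separately, the top-level key is spelled `MVPS-Controls` while every code is `MVSP-x.y`; if anything resolves the key by name, a rename is a compatibility change and should at least be noted in the file or commit.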
diff --git a/components/defaultLanding/data/availableExtensions.json b/components/defaultLanding/data/availableExtensions.json
index 1bbafa94..3c3b9318 100644
--- a/components/defaultLanding/data/availableExtensions.json
+++ b/components/defaultLanding/data/availableExtensions.json
@@ -1,18 +1,18 @@
{
- "availableExtensions": {
- "pdf": "application/pdf",
- "7z": "application/x-7z-compressed",
- "zip": "application/zip",
- "tar": "application/x-tar",
- "gz": "application/gzip",
- "docx": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
- "xls": "application/vnd.ms-excel",
- "csv": "text/csv",
- "json": "application/json",
- "xml": "application/xml",
- "txt": "text/plain",
- "ods": "application/vnd.oasis.opendocument.spreadsheet",
- "rtf": "application/rtf",
- "odt": "application/vnd.oasis.opendocument.text"
- }
- }
\ No newline at end of file
+ "availableExtensions": {
+ "pdf": "application/pdf",
+ "7z": "application/x-7z-compressed",
+ "zip": "application/zip",
+ "tar": "application/x-tar",
+ "gz": "application/gzip",
+ "docx": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+ "xls": "application/vnd.ms-excel",
+ "csv": "text/csv",
+ "json": "application/json",
+ "xml": "application/xml",
+ "txt": "text/plain",
+ "ods": "application/vnd.oasis.opendocument.spreadsheet",
+ "rtf": "application/rtf",
+ "odt": "application/vnd.oasis.opendocument.text"
+ }
+}
diff --git a/components/defaultLanding/data/configs/countries.ts b/components/defaultLanding/data/configs/countries.ts
new file mode 100644
index 00000000..1f32367e
--- /dev/null
+++ b/components/defaultLanding/data/configs/countries.ts
@@ -0,0 +1,269 @@
+export default [
+ { label: 'Andorra', value: 'andorra' },
+ { label: 'United Arab Emirates', value: 'united arab emirates' },
+ { label: 'Afghanistan', value: 'afghanistan' },
+ { label: 'Antigua and Barbuda', value: 'antigua and barbuda' },
+ { label: 'Anguilla', value: 'anguilla' },
+ { label: 'Albania', value: 'albania' },
+ { label: 'Armenia', value: 'armenia' },
+ { label: 'Netherlands Antilles', value: 'netherlands antilles' },
+ { label: 'Angola', value: 'angola' },
+ { label: 'Antarctica', value: 'antarctica' },
+ { label: 'Argentina', value: 'argentina' },
+ { label: 'American Samoa', value: 'american samoa' },
+ { label: 'Austria', value: 'austria' },
+ { label: 'Australia', value: 'australia' },
+ { label: 'Aruba', value: 'aruba' },
+ { label: 'Azerbaijan', value: 'azerbaijan' },
+ { label: 'Bosnia and Herzegovina', value: 'bosnia and herzegovina' },
+ { label: 'Barbados', value: 'barbados' },
+ { label: 'Bangladesh', value: 'bangladesh' },
+ { label: 'Belgium', value: 'belgium' },
+ { label: 'Burkina Faso', value: 'burkina faso' },
+ { label: 'Bulgaria', value: 'bulgaria' },
+ { label: 'Bahrain', value: 'bahrain' },
+ { label: 'Burundi', value: 'burundi' },
+ { label: 'Benin', value: 'benin' },
+ { label: 'Bermuda', value: 'bermuda' },
+ { label: 'Brunei', value: 'brunei' },
+ { label: 'Bolivia', value: 'bolivia' },
+ { label: 'Brazil', value: 'brazil' },
+ { label: 'Bahamas', value: 'bahamas' },
+ { label: 'Bhutan', value: 'bhutan' },
+ { label: 'Bouvet Island', value: 'bouvet island' },
+ { label: 'Botswana', value: 'botswana' },
+ { label: 'Belarus', value: 'belarus' },
+ { label: 'Belize', value: 'belize' },
+ { label: 'Canada', value: 'canada' },
+ { label: 'Cocos [Keeling] Islands', value: 'cocos [keeling] islands' },
+ { label: 'Congo [DRC]', value: 'congo [drc]' },
+ { label: 'Central African Republic', value: 'central african republic' },
+ { label: 'Congo [Republic]', value: 'congo [republic]' },
+ { label: 'Switzerland', value: 'switzerland' },
+ { label: "CΓ΄te d'Ivoire", value: "cΓ΄te d'ivoire" },
+ { label: 'Cook Islands', value: 'cook islands' },
+ { label: 'Chile', value: 'chile' },
+ { label: 'Cameroon', value: 'cameroon' },
+ { label: 'China', value: 'china' },
+ { label: 'Colombia', value: 'colombia' },
+ { label: 'Costa Rica', value: 'costa rica' },
+ { label: 'Cuba', value: 'cuba' },
+ { label: 'Cape Verde', value: 'cape verde' },
+ { label: 'Christmas Island', value: 'christmas island' },
+ { label: 'Cyprus', value: 'cyprus' },
+ { label: 'Czech Republic', value: 'czech republic' },
+ { label: 'Germany', value: 'germany' },
+ { label: 'Djibouti', value: 'djibouti' },
+ { label: 'Denmark', value: 'denmark' },
+ { label: 'Dominica', value: 'dominica' },
+ { label: 'Dominican Republic', value: 'dominican republic' },
+ { label: 'Algeria', value: 'algeria' },
+ { label: 'Ecuador', value: 'ecuador' },
+ { label: 'Estonia', value: 'estonia' },
+ { label: 'Egypt', value: 'egypt' },
+ { label: 'Western Sahara', value: 'western sahara' },
+ { label: 'Eritrea', value: 'eritrea' },
+ { label: 'Spain', value: 'spain' },
+ { label: 'Ethiopia', value: 'ethiopia' },
+ { label: 'Finland', value: 'finland' },
+ { label: 'Fiji', value: 'fiji' },
+ {
+ label: 'Falkland Islands [Islas Malvinas]',
+ value: 'falkland islands [islas malvinas]',
+ },
+ { label: 'Micronesia', value: 'micronesia' },
+ { label: 'Faroe Islands', value: 'faroe islands' },
+ { label: 'France', value: 'france' },
+ { label: 'Gabon', value: 'gabon' },
+ { label: 'United Kingdom', value: 'united kingdom' },
+ { label: 'Grenada', value: 'grenada' },
+ { label: 'Georgia', value: 'georgia' },
+ { label: 'French Guiana', value: 'french guiana' },
+ { label: 'Guernsey', value: 'guernsey' },
+ { label: 'Ghana', value: 'ghana' },
+ { label: 'Gibraltar', value: 'gibraltar' },
+ { label: 'Greenland', value: 'greenland' },
+ { label: 'Gambia', value: 'gambia' },
+ { label: 'Guinea', value: 'guinea' },
+ { label: 'Guadeloupe', value: 'guadeloupe' },
+ { label: 'Equatorial Guinea', value: 'equatorial guinea' },
+ { label: 'Greece', value: 'greece' },
+ {
+ label: 'South Georgia and the South Sandwich Islands',
+ value: 'south georgia and the south sandwich islands',
+ },
+ { label: 'Guatemala', value: 'guatemala' },
+ { label: 'Guam', value: 'guam' },
+ { label: 'Guinea-Bissau', value: 'guinea-bissau' },
+ { label: 'Guyana', value: 'guyana' },
+ { label: 'Gaza Strip', value: 'gaza strip' },
+ { label: 'Hong Kong', value: 'hong kong' },
+ {
+ label: 'Heard Island and McDonald Islands',
+ value: 'heard island and mcdonald islands',
+ },
+ { label: 'Honduras', value: 'honduras' },
+ { label: 'Croatia', value: 'croatia' },
+ { label: 'Haiti', value: 'haiti' },
+ { label: 'Hungary', value: 'hungary' },
+ { label: 'Indonesia', value: 'indonesia' },
+ { label: 'Ireland', value: 'ireland' },
+ { label: 'Israel', value: 'israel' },
+ { label: 'Isle of Man', value: 'isle of man' },
+ { label: 'India', value: 'india' },
+ {
+ label: 'British Indian Ocean Territory',
+ value: 'british indian ocean territory',
+ },
+ { label: 'Iraq', value: 'iraq' },
+ { label: 'Iran', value: 'iran' },
+ { label: 'Iceland', value: 'iceland' },
+ { label: 'Italy', value: 'italy' },
+ { label: 'Jersey', value: 'jersey' },
+ { label: 'Jamaica', value: 'jamaica' },
+ { label: 'Jordan', value: 'jordan' },
+ { label: 'Japan', value: 'japan' },
+ { label: 'Kenya', value: 'kenya' },
+ { label: 'Kyrgyzstan', value: 'kyrgyzstan' },
+ { label: 'Cambodia', value: 'cambodia' },
+ { label: 'Kiribati', value: 'kiribati' },
+ { label: 'Comoros', value: 'comoros' },
+ { label: 'Saint Kitts and Nevis', value: 'saint kitts and nevis' },
+ { label: 'North Korea', value: 'north korea' },
+ { label: 'South Korea', value: 'south korea' },
+ { label: 'Kuwait', value: 'kuwait' },
+ { label: 'Cayman Islands', value: 'cayman islands' },
+ { label: 'Kazakhstan', value: 'kazakhstan' },
+ { label: 'Laos', value: 'laos' },
+ { label: 'Lebanon', value: 'lebanon' },
+ { label: 'Saint Lucia', value: 'saint lucia' },
+ { label: 'Liechtenstein', value: 'liechtenstein' },
+ { label: 'Sri Lanka', value: 'sri lanka' },
+ { label: 'Liberia', value: 'liberia' },
+ { label: 'Lesotho', value: 'lesotho' },
+ { label: 'Lithuania', value: 'lithuania' },
+ { label: 'Luxembourg', value: 'luxembourg' },
+ { label: 'Latvia', value: 'latvia' },
+ { label: 'Libya', value: 'libya' },
+ { label: 'Morocco', value: 'morocco' },
+ { label: 'Monaco', value: 'monaco' },
+ { label: 'Moldova', value: 'moldova' },
+ { label: 'Montenegro', value: 'montenegro' },
+ { label: 'Madagascar', value: 'madagascar' },
+ { label: 'Marshall Islands', value: 'marshall islands' },
+ { label: 'N. Macedonia', value: 'macedonia' },
+ { label: 'Mali', value: 'mali' },
+ { label: 'Myanmar [Burma]', value: 'myanmar [burma]' },
+ { label: 'Mongolia', value: 'mongolia' },
+ { label: 'Macau', value: 'macau' },
+ { label: 'Northern Mariana Islands', value: 'northern mariana islands' },
+ { label: 'Martinique', value: 'martinique' },
+ { label: 'Mauritania', value: 'mauritania' },
+ { label: 'Montserrat', value: 'montserrat' },
+ { label: 'Malta', value: 'malta' },
+ { label: 'Mauritius', value: 'mauritius' },
+ { label: 'Maldives', value: 'maldives' },
+ { label: 'Malawi', value: 'malawi' },
+ { label: 'Mexico', value: 'mexico' },
+ { label: 'Malaysia', value: 'malaysia' },
+ { label: 'Mozambique', value: 'mozambique' },
+ { label: 'Namibia', value: 'namibia' },
+ { label: 'New Caledonia', value: 'new caledonia' },
+ { label: 'Niger', value: 'niger' },
+ { label: 'Norfolk Island', value: 'norfolk island' },
+ { label: 'Nigeria', value: 'nigeria' },
+ { label: 'Nicaragua', value: 'nicaragua' },
+ { label: 'Netherlands', value: 'netherlands' },
+ { label: 'Norway', value: 'norway' },
+ { label: 'Nepal', value: 'nepal' },
+ { label: 'Nauru', value: 'nauru' },
+ { label: 'Niue', value: 'niue' },
+ { label: 'New Zealand', value: 'new zealand' },
+ { label: 'Oman', value: 'oman' },
+ { label: 'Panama', value: 'panama' },
+ { label: 'Peru', value: 'peru' },
+ { label: 'French Polynesia', value: 'french polynesia' },
+ { label: 'Papua New Guinea', value: 'papua new guinea' },
+ { label: 'Philippines', value: 'philippines' },
+ { label: 'Pakistan', value: 'pakistan' },
+ { label: 'Poland', value: 'poland' },
+ { label: 'Saint Pierre and Miquelon', value: 'saint pierre and miquelon' },
+ { label: 'Pitcairn Islands', value: 'pitcairn islands' },
+ { label: 'Puerto Rico', value: 'puerto rico' },
+ { label: 'Palestinian Territories', value: 'palestinian territories' },
+ { label: 'Portugal', value: 'portugal' },
+ { label: 'Palau', value: 'palau' },
+ { label: 'Paraguay', value: 'paraguay' },
+ { label: 'Qatar', value: 'qatar' },
+ { label: 'RΓ©union', value: 'rΓ©union' },
+ { label: 'Romania', value: 'romania' },
+ { label: 'Serbia', value: 'serbia' },
+ { label: 'Russia', value: 'russia' },
+ { label: 'Rwanda', value: 'rwanda' },
+ { label: 'Saudi Arabia', value: 'saudi arabia' },
+ { label: 'Solomon Islands', value: 'solomon islands' },
+ { label: 'Seychelles', value: 'seychelles' },
+ { label: 'Sudan', value: 'sudan' },
+ { label: 'Sweden', value: 'sweden' },
+ { label: 'Singapore', value: 'singapore' },
+ { label: 'Saint Helena', value: 'saint helena' },
+ { label: 'Slovenia', value: 'slovenia' },
+ { label: 'Svalbard and Jan Mayen', value: 'svalbard and jan mayen' },
+ { label: 'Slovakia', value: 'slovakia' },
+ { label: 'Sierra Leone', value: 'sierra leone' },
+ { label: 'San Marino', value: 'san marino' },
+ { label: 'Senegal', value: 'senegal' },
+ { label: 'Somalia', value: 'somalia' },
+ { label: 'Suriname', value: 'suriname' },
+ { label: 'SΓ£o TomΓ© and PrΓncipe', value: 'sΓ£o tomΓ© and prΓncipe' },
+ { label: 'El Salvador', value: 'el salvador' },
+ { label: 'Syria', value: 'syria' },
+ { label: 'Swaziland', value: 'swaziland' },
+ { label: 'Turks and Caicos Islands', value: 'turks and caicos islands' },
+ { label: 'Chad', value: 'chad' },
+ {
+ label: 'French Southern Territories',
+ value: 'french southern territories',
+ },
+ { label: 'Togo', value: 'togo' },
+ { label: 'Thailand', value: 'thailand' },
+ { label: 'Tajikistan', value: 'tajikistan' },
+ { label: 'Tokelau', value: 'tokelau' },
+ { label: 'Timor-Leste', value: 'timor-leste' },
+ { label: 'Turkmenistan', value: 'turkmenistan' },
+ { label: 'Tunisia', value: 'tunisia' },
+ { label: 'Tonga', value: 'tonga' },
+ { label: 'Turkey', value: 'turkey' },
+ { label: 'Trinidad and Tobago', value: 'trinidad and tobago' },
+ { label: 'Tuvalu', value: 'tuvalu' },
+ { label: 'Taiwan', value: 'taiwan' },
+ { label: 'Tanzania', value: 'tanzania' },
+ { label: 'Ukraine', value: 'ukraine' },
+ { label: 'Uganda', value: 'uganda' },
+ {
+ label: 'U.S. Minor Outlying Islands',
+ value: 'u.s. minor outlying islands',
+ },
+ { label: 'United States', value: 'united states' },
+ { label: 'Uruguay', value: 'uruguay' },
+ { label: 'Uzbekistan', value: 'uzbekistan' },
+ { label: 'Vatican City', value: 'vatican city' },
+ {
+ label: 'Saint Vincent and the Grenadines',
+ value: 'saint vincent and the grenadines',
+ },
+ { label: 'Venezuela', value: 'venezuela' },
+ { label: 'British Virgin Islands', value: 'british virgin islands' },
+ { label: 'U.S. Virgin Islands', value: 'u.s. virgin islands' },
+ { label: 'Vietnam', value: 'vietnam' },
+ { label: 'Vanuatu', value: 'vanuatu' },
+ { label: 'Wallis and Futuna', value: 'wallis and futuna' },
+ { label: 'Samoa', value: 'samoa' },
+ { label: 'Kosovo', value: 'kosovo' },
+ { label: 'Yemen', value: 'yemen' },
+ { label: 'Mayotte', value: 'mayotte' },
+ { label: 'South Africa', value: 'south africa' },
+ { label: 'Zambia', value: 'zambia' },
+ { label: 'Zimbabwe', value: 'zimbabwe' },
+ { label: 'Other', value: 'other' },
+];
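Review bot: The exported array has no declared element type, so consumers get only the inferred `{ label: string; value: string }[]` and nothing stops a later entry from dropping `value` or adding a stray key; closing the literal with `] satisfies readonly { label: string; value: string }[];` (or `as const`) keeps the literals narrow and checks the shape. Several labels (`CΓ΄te d'Ivoire`, `RΓ©union`, `SΓ£o TomΓ© and PrΓncipe`) appear mojibaked in this rendering; confirm the committed file is UTF-8 so the select shows the accented names. The `value` strings keep the brackets and apostrophes of the labels, so any code that later uses them as identifiers or URL parameters must encode them.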
diff --git a/components/defaultLanding/data/configs/csc.ts b/components/defaultLanding/data/configs/csc.ts
index f7df4439..bf9b55d3 100644
--- a/components/defaultLanding/data/configs/csc.ts
+++ b/components/defaultLanding/data/configs/csc.ts
@@ -1,7 +1,19 @@
-//import json from "../../../data/MVPS-controls.json";
-import json from '../MVPS-controls.json';
+import defaultJson from '../MVPS-controls.json';
+import iso2013Json from '../ISO-CSC-controls-2013.json';
+import iso2022Json from '../ISO-CSC-controls-2022.json';
+import nistcsfv2 from '../CSF2_1.json';
+import { Section } from 'types';
-const controls = json['MVPS-Controls'];
+const controls = {
+ '2013': iso2013Json,
+ '2022': iso2022Json,
+ default: defaultJson['MVPS-Controls'],
+ nistcsfv2: nistcsfv2.map((item) => ({
+ ...item,
+ Control: `${item.Code}: ${item.Control}`,
+ ControlLabel: item.Control,
+ })),
+};
const sections = [
{
@@ -22,6 +34,13 @@ const sections = [
},
];
+const isoOptions = [
+ { label: 'ISO/IEC 27001:2013', value: '2013' },
+ { label: 'ISO/IEC 27001:2022', value: '2022' },
+ { label: 'MVSP v1.0-20211007', value: 'default' },
+ { label: 'NIST CSF v2', value: 'nistcsfv2' },
+];
+
const perPageOptions: { label: string; value: number }[] = [
{
label: '5',
@@ -45,17 +64,135 @@ const perPageOptions: { label: string; value: number }[] = [
},
];
-const controlOptions = controls.map(
- ({ Code, Control, Requirements, Section }) => ({
- label: Control,
- value: {
- code: Code,
- control: Control,
- requirements: Requirements,
- section: Section,
- },
- })
-);
+const trimToSecondDot = (inputString: string): string =>
+ inputString.split('.').slice(0, 2).join('.');
+
+const getSectionsLabels = (iso: string) => {
+ switch (iso) {
+ case '2022':
+ case 'default':
+ case 'nistcsfv2':
+ return getSections(iso).map(({ label }) => label);
+ // case 'nistcsfv2':
+ // return getFunctions().map(({ label }) => label)
+ //For ISO 2013 we should merge the sections because of their big amount
+ case '2013':
+ default: {
+ const labelSet = new Set();
+ controls[iso].forEach((item) => {
+ labelSet.add(trimToSecondDot(item.Code));
+ });
+
+ const sections = Array.from(labelSet).map(
+ (label) =>
+ label +
+ ' ' +
+ controls[iso]
+ .find(({ Code }) => Code.includes(label))
+ ?.Section.split(' - ')[0]
+ );
+
+ return sections;
+ }
+ }
+};
+
+const getControlOptions = (iso: string) =>
+ controls[iso].map(
+ ({ Code, Control, Requirements, Section, ControlLabel }) => ({
+ label: `${Code}: ${Section}, ${ControlLabel ? ControlLabel : Control}`,
+ value: {
+ code: Code,
+ control: Control,
+ requirements: Requirements,
+ section: Section,
+ controlLabel: ControlLabel,
+ },
+ })
+ );
+
+const mergePoints = (d) => {
+ const merged = [
+ d[0],
+ (d[1] + d[2]) / 2,
+ (d[3] + d[4] + d[5]) / 3,
+ (d[6] + d[7] + d[8]) / 3,
+ (d[9] + d[10] + d[11] + d[12]) / 4,
+ d[13],
+ (d[14] + d[15]) / 2,
+ (d[16] + d[17] + d[18] + d[19] + d[20] + d[21] + d[22]) / 7,
+ (d[23] + d[24]) / 2,
+ (d[25] + d[26] + d[27]) / 3,
+ (d[28] + d[29]) / 2,
+ d[30],
+ (d[31] + d[32]) / 2,
+ (d[33] + d[34]) / 2,
+ ];
+
+ const rounded = merged.map((value) => Math.round(value));
+
+ return rounded;
+};
+
+const getRadarChartLabels = (iso: string) => {
+ const labels = getSectionsLabels(iso);
+ return labels.map((label) => label.split(' '));
+};
+
+const getSections = (iso: string): Section[] => {
+ const sectionSet = new Set();
+
+ if (controls[iso]) {
+ controls[iso].forEach((item) => {
+ sectionSet.add(item.Section);
+ });
+ }
+
+ const sections: Section[] = Array.from(sectionSet).map((section) => ({
+ label: section,
+ value: section,
+ }));
+
+ return sections;
+};
+
+// // Functions that used in CSF2
+// const getFunctions = (): { label: string; value: string }[] => {
+// const functionSet = new Set();
+
+// nistcsfv2.forEach(item => {
+// functionSet.add(item.Function);
+// });
+
+// const functions = Array.from(functionSet).map(item => ({
+// label: item,
+// value: item,
+// }));
+
+// return functions;
+// }
+
+const getSectionFilterOptions = (iso: string) => {
+ if (iso !== '2013') {
+ return getSections(iso);
+ }
+
+ const labels = getSectionsLabels(iso);
+ const options = labels.map((label) => ({
+ label,
+ value: removeBeforeFirstSpace(label),
+ }));
+
+ return options;
+};
+
+const removeBeforeFirstSpace = (string) => {
+ const parts = string.split(' ');
+ if (parts.length > 1) {
+ return parts.slice(1).join(' ');
+ }
+ return string;
+};
const statusOptions: { label: string; value: number }[] = [
{
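Review bot: `getSectionsLabels` (default branch) and `getControlOptions` index `controls[iso]` without the `if (controls[iso])` guard that `getSections` uses, so an `iso` value outside the four known keys throws a TypeError on `.forEach`/`.map` instead of yielding an empty list; if `iso` can arrive from a route or query parameter this is a user-triggerable crash. Resolve once in both helpers (and the 2013 lookup), `const list = controls[iso as keyof typeof controls] ?? [];`, and type the parameter as `keyof typeof controls` so the string index also compiles under `strict`. Separately, the `find(({ Code }) => Code.includes(label))` in the 2013 branch is a substring test, so a prefix such as `A.1` would also match `A.10…`; `trimToSecondDot(Code) === label` is the exact check. `mergePoints` hard-codes 35 section indices, so any change in the 2013 dataset silently produces `NaN` points.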
@@ -92,6 +229,29 @@ const statusOptions: { label: string; value: number }[] = [
},
];
+const taskStatusOptions: { label: string; value: number }[] = [
+ {
+ label: 'To Do',
+ value: 0,
+ },
+ {
+ label: 'In Progress',
+ value: 1,
+ },
+ {
+ label: 'In Review',
+ value: 2,
+ },
+ {
+ label: 'Feedback',
+ value: 3,
+ },
+ {
+ label: 'Done',
+ value: 4,
+ },
+];
+
const colourStyles = {
control: (styles: any) => ({ ...styles }),
option: (styles: any, { data }: any) => {
@@ -159,10 +319,15 @@ const colourStyles = {
export {
colourStyles,
- controlOptions,
+ mergePoints,
+ getRadarChartLabels,
+ getControlOptions,
+ getSections,
+ getSectionFilterOptions,
statusOptions,
- json,
+ taskStatusOptions,
sections,
perPageOptions,
controls,
+ isoOptions,
};
diff --git a/components/defaultLanding/data/statuses.json b/components/defaultLanding/data/statuses.json
index 59705183..bd37900c 100644
--- a/components/defaultLanding/data/statuses.json
+++ b/components/defaultLanding/data/statuses.json
@@ -19,4 +19,4 @@
"label": "Done",
"value": "done"
}
-]
\ No newline at end of file
+]
diff --git a/components/emailTemplates/EmailLayout.tsx b/components/emailTemplates/EmailLayout.tsx
index 2dae996e..1cdb6268 100644
--- a/components/emailTemplates/EmailLayout.tsx
+++ b/components/emailTemplates/EmailLayout.tsx
@@ -15,15 +15,12 @@ interface EmailLayoutProps {
}
const EmailLayout = ({ children }: EmailLayoutProps) => {
+ console.log('EmailLayout', app.logoUrl);
return (
-
+
{children}
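Review bot: The `console.log('EmailLayout', app.logoUrl);` added at the top of `EmailLayout` is debug output left in the render path of every outgoing email (invites, password resets, verification) and will be written to server logs on each send; it should be removed before merge. If the value genuinely needs tracing, log it once at startup through the project's logger at debug level instead. The JSX body of the component is not reproduced in this rendering, so the rest of the hunk could not be reviewed.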
diff --git a/components/emailTemplates/ResetPassword.tsx b/components/emailTemplates/ResetPassword.tsx
index fb379cd9..a8cec0cb 100644
--- a/components/emailTemplates/ResetPassword.tsx
+++ b/components/emailTemplates/ResetPassword.tsx
@@ -29,8 +29,7 @@ const ResetPasswordEmail = ({ url }: ResetPasswordEmailProps) => {
Reset password
diff --git a/components/emailTemplates/SubscriptionRequest.tsx b/components/emailTemplates/SubscriptionRequest.tsx
new file mode 100644
index 00000000..fcd6ddbe
--- /dev/null
+++ b/components/emailTemplates/SubscriptionRequest.tsx
@@ -0,0 +1,44 @@
+import { Head, Html, Preview, Text } from '@react-email/components';
+import EmailLayout from './EmailLayout';
+import { Team } from '@prisma/client';
+
+interface SubscriptionRequestProps {
+ companyName: string;
+ address: string;
+ zipCode: string;
+ country: string;
+ vatId: string;
+ email: string;
+ team: Team;
+ subscription: string;
+}
+
+const SubscriptionRequest = ({
+ companyName,
+ address,
+ zipCode,
+ country,
+ vatId,
+ email,
+ team,
+ subscription,
+}: SubscriptionRequestProps) => {
+ return (
+
+
+ Subscription Request
+
+ Company name: {companyName}
+ Address: {address}
+ ZIP Code: {zipCode}
+ Country: {country}
+ VAT ID: {vatId}
+ Email: {email}
+ Team name: {team.name}
+ Subscription plan: {subscription}
+
+
+ );
+};
+
+export default SubscriptionRequest;
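Review bot: Every field this template renders (`companyName`, `address`, `vatId`, `email`, …) is request-supplied text that ends up in a mail to the billing inbox; JSX text interpolation escapes it for the HTML body, but the handler that builds this mail must not reuse `email` as a `From`/`Reply-To` header or `companyName` in the subject without validation, since header fields are not escaped by React and are the usual vector for mail header injection. A comment on the props interface would make that boundary explicit, e.g. `// All fields are untrusted user input; the caller validates format and length before sending.` `Team` is used only as a type, so `import type { Team } from '@prisma/client';` keeps it out of the emitted bundle. The sending code is outside this hunk, so the header handling is inferred, not verified.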
diff --git a/components/emailTemplates/TeamInvite.tsx b/components/emailTemplates/TeamInvite.tsx
index b9ba1483..f10ec412 100644
--- a/components/emailTemplates/TeamInvite.tsx
+++ b/components/emailTemplates/TeamInvite.tsx
@@ -29,8 +29,7 @@ const TeamInviteEmail = ({ team, invitationLink }: TeamInviteEmailProps) => {
Join team
diff --git a/components/emailTemplates/VerificationEmail.tsx b/components/emailTemplates/VerificationEmail.tsx
index 85e02eb5..de1a2a42 100644
--- a/components/emailTemplates/VerificationEmail.tsx
+++ b/components/emailTemplates/VerificationEmail.tsx
@@ -35,9 +35,8 @@ const VerificationEmail = ({
Confirm account
diff --git a/components/emailTemplates/WelcomeEmail.tsx b/components/emailTemplates/WelcomeEmail.tsx
index 5c19b017..04223812 100644
--- a/components/emailTemplates/WelcomeEmail.tsx
+++ b/components/emailTemplates/WelcomeEmail.tsx
@@ -31,8 +31,7 @@ const WelcomeEmail = ({ name, subject, team }: WelcomeEmailProps) => {
Login to your account
diff --git a/components/emailTemplates/index.ts b/components/emailTemplates/index.ts
index 43b204ed..6be1aba3 100644
--- a/components/emailTemplates/index.ts
+++ b/components/emailTemplates/index.ts
@@ -2,3 +2,4 @@ export { default as ResetPasswordEmail } from './ResetPassword';
export { default as TeamInviteEmail } from './TeamInvite';
export { default as VerificationEmail } from './VerificationEmail';
export { default as WelcomeEmail } from './WelcomeEmail';
+export { default as SubscriptionRequest } from './SubscriptionRequest';
diff --git a/components/interfaces/Auth/JoinWithInvitation.tsx b/components/interfaces/Auth/JoinWithInvitation.tsx
index 65e92e04..b32b9bb3 100644
--- a/components/interfaces/Auth/JoinWithInvitation.tsx
+++ b/components/interfaces/Auth/JoinWithInvitation.tsx
@@ -1,13 +1,13 @@
-import { useFormik } from "formik";
-import * as Yup from "yup";
-import { Button } from "react-daisyui";
-import toast from "react-hot-toast";
-import { useRouter } from "next/router";
-import { useTranslation } from "next-i18next";
-import type { User } from "@prisma/client";
-import type { ApiResponse } from "types";
-import { InputWithLabel, Loading, Error } from "@/components/shared";
-import useInvitation from "hooks/useInvitation";
+import { useFormik } from 'formik';
+import * as Yup from 'yup';
+import { Button } from 'react-daisyui';
+import toast from 'react-hot-toast';
+import { useRouter } from 'next/router';
+import { useTranslation } from 'next-i18next';
+import type { User } from '@prisma/client';
+import type { ApiResponse } from 'types';
+import { InputWithLabel, Loading, Error } from '@/components/shared';
+import useInvitation from 'hooks/useInvitation';
const JoinWithInvitation = ({
inviteToken,
@@ -17,13 +17,13 @@ const JoinWithInvitation = ({
next: string;
}) => {
const router = useRouter();
- const { t } = useTranslation("common");
+ const { t } = useTranslation('common');
const { isLoading, error, invitation } = useInvitation(inviteToken);
const formik = useFormik({
initialValues: {
- name: "",
+ name: '',
email: invitation?.email,
},
validationSchema: Yup.object().shape({
@@ -32,8 +32,8 @@ const JoinWithInvitation = ({
}),
enableReinitialize: true,
onSubmit: async (values) => {
- const response = await fetch("/api/auth/join", {
- method: "POST",
+ const response = await fetch('/api/auth/join', {
+ method: 'POST',
body: JSON.stringify(values),
});
@@ -45,9 +45,9 @@ const JoinWithInvitation = ({
}
formik.resetForm();
- toast.success(t("successfully-joined"));
+ toast.success(t('successfully-joined'));
- return next ? router.push(next) : router.push("/auth/login");
+ return next ? router.push(next) : router.push('/auth/login');
},
});
@@ -86,10 +86,10 @@ const JoinWithInvitation = ({
active={formik.dirty}
fullWidth
>
- {t("create-account")}
+ {t('create-account')}
-
{t("sign-up-message")}
+
{t('sign-up-message')}
);
diff --git a/components/interfaces/CSC/CscAuditLogs.tsx b/components/interfaces/CSC/CscAuditLogs.tsx
index 9cfd71da..a3d65f71 100644
--- a/components/interfaces/CSC/CscAuditLogs.tsx
+++ b/components/interfaces/CSC/CscAuditLogs.tsx
@@ -1,34 +1,31 @@
-import React from 'react'
+import React from 'react';
import type { Task } from '@prisma/client';
import type { CscAuditLog } from 'types';
import { IssuePanelContainer } from 'sharedStyles';
+const CscAuditLogs = ({ task }: { task: Task }) => {
+ const taskProperties = task?.properties as any;
+ const auditLogs = taskProperties.csc_audit_logs as CscAuditLog[] | undefined;
+ return (
+
+
+ {auditLogs &&
+ auditLogs
+ .sort((a, b) => b.date - a.date)
+ .map((log, index) => {
+ return (
+
+
User: {log.actor.name}
+
Action: {log.event}
+
Date: {new Date(log.date).toLocaleDateString()}
+
Previous value: {log.diff.prevValue}
+
Next value: {log.diff.nextValue}
+
+ );
+ })}
+
+
+ );
+};
-const CscAuditLogs = ({
- task
-} : {
- task: Task
-}) => {
- const taskProperties = task?.properties as any
- const auditLogs = taskProperties.csc_audit_logs as CscAuditLog[] | undefined
- return (
-
-
-
CSC audit logs
- {auditLogs && auditLogs.sort((a, b) => b.date - a.date).map((log) => {
- return (
-
-
User: {log.actor.name}
-
Action: {log.event}
-
Date: {new Date(log.date).toLocaleDateString()}
-
Previous value: {log.diff.prevValue}
-
Next value: {log.diff.nextValue}
-
- )
- })}
-
-
- )
-}
-
-export default CscAuditLogs
\ No newline at end of file
+export default CscAuditLogs;
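Review bot: `auditLogs.sort((a, b) => b.date - a.date)` sorts in place, so every render mutates the `csc_audit_logs` array inside the `task.properties` prop; use `[...auditLogs].sort((a, b) => b.date - a.date)` to keep the render pure. The guard is also inconsistent: `task?.properties` is optional-chained, but `taskProperties.csc_audit_logs` on the next line dereferences the possibly-undefined result, so a missing task throws rather than rendering an empty list — `const auditLogs = (task?.properties as { csc_audit_logs?: CscAuditLog[] } | undefined)?.csc_audit_logs;` closes that gap and removes the `any`. The JSX inside the map is not reproduced here, so the markup itself was not reviewed.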
diff --git a/components/interfaces/CSC/PieChart.tsx b/components/interfaces/CSC/PieChart.tsx
index a6d8d0ca..568fb068 100644
--- a/components/interfaces/CSC/PieChart.tsx
+++ b/components/interfaces/CSC/PieChart.tsx
@@ -1,59 +1,52 @@
-import React from "react";
-import { Chart as ChartJS, ArcElement, Tooltip, Legend } from "chart.js";
-import { Pie } from "react-chartjs-2";
-import { statusOptions } from "@/components/defaultLanding/data/configs/csc";
+import React from 'react';
+import { Chart as ChartJS, ArcElement, Tooltip, Legend } from 'chart.js';
+import { Pie } from 'react-chartjs-2';
+import {
+ statusOptions,
+ taskStatusOptions,
+} from '@/components/defaultLanding/data/configs/csc';
+import { UnicisPages } from 'types';
ChartJS.register(ArcElement, Tooltip, Legend);
-const countStatuses = (statuses: { [key: string]: string; }) => {
- const labels = statusOptions.map(({ label }) => label);
+const countStatuses = (
+ statuses: { [key: string]: string },
+ page_name: UnicisPages
+) => {
+ let labels;
+
+ if (page_name === 'task') {
+ labels = taskStatusOptions.map(({ label }) => label);
+ } else {
+ labels = statusOptions.map(({ label }) => label);
+ }
const countArray = labels.map(
(name) =>
Object.entries(statuses).filter(([_, status]) => status === name).length
);
+
return countArray;
};
-const PieChart = ({
- statuses
- }: {
- statuses: { [key: string]: string; }
+const PieChart = ({
+ statuses,
+ barColor,
+ labels,
+ page_name,
+}: {
+ page_name: UnicisPages;
+ statuses: { [key: string]: string };
+ barColor: any[];
+ labels: any[];
}) => {
const data = {
- labels: [
- "Unknown",
- "Not Applicable",
- "Not Performed",
- "Performed Informally",
- "Planned",
- "Well Defined",
- "Quantitatively Controlled",
- "Continuously Improving",
- ],
+ labels: labels,
datasets: [
{
- label: "# of Controls",
- data: countStatuses(statuses),
- backgroundColor: [
- "rgba(241, 241, 241, 1)",
- "rgba(178, 178, 178, 1)",
- "rgba(255, 0, 0, 1)",
- "rgba(202, 0, 63, 1)",
- "rgba(102, 102, 102, 1)",
- "rgba(255, 190, 0, 1)",
- "rgba(106, 217, 0, 1)",
- "rgba(47, 143, 0, 1)",
- ],
- borderColor: [
- "rgba(241, 241, 241, 1)",
- "rgba(178, 178, 178, 1)",
- "rgba(255, 0, 0, 1)",
- "rgba(202, 0, 63, 1)",
- "rgba(102, 102, 102, 1)",
- "rgba(255, 190, 0, 1)",
- "rgba(106, 217, 0, 1)",
- "rgba(47, 143, 0, 1)",
- ],
+ label: '# of Controls',
+ data: countStatuses(statuses, page_name),
+ backgroundColor: barColor,
+ borderColor: barColor,
borderWidth: 1,
},
],
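Review bot: `countStatuses` still derives its bucket order from `statusOptions`/`taskStatusOptions`, while the slice labels now come from the caller's `labels` prop; if a caller passes labels in a different order or count, the legend and the counts silently disagree. Either drive both from one source (compute counts with `labels.map((name) => …)` and drop the internal option lookup) or check `labels.length === countArray.length` in development. `barColor: any[]` and `labels: any[]` should be `string[]`, and `let labels;` is an implicit `any` under `strict`; `const labels = (page_name === 'task' ? taskStatusOptions : statusOptions).map(({ label }) => label);` keeps it typed.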
@@ -62,20 +55,20 @@ const PieChart = ({
const options: any = {
plugins: {
legend: {
- position: "right",
+ position: 'top',
},
title: {
display: true,
- text: "Controls",
+ text: 'Controls',
},
},
maintainAspectRatio: false,
- responsive: true
+ responsive: true,
};
- countStatuses(statuses);
+ countStatuses(statuses, page_name);
- return ;
+ return ;
};
export default PieChart;
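Review bot: The bare `countStatuses(statuses, page_name);` statement just before the `return` recomputes the counts and discards the result; the dataset above already calls it, so this line is dead work and should be deleted. `const options: any` could be `ChartOptions<'pie'>` from `chart.js`, which the file already imports from, so option typos are caught at compile time.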
diff --git a/components/interfaces/CSC/RadarChart.tsx b/components/interfaces/CSC/RadarChart.tsx
index f6dbdc77..eb558bd5 100644
--- a/components/interfaces/CSC/RadarChart.tsx
+++ b/components/interfaces/CSC/RadarChart.tsx
@@ -1,4 +1,4 @@
-import React from "react";
+import React from 'react';
import {
Chart as ChartJS,
RadialLinearScale,
@@ -7,9 +7,15 @@ import {
Filler,
Tooltip,
Legend,
-} from "chart.js";
-import { Radar } from "react-chartjs-2";
-import { sections, controls, statusOptions } from "@/components/defaultLanding/data/configs/csc";
+} from 'chart.js';
+import { Radar } from 'react-chartjs-2';
+import {
+ controls,
+ statusOptions,
+ getRadarChartLabels,
+ mergePoints,
+ getSections,
+} from '@/components/defaultLanding/data/configs/csc';
ChartJS.register(
RadialLinearScale,
@@ -20,33 +26,42 @@ ChartJS.register(
Legend
);
-const getMaturityLevels = (statuses: { [key: string]: string; }) => {
- if (typeof statusOptions === "undefined") {
- return
- }
+const getMaturityLevels = (
+ statuses: { [key: string]: string },
+ ISO: string
+) => {
+ const sections = getSections(ISO);
const data = sections
.map(({ label }) => label)
.map((label) => {
- const totalControls = controls
- .filter(({ Section }) => Section === label)
- .map(({ Control }) => Control);
+ const totalControls = controls[ISO].filter(
+ ({ Section }) => Section === label
+ ).map(({ Control }) => Control);
const totalControlsValue = totalControls.reduce(
(accumulator, control) =>
- statusOptions.find(({ label }) => label === statuses[control])?.value! + accumulator,
+ (statusOptions.find(({ label }) => label === statuses[control])
+ ?.value || 0) + accumulator,
0
);
return totalControlsValue / totalControls.length;
});
const roundedData = data.map((value) => Math.round(value));
- return roundedData;
+
+ if (ISO != '2013') {
+ return roundedData;
+ } else {
+ const mergedPoints = mergePoints(roundedData);
+ return mergedPoints;
+ }
};
const RadarChart = ({
- statuses
+ statuses,
+ ISO,
}: {
- statuses: { [key: string]: string; }
+ statuses: { [key: string]: string };
+ ISO;
}) => {
- getMaturityLevels(statuses);
const options = {
plugins: {
legend: {
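Review bot: The new `ISO` prop is declared without a type (`ISO;`), an implicit `any` that `strict` mode rejects and that lets a non-string reach `controls[ISO]`; declare it `ISO: string` as `SectionFilter` does, and prefer `ISO !== '2013'` over the loose `!=`. `totalControlsValue / totalControls.length` yields `NaN` for a section with no controls — unreachable while sections are derived from the same `controls[ISO]` list, but a guard such as `totalControls.length ? totalControlsValue / totalControls.length : 0` is cheap and stops `mergePoints` from propagating `NaN` into the chart. `getMaturityLevels` lies entirely within the hunk; `RadarChart` continues past it.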
@@ -60,21 +75,21 @@ const RadarChart = ({
},
},
maintainAspectRatio: false,
- responsive: true
+ responsive: true,
};
const data = {
- labels: sections.map(({ label }) => label).map((label) => label.split(" ")),
+ labels: getRadarChartLabels(ISO),
datasets: [
{
- label: "Maturity level from 0 to 6",
- data: getMaturityLevels(statuses),
- backgroundColor: "rgba(255, 99, 132, 0.2)",
- borderColor: "rgba(255, 99, 132, 1)",
+ label: 'Maturity level from 0 to 6',
+ data: getMaturityLevels(statuses, ISO),
+ backgroundColor: 'rgba(255, 99, 132, 0.2)',
+ borderColor: 'rgba(255, 99, 132, 1)',
borderWidth: 1,
},
],
};
- return ;
+ return ;
};
export default RadarChart;
diff --git a/components/interfaces/CSC/SectionFilter.tsx b/components/interfaces/CSC/SectionFilter.tsx
index 938e11b3..368d6fbd 100644
--- a/components/interfaces/CSC/SectionFilter.tsx
+++ b/components/interfaces/CSC/SectionFilter.tsx
@@ -1,21 +1,25 @@
-import React, {Dispatch, SetStateAction} from "react";
-import Select from "@atlaskit/select";
-import { sections } from "@/components/defaultLanding/data/configs/csc";
-import { WithoutRing } from "sharedStyles";
+import React, { Dispatch, SetStateAction } from 'react';
+import Select from '@atlaskit/select';
+import { getSectionFilterOptions } from '@/components/defaultLanding/data/configs/csc';
+import { WithoutRing } from 'sharedStyles';
-const SectionFilter = ({
- setSectionFilter
+const SectionFilter = ({
+ ISO,
+ setSectionFilter,
}: {
- setSectionFilter: Dispatch>
+ ISO: string;
+ setSectionFilter: Dispatch<
+ SetStateAction<{ label: string; value: string }[] | null>
+ >;
}) => {
return (
-
+
{
setSectionFilter([...value]);
}}
diff --git a/components/interfaces/CSC/StatusFilter.tsx b/components/interfaces/CSC/StatusFilter.tsx
index 9bad7cd5..d86634db 100644
--- a/components/interfaces/CSC/StatusFilter.tsx
+++ b/components/interfaces/CSC/StatusFilter.tsx
@@ -1,16 +1,16 @@
-import React, {Dispatch, SetStateAction} from "react";
-import Select from "@atlaskit/select";
-import { statusOptions } from "@/components/defaultLanding/data/configs/csc";
-import { WithoutRing } from "sharedStyles";
-import type { CscOption } from "types";
+import React, { Dispatch, SetStateAction } from 'react';
+import Select from '@atlaskit/select';
+import { statusOptions } from '@/components/defaultLanding/data/configs/csc';
+import { WithoutRing } from 'sharedStyles';
+import type { CscOption } from 'types';
-const StatusFilter = ({
- setStatusFilter
- }: {
- setStatusFilter: Dispatch>
- }) => {
+const StatusCscFilter = ({
+ setStatusFilter,
+}: {
+ setStatusFilter: Dispatch>;
+}) => {
return (
-
+
{
- return (
-
-
-
- Status
- Meaning
-
-
-
-
- Unknown
- Has not even been checked yet
-
-
- Not Applicable
- Management can ignore them
-
-
- Not Performed
- Complete lack of recognizable policy, procedure, control etc.
-
-
- Performed Informally
- Development has barely started and will require significant work to fulfill the requirements
-
-
- Planned
- Progressing nicely but not yet complete
-
-
- Well Defined
- Development is more or less complete, although detail is lacking and/or it is not yet implemented, enforced and actively supported by top management
-
-
- Quantitatively Controlled
- Development is complete, the process/control has been implemented and recently started operating
-
-
- Continuously Improving
- The requirement is fully satisfied, is operating fully as expected, is being actively monitored and improved, and there is substantial evidence to prove all that to the auditors
-
-
-
-
- )
-}
+ return (
+
+
+
+ Status
+ Meaning
+
+
+
+
+ Unknown
+ Has not even been checked yet
+
+
+ Not Applicable
+ Management can ignore them
+
+
+ Not Performed
+ Complete lack of recognizable policy, procedure, control etc.
+
+
+ Performed Informally
+
+ Development has barely started and will require significant work to
+ fulfill the requirements
+
+
+
+ Planned
+ Progressing nicely but not yet complete
+
+
+ Well Defined
+
+ Development is more or less complete, although detail is lacking
+ and/or it is not yet implemented, enforced and actively supported by
+ top management
+
+
+
+ Quantitatively Controlled
+
+ Development is complete, the process/control has been implemented
+ and recently started operating
+
+
+
+ Continuously Improving
+
+ The requirement is fully satisfied, is operating fully as expected,
+ is being actively monitored and improved, and there is substantial
+ evidence to prove all that to the auditors
+
+
+
+
+ );
+};
const PopupContent = () => {
- return (
-
- )
-}
+ return (
+
+ );
+};
const StatusHeader = () => {
- const [isOpen, setIsOpen] = useState(false)
- return (
- setIsOpen(false)}
- placement="bottom-start"
- content={() => }
- trigger={(triggerProps) => (
-
- Status
- setIsOpen(!isOpen)} iconBefore={ } appearance="subtle-link" {...triggerProps}>
-
- )}
- />
- )
-}
+ const [isOpen, setIsOpen] = useState(false);
+ return (
+ setIsOpen(false)}
+ placement="bottom-start"
+ content={() => }
+ trigger={(triggerProps) => (
+
+ Status
+ setIsOpen(!isOpen)}
+ iconBefore={ }
+ appearance="subtle-link"
+ {...triggerProps}
+ >
+
+ )}
+ />
+ );
+};
-export default StatusHeader
\ No newline at end of file
+export default StatusHeader;
diff --git a/components/interfaces/CSC/StatusSelector.tsx b/components/interfaces/CSC/StatusSelector.tsx
index 2a63c63b..772eb37e 100644
--- a/components/interfaces/CSC/StatusSelector.tsx
+++ b/components/interfaces/CSC/StatusSelector.tsx
@@ -1,18 +1,28 @@
-import React, { useState } from "react";
-import Select from "@atlaskit/select";
-import { statusOptions, colourStyles } from "@/components/defaultLanding/data/configs/csc";
-import { WithoutRing } from "sharedStyles";
+import React, { useEffect, useState } from 'react';
+import Select from '@atlaskit/select';
+import {
+ statusOptions,
+ colourStyles,
+} from '@/components/defaultLanding/data/configs/csc';
+import { WithoutRing } from 'sharedStyles';
-const StatusSelector = ({
- statusValue,
- control,
- handler
+const StatusSelector = ({
+ isDisabled,
+ statusValue,
+ control,
+ handler,
}: {
+ isDisabled: boolean;
statusValue: string;
control: string;
handler: (control: string, value: string) => Promise;
}) => {
const [value, setValue] = useState(statusValue);
+
+ useEffect(() => {
+ setValue(statusValue);
+ }, [statusValue]);
+
return (
{
- const label = selectedStatus?.label as string
+ const label = selectedStatus?.label as string;
setValue(label);
handler(control, label);
}}
styles={colourStyles}
placeholder="Status"
value={statusOptions.find((option) => option.label === value)}
+ isDisabled={isDisabled}
/>
);
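Review bot: `setValue(label)` runs before `handler(control, label)` and the returned promise is neither awaited nor caught, so when the request fails the select keeps showing the new label; the `useEffect` added above only resyncs when `statusValue` changes, which it will not on failure. Reverting on rejection, `handler(control, label).catch(() => setValue(statusValue));`, keeps the control honest about what was actually persisted. Making `isDisabled` a required prop also means every existing caller must now pass it; `isDisabled?: boolean` defaulting to `false` would stay backward compatible if any caller outside this commit was missed.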
diff --git a/components/interfaces/CSC/StatusesTable.tsx b/components/interfaces/CSC/StatusesTable.tsx
index f4211b5a..261b73c6 100644
--- a/components/interfaces/CSC/StatusesTable.tsx
+++ b/components/interfaces/CSC/StatusesTable.tsx
@@ -1,35 +1,45 @@
-import React, { useState, useEffect } from "react";
-import StatusHeader from "./StatusHeader";
-import TaskSelector from "./TaskSelector";
-import { controlOptions } from "@/components/defaultLanding/data/configs/csc";
-import StatusSelector from "./StatusSelector"
-import type { CscOption } from "types";
-import type { Task } from "@prisma/client";
-import usePagination from "hooks/usePagination";
+import React, { useState, useEffect } from 'react';
+import StatusHeader from './StatusHeader';
+import TaskSelector from './TaskSelector';
+import { getControlOptions } from '@/components/defaultLanding/data/configs/csc';
+import { getCscControlsProp } from '@/lib/csc';
+import StatusSelector from './StatusSelector';
+import type { CscOption } from 'types';
+import type { Task } from '@prisma/client';
+import usePagination from 'hooks/usePagination';
import useCanAccess from 'hooks/useCanAccess';
-import { ControlOption } from "types";
-import { TailwindTableWrapper } from "sharedStyles";
-import TasksList from "./TasksList";
+import { ControlOption, ISO } from 'types';
+import { TailwindTableWrapper } from 'sharedStyles';
+import TasksList from './TasksList';
const StatusesTable = ({
+ ISO,
tasks,
statuses,
sectionFilter,
statusFilter,
perPage,
statusHandler,
- taskSelectorHandler
+ taskSelectorHandler,
}: {
+ ISO: ISO;
tasks: Array;
statuses: any;
- sectionFilter: null | Array<{ label: string, value: string }>;
+ sectionFilter: null | Array<{ label: string; value: string }>;
statusFilter: null | Array;
perPage: number;
statusHandler: (control: string, value: string) => Promise;
- taskSelectorHandler: (action: string, dataToRemove: any, control: string) => Promise
+ taskSelectorHandler: (
+ action: string,
+ dataToRemove: any,
+ control: string
+ ) => Promise;
}) => {
const { canAccess } = useCanAccess();
- const [filteredControls, setFilteredControls] = useState>(controlOptions)
+ //TODO: maybe [] instead of getControlOptions
+ const [filteredControls, setFilteredControls] = useState<
+ Array
+ >(getControlOptions(ISO));
const {
currentPage,
totalPages,
@@ -40,88 +50,149 @@ const StatusesTable = ({
nextButtonDisabled,
} = usePagination(filteredControls, perPage);
+ const cscControlsProp = getCscControlsProp(ISO);
+
useEffect(() => {
- let filteredControls = [...controlOptions]
- if ((sectionFilter === null || sectionFilter?.length === 0) && (statusFilter === null || statusFilter?.length === 0)) {
- setFilteredControls(controlOptions)
- return
+ let filteredControls = [...getControlOptions(ISO)];
+ if (
+ (sectionFilter === null || sectionFilter?.length === 0) &&
+ (statusFilter === null || statusFilter?.length === 0)
+ ) {
+ setFilteredControls(filteredControls);
+ return;
}
if (sectionFilter?.length) {
- filteredControls = filteredControls.filter(control => (sectionFilter.map(option => option.label)).includes(control.value.section))
+ filteredControls = filteredControls.filter((item) => {
+ const sections = sectionFilter.map((option) => option.value);
+ const content = item.value.section;
+ if (ISO === '2013') {
+ return sections.some((section) => content.includes(section));
+ } else {
+ return sections.includes(content);
+ }
+ });
}
if (statusFilter?.length) {
- filteredControls = filteredControls.filter(control => (statusFilter.map(option => option.label)).includes(statuses[control.value.control]))
+ filteredControls = filteredControls.filter((control) =>
+ statusFilter
+ .map((option) => option.label)
+ .includes(statuses[control.value.control])
+ );
}
- setFilteredControls(filteredControls)
- }, [sectionFilter, statusFilter])
+
+ setFilteredControls(filteredControls);
+ }, [sectionFilter, statusFilter]);
return (
<>
-
+
{/*
*/}
-
+
- Code
- Section
- Control
- Requirements
-
- Tickets
+
+ Code
+
+
+ Section
+
+
+ Control
+
+
+ Requirements
+
+
+
+
+
+ Tasks
+
- {pageData.map((option, index) =>
-
-
- {option.value.code}
-
+ {pageData.map((option) => (
+
+ {option.value.code}
+ {option.value.section}
- {option.value.section}
+ {option.value.controlLabel || option.value.control}
- {option.value.control}
+
+ {option.value.requirements}
+
- {option.value.requirements}
-
-
- {canAccess('task', ['update'])
- ?
-
+ {canAccess('task', ['update']) ? (
+
+
+ task.properties?.[cscControlsProp]?.find(
+ (item: string) => item === option.value.control
+ )
+ ).length
+ }
+ />
- :
{statuses[option.value.control]}
- }
+ ) : (
+
+ {statuses[option.value.control]}
+
+ )}
- {canAccess('task', ['update'])
- ?
- :
- }
-
+ {canAccess('task', ['update']) ? (
+
+ ) : (
+
+ )}
- )}
+ ))}
- {pageData.length
- ?
-
-
Previous page
-
{`${currentPage}/${totalPages}`}
-
Next
+ {pageData.length ? (
+
+
+
+
+ Previous page
+
+ {`${currentPage}/${totalPages}`}
+
+ Next
+
+
- : null
- }
+ ) : null}
>
- )
-}
+ );
+};
-export default StatusesTable
\ No newline at end of file
+export default StatusesTable;
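Review bot: The filter effect at the top of this hunk now reads `ISO` (via `getControlOptions(ISO)` and the `ISO === '2013'` branch) and `statuses`, but its dependency list is still `[sectionFilter, statusFilter]`, so switching the ISO version or changing a control's status leaves `filteredControls` computed from the old inputs until a filter is touched; the initial `useState(getControlOptions(ISO))` in the previous hunk has the same problem. Adding them is a one-line change: `}, [sectionFilter, statusFilter, statuses, ISO]);`. The 2013 branch also matches sections with `content.includes(section)`, a substring test that presumably can match a longer section name containing the selected one (the section values are not visible here); an exact match or `startsWith` on a normalized code would be safer if the values allow it. `task.properties?.[cscControlsProp]` is read through `any`, so an `Array.isArray` check before `.find` would protect the render from a malformed JSON property.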
diff --git a/components/interfaces/CSC/TaskSelector.tsx b/components/interfaces/CSC/TaskSelector.tsx
index 462e1622..9f9d41b7 100644
--- a/components/interfaces/CSC/TaskSelector.tsx
+++ b/components/interfaces/CSC/TaskSelector.tsx
@@ -1,46 +1,67 @@
-import React, { useState, useEffect } from 'react'
-import Select from '@atlaskit/select'
+import React, { useState, useEffect } from 'react';
+import Select from '@atlaskit/select';
import { WithoutRing } from 'sharedStyles';
-import type { Task } from "@prisma/client";
-import type { CscOption } from 'types';
+import { getCscControlsProp } from '@/lib/csc';
+import type { Task } from '@prisma/client';
+import type { CscOption, ISO } from 'types';
-const TaskSelector = ({
- tasks,
- control,
- handler
-} : {
- tasks: Array
- control: string,
- handler: (action: string, dataToRemove: any, control: string) => Promise
+const TaskSelector = ({
+ tasks,
+ control,
+ handler,
+ ISO,
+}: {
+ tasks: Array;
+ control: string;
+ handler: (
+ action: string,
+ dataToRemove: any,
+ control: string
+ ) => Promise;
+ ISO: ISO;
}) => {
- const [value, setValue] = useState([])
- const [options, setOptions] = useState([])
+ const [value, setValue] = useState([]);
+ const [options, setOptions] = useState([]);
- useEffect(() => {
- const options = tasks.map(task => ({ label: task.title, value: task.taskNumber }))
- const selectedOptions = tasks.filter((task: any) => task.properties?.csc_controls?.find((item: string) => item === control))?.map(issue => ({ label: issue.title, value: issue.taskNumber }))
- setOptions(options)
- setValue(selectedOptions)
- }, [])
- return (
-
- {
- const {action, option, removedValue, removedValues } = actionMeta
- setValue([...selectedIssue])
- const dataToRemove = option ? [option] : removedValue ? [removedValue] : removedValues
- handler(action, dataToRemove, control)
- }}
- value={value}
- placeholder="Tasks"
- isMulti
- />
-
- )
-}
+ useEffect(() => {
+ const options = tasks.map((task) => ({
+ label: task.title,
+ value: task.taskNumber,
+ }));
+ const cscStatusesProp = getCscControlsProp(ISO);
+ const selectedOptions = tasks
+ .filter((task: any) =>
+ task.properties?.[cscStatusesProp]?.find(
+ (item: string) => item === control
+ )
+ )
+ ?.map((issue) => ({ label: issue.title, value: issue.taskNumber }));
+ setOptions(options);
+ setValue(selectedOptions);
+ }, []);
+ return (
+
+ {
+ const { action, option, removedValue, removedValues } = actionMeta;
+ setValue([...selectedIssue]);
+ const dataToRemove = option
+ ? [option]
+ : removedValue
+ ? [removedValue]
+ : removedValues;
+ handler(action, dataToRemove, control);
+ }}
+ value={value}
+ placeholder="Tasks"
+ isMulti
+ />
+
+ );
+};
-export default TaskSelector
\ No newline at end of file
+export default TaskSelector;
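Review bot: The effect that seeds `options` and `value` now reads `ISO` through `getCscControlsProp(ISO)` but still runs with an empty dependency list (`}, []);`), so a change of `tasks`, `control` or `ISO` after mount is never reflected in the selector; the parent appears to work around this with a `key` tied to the selected-task count, which does not cover an ISO switch that leaves the count unchanged. `}, [tasks, control, ISO]);` makes the sync explicit. The local name `cscStatusesProp` holds the result of `getCscControlsProp`, so `cscControlsProp` would describe it correctly and match the name used in `StatusesTable`. `handler(action, dataToRemove, control)` is fire-and-forget with no rejection handling, so a failed request leaves the select showing a value the server did not persist; a `.catch` that restores the previous `value` would close that gap.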
diff --git a/components/interfaces/CSC/TasksList.tsx b/components/interfaces/CSC/TasksList.tsx
index f6e460ab..bb8a2aa0 100644
--- a/components/interfaces/CSC/TasksList.tsx
+++ b/components/interfaces/CSC/TasksList.tsx
@@ -1,31 +1,35 @@
-import React, { useState } from 'react'
-import Link from "next/link";
-import { useRouter } from "next/router";
-import type { Task } from "@prisma/client";
+import React, { useState } from 'react';
+import Link from 'next/link';
+import { useRouter } from 'next/router';
+import type { Task } from '@prisma/client';
const TasksList = ({
- tasks,
- control,
+ tasks,
+ control,
}: {
- tasks: Array
- control: string,
+ tasks: Array;
+ control: string;
}) => {
- const [selectedTasks] = useState>(tasks.filter((task: any) => task.properties?.csc_controls?.find((item: string) => item === control)))
+ const [selectedTasks] = useState>(
+ tasks.filter((task: any) =>
+ task.properties?.csc_controls?.find((item: string) => item === control)
+ )
+ );
- const router = useRouter();
- const { slug } = router.query;
+ const router = useRouter();
+ const { slug } = router.query;
- return (
-
- {selectedTasks.map(task => (
-
-
- {task.title}
-
-
- ))}
-
- )
-}
+ return (
+
+ {selectedTasks.map((task, index) => (
+
+
+ {task.title}
+
+
+ ))}
+
+ );
+};
-export default TasksList
\ No newline at end of file
+export default TasksList;
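Review bot: `task.properties?.csc_controls` at the top of this hunk still hardcodes the property name while the sibling components in this commit (`TaskSelector`, `StatusesTable`, `CscPanel`) resolve it with `getCscControlsProp(ISO)`, so the read-only list will not find tasks linked under another ISO's property and a viewer without `task:update` sees an empty list where the editor sees tasks. Threading an `ISO` prop through and filtering on `task.properties?.[getCscControlsProp(ISO)]?.find(...)` keeps the two views consistent. The list is also computed once in `useState`, so later changes to `tasks` are not reflected; a `useMemo` over `[tasks, control, ISO]` is the cheaper fix. `index` is presumably used as the list key (the JSX attributes are not visible here); `task.taskNumber` is already available and would be a stable one.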
diff --git a/components/interfaces/CSC/index.ts b/components/interfaces/CSC/index.ts
index 43f92102..7f2a1d7a 100644
--- a/components/interfaces/CSC/index.ts
+++ b/components/interfaces/CSC/index.ts
@@ -2,6 +2,7 @@ export { default as StatusesTable } from './StatusesTable';
export { default as PieChart } from './PieChart';
export { default as RadarChart } from './RadarChart';
export { default as SectionFilter } from './SectionFilter';
-export { default as StatusFilter } from './StatusFilter';
+export { default as StatusCscFilter } from './StatusFilter';
export { default as CscPanel } from './issue_panel/CscPanel';
export { default as CscAuditLogs } from './CscAuditLogs';
+export { default as TaskStatusesDetail } from '../TeamDashboard/TaskStatusesDetail';
diff --git a/components/interfaces/CSC/issue_panel/ControlBlock.tsx b/components/interfaces/CSC/issue_panel/ControlBlock.tsx
index 6957e884..72b13e77 100644
--- a/components/interfaces/CSC/issue_panel/ControlBlock.tsx
+++ b/components/interfaces/CSC/issue_panel/ControlBlock.tsx
@@ -1,17 +1,24 @@
-import React, { useState, useCallback, Dispatch, SetStateAction } from 'react'
-import axios from "axios";
-import toast from "react-hot-toast";
-import { useRouter } from "next/router";
-import Select from '@atlaskit/select'
-import Button, { LoadingButton } from '@atlaskit/button'
-import TrashIcon from '@atlaskit/icon/glyph/trash'
-import TextArea from '@atlaskit/textarea'
-import Textfield from '@atlaskit/textfield'
-import { WithoutRing } from "sharedStyles"
-import { controlOptions } from '@/components/defaultLanding/data/configs/csc';
-import StatusSelector from '../StatusSelector'
+import React, {
+ useState,
+ useCallback,
+ Dispatch,
+ SetStateAction,
+ useMemo,
+} from 'react';
+import axios from 'axios';
+import toast from 'react-hot-toast';
+import { useRouter } from 'next/router';
+import Select from '@atlaskit/select';
+import { LoadingButton } from '@atlaskit/button';
+import TrashIcon from '@atlaskit/icon/glyph/trash';
+import TextArea from '@atlaskit/textarea';
+import Textfield from '@atlaskit/textfield';
+import { WithoutRing } from 'sharedStyles';
+import { getControlOptions } from '@/components/defaultLanding/data/configs/csc';
+import StatusSelector from '../StatusSelector';
const ControlBlock = ({
+ ISO,
status,
control,
controls,
@@ -19,8 +26,9 @@ const ControlBlock = ({
isSaving,
isDeleting,
deleteControlHandler,
- setStatuses
+ setStatuses,
}: {
+ ISO: string;
status: string;
control: string;
controls: string[];
@@ -28,24 +36,28 @@ const ControlBlock = ({
isSaving: boolean;
isDeleting: boolean;
deleteControlHandler: (control: string) => void;
- setStatuses: Dispatch>
+ setStatuses: Dispatch<
+ SetStateAction<{
+ [key: string]: string;
+ }>
+ >;
}) => {
+ console.log('status control block', status);
const router = useRouter();
const { slug } = router.query;
- const [isButtonLoading, setIsButtonLoading] = useState(false)
- const controlData = controlOptions.find(({ value }) => value.control === control)?.value
+ const [isButtonLoading, setIsButtonLoading] = useState(false);
+
+ const controlOptions = useMemo(() => getControlOptions(ISO), [ISO]);
+ const controlData = controlOptions.find(
+ ({ value }) => value.control === control
+ )?.value;
const statusHandler = useCallback(async (control: string, value: string) => {
- const response = await axios.put(
- `/api/teams/${slug}/csc`,
- {
- control,
- value,
- }
- );
+ const response = await axios.put(`/api/teams/${slug}/csc`, {
+ control,
+ value,
+ });
const { data, error } = response.data;
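Review bot: `statusHandler` PUTs `{ control, value }` to `/api/teams/${slug}/csc` without the `ISO` this component now receives, while the task-control calls in `CscPanel` in this same commit send `ISO` with every request; if the server keys statuses per ISO version, which the `controls[ISO]` lookups elsewhere in the commit suggest, a status change from this panel cannot be attributed to the right version. Adding it to the body, `{ control, value, ISO }`, keeps the two endpoints consistent. The `console.log('status control block', status);` added above is debug output that should not ship. The `useCallback` also closes over `slug`, `ISO` and `setStatuses` with an empty dependency list, so it would send stale values if those props change; `[slug, ISO, setStatuses]` is the safe list.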
@@ -53,38 +65,52 @@ const ControlBlock = ({
toast.error(error.message);
return;
} else {
- toast.success("Status changed!")
+ toast.success('Status changed!');
}
- setStatuses(data.statuses)
- }, [])
+ setStatuses(data.statuses);
+ }, []);
return (
<>
-
Select a control
-
+
Select a control
+
!controls.find(item => item === option.value.control))}
+ options={controlOptions.filter(
+ (option) =>
+ !controls.find((item) => item === option.value.control)
+ )}
onChange={(option) => {
- controlHanlder(control, option?.value?.control as string)
+ controlHanlder(control, option?.value?.control as string);
}}
- value={controlOptions.find(({ value }) => value.control === control)}
+ value={controlOptions.find(
+ ({ value }) => value.control === control
+ )}
+ formatOptionLabel={({ value }) =>
+ `${value.code}: ${value.section}, ${value.controlLabel}, ${value.requirements}`
+ }
placeholder="Choose a control"
isDisabled={isSaving || isDeleting}
/>
}
onClick={async () => {
- setIsButtonLoading(true)
- await deleteControlHandler(control)
- setIsButtonLoading(false)
+ setIsButtonLoading(true);
+ await deleteControlHandler(control);
+ setIsButtonLoading(false);
}}
isLoading={isButtonLoading}
isDisabled={isSaving}
@@ -92,51 +118,51 @@ const ControlBlock = ({
- {controlData?.code &&
+ {controlData?.code && (
<>
-
Code
-
+
Code
+
>
- }
- {controlData?.section &&
+ )}
+ {controlData?.section && (
<>
-
Section
-
+
Section
+
>
- }
+ )}
<>
-
Status
+
Status
- {/*
*/}
>
- {controlData?.requirements &&
+ {controlData?.requirements && (
<>
-
Requirements
+
Requirements
>
- }
-
+ )}
+
>
- )
-}
+ );
+};
-export default ControlBlock
\ No newline at end of file
+export default ControlBlock;
diff --git a/components/interfaces/CSC/issue_panel/ControlBlockViewOnly.tsx b/components/interfaces/CSC/issue_panel/ControlBlockViewOnly.tsx
index 2befe75c..90967711 100644
--- a/components/interfaces/CSC/issue_panel/ControlBlockViewOnly.tsx
+++ b/components/interfaces/CSC/issue_panel/ControlBlockViewOnly.tsx
@@ -1,66 +1,73 @@
-import React from 'react'
-import TextArea from '@atlaskit/textarea'
-import Textfield from '@atlaskit/textfield'
-import { controlOptions } from '@/components/defaultLanding/data/configs/csc';
+import React, { useMemo } from 'react';
+import TextArea from '@atlaskit/textarea';
+import Textfield from '@atlaskit/textfield';
+import { getControlOptions } from '@/components/defaultLanding/data/configs/csc';
const ControlBlockViewOnly = ({
- status,
- control
+ status,
+ control,
+ ISO,
}: {
- status: string;
- control: string;
+ status: string;
+ control: string;
+ ISO: string;
}) => {
- const controlData = controlOptions.find(({ value }) => value.control === control)?.value
+ const controlOptions = useMemo(() => getControlOptions(ISO), [ISO]);
+ const controlData = controlOptions.find(
+ ({ value }) => value.control === control
+ )?.value;
- return (
- <>
-
-
Select a control
-
value.control === control)?.label}
- />
-
- {controlData?.code &&
- <>
-
Code
-
- >
- }
- {controlData?.section &&
- <>
-
Section
-
- >
- }
- <>
-
Status
-
- >
- {controlData?.requirements &&
- <>
-
Requirements
-
- >
- }
-
- >
- )
-}
+ return (
+ <>
+
+
Select a control
+
value.control === control)?.label
+ }
+ />
+
+ {controlData?.code && (
+ <>
+
Code
+
+ >
+ )}
+ {controlData?.section && (
+ <>
+
Section
+
+ >
+ )}
+ <>
+
Status
+
+ >
+ {controlData?.requirements && (
+ <>
+
Requirements
+
+ >
+ )}
+
+ >
+ );
+};
-export default ControlBlockViewOnly
\ No newline at end of file
+export default ControlBlockViewOnly;
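Review bot: `ISO` is declared as `ISO: string` in the props, while `StatusesTable`, `TaskSelector` and `CscPanel` in this commit type it with the `ISO` alias from 'types'; `getControlOptions(ISO)` therefore accepts any string here, and a typo or an unexpected value surfaces at runtime instead of at compile time. `ISO: ISO` (with `import type { ISO } from 'types';`) matches the rest of the commit; `ControlBlock` and `SectionFilter` carry the same `ISO: string` declaration. A one-line prop comment would also help, e.g. `/** Controls catalogue version; selects which list getControlOptions returns. */`.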
diff --git a/components/interfaces/CSC/issue_panel/CscPanel.tsx b/components/interfaces/CSC/issue_panel/CscPanel.tsx
index afca4b73..4f48e94b 100644
--- a/components/interfaces/CSC/issue_panel/CscPanel.tsx
+++ b/components/interfaces/CSC/issue_panel/CscPanel.tsx
@@ -1,26 +1,38 @@
-import React, { useState, useCallback, useEffect, Dispatch, SetStateAction } from 'react'
-import toast from "react-hot-toast";
-import axios from "axios";
+import React, {
+ useState,
+ useCallback,
+ useEffect,
+ Dispatch,
+ SetStateAction,
+} from 'react';
+import toast from 'react-hot-toast';
+import axios from 'axios';
import { Button } from 'react-daisyui';
import { useTranslation } from 'next-i18next';
-import { useRouter } from "next/router";
-import ControlBlock from './ControlBlock'
-import type { Task } from "@prisma/client";
+import { useRouter } from 'next/router';
+import ControlBlock from './ControlBlock';
+import type { Task } from '@prisma/client';
import { IssuePanelContainer } from 'sharedStyles';
import useCanAccess from 'hooks/useCanAccess';
import ControlBlockViewOnly from './ControlBlockViewOnly';
+import { getCscControlsProp } from '@/lib/csc';
+import type { ISO } from 'types';
const CscPanel = ({
task,
statuses,
+ ISO,
setStatuses,
- mutateTask
+ mutateTask,
}: {
task: Task;
- statuses: { [key: string]: string; };
- setStatuses: Dispatch
>
+ statuses: { [key: string]: string };
+ ISO: ISO;
+ setStatuses: Dispatch<
+ SetStateAction<{
+ [key: string]: string;
+ }>
+ >;
mutateTask: () => Promise;
}) => {
const { t } = useTranslation('common');
@@ -29,29 +41,34 @@ const CscPanel = ({
const router = useRouter();
const { slug } = router.query;
- const properties = task?.properties as any
- const issueControls = properties?.csc_controls as string[] || ['']
+ const properties = task?.properties as any;
+ const issueControls = (properties?.[getCscControlsProp(ISO)] as string[]) || [
+ '',
+ ];
- const [controls, setControls] = useState(issueControls)
- const [isDeleting, setIsDeleting] = useState(false)
- const [isSaving, setIsSaving] = useState(false)
+ const [controls, setControls] = useState(issueControls);
+ const [isDeleting, setIsDeleting] = useState(false);
+ const [isSaving, setIsSaving] = useState(false);
+
+ console.log('statuses', statuses);
useEffect(() => {
- setControls(issueControls)
- }, [issueControls])
+ setControls(issueControls);
+ }, [issueControls]);
const addControl = useCallback(() => {
- setControls(prev => [...prev, ''])
- }, [setControls])
+ setControls((prev) => [...prev, '']);
+ }, [setControls]);
const deleteControls = useCallback(async () => {
- setIsDeleting(true)
+ setIsDeleting(true);
const response = await axios.put(
`/api/teams/${slug}/tasks/${task.taskNumber}/csc`,
{
controls: [...controls],
- operation: 'remove'
+ operation: 'remove',
+ ISO,
}
);
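Review bot: `issueControls` falls back to a fresh `['']` literal on every render when `properties?.[getCscControlsProp(ISO)]` is missing, and the `useEffect` below calls `setControls(issueControls)` whenever that reference changes, so a task with no controls for the selected ISO presumably re-renders in a loop (new array, effect fires, state set to a new reference, render again); the old code had the same shape with `csc_controls`, but with per-ISO keys the "property absent" case becomes the common one. Memoizing the value keeps the reference stable: `const issueControls = useMemo(() => (properties?.[getCscControlsProp(ISO)] as string[]) ?? [''], [properties, ISO]);` (after adding `useMemo` to the react import). The `console.log('statuses', statuses);` added above is debug output that should not ship.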
@@ -59,82 +76,91 @@ const CscPanel = ({
if (error) {
toast.error(error.message);
- setIsDeleting(false)
+ setIsDeleting(false);
return;
}
- mutateTask()
- setIsDeleting(false)
- }, [task, mutateTask, setIsDeleting])
+ mutateTask();
+ setIsDeleting(false);
+ }, [task, mutateTask, setIsDeleting]);
+
+ const controlHanlder = useCallback(
+ async (oldControl: string, newControl: string) => {
+ setIsSaving(true);
+
+ let response;
+
+ if (oldControl === '') {
+ response = await axios.put(
+ `/api/teams/${slug}/tasks/${task.taskNumber}/csc`,
+ {
+ controls: [newControl],
+ operation: 'add',
+ ISO,
+ }
+ );
+ } else {
+ response = await axios.put(
+ `/api/teams/${slug}/tasks/${task.taskNumber}/csc`,
+ {
+ controls: [oldControl, newControl],
+ operation: 'change',
+ ISO,
+ }
+ );
+ }
- const controlHanlder = useCallback(async (oldControl: string, newControl: string) => {
- setIsSaving(true)
+ const { error } = response.data;
- let response;
+ if (error) {
+ toast.error(error.message);
+ setIsSaving(false);
+ return;
+ }
- if (oldControl === '') {
- response = await axios.put(
- `/api/teams/${slug}/tasks/${task.taskNumber}/csc`,
- {
- controls: [newControl],
- operation: 'add'
- }
- );
- } else {
- response = await axios.put(
+ mutateTask();
+ setIsSaving(false);
+ },
+ [task, mutateTask, setIsSaving]
+ );
+
+ const deleteControlHandler = useCallback(
+ async (control: string) => {
+ setIsDeleting(true);
+
+ const response = await axios.put(
`/api/teams/${slug}/tasks/${task.taskNumber}/csc`,
{
- controls: [oldControl, newControl],
- operation: 'change'
+ controls: [control],
+ operation: 'remove',
+ ISO,
}
);
- }
- const { error } = response.data;
+ const { error } = response.data;
- if (error) {
- toast.error(error.message);
- setIsSaving(false)
- return;
- }
-
- mutateTask()
- setIsSaving(false)
- }, [task, mutateTask, setIsSaving])
-
- const deleteControlHandler = useCallback(async (control: string) => {
- setIsDeleting(true)
-
- const response = await axios.put(
- `/api/teams/${slug}/tasks/${task.taskNumber}/csc`,
- {
- controls: [control],
- operation: 'remove'
+ if (error) {
+ toast.error(error.message);
+ setIsDeleting(false);
+ return;
}
- );
-
- const { error } = response.data;
-
- if (error) {
- toast.error(error.message);
- setIsDeleting(false)
- return;
- }
- mutateTask()
-
- setIsDeleting(false)
- }, [task, mutateTask, setIsDeleting])
+ mutateTask();
+ setIsDeleting(false);
+ },
+ [task, mutateTask, setIsDeleting]
+ );
return (
Cybersecurity Controls
- {canAccess('task', ['update'])
- ? <>
+ {canAccess('task', ['update']) ? (
+ <>
{controls.map((control, index) => (
))}
-
+
>
- : <>
- {controls.map((control, index) =>
+ ) : (
+ <>
+ {controls.map((control, index) => (
- )}
+ ))}
>
- }
-
+ )}
- )
-}
+ );
+};
-export default CscPanel
\ No newline at end of file
+export default CscPanel;
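Review bot: `controlHanlder` and `deleteControlHandler` now put `ISO` into every request body, but their `useCallback` dependency lists are still `[task, mutateTask, setIsSaving]` / `[task, mutateTask, setIsDeleting]`, so after an ISO switch they keep sending the previous version (the `slug` they read, and `controls` in `deleteControls`, have the same problem). None of the three handlers catch a rejected `axios.put`, so a network error leaves `isSaving`/`isDeleting` true and the buttons disabled for good; a try/finally that resets the flag fixes that, as sketched below for `deleteControlHandler`. The name `controlHanlder` is misspelled and is passed to `ControlBlock` under the same name, so a rename touches both files.
```typescript
  const deleteControlHandler = useCallback(
    async (control: string) => {
      setIsDeleting(true);
      try {
        const response = await axios.put(
          `/api/teams/${slug}/tasks/${task.taskNumber}/csc`,
          { controls: [control], operation: 'remove', ISO }
        );
        const { error } = response.data;
        if (error) {
          toast.error(error.message);
          return;
        }
        mutateTask();
      } catch (e: unknown) {
        toast.error(e instanceof Error ? e.message : 'Request failed');
      } finally {
        setIsDeleting(false);
      }
    },
    [task, mutateTask, slug, ISO]
  );
  // … unchanged: controlHanlder and deleteControls take the same try/finally shape …
```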
diff --git a/components/interfaces/RPA/CreateFormBody.tsx b/components/interfaces/RPA/CreateFormBody.tsx
index 859fa41d..c155a8b1 100644
--- a/components/interfaces/RPA/CreateFormBody.tsx
+++ b/components/interfaces/RPA/CreateFormBody.tsx
@@ -1,21 +1,28 @@
-import React, { Fragment } from "react";
+import React, { Fragment } from 'react';
import { Error, Loading } from '@/components/shared';
-import { DatePicker } from '@atlaskit/datetime-picker'
+import { DatePicker } from '@atlaskit/datetime-picker';
import TextField from '@atlaskit/textfield';
import TextArea from '@atlaskit/textarea';
-import Select, {
- ValueType,
-} from '@atlaskit/select';
+import Select, { ValueType } from '@atlaskit/select';
import { Checkbox } from '@atlaskit/checkbox';
-import { ErrorMessage, Field, CheckboxField, FormFooter, HelperMessage } from '@atlaskit/form';
-import type { RpaOption } from "types";
-import { WithoutRing } from "sharedStyles";
-import { Message } from "@/components/shared/atlaskit";
-import { format } from 'date-fns'
-import useTeamMembers from "hooks/useTeamMembers";
-import { useRouter } from "next/router";
-import { config, headers, fieldPropsMapping } from "@/components/defaultLanding/data/configs/rpa"
-
+import {
+ ErrorMessage,
+ Field,
+ CheckboxField,
+ FormFooter,
+ HelperMessage,
+} from '@atlaskit/form';
+import type { RpaOption } from 'types';
+import { WithoutRing } from 'sharedStyles';
+import { Message } from '@/components/shared/atlaskit';
+import { format } from 'date-fns';
+import useTeamMembers from 'hooks/useTeamMembers';
+import { useRouter } from 'next/router';
+import {
+ config,
+ headers,
+ fieldPropsMapping,
+} from '@/components/defaultLanding/data/configs/rpa';
interface FormBodyProps {
stage: number;
@@ -23,13 +30,14 @@ interface FormBodyProps {
procedure: any[];
}
-const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) => {
-
+const CreateFormBody = ({
+ stage,
+ validationMessage,
+ procedure,
+}: FormBodyProps) => {
const router = useRouter();
const { slug } = router.query;
- const { isLoading, isError, members } = useTeamMembers(
- slug as string
- );
+ const { isLoading, isError, members } = useTeamMembers(slug as string);
if (isLoading) {
return
;
@@ -38,7 +46,7 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
if (!members || isError) {
return
;
}
-
+
return (
<>
- {stage === 0 &&
+ {stage === 0 && (
<>
- {validationMessage &&
-
- }
+ {validationMessage && (
+
+ )}
{
@@ -83,15 +92,19 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
return undefined;
}
- return new Promise((resolve) =>
- setTimeout(resolve, 300),
- ).then(() => 'Please select a due date');
+ return new Promise((resolve) => setTimeout(resolve, 300)).then(
+ () => 'Please select a due date'
+ );
}}
>
{({ fieldProps: { id, ...rest }, error }) => (
-
+
{!error && (
@@ -105,11 +118,11 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
- {({ fieldProps, error }) => (
+ {({ fieldProps }) => (
@@ -117,7 +130,7 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
>
name="dpo"
- label={fieldPropsMapping["dpo"]}
+ label={fieldPropsMapping['dpo']}
defaultValue={procedure[0] && procedure[0].dpo}
aria-required={true}
isRequired
@@ -126,39 +139,56 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
return undefined;
}
- return new Promise((resolve) =>
- setTimeout(resolve, 300),
- ).then(() => 'Please select a dpo');
+ return new Promise((resolve) => setTimeout(resolve, 300)).then(
+ () => 'Please select a dpo'
+ );
}}
>
{({ fieldProps: { id, ...rest }, error }) => (
- ({ value: user.id, label: user.name }))} validationState={error ? 'error' : 'default'} />
+ ({
+ value: user.id,
+ label: user.name,
+ }))}
+ validationState={error ? 'error' : 'default'}
+ />
{error && {error} }
)}
>
- }
- {stage === 1 &&
+ )}
+ {stage === 1 && (
<>
A data processing operation must have a purpose, a finality, i.e. you cannot collect or process
- personal data simply in case it would be useful to you one day. Each data processing operation must be
- assigned a purpose, which must of course be lawful and legitimate in the context of your professional
- activity.Example: You collect a lot of information from your customers, when you make a delivery, issue
- an
- invoice or offer a loyalty card. All these operations on these data represent your processing of
- personal
- data for the purpose of managing your customers.
+ text={
+
+ A data processing operation must have a purpose, a finality,
+ i.e. you cannot collect or process personal data simply in
+ case it would be useful to you one day. Each data processing
+ operation must be assigned a purpose, which must of course be
+ lawful and legitimate in the context of your professional
+ activity.
+
+
+ Example: You collect a lot of information from your
+ customers, when you make a delivery, issue an invoice or
+ offer a loyalty card. All these operations on these data
+ represent your processing of personal data for the purpose
+ of managing your customers.
+
+
}
/>
{({ fieldProps }: any) => (
@@ -172,7 +202,7 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
>
name="category"
- label={fieldPropsMapping["category"]}
+ label={fieldPropsMapping['category']}
defaultValue={procedure[1] && procedure[1].category}
aria-required={true}
isRequired
@@ -181,16 +211,26 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
return undefined;
}
- return new Promise((resolve) =>
- setTimeout(resolve, 300),
- ).then(() => 'Please select a categories');
+ return new Promise((resolve) => setTimeout(resolve, 300)).then(
+ () => 'Please select a categories'
+ );
}}
>
{({ fieldProps: { id, ...rest }, error }) => (
-
- {!error && Multiple selection possible for Personal Data }
+
+ {!error && (
+
+ Multiple selection possible for Personal Data
+
+ )}
{error && {error} }
@@ -198,7 +238,7 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
>
name="specialcategory"
- label={fieldPropsMapping["specialcategory"]}
+ label={fieldPropsMapping['specialcategory']}
defaultValue={procedure[1] && procedure[1].specialcategory}
aria-required={true}
isRequired
@@ -207,16 +247,24 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
return undefined;
}
- return new Promise((resolve) =>
- setTimeout(resolve, 300),
- ).then(() => 'Please select a categories');
+ return new Promise((resolve) => setTimeout(resolve, 300)).then(
+ () => 'Please select a categories'
+ );
}}
>
{({ fieldProps: { id, ...rest }, error }) => (
-
- {!error && Multiple selection possible }
+
+ {!error && (
+ Multiple selection possible
+ )}
{error && {error} }
@@ -224,7 +272,7 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
>
name="datasubject"
- label={fieldPropsMapping["datasubject"]}
+ label={fieldPropsMapping['datasubject']}
defaultValue={procedure[1] && procedure[1].datasubject}
aria-required={true}
isRequired
@@ -233,16 +281,27 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
return undefined;
}
- return new Promise((resolve) =>
- setTimeout(resolve, 300),
- ).then(() => 'Please select a categories');
+ return new Promise((resolve) => setTimeout(resolve, 300)).then(
+ () => 'Please select a categories'
+ );
}}
>
{({ fieldProps: { id, ...rest }, error }) => (
-
- {!error && Multiple selection possible, and if others please specify on the ticket }
+
+ {!error && (
+
+ Multiple selection possible, and if others please
+ specify on the ticket
+
+ )}
{error && {error} }
@@ -250,7 +309,7 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
>
name="retentionperiod"
- label={fieldPropsMapping["retentionperiod"]}
+ label={fieldPropsMapping['retentionperiod']}
defaultValue={procedure[1] && procedure[1].retentionperiod}
aria-required={true}
isRequired
@@ -259,16 +318,25 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
return undefined;
}
- return new Promise((resolve) =>
- setTimeout(resolve, 300),
- ).then(() => 'Please select a period');
+ return new Promise((resolve) => setTimeout(resolve, 300)).then(
+ () => 'Please select a period'
+ );
}}
>
{({ fieldProps: { id, ...rest }, error }) => (
-
- {!error && Please specify the data retention period }
+
+ {!error && (
+
+ Please specify the data retention period
+
+ )}
{error && {error} }
@@ -276,7 +344,7 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
{({ fieldProps }: any) => (
@@ -290,20 +358,23 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
)}
>
- }
- {stage === 2 &&
+ )}
+ {stage === 2 && (
<>
- List all persons who have access to the data; For example: recruitment department, IT department, management, service providers, partners, hosts, etc.
+ List all persons who have access to the data;
+
+ For example: recruitment department, IT department,
+ management, service providers, partners, hosts, etc.
}
/>
>
name="recipientType"
- label={fieldPropsMapping["recipientType"]}
+ label={fieldPropsMapping['recipientType']}
defaultValue={procedure[2] && procedure[2].recipientType}
aria-required={true}
isRequired
@@ -312,16 +383,26 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
return undefined;
}
- return new Promise((resolve) =>
- setTimeout(resolve, 300),
- ).then(() => 'Please select a type');
+ return new Promise((resolve) => setTimeout(resolve, 300)).then(
+ () => 'Please select a type'
+ );
}}
>
{({ fieldProps: { id, ...rest }, error }) => (
-
- {!error && Please specify the type of recipient if not on a list specify on details }
+
+ {!error && (
+
+ Please specify the type of recipient if not on a list
+ specify on details
+
+ )}
{error && {error} }
@@ -329,7 +410,7 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
{({ fieldProps }: any) => (
@@ -342,45 +423,60 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
)}
>
- }
- {stage === 3 &&
+ )}
+ {stage === 3 && (
<>
When you transfer data outside the European Union:
- - Check whether the country outside the EU to which you are transferring the data has data
- protection
- legislation and whether it is recognised as adequate by the European Commission.
- - A map of the world presenting data protection legislation.
- - Otherwise, you will have to provide a legal framework your transfers to ensure data protection
- abroad.
+ - Check whether the country outside the EU to which you are
+ transferring the data has data protection legislation and
+ whether it is recognised as adequate by the European
+ Commission. - A map of the world presenting data
+ protection legislation. - Otherwise, you will have to
+ provide a legal framework your transfers to ensure data
+ protection abroad.
}
/>
-
+
{({ fieldProps }) => (
-
+
)}
{({ fieldProps, error }) => (
- {!error && Recipient is a natural or legal person, public authority, agency or another body which the personal data are disclosed. }
+ {!error && (
+
+ Recipient is a natural or legal person, public authority,
+ agency or another body which the personal data are
+ disclosed.
+
+ )}
)}
>
name="country"
- label={fieldPropsMapping["country"]}
+ label={fieldPropsMapping['country']}
defaultValue={procedure[3] && procedure[3].country}
aria-required={true}
isRequired
@@ -389,16 +485,23 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
return undefined;
}
- return new Promise((resolve) =>
- setTimeout(resolve, 300),
- ).then(() => 'Please select a country');
+ return new Promise((resolve) => setTimeout(resolve, 300)).then(
+ () => 'Please select a country'
+ );
}}
>
{({ fieldProps: { id, ...rest }, error }) => (
-
- {!error && Please select from the list }
+
+ {!error && (
+ Please select from the list
+ )}
{error && {error} }
@@ -406,7 +509,7 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
>
name="guarantee"
- label={fieldPropsMapping["guarantee"]}
+ label={fieldPropsMapping['guarantee']}
defaultValue={procedure[3] && procedure[3].guarantee}
aria-required={true}
isRequired
@@ -415,16 +518,27 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
return undefined;
}
- return new Promise((resolve) =>
- setTimeout(resolve, 300),
- ).then(() => 'Please select at least one');
+ return new Promise((resolve) => setTimeout(resolve, 300)).then(
+ () => 'Please select at least one'
+ );
}}
>
{({ fieldProps: { id, ...rest }, error }) => (
-
- {!error && Multiple selection possible, and if None please specify on the ticket }
+
+ {!error && (
+
+ Multiple selection possible, and if None please specify
+ on the ticket
+
+ )}
{error && {error} }
@@ -432,31 +546,38 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
Please attach relevant documents to the ticket.}
+ text={
+ Please attach relevant documents to the ticket.
+ }
/>
>
- }
- {stage === 4 &&
+ )}
+ {stage === 4 && (
<>
- Secure your data:
- - Ensure the integrity of your data assets by minimizing the risk of data loss or
- hacking.
- - The measures to be taken, whether electronic or physical, depend on the sensitiveness of the
- data you are processing and the risks to data subjects in the event of an incident.
- - Various actions must be implemented: updating your antivirus and software, regularly
- changing passwords and adopting complex passwords, or encrypting your data in certain situations.
- In the event of loss or theft of an eletronic device,
- it will be more difficult for a third party to access it.
+ Secure your data:
+
+ - Ensure the integrity of your data assets by minimizing the
+ risk of data loss or hacking.
+
+ - The measures to be taken, whether electronic or physical,
+ depend on the sensitiveness of the data you are processing and
+ the risks to data subjects in the event of an incident.
+ - Various actions must be implemented: updating your antivirus
+ and software, regularly changing passwords and adopting
+ complex passwords, or encrypting your data in certain
+ situations. In the event of loss or theft of an eletronic
+ device, it will be more difficult for a third party to access
+ it.
}
/>
>
name="toms"
- label={fieldPropsMapping["toms"]}
+ label={fieldPropsMapping['toms']}
defaultValue={procedure[4] && procedure[4].toms}
aria-required={true}
isRequired
@@ -465,16 +586,27 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
return undefined;
}
- return new Promise((resolve) =>
- setTimeout(resolve, 300),
- ).then(() => 'Please select at least one');
+ return new Promise((resolve) => setTimeout(resolve, 300)).then(
+ () => 'Please select at least one'
+ );
}}
>
{({ fieldProps: { id, ...rest }, error }) => (
-
- {!error && Multiple selection possible, and if others please specify on the ticket }
+
+ {!error && (
+
+ Multiple selection possible, and if others please
+ specify on the ticket
+
+ )}
{error && {error} }
@@ -485,12 +617,11 @@ const CreateFormBody = ({stage, validationMessage, procedure} : FormBodyProps) =
text="Please attach the relevant security certification and documents to the ticket."
/>
>
- }
-
-
+ )}
+
>
- )
-}
+ );
+};
-export default CreateFormBody
\ No newline at end of file
+export default CreateFormBody;
diff --git a/components/interfaces/RPA/CreateRPA.tsx b/components/interfaces/RPA/CreateRPA.tsx
index 21b31202..7a9efc74 100644
--- a/components/interfaces/RPA/CreateRPA.tsx
+++ b/components/interfaces/RPA/CreateRPA.tsx
@@ -1,135 +1,144 @@
-import React, { useState, useCallback, useEffect } from "react";
+import React, { useState, useCallback, useEffect } from 'react';
import { getAxiosError } from '@/lib/common';
-import toast from "react-hot-toast";
-import axios from "axios";
-import { Modal } from "react-daisyui";
-import { useTranslation } from "next-i18next";
-import { useRouter } from "next/router";
+import toast from 'react-hot-toast';
+import axios from 'axios';
+import { Modal } from 'react-daisyui';
+import { useTranslation } from 'next-i18next';
+import { useRouter } from 'next/router';
import AtlaskitButton, { LoadingButton } from '@atlaskit/button';
import Form from '@atlaskit/form';
-import type { ApiResponse, TaskWithRpaProcedure } from "types";
-import type { Task } from "@prisma/client";
-import CreateFormBody from "./CreateFormBody";
+import type { ApiResponse, TaskWithRpaProcedure } from 'types';
+import type { Task } from '@prisma/client';
+import CreateFormBody from './CreateFormBody';
const CreateRPA = ({
visible,
setVisible,
task,
- mutate
+ mutate,
}: {
visible: boolean;
setVisible: (visible: boolean) => void;
task: Task | TaskWithRpaProcedure;
- mutate: () => Promise
+ mutate: () => Promise;
}) => {
- const { t } = useTranslation("common");
+ const { t } = useTranslation('common');
const router = useRouter();
const { slug } = router.query;
- const [isLoading, setIsLoading] = useState(false)
+ const [isLoading, setIsLoading] = useState(false);
const [stage, setStage] = useState(0);
const [validationMessage, setValidationMessage] = useState('');
const [procedure, setProcedure] = useState([]);
- const [prevProcedure, setPrevProcedure] = useState([])
+ const [prevProcedure, setPrevProcedure] = useState([]);
const cleanup = useCallback((reset: any) => {
- setProcedure([])
- setStage(0)
- reset()
- }, [])
-
- const saveProcedure = useCallback(async (procedure: any[], prevProcedure: any[], reset: any) => {
- try {
- setIsLoading(true)
-
- const response = await axios.post>(`/api/teams/${slug}/tasks/${task.id}/rpa`, {
- prevProcedure: prevProcedure,
- nextProcedure: procedure,
- });
-
- const { error } = response.data;
-
- if (error) {
- toast.error(error.message);
- return;
- } else {
- toast.success(t("rpa-created"));
+ setProcedure([]);
+ setStage(0);
+ reset();
+ }, []);
+
+ const saveProcedure = useCallback(
+ async (procedure: any[], prevProcedure: any[], reset: any) => {
+ try {
+ setIsLoading(true);
+
+ const response = await axios.post>(
+ `/api/teams/${slug}/tasks/${task.taskNumber}/rpa`,
+ {
+ prevProcedure: prevProcedure,
+ nextProcedure: procedure,
+ }
+ );
+
+ const { error } = response.data;
+
+ if (error) {
+ toast.error(error.message);
+ return;
+ } else {
+ toast.success(t('rpa-created'));
+ }
+
+ mutate();
+
+ setIsLoading(false);
+ setVisible(false);
+
+ cleanup(reset);
+ } catch (error: any) {
+ setIsLoading(false);
+ toast.error(getAxiosError(error));
}
-
- mutate()
-
- setIsLoading(false)
- setVisible(false)
-
- cleanup(reset)
- } catch (error: any) {
- setIsLoading(false)
- toast.error(getAxiosError(error));
- }
-
- }, [prevProcedure])
+ },
+ [prevProcedure]
+ );
const validate = useCallback((formData: any) => {
if (formData.reviewDate != null) {
- let date = new Date();
+ const date = new Date();
date.setHours(0, 0, 0, 0);
if (new Date(formData.reviewDate) <= date) {
- return "Review Date must not be in the past";
+ return 'Review Date must not be in the past';
}
}
- return "";
- }, [])
+ return '';
+ }, []);
- const onSubmit = useCallback(async (formData: any, { reset }: any) => {
- const message = validate(formData);
+ const onSubmit = useCallback(
+ async (formData: any, { reset }: any) => {
+ const message = validate(formData);
- if (procedure[stage] != null) {
- procedure[stage] = formData;
- } else {
- setProcedure([...procedure, formData]);
- }
+ if (procedure[stage] != null) {
+ procedure[stage] = formData;
+ } else {
+ setProcedure([...procedure, formData]);
+ }
- if (message !== "") {
- return setValidationMessage(message);
- }
- if (stage === 4) {
- const procedureToSave = procedure.length === 4 ? [...procedure, formData] : procedure
- await saveProcedure(procedureToSave, prevProcedure, reset)
- } else {
- setStage(stage + 1);
- }
- }, [stage, procedure, prevProcedure])
+ if (message !== '') {
+ return setValidationMessage(message);
+ }
+ if (stage === 4) {
+ const procedureToSave =
+ procedure.length === 4 ? [...procedure, formData] : procedure;
+ await saveProcedure(procedureToSave, prevProcedure, reset);
+ } else {
+ setStage(stage + 1);
+ }
+ },
+ [stage, procedure, prevProcedure]
+ );
const backHandler = useCallback(() => {
if (stage > 0) {
- setStage(prev => prev - 1)
+ setStage((prev) => prev - 1);
}
- }, [stage])
+ }, [stage]);
const closeHandler = useCallback((reset: any) => {
- setVisible(false)
- setProcedure([])
- cleanup(reset)
- }, [])
+ setVisible(false);
+ setProcedure([]);
+ cleanup(reset);
+ }, []);
useEffect(() => {
- const taskProperties = task.properties as any
+ const taskProperties = task.properties as any;
if (taskProperties?.rpa_procedure) {
- setProcedure(taskProperties.rpa_procedure)
- setPrevProcedure([...taskProperties.rpa_procedure])
+ setProcedure(taskProperties.rpa_procedure);
+ setPrevProcedure([...taskProperties.rpa_procedure]);
}
- }, [])
+ }, []);
return (
-
)}
-
);
};
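Review bot: In saveProcedure the API-error branch (`toast.error(error.message); return;`) never resets the loading flag, so after a save that the server rejects the LoadingButton stays spinning and the modal stays open; add `setIsLoading(false);` before that `return`, or move the reset into a `finally`. The same early return is present in DashboardCreateRPA's saveProcedure in the next file section. The request path now keys on `task.taskNumber` instead of `task.id` here, in DashboardCreateRPA and in DeleteRpa; if taskNumber is a per-team counter rather than a globally unique id (which this diff does not show), the handler behind `/api/teams/${slug}/tasks/…/rpa` must resolve the task scoped to `slug`, otherwise one team could address another team's task by number. Also the dependency list `[prevProcedure]` omits `slug`, `task`, `cleanup`, `mutate` and `setVisible`, so the memoised callback can post against a stale slug or task if those props change while the modal stays mounted; `mutate()` returns a Promise and is not awaited, so a rejected revalidation is silently dropped.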
diff --git a/components/interfaces/RPA/DashboardCreateRPA.tsx b/components/interfaces/RPA/DashboardCreateRPA.tsx
index 7bd09d8c..e8fee109 100644
--- a/components/interfaces/RPA/DashboardCreateRPA.tsx
+++ b/components/interfaces/RPA/DashboardCreateRPA.tsx
@@ -1,223 +1,225 @@
-import React, { useState, useCallback, useMemo } from "react";
+import React, { useState, useCallback, useMemo } from 'react';
import { getAxiosError } from '@/lib/common';
-import toast from "react-hot-toast";
-import axios from "axios";
-import { Modal } from "react-daisyui";
-import { useTranslation } from "next-i18next";
-import { useRouter } from "next/router";
+import toast from 'react-hot-toast';
+import axios from 'axios';
+import { Modal } from 'react-daisyui';
+import { useTranslation } from 'next-i18next';
+import { useRouter } from 'next/router';
import AtlaskitButton, { LoadingButton } from '@atlaskit/button';
import Form from '@atlaskit/form';
-import type { ApiResponse } from "types";
+import type { ApiResponse } from 'types';
-import type { Task } from "@prisma/client";
-import CreateFormBody from "./CreateFormBody";
-import { TaskPickerFormBody } from "@/components/shared/atlaskit";
+import type { Task } from '@prisma/client';
+import CreateFormBody from './CreateFormBody';
+import { TaskPickerFormBody } from '@/components/shared/atlaskit';
const DashboardCreateRPA = ({
visible,
setVisible,
tasks,
- mutate
+ mutate,
}: {
visible: boolean;
setVisible: (visible: boolean) => void;
tasks: Array;
- mutate: () => Promise
+ mutate: () => Promise;
}) => {
- const { t } = useTranslation("common");
+ const { t } = useTranslation('common');
const router = useRouter();
const { slug } = router.query;
- const [task, setTask] = useState(null)
- const [isLoading, setIsLoading] = useState(false)
- const [modalStage, setModalStage] = useState(0)
+ const [task, setTask] = useState(null);
+ const [isLoading, setIsLoading] = useState(false);
+ const [modalStage, setModalStage] = useState(0);
const [stage, setStage] = useState(0);
const [validationMessage, setValidationMessage] = useState('');
const [procedure, setProcedure] = useState([]);
- const [prevProcedure, setPrevProcedure] = useState([])
+ const [prevProcedure] = useState([]);
const tasksWithoutProcedures = useMemo>(() => {
if (!tasks) {
- return []
+ return [];
}
- return tasks.filter(task => {
- const taskProperties = task.properties as any
- const procedure = taskProperties.rpa_procedure
- return !procedure
- }) as Task[]
- }, [tasks])
-
+ return tasks.filter((task) => {
+ const taskProperties = task.properties as any;
+ const procedure = taskProperties.rpa_procedure;
+ return !procedure;
+ }) as Task[];
+ }, [tasks]);
const cleanup = useCallback((reset: any) => {
- setProcedure([])
- setStage(0)
- reset()
- }, [])
-
- const saveProcedure = useCallback(async (procedure: any[], prevProcedure: any[], reset: any) => {
- if (!task) {
- return
- }
+ setProcedure([]);
+ setStage(0);
+ reset();
+ }, []);
+
+ const saveProcedure = useCallback(
+ async (procedure: any[], prevProcedure: any[], reset: any) => {
+ if (!task) {
+ return;
+ }
- try {
- setIsLoading(true)
+ try {
+ setIsLoading(true);
- const response = await axios.post>(`/api/teams/${slug}/tasks/${task.id}/rpa`, {
- prevProcedure: prevProcedure,
- nextProcedure: procedure,
- });
+ const response = await axios.post>(
+ `/api/teams/${slug}/tasks/${task.taskNumber}/rpa`,
+ {
+ prevProcedure: prevProcedure,
+ nextProcedure: procedure,
+ }
+ );
- const { error } = response.data;
+ const { error } = response.data;
- if (error) {
- toast.error(error.message);
- return;
- } else {
- toast.success(t("rpa-created"));
- }
+ if (error) {
+ toast.error(error.message);
+ return;
+ } else {
+ toast.success(t('rpa-created'));
+ }
- mutate()
+ mutate();
- setIsLoading(false)
- setVisible(false)
+ setIsLoading(false);
+ setVisible(false);
- cleanup(reset)
- } catch (error: any) {
- setIsLoading(false)
- toast.error(getAxiosError(error));
- }
- }, [prevProcedure, task])
+ cleanup(reset);
+ } catch (error: any) {
+ setIsLoading(false);
+ toast.error(getAxiosError(error));
+ }
+ },
+ [prevProcedure, task]
+ );
const validate = useCallback((formData: any) => {
if (formData.reviewDate != null) {
- let date = new Date();
+ const date = new Date();
date.setHours(0, 0, 0, 0);
if (new Date(formData.reviewDate) <= date) {
- return "Review Date must not be in the past";
+ return 'Review Date must not be in the past';
}
}
- return "";
- }, [])
-
- const onSubmit = useCallback(async (formData: any, { reset }: any) => {
- console.log('onsubmit click')
- if (modalStage === 0) {
- const task = formData.task.value
- setTask(task)
- setModalStage(1)
- console.log('formData in satge 0 ', formData)
- return
- }
- const message = validate(formData);
+ return '';
+ }, []);
+
+ const onSubmit = useCallback(
+ async (formData: any, { reset }: any) => {
+ console.log('onsubmit click');
+ if (modalStage === 0) {
+ const task = formData.task.value;
+ setTask(task);
+ setModalStage(1);
+ console.log('formData in satge 0 ', formData);
+ return;
+ }
+ const message = validate(formData);
- if (procedure[stage] != null) {
- procedure[stage] = formData;
- } else {
- setProcedure([...procedure, formData]);
- }
+ if (procedure[stage] != null) {
+ procedure[stage] = formData;
+ } else {
+ setProcedure([...procedure, formData]);
+ }
- if (message !== "") {
- return setValidationMessage(message);
- }
- if (stage === 4) {
- const procedureToSave = procedure.length === 4 ? [...procedure, formData] : procedure
- await saveProcedure(procedureToSave, prevProcedure, reset)
- } else {
- setStage(stage + 1);
- }
- }, [stage, procedure, prevProcedure, modalStage])
+ if (message !== '') {
+ return setValidationMessage(message);
+ }
+ if (stage === 4) {
+ const procedureToSave =
+ procedure.length === 4 ? [...procedure, formData] : procedure;
+ await saveProcedure(procedureToSave, prevProcedure, reset);
+ } else {
+ setStage(stage + 1);
+ }
+ },
+ [stage, procedure, prevProcedure, modalStage]
+ );
const backHandler = useCallback(() => {
if (stage > 0) {
- setStage(prev => prev - 1)
+ setStage((prev) => prev - 1);
}
- }, [stage])
+ }, [stage]);
const closeHandler = useCallback((reset: any) => {
- setVisible(false)
- setProcedure([])
- cleanup(reset)
- }, [])
+ setVisible(false);
+ setProcedure([]);
+ cleanup(reset);
+ }, []);
return (
-
)}
-
);
};
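Review bot: The two `console.log` calls kept in onSubmit (`'onsubmit click'` and `'formData in satge 0 '`) print the complete form submission to the browser console; remove them or gate them behind a development-only check before this ships (the second also carries the "satge" typo). In tasksWithoutProcedures, `taskProperties.rpa_procedure` is read without the optional chaining that CreateRPA's useEffect uses for the same field, so a task whose `properties` is null would throw inside the filter; `return !taskProperties?.rpa_procedure;` keeps the filter's result otherwise. `prevProcedure` is now state with no setter, so it is always `[]` when passed to saveProcedure; a plain `const prevProcedure: any[] = [];` states that intent more clearly than a write-less useState and keeps it out of the dependency lists.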
diff --git a/components/interfaces/RPA/DeleteRpa.tsx b/components/interfaces/RPA/DeleteRpa.tsx
index 521f3b8f..9a27d95a 100644
--- a/components/interfaces/RPA/DeleteRpa.tsx
+++ b/components/interfaces/RPA/DeleteRpa.tsx
@@ -1,38 +1,40 @@
-import React, { useState, useCallback } from "react";
+import React, { useState, useCallback } from 'react';
import { getAxiosError } from '@/lib/common';
-import toast from "react-hot-toast";
-import axios from "axios";
-import { Modal } from "react-daisyui";
-import { useTranslation } from "next-i18next";
-import { useRouter } from "next/router";
+import toast from 'react-hot-toast';
+import axios from 'axios';
+import { Modal } from 'react-daisyui';
+import { useTranslation } from 'next-i18next';
+import { useRouter } from 'next/router';
import AtlaskitButton, { LoadingButton } from '@atlaskit/button';
import Form from '@atlaskit/form';
-import type { ApiResponse, TaskWithRpaProcedure } from "types";
-import type { Task } from "@prisma/client";
+import type { ApiResponse, TaskWithRpaProcedure } from 'types';
+import type { Task } from '@prisma/client';
const DeleteRpa = ({
visible,
setVisible,
task,
- mutate
+ mutate,
}: {
visible: boolean;
setVisible: (visible: boolean) => void;
task: Task | TaskWithRpaProcedure;
- mutate: () => Promise
+ mutate: () => Promise;
}) => {
- const { t } = useTranslation("common");
+ const { t } = useTranslation('common');
const router = useRouter();
const { slug } = router.query;
- const [isDeleting, setIsDeleting] = useState(false)
+ const [isDeleting, setIsDeleting] = useState(false);
const deleteProcedure = useCallback(async () => {
try {
- setIsDeleting(true)
+ setIsDeleting(true);
- const response = await axios.delete>(`/api/teams/${slug}/tasks/${task.id}/rpa`);
+ const response = await axios.delete>(
+ `/api/teams/${slug}/tasks/${task.taskNumber}/rpa`
+ );
const { error } = response.data;
@@ -40,36 +42,37 @@ const DeleteRpa = ({
toast.error(error.message);
return;
} else {
- toast.success('Procedure deleted.')
+ toast.success('Procedure deleted.');
}
- mutate()
+ mutate();
- setIsDeleting(false)
- setVisible(false)
+ setIsDeleting(false);
+ setVisible(false);
} catch (error: any) {
- setIsDeleting(false)
+ setIsDeleting(false);
toast.error(getAxiosError(error));
}
- }, [task])
-
-
+ }, [task]);
const closeHandler = useCallback(() => {
- setVisible(false)
- }, [])
+ setVisible(false);
+ }, []);
return (
-