What's new with the SimpleRisk 20200711-001 release?
by Josh Sokol (Creator & CEO of SimpleRisk)

This past weekend, SimpleRisk went live with our Q2 2020 release.  Like the releases before it, a tremendous amount of effort went into packing in as many features and as much functionality as possible while retaining the underlying simplicity.  In addition, our HackerOne Bug Bounty program continues to help us identify and fix potential security vulnerabilities, and we've corrected a number of bugs as well.  The full release notes for this release can be downloaded here.  What follows is a description of all of the new features, bug fixes, and security fixes included in this release.

SimpleRisk Core

We added a ton of new functionality into the SimpleRisk Core.  First and foremost was the addition of a brand new Risk Catalog, which has been pre-populated with a list of 32 different high level risk events and descriptions along with their associated NIST category and function.  You can add your own risks into the catalog, as well, and then map these risks to your assessed risks, creating a risk hierarchy for advanced reporting and management.

Risk Catalog in SimpleRisk

Another major enhancement, and one that numerous customers requested, is the ability to map multiple framework and control names to each defined control.  This is especially useful when using a common control framework, such as the ComplianceForge Secure Controls Framework, that is already integrated into SimpleRisk.  Previously a control could have only a single name, even when it was mapped to multiple frameworks.  Now you can effectively have multiple framework-specific aliases for a given control.

Control Mappings to Multiple Frameworks in SimpleRisk

Other new functionality added into the SimpleRisk Core with this release includes:

  • Added new user permissions for finer-grained control over Governance, Risk Management, and Compliance.
  • Added several new fields to aid in tracking documents in the “Document Program” section of Governance, which integrates with Email Notification for document review reminders.
  • Added the ability to attach files to exceptions defined under the Define Exceptions menu in Governance.
  • Added the ability to view the Comment field from Risk Management in the Dynamic Risk Report.
  • Added new reporting around teams, users, roles, and permissions, and additional reporting that has been integrated with Team Separation.
  • Added new fields to track the validation details for each control.
  • SimpleRisk will now retain your control selections after adding a new test to a control in Compliance.
  • Added a Sort By dropdown to the “Risks and Assets” report allowing users to sort by “Asset Name” or “Risk Value”.
  • The Risks and Controls report now sorts by inherent risk.
  • Selecting a “Control Framework” will now prune unrelated values from the other filter dropdown menus.
  • Added the ability to customize which columns are shown on the Active Audits page in Compliance, similar to the Dynamic Risk Report.
  • Added the ability to filter columns in various places where data tables are displayed in SimpleRisk.  These function just like the ones added to the Dynamic Risk Report in a previous release.
  • Control Framework names are now in alphabetical order in dropdowns.
  • Saved reports in the Dynamic Risk Report now save the filters in the report columns as well.
  • Admins can now view the details of disabled users on the User Management page.
  • Removed obsolete reports from the Reporting section.
  • Updated the “User Management” menu to use tabs to separate functionality.
  • Updated the Overview pie chart to read “Mitigation Planned Vs Unplanned”.
  • Added a new health check to ensure the SimpleRisk Base URL is set and matches the one used in the instance.
  • Made the health check a tabular page layout.
  • Added a timeout to the services call if no connection is made within 5 seconds.

There were a number of bugs that were also addressed in this release:

  • Fixed an issue where Documents could display as assigned to a framework even though none had been assigned.
  • Fixed an issue where updating an existing questionnaire question and then adding a sub-template to an answer would remove all other answers to the question, when the changes were saved.
  • Fixed an issue where users would not be alerted when an improper file type was used while submitting a mitigation.
  • Fixed an issue where names containing an apostrophe would be displayed incorrectly on the Risk Dashboard.
  • Fixed an issue where audit log entries did not properly reflect when a user's team was changed.
  • Fixed an issue where All Open Risks by Team would not display correctly with Team-Based Separation Extra.
  • Fixed an issue where sorting by Subject would not work as intended in the Dynamic Risk Report.
  • Fixed an issue where user created frameworks that were disabled would not appear in the inactive frameworks tab.
  • Updated the proxy settings to function with registering instances.

Security fixes in this release include:

  • Fixed a SQL injection vulnerability.
  • Updated the debug log functions so they can no longer overwrite files in the web root.
  • Generating a new password token now invalidates any older tokens immediately, regardless of how long they were set to remain active.
  • Fixed several XSS vulnerabilities.
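The three server-side items above describe general hardening patterns rather than anything specific to SimpleRisk's code, so here is an added illustration of all three in one place: parameterized queries instead of string-built SQL, a password token store in which issuing a new token revokes every earlier one for that user (instead of leaving them valid until their own expiry), and a debug-log path resolver that refuses any file name escaping the configured log directory (which should itself sit outside the web root).  This is example code written for this post, not SimpleRisk's own implementation (SimpleRisk is PHP; the example is Python for brevity).  The schema, table and function names, the in-memory SQLite database and the sample user "alice" are all constructed for the example.

```python
import hashlib
import secrets
import sqlite3
import time
from pathlib import Path
from typing import Optional


def open_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for an application database (not SimpleRisk's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)")
    db.execute(
        "CREATE TABLE reset_tokens (user_id INTEGER, token_hash TEXT, expires_at INTEGER)"
    )
    db.execute("INSERT INTO users (id, username) VALUES (?, ?)", (1, "alice"))
    return db


def _hash(token: str) -> str:
    # Store only a hash so a database read does not hand out usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(db: sqlite3.Connection, username: str,
                      ttl_seconds: int = 3600, now: Optional[float] = None) -> Optional[str]:
    """Create a fresh token for the user, revoking any outstanding ones first."""
    now = time.time() if now is None else now
    # Parameterized query: a username such as "alice' OR '1'='1" is matched
    # literally and simply finds no user, rather than altering the query.
    row = db.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return None
    user_id = row[0]
    # Invalidate every earlier token for this user immediately, regardless of
    # how much of its own lifetime it had left.
    db.execute("DELETE FROM reset_tokens WHERE user_id = ?", (user_id,))
    token = secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO reset_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)",
        (user_id, _hash(token), int(now + ttl_seconds)),
    )
    return token


def verify_reset_token(db: sqlite3.Connection, username: str, token: str,
                       now: Optional[float] = None) -> bool:
    """True only if the token is the user's current one and has not expired."""
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT t.expires_at FROM reset_tokens t JOIN users u ON u.id = t.user_id "
        "WHERE u.username = ? AND t.token_hash = ?",
        (username, _hash(token)),
    ).fetchone()
    return row is not None and row[0] > now


def resolve_log_path(log_dir: str, requested_name: str) -> Optional[Path]:
    """Return the resolved log file path if it stays inside log_dir, else None.

    Resolving both sides collapses "..", symlinks and absolute names, so a
    request like "../../var/www/index.php" cannot target a file in the web root.
    """
    base = Path(log_dir).resolve()
    candidate = (base / requested_name).resolve()
    if base not in candidate.parents:
        return None
    return candidate
```

In a real application the token store would live in the users' own table or a dedicated table with an index on the hash, and the log directory would be a fixed configuration value rather than anything derived from a request; the point of the example is the ordering (delete, then insert) and the resolve-then-compare check, not the storage details.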

SimpleRisk Extras

The SimpleRisk Extras are the paid-for functionality that extends the features of the SimpleRisk Core.  This release included two major new additions to our SimpleRisk Extra arsenal as well as some new functionality and bug fixes:

Incident Management: Based on the NIST SP 800-61 Computer Security Incident Handling Guide, this brand new SimpleRisk Extra provides a bridge between the events and incidents happening within your organization and the risks and assets they are associated with.  The initial release includes incident preparation tasks, the ability to submit incidents, pre-canned Playbooks for handling nine different types of incidents, and the tracking of incidents through to resolution.  Future iterations will include custom Playbooks, tracking Lessons Learned, and more.

Incident Management with SimpleRisk

Organizational Hierarchy: Over the years, we've had a number of customers ask for separation functionality beyond what Team-Based Separation handles.  They were looking to set up Business Units for their Legal, Human Resources, Trade Compliance, Information Technology, and other departments where one BU would not see the users or teams from another BU.  With the introduction of the new Organizational Hierarchy Extra, this level of filtering is now available.  Future iterations of this Extra will impact which assets a BU sees along with the ability to define different risk submission templates for each.

Risk Assessment:

  • Added the ability to track and update risks that are created through questionnaires.
  • Added the ability to associate controls to risks created through questionnaires.
  • Added the question and answer that created a risk to the Additional Notes field.
  • Added the ability to tie risks created through questionnaires to projects.
  • Fixed an initial PHP Fatal Error when activating the Extra on a fresh installation.

Import-Export:

  • Fixed a bug affecting the import of tags that are not unique or were not already in the database.
  • Updated to work with the new framework and control mappings.

Email Notification:

  • Fixed a bug affecting the ability to save configuration changes when using the Safari browser.

ComplianceForge SCF:

  • Updated to work with the new framework and control mappings so that it reflects the actual control that is linked to the common control.