The SimpleRisk 20210625-001 release includes a number of new features, bug fixes and security updates. When we held our last Customer Advisory Board meeting in Q1 2021, one of the points of feedback was that while the members felt SimpleRisk was incredibly simple and intuitive to use, they thought it would be good to include context-based help for those users who aren't accustomed to SimpleRisk or to risk management activities in general. Thus, this release introduces a new "About This Page" feature under the help (question mark) menu in the top right corner of your SimpleRisk instance. When selected, it redirects the user to a page in our support portal designed to explain the functionality of the page they are on. As of writing this release update, we have built out the pages for the Risk Management functionality in SimpleRisk. As you can imagine, this is no small undertaking, and we will continue to build out these tutorials for the rest of the product over the coming months.
Another major new feature added in the 20210625-001 release is an automated backup scheduling system. Users with administrative privileges can now go to their Configure -> Settings menu and select the new "Backups" tab to configure this functionality. You can specify an Hourly, Daily, Weekly or Monthly backup schedule for your SimpleRisk instance, along with how long to keep the backups.
For this to work properly, you will need to follow the provided instructions on setting up a cron job for scheduling, but once that has been configured, you will be able to view and download the backups directly from that tab.
Other new features that were added to enhance the usability of SimpleRisk include:
- Increased granularity in the audit logs for risks
- Increased the information retained in the audit log of audit tests
- Added the ability to use custom impact descriptions for the Contributing Risk scoring methodology
- When no mitigating control is available for a mitigation the system will now report “No Control Available”
- Updated mouseover descriptions for User Permissions.
- The control short name is now displayed with audit tests.
- Removed the ability for admins to remove their own admin rights.
- Admins can no longer change what teams they belong to as they have access to all risks.
- Updated the Dynamic Risk Report so that when you group by a value that can have multiple selections for a single risk (i.e. "teams"), each group is shown only once with all of its associated risks. In previous releases, a risk assigned to multiple teams appeared under a separate grouping for each team.
- Added Project Status (Active, On Hold, etc.) to the Dynamic Risk Report.
- Filters on the Define Tests page are now kept after editing a test.
- Filters on the Define Control Frameworks page are now kept after editing a control.
- The Management Review filter found on Plan Mitigations and Perform Reviews is now a dropdown, in line with the Mitigation Planned filter.
- Added a “Back” button to the Manage Users tab in User Management when editing a user.
- Updated from unsupported Zend Escaper to the newer Laminas Escaper.
- Added Risk Scoring to the dynamic risk report to allow users to display a column of the current risk scoring methods in use for risks listed in the table.
- Added a field to display the Inherent Risk score from 30/60/90 days ago in the Dynamic Risk Report.
- Added the ability to view the contributing risk likelihood and impact values in the Dynamic Risk Report.
- Increased control_number field size to 50 characters.
- Added a healthcheck to determine what the memory_limit value is set to in the php.ini file.
- Added a healthcheck to determine what USE_DATABASE_FOR_SESSIONS is set to in the config.php file.
This release also includes the following bug fixes for the SimpleRisk Core:
- Fixed an issue where “Current Control Maturity” and “Desired Control Maturity” values are not copied when cloning a control.
- Fixed an issue where browser zoom would cause the Governance → Define Control Framework page not to display properly.
- Fixed an issue where users could receive a notice in the PHP log when viewing the Document Program page.
- Fixed an issue where an Asset Group’s name would be escaped when editing and would save with unintended characters in the group name.
- Fixed an issue where leaving a compliance test result unset (null) would make that test impossible to see in the past audits.
- Fixed an issue where long control names would not display properly in Compliance → Past Audits.
- Fixed a bug where approximate time was not saved when editing a compliance test.
- Fixed an issue with double-encoded pop-up menus on the Governance → Define Exceptions page.
- Fixed an issue where, when submitting a risk, the displayed pop-up confirmation would not be escaped properly.
- Fixed an issue where the last test date and next test date returned for test audits were incorrect.
- Fixed an issue experienced when using Internet Explorer where the page doctype would be improperly set, causing display and submission issues.
- Fixed an issue with the Connectivity Visualizer not showing assets when the Encrypted Database Extra is not enabled.
- Added a Default Desired Maturity value to Settings.
- Added a Default Current Maturity value to Settings.
- Fixed a Fatal Error when trying to communicate with SimpleRisk services when they are unavailable.
We also fixed a number of potential Cross-Site Scripting vulnerabilities, an issue allowing circumvention of Team-Based Separation, and an issue where a user could log in with a username matching a UID. We also updated the password reset functionality to allow only one password reset per user every ten minutes, in order to prevent the SimpleRisk system from being used for email bomb attacks.
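As an added illustration of the per-user password reset throttle described above (example code, not SimpleRisk's own implementation), the function below allows one reset e-mail per user in any ten-minute window. The in-memory $state array, the allow_password_reset name and the timestamps are assumptions for the example; a real deployment would keep the last-sent time in the database so the limit holds across requests and web nodes.

```php
<?php
// Added example, not code from the SimpleRisk project: throttle password
// reset e-mails to one per user every ten minutes so the reset form cannot
// be used to flood a victim's mailbox.

const RESET_WINDOW_SECONDS = 600; // ten minutes

/**
 * Returns true (and records the request) if a reset e-mail may be sent to
 * $username now, or false if one was already sent inside the window.
 *
 * $state maps a normalised username to the Unix time of the last reset
 * e-mail. It is an in-memory array here (assumption for the example); in
 * production this belongs in persistent storage.
 */
function allow_password_reset(array &$state, string $username, int $now): bool
{
    // Normalise the key so "Alice" and "alice " share one bucket.
    $key = strtolower(trim($username));

    if (isset($state[$key]) && ($now - $state[$key]) < RESET_WINDOW_SECONDS) {
        return false; // still inside the ten-minute window
    }

    $state[$key] = $now;
    return true;
}

// Constructed demonstration with fixed timestamps.
$state = [];
$t0 = 1625000000;
var_dump(allow_password_reset($state, 'alice', $t0));       // true: first request
var_dump(allow_password_reset($state, 'alice', $t0 + 30));  // false: inside window
var_dump(allow_password_reset($state, 'ALICE', $t0 + 599)); // false: same bucket
var_dump(allow_password_reset($state, 'alice', $t0 + 600)); // true: window elapsed
var_dump(allow_password_reset($state, 'bob', $t0 + 30));    // true: separate user
```

Two design points matter when wiring this into a reset form: apply the throttle before the account lookup, so the response (and its timing) is the same for existing and non-existent usernames and the form cannot be used to enumerate accounts; and return the same generic "if that account exists, an e-mail has been sent" message whether the request was throttled or not.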
The SimpleRisk Extras are the paid-for functionality that extends the features of the SimpleRisk Core. This release includes a large amount of new functionality and bug fixes for the SimpleRisk Extras:
- Added the ability to create multiple templates for use with Organizational Hierarchy.
- Fixed an issue where User Multi-Select dropdowns would cause a risk to be unable to save.
- Fixed an issue where the Risk Mapping field could not be restored.
- User Multi-Select dropdowns will now respect the organizational hierarchy.
- Added a check that prevents users from manually creating duplicate users using LDAP/SAML.
- Added sharing functionality for Risk Assessments allowing you to give access to the results to a person who does not have a SimpleRisk login.
- Import/Export capabilities have been updated to be more in line with how Risk imports work. Question IDs are now absolute values and no longer relative to the import only. Mapping a question ID updates the question on that line, while leaving it unmapped imports the question as a new question.
- Fixed an issue where mapped controls were not saved if Compliance Assessment was not checked.
- We now display the Question ID in various places to help with the new changes to import/export.
- When an import includes an answer that has Submit Risk set to "1" and no "Subject" defined, we now set Submit Risk to "0" and warn the user that questions lacking a subject were edited so they do not attempt to submit a risk with a blank subject.
- Imports can now be used to remove answers to a question. Only answers imported with a given question will remain on the imported question even if others already exist in the system for that question.
- Added the Current and Desired Control Maturity fields to Control Import.
- Added the Current and Desired Control Maturity fields to Control Export.
- Filters on the Dynamic Risk report will now be respected when exporting.
- Added a new feature allowing users to customize their notifications layout and text.
- Fixed an issue where certain configurations in the Notification Extra Configuration page would not be saved.
- Fixed an issue where Automated Notifications of Unreviewed / Past Due Risks failed to complete if there was a user with no review permissions and only the Notify Reviewer option was selected.
- Fixed an issue where mitigation related e-mails would not decrypt properly with encryption turned on.
- Fixed an issue where unreviewed risks did not appear in the unreviewed/past due risk scheduled e-mail.
- Added Notify Approver to the notify section for Document Reviews.
- When a review rejects and closes a risk, the close notification will now be sent as expected.
- Fixed an issue where Org Hierarchy would not function properly with admin users who did not belong to all teams.
- Added the ability for users to assign individual templates based on the Business Unit they are currently working with.
- Fixed a potential XSS vulnerability associated with the use of Organizational Hierarchy.
- Added permissions for Incident Management.
A few days after officially releasing the 20210625-001 release, we performed additional testing and decided to roll a new 20210630-001 release to address a couple of items. This included:
- Fixing a bug which allowed admins to disable their own account.
- Updating the usage of "echo" statements in the API.
With this release live, we continued to track additional issues and determined that we wanted to do a third release, 20210713-001, to address these additional items:
- Added recording of actions related to the Document Program functionality to the audit trail.
- Fixed an issue with some small icons and symbols that would not be displayed properly.
- Fixed an issue where the Additional Stakeholders field would not be displayed as intended.
- Updated the Upgrade Extra to update the database to the latest version instead of just the next version.
- Added new checks to the Upgrade Extra to avoid issues in advance which could cause an upgrade to fail.
- Updated the Custom Authentication Extra to use the SimpleSAMLphp files that are now provided in the SimpleRisk Core.