At times, project-level decisions can affect multiple items within a diagram. As an example, several countermeasures within the IriusRisk libraries encourage the use of Multi-Factor Authentication, something you might want to assert once, at the project level. Specifically, you could create a project-level questionnaire that asks if MFA is implemented which, when answered in the affirmative, automatically marks as implemented all countermeasures requiring it.
The complication is that a project-level questionnaire triggers Rules in the Main module, whereas component-specific countermeasures are altered by Rules in the Component module, and a Conclusion created in one module is not visible in the other. In our case, the Conclusion created in the Main module cannot be read by a Rule in the Component module.
We therefore need a chain of Rules rather than a single one, and we need to carry the Conclusion across to the Component module by way of a custom field on the Project, which a Rule in either module can read.
Level of Complexity
Intermediate
Instructions
1. Create a custom field on the Project
Instructions for creating custom fields are here. The field must be a Project-level custom field; note the name you give it, because the Rule in step 4 will set its value to True and the Rule in step 5 will test for that value. Make it look like the following:
2. Add a question to the architecture questionnaire
Instructions for doing this can be found here.
The question should be "Has MFA been implemented for this architecture?" It should have two mutually-exclusive answers, "Yes" and "No."
3. Add a Rule that responds to the "Yes" answer
- Navigate to the Rules panel in IriusRisk
- Select the Rules Editor tab
- Choose the library in which this needs to be stored (This should be stored in the same library that contains the question you created above)
- Click the blue New Rule button
- Name the Rule in a memorable way. For instance, "R: MFA has been implemented"
- In the Module drop-down, select Main
- Under New Condition, select Answer is selected. For the Answer Text, find and select the "Yes" answer created above.
- Under New Action, select Insert Conclusion. Under Type, select Hidden; enter a Unique ID (for instance, mfa-has-been-implemented) and duplicate this text into the Value field. Note the ID, since the Rule in step 4 refers to it.
- Click Save
Here's how the new rule should look:
4. Add a Rule that sets the custom field we created on the Project
A Rule cannot set a custom field directly in response to a questionnaire answer; that is why step 3 first recorded the answer as a Conclusion. With the Conclusion in place, a second Main-module Rule can now set the custom field.
Similarly, the Rules subsystem cannot go directly from a questionnaire answer to a countermeasure status, which is why the procedure takes what may look like needlessly verbose steps.
- Navigate to the Rules panel in IriusRisk
- Select the Rules Editor tab
- Choose the library in which this needs to be stored (This should be stored in the same library that contains the question you created above)
- Click the blue New Rule button
- Name the Rule in a memorable way. For instance, "Mark Project MFA Field as Affirmative"
- In the Module drop-down, select Main
- Under New Condition, select Conclusion exists. For the Conclusions, find and select the conclusion ID you created above in step 3.
- Under New Action, select Set Custom Field Value. Under Custom Field, select the custom field created above; in Custom field value, enter True.
- Click Save
The rule should appear as follows:
5. Add a Rule that changes countermeasure statuses
We are finally ready to actually change the statuses of our selected countermeasures. For the purposes of this example this means that, once a user answers the questionnaire we created in the affirmative, any countermeasures indicated below will be marked Implemented.
- Navigate to the Rules panel in IriusRisk
- Select the Rules Editor tab
- Choose the library in which this needs to be stored (This should be stored in the same library that contains the question you created above)
- Click the blue New Rule button
- Name the Rule in a memorable way. For instance, "Mark MFA-specific countermeasures as implemented"
- In the Module drop-down, select Component (not Main, as was the case above)
- Under New Condition, select Custom Field. For the Name, find and select the custom field created in step 1, above; as Comparator, select Equals; and as Value, enter "True" (the value written by the Rule in step 4).
- Under New Action, select Mark Countermeasure as. Under Status, select Implemented; in Library and Countermeasure, select the libraries and countermeasures that you want to be affected. You can add multiple countermeasures here, all of which will be marked Implemented when the question is answered "Yes." For the purposes of this demo, this is done for the following countermeasures (libraries in parentheses):
- Setup Multi-factor Authentication for Google Cloud Platform accounts (Google Cloud Platform)
- Apply setting MFA for sensitive API calls (Hydras-AWS-Foundation)
- Implement multifactor authentication for ERP (IR-Generic-Components)
- Click Save
Here's what the Rule looks like:
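To make the scoping problem concrete, here is an added example that is not IriusRisk code: a small Python model of the three-Rule chain from steps 3 to 5, with Conclusions kept per module and custom fields kept project-wide. It runs the working chain beside the tempting shortcut (a Component-module Rule keyed directly on the Main-module Conclusion) and shows that the shortcut never fires. The engine's fixpoint loop, the answer IDs, and the custom field name "mfa_implemented" are assumptions of the model; the countermeasure names are the three listed in step 5.

```python
# Toy model of the IriusRisk rule chain described above (not IriusRisk code).
# Assumptions: Conclusions are scoped per module, custom fields are project-wide,
# the custom field is named "mfa_implemented", and the "Yes" answer has ID "mfa-yes".
from dataclasses import dataclass, field
from typing import Callable

MFA_COUNTERMEASURES = [
    "Setup Multi-factor Authentication for Google Cloud Platform accounts",
    "Apply setting MFA for sensitive API calls",
    "Implement multifactor authentication for ERP",
]


@dataclass
class Project:
    answers: set = field(default_factory=set)          # selected answer IDs
    custom_fields: dict = field(default_factory=dict)  # visible to every module
    # Conclusions live in the module that inserted them; Main's are invisible to Component.
    conclusions: dict = field(default_factory=lambda: {"main": set(), "component": set()})
    countermeasures: dict = field(default_factory=dict)  # name -> status


@dataclass
class Rule:
    name: str
    module: str  # "main" or "component", as in the Module drop-down
    condition: Callable[[Project, str], bool]
    action: Callable[[Project, str], bool]  # returns True if it changed the project


# Conditions, mirroring the ones chosen in the Rules Editor.
def answer_is_selected(answer_id):
    return lambda p, module: answer_id in p.answers

def conclusion_exists(conclusion_id):
    return lambda p, module: conclusion_id in p.conclusions[module]

def custom_field_equals(name, value):
    return lambda p, module: p.custom_fields.get(name) == value


# Actions; each reports whether it changed anything so the engine knows when to stop.
def insert_conclusion(conclusion_id):
    def act(p, module):
        if conclusion_id in p.conclusions[module]:
            return False
        p.conclusions[module].add(conclusion_id)
        return True
    return act

def set_custom_field(name, value):
    def act(p, module):
        if p.custom_fields.get(name) == value:
            return False
        p.custom_fields[name] = value
        return True
    return act

def mark_countermeasures(names, status):
    def act(p, module):
        changed = False
        for n in names:
            if n in p.countermeasures and p.countermeasures[n] != status:
                p.countermeasures[n] = status
                changed = True
        return changed
    return act


def run_rules(project, rules, max_passes=10):
    """Re-evaluate all rules until nothing changes, so a rule that is enabled by
    an earlier rule's action fires regardless of the order of the list."""
    for _ in range(max_passes):
        fired = [r.action(project, r.module) for r in rules if r.condition(project, r.module)]
        if not any(fired):
            return project
    raise RuntimeError("rule chain did not converge")


# The chain from steps 3 to 5: answer -> Main Conclusion -> custom field -> Component rule.
WORKING_CHAIN = [
    Rule("R: MFA has been implemented", "main",
         answer_is_selected("mfa-yes"), insert_conclusion("mfa-has-been-implemented")),
    Rule("Mark Project MFA Field as Affirmative", "main",
         conclusion_exists("mfa-has-been-implemented"), set_custom_field("mfa_implemented", "True")),
    Rule("Mark MFA-specific countermeasures as implemented", "component",
         custom_field_equals("mfa_implemented", "True"),
         mark_countermeasures(MFA_COUNTERMEASURES, "Implemented")),
]

# The shortcut that does not work: a Component rule reading the Main Conclusion directly.
SHORTCUT_CHAIN = [
    WORKING_CHAIN[0],
    Rule("Mark MFA countermeasures (wrong module)", "component",
         conclusion_exists("mfa-has-been-implemented"),
         mark_countermeasures(MFA_COUNTERMEASURES, "Implemented")),
]


def evaluate(chain, answered_yes):
    """Fresh project with the three countermeasures still Required; answer the
    question, run the chain, and return the resulting countermeasure statuses."""
    p = Project(answers={"mfa-yes"} if answered_yes else {"mfa-no"},
                countermeasures={n: "Required" for n in MFA_COUNTERMEASURES})
    run_rules(p, chain)
    return p.countermeasures


if __name__ == "__main__":
    for label, chain in (("working", WORKING_CHAIN), ("shortcut", SHORTCUT_CHAIN)):
        for yes in (True, False):
            print(label, "Yes" if yes else "No", sorted(set(evaluate(chain, yes).values())))
```

The model also makes a limitation of the procedure visible: none of the three Rules reverses anything, so changing the answer back to "No" leaves the custom field and the countermeasure statuses as they are. If you need that behaviour, add a matching set of Rules for the "No" answer.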
Example
Testing the result is straightforward. Create a new project, add the component GCP PostgreSQL (or any other component to which one of the relevant risk patterns applies), and answer the MFA question on the questionnaire in the affirmative; the corresponding countermeasure will be marked Implemented automatically. Note that none of the Rules above reverses the change: if a later "No" answer should reset the custom field or the countermeasure statuses, you will need a corresponding set of Rules for that answer.