To be able to create and use a new Standard, the first step should be to create a new custom library. This is covered in the following article.
After creating a new library and implementing the custom content, we are in a position to create a new security standard for the countermeasures. In IriusRisk, standards are essentially tags on countermeasures: for example, the "Encrypt data in transit" countermeasure can be tagged with the PCI-DSS standard, the EU GDPR, and your own custom standard.
The following figure illustrates the standards tagged for the countermeasure CWE-120-MANAGED in the CS-Default library.
For this example, the countermeasure CWE-120-MANAGED is tagged with the following IriusRisk Standards:
- OWASP-ASVS-Level-3-5.1
- OWASP-ASVS-Level-2-5.1
- OWASP-ASVS-Level-1-5.1
- NIST 800-53-SI-10
- ISO/IEC 27002:2013-12.2.1
IriusRisk standards are a fantastic way to mark a whole set of countermeasures as required, as long as they share a common standard. When creating a countermeasure you will see that you can add a standard:
Here you can select an existing standard in the combobox and also add a reference that refines the relationship between the countermeasure and the standard. The "Reference" can point to the specific control in the standard, or it can be a textual description of that control.
If you want to create your own custom standard, you should go to the “Standards” tab in IriusRisk’s Configuration menu and click on “New” (new standard). This is shown in the following figure:
A standard consists of a legible name and a custom unique ID. When mapping a standard onto a countermeasure you can also add a reference. For example, we have implemented the IoT Security Foundation standard as three standards:
- IoTSF Class 0
- IoTSF Class 1
- IoTSF Class 2
We have a countermeasure called “Implement application and network rate limiting” in our IoT library that corresponds to section 2.4.8.7 of IoTSF Class 1 and Class 2, so we have linked those standard references to that countermeasure.
Note: standards cannot be linked to countermeasures in default libraries, only to those in custom libraries.
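The standard-as-tag model described above, shown as an added illustration that is not IriusRisk's own code or API: a hypothetical data model in which each standard link on a countermeasure is a (standard ID, reference) pair, a helper that marks every countermeasure tagged with a chosen standard as required, and the custom-library-only rule enforced at tagging time. The library and countermeasure IDs are constructed sample data based on the article's examples, and the split of a tag such as "NIST 800-53-SI-10" into the standard "NIST 800-53" plus the reference "SI-10" is my assumption about how the name and reference combine.

```python
from dataclasses import dataclass, field

# Hypothetical data model (assumption: not IriusRisk's real schema or API).


@dataclass(frozen=True)
class StandardRef:
    """One standard tag on a countermeasure: the standard's unique ID plus a
    reference that points at the specific control or describes it."""
    standard_id: str
    reference: str


@dataclass
class Countermeasure:
    cm_id: str
    name: str
    standards: set[StandardRef] = field(default_factory=set)
    required: bool = False


@dataclass
class Library:
    name: str
    is_default: bool
    countermeasures: dict[str, Countermeasure] = field(default_factory=dict)

    def add(self, cm: Countermeasure) -> None:
        self.countermeasures[cm.cm_id] = cm


def tagging_allowed(library: Library) -> bool:
    """Standards may only be linked to countermeasures in custom libraries."""
    return not library.is_default


def tag_standard(library: Library, cm_id: str, standard_id: str, reference: str) -> None:
    """Link a standard (with its control reference) to a countermeasure."""
    if not tagging_allowed(library):
        raise ValueError(f"{library.name!r} is a default library; tag standards in a custom library")
    library.countermeasures[cm_id].standards.add(StandardRef(standard_id, reference))


def mark_required(libraries: list[Library], standard_id: str) -> list[str]:
    """Mark every countermeasure tagged with standard_id as required and
    return the sorted IDs that were marked (empty if nothing matches)."""
    marked = []
    for lib in libraries:
        for cm in lib.countermeasures.values():
            if any(ref.standard_id == standard_id for ref in cm.standards):
                cm.required = True
                marked.append(cm.cm_id)
    return sorted(marked)


def references_for(cm: Countermeasure, standard_id: str) -> list[str]:
    """All control references linking this countermeasure to one standard."""
    return sorted(ref.reference for ref in cm.standards if ref.standard_id == standard_id)


def build_sample() -> list[Library]:
    """Constructed sample data mirroring the article's two examples."""
    # The default library ships with its tags already in place; users cannot
    # add to them, so they are set here directly rather than via tag_standard().
    cs_default = Library("CS-Default", is_default=True)
    cwe120 = Countermeasure("CWE-120-MANAGED", "CWE-120-MANAGED")
    cwe120.standards.update({
        StandardRef("OWASP-ASVS-Level-3", "5.1"),
        StandardRef("OWASP-ASVS-Level-2", "5.1"),
        StandardRef("OWASP-ASVS-Level-1", "5.1"),
        StandardRef("NIST 800-53", "SI-10"),
        StandardRef("ISO/IEC 27002:2013", "12.2.1"),
    })
    cs_default.add(cwe120)

    # Custom IoT library: rate limiting maps to IoTSF section 2.4.8.7 in Class 1 and 2.
    iot = Library("IoT", is_default=False)
    iot.add(Countermeasure("IOT-RATE-LIMIT", "Implement application and network rate limiting"))
    tag_standard(iot, "IOT-RATE-LIMIT", "IoTSF Class 1", "2.4.8.7")
    tag_standard(iot, "IOT-RATE-LIMIT", "IoTSF Class 2", "2.4.8.7")
    return [cs_default, iot]


if __name__ == "__main__":
    libs = build_sample()
    print("IoTSF Class 1 requires:", mark_required(libs, "IoTSF Class 1"))
    print("OWASP ASVS L1 requires:", mark_required(libs, "OWASP-ASVS-Level-1"))
    print("IoTSF Class 0 requires:", mark_required(libs, "IoTSF Class 0"))
```

Selecting a standard for a project then reduces to one call to mark_required with that standard's ID; a standard nobody has tagged (IoTSF Class 0 in the sample) simply marks nothing, which is the cue to check the library's tags rather than assume coverage.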