With so many options for customizing the IriusRisk installation, the list below is intended to help an organization decide the order and priority in which to start customizing.
The items are prioritized according to the following criteria:
- Delivers immediate value to the threat modeling process
- Relative ease of implementation (some items are more complex than others)
Recommended customization priorities:
- Workflows - provides a status or stage for threat models to flow through - LINK
- Security Classifications - provides categories for assets related to confidentiality, integrity, and impact. These might match your organization's information classification requirements. - LINK
- Assets - specific types of data (assets) that will be assigned to each component and marked as being stored, processed, received, or sent. - LINK
- Trust Zones - defines the relative trust among different areas of your threat model. The product does come with preconfigured trust zones. - LINK
- Roles & Permission Sets - providing the correct permission sets to users according to their role - LINK
- Custom Fields - Adding custom fields to projects, threats, and countermeasures - LINK
- Architecture Questionnaires - adding questions for end users during project setup - LINK
- Component Questionnaires - adding questions for end users for specific components
- Rule Engine - adding condition/action rule sets that act on custom fields, workflows, questionnaires, etc. - LINK
- Standardized Tags - creating standardized tags that will be used for project, data flows, and components - LINK
- Security Libraries - libraries provide the basis for automating custom threats and countermeasures through the rules engine and custom components - LINK
- Custom standard - automatically moves countermeasures into a required status - LINK
- Custom Components - creating custom components allows users to map risk patterns from custom libraries (or pre-existing libraries) so that they are automatically added to threat models when users place those components on architecture diagrams - LINK
Obviously, this list depends on the organization's strategic and tactical requirements and will change from deployment to deployment.
Time estimate for customizations:
Provided that an organization has a general idea of what content it wants to add in each of the customization areas mentioned above, below are general estimates of how long each area should take to customize.
| Customization area | Estimated time |
| --- | --- |
| Roles & Permissions Sets | 2 - 4 hours |
| Custom Fields | 10 minutes per custom field |
| Architecture Questionnaires | 20 minutes per questionnaire |
| Component Questionnaires | 20 minutes per component questionnaire |
| Rule Engine | 10 minutes per rule, 10 minutes for testing |
| Standardized Tags | 1 minute per tag |
| Security Libraries | 20 minutes per risk pattern |
| Custom standard | 5 minutes to create a standard, 2 minutes to attach the standard to a pre-established countermeasure |
| Custom Components | 5 minutes per component (if risk patterns have been completed) |