Introduction
IriusRisk offers many options for customizing an installation. The list below is one an organization might use to decide the order or priority in which to start customizing.
The items are prioritized based on the following criteria:
- Delivers immediate value to the threat modeling process
- Relative ease of implementation (some items are more complex than others)
Recommended customization priorities:
- Workflows - provide a status or stage for threat models to flow through
- Security Classifications - provide categories for assets related to confidentiality, integrity, and impact. These might match your organization's information classification requirements.
- Assets - specific types of data (assets) that are assigned to each component and marked as being stored, processed, received, or sent
- Trust Zones - define the relative trust among different areas of your threat model. The product comes with preconfigured trust zones.
- Roles & Permission Sets - provide the correct permission sets to users per role
- Custom Fields - add custom fields to projects, threats, and countermeasures
- Architecture Questionnaires - add questions for end users during project setup
- Component Questionnaires - add questions for end users for specific components
- Rule Engine - add condition/action rule sets to custom fields, workflows, questionnaires, etc.
- Standardized Tags - create standardized tags that will be used for projects, data flows, and components
- Security Libraries - libraries provide the basis for automating custom threats and countermeasures through the rules engine and custom components
- Custom standard - automatically moves countermeasures into a required status
- Custom Components - creating custom components allows users to map risk patterns from custom libraries (or pre-existing libraries) that can be automatically added to threat models when users add those components to architecture diagrams
Obviously, this list depends on the organization's strategic and tactical requirements and will change from deployment to deployment.
Time estimate for customizations:
Provided that an organization has a general idea of the content it wants to add in each of the customization areas listed above, the following are general estimates of how long each area should take to customize.
| Customization Area | Customization Timeline |
| --- | --- |
| Workflows | 30 Minutes |
| Security Classifications | 30 Minutes |
| Assets | 30 Minutes |
| Trust Zones | 30 Minutes |
| Roles & Permissions Sets | 2 - 4 hours |
| Custom Fields | 10 minutes per custom field |
| Architecture Questionnaires | 20 minutes per questionnaire |
| Component Questionnaires | 20 minutes per component questionnaire |
| Rules Engine | 10 minutes per rule, 10 minutes for testing |
| Standardized Tags | 1 minute per tag |
| Security Libraries | 20 minutes per risk pattern |
| Customized standards | 5 minutes to create a standard, 2 minutes to attach the standard to a pre-established countermeasure. |
| Custom Components | 5 minutes per component (if risk patterns have been completed) |