Conformatix Wiki


Release notes 1.5.0

Conformatix® v1.5.0 Release notes.

Release date: December 4th 2020

Some of the fixes and additional functionalities are related to Conformatix’s risk module. This module makes it easy to identify and manage risks, with a focus on (but not limited to) information security. If you do not use this module yet, please consider it and contact us.

Hot Fixes

Insights > Issues (deployed Oct 19th)

Report only displayed issues with “issue type: audit”.

Added "Issue Type" selector dropdown.

New functionalities / Improvements

General

We added Conformatix’s version number in the bottom left corner.

Users:

We introduced a section User Based Settings in the user profile. This is a user-based approach for some options within the system that the system-wide rights or roles could not cover:

  • Assign Risk Owner & Manage Risks can now be switched on at the user level, adding (but not removing) additional rights in case the Risk Module is obtained.
  • User-based roles will be part of the User Based Settings in the user's profile section.

Processes:

View process step - added edit button in view mode.

A retired process can now still be edited.

New steps cannot be added to a retired process.

Process steps are now searchable by name as well.

Compliance:

Requirements - we added an extra level, so requirements can now be 4 levels deep.

We removed the +/- signs if there are no underlying parts.

The Risk module related content regarding Gaps (Requirements) is now only visible when the risk module is active.

"Relevant Issues": at each requirement, a new part is added to display relevant related unsolved issues.

"Relevant Risks": at each requirement, a new part is added to display relevant non-closed risks.

Issues:

Added the option to overrule mandatory process field with checkbox "No Process required" on add issue.

Issues will now get a unique number. The unique numbers upon creation are unique to each company.

The issues counter will restart when the year changes to have a correlation with the year created. (Example: 19-0001, 19-0002, 20-0003, 20-0004).

All issues already in the system will get a unique number during rollout.

The column "Issue type" has been added to the grid, which makes selection easier.

The search function now also searches on the "Issue type".

Issues can now be exported to an Excel list.

Audits:

Added the option to overrule mandatory process field with checkbox "No Process required" on add audit.

In the Audit planning there is a new checkbox, which shows "overdue audits". This will help you focus on the audits that had to be performed already and better manage your audit planning.

Projects:

We added a comment/description box to provide more information to a project.

Delete / Retire actions:

When deleting/retiring parts, there is now an informative message saying that it cannot be done in case the part is still used. A lightbox now shows the related parts and you can click them to go directly to that part in a new window.

Risk Module

In view mode the HTML of the memo field was not parsed correctly.

Administration, Chance and impact lists: we removed the pagination and items per page selector, as there are only 5 for each.

When the risk assessment is finished, a date stamp is given to the assessment as a whole (Event+threats+process+consequences). This is triggered by a button.

The user is shown a confirmation prompt with the text "This action will store the initial assessment date for audit trail purposes, are you sure? Y/N". Choosing No cancels the action; otherwise the initial date is stored.

This historical timestamp (1st initial assessment date) freezes all parts involved (Event+threats+process+consequences). The reason for this is that even when a risk is mitigated, circumstances (legal/new laws etc.) could mean the assessment could/should be re-evaluated (the second date), basically triggering a new assessment.

If risks as part of the loaded assessment are already mitigated by means of the treatment planning (Status closed), the threat (or consequence) should get the values from the closed treatment and should become editable in the assessment screen.

A new (initial) date stamp will only be possible if the assessment leads to new values (any!) within the assessment (else the timestamp will be greyed out). It should then be saved as a NEW UNASSIGNED part of the treatment planning.

As long as the threat as part of the risk assessment has not been assigned in the treatment planning, the values in the assessment should be editable.

The evaluation timestamp button is only for a CISO whose job it is to evaluate the assessment; pressing it should overwrite the last evaluation date. The evaluation date timestamp button should only be available to users with the appropriate (user-based) rights.

The “assign risk owner” right is sufficient to have the option to make the evaluation as described above. The button should hence only be available in case the user has the “assign risk owner” right.

Inconsistencies:

Sometimes the order of requirements was shown inconsistently.

Sometimes the browser tab showed the wrong name.

Within the application there was inconsistent use of save/submit/edit. The following are fixed:

  • Issues > Manage Issues > Edit, the save button reads Edit instead of save.
  • Processes > Edit Process > Edit, the save button reads Edit instead of save.
  • Processes > Edit Process > Edit Process step, the save button reads Submit instead of save.
  • Audits > Register Audit > the save button reads Submit instead of save.
  • Audits > History > Edit Audit > the save button reads Submit instead of save.
  • Administration > Users > Create new > the save button reads Submit instead of save.
  • Administration > Users > Edit > the save button reads Submit instead of save.
  • Administration > Assets Edit > the save button reads Edit instead of save.
  • Administration > Dropdowns > When editing: Norm Categories, Issue Categories, Asset Category, Asset Data Category, Asset Goal Category, Security Measure, Stakeholder Category and Chance & Impact the save button reads Edit instead of Save.

Bug Fixes:

Audits

It was impossible to select any other user than the user group auditor.

Retired processes should not be shown in audit planning but only in audit history.

Audit > Planning - date and frequency were not sortable.

Compliance:

When looking at requirements with the reader role, the processes did not show.

Insights:

Asset Report - did not show all assets.

Process:

When the PDF was created, it was missing the "Task Type" in the process steps.

Translations:

Some parts missed the relation with the translation tables.

Risk Module:

Some small layout issues that influenced readability.

Risk appetite: columns are now responsive.

Closed risks still appeared in the users tasks.

An additional word was added into the closed description risk from the place it was related to.

Retire / delete function:

Delete functionality should not be blocked if related issues are already closed.