Skip to content

Latest commit

 

History

History
554 lines (395 loc) · 22.3 KB

README.md

File metadata and controls

554 lines (395 loc) · 22.3 KB

Star the project 🌟 to get releases notification and help growing the community!

intuitem%2Fciso-assistant-community | Trendshift
intuitem.com · SaaS Free trial · Roadmap · Docs · Languages · Discord · Frameworks

CodeFactor API Tests Functional Tests Codacy Badge FOSSA Status

CISO Assistant brings a different take to GRC and Cyber Security Posture Management:

  • by explicitly decoupling compliance from cybersecurity controls implementation
  • has built-in standards, security controls and threats
  • risk assessment and remediation plan follow-up
  • allows to manage a catalog for security controls and threats
  • you can bring your own framework as well using a simple syntax
  • manage audit, evidences collection and report generation

Our vision is to provide a one stop shop for cyber security posture management and cover the layers of GRC (Governance, Risk and Compliance). As practitioners interacting with multiple cybersecurity and IT professionals, we have struggled with fragmentation and lack of efficient tooling. We keep improving CISO Assistant with anything that could bring clarity and productivity to cybersecurity teams and reduce the effort of research, audit management and paperwork.

CyberSecurity teams need to use GRC as a foundation to structure their program and implement the right tools and processes to mitigate the risks, and leave the rest to CISO Assistant 🐙

The vision of the tool is based on these fundamental objects:

There are other concepts and models to provide other features. The full details are available in the data model.

The decoupling concept is a pillar of the app and allows you to save a considerable amount of time:

  • reuse previous assessments,
  • assess a scope against multiple frameworks at the same time,
  • leave the reporting formatting and sanity check to CISO assistant and focus on your fixes,
  • balance controls implementation and compliance follow-up

Here is an illustration of the decoupling principle and its advantages:

01_decoupling_.mp4

Features

Here is an overview of CISO Assistant features and capabilities:

overview

CISO Assistant is developed and maintained by intuitem, a French 🇫🇷 company specialized in Cyber Security, Cloud and Data/AI.

Quick Start 🚀

Tip

The easiest way to get started is through the free trial of cloud instance available here.

Alternatively, once you have Docker and Docker-compose installed, on your workstation or server:

clone the repo:

git clone https://github.com/intuitem/ciso-assistant-community.git

and run the starter script

./docker-compose.sh

If you are looking for other installation options, you might want to check the docs.

Note

The docker-compose script uses prebuilt Docker images supporting most of the standard hardware architecture. If you're using Windows, Make sure to have WSL installed and trigger the script within a WSL command line. It will feed Docker Desktop on your behalf.

The docker compose file can be adjusted to pass extra parameters to suit your setup (e.g. Mailer settings).

Warning

If you're getting warnings or errors about image's platform not matching host platform, raise an issue with the details and we'll add it shortly after. You can also use docker-compose-build.sh instead (see below) to build for your specific architecture.

Caution

Don't use the main branch code directly for production as it's the merge upstream and can have breaking changes during our development. Either use the tags for stable versions or prebuilt images.

End-user Documentation

Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant.

Supported frameworks 🐙

  1. ISO 27001:2022 🌐
  2. NIST Cyber Security Framework (CSF) v1.1 🇺🇸
  3. NIST Cyber Security Framework (CSF) v2.0 🇺🇸
  4. NIS2 🇪🇺
  5. SOC2 🇺🇸
  6. PCI DSS 4.0 💳
  7. CMMC v2 🇺🇸
  8. PSPF 🇦🇺
  9. General Data Protection Regulation (GDPR): Full text and checklist from GDPR.EU 🇪🇺
  10. Essential Eight 🇦🇺
  11. NYDFS 500 with 2023-11 amendments 🇺🇸
  12. DORA (Act, RTS, ITS and GL) 🇪🇺
  13. NIST AI Risk Management Framework 🇺🇸🤖
  14. NIST SP 800-53 rev5 🇺🇸
  15. France LPM/OIV rules 🇫🇷
  16. CCB CyberFundamentals Framework 🇧🇪
  17. NIST SP-800-66 (HIPAA) 🏥
  18. HDS/HDH 🇫🇷
  19. OWASP Application Security Verification Standard (ASVS) 🐝🖥️
  20. RGS v2.0 🇫🇷
  21. AirCyber ✈️🌐
  22. Cyber Resilience Act (CRA) 🇪🇺
  23. TIBER-EU 🇪🇺
  24. NIST Privacy Framework 🇺🇸
  25. TISAX (VDA ISA) v5.1 and v6.0 🚘
  26. ANSSI hygiene guide 🇫🇷
  27. Essential Cybersecurity Controls (ECC) 🇸🇦
  28. CIS Controls v8* 🌐
  29. CSA CCM (Cloud Controls Matrix)* ☁️
  30. FADP (Federal Act on Data Protection) 🇨🇭
  31. NIST SP 800-171 rev2 (2021) 🇺🇸
  32. ANSSI : recommandations de sécurité pour un système d'IA générative 🇫🇷🤖
  33. NIST SP 800-218: Secure Software Development Framework (SSDF) 🖥️
  34. GSA FedRAMP rev5 ☁️🇺🇸
  35. Cadre Conformité Cyber France (3CF) v1 (2021) ✈️🇫🇷
  36. ANSSI : SecNumCloud ☁️🇫🇷
  37. Cadre Conformité Cyber France (3CF) v2 (2024) ✈️🇫🇷
  38. ANSSI : outil d’autoévaluation de gestion de crise cyber 💥🇫🇷
  39. BSI: IT-Grundschutz-Kompendium 🇩🇪
  40. NIST SP 800-171 rev3 (2024) 🇺🇸
  41. ENISA: 5G Security Controls Matrix 🇪🇺
  42. OWASP Mobile Application Security Verification Standard (MASVS) 🐝📱
  43. Agile Security Framework (ASF) - baseline - by intuitem 🤗
  44. ISO 27001:2013 🌐 (For legacy and migration)
  45. EU AI Act 🇪🇺🤖
  46. FBI CJIS 🇺🇸👮
  47. Operational Technology Cybersecurity Controls (OTCC) 🇸🇦
  48. Secure Controls Framework (SCF) 🇺🇸🌐
  49. NCSC Cyber Assessment Framework (CAF) 🇬🇧
  50. California Consumer Privacy Act (CCPA) 🇺🇸
  51. California Consumer Privacy Act Regulations 🇺🇸
  52. NCSC Cyber Essentials 🇬🇧
  53. Directive Nationale de la Sécurité des Systèmes d'Information (DNSSI) Maroc 🇲🇦
  54. Part-IS ✈️🇪🇺
  55. ENS Esquema Nacional de seguridad 🇪🇸
  56. Korea ISA ISMS-P 🇰🇷
  57. Swiss ICT minimum standard 🇨🇭
  58. Adobe Common Controls Framework (CCF) 🌐
  59. BSI Cloud Computing Compliance Criteria Catalogue (C5) 🇩🇪
  60. Référentiel d’Audit de la Sécurité des Systèmes d’Information, ANCS Tunisie 🇹🇳
  61. ECB Cyber resilience oversight expectations for financial market infrastructures 🇪🇺
  62. Mindeststandard-des-BSI-zur-Nutzung-externer-Cloud-Dienste (Version 2.1) 🇩🇪
  63. Formulaire d'évaluation de la maturité - niveau fondamental (DGA) 🇫🇷
  64. NIS2 technical and methodological requirements 2024/2690 🇪🇺
  65. Saudi Arabian Monetary Authority (SAMA) Cybersecurity Framework 🇸🇦
  66. Guide de sécurité des données (CNIL) 🇫🇷
  67. International Traffic in Arms Regulations (ITAR) 🇺🇸
  68. Federal Trade Commission (FTC) Standards for Safeguarding Customer Information 🇺🇸
  69. OWASP's checklist for LLM governance and security 🌐

Community contributions

  1. PGSSI-S (Politique Générale de Sécurité des Systèmes d'Information de Santé) 🇫🇷
  2. ANSSI : Recommandations de configuration d'un système GNU/Linux 🇫🇷
  3. PSSI-MCAS (Politique de sécurité des systèmes d’information pour les ministères chargés des affaires sociales) 🇫🇷
  4. ANSSI : Recommandations pour la protection des systèmes d'information essentiels 🇫🇷
  5. ANSSI : Recommandations de sécurité pour l'architecture d'un système de journalisation 🇫🇷
  6. ANSSI : Recommandations de sécurité relatives à TLS 🇫🇷
  7. New Zealand Information Security Manual (NZISM) 🇳🇿
  8. Clausier de sécurité numérique du Club RSSI Santé 🇫🇷
  9. Référentiel National de Sécurité de l’Information (RNSI), MPT Algérie 🇩🇿
  10. Misure minime di sicurezza ICT per le pubbliche amministrazioni, AGID Italia 🇮🇹
  11. Framework Nazionale CyberSecurity v2, FNCS Italia 🇮🇹

Note

* These frameworks require an extra manual step of getting the latest Excel sheet through their website as their license prevent direct usage.


Checkout the library and tools for the Domain Specific Language used and how you can define your own.

Coming soon

  • Indonesia PDP

  • COBAC R-2024/01

  • ICO Data protection self-assessment

  • NIST 800-82

  • ASD ISM

  • and much more: just ask on Discord. If it's an open standard, we'll do it for you, free of charge 😉

Add your own library

A library can be a framework, a catalog of threats or reference controls, and even a custom risk matrix.

Take a look at the tools directory and its dedicated README. The convert_library.py script will help you create your library from a simple Excel file. Once you have structured your items in that format, just run the script and use the resulting yaml file.

You can also find some specific converters in the tools directory (e.g. for CIS or CCM Controls).

There is also a tool to facilitate the creation of mappings, called prepare_mapping.py that will create an Excel file based on two framework libraries in yaml. Once properly filled, this Excel file can be processed by the convert_library.py tool to get the resulting mapping library.

Community

Join our open Discord community to interact with the team and other GRC experts.

Testing the cloud version

The fastest and easiest way to get started is through the free trial of cloud instance available here.

Testing locally 🚀

To run CISO Assistant locally in a straightforward way, you can use Docker compose.

  1. Update docker

Make sure you have a recent version of docker (>= 25.0).

  1. Clone the repository
git clone https://github.com/intuitem/ciso-assistant-community.git
cd ciso-assistant-community
  1. Launch docker-compose script for prebuilt images:
./docker-compose.sh

Alternatively, you can use this variant to build the docker images for your specific architecture:

./docker-compose-build.sh

When asked for, enter your email and password for your superuser.

You can then reach CISO Assistant using your web browser at https://localhost:8443/

For the following executions, use "docker compose up" directly.

Tip

If you want a fresh install, simply delete the db directory, (default: backend/db) where the database is stored.

Docker-compose on remote

For docker setup on a remote server or hypervisor, checkout the specific instructions here

Setting up CISO Assistant for development

Requirements

  • Python 3.11+
  • pip 20.3+
  • poetry 1.8+
  • node 18+
  • npm 10.2+
  • pnpm 9.0+
  • yaml-cpp (brew install yaml-cpp libyaml or apt install libyaml-cpp-dev)

Running the backend

  1. Clone the repository.
git clone [email protected]:intuitem/ciso-assistant-community.git
cd ciso-assistant-community
  1. Create a file in the parent folder (e.g. ../myvars) and store your environment variables within it by copying and modifying the following code and replace "<XXX>" by your private values. Take care not to commit this file in your git repo.

Mandatory variables

All variables in the backend have handy default values.

Recommended variables

export DJANGO_DEBUG=True

# Default url is set to http://localhost:5173 but you can change it, e.g. to use https with a caddy proxy
export CISO_ASSISTANT_URL=https://localhost:8443

# Setup a development mailer with Mailhog for example
export EMAIL_HOST_USER=''
export EMAIL_HOST_PASSWORD=''
export [email protected]
export EMAIL_HOST=localhost
export EMAIL_PORT=1025
export EMAIL_USE_TLS=True

Other variables

# CISO Assistant will use SQLite by default, but you can setup PostgreSQL by declaring these variables
export POSTGRES_NAME=ciso-assistant
export POSTGRES_USER=ciso-assistantuser
export POSTGRES_PASSWORD=<XXX>
export POSTGRES_PASSWORD_FILE=<XXX>  # alternative way to specify password
export DB_HOST=localhost
export DB_PORT=5432  # optional, default value is 5432

# Add a second backup mailer
export EMAIL_HOST_RESCUE=<XXX>
export EMAIL_PORT_RESCUE=587
export EMAIL_HOST_USER_RESCUE=<XXX>
export EMAIL_HOST_PASSWORD_RESCUE=<XXX>
export EMAIL_USE_TLS_RESCUE=True

# You can define the email of the first superuser, useful for automation. A mail is sent to the superuser for password initialization
export CISO_SUPERUSER_EMAIL=<XXX>

# By default, Django secret key is generated randomly at each start of CISO Assistant. This is convenient for quick test,
# but not recommended for production, as it can break the sessions (see
# this [topic](https://stackoverflow.com/questions/15170637/effects-of-changing-djangos-secret-key) for more information).
# To set a fixed secret key, use the environment variable DJANGO_SECRET_KEY.
export DJANGO_SECRET_KEY=...

# Logging configuration
export LOG_LEVEL=INFO # optional, default value is INFO. Available options: DEBUG, INFO, WARNING, ERROR, CRITICAL
export LOG_FORMAT=plain # optional, default value is plain. Available options: json, plain

# Authentication options
export AUTH_TOKEN_TTL=900 # optional, default value is 3600 seconds (60 minutes). It defines the time to live of the authentication token
export AUTH_TOKEN_AUTO_REFRESH=True # optional, default value is True. It defines if the token TTL should be refreshed automatically after each request authenticated with the token
  1. Install poetry

Visit the poetry website for instructions: https://python-poetry.org/docs/#installation

  1. Install required dependencies.
poetry install
  1. Recommended: Install the pre-commit hooks.
pre-commit install
  1. If you want to setup Postgres:
  • Launch one of these commands to enter in Postgres:
    • psql as superadmin
    • sudo su postgres
    • psql
  • Create the database "ciso-assistant"
    • create database ciso-assistant;
  • Create user "ciso-assistantuser" and grant it access
    • create user ciso-assistantuser with password '<POSTGRES_PASSWORD>';
    • grant all privileges on database ciso-assistant to ciso-assistantuser;
  1. Apply migrations.
poetry run python manage.py migrate
  1. Create a Django superuser, that will be CISO Assistant administrator.

If you have set a mailer and CISO_SUPERUSER_EMAIL variable, there's no need to create a Django superuser with createsuperuser, as it will be created automatically on first start. You should receive an email with a link to setup your password.

poetry run python manage.py createsuperuser
  1. Run development server.
poetry run python manage.py runserver
  1. Configure the git hooks for generating the build name.
cd .git/hooks
ln -fs ../../git_hooks/post-commit .
ln -fs ../../git_hooks/post-merge .

Running the frontend

  1. cd into the frontend directory
cd frontend
  1. Install dependencies
npm install -g pnpm
pnpm install
  1. Start a development server (make sure that the django app is running)
pnpm run dev
  1. Reach the frontend on http://localhost:5173

Note

Safari will not properly work in this setup, as it requires https for secure cookies. The simplest solution is to use Chrome or Firefox. An alternative is to use a caddy proxy. This is the solution used in docker-compose, so you can use it as an example.

  1. Environment variables

All variables in the frontend have handy default values.

If you move the frontend on another host, you should set the following variable: PUBLIC_BACKEND_API_URL. Its default value is http://localhost:8000/api.

When you launch "node server" instead of "pnpm run dev", you need to set the ORIGIN variable to the same value as CISO_ASSISTANT_URL in the backend (e.g. http://localhost:3000).

Managing migrations

The migrations are tracked by version control, https://docs.djangoproject.com/en/4.2/topics/migrations/#version-control

For the first version of the product, it is recommended to start from a clean migration.

Note: to clean existing migrations, type:

find . -path "*/migrations/*.py" -not -name "__init__.py" -delete
find . -path "*/migrations/*.pyc"  -delete

After a change (or a clean), it is necessary to re-generate migration files:

poetry run python manage.py makemigrations
poetry run python manage.py migrate

These migration files should be tracked by version control.

Test suite

To run API tests on the backend, simply type "pytest" in a shell in the backend folder.

To run functional tests on the frontend, do the following actions:

  • in the frontend folder, launch the following command:
tests/e2e-tests.sh

The goal of the test harness is to prevent any regression, i.e. all the tests shall be successful, both for backend and frontend.

API and Swagger

To interact with it:

  • call /api/iam/login/ with your credentials in the body to get the token
  • pass it then as a header Authorization: Token {token} for your next calls. Notice it's Token not Bearer.

Setting CISO Assistant for production

The docker-compose-prod.yml highlights a relevant configuration with a Caddy proxy in front of the frontend. It exposes API calls only for SSO. Note that docker-compose.yml exposes the full API, which is not yet recommended for production.

Set DJANGO_DEBUG=False for security reason.

Note

The frontend cannot infer the host automatically, so you need to either set the ORIGIN variable, or the HOST_HEADER and PROTOCOL_HEADER variables. Please see the sveltekit doc on this tricky issue. Beware that this approach does not work with "pnpm run dev", which should not be a worry for production.

Note

Caddy needs to receive a SNI header. Therefore, for your public URL (the one declared in CISO_ASSISTANT_URL), you need to use a FQDN, not an IP address, as the SNI is not transmitted by a browser if the host is an IP address. Another tricky issue!

Supported languages 🌐

  • FR: French
  • EN: English
  • AR: Arabic
  • PT: Portuguese
  • ES: Spanish
  • DE: German
  • NL: Dutch
  • IT: Italian
  • PL: Polish
  • RO: Romanian
  • HI: Hindi
  • UR: Urdu
  • CS: Czech
  • SV: Swedish
  • ID: Indonesian

Contributors 🤝

Built With 💜

Security

Great care has been taken to follow security best practices. Please report any issue to [email protected].

License

This repository contains the source code for both the Open Source edition of CISO Assistant (Community Edition), released under the AGPL v3, as well as the commercial edition of CISO Assistant (Pro and Enterprise Editions), released under the intuitem Commercial Software License. This mono-repository approach is adopted for simplicity.

All the files within the top-level "enterprise" directory are released under the intuitem Commercial Software License.

All the files outside the top-level "enterprise" directory are released under the AGPLv3.

See LICENSE.md for details. For more details about the commercial editions, you can reach us on [email protected].

Unless otherwise noted, all files are © intuitem.

Activity

Alt