bmarsh9 / gapps

Security compliance platform - SOC2, CMMC, ASVS, ISO27001, HIPAA, NIST CSF, NIST 800-53, CSC CIS 18, PCI DSS, SSF tracking. https://gapps.darkbanner.com

Add Security exceptions handling for projects #89

Open GBues opened 1 year ago

GBues commented 1 year ago

Hi Bmarsh,

I think it would be great to be able to use gapps to handle a security exceptions list for a project and link them to controls. We could have a review system on each exception.

Thanks in advance, Guillaume

bmarsh9 commented 1 year ago

@GBues That's a good idea. Just to be clear, the use case would be if a control cannot be implemented for some reason, you could create a security exception within the project, tie it to the control, provide an explanation and compensating controls, and get approval?

GBues commented 1 year ago

Thanks for your response :) I think we're OK, but to be really, really clear, here is an example:

Control: all USB ports should be disabled on all computers. Implemented 100%. But on computer X we need it to be allowed, maybe for a short period of time. This is the security exception for me.

I didn't think of approval but that's a good idea.

I would like to see all exceptions for my project to review them periodically. For this I must have the date of creation and a date of review for this exception.

bmarsh9 commented 1 year ago

Yup that makes sense