diff --git a/backend/library/utils.py b/backend/library/utils.py
index 34d622514..440ea117d 100644
--- a/backend/library/utils.py
+++ b/backend/library/utils.py
@@ -198,7 +198,6 @@ def import_requirement_node(self, framework_object: Framework):
 annotation=self.requirement_data.get("annotation"),
 provider=framework_object.provider,
 order_id=self.index,
- level=self.requirement_data.get("level"),
 name=self.requirement_data.get("name"),
 description=self.requirement_data.get("description"),
 maturity=self.requirement_data.get("maturity"),
diff --git a/documentation/architecture/data-model.md b/documentation/architecture/data-model.md
index 6e0909c92..155c982b3 100644
--- a/documentation/architecture/data-model.md
+++ b/documentation/architecture/data-model.md
@@ -81,7 +81,6 @@ erDiagram
 REQUIREMENT_ASSESSMENT }o--o{ EVIDENCE : is_proved_by
 APPLIED_CONTROL }o--o| REFERENCE_CONTROL : implements
 REQUIREMENT_NODE }o--o{ THREAT : addresses
- FRAMEWORK ||--o{ REQUIREMENT_LEVEL : contains
 FRAMEWORK ||--o{ REQUIREMENT_NODE : contains
 APPLIED_CONTROL }o--o{ EVIDENCE : is_proved_by
 RISK_ASSESSMENT }o--|| RISK_MATRIX : applies
@@ -154,18 +153,6 @@ erDiagram
 string provider
 }
- REQUIREMENT_LEVEL {
- string urn
- string locale
- boolean default_locale
- string ref_id
- string name
- string description
- string annotation
-
- int level
- }
-
 REQUIREMENT_NODE {
 string urn
 string locale
@@ -177,7 +164,6 @@ erDiagram
 urn parent_urn
 int order_id
- int level
 int maturity
 boolean assessable
 }
@@ -432,7 +418,6 @@ ReferentialObjectMixin <|-- Threat
 ReferentialObjectMixin <|-- ReferenceControl
 ReferentialObjectMixin <|-- RiskMatrix
 ReferentialObjectMixin <|-- Framework
-ReferentialObjectMixin <|-- RequirementLevel
 ReferentialObjectMixin <|-- RequirementNode
 ReferentialObjectMixin <|-- Mapping
 NameDescriptionMixin <|-- Assessment
@@ -506,18 +491,12 @@ namespace ReferentialObjects {
 +is_deletable() bool
 }
- class RequirementLevel {
- +Framework framework
- +IntegerField level
- }
-
 class RequirementNode {
 +Threat[] threats
 +ReferenceControl[] REFERENCE_CONTROLs
 +Framework framework
 +CharField parent_urn
 +IntegerField order_id
- +IntegerField level
 +IntegerField maturity
 +BooleanField assessable
 }
@@ -688,11 +667,7 @@ Assets are of category primary or support. A primary asset has no parent, a supp
 ## Frameworks
 The fundamental object of CISO Assistant for compliance is the framework. It corresponds to a given standard, e.g. ISO27001:2013. It mainly contains requirements nodes. A requirement node can be assessable or not (e.g. title or informational elements are not assessable). Assessable requirement nodes can be simply called "requirements".
-The structure (tree) of requirements is defined by the level and requirement node objects. The *parent_urn* of a requirement node can either be the URN of another requirement node or null for top-level objects. This allows to simply define the structure of a framework. An assessable requirement node can be the child of another assessable requirement node, which is very convenient for frameworks that have lists of conditions attached to a requirement.
-
-The requirement level objects of a framework optionally provide the naming of each level from 1 to n, when applicable. Requirement nodes have a nullable *level* field to refer to the corresponding requirement level. If requirement nodes are set at a defined level, the term "requirement" is replaced by the name of the correponding level (e.g. "subcategory" for CSF).
-
-If no level information is provided, requirement nodes will be displayed without reference to a notion of level, only as a tree containing requirement nodes. This can address potential frameworks with branches of various depths.
+The structure (tree) of requirements is defined by the requirement node objects. The *parent_urn* of a requirement node can either be the URN of another requirement node or null for top-level objects. This allows to simply define the structure of a framework. An assessable requirement node can be the child of another assessable requirement node, which is very convenient for frameworks that have lists of conditions attached to a requirement.
The maturity field describes the maturity level of the requirement node, when this is relevant (e.g. for CMMC or CIS).