Merge pull request #345 from intuitem/hotfix/scores

hot fix: Improve UX for NIST CSF v2

backend/library/libraries/nist-csf-2.0.yaml

@@ -22,95 +22,31 @@ objects:
       description: 'Application of the organizational cybersecurity risk strategy
         is managed in an ad hoc manner.
 
-        Prioritization is ad hoc and not formally based on objectives or threat environment.
-
-        There is limited awareness of cybersecurity risks at the organizational level.
-
-        The organization implements cybersecurity risk management on an irregular,
-        case-by-case basis.
-
-        The organization may not have processes that enable cybersecurity information
-        to be shared within the organization.
-
-        The organization is generally unaware of the cybersecurity risks associated
-        with its suppliers and the products and services it acquires and uses.'
+        There is limited awareness of cybersecurity risks at the organizational level.'
     - score: 2
       name: Risk informed
       description: 'Risk management practices are approved by management but may not
         be established as organization-wide policy.
 
-        The prioritization of cybersecurity activities and protection needs is directly
-        informed by organizational risk objectives, the threat environment, or business/mission
-        requirements.
-
         There is an awareness of cybersecurity risks at the organizational level,
         but an organization-wide approach to managing cybersecurity risks has not
-        been established.
-
-        Consideration of cybersecurity in organizational objectives and programs may
-        occur at some but not all levels of the organization. Cyber risk assessment
-        of organizational and external assets occurs but is not typically repeatable
-        or reoccurring.
-
-        Cybersecurity information is shared within the organization on an informal
-        basis.
-
-        The organization is aware of the cybersecurity risks associated with its suppliers
-        and the products and services it acquires and uses, but it does not act consistently
-        or formally in response to those risks.'
+        been established.'
     - score: 3
       name: Repeatable
       description: "The organization\u2019s risk management practices are formally\
-        \ approved and expressed as policy. \nRisk-informed policies, processes, and\
-        \ procedures are defined, implemented as intended, and reviewed.\nOrganizational\
-        \ cybersecurity practices are regularly updated based on the application of\
-        \ risk management processes to changes in business/mission requirements, threats,\
-        \ and technological landscape.\nThere is an organization-wide approach to\
-        \ managing cybersecurity risks. Cybersecurity information is routinely shared\
-        \ throughout the organization.\nConsistent methods are in place to respond\
-        \ effectively to changes in risk. Personnel possess the knowledge and skills\
-        \ to perform their appointed roles and responsibilities.\nThe organization\
-        \ consistently and accurately monitors the cybersecurity risks of assets.\
-        \ Senior cybersecurity and non-cybersecurity executives communicate regularly\
-        \ regarding cybersecurity risks. Executives ensure that cybersecurity is considered\
-        \ through all lines of operation in the organization.\nThe organization risk\
-        \ strategy is informed by the cybersecurity risks associated with its suppliers\
-        \ and the products and services it acquires and uses. Personnel formally act\
-        \ upon those risks through mechanisms such as written agreements to communicate\
-        \ baseline requirements, governance structures (e.g., risk councils), and\
-        \ policy implementation and monitoring. These actions are implemented consistently\
-        \ and as intended and are continuously monitored and reviewed."
+        \ approved and expressed as policy.\nOrganizational cybersecurity practices\
+        \ are regularly updated based on the application of risk management processes\
+        \ to changes in business/mission requirements, threats, and technological\
+        \ landscape."
     - score: 4
       name: Adaptive
       description: 'There is an organization-wide approach to managing cybersecurity
         risks that uses risk-informed policies, processes, and procedures to address
-        potential cybersecurity events. The relationship between cybersecurity risks
-        and organizational objectives is clearly understood and considered when making
-        decisions. Executives monitor cybersecurity risks in the same context as financial
-        and other organizational risks. The organizational budget is based on an understanding
-        of the current and predicted risk environment and risk tolerance. Business
-        units implement executive vision and analyze system-level risks in the context
-        of the organizational risk tolerances.
-
-        Cybersecurity risk management is part of the organizational culture. It evolves
-        from an awareness of previous activities and continuous awareness of activities
-        on organizational systems and networks. The organization can quickly and efficiently
-        account for changes to business/mission objectives in how risk is approached
-        and communicated.
+        potential cybersecurity events.
 
         The organization adapts its cybersecurity practices based on previous and
         current cybersecurity activities, including lessons learned and predictive
-        indicators. Through a process of continuous improvement that incorporates
-        advanced cybersecurity technologies and practices, the organization actively
-        adapts to a changing technological landscape and responds in a timely and
-        effective manner to evolving, sophisticated threats.
-
-        The organization uses real-time or near real-time information to understand
-        and consistently act upon the cybersecurity risks associated with its suppliers
-        and the products and services it acquires and uses.
-
-        Cybersecurity information is constantly shared throughout the organization
-        and with authorized third parties.'
+        indicators.'
     requirement_nodes:
     - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv
       assessable: false

frontend/src/routes/(app)/compliance-assessments/[id=uuid]/TreeViewItemContent.svelte

@@ -58,7 +58,9 @@
 
 	const assessableNodes = getAssessableNodes(node);
 	const hasAssessableChildren =
-		children && Object.keys(children).length > 0 && assessableNodes.length > 0;
+		children &&
+		Object.keys(children).length > 0 &&
+		assessableNodes.length - (node.assessable ? 1 : 0) > 0;
 
 	const REQUIREMENT_ASSESSMENT_STATUS = [
 		'compliant',