Matrix generator

README.md

@@ -129,9 +129,9 @@ Checkout the [library](/backend/library/libraries/) and [tools](/tools/) for the
 - UK Cyber Essentials
 - and much more: just ask on [Discord](https://discord.gg/qvkaMdQ8da). If it's an open standard, we'll do it for you, _free of charge_ 😉
 
-### Add your own framework
+### Add your own library (framework, threat catalog, reference controls catalog or matrix)
 
-Have a look in the tools directory and its dedicated readme. The convert_framework.py script will help you create your library from a simple Excel file. A typical framework can be ingested in a few hours.
+Have a look in the tools directory and its dedicated readme. The convert_library.py script will help you create your library from a simple Excel file. A typical framework can be ingested in a few hours.
 
 You will also find some specific converters in the tools directory (e.g. for CIS or CCM Controls).
 

backend/library/libraries/risk-matrix-3x3-mult.yaml

@@ -0,0 +1,88 @@
+urn: urn:intuitem:risk:library:risk-matrix-3x3-mult
+locale: fr
+ref_id: risk-matrix-3x3-mult
+name: Matrice 3x3 multiplicative
+description: Matrice de risque simple 3x3 multiplicative
+copyright: domaine public
+version: 1
+provider: intuitem
+packager: intuitem
+objects:
+  risk_matrix:
+  - urn: urn:intuitem:risk:matrix:3x3-mult
+    ref_id: risk-matrix-3x3-mult
+    name: Matrice 3x3 multiplicative
+    description: Matrice de risque simple 3x3 multiplicative
+    probability:
+    - id: 0
+      abbreviation: 1
+      name: '[1] peu probable'
+      description: 0-33%
+      hexcolor: '#92D050'
+    - id: 1
+      abbreviation: 2
+      name: '[2] moyennement probable'
+      description: 34-66%
+      hexcolor: '#FFFF00'
+    - id: 2
+      abbreviation: 3
+      name: "[3] tr\xE8s probable"
+      description: '>66%'
+      hexcolor: '#FF0000'
+    impact:
+    - id: 0
+      abbreviation: 1
+      name: '[1] mineur'
+      description: impact mineur
+      hexcolor: '#92D050'
+    - id: 1
+      abbreviation: 2
+      name: "[2] mod\xE9r\xE9"
+      description: "impact mod\xE9r\xE9"
+      hexcolor: '#FFFF00'
+    - id: 2
+      abbreviation: 3
+      name: '[3] majeur'
+      description: impact majeur
+      hexcolor: '#FF0000'
+    risk:
+    - id: 0
+      abbreviation: 1
+      name: '[1] faible'
+      description: "n\xE9gligeable"
+      hexcolor: '#92D050'
+    - id: 1
+      abbreviation: 2
+      name: '[2] moyen'
+      description: "tol\xE9rable"
+      hexcolor: '#D3FF4E'
+    - id: 2
+      abbreviation: 3
+      name: '[3] moyen'
+      description: "tol\xE9rable"
+      hexcolor: '#EAFF03'
+    - id: 3
+      abbreviation: 4
+      name: '[4] moyen'
+      description: "tol\xE9rable"
+      hexcolor: '#FFFF00'
+    - id: 4
+      abbreviation: 6
+      name: '[6] fort'
+      description: "rem\xE9diation sour 6 mois"
+      hexcolor: '#FFC000'
+    - id: 5
+      abbreviation: 9
+      name: '[9] critique'
+      description: "Rem\xE9diation sous 2 mois"
+      hexcolor: '#FF0000'
+    grid:
+    - - 0
+      - 1
+      - 2
+    - - 1
+      - 3
+      - 4
+    - - 2
+      - 4
+      - 5

backend/library/libraries/risk-matrix-5x5-sensitive.yaml

@@ -0,0 +1,104 @@
+urn: urn:intuitem:risk:library:risk-matrix-5x5-sensitive
+locale: en
+ref_id: risk-matrix-5x5-sensitive
+name: 5x5 sensitive
+description: 5x5 matrix for highly sensitive
+copyright: domaine public
+version: 1
+provider: intuitem
+packager: intuitem
+objects:
+  risk_matrix:
+  - urn: urn:intuitem:risk:matrix:5x5-sensitive
+    ref_id: risk-matrix-5x5-sensitive
+    name: 5x5 sensitive
+    description: 5x5 matrix for highly sensitive
+    probability:
+    - id: 0
+      abbreviation: AC
+      name: rare
+      description: rare
+    - id: 1
+      abbreviation: LI
+      name: unlikely
+      description: unlikely
+    - id: 2
+      abbreviation: MO
+      name: moderate
+      description: moderate
+    - id: 3
+      abbreviation: UN
+      name: likely
+      description: likely
+    - id: 4
+      abbreviation: RA
+      name: almost certain
+      description: almost certain
+    impact:
+    - id: 0
+      abbreviation: IN
+      name: insignificant
+      description: insignificant
+    - id: 1
+      abbreviation: MI
+      name: minor
+      description: minor
+    - id: 2
+      abbreviation: SI
+      name: significant
+      description: significant
+    - id: 3
+      abbreviation: MA
+      name: major
+      description: major
+    - id: 4
+      abbreviation: SE
+      name: severe
+      description: severe
+    risk:
+    - id: 0
+      abbreviation: LO
+      name: low
+      description: low
+      hexcolor: '#02A45A'
+    - id: 1
+      abbreviation: ME
+      name: medium
+      description: medium
+      hexcolor: '#FFCE02'
+    - id: 2
+      abbreviation: HI
+      name: high
+      description: high
+      hexcolor: '#FFA600'
+    - id: 3
+      abbreviation: CR
+      name: critical
+      description: critical
+      hexcolor: '#FF1A00'
+    grid:
+    - - 0
+      - 0
+      - 0
+      - 1
+      - 1
+    - - 0
+      - 0
+      - 1
+      - 1
+      - 2
+    - - 0
+      - 1
+      - 1
+      - 2
+      - 3
+    - - 1
+      - 1
+      - 2
+      - 3
+      - 3
+    - - 1
+      - 2
+      - 3
+      - 3
+      - 3

tools/README.md

@@ -1,6 +1,6 @@
 # Library workbench
 
-The convert-framework.py script can be used to transform an Excel file to a CISO Assistant library.
+The convert-library.py script can be used to transform an Excel file to a CISO Assistant library.
 
 Have a look to the given examples.
 
@@ -9,7 +9,7 @@ Have a look to the given examples.
 To launch it, open a shell in a command line, and type:
 
 ```bash
-python convert-framework.py your_library_file.xlsx
+python convert-library.py your_library_file.xlsx
 ```
 
 This will produce a file name your_library_file.yaml
@@ -20,26 +20,34 @@ This will produce a file name your_library_file.yaml
 Conventions:
     | means a cell separation, <> means empty cell
     The first tab shall be named "library_content" and contain the description of the library in the other tabs
-        library_urn                 | <urn>
-        library_version             | <version>
-        library_locale              | <en/fr/...>
-        library_ref_id              | <ref_id>
-        library_name                | <name>
-        library_description         | <description>
-        library_copyright           | <copyright>
-        library_provider            | <provider>
-        library_packager            | <packager>
-        library_dependencies        | <urn1, urn2...
-        framework_urn               | <urn>
-        framework_ref_id            | <ref_id>
-        framework_name              | <name>
-        framework_description       | <description>
-        reference_control_base_urn  | <base_urn>            | id
-        threat_base_urn             | <base_urn>            | id
-        tab                         | <tab_name>            | requirements       | <section_name>
-        tab                         | <tab_name>            | threats            | <base_urn>
-        tab                         | <tab_name>            | reference_controls | <base_urn>
-
+        library_urn                | <urn>
+        library_version            | <version>
+        library_locale             | <en/fr/...>
+        library_ref_id             | <ref_id>
+        library_name               | <name>
+        library_description        | <description>
+        library_copyright          | <copyright>
+        library_provider           | <provider>
+        library_packager           | <packager>
+        library_dependencies       | <urn1, urn2...
+        framework_urn              | <urn>
+        framework_ref_id           | <ref_id>
+        framework_name             | <name>
+        framework_description      | <description>
+        framework_min_score        | <min_score>
+        framework_max_score        | <max_score>
+        reference_control_base_urn | <base_urn> | id
+        threat_base_urn            | <base_urn> | id
+        risk_matrix_urn            | <urn>
+        risk_matrix_ref_id         | <ref_id>
+        risk_matrix_name           | <name>
+        risk_matrix_description    | <description>
+        tab                        | <tab_name> | requirements
+        tab                        | <tab_name> | threats            | <base_urn>
+        tab                        | <tab_name> | reference_controls | <base_urn>
+        tab                        | <tab_name> | scores
+        tab                        | <tab_name> | implementation_groups
+        tab                        | <tab_name> | risk_matrix
 
     For requirements:
         If no section_name is given, no upper group is defined, else an upper group (depth 0) with the section name is used.
@@ -64,6 +72,16 @@ Conventions:
             - description
             - category (policy/process/techncial/physical).
             - annotation
+    For risk matrices:
+        The first line is a header, with the following mandatory fields:
+            - type: probability/impact/risk.
+            - id: a number from 0 to n-1 (depending of the number of objects for a given type)
+            - abbreviation: the abbreviation for the object
+            - name: name of the object
+            - description: description of the object
+            - grid: several columns describing the matrix with colors.
+        The grid shall be aligned with the probability objects, the columns being the impact in order of id, and the content of each cell being the id of the risk.
+        This is a topological representation. The display on the screen (transposition, direction of axes) will be managed in the frontend, not in the data model. 
     A library has a single locale. Translated libraries have the same urns, they are merged during import.
     Dependencies are given as a comma or blank separated list of urns.
 ```

tools/aircyber/aircyber.py

@@ -95,7 +95,9 @@
 ws.append(["tab", "implementation_groups", "implementation_groups"])
 
 ws1 = wb_output.create_sheet("controls")
-ws1.append(["assessable", "depth", "ref_id", "name", "description", "implementation_groups"])
+ws1.append(
+    ["assessable", "depth", "ref_id", "name", "description", "implementation_groups"]
+)
 for row in output_table:
     ws1.append(row)
 ws2 = wb_output.create_sheet("implementation_groups")

tools/ccm/convert_ccm.py

@@ -97,12 +97,18 @@ def pretify_content(content):
 ws1 = wb_output.create_sheet("controls")
 ws1.append(
     ["assessable", "depth", "ref_id", "name", "description", "implementation_groups"]
-    )
+)
 for row in output_table:
     ws1.append(row)
 ws2 = wb_output.create_sheet("implementation_groups")
 ws2.append(["ref_id", "name", "description"])
-ws2.append(["lite", "foundational", "foundational controls that should be implemented by any organization, regardless of their budget, maturity and risk profile"])
+ws2.append(
+    [
+        "lite",
+        "foundational",
+        "foundational controls that should be implemented by any organization, regardless of their budget, maturity and risk profile",
+    ]
+)
 ws2.append(["full", "systematic ", "systematic assessment of a cloud implementation"])
 print("generate ", output_file_name)
 wb_output.save(output_file_name)

tools/cis/convert_cis.py

@@ -44,7 +44,9 @@
                 else:
                     safeguard_index += 1
                     safeguard = f"{control},{safeguard_index}"
-                    implementation_groups = "IG1,IG2,IG3" if ig1 else "IG2,IG3" if ig2 else "IG3"
+                    implementation_groups = (
+                        "IG1,IG2,IG3" if ig1 else "IG2,IG3" if ig2 else "IG3"
+                    )
                     output_table.append(
                         ("x", 2, safeguard, title, description, implementation_groups)
                     )
@@ -73,14 +75,28 @@
 ws.append(["tab", "implementation_groups", "implementation_groups"])
 
 ws1 = wb_output.create_sheet("controls")
-ws1.append(["assessable", "depth", "ref_id", "name", "description", "implementation_groups"])
+ws1.append(
+    ["assessable", "depth", "ref_id", "name", "description", "implementation_groups"]
+)
 for row in output_table:
     ws1.append(row)
 
 ws2 = wb_output.create_sheet("implementation_groups")
 ws2.append(["ref_id", "name", "description"])
-ws2.append(["IG1", "Essential Cyber Hygiene", "Minimum standard of information security for all enterprises."])
-ws2.append(["IG2", "", "For enterprises managing IT infrastructure of multiple departments with differing risk profiles."])
+ws2.append(
+    [
+        "IG1",
+        "Essential Cyber Hygiene",
+        "Minimum standard of information security for all enterprises.",
+    ]
+)
+ws2.append(
+    [
+        "IG2",
+        "",
+        "For enterprises managing IT infrastructure of multiple departments with differing risk profiles.",
+    ]
+)
 ws2.append(["IG3", "", "To secure sensitive and confidential data."])
 
 print("generate ", output_file_name)