Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Basic Guided tour #1341

Closed
ab-smith opened this issue Jan 9, 2025 · 2 comments
Closed

Basic Guided tour #1341

ab-smith opened this issue Jan 9, 2025 · 2 comments
Assignees
@ab-smith
Labels
enhancement New feature or request

Comments

@ab-smith
Copy link
Contributor

ab-smith commented Jan 9, 2025

Based on the requests and suggestions by the community to ease up the onboarding.
@ab-smith ab-smith added the enhancement New feature or request label Jan 9, 2025
@ab-smith ab-smith self-assigned this Jan 9, 2025
@ab-smith ab-smith pinned this issue Jan 9, 2025
@KlavsKlavsen
Copy link

I've just setup ciso locally - for testing out for our small business.
I was hoping this would somehow help give me a structured approach to implementing ISO 27001:2022, GDPR etc.
I can see the ideas (kind of) - that you can define assets, risk scenarios.. applied controls (to handle risk in someway) etc.

But I could really use some more examples of how this would/should be used to improve security (which is the ultimate goal).

Do you make one "complete initial security assessment" ?
Do you start with "production systems" - and create assets and risks you can think of for those.. or ?
Could really use a Q&A thing f.ex. - to "ask questions" - and create objects or something.. or just a couple of good complete examples of how this is used by organisations successfully.

f.ex. I've found that I can create a primary asset (a service of our own we depend on) - and a supporting asset (the k8s cluster it runs on) and another supporting asset (the servers the k8s cluster consists of). Below that lies my cloud provider (hetzner in this case) and datacenter risks.

I've created a applied control - but that is not showing up under "action plan".. only the '23' imported ones are.. for unknown reason.

also - I'd prefer to not list "physical assets" - such as servers manually - but f.ex. be able to import them from CSV atleast - or point to our CMDB (where I could add an API that would work for CISO to automaticly discover new assets).
(support for pointing to an inventory URL perhaps - that responds with a defined standard response - would work). And then in Pro - you can add support for various proprietary CMDBs - to pull from them specificly.

That way those assets could automaticly be "complained" about not being marked under any compliance check.. (until I do that) etc.

There are many ways this could go.. Its great to see an open source solution to GRC..

@ab-smith
Copy link
Contributor Author

Guided tour first iteration covered in #1333 and we'll have dedicated ones later on, using the same prinicple.
For the full journey, the video format is low code and more suitable and we can do the same polls approach on discord to prioritize which ones are more relevant and keep them to a short format :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ab-smith ab-smith

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@KlavsKlavsen @ab-smith