= Functionality development complete and ready for release

= Functionality development incomplete, but on the short-term roadmap


FUTURE RELEASES (Last Updated 9/28/2020):


Q3 2020 Release Target (September?)

  • Ordering of Past Audits under Compliance by time, in addition to date, so that the last one completed displays at the top.
  • Risk Assessment Extra: Addition of a risk catalog linked to questionnaires and the Secure Controls Framework
  • Risk Assessment Extra: Updating the Additional Notes with Assessment Information
  • Rewrote the API health check to more closely reflect an actual API call.
  • Updated the way that SimpleRisk handles user permissions to make it easier to add new permissions going forward.
  • Updated the way that SimpleRisk handles sessions for improved visibility and consistency.
  • Ability to customize views for the Plan Mitigation, Perform Reviews and Review Regularly pages
  • Ability to filter by asset tags in the Risks and Assets report
  • Creation of a Printable View of the groupings in the Dynamic Risk Report
  • Added GUI-based notifications of when licensed Extras have expired.
  • Fixed a console message about refusing to load the image URL because it violates the CSP directive.
  • Custom Authentication Extra: Added ability to select sAMAccountName and userPrincipalName as a Username Attribute when using LDAP authentication.
  • Notification Extra: Fixed a bug affecting scheduled notifications.
  • Import-Export Extra: Added the ability to install and uninstall frameworks from the GitHub repository with the click of a button.
  • Import-Export Extra: Added AICPA 2017 SOC2 Trusted Services Criteria (TSC) to the one-click framework installation option.
  • Import-Export Extra: Added CIS Critical Security Controls v7 to the one-click framework installation option.
  • Import-Export Extra: Added CMMC v1.02 Maturity Level 1 to the one-click framework installation option.
  • Import-Export Extra: Added CMMC v1.02 Maturity Level 2 to the one-click framework installation option.
  • Import-Export Extra: Added CMMC v1.02 Maturity Level 3 to the one-click framework installation option.
  • Import-Export Extra: Added CMMC v1.02 Maturity Level 4 to the one-click framework installation option.
  • Import-Export Extra: Added CMMC v1.02 Maturity Level 5 to the one-click framework installation option.
  • Import-Export Extra: Added Information Security Regulation Version 2.0 to the one-click framework installation option.
  • Import-Export Extra: Added NIST 800-53 to the one-click framework installation option.
  • Import-Export Extra: Added NIST Cybersecurity Framework (CSF) to the one-click framework installation option.
  • Import-Export Extra: Added PCI DSS v3.2.1 to the one-click framework installation option.
  • Import-Export Extra/Risk Assessment Extra: Added the ability to install and uninstall assessment templates from the GitHub repository with the click of a button.
  • Import-Export Extra/Risk Assessment Extra: Added NIST Cybersecurity Framework (CSF) to the one-click assessment installation option.
  • Import-Export Extra/Risk Assessment Extra: Added PCI DSS v3.2.1 Self-Assessment Questionnaire D for Merchants to the one-click assessment installation option.
  • Incident Management Extra: Fix for a bug where playbooks were not handled on a per-incident basis.
  • ComplianceForge SCF Extra: Updated to display the SCF Control Number as part of the control short name and both the SCF Control Number and SCF Domain as part of the control long name.


Q4 2020 Release Target (December?)

  • Adding a new report to view latest comments and updates to risks
  • Ability to dynamically generate graphs and charts with the Dynamic Risk Report
  • Notification: Allow customization of the language used in notifications
  • Organizational Hierarchy Extra: Update to not show assets that are not in the same Business Unit(s) as the current user.
  • Team-Based Separation: Apply team separation to the viewing and use of assets in dropdowns, searches, and asset management.
  • Incident Management Extra: Set the time along with the date for the start date and detection date.
  • Incident Management Extra: Add user permissions.
  • Incident Management Extra: Add an action menu allowing you to "Escalate", "Close" or "Reopen" an incident.
  • Incident Management Extra: Add Positive/Negative, True/False, Root Cause, and Corrective Action when an incident is closed.
  • Custom Authentication: Enhancements to setting of teams and permissions via AD and SAML attributes


Q1 2021 Release Target (March?)

  • Incident Management Extra: Add the ability to edit existing playbooks and add your own custom playbooks.


Q2 2021 Release Target (June?)



PAST RELEASES:


Q2 2020 Release Target (July 11, 2020)

  • Ability to attach files to policy and control exceptions
  • New permissions under Risk Management for creating, deleting, and managing projects
  • New permissions under Compliance for defining tests and initiating and managing audits
  • Ability to save the column filter selections in the Dynamic Risk Report
  • Fixed a bug with sorting by Subject in the Dynamic Risk Report
  • Fixed a bug where the "Define Tests" page under Compliance would refresh after a new test had been added
  • Added a report under Configuration -> User Management to track users and all of the responsibilities they are associated with.
  • Added a report under Configuration -> User Management to track users and all of the roles they are associated with.
  • Updated the Risks and Controls report to sort by the inherent risk score for the "Risks by Control" view.
  • Added the ability to select a "Document Owner" from the Document Program menu under Governance
  • Added an "Additional Stakeholders" user multi-select dropdown in the Document Program menu under Governance
  • Added an "Approver" user select dropdown in the Document Program menu under Governance
  • Added a "Next Review Date" date select field in the Document Program menu under Governance
  • Added a "Review Frequency" field in the Document Program menu under Governance
  • Added the ability to choose whether to sort by Asset Name or Asset Risk in the Risks and Assets report
  • Added the ability to choose the columns displayed for the Active Audits page under Compliance
  • Removed Obsolete Reports from Reporting
  • Updated to invalidate the old password reset token for a user if a new token is generated
  • Changed "Review Date" to "Approval Date" in the Document Program menu under Governance
  • Changed the Health Check to a tab layout and added a Summary tab
  • Added a new health check to ensure the SimpleRisk Base URL defined in Settings matches the base URL that is being used to access the instance
  • Import-Export Extra: Added the ability to save custom fields in the Import/Export mappings.
  • Team-Based Separation Extra: Added a report under Configuration -> User Management for users mapped to teams and teams mapped to users.
  • Email Notification Extra: Added the ability to send automated notifications for document reviews.
  • Organizational Hierarchy Extra: The Organizational Hierarchy Extra enables the ability to define multiple Business Units which can include any number of teams. Users can then be assigned across one or more teams under various Business Units. This affects a user's ability to see and use the teams, users, and assets which they are not associated with.
  • Incident Management Extra: The Incident Management Extra is based on the NIST 800-61 Computer Security Incident Handling Guide and provides incident management capabilities from within the SimpleRisk system.


Q1 2020 Release Target (March 28, 2020)

  • Add filterable and sortable columns for Dynamic Risk Report and similar tabular views of data
  • Enhance usability of the Dynamic Risk Report by creating expandable sections
  • Performance improvements by converting concatenated ids to junction tables and adding indexes
  • Ability to choose if High Risk Report is based on the Inherent or Residual risk score
  • Fix for creation of circular references with control framework parent-child relationships
  • Fix for different looking Action buttons on the Audit Timeline report
  • Added a new audit log type for user events
  • The Risks and Assets report now includes the risk's locations/teams in the row instead of the asset's locations/teams.
  • Group names are now included on the Assets by Risk report in brackets.
  • The Audit Trail now includes an entry when a framework is deleted.
  • After adding a test to a control, you are now brought back to the same place you were when you clicked "Add Test".
  • Changing user permissions while a session is open will now immediately take effect without the need to logout.
  • Added the ability to control whether the "High Risk Report" is based on the Inherent or Residual risk score.
  • Added a new health check to see if an Extra is compatible with the SimpleRisk instance version.
  • Added a new health check to see if an instance is running the most recent version of an Extra.
  • Added a new health check to check for proper MySQL database user permissions.
  • Sorted the "Mitigation Controls" dropdown in alphabetical order when planning a mitigation.
  • Fixed an issue in the Risks and Assets report where assets that were part of an asset group were not displayed when the asset was assigned to a risk and the asset group was not.
  • Fixed a bug where using the "Group By" feature on the Dynamic Risk Report would show both a column header and footer when that was not necessary.
  • Updated a function that caused an error when the SimpleRisk Base URL was not set.
  • Fixed a bug when updating your user profile language while selecting "--".
  • Fixed a bug where users would not receive password reset emails without setting the simplerisk_base_url value.
  • Fixed an issue where MySQL instances with STRICT_TRANS_TABLES enabled would throw an error if too many characters were entered into the Compliance related fields.
  • Fixed a bug where the risk levels for "Custom" Classic Risk scoring were not being set properly.
  • Removed Control Regulation from Add and Remove Values as this is now managed through the Governance section of SimpleRisk.
  • Fixed a UI bug that would occur when a Framework's name was too long.
  • Fixed an issue where reporting with Risks and Assets would cause an incorrect maximum quantitative loss when an asset group was attached to a risk.
  • Fixed a bug that was causing the Site/Location and Asset Valuation for assets to not accept new changes.
  • Fixed various issues that occur when SimpleRisk is run from a sub-directory of the virtualhost's web root.
  • Fixed a bug where all pages were making unnecessary calls to the SimpleRisk update server.
  • Fixed a bug where circular references could be made for Frameworks using parent/child associations.
  • Fixed undefined index errors on the Risk and Controls report.
  • Fixed a bug where the Contributing Risk popup window was named "SimpleRisk OWASP Calculator" instead of "SimpleRisk Contributing Risk Calculator".
  • Added the ability to set SimpleRisk to make requests via a proxy through the SimpleRisk UI under the "Security" tab in Configure -> Settings.
  • Open sessions are now immediately invalidated when a password is reset.
  • When account lockouts occur, any active sessions from that account are also invalidated.
  • Various security fixes
  • ComplianceForge SCF: Changed the user interface for enabling and disabling frameworks.
  • ComplianceForge SCF: Added functionality to dynamically download the current ComplianceForge SCF release and update SimpleRisk with the new controls and mappings.
  • Jira: Integration with Jira (Official Release)
  • Risk Assessment: Added a new "Fill in the blank" question type
  • Risk Assessment: Added the ability to send assessments to users already defined in SimpleRisk
  • Email Notification: Fixed an issue where email notifications were not sent with risk closures.
  • Custom Authentication: Added the ability to add a manager attribute through LDAP to the account created in SimpleRisk.
  • Custom Authentication: Added the ability to specify display name, email address, and manager username value attributes for SAML authentication.
  • Custom Authentication: Updated SAML authentication to handle when strict_user_validation is turned off.
  • Upgrade: Continuing to move closer to a true "one-click" upgrade process.
  • Customization: Added an option to have results in a single-select or multi-select dropdown displayed in alphabetical order.
  • Customization: Added a new "Hyperlink" custom field that allows users to create clickable hyperlinks in their templates.
  • Import-Export: Fixed a bug with importing existing assets with updated custom fields.
  • Import-Export: Fixed a bug where the "Export to XLS" button did not work in the Dynamic Risk Report unless a subject column was selected.
  • Import-Export: Added the "Date Closed" column for risk exports.
  • Import-Export: Added the ability to import a Mitigation Submission Date value.
  • Import-Export: Updated import mappings to store custom fields.
  • Import-Export: Added "Additional Stakeholders" to imports.


Q4 2019 Release Target (November 30, 2019)

  • Added a selection to view the Date Closed value on the Dynamic Risk Report.
  • Updated existing multi-select dropdowns to be searchable and scrollable.
  • Added the ability to search tags when filtering by tags in the Dynamic Risk Report.
  • Added a new filter on the Compliance Active Audits page that allows you to filter based on the "Test Name" column.
  • Added a new filter on the Compliance Past Audits page that allows you to filter based on the "Test Name" column.
  • Added a new "Actions" column in the Audit Timeline report enabling the user to initiate a new audit of the test, view active audits of the test, or view past audits of the test directly from the page.
  • Updated the Team field for assets to be a multi-select dropdown.
  • Updated the "Associated Frameworks" under the Audit Timeline report so that only active frameworks are displayed.
  • Added the ability for a user to select any document type as a parent in the Document Hierarchy on the Governance page.
  • Removed the ability to create a risk subject with only whitespace characters.
  • Removed the "report requires PHP >= 5.5" message if you are running PHP >= 5.5.
  • Added a health check to detect an outdated version of PHP.
  • The missing "Initiate Test" functionality was added back to the Initiate Audits page.
  • Fixed an issue where the pop up menus were no longer able to be scrolled through.
  • Fixed an issue where filtering by an asset or asset group in the Dynamic Risk Report did not work.
  • Fixed an issue where you could not make a tag that contained spaces in it.
  • Fixed an issue where you could not sort by Residual Risk Score in the Dynamic Risk Report after grouping by risk level.
  • Fixed an issue where the Dynamic Risk Report did not properly group by risk level when using custom risk level names.
  • Fixed an issue where changing tabs in the Configure -> Settings menu caused the Risk Appetite slider to disappear until the page is refreshed.
  • Fixed an issue where the "All" button on the Risk Appetite Report did not expand to show all risks under the selected tab.
  • Fixed a spelling issue for "Mitigation Supporting Documenttation" under the Mitigation tab in the Configure, Extras, and Customization menus.
  • Added additional code to prevent a time-based account enumeration attack on login.
  • Fixed a CSRF vulnerability with the new one-click-upgrade functionality.
  • Fixed a SQL Injection vulnerability with audit trail logs.
  • Fixed a Stored XSS vulnerability with the new risk appetite functionality.
  • Fixed a Stored XSS vulnerability with the Frameworks and Controls tabs.
  • Fixed an issue where any user could access the list of Framework Controls.
  • Fixed an issue where an unprivileged user could change the risk levels.
  • Jira: Integration with Jira (Beta)
  • Risk Assessment: Created a new "Control Audit" button when viewing a questionnaire result that will show all controls mapped to the question asked, their associated frameworks, and whether the answer was a "Pass" or "Fail".
  • Risk Assessment: Made it so that accepting a pending risk no longer reloads the entire page.
  • Risk Assessment: Fixed an issue where you would receive a DataTables error if you added a text filter for questionnaire questions and then selected a filter template.
  • Email Notification: Fixed an issue where the scheduled reporting section of the Notification Extra would send e-mails to users it should not send emails to.
  • Upgrade: Fixed an issue where the Upgrade Extra would throw an error regarding undefined available_extras when attempting to upgrade even if no upgrade was needed.
  • API: Added an API query to update the values of a risk.
  • API: Fixed an issue in the API Extra when attempting to create a new API key for a user.
  • Customization: Fixed an issue where required asset fields would inhibit database upgrades.
  • Import-Export: Added support for asset groups to Tenable and Rapid7 integrations.
  • Import-Export: Fixed an issue where you could not import fields set to be encrypted using the Customization Extra.


Q3 2019 Release Target (September 30, 2019)

  • Ability to define a custom "risk appetite" value
  • Creation of a new "Risk Appetite" report that shows separate tabs for risks within and outside the appetite
  • Ability to save selections in the Dynamic Risk Report with a name
  • Ability to share saved selections in the Dynamic Risk Report with other users
  • Customization: Ability to define custom fields as required
  • Risk Assessment: Ability to add sub-templates as questionnaire logic
  • Customization/Encryption: Ability to define custom fields as encrypted
  • Risk Assessment: Ability to audit questionnaire responses against a defined control framework


Q2 2019 Release Target (June 30, 2019)

  • Addition of a "Manager" value for each user that will automatically populate the "Owner's Manager" field for risks
  • Fix for IE10 compatibility issues
  • Add the "Mitigation Control" value to the Dynamic Risk Report
  • Updated handling of roles so that user permissions change when role permissions are changed
  • Fix so that updating a control in the Governance section doesn't refresh the entire page
  • Add an audit trail entry for Accepting and Rejecting a Risk Mitigation
  • Add functionality to combine multiple assets into an "Asset Group" that can be added to a risk
  • Add translations for the Mongolian language
  • Association of teams with audit tests
  • Ability to delete active audits
  • Risk Assessment: Ability to select multiple contacts for an assessment
  • Import-Export: Ability to import vulnerabilities with Rapid7 Nexpose
  • Import-Export: Export of controls to a CSV file
  • Ability to specify your own scores for risks depending on the likelihood and impact values
  • Team-Based Separation: Restrict access to audit tests by associated team
  • Advanced Search: Creation of a new SimpleRisk Extra to enable more targeted search criteria


Q1 2019 Release Target (March 31, 2019)

  • Addition of tagging of risks and assets
  • Addition of asset groups
  • Addition of text-based description for asset valuation range
  • Enable project selection as part of risk review
  • Association of Frameworks and Controls with Policies, Guidelines, Standards, and Procedures
  • Ability to Document Exceptions to Policies and Controls
  • Addition of a help menu
  • Addition of the Audit Timeline report
  • Customization of e-mail prepend value
  • Ability to export the audit log
  • Import-Export: Ability to import assets with Rapid7 Nexpose