= Functionality development complete and ready for release

= Functionality development incomplete, but on the short-term roadmap


FUTURE RELEASES (Last Updated 10/19/2021):


Q4 2021 Release Target (December?)

  • Add the ability to search through the Owner field to select the desired user.
  • Add the ability to search through the Owner's Manager field to select the desired user.
  • Risk Assessment: Hosted proxy and the ability to export an assessment to CSV, fill it out offline and then import the results.
  • Notification Extra: Add customizable reports to automatically send via email
  • Notification Extra: Add an Action notification to send an email when a new document is added.
  • Notification Extra: Add an Action notification to send an email when a document is edited.
  • Notification Extra: Add the Team to the 'Who To Notify' section for Notify on Audit Status Change/Audit Comment
  • Notification Extra: Add the Team to the 'Who To Notify' section for 'Automated Notifications of Audits'
  • Incident Management Extra: Add an action menu allowing you to "Escalate", "Close" or "Reopen" an incident.
  • Incident Management Extra: Set the time along with the date for the start date and detection date.
  • Incident Management: Integration with the Email Notification Extra for sending notifications of actions
  • Incident Management: Dynamic Incident Report


PAST RELEASES:


Q3 2021 Release Target (September 30, 2021)

  • Added a new Control Type field. When the Control Type is Enterprise you will be able to track a pass/fail status that stays with that control, whereas before you could only review the state of a control by reviewing its most recent audit tests. This also feeds into new additions you will see on the mitigation page for Control Validation when a control is attached to a mitigation, including the ability to attach a control artifact.
  • Added a new feature that allows users to create a risk based on a control failure when submitting the failed control test during an audit. When users save an audit test with a test result of “Fail” they will be prompted to submit a risk based on this failure or attach the failed control to an existing risk. Users can select “No” to not associate the failed test with a risk.
  • Added the ability for users to configure the max subject length of risks. (Configure → Settings)
  • Added all customization fields to the Dynamic Risk Report regardless of whether they appear in an active template.
  • Added audit logging for documentation reviews.
  • Added the ability to select the jQuery CDN or a local copy for restricted environments.
  • Updated the font system to a version with lower resource cost.
  • Added filters to the Risks and Controls Report. 
  • Added filters to the Risks and Assets Report. 
  • Added Reporting for Risk Mapping to the Dynamic Risk Report 
  • Added the ability to edit asset names in the Asset Management menu. 
  • Added several improvements and details to the Risks and Assets report including new fields for highest residual risk, average residual risk, highest inherent risk, and average inherent risk. 
  • Added a filter for projects to the Risks and Assets report. 
  • Risks and Controls report now displays the color of the highest risk score in the table header for each control. 
  • Added the ability to edit asset names directly through the “Edit Assets” menu in the “Asset Management” section. 
  • Added the ability to edit Project names in the “Plan Project” menu.
  • Added additional details associated with projects (Due Date, Consultant, Business Owner, Data Classification).
  • Added additional debugging to the Upgrade Extra. 
  • Added a Healthcheck to ensure php max_var_char is set properly. 
  • Added a Healthcheck to ensure php-gd and php-zip are present.
  • Integrated CSRF Magic to allow for newer versions to be included with SimpleRisk. 
  • Fixed XSS when adding an attack vector with a script in the name. 
  • Fixed XSS when adding an IM playbook with script in the name. 
  • Fixed an issue where a user could view all Asset Valuations without permission to do so. 
  • Fixed an SQLi when retrieving risks from the database.
  • Fixed an issue where changing date format would result in the Document Program next review date not automatically populating. 
  • Updated the display method for active audits to support high volumes of active audits. 
  • Fixed an issue where users could configure the risk scoring levels into a state that was not functional and could not be corrected through the UI. 
  • Fixed an issue where custom fields continued to not be exported unless currently assigned to a template. 
  • Updated the jQuery CDN to use Google's CDN instead of jQuery's CDN.
  • Fixed a bug where asset management using team-based separation would not block the view of assets properly. 
  • Fixed an issue where sorting by Next Review Date in the Dynamic Risk Report would cause the report to indefinitely say “Processing”. 
  • Fixed an issue where submitting a risk with any template outside of the default would cause affected assets to not poll correctly. 
  • Fixed a bug where users were unable to upgrade the Upgrade Extra unless they were on the newest release. 
  • Fixed an issue where the link generated for Management Review yes/no in All Open Risks Assigned to me incorrectly adds 1000 to the url for the risk ID. 
  • Fixed an issue where All Risks Assigned to Me report did not function as intended with team-based separation turned off. 
  • Fixed a bug where admin users could add users with invalid e-mail addresses. 
  • Fixed an issue where using the SimpleRisk API would create a session for the user that could be used to gain access to the UI. 
  • Fixed a bug where removing the Risk Scoring Method field would result in the risk being unable to be scored or displayed properly.
  • Risk Assessment: Fixed a bug where Risk Submission via the Risk Analysis did not function.
  • Risk Assessment: Fixed a bug where not entering certain fields during risk submission of a pending risk would prevent the confirmation messages from displaying. 
  • Risk Assessment: Fixed an issue where Risk Analysis did not use the correct submission date format. 
  • Risk Assessment: Fixed an issue where fill in the blank questions could not be edited. 
  • Risk Assessment: Fixed an issue where Questionnaire Results would load extremely slowly.
  • Import-Export: Updated the extra to work with multiple templates: the template associated with a risk is now exported and may also be declared during import.
  • Customization: Fixed a bug where removing the Risk Scoring Method field would result in the risk being unable to be scored or displayed properly. 
  • Customization: Fixed an issue where removing the Supporting Documentation field would break the ability to submit risks.
  • Notification: Fixed a bug where the middle date range for sending a notification for the Document Program would not send as intended. 
  • Notification: Fixed an issue where the 3rd and furthest out date e-mail notification for Document Program would display $due_date instead of the number of days until due.
  • Team-Based Separation: Added an asset permission for “Allow all users to see assets not assigned to a team” which is checked by default. When unchecked only admins will see assets that are not currently assigned to a team.
  • Incident Management: Fixed a bug in Incident Management where the related risks subject was encrypted when the Encrypted Database Extra was enabled. 
  • Incident Management: Fixed a bug where the Font Awesome icon name changed and the disk "save" icon wasn't displaying.
  • Custom Authentication: Added the ability to manage and map Roles and Teams to users using LDAP or SAML. A new claim/assertion may be required to make those values available to SimpleRisk.
  • Vulnerability Management: This newly added extra takes the functionality once rolled into the Import/Export Extra and completely reworks the way we approach vulnerability management. Where before we would pull any and all vulnerabilities from a given instance of your application of choice, we now offer the ability to filter them down by site and risk level and provide the opportunity to triage the entries before generating risks. This extra is offered free of charge to all users who already possess a license for Import/Export and should already be available for download.


Q3 2021 Bug Fix Release (July 13, 2021)

  • The audit trail now records actions related to the Document Program.
  • Fixed an issue with some small icons and symbols that would not be displayed properly.
  • Fixed an issue where the Additional Stakeholders field would not be displayed as intended.
  • Upgrade: Updated the extra to update the database to the latest version instead of just the next version.
  • Upgrade: Added new checks before an upgrade to avoid issues that could make the upgrade fail.
  • Custom Authentication: Updated the extra to use the SimpleSAMLphp files that are now provided in the SimpleRisk Core.


Q2 2021 Bug Fix Release (June 30, 2021)

  • Made it so that Admin users can no longer disable their own account
  • Updated the usages of echo in the API


Q2 2021 Release Target (June 25, 2021)

  • Added a new automated backup scheduling system under Configure → Settings → Backups.
  • Increased granularity in the audit log regarding risks.
  • Increased the information retained in the audit log regarding audit tests.
  • Added the ability to add custom impact descriptions for the Contributing Risk scoring methodology. 
  • Added an "About This Page" link in the help menu to provide additional context and help for the different pages in SimpleRisk. This feature is still under construction and only available for the Risk Management module at this time.
  • When no mitigating control is available for a mitigation the system will now report “No Control Available”.
  • Updated mouseover descriptions for User Permissions. 
  • The control short name is now displayed with audit tests. 
  • Removed the ability for admins to remove their own admin rights. 
  • Admins can no longer change what teams they belong to as they have access to all risks. 
  • Updated the Dynamic Risk Report so that when you group by a value that can have multiple entries checked for a single risk (i.e. "teams"), the group is shown only once with all associated risks. In previous releases the grouping was split out, so a risk assigned to multiple teams appeared under a separate grouping for each team.
  • Added Project Status (Active, On Hold, etc.) to the Dynamic Risk Report. 
  • Filters on the Define Tests page are now kept after editing a test. 
  • Filters on the Define Control Frameworks page are now kept after editing a control. 
  • The Management Review filter found on Plan Mitigations and Perform Reviews is now a dropdown, in line with the Mitigation Planned filter.
  • Added a “Back” button to the Manage Users tab in User Management when editing a user. 
  • Updated from unsupported Zend Escaper to the newer Laminas Escaper. 
  • Added Risk Scoring to the dynamic risk report to allow users to display a column of the current risk scoring methods in use for risks listed in the table. 
  • Added a field to display the Inherent Risk score from 30/60/90 days ago in the Dynamic Risk Report.
  • Added the ability to view the contributing risk likelihood and impact values in the Dynamic Risk Report. 
  • Increased control_number field size to 50 characters. 
  • Added a healthcheck to determine what the memory_limit value is set to in the php.ini file. 
  • Added a healthcheck to determine what USE_DATABASE_FOR_SESSIONS is set to in the config.php file.
  • Fixed an issue where “Current Control Maturity” and “Desired Control Maturity” values are not copied when cloning a control. 
  • Fixed an issue where browser zoom would cause the Governance → Define Control Framework page to not display properly.
  • Fixed an issue where users could receive a notice in the PHP log when viewing the Document Program page. 
  • Fixed an issue where an Asset Group’s name would be escaped when editing and would save with unintended characters in the group name. 
  • Fixed an issue where not setting a compliance test result and leaving it null would result in being unable to see that test in the past audits.
  • Fixed an issue where long control names would not display properly in Compliance → Past Audits. 
  • Fixed a bug where approximate time was not saved when editing a compliance test. 
  • Fixed an issue with double-encoded pop-up menus on the Governance → Define Exceptions page.
  • Fixed an issue where the pop-up confirmation displayed after submitting a risk was not escaped properly.
  • Fixed an issue where the last test date and next test date returned for test audits were incorrect.
  • Fixed an issue experienced when using Internet Explorer where the page doctype would be improperly set causing display and submission issues. 
  • Fixed an issue with the Connectivity Visualizer not showing assets when the Encrypted Database Extra is not enabled. 
  • Added a Default Desired Maturity value to Settings. 
  • Added a Default Current Maturity value to Settings. 
  • Fixed a Fatal Error when trying to communicate with SimpleRisk services when they are unavailable.
  • Fixed a potential XSS vulnerability on the Control Gap Analysis report. 
  • Fixed a potential XSS vulnerability with Control Exceptions. 
  • Fixed a potential XSS vulnerability on the Dynamic Risk Report. 
  • Fixed a potential XSS vulnerability on the View Risk page. 
  • Fixed a potential XSS vulnerability on the Custom Authentication Settings tab when mapping LDAP groups. 
  • Fixed a potential XSS vulnerability on the Plan Mitigation page.
  • Fixed a potential XSS vulnerability in the Connectivity Visualizer. 
  • Fixed an issue where Team-Based Separation could be circumvented. 
  • Fixed an issue where a username matching a UID could be used to log in as that username.
  • Fixed a potential XSS vulnerability on the Add and Delete Assets page.
  • Fixed a potential XSS vulnerability on the Manage Asset Groups page.
  • Limited platform to one password reset for a given user every ten minutes to prevent 'Email Bomb' attacks.
  • Customization: Added the ability to create multiple templates for use with Organizational Hierarchy.
  • Customization: Fixed an issue where User Multi-Select dropdowns would cause a risk to be unable to save.
  • Customization: Fixed an issue where the Risk Mapping field could not be restored.
  • Customization: User Multi-Select dropdowns will now respect Organizational Hierarchy.
  • Custom Authentication: Added a check that prevents users from manually creating duplicate users using LDAP/SAML.
  • Risk Assessment: Added sharing functionality for Risk Assessments allowing you to give access to the results to a person who does not have a SimpleRisk login.
  • Risk Assessment: Import/Export capabilities have been updated to be more in line with how Risk imports work. Question IDs are now absolute values and no longer only relative to the import. Mapping a question ID updates that question in place; leaving it unmapped imports the line as a new question.
  • Risk Assessment: Fixed an issue where mapped controls were not saved if Compliance Assessment was not checked.
  • Risk Assessment: We now display the Question ID in various places to help with the new changes to import/export.
  • Risk Assessment: When an Import is done that includes an answer that has Submit Risk set to "1" and no "Subject" defined we now set submit risk to "0" and give the user a warning that questions lacking a subject were edited to not attempt to submit a blank risk subject.
  • Risk Assessment: Imports can now be used to remove answers to a question. Only answers imported with a given question will remain on the imported question even if others already exist in the system for that question.
  • Import-Export: Added the Current and Desired Control Maturity fields to Control Import.
  • Import-Export: Added the Current and Desired Control Maturity fields to Control Export.
  • Import-Export: Filters on the Dynamic Risk report will now be respected when exporting.
  • Notification: Added a new feature allowing users to customize their notifications layout and text.
  • Notification: Fixed an issue where certain configurations in the Notification Extra Configuration page would not be saved.
  • Notification: Fixed an issue where Automated Notifications of Unreviewed / Past Due Risks fails to complete if there's a user with no review permissions and only the notify reviewer option is selected.
  • Notification: Fixed an issue where mitigation related e-mails would not decrypt properly with encryption turned on.
  • Notification: Fixed an issue where unreviewed risks did not appear in the unreviewed/past due risk scheduled e-mail.
  • Notification: Added Notify Approver to the notify section for Document Reviews.
  • Notification: When a review rejects and closes a risk the close notification will now send as expected.
  • Organizational Hierarchy: Fixed an issue where Org Hierarchy would not function properly with admin users who did not belong to all teams.
  • Organizational Hierarchy: Added the ability for users to assign individual templates based on the active Business Unit they are currently working with.
  • Organizational Hierarchy: Fixed a potential XSS vulnerability associated with the use of Organizational Hierarchy.
  • Incident Management: Added permissions for Incident Management.


Q1 2021 Release Target (March 5, 2021)

  • Added a "Current Control Maturity" value for each control to define the existing level of maturity for that control.
  • Added a "Desired Control Maturity" value for each control to define the desired level of maturity for that control.
  • Added a "Control Gap Analysis" report to show all controls where the current control maturity is less than the desired level of maturity.
  • Added the ability to filter columns in the Active Audits table so that they may be searched and filtered the same way the Dynamic Risk Report works.
  • Added the ability to filter by control name on the Define Tests menu of Compliance.
  • Added the ability to filter by control family on the Define Tests menu of Compliance.
  • When Exporting to XLS via the Dynamic Risk Report all filters and configurations are now respected.
  • When using the printer-friendly version of the Dynamic Risk Report, column filters will now affect the generated document for printing.
  • Added the Mitigation Percent field to the mitigation columns available for display in the Dynamic Risk Report.
  • Added a last review date field to the Governance Document Program to bring its feature set in line with other repeating tasks in SimpleRisk.
  • Added a field for Team to the Document Program.
  • Level of Mitigation effort now sorts based on magnitude and no longer alphabetically.
  • Updated the Asset Selection widget to show available items on the left and selected items on the right.
  • Updated the OWASP Risk Scoring methodology so that the resulting risk score is reflective of their Overall Risk Severity.
  • Updated the Risk Catalog to have the latest information from ComplianceForge.
  • Created a new Threat Catalog with the latest information from ComplianceForge.
  • Added Assessment Uploads to the Fix Encoding page. Now any broken files attached to assessments will be identified so they may be replaced. This only applies to files uploaded in version 20201005-001.
  • Fixed a bug where the default custom display settings for a user would be empty.
  • Fixed an issue where enabling extras in a specific order could generate an error.
  • Fixed an issue where users could create a mitigation for a risk that does not exist.
  • Fixed an issue where updating a risk could set the submission date to 00:00 of the current day.
  • Fixed an issue where using the sorting function on the comment section of the Dynamic Risk Report did not function as intended.
  • Fixed a bug where the risk appetite report would be affected by closed risks.
  • Fixed a bug where Next Review Date in the Document Program did not respect the configured date format.
  • Fixed an issue where users could add projects to the system without the correct privilege to do so when executing a review or adding a risk after an assessment.
  • When admins change a user's Role or Permissions the changes will now take effect immediately instead of when the next session is set.
  • Disabling a user now immediately destroys their session.
  • Customization: Fixed an XSS vulnerability in Customization Extra Asset Field Name.
  • Customization: Fixed an issue where, after the Risk Mapping field was removed, it could no longer be restored to its original placement.
  • Customization: Fixed an issue where custom fields would not sort properly in the Dynamic Risk Report.
  • Risk Assessment: Fixed an issue where users may record an undefined index error when submitting a new tag with a risk assessment questionnaire question.
  • Import-Export: Added the NIST 800-171 Controls to the one-click framework installation option.
  • Import-Export: Added the ability to export the list of users currently in SimpleRisk along with their roles, permissions and teams.
  • Import-Export: Added the ability to import a list of users along with their roles, permissions and teams.
  • Import-Export: Now when exporting XLS from the Dynamic Risk Report all filters will be respected in the generated export.
  • Import-Export: When creating a printable version of the Dynamic Risk Report the column filters will now be reflected in the printed version.
  • Import-Export: Fixed an issue where importing control frameworks from GitHub was not properly capturing the framework_id.
  • Import-Export: Added the ability to map mitigating controls when importing risks.
  • Import-Export: Fixed an issue where Close Reason could not be null when importing risks.
  • Notification: Updated the user interface to use twisties to hide the details of notifications.
  • Notification: Made improvements to the notification of document reviews and fixed an issue where users would not receive them at the configured time.
  • Notification: Fixed an issue where notify on review and notify on close settings were not functioning.
  • Notification: Added new configurations for document exception notifications to bring it in line with other scheduled notifications.
  • Jira: Fixed an issue that would cause an error to be logged when submitting risks with this extra.


Q4 2020 Release Target (January 21, 2021)

  • Added a new report to visually show relationships between frameworks, controls, risks and assets.
  • Added a new report to view the latest comments and updates to risks.
  • Added Last Test Date to the audit timeline report.
  • Added searchable fields from the Dynamic Risk Report to all other reports in the reporting section.
  • Re-ordered the control dropdown menus to be in alphabetical order.
  • Changed the format on the Document Program so the edit buttons are easier to use.
  • Fixed an issue where Next Review Date and Approval Date fields would display in different date formats when editing items in the Document Program.
  • Fixed an issue where users were unable to set a Last Test Date prior to the current day when editing Compliance Tests.
  • Fixed an issue where searching for items in the Document Program using Framework or Control would not function if the item belongs to multiple selections.
  • Fixed an issue where Timezone was not being displayed correctly according to what was configured in Settings.
  • Fixed an issue where editing the tags associated with an asset would submit them twice.
  • Fixed an issue where the tabs to switch between risks and the risk list would break when a risk was edited.
  • Changing a value in the Add and Remove Values menu now records an audit entry as expected.
  • Fixed an issue where the User Permissions in the User Management were not correctly spaced.
  • Fixed an XSS vulnerability on the Settings page under the Configure menu.
  • Organizational Hierarchy Extra: Updated to not show assets that are not in the same Business Unit(s) as the current user.
  • Team-Based Separation: Applied team separation to the viewing and use of assets in dropdowns, searches, and asset management.
  • Incident Management Extra: Added the ability to edit existing playbooks and add your own custom playbooks.
  • Incident Management Extra: Added incident closure states for Duplicated, Error, Expected, False Positive, Inconclusive, Precursor and True Positive.
  • Incident Management: Added an Overview report for the current month of Incidents.
  • Incident Management: Added an Incident Trend report for the past 13 months of Incidents.
  • Incident Management: Added a Lessons Learned report to show lessons learned and associated incidents.
  • Incident Management: Added an "Add and Remove Values" menu under Configure to allow users to add dropdown items.
  • Incident Management: Added a "Settings" menu under Configure to enable Incident Management configuration settings.
  • Incident Management: Updated Incident Management to use tags the same way as the rest of SimpleRisk.
  • Incident Management: The “Collected on” field will now save properly when users have a date format set other than default.
  • Incident Management: Editing and saving incidents no longer duplicates notes/evidence.
  • Customization: Fixed an XSS on the Customization Extra configuration page.
  • Customization: Fixed an issue where users could not disable the Risk Mapping field.
  • Customization: Fixed an XSS on the All Open Risks By Team By Risk Level report while using Custom Fields.
  • Customization: Fixed an XSS on the Management Review page when using Custom Fields.
  • Risk Assessment: Fixed an issue where, after Assessments was turned on for the first time, stray text would be displayed at a random position on the next page loaded.
  • Risk Assessment: Fixed an issue where adding a new tag to an answer would not make it available for later use in dropdowns.
  • Risk Assessment: Unified how tags work in Assessments to match the rest of SimpleRisk.
  • Risk Assessment: Changed the separator for multiple tags on active/closed risks on the questionnaire results page as commas were found to be misleading.
  • Jira: Added the ability to have a risk added in Jira trigger a new risk in SimpleRisk.
  • ComplianceForge SCF: Fixed an issue where users would receive an error when disabling the ComplianceForge SCF Extra.


Q4 2020 Bug Fix Release (November 23, 2020)

  • Added a page to identify any broken files resulting from the 20201005-001 upload bug. You will find this page in the Configure menu at the top, followed by Fix Upload Issues on the left. If you do not see it, you have not been affected by this bug. If you do see it, open it: it lists the broken uploads and lets you upload replacements for them.
  • Added a warning when the max tag length of 255 is exceeded.
  • Fixed the display issue causing problems viewing the edit and delete buttons in the Governance Document Program.
  • Fixed a UI bug in the User Management page.
  • Custom Authentication: Fixed an issue where SAML authentication did not work if SimpleRisk was not being run out of the web server context root.
  • Custom Authentication: Fixed a bug that would leave a PHP warning in the log when an AD user’s account is created upon the first login.
  • Customization: Fixed an issue where the Risk Mapping field was unable to be removed from a template.
  • Risk Assessment: Fixed a bug where the questionnaire tracking table was not set to use InnoDB.
  • Encryption: Fixed an issue with hitting the API while encryption is on.
  • Encryption: Fixed an issue where users were unable to sort by a given column on the Dynamic Risk Report as long as Encryption was enabled.
  • Organizational Hierarchy: Fixed a performance issue for SAML users with Organizational Hierarchy enabled.
  • Import-Export: Saved Reports will now export to XLS properly on the Dynamic Risk Report.
  • Import-Export: Fixed an issue where exported affected assets did not properly escape certain symbols.
  • Import-Export: Added the FedRAMP Low Baseline Controls to the one-click framework installation option.
  • Import-Export: Added the FedRAMP Moderate Baseline Controls to the one-click framework installation option.
  • Import-Export/Risk Assessment: Added NIST SP 800-171 DoD Assessment to the one-click assessment installation option.
  • Email Notification: Fixed an issue preventing scheduled notifications from being sent.
  • Incident Management: Fixed an issue where updating the incident subject didn't show after being saved.
  • Incident Management: Fixed an issue where updating the incident status didn't show after being saved.
  • Incident Management: Fixed an issue where the risk subject was not decrypted with Encryption enabled.
  • Incident Management: Fixed an issue where the asset name was not decrypted with Encryption enabled.


Q4 2020 Bug Fix Release (November 6, 2020)

  • Fixed a bug causing empty files to be uploaded for every file upload function in SimpleRisk.


Q3 2020 Release (October 5, 2020)

  • Ordering of Past Audits under Compliance by time, in addition to date, so that the last one completed displays at the top.
  • Rewrote the API health check to more closely reflect an actual API call.
  • Updated the way that SimpleRisk handles user permissions to make it easier to add new permissions going forward.
  • Updated the way that SimpleRisk handles sessions for improved visibility and consistency.
  • Ability to customize views for the Plan Mitigation, Perform Reviews and Review Regularly pages
  • Ability to filter by asset tags in the Risks and Assets report
  • Creation of a Printable View of the groupings in the Dynamic Risk Report
  • Added GUI-based notifications of when licensed Extras have expired.
  • Fixed a console message about refusing to load the image URL because it violates the CSP directive.
  • Custom Authentication Extra: Added ability to select sAMAccountName and userPrincipalName as a Username Attribute when using LDAP authentication.
  • Notification Extra: Fixed a bug affecting scheduled notifications.
  • Import-Export Extra: Added the ability to install and uninstall frameworks from the GitHub repository with the click of a button.
  • Import-Export Extra: Added AICPA 2017 SOC2 Trusted Services Criteria (TSC) to the one-click framework installation option.
  • Import-Export Extra: Added CIS Critical Security Controls v7 to the one-click framework installation option.
  • Import-Export Extra: Added CMMC v1.02 Maturity Level 1 to the one-click framework installation option.
  • Import-Export Extra: Added CMMC v1.02 Maturity Level 2 to the one-click framework installation option.
  • Import-Export Extra: Added CMMC v1.02 Maturity Level 3 to the one-click framework installation option.
  • Import-Export Extra: Added CMMC v1.02 Maturity Level 4 to the one-click framework installation option.
  • Import-Export Extra: Added CMMC v1.02 Maturity Level 5 to the one-click framework installation option.
  • Import-Export Extra: Added Information Security Regulation Version 2.0 to the one-click framework installation option.
  • Import-Export Extra: Added NIST 800-53 to the one-click framework installation option.
  • Import-Export Extra: Added NIST Cybersecurity Framework (CSF) to the one-click framework installation option.
  • Import-Export Extra: Added PCI DSS v3.2.1 to the one-click framework installation option.
  • Import-Export Extra/Risk Assessment Extra: Added the ability to install and uninstall assessment templates from the GitHub repository with the click of a button.
  • Import-Export Extra/Risk Assessment Extra: Added NIST Cybersecurity Framework (CSF) to the one-click assessment installation option.
  • Import-Export Extra/Risk Assessment Extra: Added PCI DSS v3.2.1 Self-Assessment Questionnaire D for Merchants to the one-click assessment installation option.
  • Incident Management Extra: Fixed a bug where playbooks were not tracked per incident.
  • ComplianceForge SCF Extra: Updated to display the SCF Control Number as part of the control short name and both the SCF Control Number and SCF Domain as part of the control long name.
  • Risk Assessment Extra: Addition of a risk catalog linked to questionnaires and the Secure Controls Framework
  • Risk Assessment Extra: Updating the Additional Notes with Assessment Information


Q2 2020 Release (July 11, 2020)

  • Ability to attach files to policy and control exceptions
  • New permissions under Risk Management for creating, deleting, and managing projects
  • New permissions under Compliance for defining tests and initiating and managing audits
  • Ability to save the column filter selections in the Dynamic Risk Report
  • Fixed a bug with sorting by Subject in the Dynamic Risk Report
  • Fixed a bug where the "Define Tests" page under Compliance would refresh after a new test had been added
  • Added a report under Configuration -> User Management to track users and all of the responsibilities they are associated with.
  • Added a report under Configuration -> User Management to track users and all of the roles they are associated with.
  • Updated the Risks and Controls report to sort by the inherent risk score for the "Risks by Control" view.
  • Added the ability to select a "Document Owner" from the Document Program menu under Governance
  • Added an "Additional Stakeholders" user multi-select dropdown in the Document Program menu under Governance
  • Added an "Approver" user select dropdown in the Document Program menu under Governance
  • Added a "Next Review Date" date select field in the Document Program menu under Governance
  • Added a "Review Frequency" field in the Document Program menu under Governance
  • Added the ability to choose whether to sort by Asset Name or Asset Risk in the Risks and Assets report
  • Added the ability to choose the columns displayed for the Active Audits page under Compliance
  • Removed Obsolete Reports from Reporting
  • Updated to invalidate the old password reset token for a user if a new token is generated
  • Changed "Review Date" to "Approval Date" in the Document Program menu under Governance
  • Changed the Health Check to a tab layout and added a Summary tab
  • Added a new health check to ensure the SimpleRisk Base URL defined in Settings matches the base URL that is being used to access the instance
  • Import-Export Extra: Added the ability to save custom fields in the Import/Export mappings.
  • Team-Based Separation Extra: Added a report under Configuration -> User Management for users mapped to teams and teams mapped to users.
  • Email Notification Extra: Added the ability to send automated notifications for document reviews.
  • Organizational Hierarchy Extra: The Organizational Hierarchy Extra enables the ability to define multiple Business Units which can include any number of teams. Users can then be assigned across one or more teams under various Business Units. This affects a user's ability to see and use the teams, users, and assets which they are not associated with.
  • Incident Management Extra: The Incident Management Extra is based on the NIST 800-61 Computer Security Incident Handling Guide and provides incident management capabilities from within the SimpleRisk system.


Q1 2020 Release (March 28, 2020)

  • Add filterable and sortable columns for Dynamic Risk Report and similar tabular views of data
  • Enhance usability of the Dynamic Risk Report by creating expandable sections
  • Performance improvements by converting concatenated ids to junction tables and adding indexes
  • Ability to choose if High Risk Report is based on the Inherent or Residual risk score
  • Fix for creation of circular references with control framework parent-child relationships
  • Fix for different looking Action buttons on the Audit Timeline report
  • Added a new audit log type for user events
  • The Risks and Assets report now includes the risk's locations/teams in the row instead of the asset's locations/teams.
  • Group names are now included on the Assets by Risk report in brackets.
  • The Audit Trail now includes an entry when a framework is deleted.
  • After adding a test to a control, you are now brought back to the same place you were when you clicked "Add Test".
  • Changing user permissions while a session is open will now immediately take effect without the need to logout.
  • Added a new health check to see if an Extra is compatible with the SimpleRisk instance version.
  • Added a new health check to see if an instance is running the most recent version of an Extra.
  • Added a new health check to check for proper MySQL database user permissions.
  • Sorted the "Mitigation Controls" dropdown when planning a mitigation in alphabetical order.
  • Fixed an issue in the Risks and Assets report where assets that were part of an asset group were not displayed when the asset was assigned to a risk and the asset group was not.
  • Fixed a bug where using the "Group By" feature on the Dynamic Risk Report would show both a column header and footer when that was not necessary.
  • Updated a function that caused an error when the SimpleRisk Base URL was not set.
  • Fixed a bug when updating your user profile language while selecting "--".
  • Fixed a bug where users would not receive password reset emails without setting the simplerisk_base_url value.
  • Fixed an issue where MySQL instances with STRICT_TRANS_TABLES enabled would throw an error if too many characters were entered into the Compliance related fields.
  • Fixed a bug where the risk levels for "Custom" Classic Risk scoring were not being set properly.
  • Removed Control Regulation from Add and Remove Values as this is now managed through the Governance section of SimpleRisk.
  • Fixed a UI bug that would occur when a Framework's name was too long.
  • Fixed an issue where reporting with Risks and Assets would cause an incorrect maximum quantitative loss when an asset group was attached to a risk.
  • Fixed a bug that was causing the Site/Location and Asset Valuation for assets to not accept new changes.
  • Fixed various issues that occur when SimpleRisk is run from a sub-directory of the virtualhost's web root.
  • Fixed a bug where all pages were making unnecessary calls to the SimpleRisk update server.
  • Fixed undefined index errors on the Risk and Controls report.
  • Fixed a bug where the Contributing Risk popup window was named "SimpleRisk OWASP Calculator" instead of "SimpleRisk Contributing Risk Calculator".
  • Added the ability to set SimpleRisk to make requests via a proxy through the SimpleRisk UI under the "Security" tab in Configure -> Settings.
  • Open sessions are now immediately invalidated when a password is reset.
  • When account lockouts occur, any active sessions from that account are also invalidated.
  • Various security fixes
  • ComplianceForge SCF: Changed the user interface for enabling and disabling frameworks.
  • ComplianceForge SCF: Added functionality to dynamically download the current ComplianceForge SCF release and update SimpleRisk with the new controls and mappings.
  • Jira: Integration with Jira (Official Release)
  • Risk Assessment: Added a new "Fill in the blank" question type
  • Risk Assessment: Added the ability to send assessments to users already defined in SimpleRisk
  • Email Notification: Fixed an issue where email notifications were not sent with risk closures.
  • Custom Authentication: Added the ability to add a manager attribute through LDAP to the account created in SimpleRisk.
  • Custom Authentication: Added the ability to specify display name, email address, and manager username value attributes for SAML authentication.
  • Custom Authentication: Updated SAML authentication to handle when strict_user_validation is turned off.
  • Upgrade: Continuing to move closer to a true "one-click" upgrade process.
  • Customization: Added an option to have results in a single-select or multi-select dropdown displayed in alphabetical order.
  • Customization: Added a new "Hyperlink" custom field that allows users to create clickable hyperlinks in their templates.
  • Import-Export: Fixed a bug with importing existing assets with updated custom fields.
  • Import-Export: Fixed a bug where the "Export to XLS" button did not work in the Dynamic Risk Report unless a subject column was selected.
  • Import-Export: Added the "Date Closed" column for risk exports.
  • Import-Export: Added the ability to import a Mitigation Submission Date value.
  • Import-Export: Updated import mappings to store custom fields.
  • Import-Export: Added "Additional Stakeholders" to imports.
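The Q1 2020 session changes above (open sessions invalidated on password reset and on account lockout, permission changes taking effect without a logout) and the Q2 2020 change that invalidates a user's earlier password reset token when a new one is generated are all facets of one piece of account-state handling. The following is an added example of that handling written for this page; it is not SimpleRisk's own code. The in-memory store standing in for the database, the 15-minute token lifetime, the user id and the permission names are constructed assumptions.

```python
"""Session and reset-token handling: an added illustration, not SimpleRisk's own code.

Constructed assumptions: an in-memory store stands in for the database, the
reset-token lifetime is 15 minutes, and permissions are looked up per request.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

RESET_TOKEN_TTL = 15 * 60  # seconds (assumed value, not taken from SimpleRisk)


def _digest(token: str) -> str:
    """Store only a hash of the token, so a leaked table row is not a usable token."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class AccountStore:
    # user_id -> (sha256 of the only valid reset token, expiry as epoch seconds)
    reset_tokens: Dict[int, Tuple[str, float]] = field(default_factory=dict)
    # session_id -> user_id
    sessions: Dict[str, int] = field(default_factory=dict)
    locked: Set[int] = field(default_factory=set)
    # user_id -> permission names; read on every check, never cached in the session
    permissions: Dict[int, Set[str]] = field(default_factory=dict)
    password_hashes: Dict[int, str] = field(default_factory=dict)

    def create_session(self, user_id: int) -> str:
        if user_id in self.locked:
            raise PermissionError("account is locked")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user_id
        return sid

    def revoke_sessions(self, user_id: int) -> int:
        """Drop every open session for the user; returns how many were revoked."""
        doomed = [sid for sid, uid in self.sessions.items() if uid == user_id]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)

    def issue_reset_token(self, user_id: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Overwriting the single slot is what invalidates any earlier token.
        self.reset_tokens[user_id] = (_digest(token), now + RESET_TOKEN_TTL)
        return token

    def consume_reset_token(self, user_id: int, token: str,
                            new_password_hash: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self.reset_tokens.get(user_id)
        if entry is None:
            return False
        stored_digest, expires = entry
        if now > expires or not hmac.compare_digest(stored_digest, _digest(token)):
            return False
        del self.reset_tokens[user_id]           # single use
        self.password_hashes[user_id] = new_password_hash
        self.revoke_sessions(user_id)            # open sessions die with the old password
        return True

    def lock_account(self, user_id: int) -> int:
        """Lock the account and kill its live sessions; returns sessions revoked."""
        self.locked.add(user_id)
        return self.revoke_sessions(user_id)

    def has_permission(self, sid: str, perm: str) -> bool:
        # Permissions come from the store on every call, so a role change applies
        # to sessions that are already open.
        uid = self.sessions.get(sid)
        if uid is None:
            return False
        return perm in self.permissions.get(uid, set())


if __name__ == "__main__":
    store = AccountStore()
    store.permissions[7] = {"risk.view"}
    sid = store.create_session(7)
    old = store.issue_reset_token(7)
    new = store.issue_reset_token(7)
    print("old token accepted:", store.consume_reset_token(7, old, "hash"))  # False
    print("new token accepted:", store.consume_reset_token(7, new, "hash"))  # True
    print("session still valid:", sid in store.sessions)                      # False
```

The points worth copying into a real implementation are the single token slot per user (issuing overwrites rather than appends), hashing the token at rest, `hmac.compare_digest` for the comparison, and revoking sessions from the same code path that changes the password or locks the account rather than relying on a later cleanup job.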


Q4 2019 Release (November 30, 2019)

  • Added a selection to view the Date Closed value on the Dynamic Risk Report.
  • Updated existing multi-select dropdowns to be searchable and scrollable.
  • Added the ability to search tags when filtering by tags in the Dynamic Risk Report.
  • Added a new filter on the Compliance Active Audits page that allows you to filter based on the "Test Name" column.
  • Added a new filter on the Compliance Past Audits page that allows you to filter based on the "Test Name" column.
  • Added a new "Actions" column in the Audit Timeline report enabling the user to initiate a new audit of the test, view active audits of the test, or view past audits of the test directly from the page.
  • Updated the Team field for assets to be a multi-select dropdown.
  • Updated the "Associated Frameworks" under the Audit Timeline report so that only active frameworks are displayed.
  • Added the ability for a user to select any document type as a parent in the Document Hierarchy on the Governance page.
  • Removed the ability to create a risk subject with only whitespace characters.
  • Removed the "report requires PHP >= 5.5" message if you are running PHP >= 5.5.
  • Added a health check to detect an outdated version of PHP.
  • The missing "Initiate Test" functionality was added back to the Initiate Audits page.
  • Fixed an issue where the pop up menus were no longer able to be scrolled through.
  • Fixed an issue where filtering by an asset or asset group in the Dynamic Risk Report did not work.
  • Fixed an issue where you could not make a tag that contained spaces in it.
  • Fixed an issue where you could not sort by Residual Risk Score in the Dynamic Risk Report after grouping by risk level.
  • Fixed an issue where the Dynamic Risk Report did not properly group by risk level when using custom risk level names.
  • Fixed an issue where changing tabs in the Configure -> Settings menu caused the Risk Appetite slider to disappear until the page is refreshed.
  • Fixed an issue where the "All" button on the Risk Appetite Report did not expand to show all risks under the selected tab.
  • Fixed a spelling issue for "Mitigation Supporting Documenttation" under the Mitigation tab in the Configure, Extras, and Customization menus.
  • Added additional code to prevent a time-based account enumeration attack on login.
  • Fixed a CSRF vulnerability with the new one-click-upgrade functionality.
  • Fixed a SQL Injection vulnerability with audit trail logs.
  • Fixed a Stored XSS vulnerability with the new risk appetite functionality.
  • Fixed a Stored XSS vulnerability with the Frameworks and Controls tabs.
  • Fixed an issue where any user could access the list of Framework Controls.
  • Fixed an issue where an unprivileged user could change the risk levels.
  • Jira: Integration with Jira (Beta)
  • Risk Assessment: Created a new "Control Audit" button when viewing a questionnaire result that will show all controls mapped to the question asked, their associated frameworks, and whether the answer was a "Pass" or "Fail".
  • Risk Assessment: Accepting a pending risk no longer reloads the entire page.
  • Risk Assessment: Fixed an issue where you would receive a datatables error if you added a text filter for questionnaire questions and then selected a filter template.
  • Email Notification: Fixed an issue where the scheduled reporting section of the Notification Extra would send e-mails to users who should not have received them.
  • Upgrade: Fixed an issue where the Upgrade Extra would throw an error regarding undefined available_extras when attempting to upgrade even if no upgrade was needed.
  • API: Added an API query to update the values of a risk.
  • API: Fixed an issue in the API Extra when attempting to create a new API key for a user.
  • Customization: Fixed an issue where required asset fields would inhibit database upgrades.
  • Import-Export: Added support for asset groups to Tenable and Rapid7 integrations.
  • Import-Export: Fixed an issue where you could not import fields set to be encrypted using the Customization Extra.
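The Q4 2019 item above about a time-based account enumeration attack on login refers to a well-known pattern: if a login handler returns as soon as it sees an unknown username, but spends tens of milliseconds hashing the password for a known one, an attacker can tell valid usernames from invalid ones by response time even though the error message is identical. The following is an added example of the leaky form beside the hardened form, written for this page and not taken from SimpleRisk; the user table, the PBKDF2 iteration count and the third return value (how many password hashes the call computed) are constructed for illustration.

```python
"""Login without a timing oracle for account enumeration: an added example,
not SimpleRisk's own code.

Constructed assumptions: a one-entry user table, PBKDF2-SHA256 at a fixed
iteration count, and login functions that report how many password hashes
they computed so the two code paths can be compared in a test.
"""
import hashlib
import hmac
import os
import secrets
import statistics
import time
from typing import Callable, Tuple

ITERATIONS = 50_000  # assumed cost setting, not a SimpleRisk value
GENERIC_FAILURE = "Invalid username or password."


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_user(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed sample data.
USERS = {"alice": _make_user("correct horse battery staple")}
# A throwaway credential used only to burn the same CPU time for unknown usernames.
DUMMY_SALT, DUMMY_HASH = _make_user(secrets.token_hex(16))


def login_leaky(username: str, password: str) -> Tuple[bool, str, int]:
    """Vulnerable form: an unknown user returns before any hashing, so the
    response arrives far faster than for a known user with a wrong password."""
    record = USERS.get(username)
    if record is None:
        return False, GENERIC_FAILURE, 0
    salt, stored = record
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    return ok, ("ok" if ok else GENERIC_FAILURE), 1


def login_constant_work(username: str, password: str) -> Tuple[bool, str, int]:
    """Hardened form: always hash against something and always compare in
    constant time; the outcome is decided only after identical work."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (DUMMY_SALT, DUMMY_HASH)
    candidate = hash_password(password, salt)
    matched = hmac.compare_digest(candidate, stored)
    ok = matched and record is not None  # the dummy hash can never log anyone in
    return ok, ("ok" if ok else GENERIC_FAILURE), 1


def median_ms(fn: Callable[[str, str], Tuple[bool, str, int]],
              username: str, rounds: int = 5) -> float:
    """Median wall-clock time in ms for one failed attempt, for a reader to eyeball."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(username, "not the password")
        samples.append((time.perf_counter() - t0) * 1000)
    return statistics.median(samples)


if __name__ == "__main__":
    for fn in (login_leaky, login_constant_work):
        print(fn.__name__,
              "known user: %.1f ms" % median_ms(fn, "alice"),
              "unknown user: %.1f ms" % median_ms(fn, "mallory"))
```

Running the block prints the timing gap for the leaky function and its absence for the hardened one. The same discipline applies to the lockout path from the Q1 2020 notes: a locked account that is rejected before hashing, or with a distinct message, becomes a different oracle for the same enumeration attack.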


Q3 2019 Release (September 30, 2019)

  • Ability to define a custom "risk appetite" value
  • Creation of a new "Risk Appetite" report that shows separate tabs for risks within and outside the appetite
  • Ability to save selections in the Dynamic Risk Report with a name 
  • Ability to share saved selections in the Dynamic Risk Report with other users
  • Customization: Ability to define custom fields as required
  • Risk Assessment: Ability to add sub-templates as questionnaire logic
  • Customization/Encryption: Ability to define custom fields as encrypted
  • Risk Assessment: Ability to audit questionnaire responses against a defined control framework


Q2 2019 Release (June 30, 2019)

  • Addition of a "Manager" value for each user that will automatically populate the "Owner's Manager" field for risks
  • Fix for IE10 compatibility issues
  • Add the "Mitigation Control" value to the Dynamic Risk Report
  • Updated handling of roles so that user permissions change when role permissions are changed
  • Fix so that updating a control in the Governance section doesn't refresh the entire page
  • Add an audit trail entry for Accepting and Rejecting a Risk Mitigation
  • Add functionality to combine multiple assets into an "Asset Group" that can be added to a risk
  • Add translations for the Mongolian language
  • Association of teams with audit tests
  • Ability to delete active audits
  • Risk Assessment: Ability to select multiple contacts for an assessment
  • Import-Export: Ability to import vulnerabilities with Rapid7 Nexpose
  • Import-Export: Export of controls to a CSV file
  • Ability to specify your own scores for risks depending on the likelihood and impact values
  • Team-Based Separation: Restrict access to audit tests by associated team
  • Advanced Search: Creation of a new SimpleRisk Extra to enable more targeted search criteria


Q1 2019 Release (March 31, 2019)

  • Addition of tagging of risks and assets
  • Addition of asset groups
  • Addition of text-based description for asset valuation range
  • Enable project selection as part of risk review
  • Association of Frameworks and Controls with Policies, Guidelines, Standards, and Procedures
  • Ability to Document Exceptions to Policies and Controls
  • Addition of a help menu
  • Addition of the Audit Timeline report
  • Customization of e-mail prepend value
  • Ability to export the audit log
  • Import-Export: Ability to import assets with Rapid7 Nexpose