violet_rails
ISMS for GRC (minor AI component)
trafficstars
Is your feature request related to a problem? Please describe.
Violet Rails GRC features are fragmented; unify the existing GRC systems and add support for common controls where applicable.
CCF: https://github.com/restarone/violet_rails/issues/1260
Add functionality that enables:
- inventory of system devices, which is reconciled [in accordance with the organization-defined frequency]
- documents the transportation of physical media outside of datacenters
- Equipment maintenance to be documented
- routine checks and reminders (e.g. devices that physically capture payment card data are inspected for evidence of tampering)
- test results to be documented
- cloud scanning (Where applicable, the information system default access configurations are set to "deny-all.")
- Change approval: prior to introducing changes into the production environment, approval from authorized personnel is required
- Customer-impacting product and system changes are publicly communicated on the company website
- Consent is obtained for [the organization's] Terms of Service (ToS) prior to collecting personal information and when the ToS is updated
- restricts personal account number (PAN) data such that only the first six and last four digits are displayed; authorized users with a legitimate business need may be provided the full PAN
- purges or archives data according to customer requests or legal and regulatory mandates
- Logical access that is no longer required in the event of a termination is documented, communicated to management, and revoked.
- Systems leveraged by the U.S. Federal Government present a login screen that displays language covering criminal penalties, and consent to monitoring
- Vendor accounts used for remote access are enabled only during the time period needed, disabled when not in use, and monitored while in use
- provides a contact method for external parties to submit complaints and inquiries, and to report incidents
- New hires are required to pass a background check as a condition of their employment
- [Workforce personnel as defined by the organization] consent to a non-disclosure clause
- Upon employee termination, management is notified to collect [the organization] property from the terminated employee
- [Workforce personnel as defined by the organization] consent to a proprietary rights agreement.
- Internal audit establishes and executes a plan to evaluate applicable controls in the Information Security Management System (ISMS) at least once every 3 years.
- Cryptographic Key Custodians and Cryptographic Materials Custodians (CMC) acknowledge in writing or electronically that they understand and accept their cryptographic-key-custodian responsibilities
- Critical systems are monitored in accordance with predefined security criteria and alerts are sent to authorized personnel. Confirmed incidents are tracked to resolution
- Vendors providing networking services to [the organization] are contractually bound to provide secure and available services as documented in SLAs.
- [The organization] maintains a list of approved managed service providers and the services they provide to [the organization].
The above controls were derived from: https://www.adobe.com/pdf/Open_Source_CCF.pdf
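The PAN-display control above (only the first six and last four digits shown, full PAN only for authorized users with a business need) is concrete enough to sketch. The following is an added example, not code from violet_rails or the CCF; the `Viewer` struct, `pan_access` flag and the audit-log shape are assumptions standing in for whatever user model and audit store the app ends up using.

```ruby
# Added example (not violet_rails code): display masking for a primary account
# number (PAN) so that only the first six and last four digits are shown, with
# full disclosure limited to explicitly authorized viewers and recorded.
require "digest"

# Hypothetical viewer record; a real app would use its own user model.
Viewer = Struct.new(:name, :pan_access, keyword_init: true)

MASK_CHAR = "*"

# Normalize input to digits only so spaces and dashes never leak through the mask.
def pan_digits(pan)
  pan.to_s.gsub(/\D/, "")
end

# Returns the PAN with only the first six and last four digits visible.
# Assumption: anything shorter than 13 digits is not a valid PAN (real PANs
# are 13 to 19 digits), so such input is masked completely rather than risk
# showing most of a short number.
def mask_pan(pan)
  digits = pan_digits(pan)
  return MASK_CHAR * digits.length if digits.length < 13
  digits[0, 6] + MASK_CHAR * (digits.length - 10) + digits[-4, 4]
end

# Single choke point for rendering a PAN. The full value is returned only when
# the viewer carries the pan_access flag, and every full-PAN view is written to
# the audit log. The log stores a SHA-256 of the PAN, never the PAN itself, so
# the audit trail does not become a second place where card data is stored.
def display_pan(pan, viewer, audit_log)
  digits = pan_digits(pan)
  if viewer.pan_access
    audit_log << {
      viewer: viewer.name,
      event: "full_pan_view",
      pan_sha256: Digest::SHA256.hexdigest(digits)
    }
    digits
  else
    mask_pan(digits)
  end
end

if __FILE__ == $0
  log = []
  puts display_pan("4111 1111 1111 1111", Viewer.new(name: "analyst", pan_access: false), log)
  puts display_pan("4111 1111 1111 1111", Viewer.new(name: "fraud-lead", pan_access: true), log)
  p log
end
```

Keeping `display_pan` as the only way a PAN reaches a view makes the control auditable: a code search for the raw column outside that function is the review check, and the log entries are what an assessor would ask to see.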
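The vendor remote-access control (accounts enabled only for the period needed, disabled when not in use, monitored while in use) also maps onto a small model. This is an added example, not violet_rails code; the `VendorAccount` class, its field names and the in-memory event list are assumptions, and the expiry sweep stands in for whatever scheduled job the app would run.

```ruby
# Added example (not violet_rails code): a time-boxed vendor remote-access
# account. Access is allowed only while the account is enabled AND inside an
# approved window; enabling, use and disabling are all recorded.
require "time"

class VendorAccount
  attr_reader :vendor, :window_start, :window_end, :enabled, :events

  def initialize(vendor:, window_start:, window_end:)
    raise ArgumentError, "window must end after it starts" unless window_end > window_start
    @vendor = vendor
    @window_start = window_start
    @window_end = window_end
    @enabled = false       # accounts start disabled; someone has to turn them on
    @events = []           # constructed in-memory audit trail (hypothetical)
  end

  def in_window?(now)
    now >= @window_start && now < @window_end
  end

  # Both conditions must hold: a forgotten "enabled" flag is not enough once
  # the approved window has passed.
  def access_allowed?(now)
    @enabled && in_window?(now)
  end

  # Enabling is tied to the approved window and to a named approver.
  def enable!(now, approver:)
    raise "cannot enable outside approved window" unless in_window?(now)
    @enabled = true
    record(now, "enabled", approver: approver)
  end

  def disable!(now, reason:)
    @enabled = false
    record(now, "disabled", reason: reason)
  end

  # Every use while active is logged; use outside the window is refused.
  def record_use(now, action)
    return false unless access_allowed?(now)
    record(now, "used", action: action)
    true
  end

  private

  def record(now, event, **details)
    @events << { at: now.utc.iso8601, vendor: @vendor, event: event }.merge(details)
  end
end

# Sweep a scheduled job would run: disables every account whose window has
# closed and returns the accounts it touched.
def expire_vendor_accounts(accounts, now)
  accounts.select { |a| a.enabled && now >= a.window_end }.each do |a|
    a.disable!(now, reason: "window expired")
  end
end

if __FILE__ == $0
  start = Time.utc(2024, 1, 10, 9, 0, 0)
  acct = VendorAccount.new(vendor: "net-vendor", window_start: start, window_end: start + 3600)
  acct.enable!(start, approver: "ops-lead")
  acct.record_use(start + 60, "ssh login")
  expire_vendor_accounts([acct], start + 7200)
  acct.events.each { |e| p e }
end
```

The event list is what "monitored while in use" looks like in practice: an enable without a matching disable, or a use recorded near the window boundary, is the kind of line a reviewer or an alert rule would look for.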
Reading:
- GDPR Rails: https://github.com/prey/gdpr_rails
- Audit log: https://github.com/collectiveidea/audited
- NLP: https://github.com/ankane/torchtext-ruby
- explainable outlier/anomaly detection: https://github.com/ankane/outliertree-ruby
- named entity recognition: https://github.com/ankane/mitie-ruby
- summarizer: https://github.com/ssoper/summarize
- confidential info redactor: https://github.com/diasks2/confidential_info_redactor
- microsoft word task pane add-in: https://learn.microsoft.com/en-us/office/dev/add-ins/quickstarts/word-quickstart?tabs=yeomangenerator