Release Notes - 2024-AUG-22
Added
Access reviews feature is GA
Added support for Okta as a universal gateway allowing compliance managers to automatically import access lists for user access reviews across multiple applications not supported by Hyperproof today.
When setting up an access review, you can choose Okta as the identity management provider and select from more than 500 applications in the Okta Applications Network. See the list of applications.
Attachments on requests
When preparing for an audit, you can upload example files to requests to help request assignees understand the request more clearly. Request assignees can view these examples while working on the request to provide the required proof.
External Auditors can collaborate with the compliance team using attachments to support the common population sampling audit work processes.
There is also an option to convert an attachment to proof where appropriate.
See the Attaching non-proof documents to various objects idea in the Ideas portal.
See Linking an attachment to a request for more information.
Groups as members of objects
In Settings > People, administrators and compliance managers can create groups of users on the new Groups tab. Once a group is created, it can be added to object membership, and an object role can be assigned to grant the members of that group permissions for the selected object. Groups simplify permission management by granting permissions to multiple users at the same time, instead of assigning permissions individually.
See the Groups as Members of Objects idea in the Ideas portal.
See Working with groups for more information.
Program Label and Risk Mapping is in Managed rollout (MRO)
Automatically map generic evidence (as labels) and generic risks to controls when creating a new program.
This feature includes nearly 250 generic evidence types and 60 generic risks that map to both controls in Hyperproof's templates and controls uploaded by your organization.
This is available for the ISO 27001-2022 program.
Program PRD (SSP) fields export
For applicable programs, such as StateRAMP, the Program Requirement Detail (PRD) fields, or SSP fields, are included in the Program export > Requirement CSV file. If you need to produce the StateRAMP or similar reports in Excel, you can use this data from Hyperproof for that report.
Program templates that this applies to include:
StateRAMP
FedRAMP
CMMC
NIST 800-171
NIST 800-53
CIS
Hyperproof EU is GA
Includes support for all program template content and self-service reporting.
We are ready to add new or existing customers who want to run new programs in Hyperproof EU using a new Hyperproof organization.
Note
Hyperproof does not offer organization migration from Hyperproof US to Hyperproof EU.
Hyperproof Gov is in managed rollout (MRO)
We are ready to add new or existing customers who want to run new programs in Hyperproof Gov using a new Hyperproof organization.
Note
Hyperproof does not offer organization migration from Hyperproof US to Hyperproof Gov.
Improved
Self-service reporting
Updated the data model for REQUIREMENT: added columns for SECTION_SUMMARY, SECTION_1, SECTION_2, SECTION_3, SECTION_4, and DESCRIPTION to help build reports matching the grid views and exports from Hyperproof.
SPRS scoring
Updated the Requirements implementation widget to include a segment for requirements that don't have an associated SPRS weight. Previously, the widget displayed only the requirements that had an associated weight.
Clearly labeled the requirements that are not weighted in the Weighted status widget as Unweighted. This includes SSP requirement 3.12.4.
Improved the labels in the Requirement details tab to differentiate the status used for SPRS reporting from SSP reporting.
Added an information icon to the dashboard to clarify the meaning and behaviors of SPRS scoring: SPRS is developed by the U.S. Department of Defense as a mandatory measure of the implementation of requirements. Updating the status of the requirements will change the score.
Updated the Score widget to indicate whether the SSP is in place (i.e. in NIST and CMMC, requirement 3.12.4 has been implemented).
Hypersyncs and integrations
Hypersync for F5: This Hypersync is being removed from Hyperproof. The F5 AIP software end of life was June 30th, 2024.
Updated proof: Okta - Password Policy proof - Data types for the following fields are being changed from text to number to facilitate Automated Control Testing.
Password expiration (maxAgeDays)
Minimum password age (minAgeMinutes)
Enforce password history (historyCount)
Attempts before lockout (maxAttempts)
Automatic unlock (autoUnlockMinutes)
Important
If you use this proof type for Automated Control Testing, review your test criteria to ensure these fields are treated as numbers, not text, or your test could fail unexpectedly.
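As an added example (not Hyperproof's code), the following Python snippet shows why a test criterion that still compares these fields as text can silently pass on a weak policy: string comparison is lexical, so "120" sorts before "90". The proof values and the thresholds are constructed for illustration.

```python
# Added example, not Hyperproof's code: shows why Automated Control Testing
# criteria for the Okta Password Policy proof must compare these fields as
# numbers. Sample proof values and thresholds are constructed for illustration.
NUMERIC_FIELDS = ["maxAgeDays", "minAgeMinutes", "historyCount",
                  "maxAttempts", "autoUnlockMinutes"]

# Constructed proof records: the same weak policy as text (old data type)
# and as numbers (new data type), plus a constructed compliant policy.
WEAK_AS_TEXT = {"maxAgeDays": "120", "minAgeMinutes": "60", "historyCount": "5",
                "maxAttempts": "10", "autoUnlockMinutes": "0"}
WEAK_AS_NUMBER = {k: int(v) for k, v in WEAK_AS_TEXT.items()}
COMPLIANT = {"maxAgeDays": 60, "minAgeMinutes": 1440, "historyCount": 24,
             "maxAttempts": 5, "autoUnlockMinutes": 0}

# Hypothetical test criteria: (field, operator, threshold).
CRITERIA = [("maxAgeDays", "<=", 90), ("minAgeMinutes", ">=", 1440),
            ("historyCount", ">=", 24), ("maxAttempts", "<=", 5)]

OPS = {"<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}


def text_fields(proof):
    """Return the numeric fields that still arrive as text (str)."""
    return [f for f in NUMERIC_FIELDS if isinstance(proof.get(f), str)]


def evaluate(proof, criteria, as_number):
    """Evaluate each criterion; as_number=False mimics a text comparison."""
    results = {}
    for field, op, threshold in criteria:
        actual = proof[field]
        if as_number:
            a, b = int(actual), int(threshold)      # numeric comparison
        else:
            a, b = str(actual), str(threshold)      # lexical (text) comparison
        results[field] = OPS[op](a, b)
    return results


if __name__ == "__main__":
    # Lexical comparison lets every weak setting pass: "120" <= "90" is True
    # because "1" sorts before "9". Numeric comparison fails all four.
    print("text   :", evaluate(WEAK_AS_TEXT, CRITERIA, as_number=False))
    print("number :", evaluate(WEAK_AS_NUMBER, CRITERIA, as_number=True))
    print("still text:", text_fields(WEAK_AS_TEXT))
```

A quick guard like text_fields() run before evaluation flags any proof where the fields still arrive as text, so the criteria are not evaluated on the wrong type.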
Program frameworks
Digital Services Act (DSA) is now available as a program - The DSA regulates online intermediaries and platforms such as marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms. Its main goal is to prevent illegal and harmful activities online and the spread of disinformation. It ensures user safety, protects fundamental rights, and creates a fair and open online platform environment. The DSA protects consumers and their fundamental rights online by setting clear and proportionate rules. It fosters innovation, growth, and competitiveness, and facilitates the scaling up of smaller platforms, SMEs, and start-ups. The roles of users, platforms, and public authorities are rebalanced according to European values, placing citizens at the center.
The DSA program is not crosswalked and does not include controls.
Updated: ISO 9001 now includes controls as restatements of requirements and is crosswalked. There are currently few other quality control programs, so most of the crosswalking is based on tangential relationships.
Updated: DORA has now been updated with ISO 27001 and ISO 22301 controls and has been remapped to Hyperproof crosswalks.
Updated: PCI DSS 4 has a new version available, 4.0.1, which provides clarifications and corrections to PCI DSS 4.0 without introducing new requirements. Updates include improved language for clarity and refined applicability notes. These changes aim to enhance understanding and compliance efforts.
Important notes about this update:
This update does not make changes to the language of your controls. To update the control language of your PCI DSS 4.0 program, contact your CSM for assistance (control language is modified using a CSV upload to prevent unintentional changes).
The illustrative controls included in this program (available via Requirement -> New Control -> Template) are the requirements + guidance + Test Procedures. If you would like Test Procedures as your controls, please contact your CSM.
Updated text: 32 requirements have modified text.
No requirements have been added or removed.
Addressed issues
Fixed an issue where not all accounts were displayed when configuring the Hypersync for AWS. (Case # 00008522)
Fixed an issue where the Hypersync for Snyk could not connect to Snyk when it was deployed in an EU or AU data center. (Case # 00008552)
Fixed an issue where the Tasks list shown under Work Items took a long time to load. (Case # 00008581)
Fixed an issue where tasks remained active even when the task target was archived and the task status could not be edited. (Case # 00008532)
Fixed an issue where a user with limited permissions could attempt to change a Risk Register name from the Details tab, but was unsuccessful. The user interface has been updated to hide the option to rename the Risk Register unless you have the correct permissions. (Case # 00008638)
Fixed an issue with the Hyperproof IP block list to allow customers within a specified IP address range to access Hyperproof. (Case # 00008686)
Fixed an issue when proof was collected by a LiveSync and attached to an audit request, where the proof version and contents continued to be updated by the LiveSync. (Case # 00008767)
Fixed an issue importing controls to assign scopes that resulted in the import process being stuck in an endless loop. (Case # 00008776)
Fixed an issue with the Hypersync for GitLab where the Project namespace filter in the configuration window repeated the names of projects. (Case # 00008815)
Fixed an issue in SSO with Microsoft Entra ID when the user also has a Microsoft Account linked to the same email address. (Case # 00008786)
Fixed an issue where @mentioning an Auditor who was not a member of the audit in the Activity Feed for a request added the Auditor to the request as a Contributor. (Case # 00008819, 00008821, 00008838)
Fixed an issue with risks where trying to sort risks in the grid by a User Picker custom field caused an error. (Case # 00008829, 00008834)
Fixed an issue with vendors where vendor contacts could not be deleted. (Case # 00008788)
Fixed an issue where importing audit requests from a CSV file with the audit link populated caused duplicate requests in other audits. (Case # 00008846)
Fixed an issue where an auditor could not @mention an audit manager in the Activity Feed for a request if the manager wasn't a direct member of the request. (Case # 00008857)