Release Notes - 2024-MAY-16

Added

Issues on evaluations

  • Allows you to record issues discovered during an assessment. You can:

    • Create an issue directly from an evaluation

    • Import issues with evaluations as the source or as an affected object

    • Select evaluations as a source or affected object when creating an issue through the Work items page

  • See the Issue Creation (Assessments) idea in the Ideas portal.

  • See Linking an evaluation to an issue for more information.

SPRS scoring

Scopes

Self-service reporting - Managed rollout

  • Vendor Health, Risk, and Tolerance are now available in the data warehouse

Access reviews - Managed rollout

  • Added imports for three new applications using the following Hypersyncs: Azure DevOps, GitHub, and Google Cloud Platform

  • Added the option to copy an access review when starting a new one. To copy, select the Start from previous access review option on the Create window. See Copying an access review for more information.

Improved

Hypersyncs and integrations

  • New Hypersync: Snyk: Includes three proof types: List of Users by Org, List of Issues by Project, and Issue Summary by Project.

User interface design and accessibility

  • Updated text and colors to improve readability, scannability, and accessibility

    • Removed the use of light grey for all text and icons unless the option is unavailable

    • Changed all caps to sentence case for field labels and table headers

      Note

      For text supplied by users, such as the field name of a custom field, the text is displayed as typed.

Program frameworks

  • New frameworks

    • AWS Well-Architected Framework is now available as a program. The AWS Well-Architected Framework is a comprehensive guide designed to help cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications and workloads. It is based on five key pillars: Operational Excellence, Security, Reliability, Performance Efficiency, and Cost Optimization. Each pillar includes best practices, design principles, and actionable guidance, enabling architects to evaluate and improve their cloud architecture. The framework also offers a structured approach to review and refine systems, ensuring they align with AWS's established best practices. The program includes controls as restatements of the requirements. It is not crosswalked; we can investigate adding that upon request.

    • Cyber Risk Institute Profile 2.0 (CRI) is now available as a program. The Cyber Risk Institute Profile 2.0 is designed to help financial institutions manage and mitigate cyber risks. Developed in collaboration with industry experts, the Profile 2.0 provides a comprehensive set of standards and best practices to enhance cybersecurity resilience. It aligns with various regulatory requirements and industry guidelines, enabling organizations to systematically assess, prioritize, and address cybersecurity threats. The Profile 2.0 emphasizes a risk-based approach, promoting effective cyber risk management through continuous monitoring, assessment, and improvement of security measures. The program includes controls as restatements of the requirements. It is not crosswalked; we can investigate adding that upon request.

    • Canadian OSFI B-13 is now available as a program. The OSFI Guideline B-13 provides comprehensive cybersecurity risk management standards for federally regulated financial institutions in Canada. It outlines best practices to enhance cyber resilience, focusing on governance, risk assessment, controls, and incident response. The guideline aims to help institutions protect against and respond to cybersecurity threats effectively, ensuring the stability and security of the financial system. The program includes controls as restatements of the requirements and is crosswalked using the SCF dataset.

  • Updates to existing frameworks

    • ISO/SAE 21434:2021 Road vehicles — Cybersecurity engineering has been updated. Now includes controls as restatements of the requirements and is crosswalked with our other programs.

    • ISO 27001:2022/Amd 1:2024 revisions have been applied to requirements 4.1 and 4.2; does not affect controls.

    • CMMC 2.0 controls have been updated for organizations starting a new CMMC program; this does not affect existing programs. For organizations with existing CMMC programs, controls linked to 3.4.7 will need to be updated according to NIST 800-171A rev 2.

    • NIST 800-53 rev. 5 "Full catalog" controls updated for formatting issues. These changes are only available to organizations starting new programs with the full 800-53 catalog; similar changes will be applied in the future to other programs that use NIST 800-53 controls.

Addressed issues

  • Fixed an issue where text was too light in the ID column of Assessments, Audit, and Risk Register, creating a usability and accessibility issue.

  • Fixed an issue where users couldn't log in using Single Sign-on (SSO) after changing their domain. (Case # 00008261, 00008447)

  • Fixed an issue where users invited to a Hyperproof organization attempted to log in with an incorrect email address. The error message returned now contains the email address used in the failed login attempt to help troubleshoot any login errors. (Case # 00008257)

  • Fixed an issue where a user with a compliance manager role and a manager object role couldn't export a program. (Case # 00008496, 00008418)

  • Fixed a formatting error importing controls from a CSV when the scopes feature was not enabled in the organization. (Case # 00008424, 00008425, 0008427)

  • Fixed an issue displaying users in the Jira task integration where errors similar to the following were generated when attempting to assign the task to a user: Max Limit Reached - PayloadTooLargeError - Error Code 413. (Case # 00008396)

  • Fixed an issue where proof for an audit request that was collected by a Hypersync did not allow access to the latest version of that proof. (Case # 00008406)

  • Fixed an issue where moving an organization's SSO configuration from a sandbox organization to a production organization generated errors similar to the following: Single sign-on (SSO) Error: Failed to create connection (Conflict). (Case # 00008392)

  • Fixed an issue where selecting all items in a list of proof filtered by date caused all proof in the proof library to be selected. (Case # 00008386)

  • Fixed an issue where some users saw access denied errors when attempting to access evaluations that were assigned to them directly. (Case # 00008269)

  • Fixed an issue where collecting the List of Vulnerabilities proof using the Hypersync for Wiz generated errors similar to the following: Error: Runtime exited with error. (Case # 00008284)

  • Fixed a formatting issue where dashes at the beginning of the Answer text in a questionnaire caused the display text to be illegible. (Case # 00008333)

  • Fixed an issue where users couldn't enable LiveSync on an empty folder. (Case # 00008270)

  • Fixed an issue where some users' IP addresses were blocked and an RBAC: access denied error was generated when trying to log into Hyperproof. (Case # 00008237, 00008240, 00008303)

    Note

    If you encounter this error, contact Hyperproof Support for help removing your IP address from Hyperproof's block list. This list is in place to guard against IP addresses that may have been used for malicious activity before being recycled and assigned to you. 

  • Fixed an issue with the Microsoft Entra ID Password Protection proof type where fields with a value of "undefined" were not interpreted correctly, causing the data in the proof to be incorrect. (Case # 00008334)

  • Fixed an issue where proof was not accessible from a control if the proof was unlinked and subsequently relinked. (Case # 00008335, 00008349)

  • Fixed timeout errors generated when collecting proof from ServiceNow by adding some additional filter options. For the List of User proof, a filter for Active users was added. For the List of Incidents proof, a filter for Incident state was added. (Case # 00008332)

  • Fixed an issue where an unexpected error was generated when archiving an evaluation from the Work items page. (Case # 00008294)

  • Fixed an issue when importing a task to an audit request where the import accepted the request reference instead of the request ID field. (Case # 00008283)

  • Fixed an issue where the zones criteria for Cloudflare Firewall rules and Zone details proof types were not fully populating when configuring proof collection. (Case # 00008251)