How to use Risk Solutions - paramify/support GitHub Wiki

Risk Solutions are a key aspect of your security program, representing capabilities that can be mapped to various requirements.

Overview

Risk Solutions are a crucial part of your security strategy. They represent capabilities that your organization either currently possesses, plans to implement, or does not yet have. Importantly, these Risk Solutions are framework-agnostic, meaning they can be applied to satisfy controls from various frameworks.

Paramify maintains a library of battle-tested Risk Solutions, audited and certified many times over. Depending on your license, you are welcome to use any solution as-is, customize it to your needs, or write your own.

Creating a Risk Solution

To create a Risk Solution, navigate to the appropriate page and click on the "Add Solution" button. Assign a name to the solution and optionally categorize it for easier searching and filtering. After saving, you can add additional information.

  • Narrative: A brief statement describing the capability. It should reference elements from your library and can use dynamic template tags that are filled in automatically with project-specific information. Each narrative is assigned a responsible role, the person accountable for making the narrative "true".
  • Implementation Status: Indicates whether the solution is currently in operation, planned for implementation, not implemented, or not applicable (with a reason).
  • Main Component: Associates the solution with a specific component of the system. If left blank, the capability is assumed to be inherent to the overall system.

Mapping Risk Solutions to Controls

Mapping Risk Solutions to control parts streamlines the management of requirement responses and reduces redundancy. To map a solution to a control, navigate to the solution detail page and click on the "Mappings" tab.

Risk Solutions can be mapped in three ways:

  • To a project requirement: Risk Solutions can be mapped directly to a specific requirement in a specific project.
  • To a source requirement: Risk Solutions can be mapped generically to a source requirement (a control in the underlying framework) rather than to any one project, so the mapping may or may not be relevant to a given project.
  • To a component or collection: Risk Solutions can be mapped to a component or a collection of components, in which case the solution is only applicable when that component is in scope for the project.
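The three mapping types interact when a project is assessed: a solution reaches a project requirement either directly or through the source requirement that project requirement was derived from, and a component or collection mapping acts as a scope gate. The following model is an added example written for this page, not Paramify's own code or API. It assumes (hypothetically) that each project requirement records the source requirement it derives from, that a collection is a named set of components, and that a component-mapped solution is in scope when at least one of its components is in the project's scope. All names and requirement ids in the sample data are constructed.

```python
"""Hypothetical model of Risk Solution mappings (not Paramify's API)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Status(Enum):
    IMPLEMENTED = "implemented"
    PLANNED = "planned"
    NOT_IMPLEMENTED = "not implemented"
    NOT_APPLICABLE = "not applicable"


@dataclass
class RiskSolution:
    name: str
    status: Status
    main_component: Optional[str] = None        # None: inherent to the whole system
    project_requirements: set = field(default_factory=set)   # project requirement ids
    source_requirements: set = field(default_factory=set)    # framework control ids
    components: set = field(default_factory=set)             # component or collection names


@dataclass
class Project:
    name: str
    requirements: dict            # project requirement id -> source requirement id (assumption)
    in_scope_components: set


def expand(names, collections):
    """Replace collection names with their member components (assumption: a collection is a named set)."""
    members = set()
    for n in names:
        members |= collections.get(n, {n})
    return members


def in_scope(solution, project, collections):
    """A component/collection mapping gates applicability; no mapping means always in scope."""
    if not solution.components:
        return True
    return bool(expand(solution.components, collections) & project.in_scope_components)


def applicable_solutions(project, solutions, collections=None):
    """Return project requirement id -> names of solutions that reach it, in library order."""
    collections = collections or {}
    result = {req: [] for req in project.requirements}
    for sol in solutions:
        if not in_scope(sol, project, collections):
            continue
        for req, source in project.requirements.items():
            # direct project mapping, or generic mapping via the source requirement
            if req in sol.project_requirements or source in sol.source_requirements:
                result[req].append(sol.name)
    return result


def coverage_gaps(project, solutions, collections=None):
    """Project requirements with no *implemented* solution mapped to them."""
    by_name = {s.name: s for s in solutions}
    gaps = []
    for req, names in applicable_solutions(project, solutions, collections).items():
        if not any(by_name[n].status is Status.IMPLEMENTED for n in names):
            gaps.append(req)
    return sorted(gaps)


# Constructed sample library, collections and projects (not real data).
COLLECTIONS = {"data-stores": {"postgres", "s3"}}

SOLUTIONS = [
    RiskSolution("Central SSO with MFA", Status.IMPLEMENTED,
                 source_requirements={"NIST-800-53:IA-2", "ISO-27001:A.5.17"}),
    RiskSolution("Encryption at rest (KMS)", Status.IMPLEMENTED,
                 source_requirements={"NIST-800-53:SC-28"}, components={"data-stores"}),
    RiskSolution("Quarterly access review", Status.PLANNED,
                 project_requirements={"fedramp-AC-2"}),
    RiskSolution("HSM key custody", Status.IMPLEMENTED,
                 source_requirements={"NIST-800-53:SC-12"}, components={"hsm-cluster"}),
]

FEDRAMP = Project("FedRAMP Moderate", {
    "fedramp-IA-2": "NIST-800-53:IA-2",
    "fedramp-SC-28": "NIST-800-53:SC-28",
    "fedramp-SC-12": "NIST-800-53:SC-12",
    "fedramp-AC-2": "NIST-800-53:AC-2",
}, in_scope_components={"web", "postgres"})

ISO = Project("ISO 27001", {"iso-A.5.17": "ISO-27001:A.5.17"},
              in_scope_components={"web"})

if __name__ == "__main__":
    for project in (FEDRAMP, ISO):
        print(project.name, applicable_solutions(project, SOLUTIONS, COLLECTIONS))
        print("  gaps:", coverage_gaps(project, SOLUTIONS, COLLECTIONS))
```

Running this shows the framework-agnostic point: the single "Central SSO with MFA" solution satisfies both the FedRAMP and the ISO project through two different source requirements. It also shows why the component gate matters: "HSM key custody" is mapped to SC-12, but because hsm-cluster is not in the FedRAMP project's scope it does not count, so SC-12 surfaces as a gap alongside the still-planned AC-2 review.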