Isora GRC Release Notes

Isora v1.0.1.1

February 16, 2024

What's New

  • Added Isora version information to the user menu dropdown.

Bug Fixes

  • Resolved an issue with the search bar in report responses that was not returning any results. It now correctly returns results from categories and questions.

  • Addressed a bug preventing unit assessments with asset enrichment from being launched or acknowledged.

  • Addressed a bug that was restricting users from accessing reports.

Isora v1.0.1

February 9, 2024

What's New

  • Enhanced Clarity for Assessments: Introducing the "Partially Launched" status on the unit assessment dashboard for a more intuitive understanding of assessments with mixed "Active" and "Launched" survey states.

  • Optimized Assessment Page: We've refactored the assessment page for better performance, significantly reducing loading times, especially with large datasets.

Bug Fixes

  • Unit Hierarchy Display: Resolved an issue where the deploying unit field was not correctly displaying the unit hierarchy tree in the setup wizard.

  • Data Accuracy in Reports: Fixed the bell curve report widget to ensure data accuracy.

  • Exported Document Column Names: Corrected inaccuracies in column names within the .docx response export feature.

  • Letter Grade Calculations: Adjusted the letter grade algorithm to ensure accurate grading.

  • User Access: Addressed issues with user roles and permissions that previously restricted access to certain features.

API Enhancements

  • We've made several updates to the API to support our platform's ongoing redesign.

Version 2024.01

  • FIX: Temp fix for querying /api/questionsnapshot/<id>, if survey is in query parameters.

  • NEW: Making Isora Lite configurable from a regular instance, so Lite is easier to maintain.

  • NEW: New UI Changes: risk register, add new fields to vendorproduct and vendorproductsurvey, add new fields to app and appsurvey,  add new fields to classificationsurvey, update statuses on assessment and surveys, add new deployment environment - Evaluation, add default instructions - set it on all existing surveys,  add ability to launch all surveys from an assessment request, add ability to save launch options to surveys so users can save as draft, add ability to import previous survey responses on launch for vendorproductsurveys, adding report mean to app and vendor most_recent_report representation.

  • NEW: New UI: Adding new attribute for participants to Assessment - it's a combination of all users who might participate in the assessments surveys (ou heads, assessment managers, IT contacts, delegate users).

  • FIX: Fix Classification and App Survey Statuses.

  • FIX: New UI: Fix for final_acknowledged_date in report for when the survey is in pre-final acknowlegement phase.

  • NEW: Add filter_queryset to querysets for reports/all and reports/listdetails endpoints to honor any query parameters passed to them for the New UI.

Version 2023.12

  • FIX: Inventory updates: Fix vendorproduct.assessment_type filtering and add filtering to VendorProductContacts. 

  • NEW: Add system_type breakdown for classification surveys to ReportData for use in New UI reports.

  • NEW: Add bulkremove option for attachments in UnitAnswerViewSet for New UI.

  • NEW: Surveys - updating statuses and adding new attribute for assessment status.

  • NEW: NEW UI: Add participants and system_types to reports and product filter to surveys.

  • NEW: Three changes for the New UI display of question lists: We are giving the users a preview of the question list they select when creating/previewing/launching surveys. 1. Making QuestionViewSet AdminOrReadOnly instead of AdminOnly. 2. QuestionListViewSet adding Classification Surveys to queryset. 3. Making QuestionCategoryViewSet AdminOrReadOnly instead of AdminOnly.

  • NEW: Add new entry 'Evaluation' to DeploymentEnvironments.

  • NEW: Add Default AssessmentInstructions, attach it to all assessments for New UI.

  • NEW: Add findings count to reportdata.questions.unit.current for all answers not NA or Favorable.

  • FIX: Fixing order of answer choices ordering by multiplier then text, so that when answer choices have the same multiplier, they are ordered by text.

  • NEW: Summarize CMMC report on backend: future frameworks will be summarized on the backend so that rendering in the New UI is easier.

  • NEW: Updates to SurveyViewSet filters: 1. Filtering out deleted assessment_types for survey param. 2. Added filter by product.

  • NEW: Add grade, grade description, and findings count to report question summary for New UI.

  • NEW: Add listdetails endpoint to reports, ability to filter by specifying ids: it is similar to the reports endpoint except the user can filter on report ids as well.

Version 2023.11

  • NEW: Risk Register downstream activities: enabling risk register downstream, i.e. the ability to create a risk score from an advanced report missing control, from the detailed control breakdown.

  • NEW: New UI Changes: risk register, add new fields to vendorproduct and vendorproductsurvey, add new fields to app and appsurvey,  add new fields to classificationsurvey, update statuses on assessment and surveys, add new deployment environment - Evaluation, add default instructions - set it on all existing surveys,  add ability to launch all surveys from an assessment request, add ability to save launch options to surveys so users can save as draft, add ability to import previous survey responses on launch for vendorproductsurveys, adding mean app and vendor most_recent_report representation.

  • NEW: Add CSV Imports and Exports to /api/apps backend.

  • NEW: New UI frontend changes: Added feature flag for new UI - can turn it on and off per instance. Converts app, vendor, classification links to new UI.

  • NEW: Added attested_surveys to vendorproductcontacts API endpoint: New UI change so we can see which survey / product the contact attested in the API.

Version 2023.10

  • NEW: Calculate average category score in report.

Version 2023.09

  • FIX: Assessment Type num_assessments fix, adding filters to apps and vendor products for assessment_type of surveys they've participated in: 

    • Adding changes to return num_assessments in assessments types as what assessments the user can see (so there are no questions).

    • Adding filter to apps and vendorproducts for assessment_type for surveys the app participated in. Uses AssessmentSecuredQuerySets.get_surveys_queryset to honor permissions.

  • NEW: Added reports mean to surveys endpoint if the survey has a report generated.

  • NEW: Add CSV imports and exports to /api/vendors backend.

  • NEW: Added CSV Imports and Exports to /api/vendorproducts backend.

  • NEW: Added readonly field to questioncategorysnapshot endpoint for new UI.

  • NEW: Added status fields to assessments for new UI: Added number of surveys, added number of surveys completed, added status (Active, Draft, Complete).

  • NEW: Added level filter on /api/orgs endpoint for use in new UI.

  • NEW: New queries and attributes for new UI: assessment_types - filter on running (true or false), assessment_types - filter on target (1, 3, 6), assessment_types - count of assessments, assessments - filter by type (id), assessments - filter by product, app, ou (id), assessments - filter by target (1, 3, 6).

  • NEW: Allow vendors to upload documentation that matches Isora configurations (new UI).

Version 2023.08

  • NEW: Added question parameter (questionlist=questionlist_id) for returning categories, questions in tree order.

  • FIX: Fetch questionlists/all on the create assessment modal from assessments page.

  • NEW: Added tooltip to "Enable host categorization" checkbox in org unit assessment setup dialog.

  • FIX: Fixes external-user access to surveys.

  • FIX: Two updates to orgs endpoint to make working with it easier for the new UI: 1. Added param (parent=uuid) to orgs endpoint for querying level 2. Added attribute num_children.

  • NEW: Added created_date to vendorproducts API endpoint (new UI).

  • NEW: Added new notification options:

    • Adds a VendorRequester contact type.

    • Notifies the above (and some other roles) on vendor survey launch.

    • Adds a new event, vendor survey renewal, and notifies superusers when called.

    • Adds a script to run to send renewal notices.

    • Adds some notification variables useful for the above.

  • NEW: Adding user_total, user_remaining, user_complete to a survey’s progress for questions and classification indicating user specific progress to surveys api endpoint.

  • FIX: Fix for uploading documentation files larger than 2.5MB.

  • FIX: Fix Org Survey Launch Modal Options Bug.

  • FIX: Can now launch an assessment without favorable and unfavorable choice. UI does validation checking when a favorable and/or unfavorable choice is deselected, it is cleared.

  • NEW: Add CSV endpoint for downloading questions in question lists. The option shows up in “Settings” > “Question Configuration” > “Question Lists” as a download icon.

Version 2023.07

  • NEW: New Survey Status Attribute to surveys api endpoint. New Statuses are: Draft, Published, Active, Requires Acknowledgement (Questionnaire), Requires Acknowledgement (Enrichment), Requires Acknowledgement (Survey), Requires Acknowledgement (Assessment Report), Completed.

  • NEW: Add request timing info to logging-middleware output as a way to calculate timing info for API calls.

  • FIX: Risk Register: remove the requirements for the impacts and likelihoods, default them to 0.

  • NEW: Add help for CSV Upload button on survey page.

  • NEW: This patch introduces a comments backend for Isora GRC. It exposes a new endpoint: /api/comments. This endpoint is used strictly to add comments to an existing non-resolved thread.

  • NEW: Added the ability for admins to create org unit (classification) assessments without the host categorization portion.

  • NEW: Added Markdown support for email notifications, which is rendered to HTML before being sent (attached in addition to a plaintext version).

  • NEW: Made Deployment Environment field customizable for products.

Version 2023.06

  • NEW: Added a bulk unitdelegate endpoint to create and delete in bulk through /api/unitdelegates/bulk?survey=SURVEYID endpoint.

  • NEW: Unit answers bulk update, adding category to success and error rows.

  • FIX: Fixes for auditor permissions.

  • NEW: Display assessment name for launched and completed vendor assessments.

  • NEW: Added number of sheets to the /api/orgs endpoint.

  • NEW: Adding categories/all endpoint to show more than 25 categories.

Version 2023.05

  • NEW: Added tooltip to Add Documentation button and related tooltip improvements.

Version 2023.04

  • NEW: Admin has ability to upload and download survey answers in CSV format.

  • FIX: Risk register report now pulls /api/riskscores/all endpoint 

  • FIX: Custom attributes population - response groups needs /allRiskRegister endpoint - to limit all custom attributes that pertain to the Risk Register

  • NEW: Added due dates to Open App and Classification Surveys listings.

  • FIX: Fix to show VendorProductContactsin Vendor Product Deployments when you have more than 25 VendorProductContacts.

  • FIX: Fix for bulk lock and save not working when there are questions not answered.

  • FIX: Fix to show all Vendor Product Deployments in Vendor Products when there are more than 25 deployments total.

  • FIX: Fix to show all assessmenttypes (when there are more than 25) when launching an assessment on Assessments and Settings pages.

  • NEW: For app reports, added a new section to the reportdata blob, where we find all of the app reports matching the vertical and calculate the mean for the question categories if found. Since the app's vertical is not a requirement, this gave us some errors when trying to render the dynamic portion of the report blob. This PR accounts for this problem.

Version 2023.03

  • FIX: Fix migration conflicts for assessments.

  • NEW: Added the ability to delete a vendor product.

  • NEW: Allows users to add documentation to exception requests.

  • NEW: New model for adding Assessment Instructions, where admins can create them and add it as an attribute of an Assessment. Should be available to Surveys. Right now this is only available via the api.

  • FIX: Fix for previous answers that were NA.

  • FIX: Fix for when a user is an AppUserContact who can assess, can lock, but not unlock an answer on an app survey.

  • NEW: Added category as a searchable field for hosts through the api.

  • NEW: Add category as a searchable field for Apps through the api.

  • NEW: Added the ability to Import and Export Policies via CSV.

Version 2023.02

  • FIX: Fix for multiple leaf in migrations due to answer_text and question category merges.

  • NEW: Added sending notifications to question category delegates when they are added to a question category.

  • NEW: Add /all to /api/apps endpoint to provide an unpaged list of apps, so it's easier to query /api/apps/all?attribute=value.

  • FIX: TreeCsvUploadHandler - filtering out deleted things when looking up parent objects.

  • NEW: Push label of answer choice selected to unit answer and report.

  • NEW: Added chosen answer's text/label to csv export.

  • FIX: Bug in auto-lock/import logic for UnitAnswers that did not copy over new answer_text value from previous UnitAnswer objects.

  • FIX: Question CSV upload now filters out deleted parent and question categories so question is not attached to incorrect parent and/or question category.

  • FIX: Rendering of host-asset MAC addresses in Exception Request asset selector view.

  • FIX: Bug when trying to create a vendorverticalcategory record through the api.

Version 2023.01

  • NEW: Documentation upload for Assets (Hosts, Apps, Vendor Products)

  • FIX: Bug on the trend chart where a survey's assessment must have all surveys completed before this survey's score shows on the trend chart. This fix includes the survey in the unit trend line if its assessment has unfinished surveys. The org trend line will not have a point for the same time, until all surveys are completed.

  • FIX: Added ability to switch dashboards for apps. Apps now has 3 dashboards in the switcher: Current dashboard is now named: 1. Basic App Report (Default). 2 new dashboards: 1. DFARS & CMMC 2. Advanced App Report (exactly like vendor report)

  • FIX: Fixed local auth error message for invalid credentials

Version 2022.12

  • FIX: Advanced vendor report - in category breakdown, it previously showed all categories in all reports in the vertical when report being viewed doesn't have those categories. That muddies up report between hecvat versions, different question lists, etc. This visualization now compares only the categories in the current report across the vertical.

  • FIX: Update handling of N/A categories to re-calculate the category score if ANY answer is N/A

Version 2022.11

  • FIX: Fixing question list dropdown (not paginating) on new/edit assessment form

  • FIX: Adding Assessment Save UI Notification on Settings > Assessments > Assessments edit/new page

  • FIX: Adding a UI notifiation to the Host Classification Save All functionality. The notification shows up and the 'Save All' button is disabled when user clicks 'Save All'; the notification disappears and the 'Save All' button is enabled when success or fail is returned from server.

  • FIX: Dropdown fixes for safari browser to work properly

  • FIX: Child org unit risk register data is read only when the user is assigned the Risk Auditor role and Inherit is selected.

Version 10.2022

  • NEW: New Risk Register Reporting Page

  • FIX: Risk Register - Removed risksettings endpoint

  • NEW: Risk Register - Added scope to config

  • NEW: Risk Register - Ability to change labels through config

  • FIX: Risk Register - Cleaned up results on History Tab on Risk Score record

  • NEW: Risk Register - Added ability to create risk on upload if it doesn't exist

  • NEW: Risk Register - Added ability to create risk on risk score create / edit if it doesn't exist

Version 2022.09

  • NEW: On host, set last editor to the saving user and save edited date

  • FIX: Erroneous tooltip about expiration date in New Assessment dialog modal

  • FIX: Survey launch dialog, links to docs about notifications

  • FIX: Add the ability to edit exception requests

Version 2022.08

  • FIX: Cleanup display on hosts and surveys, save to pdf

  • FIX: Make UI changes to question helptext, Show a tooltip for extended helptext display on survey ou question template, Add a modal for displaying very long Question HelpText. Display HelpText in that modal instead of a popup when the HelpText is long.

  • FIX: Updated Delete dialogs for org units, questions and categories to be more useful

Version 2022.07

  • FIX: Added tooltips to drop-downs and checkboxes for data classifications and categories to show help text

  • NEW: Host bulk delete

  • FIX: Fix to logging for performance increases

  • NEW: Risk Register

Version 2022.06

  • FIX: Comment header in CSV file for Permissions upload

  • FIX: Lite sync script updates

  • NEW: Allow running assessments to have their question snapshots updated

Version 2022.05

  • FIX: Update exception request to use user profile username entry rather than user.username to avoid issues when users are deleted

  • NEW: Multiple vendor product deployments can now be added to an Organization's product inventory (previously, OUs could only add one deployment per vendor product). A given owner org unit can now add three deployments to their vendor product inventory representing test, development, and production environments.

  • FIX: Improved error message when trying to save a duplicate vendor product deployment to an org.

Version 2022.04

  • NEW: Advanced Vendor Dashboard: Gives users the ability to filter on various question attributes, compare category averages between the vendor and the vertical average, and understand high vs low risk vendor answers.

  • NEW: Added questions complete count in vendor and app survey listing in Assessments > Open tab.

  • FIX: Staleness indicator on vendor survey listing in Assessments > Completed tab.

  • FIX: Disable report dashboard dropdown when there's only one report dashboard.

  • FIX: Updates Basic Vendor Report > Answers tab to display consistently between browsers. Firefox and Chrome previously displayed differently.

Version 2022.03

  • NEW: Automated documentation now available for API endpoints: https://myisoraurl/api/schema/redoc/. Users must be authenticated into Isora to have the ability to read the api documentation.

Version 2022.02

  • NEW: Users can choose from additional options to increase the number of Hosts displayed per page when viewing a Sheet.

  • NEW: The filter popover menu has been redesigned on the Sheet view page.

  • NEW: Users and Vendor Requestors can now create and view exception requests for hosts on which they've been added as a delegate.

  • FIX: Users can now download attached files in completed assessments as expected.

Version 2022.01

  • NEW: New vendor assessment surveys now default to allow report to be viewed by others. This allows users who may be interested in a specific vendor to assess the vendor using the existing report.

  • FIX: Deleting vendor surveys from the Assessments page now works as expected.

Version 2021.12

  • NEW: As part of a settings config update, users can now view the Isora version in the bottom right-hand version on the Settings panel.

  • NEW: Org Unit Assessment survey types can now be deleted through the API by system admins. This functionality is in addition to existing delete capability by various roles for vendor and application assessments. 

  • NEW: CMMC Dashboard updates - Adding question criticality filter to Detailed Control Breakdown filters (to be able to search by most critical controls). Added Unit to front of report header.

  • NEW: Added column to QuestionLists page to show target types

  • FIX: fixed capitalization issues

  • FIX: replaced Type with Series

  • FIX: fixed output display of question list target type

  • FIX: Tooltip improvements

Version 2021.11

  • NEW: Users can bulk apply a Classification value to multiple hosts on a sheet using the Bulk Action drop-down selection menu. If the user selects the “Confidential” data classification from the pop-up window, then they will also be presented with the option to select data category values to bulk apply to the hosts.

  • NEW: When choosing to import previous answers at survey launch, all available previous answers will be imported regardless of any changes made to the underlying questions since the last survey took place. This assumes that most questions get edited to update language, correct errors, or adjust answer requirements, but leaves the intent of a question the same. If an imported answer fails to meet the updated intent or requirements of a question, the user will need to take action to meet those requirements.

  • NEW: Added ability for user to switch between the Comparative (default) and DFARS & CMMC (New) dashboards. The dashboard searches specific tag frameworks (NIST 800-171, CMMC Level, SPRS) to show a complete dashboard with SPRS Assessment Score, and a breakdown of NIST 800-171, CMMC Levels 1, 2, and 3. In the detailed control breakdown, users are able to search/filter questions, answers, categories and statuses.

  • NEW: Acknowledging a survey brings policies into the report data endpoint.

  • NEW: Isora Admins can now create asset statuses via the API and apply one or more to a vendor product via the UI. New status endpoint /api/assetstatuses.

  • NEW: Admins can now specify which notifications they want to send to users.

  • NEW: Users can bulk delete multiple hosts from a sheet using the Bulk Action drop-down selection menu.

  • NEW: Users can bulk apply a System Type value to multiple hosts on a sheet using the Bulk Action drop-down selection menu.

  • NEW: Users can bulk apply a Priority value to multiple hosts on a sheet using the Bulk Action drop-down selection menu.

  • NEW: Users will now see more-helpful context messages in confirmation dialogs when deleting certain assets from Isora GRC.

  • NEW: When disabling former users, disabled users will also be removed from all App and Vendor Product Deployment-related listings.

  • FIX: When canceling a bulk action, the bulk action dropdown menu will be disabled and greyed out.

  • FIX: Searching for hosts now works as expected.

  • FIX: Editing vendor products now works as expected (admin role only).

Version 2021.10

  • NEW: Expanded vendor inventory management capabilities – allowing units to create and manage local metadata for their respective vendors.

  • NEW: UI will now check for an answer and explanation before prompting the user to attach a file on an assessment question.

  • NEW: Users can now see additional metadata about duplicate hosts (e.g., by MAC, by IP, by sheet).

  • NEW: Users will no longer see Technical Contact and Delegate links on Open Unit and Application Assessments when the count of Technical Contacts and Delegates equal zero.

  • FIX: Corrected a problem where org unit question responses weren't correctly downloading as a CSV.

  • FIX: Corrected an issue where a report wouldn't appear on the reports page once an assessment was completed unless a hard browser refresh was triggered.

  • FIX: Users will now receive an improved error message when creating a new assessment.

  • FIX: api/metadata endpoint will now return data. Fixes bug after vendor/assessment merge.

  • FIX: The Vendor Product Description field has been expanded so users no longer need to scroll when viewing longer descriptions.

  • FIX: The App Description field has been expanded so users no longer need to scroll when viewing longer descriptions.

  • FIX: The Settings > Question Configuration > Question List treeview listing indents child questions appropriately.

  • FIX: Report csv downloads will now show question ID, which will allow users to find the text of the parent question.

  • FIX: Issue with a spinning hourglass when selecting the tree view in the Question Configuration section has been resolved and selecting the tree view now works as expected.

Version 2021.09

  • NEW: Users can now attach documentation to surveys with file names of up to 250 characters.

  • NEW: Users can now add a description to sheets.

  • NEW: New sheets that have never been edited now say “never edited” instead of showing the created date.

  • NEW: Users can now filter hosts by “seen_after” in API.

  • NEW: Improved save workflow on the Notifications page and added clearer success messaging.

  • NEW: Updated capitalization on delegates listing and host categorization page to be consistent with other UI style elements.

  • FIX: Moving hosts in bulk from one inventory sheet to a new inventory sheet, now works when choosing from the sheet suggestion list.

Version 2021.08

  • NEW: Super users can now enable API access when creating a new user as expected.

  • FIX: Assessments page will now refresh open assessments when a new vendor assessment is added.

  • FIX: Uploading and downloading documentation on external vendor survey links now works as expected.

  • FIX: Links to download attachments on answers in reports now works as expected. The issue was incomplete data available to the page when rendering to get to the proper download destination. Test coverage now includes checking for this necessary information.

  • FIX: Notifications now send to assessment managers and superusers on vendor/app survey final acknowledgement.

  • FIX: Sheet CSV exports now properly export the “category” field now as a nested CSV.

  • FIX: Allow org unit type assessment creation to progress beyond the first dialog page.

Version 2021.07

  • FIX: Shared Vendor Surveys now have a unique UUID for each organization that is able to view the survey.

  • FIX: Some host sheet downloads were failing due to Django update; issue has been fixed so that all host sheets download as expected.

  • FIX: Csvs upload as expected.

Version 2021.06

  • NEW: Settings UI updates.

  • NEW: Allow "enter" to activate the As-User form.

  • NEW: Allow As-User form to search users by name.

  • NEW: Allow moving hosts from one sheet to another.

  • NEW: As part of Location serialization, include number of assets in that location.

  • FIX: Updates to various builtin help texts.

  • FIX: Highlighting duplicated hosts in a more obvious way.

  • FIX: Prevent host info popup from appearing if user has selected text.

  • FIX: Return a more specific error (rather than 500) on user creation attempt when missing attributes.

  • FIX: Handle deletes of Locations more gracefully.

  • FIX: Allow searching of sheets to filter only sheet metadata (rather than linked assets as well).

  • FIX: Update dependencies, including to Django 3.2.

  • FIX: Bug wherein a user sheet owner might not see hosts in the express view.