Summary
GRC Tool - Technical Knowledge Transfer Session
Highlights
The session begins with an objective to understand the development process module by module, including code standardization and unit testing. There's a critical discussion about data dictionaries and data flow, with Jagruti having prepared an initial data dictionary that Ajay needs to update for new columns and Shivam's contributions. The team aims to finalize a formula by the end of the day, with Avinash reviewing it.
A key action point is the deployment of encryption for product keys and code security. The discussion highlights the risk of unencrypted code files, especially for client-side installations, and the need for a tool to obfuscate or encrypt the code. Database encryption for sensitive columns is also identified as a critical issue. The management of product keys and user licenses is discussed, emphasizing the need for an automated, secure mechanism for key distribution rather than manual travel.
The team discusses the importance of a comprehensive user manual, including sections on installation prerequisites. Prerequisites are categorized into infrastructure needs (machine configuration), environment system support (SSL certificates, browser compatibility, services), and configurable settings (network path rights, admin rights, default passwords). The need for backward compatibility with Windows versions (10 onwards) and impact analysis for upgrades (e.g., Windows 10 vs. Windows 11 Pro) is also addressed.
The discussion moves to workflow processes, particularly policy approval which involves a two-level approval system. Internal and external audits are also covered, along with defining granular access rights for different user types (e.g., admin). The importance of clear mapping between checkboxes, procedures, and their impact on system functionality is stressed, along with the need for a 'head master checklist' to verify these connections.
The team reviews the user interface, specifically the sidebar for DBCR and user groups. The conversation centers on how groups (like 'ISO group' or 'PCI DSS group') are managed, including read/write/edit rights, control checks, and approval buttons. The mapping between these group rights and the code is questioned, emphasizing the need for clear links to forms and tables, which forms a key action point for Ajay.
User registration fields are reviewed, including mandatory requirements for email, password, and primary business name. The 'AI' field in user status is clarified to mean 'Active/Inactive' rather than 'Artificial Intelligence', with a recommendation to relabel it to 'Status' for clarity. The session also covers the importance of tracking active and inactive user statuses, recording data and time for status changes, and basic validations for mobile numbers.
The discussion delves into certification details, including defining certifying body, certification number, validity, and number of days remaining until expiry. A review reminder system is proposed to notify users 30 days before certification expiration. Company profile fields like start and end dates, audit frequency, and organizational chart uploads are also reviewed. The formats for uploading organizational charts are also discussed, with a suggestion to predefine supported formats.
The team discusses configurable settings, such as session timeout (with a security concern raised about a 24-hour hardcoded timeout). Data storage and evidence files are also covered, with a preference for storing evidence files on the server or cloud, and the capability for customers to increase server storage for policy and procedure evidence. The current system using Google Drive with hardcoded client ID and secret is flagged as a major bug due to security concerns.
The concept of dynamic content generation, particularly for company briefs, is explored. The idea is to use AI to generate brief descriptions from uploaded documents and provide options for manual input or generating with AI. This also extends to vision documents and product/service information, ensuring the authenticity and accuracy of the generated content.
The session covers database connectivity and initial setup for new installations. The process involves creating a new database, populating it with default global data entries and schema, but with blank data tables. This allows for a quick setup for new customers or POC environments, with the tool handling automatic linking for company-specific databases upon login.
Incident management is reviewed, focusing on incident flow, logging events, business impact analysis, and associated actions. The discussion then moves to change management, defining a change request, its source (bug fixes, commercial benefits, compliance changes), and its lifecycle. The importance of assigning change numbers (incremental), associating incidents, and managing approval processes is highlighted. The various statuses for change requests (open, pending, closed) and reasons for rejection are also discussed.
A detailed discussion on password reset mechanisms explores three approaches: direct temporary password email, OTP verification, and a reset link via email. The critical point raised is the need for a verified email ID during registration to ensure the security and effectiveness of any chosen password reset method. The preferred approach involves sending a temporary password to a verified email, with the user being prompted to change it upon first login, incorporating validation for the new password.