Version: 1.0.438

Documentation for Unicis Cybersecurity Controls for Jira - Unicis.CSC


Introducing the Cybersecurity Baseline Controls App, an enterprise-ready solution for small companies to enhance their security posture within Jira. This app provides a comprehensive set of baseline controls to safeguard against cyber threats, including regular security assessments, incident response planning, and vulnerability management. By implementing these best practices, companies can effectively protect their sensitive data and minimize the risk of a data breach. Additionally, the app is easily integrated into Jira, ensuring a seamless and efficient implementation process for businesses. Upgrade your company's cybersecurity with the Cybersecurity Baseline Controls App for Jira.

It is based on the Minimum Viable Secure Product (MVSP), a minimum security baseline for enterprise-ready products and services.

It can be used for several purposes:

The documentation for MVSP controls is brief and easy to understand. It can give you a common cybersecurity benchmark for choosing vendors and makes the duties of sourcing teams easier.

Demo

For more info please see the demo video (1:01 minute long):

Requirements

Unicis CSC is developed on the Atlassian Forge platform, so it can only be installed in the Atlassian Jira Cloud product. It requires read, write, manage and storage access to your Jira account because the cybersecurity controls are stored in your Atlassian Cloud instance and are not shared with Unicis. It cannot be installed on Jira Server or Data Center setups.

Installation

You can install Unicis Cybersecurity Controls for Jira - Unicis.CSC from the Atlassian Marketplace. After installation, you will be asked to grant access. Keep in mind that the Unicis CSC application requires storage, manage, write and read access to your Jira account; however, it does not share your data with Unicis. The data stays with your Atlassian Jira account.

Atlassian Marketplace
IAP

Configuration

tip

You need to assign the CSC app to one or more Jira projects.

Keep in mind that all assigned projects share one dashboard. As a result, a company can have only one security team and only one unified set of cybersecurity controls.

Click Apps in the top header, click Manage your apps, then in the side panel under APPS click Cybersecurity Control Settings. You will see the screen below.

To enable CSC for an existing Jira project, click Add Project.

info

Multiple projects can be added.

There is one action available: Delete.

Delete

You can delete an added project.

danger

All cybersecurity controls related to this project will be erased.

Features

The Cybersecurity Control app has several features, such as:

  • You can enable the Unicis Cybersecurity Control app for Jira by assigning it to one or more Jira projects.
  • You can designate several Jira tickets as a baseline or proof of evidence for each criterion, i.e. control and requirements.
  • Utilizing the ISO/IEC 21827:2008 methodology for security maturity score, an interactive dashboard and overview of your company's security baseline posture are provided.
  • A filter on the interactive table based on the current state of the capability model for each area, control, and requirement.

info

The CSC app works with any Jira project template, for instance software project, service project, HR service management, legal service management, etc. There is no limitation.

For more details, please see the subsections.

Dashboard

CSC provides you an overview dashboard for all the baseline cybersecurity controls that are assigned for the Jira Project.

There are two ways to reach the dashboard:

  1. If the project is a Jira Software project, select Cybersecurity Controls Dashboard on the left side of the screen.
  2. If it is a Jira Business project, select Cybersecurity Control Dashboard from the dropdown menu under Apps in the top menu.

note

Multiple assigned Jira projects share one CSC dashboard. As a result, there can be only one security team and only one unified set of cybersecurity controls.

The dashboard consists of two sections.

Firstly, there are two charts:

  1. A pie chart illustrating the status of cybersecurity controls according to the proportion of controls.
  2. A radar chart showing security maturity levels in accordance with the ISO/IEC 21827:2008 methodology, with multiple data points and the variation between them.

The second section is a table with a list of controls and the following columns:

  • Code, for example MVSP-1.1
  • Section, for example, Business Controls, Application Design Controls, etc.
  • Control name, for instance Training, Self-assessment, etc.
  • Requirements that must be set up and put into practice
  • Status, as detailed below. Dropdown option.
  • Tickets related to the control, or evidence such as logs and proof of concept for the control's implementation. Dropdown option for Jira project issues.

tip

A control may be linked to several issues. There is no limitation.

Minimum Viable Secure Product

The cybersecurity controls are based on Minimum Viable Secure Product - Controls, a minimal security checklist for B2B software and business process outsourcing suppliers.

The checklist was created with simplicity in mind and only includes the measures that must be put in place to guarantee a product has a minimally feasible security posture.

The controls should be implemented at a minimum by all businesses creating B2B software or otherwise managing sensitive information in the broadest sense, and doing more is strongly advised.

The displayed controls can be filtered by section using Choose a section or by status using Choose a status. You can also choose the number of controls that appear on each page, for instance: 5, 10, 25, 50 and 100.

Status

Maturity level is based on ISO/IEC 21827:2008 Information technology - Security techniques - Systems Security Engineering - Capability Maturity Model:

| Status | Meaning |
| --- | --- |
| Unknown | Has not even been checked yet |
| Not Applicable | Management can ignore them |
| Not Performed | Complete lack of recognizable policy, procedure, control etc. |
| Performed Informally | Development has barely started and will require significant work to fulfill the requirements |
| Planned | Progressing nicely but not yet complete |
| Well Defined | Development is more or less complete, although detail is lacking and/or it is not yet implemented, enforced and actively supported by top management |
| Quantitatively Controlled | Development is complete, the process/control has been implemented and recently started operating |
| Continuously Improving | The requirement is fully satisfied, is operating fully as expected, is being actively monitored and improved, and there is substantial evidence to prove all that to the auditors |

tip

The pie chart and the radar chart above the table are recalculated whenever the status of a control is changed.
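
How the Status column can roll up into the two charts, as an added example that is not the app's own code. The 0-5 numbering is assumed from the SSE-CMM capability levels, leaving Unknown and Not Applicable out of the average is also an assumption, and the function names and sample rows are constructed for illustration.

```javascript
// Added example: roll control statuses up into the two dashboard views.
// ASSUMPTION: levels 0-5 follow the SSE-CMM capability levels; the app's
// own weighting is not documented on this page.
const LEVEL = {
  "Not Performed": 0,
  "Performed Informally": 1,
  "Planned": 2,
  "Well Defined": 3,
  "Quantitatively Controlled": 4,
  "Continuously Improving": 5,
};
// ASSUMPTION: these statuses carry no level and are left out of the average.
const UNSCORED = new Set(["Unknown", "Not Applicable"]);

// Pie chart view: share of controls per status, as fractions summing to 1.
function statusShares(controls) {
  const shares = {};
  for (const c of controls) {
    shares[c.status] = (shares[c.status] || 0) + 1 / controls.length;
  }
  return shares;
}

// Radar chart view: mean level per section, null when nothing is scored yet.
function sectionMaturity(controls) {
  const acc = {};
  for (const c of controls) {
    if (!(c.status in LEVEL) && !UNSCORED.has(c.status)) {
      throw new Error(`unrecognised status: ${c.status}`);
    }
    if (!acc[c.section]) acc[c.section] = { sum: 0, n: 0 };
    if (UNSCORED.has(c.status)) continue;
    acc[c.section].sum += LEVEL[c.status];
    acc[c.section].n += 1;
  }
  const out = {};
  for (const [section, { sum, n }] of Object.entries(acc)) {
    out[section] = n ? sum / n : null;
  }
  return out;
}

// Constructed sample rows; the statuses are invented for the example.
const sample = [
  { code: "MVSP-1.1", section: "Business controls", status: "Well Defined" },
  { code: "MVSP-1.3", section: "Business controls", status: "Performed Informally" },
  { code: "MVSP-1.5", section: "Business controls", status: "Not Applicable" },
  { code: "MVSP-2.1", section: "Application design controls", status: "Unknown" },
];
```

Changing one row's status and calling both functions again gives the recalculated chart data. A section with only Unknown or Not Applicable controls reports null rather than a misleading zero.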

Add CSC from Jira Issue

If you open the issue and click the CSC logo icon under the menu, you will be able to select a Control from the dropdown menu in the following format: CODE: Section, Control name, for example, MVSP-1.5: Business controls, Training, and requirements.

You can add or delete an associated control from the issue by clicking + Add Control or Delete.

danger

All of the issue's controls will be deleted if you click the Delete button. Please use the Trash symbol next to the dropdown control to delete a single control.

Activity/Audit Log

The log can be accessed by opening the Jira ticket and, in the Activity section, clicking Activity logs of CSC.

Only changes to the records are displayed, such as:

  • Initial
  • Created
  • Added
  • Removed
  • Changed

The changes are displayed in the following format:

Example 1:

[Author] created the Cybersecurity Controls 1/5/2023 3:29:09 PM (Date format M/DD/YYYY H:MM AM/PM)

Example 2:

[Author] changed the control M/DD/YYYY H:MM  AM/PM
MVSP-1.1, Business controls, Vulnerability reports → MVSP-1.3, Business controls, Self-assessment

Pricing

Please check the Atlassian Cloud app pricing overview.

Permissions

Unicis - Transfer Impact Assessment can perform the following actions on behalf of the user:

  • App Storage scope: Read and write to app storage service
  • Create and manage issues: Create and edit issues in Jira, post comments as the user, create worklogs, and delete issues.
  • Manage project settings: Create and edit project settings and create new project-level objects (e.g. versions and components).
  • View active user profile: View the profile details for the currently logged-in user.
  • View Jira issue data: Read Jira project and issue data, search for issues, and objects associated with issues like attachments and worklogs.

Before you revoke permissions, we recommend that you notify the user, as they will lose access to the app.

Technical details

Transfer Impact Assessment (TIA) is built with Atlassian Forge UI kit components with the following components:

It requires the following permission scopes:

  • read:jira-work
  • write:jira-work
  • manage:jira-project
  • storage:app

Changelog

v.2.2.0

Patched security vulnerability

v2.13.0

Minor fixes

v2.1.0

First release with MVP scope