Checklists

This section describes the configuration of checklists and how to change a checklist or define a completely new one.

General Settings

Checklist Configuration image

A checklist contains general settings (No. 1) and the list of requirements (No. 2). It is possible to define multiple levels for a checklist (No. 3). Note that at least one level is required, even if a checklist does not define different levels. The states of a checklist can also be configured (No. 4), and the settings for each state can be changed (No. 5). These state settings are used for the initial state and automations.

Requirements Configuration

Checklist Requirements Configuration image

Requirements can be hierarchically configured in the inner navigation tree shown on the left side of the image. Requirements should include a prefix (No. 1), the description according to the checklist (No. 2), and an optional explanation for further guidance (No. 3).

When requirements are referenced in the project report, the full prefix-path of the navigation tree is shown to ensure correct identification. If a prefix should not be shown in this prefix-path, it can be excluded (No. 4).

For each level, it must be configured whether the requirement is required to fulfill the checklist (No. 5). The target type (No. 6) can be used to define for which type the requirement is relevant.

A detection rule can be defined to set automatically whether a requirement is fulfilled or not (No. 7). The rule can use the boolean properties of software components to decide whether the requirement is fulfilled. It can also be defined whether users must review and manually accept the detection (No. 8).

Automations

The following automations are currently available:

  • Not relevant: If the target type does not match the owner of a checklist (device or app), the requirement will be set to 'Not relevant'.
  • With measures fulfilled: If a requirement has linked attack scenarios or countermeasures, the requirement will be set to 'With measures fulfilled'.
  • Fulfilled/Not fulfilled: If a requirement has a detection rule, the requirement will be set to the evaluation result ('Fulfilled' or 'Not fulfilled').