Introduction
The Four-Question Framework for Threat Modeling

Question 3: What are we going to do about it - Countermeasures

Luke Skywalker needed the Force to stop the Empire; you need countermeasures to defeat your risks.

6 min read. Last updated September 24, 2024

Contents

Change the Countermeasures Status

Seeing countermeasures applicable to a Standard

Create Issue Trackers from your Countermeasures

Configuring your Issue Trackers

This section focuses on what actions can be taken to mitigate the risks. We will go through the Countermeasures (security controls) to show you the options to lower the risk within your threat model. 

If you are not already in the 'Threats and countermeasures' view, you can navigate to it at the top of the screen - next to 'Diagram'. This is what the tab looks like.

If you wish, you can widen the Countermeasures column while you work in it, and even minimize the Threats column altogether until you are finished. This layout is saved for the next time you log in. Columns can be rearranged simply by dragging them left or right as required.

Change the Countermeasures Status 

On the right-hand side you can filter, expand and minimize depending on what you'd like to see. To change the status of a Countermeasure, click the ellipsis (three dots) and you will see various options, for example to mark it as 'Required' instead of 'Recommended'.

You can also mark a countermeasure as 'Not Applicable', but you must add a reason before this status is reflected. The same applies if you mark a threat as 'Rejected', which you may do in certain contexts, for example when it is a third party's responsibility.

The model will highlight in the top right when you have changed a status.

If you minimize the Recommended section, you will see that there is one item marked as 'Required' and one marked as 'Not Applicable'. At the end you will have one listed as 'Rejected'.

Seeing countermeasures applicable to a Standard

Perhaps you need to comply with EU GDPR, PCI, NIST 800-53, or other standards. You can apply a standard to your Project, and the view will filter the countermeasures to those that are Non-Compliant against that standard. You can then easily mark these as 'Required' so that they are mitigated first.

Below are the results when the NIST 800-53 Standard is selected. There are 6 identified as Non-Compliant.

Expand this section, select the six items, and click the blue 'Bulk edit' button on the right. Here you can mark them as 'Required'.

Create Issue Tracker Tickets from your Countermeasures 

This is an important section. Whether you use Jira, CA Rally, Azure DevOps, ServiceNow, or a mixture of these tools, IriusRisk offers two-way integration with all of them, meaning that any status changes, comments or edits in the issue tracker are reflected directly in your threat model, including adjusting your Project's overall risk level.

Select the Countermeasures (in the example two have been chosen), click the blue 'Bulk edit' button, and choose Issues, then 'New Issues'. Here you have three choices:

  1. Create a new ticket for each countermeasure
  2. Create one ticket that includes both countermeasures
  3. Add these to an existing known issue tracker task 

If you are yet to configure your issue trackers, your view will look like this:

Jump to the next heading, 'Configuring your Issue Trackers', to begin setup.

Configuring your Issue Trackers 

It is possible to create tickets in an issue tracker (for instance, Azure DevOps or Jira) to better manage the mitigation of threats within your systems. To facilitate this, IriusRisk lets you configure multiple issue tracker systems and projects at a global level, so that individuals can use these configurations at lower levels of granularity.

Adding New Issue Tracker Profiles:

  • From the IriusRisk global view, click settings (the gear icon), then 'Issue trackers'
  • Use the 'General settings' area to configure global issue tracker behavior
  • Below the "General settings" card is a card for all configured issue tracker profiles; click 'New' to add a new one
  • Select the target ticketing system for the new profile, from Jira, ServiceNow, Azure DevOps and Rally Software

Configuring a New Jira Issue Tracker Profile

  • Descriptively name the new issue tracker profile
  • Add the URL to the Jira instance being used in this profile
  • Enter the project key from the Jira project being used
  • Enter the authentication details to the Jira instance, either by using Basic Authentication or a Personal Access Token
  • Once the settings are configured, click 'Test connection' to ensure that the details have been entered correctly

  • Having tested the connection, scroll down and click the 'Fetch issue types' button. This retrieves the issue types available in the indicated project
  • Select the issue type to be used when creating a ticket for a countermeasure or threat
  • Indicate the ticket states when opening a new issue, when closing an issue or rejecting an issue
  • Next, configure how to set Jira issue priorities based on weakness and/or countermeasure values
  • It is also possible to link issues to a parent issue (an Epic, for instance), and to configure any other Jira ticket fields with static values
  • After configuring the settings, click 'Test connection' again to ensure the values are correct
  • Once the settings are correct and tested, the new profile can be made available by clicking 'Publish'
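The following is an added example, not IriusRisk's own code, that models the settings a Jira profile like the one above carries and the two things they drive: the three 'New Issues' bulk-edit choices from the previous section (a ticket per countermeasure, one combined ticket, or linking to an existing ticket) and the two-way sync of ticket states back onto countermeasure statuses. The profile field names, the 0-100 risk scale, the priority thresholds, the 'Implemented' state name and the sample data are assumptions; only the create-issue payload shape follows the public Jira REST API v2. The credential is referenced by environment variable name rather than stored in the profile.

```python
"""Countermeasure-to-ticket mapping for a Jira issue tracker profile.
Added example, not IriusRisk's own code: the profile field names, the 0-100 risk
scale, the priority thresholds and the sample data are assumptions; only the
create-issue payload shape follows the Jira REST API v2."""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Mapping, Optional
from urllib.parse import urlparse

@dataclass
class JiraProfile:
    """One issue tracker profile as configured under Settings > Issue trackers."""
    name: str
    base_url: str
    project_key: str
    issue_type: str
    auth_kind: str                    # "basic" or "pat" (Personal Access Token)
    secret_env: str                   # env var holding the password/token, never the secret itself
    state_on_open: str = "To Do"      # ticket states used when opening, closing and rejecting
    state_on_close: str = "Done"
    state_on_reject: str = "Won't Do"
    parent_key: Optional[str] = None  # e.g. an Epic key to link new tickets to
    static_fields: Dict[str, object] = field(default_factory=dict)

@dataclass
class Countermeasure:
    ref: str
    name: str
    status: str                       # 'Recommended', 'Required' or 'Not Applicable'
    risk: int                         # assumed 0-100 scale

def validate_profile(p: JiraProfile, env: Optional[Mapping[str, str]] = None) -> List[str]:
    """Checks a 'Test connection' step should make before any network call."""
    env = os.environ if env is None else env
    problems = []
    url = urlparse(p.base_url)
    if url.scheme != "https" or not url.netloc:
        problems.append("base_url must be an https URL")
    if not re.fullmatch(r"[A-Z][A-Z0-9_]{1,9}", p.project_key):
        problems.append("project_key does not look like a Jira project key")
    if p.auth_kind not in ("basic", "pat"):
        problems.append("auth_kind must be 'basic' or 'pat'")
    if not env.get(p.secret_env):
        problems.append(f"credential env var {p.secret_env} is not set")
    return problems

def jira_priority(risk: int) -> str:
    """Map a risk value onto Jira's default priority names (thresholds assumed)."""
    for floor, name in ((75, "Highest"), (50, "High"), (25, "Medium")):
        if risk >= floor:
            return name
    return "Low"

def _create_payload(p: JiraProfile, summary: str, description: str, priority: str) -> dict:
    fields = {"project": {"key": p.project_key}, "summary": summary,
              "description": description, "issuetype": {"name": p.issue_type},
              "priority": {"name": priority}}
    if p.parent_key:
        fields["parent"] = {"key": p.parent_key}
    fields.update(p.static_fields)    # static values configured on the profile
    return {"fields": fields}

def build_tickets(p: JiraProfile, cms: List[Countermeasure], mode: str,
                  existing_key: Optional[str] = None) -> list:
    """The three 'New Issues' bulk-edit choices: a ticket per countermeasure,
    one combined ticket, or linking the selection to an existing ticket."""
    if mode == "per_countermeasure":
        return [_create_payload(p, f"[{c.ref}] {c.name}", c.name, jira_priority(c.risk))
                for c in cms]
    if mode == "combined":
        body = "\n".join(f"- [{c.ref}] {c.name}" for c in cms)
        worst = max(c.risk for c in cms)  # the combined ticket carries the highest risk
        return [_create_payload(p, f"Implement {len(cms)} countermeasures", body,
                                jira_priority(worst))]
    if mode == "existing":
        if not existing_key:
            raise ValueError("'existing' mode needs the key of the ticket to link to")
        return [{"link_to": existing_key, "countermeasures": [c.ref for c in cms]}]
    raise ValueError(f"unknown mode: {mode}")

def status_from_tracker(p: JiraProfile, jira_status: str) -> Optional[str]:
    """Two-way sync: a status observed in Jira mapped back onto the countermeasure.
    'Implemented' is the assumed name of the closed state; None means no change."""
    mapping = {p.state_on_close: "Implemented", p.state_on_reject: "Rejected",
               p.state_on_open: "Required"}
    return mapping.get(jira_status)

# Constructed sample data (not from the page)
PROFILE = JiraProfile(name="AppSec Jira", base_url="https://jira.example.com",
                      project_key="SEC", issue_type="Task", auth_kind="pat",
                      secret_env="JIRA_TOKEN", parent_key="SEC-100")
SAMPLE = [Countermeasure("CM-1", "Enforce TLS 1.2+ on all listeners", "Required", 80),
          Countermeasure("CM-2", "Rotate service credentials", "Required", 40)]

if __name__ == "__main__":
    print(validate_profile(PROFILE, env={"JIRA_TOKEN": "demo"}) or "profile ok")
    print(build_tickets(PROFILE, SAMPLE, "combined")[0]["fields"]["priority"])
```

The combined ticket takes the priority of the highest-risk countermeasure it contains, so rolling several items into one ticket never hides the most urgent one; and because the sync direction in `status_from_tracker` returns `None` for any ticket state not named in the profile, intermediate states such as "In Progress" leave the threat model untouched rather than guessing.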

 


Using the profiles at the Project, Threat and Countermeasure levels

  • The default Issue Tracker Profile can be set per project. From the project landing page, click Settings (gear icon) > Issue Trackers
  • At the threat or countermeasure view, click 'Create issue', and either use the default profile or use the dropdown to select a different one