Swapped from CIS to NIST controls

2025-08-14 14:08:34 +02:00
parent aeaec99621
commit 3734a5b51b
16 changed files with 639 additions and 241 deletions


@@ -76,10 +76,10 @@ def get_controls_for_risk(risk, organization):
client = OpenAI(api_key=settings.OPENAI_API_KEY)
all_controls = Control.objects.all()
organization_details = extract_organization_details(organization)
control_list = [f"Control ID: {control.id}, Control Name: {control.name}" for control in all_controls]
control_list = [f"Control ID: {control.id}, Control Name: {control.subcategory} - {control.function or ''}".rstrip(" -") for control in all_controls]
valid_control_ids = {control.id for control in all_controls}
control_map = {control.id: control.name for control in all_controls}
control_map = {control.id: (f"{control.subcategory} - {control.function or ''}").rstrip(" -") for control in all_controls}
def fetch_controls(prompt):
response = client.chat.completions.create(
model="gpt-4o-mini",
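Review bot: the new label expression `f"{control.subcategory} - {control.function or ''}".rstrip(" -")` is written out twice, once for `control_list` (the text shown to the model) and once for `control_map` (used to resolve what the model returns); if the two ever drift apart, the model's references will silently stop matching, so factor it into one helper such as `def control_label(control)` and call it in both places. Also note that `.rstrip(" -")` strips any trailing run of spaces and hyphens, so a subcategory whose own text ends in a hyphen or space would be truncated when `function` is empty; a conditional join (`f"{sub} - {fn}" if fn else sub`) expresses the intent without that edge case.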
@@ -229,13 +229,13 @@ def generate_recommendations(risks_with_controls, organization):
risk: id, name, category, risk_description (or similar)
r_impact (inherent impact 15), r_likelihood (inherent likelihood 15), risk_score
residual_impact, residual_likelihood, residual_risk_score (may be present)
controls: list of controls, each with control__name, weight (15 effectiveness), likelihood (15 occurrence modifier)
controls: list of controls, each with control__subcategory and control__function, weight (15 effectiveness), likelihood (15 occurrence modifier)
Task:
1) Compute a priority score per control = weight × likelihood. Aggregate scores across all risks and cluster into 35 thematic areas that best match the actual controls and risk names (e.g., Access Control & MFA, Patch & Vulnerability Management, Vendor/Third-Party Risk Management, Network Security & Segmentation, Logging/Monitoring/Detection, Incident Response & BCDR, Ransomware Prevention & Recovery, Cryptography & Key Management). Do not invent themes without support in the inputs.
2) For each chosen theme, produce 35 concrete actions derived from the highest-priority controls. Tailor to the organization_details where appropriate. Prefer steps that reduce both likelihood and impact.
3) Each bullet should be 12 sentences: start with a clear, imperative recommendation, and (optionally) add a brief explanation or context. Still keep it concise and actionable.
4) Use only the control__name for reference—do NOT include or reference control IDs, years (e.g., 2024), or quarter references (Q1, Q2, Q3, Q4) anywhere in the output.
4) Use only the control label (i.e., "subcategory - function") for reference—do NOT include or reference control IDs, years, or quarter references (Q1, Q2, Q3, Q4).
5) Do not introduce controls that are not represented in the provided controls list.
Output format (STRICT):
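Review bot: rule 4 now tells the model to refer to controls by the composed label `"subcategory - function"`, but the input description a few lines above says each control arrives as separate `control__subcategory` and `control__function` fields, so the model has to assemble the label itself and may not reproduce exactly the string that `control_map` in the first hunk produces (for example when `function` is empty and the `" - "` suffix is dropped). Consider passing the already-composed label as a single field in the controls list so the model's references can be matched back to `control_map` deterministically. Separately, the ranges in this prompt render as `15`, `35` and `12` (effectiveness "15", "35 thematic areas", "12 sentences"); if these are meant as `1-5`, `3-5` and `1-2`, spell them with a plain hyphen so the model does not read them as literal numbers.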