Metadata-Version: 2.1
Name: odoo-addon-mgmtsystem_security_event
Version: 19.0.1.0.0.3
Requires-Dist: odoo-addon-document_page==19.0.*
Requires-Dist: odoo-addon-mgmtsystem==19.0.*
Requires-Dist: odoo-addon-mgmtsystem_hazard==19.0.*
Requires-Dist: odoo==19.0.*
Summary: Feared Events
Home-page: https://github.com/OCA/management-system
License: AGPL-3
Author: Savoir-faire Linux, Odoo Community Association (OCA)
Author-email: support@odoo-community.org
Classifier: Programming Language :: Python
Classifier: Framework :: Odoo
Classifier: Framework :: Odoo :: 19.0
Classifier: License :: OSI Approved :: GNU Affero General Public License v3
Description-Content-Type: text/x-rst

.. image:: https://odoo-community.org/readme-banner-image
   :target: https://odoo-community.org/get-involved?utm_source=readme
   :alt: Odoo Community Association

=============
Feared Events
=============

.. 
   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
   !! This file is generated by oca-gen-addon-readme !!
   !! changes will be overwritten.                   !!
   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
   !! source digest: sha256:dfb9cb53a0941acdd9a5ddf6ad0ea2faf21c555b0f615a69ae999c3601dab8b8
   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
    :target: https://odoo-community.org/page/development-status
    :alt: Beta
.. |badge2| image:: https://img.shields.io/badge/license-AGPL--3-blue.png
    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
    :alt: License: AGPL-3
.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fmanagement--system-lightgray.png?logo=github
    :target: https://github.com/OCA/management-system/tree/19.0/mgmtsystem_security_event
    :alt: OCA/management-system
.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
    :target: https://translation.odoo-community.org/projects/management-system-19-0/management-system-19-0-mgmtsystem_security_event
    :alt: Translate me on Weblate
.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
    :target: https://runboat.odoo-community.org/builds?repo=OCA/management-system&target_branch=19.0
    :alt: Try me on Runboat

|badge1| |badge2| |badge3| |badge4| |badge5|

This module allows you to manage **feared events** (security incidents)
of your Information Security Management System (ISMS) and assess their
risk using a configurable risk matrix.

Key concepts:

- **Feared Events** — Security incidents that could impact your
  organization, each classified by the security properties they
  threaten: Confidentiality, Integrity, and/or Availability (CIA triad).

- **Attack Vectors** — The means by which a threat could materialize.
  Each vector carries three risk ratings (probability × severity):
  *Original* (before any control), *Current* (with controls already in
  place), and *Residual* (after planned remediation). A feared event's
  overall rating is automatically computed as the maximum across all its
  vectors.

- **Scenarios** — Links between a feared event, an attack vector, and a
  threat source, with a description of how the attack could unfold.

- **Threat Sources** — The origin of a threat (e.g. external attacker,
  malicious insider, compromised supplier).

- **Security Controls** — Countermeasures applied to reduce risk, each
  flagged as *Prevention*, *Protection*, and/or *Recovery*.

- **Assets** — Primary assets (the information or processes to protect)
  and Supporting assets (the infrastructure that hosts them), organized
  by category.

- **Risk Matrix** — A visual heat-map report that plots feared events by
  probability and severity for a chosen risk type (original, current, or
  residual), with color-coded cells (green / orange / red).

**Table of contents**

.. contents::
   :local:

Configuration
=============

Risk Matrix Levels
------------------

Define which cells in the risk matrix are green, orange, or red.

Go to **Management System > Configuration > Security > Risk Matrix
Levels** and create one record per zone. Each level covers a rectangular
region of the matrix defined by a probability range and a severity
range. Ranges must not overlap.

A default 4 × 4 matrix configuration is installed with the module.
Adjust it to match your organization's risk appetite.

Assets and Threat Sources
-------------------------

Before creating vectors and events, populate the reference data:

- **Management System > Manuals > Security > Assets > Primary Assets** —
  the information assets or business processes you need to protect.
- **Management System > Manuals > Security > Assets > Supporting
  Assets** — the servers, software, and infrastructure that host primary
  assets. Link each supporting asset to the primary assets it carries.
- **Management System > Manuals > Security > Threat Sources** — the
  actors or causes that could exploit a vector (e.g. external attacker,
  malicious insider).

Usage
=====

Typical workflow
----------------

1. Create attack vectors
~~~~~~~~~~~~~~~~~~~~~~~~

Go to **Management System > Manuals > Security > Vectors** and create
one record per attack vector. For each vector:

- Set the **Original** probability and severity (risk without any
  control).
- Set the **Current** probability and severity (risk with existing
  controls).
- Set the **Residual** probability and severity (risk after planned
  remediation).
- Optionally link the supporting assets that are exposed by this vector.

2. Create security controls
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Go to **Management System > Manuals > Security > Controls** and create
the countermeasures available in your organization.

3. Create feared events
~~~~~~~~~~~~~~~~~~~~~~~

Go to **Management System > Manuals > Security > Feared Events** and
create one record per feared event. For each event:

- Tick the **Confidentiality**, **Integrity**, and/or **Availability**
  flags that the event threatens.
- In the **Scenarios** tab, add one line per attack scenario: select the
  vector and threat source, and describe how the attack could unfold.
  The event's risk ratings (probability and severity) are automatically
  computed as the maximum across all linked vectors.
- In the **Controls** tab, add the controls that mitigate this event.
  For each control line, indicate whether it acts as **Prevention**,
  **Protection**, and/or **Recovery**, and optionally link the specific
  supporting asset it protects.

Use the search bar to filter events by **Confidentiality**,
**Integrity**, or **Availability**, or group them by system or severity.

4. Generate the risk matrix
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Go to **Management System > Manuals > Security > Risk Matrix**, select
the risk type (**Original**, **Current**, or **Residual**), and click
**Done** to generate the PDF report. Each cell shows the feared events
at that probability/severity intersection, color-coded by the configured
risk level.

Bug Tracker
===========

Bugs are tracked on `GitHub Issues <https://github.com/OCA/management-system/issues>`_.
In case of trouble, please check there if your issue has already been reported.
If you spotted it first, help us to smash it by providing a detailed and welcomed
`feedback <https://github.com/OCA/management-system/issues/new?body=module:%20mgmtsystem_security_event%0Aversion:%2019.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.

Do not contact contributors directly about support or help with technical issues.

Credits
=======

Authors
-------

* Savoir-faire Linux

Contributors
------------

- `Savoir-faire Linux <https://www.savoirfairelinux.com>`__:

  - Loïc Faure-Lacroix loic.lacroix@savoirfairelinux.com
  - David Dufresne david.dufresne@savoirfairelinux.com
  - Maxime Chambreuil maxime.chambreuil@savoirfairelinux.com
  - Nicolas Zin nicolas.zin@savoirfairelinux.com

- `Gray Matter Logic <https://www.graymatterlogic.com>`__:

  - Maxime Chambreuil maxime.chambreuil@graymatterlogic.com

Maintainers
-----------

This module is maintained by the OCA.

.. image:: https://odoo-community.org/logo.png
   :alt: Odoo Community Association
   :target: https://odoo-community.org

OCA, or the Odoo Community Association, is a nonprofit organization whose
mission is to support the collaborative development of Odoo features and
promote its widespread use.

This module is part of the `OCA/management-system <https://github.com/OCA/management-system/tree/19.0/mgmtsystem_security_event>`_ project on GitHub.

You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
