Announcement
6 months ago

AlterRisk version log: v4.9

 INFO:

Pursuant to Article 24 of the Cybersecurity Act (Narodne novine, No. 14/24), the Government of the Republic of Croatia adopted the Cybersecurity Regulation (Narodne novine, No. 135/24; Croatian: Uredba o kibernetičkoj sigurnosti) — hereinafter referred to as the UKS Directive — at its session on November 21, 2024.

The Regulation establishes the criteria for categorizing entities and the procedure for applying that categorization, the measures for managing cybersecurity risks and the manner of their implementation, the conduct of cybersecurity self-assessments, the criteria for determining significant cybersecurity incidents, incident reporting, and other matters relevant to raising the level of cybersecurity.

More info can be found at: https://ncsc.hr/hr/uredba-o-kibernetickoj-sigurnosti

Based on this, we have developed a new module in our app, which will be detailed in this version log, particularly in the following Cybersecurity Directive (UKS) Integration section.

***

  Cybersecurity Directive (UKS) Integration

Implemented self-assessment according to the UKS directive, including new control mappings.

This is presented on a new ControlAssessment UKS screen.

Clicking on a Library detail in the left grid now filters the right grid, displaying only the Control Assessments associated with the selected Library detail.

When a Control Assessment is evaluated, grades are automatically calculated and highlighted in the appropriate color, in accordance with the formal procedure of the UKS directive. Library Details that are not applicable to the specific user are shown with a gray background.

The UKS Report based on these Library Details and Control Assessments can be downloaded by clicking the UKS REPORT button at the top of the screen. This report can be used to demonstrate formal compliance with the UKS directive.

Added a ClientSetting allowing users to select their UKS security level, which automatically generates the corresponding Controls and Library Details. ClientSettings are available in navigation under Administration -> ClientSettings.

Added two new foreign key columns to Control Implementation and Control Assessment based on the UKS directive:

  • Control Documentation Grade

  • Control Implementation Grade

Both reference new lookup tables with values ranging from 1 to 5.

  • Introduced a calculated field ControlGrade that automatically derives the overall grade from the two values above.

A new report is now available specifically for the UKS directive. It follows the Compliance Status Summary template but is advanced with UKS-related fields.

  Entity Improvements

Extended EntityProcess and EntityService edit forms with a new Hardware tab to link related hardware records.


Announcement
10 months ago

AlterRisk version log: v4.8

  New App Documentation System

  • A new navigation button has been added, providing quick access to:
    • The official app documentation page

    • The Version Log, which highlights the latest features and updates in each new release


  Enhanced Entity Connections

  • Entity Process and Entity Service edit forms now display their connection to the corresponding Entity Hardware.

  • All Entity subpages (Process, Service, Hardware, etc.) now include a visible EntityID field, making it easier to identify and trace their associated Entities.


  New "Library Detail" Tab in Control Assessment

  • A new tab has been added to the Control Assessment edit form, displaying the linked Library Detail data for easier reference and navigation.


  AutoCreateRisks Now Validates Entity Group Membership

  • The AutoCreateRisks feature (for Projects of type "Risk assessment") now runs only if connected entities are part of a group. If not, a user-friendly message is displayed to inform the user of the requirement.

  Added Tab to Control Assessment Controller

  • A new tab has been added to the Control Assessment edit form, displaying linked data from Library Detail.
  • This enhancement improves visibility of related LibraryDetail information directly within the ControlAssessment interface, streamlining data navigation and management.

  Custodian Field Visibility in Risk and Risk Assessment

  • The Custodian field is now present on the Risk and Risk Assessment pages.
  • This field identifies the app user who is responsible for managing a given risk.

  Improved Finding-ControlPlan Workflow

  • Since these two pages and their data are now connected, parts of the workflow have been successfully automated.
  • The app automatically updates Finding status to “Implemented” or “Partially implemented” based on the linked Recommendations’ statuses. 
  • Comments and closing dates from Recommendations are now appended to the Finding notes. 
  • Removed redundant step when editing Recommendations from the Finding form. Also fixed translation issues in the UI.

  Entity Code Uniqueness Enforcement

  • Entity Code is now a unique field. The same suffix-adding mechanism as in Threat was added to prevent duplicates when an existing Entity Code is inserted.
  • If two Entities with the same Entity Codes are added, the second will automatically get a prefix to differentiate them.

  Improved Login Security for Multiple Users with the Same Email

  • When multiple users share the same email, the login confirmation now clearly indicates which user account is being accessed by sending a verification to that email.

 

Announcement
a year ago

AlterRisk version log: v4.7


  Easier Language Switching (HR ⇄ ENG) 

  • Added quick-access language switch drop down (HR & ENG) on the home screen.
  • Improved user experience by reducing the number of steps needed for language changes.

  Dynamic Coloring for Risk Value Fields in Risk and Risk Assessment

  • Implemented dynamic coloring for Risk Value fields in Risk and Risk Assessment pages.
  • Colors now change based on predefined probability and impact thresholds, improving visibility.

  Lan Sweeper Integration Interface

  • Developed an interface for integration between Lan Sweeper and Alter Risk, allowing seamless repository connection for IT asset information.
  • After Synchronizing your data from Lan Sweeper with the "Synchronization" button, you can import that data directly into your Entity table with the "Import into Entity table" button.

  • Import Options:

    • Group Import: Import all synchronized data from Lan Sweeper as a group of asset types
    • Single Entry Import: Import individual asset data records one by one, offering flexibility in selecting and adding specific entries to the Entity table.
    Navigation: Administration → Entity Integration

    *Lan Sweeper Integration can be added upon inquiry.*

  Added Attachments to Control Assessment Table 

  • Integrated the ability to add and manage attachments directly within the Control Assessment table.
  • Users can now upload files related to each control assessment.
  • Attachments can be viewed and downloaded from the table.

  New Password Validation

  • Added regex-based validation for input fields, ensuring proper formatting and security.
  • Enforced strong password policies through regex.
  • Users cannot reuse previous passwords within a defined history limit.
  • The system now tracks the last password change date for each user.
  • Introduced password expiration.
  • Introduced a minimum password age.
  • All of the above are adjustable according to the client's password policy.
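The list above names four controls that are usually enforced together: a complexity regex, a reuse history, a maximum age (expiration) and a minimum age. The following is an added illustration of how such a policy fits together; it is not AlterRisk code, and the policy field names, the regex, the PBKDF2 iteration count and the sample passwords are all assumptions made for this example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    """Hypothetical policy object; field names are placeholders, not application settings."""
    # Complexity regex (assumed): at least 12 characters with lower, upper, digit and symbol.
    pattern: str = r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9\s]).{12,}$"
    history_limit: int = 5   # number of previous passwords that may not be reused
    max_age_days: int = 90   # password expires after this many days
    min_age_days: int = 1    # password may not be changed again before this many days


@dataclass
class UserRecord:
    salt: bytes                                          # per-user salt stored with the record
    history: List[bytes] = field(default_factory=list)   # password hashes, most recent first
    last_changed: Optional[datetime] = None              # tracked last change date


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with the user's salt, so a candidate can be compared to old hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def meets_complexity(password: str, policy: PasswordPolicy) -> bool:
    return re.fullmatch(policy.pattern, password) is not None


def is_reused(password: str, user: UserRecord, policy: PasswordPolicy) -> bool:
    candidate = _hash(password, user.salt)
    # Compare only against the remembered window, in constant time per entry.
    return any(hmac.compare_digest(candidate, old) for old in user.history[: policy.history_limit])


def is_expired(user: UserRecord, policy: PasswordPolicy, now: datetime) -> bool:
    if user.last_changed is None:
        return True  # never set: force a change on first login
    return now - user.last_changed >= timedelta(days=policy.max_age_days)


def change_password(user: UserRecord, new_password: str,
                    policy: PasswordPolicy, now: datetime) -> Tuple[bool, str]:
    """Apply min-age, complexity and reuse checks; on success record the new hash and date."""
    if user.last_changed is not None and now - user.last_changed < timedelta(days=policy.min_age_days):
        return False, "min-age"
    if not meets_complexity(new_password, policy):
        return False, "complexity"
    if is_reused(new_password, user, policy):
        return False, "reused"
    user.history.insert(0, _hash(new_password, user.salt))
    del user.history[policy.history_limit:]   # keep only the configured window
    user.last_changed = now
    return True, "ok"


def demo() -> dict:
    """Walk one constructed user through each rule; all values here are made up."""
    policy = PasswordPolicy()
    user = UserRecord(salt=b"constructed-salt-0001")
    t0 = datetime(2024, 1, 1)
    return {
        "weak": change_password(user, "weak", policy, t0),
        "first": change_password(user, "Correct-Horse-9Battery", policy, t0),
        "too_soon": change_password(user, "Another-Strong-Pw-77", policy, t0 + timedelta(hours=6)),
        "reuse": change_password(user, "Correct-Horse-9Battery", policy, t0 + timedelta(days=2)),
        "expired_60d": is_expired(user, policy, t0 + timedelta(days=60)),
        "expired_91d": is_expired(user, policy, t0 + timedelta(days=91)),
        "history_len": len(user.history),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two design points worth noting: the reuse check works on salted hashes, so the history never stores cleartext, and the minimum-age check is evaluated before complexity so that a user cannot cycle through the history window in one sitting to get back to an old password.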

  Findings Table: Added new column Due Date

  • Added a new Due Date column to the Findings table.
  • This column allows users to set and track a deadline for each finding.

  Improved delegation of Entities, Risks and Risk assessment

  • Setting the Entity Custodian field to a user enables that user to view that entity.
  • In Risk and Risk Assessment, added the field Risk Custodian.
  • A Risk or Risk Assessment record is visible if the logged-in user, or the user's function, appears in the Owner or Custodian field.

  Added Findings tab inside Control Plan Edit form

  • The Findings tab allows users to input and review specific findings related to the control.

Navigation: Risk → Control Plan

  Implementation of Multifactor Authentication (MFA) Option in Settings

  • Added an option in the settings page to enable/disable Multifactor Authentication (MFA).
  • User-friendly interface for MFA setup and management.

Navigation: Administration -> ShowTwoFactorAuthentication

  Duplicate Threat Prevention Enhancements

  • Input Validation Prompt: Added a confirmation prompt when entering a threat that already exists: "You are trying to enter a threat that already exists. Are you sure?" This helps prevent manual duplicate entries.

Announcement
2 years ago

AlterRisk version log: v4.6


  New Report: Control Assessment Report

A new report has been created for the Control Assessment process, allowing detailed analysis of control evaluations in the form of a table.

Navigation: Reports → Control Assessment Report


  Dynamic Coloring for "Risk Value" Fields on Risk & Risk Assessment Forms

The "Risk Value" fields on both the Risk and Risk Assessment edit forms are now dynamically color-coded based on the entered values, enhancing visual identification of risk levels.


  Enhanced Probability & Impact Catalog Management

The system now supports the historical tracking of Probability and Impact catalogs over time. Older catalogs are preserved for historical data accuracy, while the latest valid catalog is always displayed for new calculations. This ensures consistency and precision in historical reporting and future risk assessments. This functionality can be accessed through the following pages, which are available to Administrator, Group Admin, and Manager roles.

Current catalog items should be marked as "active" while historical items should be marked as "not active".



  Dynamic Coloring for "Risk Value" Field on Risk Treatment Plan Status Page

The "Risk Value" field on the Risk Treatment Plan Status page is now color-coded based on the entered values, making risk levels more intuitive.

Navigation: Reports → Risk Treatment Plan Status


  New Color Option for Colored Fields

All fields that can be color-coded based on entered values now support four colors: red, yellow, green, and the newly added orange. This update affects the Probability & Impact matrix, which is used for calculating risk values across four distinct levels. More (dynamic) colors should be available in the next versions of the application.


  FIX: Import of Regulatory Document Sections Now Functional

The import functionality for sections of regulatory documents is now working correctly.

Navigation: Knowledgebase → Regulatory documents → Chapters


  New Page & Report: Finding Control Plan 

A new report has been added for the Finding Control Plan page, which combines the functionality of the Finding and Control Plan pages. The report can be generated by clicking "Report."

Navigation: Reports → Finding Control Plan


  New Detail Table: Compliance Edit Form 

A new Control Assessment grid has been added to the Compliance edit form, providing an integrated view of control assessments. Previous assessments for the control are visible as historical items in the grid below.

Navigation: Compliance → Edit Form


  New Page & Report: Risk Treatment Plan Status

A new report has been added for the Risk Treatment Plan Status page. The report can be generated by clicking "Report."

Navigation: Reports → Risk Treatment Plan Status


Announcement
29 April 2024

AlterRisk version log: v4.5


  "Users in roles" tab now visible in Administration for administrators and group admins

Here (navigation: Administration) administrators can view users by roles - i.e., see how many users are in each role.


  Education functionality

The education module is a kind of LMS (Learning Management System), which enables the user to manage the education of their employees. In the first step, the user must create a new project (navigation: Projects) with the field Type of project set to "Education".


After that, the user adds external attachments/educational materials (e.g. PowerPoint, PDF, Word) to the form of the newly created project and, in the menu below that, selects the users who must attend the education. Users are selected (and removed from the education) using the "multi-choice" menu on the "All users" tab, and the selected users can be viewed via the "Users in education" tab.


Also, the creator of the training can notify added users about the training via the "Send training notification" button on the training form, which sends an email notification to all added users.


After that, each of the users added to the education can access it on the "Education" page in the navigation. By clicking on an individual education there, the user sees the attached educational materials and, after viewing them (that is, after completing the education), can click the "Complete education" button, which notifies the creator of the project/education that the education has been completed.


  Version logs now accessible through the app 

Hover the "Help" tab in the navigation and click "Version logs"


  RiskAssessments graphs available

Go to the "Risk assessments" page (navigation: Risks -> Risk assessments), and click the following button:

There, select "Charts" and you will be presented with the graph/chart view of data. 


  Chatbot AlterRisk assistant + Help wizard 

From version 4.5 onwards, AlterRisk has been enhanced with the AlterRisk Assistant – an artificial intelligence chat, which can provide the user with detailed instructions and information about the application. It supports two languages, Croatian and English, and the chatbot also has a "Talk to human" option, which redirects the user from the conversation with the chatbot directly to a conversation with the dev team.


Furthermore, a wizard with instructions on how to use the application is now present and can be accessed by clicking the "Tour" button on the bottom right of the application. (see the image above - the button is shown below the chatbot).


  "Check Data" functionality

On the "Client settings" page (navigation: Administration -> Client settings) there is a new "Check data" functionality that allows the user to check the accuracy, completeness and reliability of their data throughout the application. The results are presented in Excel format and are automatically downloaded to the user's computer at the push of a button. All found errors are listed in the Excel file, along with an identification indication of where the erroneous data is located.


  New field on Personal Data Processes page (navigation: GDPR -> Personal Data Processes)

Field "Data destruction method".


  RiskAssessment mail notification functionality

Risk assessments now have the option of sending email notifications to the chosen owner of the risk assessment ("Risk Owner" field). Mail notification can be sent for a single assessment or simultaneously for several, via "multi-choice" selection.

 

Single risk assessment notification:


Multiple notifications:


  New knowledge base

The mapping of controls to a new set of chapters for the ISO/IEC 27001:2022 and ISO/IEC 27002:2022 standards was introduced in the knowledge base. (For the Croatian language.)


  Personal Data Processes - choose between textual and lookup fields

"Personal Data Processes" page (navigation: GDPR -> Personal Data Processes) now allows you to choose the kind of field you want for your "Data Processor" and "Process/Service" fields.


If you navigate to "Client Settings" page (navigation: Administration -> Client Settings) there is a new row called "ShowEntityPDataProcessTextFields". If you set it to 1, the aforementioned two fields will appear in the form of free text. If you set it to 0, the fields will appear as lookups. 


Client Settings row:


Personal Data Process edit form - client setting set to 1, so the fields appear in free text form: