Risk Policies

Get All Risk Policies

This endpoint retrieves a list of Risk Policy resources.

GET /api/v2/risk-policies/

Query Parameters

The following parameters may be used to filter the risk policy resources in the response.

Parameter                     Description
name                          Filter Risk Policies by name.
description                   Filter Risk Policies by description.
priority                      Filter Risk Policies by priority.
riskclassification__ordinal   Filter Risk Policies by project classification ordinal.

GET /api/v2/risk-policies/ HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"

HTTP/1.1 200 OK
Content-Type: application/json

{
    "results": [{
        "id": 1,
        "is_org_default": true,
        "name": "All Risk",
        "description": "Applies to all applications",
        "filters": {
            "phases": ["requirements", "architecture-design", "development", "testing"],
            "priority": 7,
            "regulations": ["REG1", "REG2"],
            "tags": ["tag1", "tag2"]
        },
        "project_classifications": [1, 4],
        "conditions": {
          "statuses": [{
            "task_status": "TS1",
            "minimum_verification_status": "pass"
          }]
        }
    }]
}

Create a new Risk Policy

Field                   Required  Description
name                    Yes       The name of the new Risk Policy.
description             Yes       The description of the Risk Policy.
is_org_default          No        A boolean field which shows if this is the default Risk Policy. Defaults to false.
filters.priority        No        Countermeasures in this policy must have a priority greater than or equal to this value. Must be a value from 1 to 10. Defaults to 1.
filters.phases          No        Countermeasures in this policy must be in one of these phases.
filters.regulations     No        The regulation(s) associated with this policy.
filters.tags            No        Countermeasures in this policy must have one of these tags.
conditions.statuses     Yes       To be considered compliant, Countermeasures subject to this Risk Policy must have a relevant Countermeasure Status and an acceptable Verification Status.

POST /api/v2/risk-policies/ HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"

{
    "name": "Low Risk",
    "description": "Applies to all applications",
    "filters": {
        "phases": ["requirements", "architecture-design", "development", "testing"],
        "priority": 7,
        "regulations": ["REG1", "REG2"],
        "tags": ["tag1", "tag2"]
    },
    "project_classifications": [],
    "conditions": {
      "statuses": [{
        "task_status": "TS1",
        "minimum_verification_status": "pass"
      }]
    }
}
HTTP/1.1 201 CREATED
Content-Type: application/json

{
    "id": 2,
    "is_org_default": false,
    "name": "Low Risk",
    "description": "Applies to all applications",
    "filters": {
        "phases": ["requirements", "architecture-design", "development", "testing"],
        "priority": 7,
        "regulations": ["REG1", "REG2"],
        "tags": ["tag1", "tag2"]
    },
    "project_classifications": [],
    "conditions": {
      "statuses": [{
        "task_status": "TS1",
        "minimum_verification_status": "pass"
      }]
    }
}

Update a Risk Policy

Update a single Risk Policy by sending only the fields that should change; fields omitted from the payload keep their current values. The Risk Policy to update is identified by its id.

PATCH /api/v2/risk-policies/{risk_policy_id}/

URL Parameters

Parameter        Description
risk_policy_id   The id of the Risk Policy to edit.

Payload

Field                   Required  Description
name                    No        The new name of the Risk Policy.
description             No        The description of the Risk Policy.
is_org_default          No        A boolean field which shows if this is the default Risk Policy. Defaults to false.
filters.priority        No        Countermeasures in this policy must have a priority greater than or equal to this value. Must be a value from 1 to 10. Defaults to 1.
filters.phases          No        Countermeasures in this policy must be in one of these phases.
filters.regulations     No        This policy will include all relevant Countermeasures related to these regulations.
filters.tags            No        Countermeasures in this policy must have one of these tags.
conditions.statuses     No        To be considered compliant, Countermeasures subject to this Risk Policy must have a relevant Countermeasure Status and an acceptable Verification Status.
regulations             No        This policy will include all Countermeasures related to relevant regulations.

PATCH /api/v2/risk-policies/2/ HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"

{
    "name": "Max Risk",
    "filters": {
        "priority": 10
    }
}
HTTP/1.1 200 OK
Content-Type: application/json

{
    "id": 2,
    "is_org_default": false,
    "name": "Max Risk",
    "description": "Applies to all applications",
    "filters": {
        "phases": ["requirements", "architecture-design", "development", "testing"],
        "priority": 10,
        "regulations": ["REG1", "REG2"],
        "tags": ["tag1", "tag2"]
    },
    "project_classifications": [],
    "conditions": {
      "statuses": [{
        "task_status": "TS1",
        "minimum_verification_status": "pass"
      }]
    }
}

Delete a Risk Policy

This endpoint deletes a single Risk Policy resource, as specified by the id parameter.

DELETE /api/v2/risk-policies/{risk_policy_id}/

URL Parameters

Parameter        Description
risk_policy_id   The id of the Risk Policy to delete.

Payload

Field          Required  Description
replacement    Yes       The id of the Risk Policy that projects currently using the deleted policy will be moved to.

DELETE /api/v2/risk-policies/1/ HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"

{
    "replacement": 2
}
HTTP/1.1 204 NO CONTENT
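The four operations above (list with query filters, create, partial update, delete with a replacement) as a small Python client. This is an added example, not an SD Elements SDK: the base URL, the token value, the canned responses in the fake transport and the error class are assumptions; only the paths, headers and payload shapes come from this page. The transport is injected so the request-building logic can be exercised offline, and error messages deliberately omit request headers so the access token never ends up in a log line.

```python
"""Minimal client for /api/v2/risk-policies/ (added example; not vendor code)."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

# transport(method, url, headers, body_bytes) -> (http_status, response_text)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str]]
PATH = "/api/v2/risk-policies/"


def _urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, str]:
    """Real network transport; returns the status instead of raising on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def validate_filters(filters: Optional[Dict[str, Any]]) -> List[str]:
    """Client-side check from the field table: filters.priority is an integer from 1 to 10."""
    errors: List[str] = []
    if filters and "priority" in filters:
        p = filters["priority"]
        if not isinstance(p, int) or not 1 <= p <= 10:
            errors.append("filters.priority must be an integer from 1 to 10")
    return errors


class SdeError(RuntimeError):
    """Raised for any 4xx/5xx response (assumed name)."""


class RiskPolicyClient:
    def __init__(self, base_url: str, token: str, transport: Optional[Transport] = None):
        self.base_url = base_url.rstrip("/")
        self._token = token
        self._transport = transport or _urllib_transport

    def _call(self, method: str, path: str, params: Optional[Dict[str, Any]] = None,
              body: Optional[Dict[str, Any]] = None) -> Any:
        url = self.base_url + path + ("?" + urllib.parse.urlencode(params) if params else "")
        headers = {"Accept": "application/json", "Authorization": f"Token {self._token}"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode("utf-8")
        status, text = self._transport(method, url, headers, data)
        if status >= 400:
            # Report method, path and status only: headers carry the token and must not be logged.
            raise SdeError(f"{method} {path} -> HTTP {status}: {text[:200]}")
        return json.loads(text) if text else None

    def list_policies(self, **filters: Any) -> List[Dict[str, Any]]:
        """GET with the documented query filters (name, description, priority, riskclassification__ordinal)."""
        return self._call("GET", PATH, params=filters)["results"]

    def get(self, policy_id: int, expand: Optional[List[str]] = None) -> Dict[str, Any]:
        return self._call("GET", f"{PATH}{policy_id}/", params={"expand": ",".join(expand)} if expand else None)

    def create(self, name: str, description: str, conditions: Dict[str, Any], filters: Optional[Dict[str, Any]] = None,
               project_classifications: Optional[List[int]] = None, is_org_default: bool = False) -> Dict[str, Any]:
        errors = validate_filters(filters)
        if errors:
            raise ValueError("; ".join(errors))
        body = {"name": name, "description": description, "is_org_default": is_org_default,
                "filters": filters or {}, "project_classifications": project_classifications or [],
                "conditions": conditions}
        return self._call("POST", PATH, body=body)

    def update(self, policy_id: int, **fields: Any) -> Dict[str, Any]:
        """PATCH sends only the fields given; everything else keeps its current value."""
        errors = validate_filters(fields.get("filters"))
        if errors:
            raise ValueError("; ".join(errors))
        return self._call("PATCH", f"{PATH}{policy_id}/", body=fields)

    def delete(self, policy_id: int, replacement: int) -> bool:
        """DELETE needs the id of the policy that takes over the deleted policy's projects."""
        if replacement == policy_id:
            raise ValueError("replacement must be a different Risk Policy")
        self._call("DELETE", f"{PATH}{policy_id}/", body={"replacement": replacement})
        return True


class FakeTransport:
    """Constructed stand-in for the network: records every request, replays canned responses."""
    def __init__(self, responses: Dict[Tuple[str, str], Tuple[int, Optional[Dict[str, Any]]]]):
        self.responses, self.calls = responses, []

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, str]:
        parsed = urllib.parse.urlsplit(url)
        self.calls.append({"method": method, "path": parsed.path, "query": parsed.query,
                           "headers": headers, "body": json.loads(body) if body else None})
        status, payload = self.responses[(method, parsed.path)]
        return status, "" if payload is None else json.dumps(payload)


def demo() -> List[Dict[str, Any]]:
    """Run the list/create/update/delete sequence from this page against the fake and return the recorded calls."""
    fake = FakeTransport({
        ("GET", PATH): (200, {"results": [{"id": 1, "is_org_default": True, "name": "All Risk"}]}),
        ("POST", PATH): (201, {"id": 2, "is_org_default": False, "name": "Low Risk"}),
        ("PATCH", PATH + "2/"): (200, {"id": 2, "is_org_default": False, "name": "Max Risk"}),
        ("DELETE", PATH + "2/"): (204, None),
    })
    client = RiskPolicyClient("https://sde.example.invalid", "example-token", transport=fake)  # assumed host/token
    default = client.list_policies(name="All Risk")[0]
    created = client.create("Low Risk", "Applies to all applications",
                            conditions={"statuses": [{"task_status": "TS1", "minimum_verification_status": "pass"}]},
                            filters={"priority": 7, "phases": ["development", "testing"], "tags": ["tag1", "tag2"]})
    client.update(created["id"], name="Max Risk", filters={"priority": 10})
    client.delete(created["id"], replacement=default["id"])
    return fake.calls
```

Against a real instance, construct the client without the `transport` argument and read the token from the environment rather than a literal; the fake transport exists only so the request shapes can be checked without network access.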

Get a specific Risk Policy

This endpoint retrieves a specific Risk Policy resource, as specified by the id parameter.

GET /api/v2/risk-policies/{risk_policy_id}/

URL Parameters

Parameter        Description
risk_policy_id   The id of the Risk Policy to retrieve.

GET /api/v2/risk-policies/1/ HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"

HTTP/1.1 200 OK
Content-Type: application/json

{
    "id": 1,
    "is_org_default": true,
    "name": "All Risk",
    "description": "Applies to all applications",
    "filters": {
        "phases": ["requirements", "architecture-design", "development", "testing"],
        "priority": 7,
            "regulations": ["REG1", "REG2"],
        "tags": ["tag1", "tag2"]
    },
    "project_classifications": [1, 4],
    "conditions": {
      "statuses": [{
        "task_status": "TS1",
        "minimum_verification_status": "pass"
      }]
    }
}

Expand Parameters

See the Expand Parameters section for more details.

Parameter                 Description
phases                    The Phases field is expanded to include Phase names.
statuses                  The Statuses field is expanded to include Countermeasure Status names and Verification Status names, ordinals, and labels.
regulations               The Regulations field is expanded to include Regulation names.
project_classifications   The Project Classifications field is expanded to include the name, description, and last updated time.

GET /api/v2/risk-policies/1/?expand=phases,conditions,regulations,project_classifications HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"

HTTP/1.1 200 OK
Content-Type: application/json

{
    "id": 1,
    "is_org_default": true,
    "name": "All Risk",
    "description": "Applies to all applications",
    "filters": {
        "phases": [
            {
                "name": "Requirements",
                "slug": "requirements"
            },
            {
                "name": "Architecture & Design",
                "slug": "architecture-design"
            },
            {
                "name": "Development",
                "slug": "development"
            },
            {
                "name": "Testing",
                "slug": "testing"
            }
        ],
        "priority": 7,
        "regulations": [
            {
                "name": "PCI-DSS v2.0",
                "item_id": "REG1"
            },
            {
                "name": "HIPAA",
                "item_id": "REG2"
            }
        ],
        "tags": ["tag1", "tag2"]
    },
    "project_classifications": [
        {
            "ordinal": 1,
            "name": "Maximum",
            "description": "Used for projects with maximum risk.",
            "default_risk_policy": 1,
            "risk_policies": [1],
            "answers": ["A168"],
            "last_update_date_time": "2019-05-28T11:34:21.908541-04:00",
            "is_unclassified": false
        }
    ],
    "conditions": {
      "statuses": [{
        "task_status": {
            "name": "Complete",
            "item_id": "TS1"
        },
        "minimum_verification_status": {
            "name": "pass",
            "label": "Pass",
            "ordinal": 2
        }
      }]
    }
}
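The field tables for create and update describe how a policy selects countermeasures (priority at or above filters.priority, phase in filters.phases, at least one of filters.tags) and when a selected countermeasure counts as compliant (its status matches a conditions.statuses entry and its verification status is at or above that entry's minimum). The following is an added example, not part of this page or of the product, that applies those rules locally to a policy document in either the plain or the expanded form shown above. The countermeasure records, the verification-status ordinal table (the page only confirms that "pass" has ordinal 2) and the treatment of filters.regulations as "related to at least one listed regulation" are assumptions.

```python
"""Apply a Risk Policy's filters and conditions to countermeasure records (added example)."""
from dataclasses import dataclass, field
from typing import Any, Dict, Iterable, List, Set

# Assumed ordering of verification statuses; only "pass" == 2 is confirmed by the expanded response.
VERIFICATION_ORDINAL = {"fail": 0, "partial": 1, "pass": 2}


@dataclass
class Countermeasure:
    """Constructed stand-in for a countermeasure (task) record."""
    id: str
    priority: int
    phase: str            # phase slug, e.g. "development"
    status: str           # Countermeasure Status item_id, e.g. "TS1"
    verification: str     # verification status name, e.g. "pass"
    tags: Set[str] = field(default_factory=set)
    regulations: Set[str] = field(default_factory=set)


def _ident(value: Any, key: str) -> Any:
    """Return the bare identifier whether the field is plain ("TS1") or expanded ({"item_id": "TS1"})."""
    return value[key] if isinstance(value, dict) else value


def in_scope(policy: Dict[str, Any], cm: Countermeasure) -> bool:
    """A countermeasure is subject to the policy when it passes every configured filter."""
    f = policy.get("filters", {})
    if cm.priority < f.get("priority", 1):                     # priority >= filters.priority (default 1)
        return False
    phases = {_ident(p, "slug") for p in f.get("phases", [])}
    if phases and cm.phase not in phases:                       # must be in one of the listed phases
        return False
    tags = set(f.get("tags", []))
    if tags and not (tags & cm.tags):                           # must carry one of the listed tags
        return False
    regs = {_ident(r, "item_id") for r in f.get("regulations", [])}
    if regs and not (regs & cm.regulations):                    # assumption: related to a listed regulation
        return False
    return True


def is_compliant(policy: Dict[str, Any], cm: Countermeasure) -> bool:
    """Compliant when a condition matches the status and the verification status meets its minimum."""
    for cond in policy["conditions"]["statuses"]:
        wanted = _ident(cond["task_status"], "item_id")
        minimum = cond["minimum_verification_status"]
        min_ord = minimum["ordinal"] if isinstance(minimum, dict) else VERIFICATION_ORDINAL[minimum]
        if cm.status == wanted and VERIFICATION_ORDINAL[cm.verification] >= min_ord:
            return True
    return False


def evaluate(policy: Dict[str, Any], cms: Iterable[Countermeasure]) -> Dict[str, List[str]]:
    """Bucket countermeasure ids into out_of_scope / compliant / non_compliant for one policy."""
    report: Dict[str, List[str]] = {"out_of_scope": [], "compliant": [], "non_compliant": []}
    for cm in cms:
        if not in_scope(policy, cm):
            report["out_of_scope"].append(cm.id)
        elif is_compliant(policy, cm):
            report["compliant"].append(cm.id)
        else:
            report["non_compliant"].append(cm.id)
    return report


# The "Low Risk" policy from the create example on this page, plain form.
LOW_RISK = {
    "filters": {"phases": ["requirements", "architecture-design", "development", "testing"],
                "priority": 7, "regulations": ["REG1", "REG2"], "tags": ["tag1", "tag2"]},
    "conditions": {"statuses": [{"task_status": "TS1", "minimum_verification_status": "pass"}]},
}

# The same policy as the expand parameters would return it (shapes copied from the expanded response).
LOW_RISK_EXPANDED = {
    "filters": {"phases": [{"name": "Requirements", "slug": "requirements"},
                           {"name": "Architecture & Design", "slug": "architecture-design"},
                           {"name": "Development", "slug": "development"},
                           {"name": "Testing", "slug": "testing"}],
                "priority": 7,
                "regulations": [{"name": "PCI-DSS v2.0", "item_id": "REG1"}, {"name": "HIPAA", "item_id": "REG2"}],
                "tags": ["tag1", "tag2"]},
    "conditions": {"statuses": [{"task_status": {"name": "Complete", "item_id": "TS1"},
                                 "minimum_verification_status": {"name": "pass", "label": "Pass", "ordinal": 2}}]},
}

# Constructed sample countermeasures covering each filter and condition outcome.
SAMPLE = [
    Countermeasure("T21", 9, "development", "TS1", "pass", {"tag1"}, {"REG1"}),     # in scope, compliant
    Countermeasure("T36", 8, "testing", "TS1", "partial", {"tag2"}, {"REG2"}),      # verification below minimum
    Countermeasure("T40", 3, "development", "TS1", "pass", {"tag1"}, {"REG1"}),     # priority below 7
    Countermeasure("T55", 9, "deployment", "TS1", "pass", {"tag1"}, {"REG1"}),      # phase not in policy
    Countermeasure("T61", 9, "development", "TS2", "pass", {"tag1"}, {"REG1"}),     # status is not TS1
    Countermeasure("T77", 9, "development", "TS1", "pass", {"other"}, {"REG1"}),    # no matching tag
]


def report_plain() -> Dict[str, List[str]]:
    return evaluate(LOW_RISK, SAMPLE)


def report_expanded() -> Dict[str, List[str]]:
    return evaluate(LOW_RISK_EXPANDED, SAMPLE)
```

Because the expanded and plain forms evaluate identically, a consumer can request `expand=...` for display purposes without changing its compliance logic; the one field that does change type is minimum_verification_status, where the expanded ordinal replaces the assumed lookup table.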
