5.8.9 – 20th December 2022
- STPA: Fixed duplicate entries for adding existing items in HCS Diagram context menu
5.8.8 – 5th October 2022
- Risk Treatment: Fixed a bug where reloading Risk Assessment data after removing risks from the Risk Treatment would give an error
5.8.7 – 26th September 2022
- STPA: Improved the layout of Unsafe Control Action table view
- STPA: Fixed a bug where F2/Shift+F2 did not work to edit/add labels to items in the HCS diagram
- STPA: Fixed a visual glitch with collapsed annotation notes in the HCS diagram
5.8.6 – 15th July 2022
- Added check-in and check-out functionality to STPA projects, for improved multi-user experience
- Added Web API hosting option for STPA module
5.8.3 – 9th September 2021
- Fixed an issue with BCM reports not loading
- Updated .NET version requirement to 4.8
- Added the option to remove Risks from a Risk Treatment
5.8.0 – 17th May 2021
- Performance/timout fixes in saving Risk Assessment
- When adding new threats to business entity asset categories, add the threats to all assets in those categories
- Added the option to sync base threat-category connections to business entity threat-category
- Added the option to use Web API to communicate with the RM Studio database instead of a direct database connection from the client
- Fix: Add threats from both parent and child asset categories to asset
- Fixes in deploying trial database
5.7.2 – 17 June 2020
- Added support for deploying and updating databases to SQL Server 2019
- Increased .NET version requirement to 4.6.2
5.7.1 – 09 June 2020
- Fixed an issue on startup where database settings could not be located
- Fixed an issue in importing contacts
- When an SSH tunnel disconnects, the system now gives a prompt to try to reconnect
RMS STPA Master
- Disabled sorting on Category columns in UCA Table View
- Fixed a bug where multiple Default Categories cannot be created at the same time
- Fixed an issue where Annotation Connector Labels are not being saved
5.7 – 30 April 2020
New Database Hosting option:
- We now offer the option of hosting your RM Studio database and website. We manage all updates and maintenance along with backups of the database(s). You will only need to install the RM Studio desktop client to use the system.Contact email@example.com for more information.
- STPA is now part of the standard release
- Added Active Directory synchronization option. You can now fully manage RM Studio users from within your Active Directory settings. Define security groups that match your RM Studio roles, and the system will synchronize user access based on their Active Directory group assignments
- Added ISO 14001:2015 Environmental Management as a deployable standard
- Data Management:
- Added data source and data sink nodes to represent how data enters and leaves your organization
- Added ability to define Purpose of Processing
- General improvements to usability and overview report
- Added ability to customize email templates that are sent out from the system
- Added ability to connect to an RM Studio database behind an SSH tunnel
- Deleting asset Categories now automatically removes all child Categories and connections to Threats. Previously this had to be done manually.
- Added ability to link Threats to Categories from the Categories view
- Improved Single Sign-On using Windows Authentication in the web module
- Fixed a potential crash in Risk Assessment
- General bug fixes and improvements
5.6.1 – 31 October 2019
- Fixed a potential error when opening the Gap Analysis list
RMS Web 2.1.1
- Fixed a bug which prevented the Document section to be opened
5.6 – 14 November 2018
- Added a new report: Controls in Risk Treatment
- The new report presents the Risk Treatment(s) that contain the requirements or controls of the chosen standard or regulation along with the current implementation status from the Treatment.
- Added a justification text field to the risk and asset evaluation factors in the Risk Assessment
- The text field allows the user to input justification or reasoning for the why the selected evaluation was chosen for a risk or asset evaluation factor (e.g. why a value of “High” was chosen for “Impact” on a specific risk).
- Note: The justification text is an optional feature that is enabled in the Risk Profile for the evaluation factors where a justification is desired (justifications are not enabled by default).
- Also enabled on the web solution as part of the risk owner surveys (tasks)- see Web 2.1 below
- Report logos are now stored in the RM Studio database. The database update process will attempt to automatically upload existing logos to the database from the file system. A warning will be displayed for those logos that can’t be automatically uploaded and will need to be manually uploaded after the update.
- Added a list to Standard Mapping Sets that shows all controls/requirements and their mappings to the standards/regulations
- Fixed various bugs in the Data Management module
- Fixed a bug in ISO 27001:2013 where clause 5.1.h appeared under section 5.2
RMS – Web 2.1
- When performing a Risk Evaluation task, risk owners provide justification text for their risk evaluations to the Risk Assessment managers for a better understanding of the risk owner’s chosen levels of risk.
- Note: the justifications for evaluations must be enable in the Risk Profile
RMS – Web API 1.2
- Added a new field to AssetEvaluation and RiskEvaluation models for justification text
5.5.1 – 13 August 2018
- Fixed node connections in the Data Flow Process editor not being deleted properly
- Fixed disposal method description of Data Records not saving
- Fixed location of Data Sources not saving
- Fixed protection method of Data Record Attributes not appearing in Data Flow Overview report
- Date format in Risk Analysis report now correctly uses the short date format of the client computer
5.5 – 26 July 2018
- Contact Types have been changed to Contact Groups. Contacts can belong to more than one Contact Group.
- New Data Management Module that allows you to create data flow maps of personal data within your organization using a visual editor.
- Generate a map of data records and data sources containing personal information
- Document the retention policy, access control, location, responsible controllers and processors for each data record
- List the data attributes that you collect in each step, and the lawful basis used to authorize the collection
- Generate a report to give you an overview of your data records
- Manage a list of data subjects that you collect information about
For more about the Data Management Module, contact firstname.lastname@example.org
- Revised various features of the Document interface for a better user experience
- Fixed a bug where it was possible to delete a Gap Analysis that had an associated Control Maturity Assessment. When trying to save, the system would give an unhelpful exception error message
RMS – Web 2.0
- Added an Incident Registration Manager that allows stakeholders and other employees to register incidents that they notice within the organization
- The registration fields cover discovery, investigation, classification and resolution of the incident
- Get notified of newly registered incidents via Email notifications
- Track status changes of incidents via Email notifications
- Assign affected Assets from your Asset registry to the Incident
- A new dashboard widget shows the most recently registered incidents for a quick status overview
Note: The Incident Registration Manager is only available in the Web Interface, and is licensed as a part of the Business Continuity Management module.
- Documents can now be managed within the Web Interface: Create, update, and delete documents and folders on the Web.
5.4.3 – 23 March 2018
- The data between Business Entities tab and Assets tab is now synchronized – editing/adding items in one window is immediately reflected in the other window. Previously the data needed to be saved, and refreshed in the other window.
- Fixed a couple of issues with installing the trial database
- Using the “Add existing asset” action on a Business Entity now correctly adds the risks associated with the existing asset categories
- Fixed a potential error in the database update
- Few smaller UI tweaks
5.4.2 – 15 March 2018
- Added Excel and PDF export options in a few lists where they were missing
- Added Item Count information to a few lists where it was missing
- Fixed an issue where it was possible to delete a Control Maturity Assessment that was associated with a Risk Treatment. This would leave the Risk Treatment inaccessible within the program.
RMS Web 1.4
- Fixed flickering issues on page load in various places
- The “Pinned document folder” dashboard widget now shows links to all documents within that folder
- The “My Top 10 Inherent Risks” dashboard widget now also shows the Business Entity associated with each Risk
5.4.1 – 26 February 2018
- Fixed an exception when clicking “Add new” within the catogories list of an Asset
- Fixed incorrect asset category hierarchy listing in the Asset Browser tree.
- Added missing option for adding a root level threat type in th threat tree
5.4 – 15 February 2018 (limited release)
- The Business Entities interface has been redesigned:
- Business Entities can be hierarchical
- Threat<->Category connections can be customized for each Business Entity
- Assets can be created directly under a Business Entity and therefor associated with that BE, but the Asset is also available to associate with other BEs as needed. You can view all Assets under the Common->Assets and review the associated BEs, Categories, and Risks.
- Threats/Risks can be added directly to an Asset within a Business Entity, thus allowing for an asset to have different AssetRisk associations under different BEs.
- When adding Categories to Assets, if the Asset is associated with a BE, the Asset will be assocaited with the Risks based on the ThreatCategory connection for that BE only.
- It is important to note that Categories are associated directly with the Asset, but Risks are associated with the Asset within a Business Entity. If the Asset is shared between multiple Business Entities, the Asset can have different Risks for each BE. An Asset can’t have associated Risks unless it is within a Business Entity – a significant change from previous versions.
- The Asset interface has been rewritten:
- The Asset interface now allows you to browse Assets by Categories.
- The Asset interface shows what Business Entities the Asset is associated with.
- When adding an Asset to a Risk Assessment, the only Assets available for that RA are Assets that belong to the designated BE when creating the new RA.
- The list of Risks for an Asset evaluated in the Risk Assessment will be the same list of Risks associated with the Asset under the Business Entity.
- The Threat list interface has been rewritten to show Threats grouped by Threat Type in a tree structure.
- Threat Types are now created in the same interface as Threats. The Threat Type node has been removed from the main navigation tree.
- It is now possible to assign Categories to multiple Assets in a single operation, either within the new Asset interface or the new Business Entity interface
- Added a new type of Document classification and function for creating and editing in RM Studio. The three types of document classifications available are:
- Embedded ̶ The document is imported and stored in the RM Studio database. You can store any type of file in this manner.
- External ̶ The document is stored as a file external to RM Studio on a file system or URL.
- New: RM Studio Document ̶ This type of document is stored as HTML text within the RM Studio database. The document contents are modified within RM Studio using a rich text editor. This type of document can be viewed directly using the RM Studio Web Module.
- Fixed an issue when deleting an Asset from a Risk Assessment if the Asset had Risks that were associated with any Tasks
RMS Web 1.4
- Added ability to view Documents on the web, except external files. The new type, RM Studio Documents, can be browsed and linked to as web pages.
- Added Dashboard features on the home page:
- Open tasks: Displays any open Tasks assigned to the user logged in,
- Pinned document folder: Add a direct link to a Document Folder for quick browsing,
- Top 10 risks: Displays top ten Risks by Inherent Risk Score for Risks that the current user is the Risk Owner of.
- Redesigned the look of the sidebar and added a collapse icon.
5.3.1 – 29 November 2017
- Most of the programs UI now scales correctly when viewed on high DPI devices
- Fixed an error reported by users during database update
- Fixed a few errors in the Control Implementation Comparison report
- Fixed a potential crash when saving a Risk Treatment
- Fixed a problem where pasting text into the rich text editor would not always work
- Fixed other minor bugs reported by users
Note: This version does not require a database update when updating from 5.3.0.
5.3.0 – 27 October 2017 (limited release)
- 3 new Standards/Regulations are now available for deployment:
- EU General Data Protection Regulation,
- NIST Special Publications 800-53 rev.4,
- ISO 13485:2016 – Medical devices – Quality Management Systems.
- New Risk Analysis report: lists the threats and mitigation controls from the Risk Treatment plus associated assets summary.
- The Standard Mapping Sets feature defines mappings between Standards/Regulations.
- The Rich Text Editor has been upgraded.
- The Standards and Controls section UI has been revised.
- Added support for deploying the database to SQL Server 2016
- Fixed a recent issue, where copying an Asset in the Asset List produced an error.
- Fixed a few issues in the Tasks List in a Risk Assessment
- Updated the .NET version requirement to 4.6.1
RMS Web 1.3.0
- Deployed Standards and Controls can now be viewed from the web module
- Added a login screen with support for both RM Studio User authentication and Windows authentication
- Added progress indicators (spinners) and disabled user interaction in several places when the website is busy working
5.2.3 – 16 October 2017
- Fixed an issue where email sending from tasks did not work
- Fixed an issue where the database could not be deployed to SQL Server 2008
- Fixed a few minor issues with the tasks list in a Risk Assessment
5.2.2 – 19 September 2017
Fixed bugs reported by users.
- Fixed an issue where sometimes the risk level labels in the Risk Treatment gauges were ordered incorrectly
- Fixed a crash when right clicking in the rich text editor
- Fixed an issue where new assets in a Risk Assessment were not reloaded correctly into a Risk Treatment
Web 1.2.1 – 14 September 2017
- Fixed an issue where saving a task would occasionally give an error and required multiple attempts to save
- Fixed an issue where the task status would always be displayed as In Progress in the task list
5.2.1 – 3 August 2017
Fixed bugs reported by users.
- Fixed an issue with deleting a Risk Treatment
- Fixed an issue with running the Control Implementation Comparison report
5.2.0 – 19 July 2017
- Added the ability to assign related controls from other standards to standard controls. By implementing the set of related controls in a Gap Analysis or Risk Treatment, it is considered that the control is implemented as well.The system comes with predefined mappings between Cloud Controls Matrix 3.0.1 and ISO 27002:2013 for users who have both standards licensed and deployed.Existing users who have already deployed both standards will need to go to Menu -> Properties -> Standard Data, select either ISO 27002:2013 or CCM 3.0.1, and click the Deploy Standard button. This will redeploy the standard and add the mappings.
- Added a new report, “Control Implementation Comparison”, which uses the new related controls to check the implemention of a related standard against a current standard implementation in a Risk Treatment.
- In gap analysis, it is now possible to assign Justification text and Implementation date to multiple controls at the same time with one action
- Changed Risk Treatment reload functionality. Reloading changes from Gap Analysis or Risk Assessment now updates the Risk Treatment only with the changes made since the last reload. If no changes have been made to the Gap Analysis or Risk Assessment, then the Risk Treatment remains unchanged.Previously the reload function would reset any Risk Treatment changes made by the user since the last reload.Note: Risk Treatments created before version 5.2 will do a “full reload” for the first time they are reloaded after update. This means potentially overwriting changes made by the user.
- Removed the ability to link an existing Risk Treatment to a different Gap Analysis or Risk Assessment. To change the Assessment or Gap for a Risk Treatment, use the copy feature to create a new risk treatment and select the new Assessment and Gap from the copy dialog
- Improved user interface layout and text in a few places (Import Dialog, Create Risk Treatment Dialog, Asset Information)
- It is now possible to manually add and remove risks from Risk Assessment risk tasks. Previously the list of task risks was automatically populated based on the risk owner and could not be modified by the user.
- Risk treatments with a large amount of risks should now save and load much faster
- Added columns “Modified On” and “Modified By” to the risk treatment list, showing information for the latest modification to the Risk Treatment
- Updated ISO 27001:2013 and ISO 27002:2013 text with changes made in Cor1:2014 and Cor2:2015
- Fixed a bug where HTML tags were shown in text in some reports
- Fixed a bug where it was possible to send an email notification for an newly created unsaved task, resulting in an invalid web URL
- Fixed a bug where the Risk Treatment reload button was enabled in the list details view. The reload button should only be enabled in the full view
- Fixed a possible crash when editing Risk Profile risk criteria
- Increased the minimum .NET version requirement to 4.5.2
5.1.1 – 15 November 2016
- Bug fixes related to check-in and check-out status of the risk assessment (reported by users)
5.1.0 – 12 July 2016
- New module: Web interface for stakeholder risk evaluations
- Gather risk evaluations from risk owners in a risk assessment using a web interface
- Track status using email notifications
- Domain authentication in an intranet setting
- New feature: Document store
- Ability to define and categorize documents
- Store documents externally or upload to the RM Studio database
- Link documents to control and use as evidence in Gap Analysis
- Various bug fixes and improvements