Knowledge Module

    Authoritative Document Editor: Standards and policies can be created and published in the Knowledge module. Files can be attached, and people and groups of people can also be included in the audience of these authoritative documents, which are then available in the Documents section of the Home module.

In addition to custom content, Modulo offers various industry-standard authoritative documents with the installation for immediate use in compliance projects and other applications. Content provided out-of-the-box includes: ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005, ISO/IEC 31000, ISO 15489 Parts 1 and 2, ISO/IEC 20000-1 and ISO/IEC 20000-2, BS 25999-1, PCI DSS, CSA Cloud Control Matrix, NIST SP 800-53, FFIEC standards, NERC reliability standards, COBIT, BITS framework, FDIC, OCC regulations, SEC regulations, US state privacy laws, and others.

    Cross-Referenced Requirements: Cross-references between requirements from authoritative documents can be managed and reports can be generated showing these mappings. A specific type of query is available to show the results for requirements analyzed in projects along with any cross-referenced requirements, avoiding unnecessary analyses of similar requirements.

    Knowledge Base Editor: Knowledge bases and their controls can be created and published in the Knowledge module. A publication workflow with full versioning control is supported. For technology knowledge bases, you can also manage OVAL Definitions and their associations with controls.

    Supports the NIST CPE and CCE: The system allows CPE (Common Platform Enumeration) and CCE (Common Configuration Enumeration) names to be created and used in knowledge bases.

    Threat and Threat Source Editor: Custom threats and threat sources can be created and their associations can be managed. Threats (both custom and those provided by Modulo) can be associated with controls so that you can filter consolidated results from risk analyses by them and understand which threats the controls help avoid if implemented, thus helping prioritize non-implemented controls.

    Survey Editor: Surveys play an important role in risk and compliance assessments, and can also be used to collect and automatically update information on organizational objects. The system includes an editor for creating custom surveys, which are then used as interviews in the projects. These can be created from scratch, based on existing documents, or through copies of other surveys. They can also be edited offline through Excel and imported back to the system, and rules can be created for displaying or hiding questions, for making comments and attachments required, and for processing responses automatically. Interviewees can attach evidence when answering questions, and auditors, managers, or other interested parties can check the findings related to a specific question. In addition, when previewing each survey, users can simulate the final results according to the responses selected.

    Export/Import Content: Custom authoritative documents, knowledge bases, surveys, and cross-references can be selected to be exported to a knowledge package so that they can be imported to other system installations. Packages containing updated knowledge are provided by Modulo and can also be imported.

    Map Controls to Requirements: Controls and requirements similar in nature can be mapped to each other, allowing the results of risk assessments to be displayed for any mapped requirements through specific queries.

    Import Vulnerabilities to the Catalogue: Vulnerabilities identified by scanners not supported by the system can be imported to the catalogue of vulnerabilities through spreadsheets. Those identified by scanners integrated with the system are automatically included in the catalogue.