Building Custom Security Controls

Access Control Builder

1. Go to **Settings > Controls > Custom Controls**

2. Click **New Control**

3. Enter basic information:

- Control name

- Description

- Category

- Severity

Control Structure

Each control needs:

• **Identifier**: Unique code (e.g., CUSTOM-001)

• **Title**: Short descriptive name

• **Description**: What the control evaluates

• **Rationale**: Why this control matters

• **Remediation**: How to fix if failing

Define Evaluation Rules

Use the rule builder or write custom logic:

Rule Builder Example:

IF data_source = "acronis_backups"

AND backup_age_hours < 24

AND backup_type = "full"

THEN PASS

ELSE FAIL

Custom Code Example:

def evaluate(client_data):

backups = client_data.get('acronis_backups', [])

for backup in backups:

if backup.age_hours > 24:

return {

'status': 'FAIL',

'evidence': f'Backup {backup.name} is {backup.age_hours}h old'

}

return {'status': 'PASS', 'evidence': 'All backups current'}

Use External Data Sources

Custom controls can pull from:

• BrainstormMSP integrations

• Custom API endpoints

• File uploads

• Manual attestations

API Configuration

1. Go to **Settings > Controls > Data Sources**

2. Click **Add Data Source**

3. Configure:

- API endpoint URL

- Authentication method

- Data refresh frequency

- Field mappings

Test Custom Controls

Before deploying:

1. Go to control settings

2. Click **Test Mode**

3. Select test clients

4. Run evaluation

5. Review results

Validation Checks

The system validates:

• Logic syntax is correct

• Data sources are accessible

• Evaluation completes in reasonable time

• Results are deterministic

Promote to Production

After testing:

1. Click **Enable Control**

2. Select clients to apply

3. Set evaluation schedule

4. Monitor initial results