From 54ce89822bee395ff6ab1b8b38820cc74face99c Mon Sep 17 00:00:00 2001
From: Jacob Boddey
Date: Wed, 5 Jun 2024 14:22:25 +0100
Subject: [PATCH] Update risk assessment format
---
 resources/risk_assessment.json | 40 +++++++++++++++++++++++++++-------
 1 file changed, 32 insertions(+), 8 deletions(-)
diff --git a/resources/risk_assessment.json b/resources/risk_assessment.json
index e341dd904..5393edfbd 100644
--- a/resources/risk_assessment.json
+++ b/resources/risk_assessment.json
@@ -59,8 +59,12 @@
 "options": [
 "The device collects any Personal Identifiable Information (PII) or Personal Health Information (PHI)",
 "The device collects intellectual property and trade secrets, sensitive business data, critical infrastructure data, identity assets",
- "The device stream confidential business data in real-time (seconds)?"
- ]
+ "The device stream confidential business data in real-time (seconds)?",
+ "None of the above"
+ ],
+ "validation": {
+ "required": true
+ }
 },
 {
 "question": "Which of the following statements are true about this device?",
@@ -72,8 +76,12 @@
 "A failure in data transmission would likely have a substantial negative impact (https://www.rra.rocks/docs/standard_levels#levels-definitions)",
 "A confidentiality breach during transmission would have a substantial negative impact",
 "The device encrypts data during transmission",
- "The device network protocol is well-established and currently used by Google"
- ]
+ "The device network protocol is well-established and currently used by Google",
+ "None of the above"
+ ],
+ "validation": {
+ "required": true
+ }
 },
 {
 "question": "Does the network protocol assure server-to-client identity verification?",
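Review bot: Nothing in the added `"validation": { "required": true }` stops a respondent from selecting "None of the above" together with one of the substantive statements, so a submission can pass the required check while contradicting itself. The same pattern recurs in the hunks at -72, -96 and -109. How the form and the risk scoring treat that combination is not visible here; if any non-empty selection is accepted, the consumer should reject the mixed answer, or picking "None of the above" should clear the other choices. The question object starts above this hunk, so its `type` is not shown.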
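Review bot: In the hunk at -72, "None of the above" also denies the protective statement `"The device encrypts data during transmission"`, so the answer that reads as the safest one actually means unencrypted transmission. The hunk at -96 has the same mix with `"Authentication is required for remote access"`. If the scoring code, which is not shown, maps "None of the above" to the lowest risk, these two questions would under-rate such devices. Consider moving the protective statements into their own yes/no questions, or scoring each option individually rather than the catch-all.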
@@ -96,8 +104,12 @@
 "Unrecoverable actions (e.g. disk wipe) can be performed remotely",
 "Authentication is required for remote access",
 "The management interface is accessible from the public internet",
- "Static credentials are used for administration"
- ]
+ "Static credentials are used for administration",
+ "None of the above"
+ ],
+ "validation": {
+ "required": true
+ }
 },
 {
 "question": "Are any of the following statements true about this device?",
@@ -109,7 +121,19 @@
 "The device controls robotics in human-accessible spaces.",
 "The device controls physical access systems.",
 "The device is involved in processes required by regulations, or compliance. (ex. privacy, security, safety regulations)",
- "The device's failure would cause faults in other high-criticality processes."
- ]
+ "The device's failure would cause faults in other high-criticality processes.",
+ "None of the above"
+ ],
+ "validation": {
+ "required": true
+ }
+ },
+ {
+ "question": "Comments",
+ "description": "Anything else to share?",
+ "type": "text-long",
+ "validation": {
+ "max": "512"
+ }
 }
 ]
\ No newline at end of file
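Review bot: The length limit on the new Comments question in the hunk at -109 is written as a string, `"max": "512"`, while `required` in the same file is a real boolean. A consumer that compares a length against it gets string coercion in some languages and a type error in others, so the limit may not be enforced as intended; `"max": 512` avoids that. Since this file only describes the form, the 512-character cap on the free-text field should also be checked where the answers are received, which is outside this diff.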