| name | compliance-report-builder |
| description | Эксперт по compliance отчётам. Используй для SOX, GDPR, HIPAA, SOC 2 аудитов и документации соответствия. |
Compliance Report Builder
Эксперт по регуляторной compliance документации и отчётности.
Основные принципы
Evidence-Based Documentation
- Контроли должны быть связаны с конкретными артефактами
- Audit trail с timestamps и ответственными
- Количественные метрики для preventive и detective мер
Risk-Oriented Approach
- Приоритизация high-risk областей
- Mapping контролей к threat vectors
- Документирование residual risk
Regulatory Alignment
- Привязка требований к конкретным статьям регуляций
- Guidance для неоднозначных стандартов
- Compensating controls документация
Executive Summary Template
# Compliance Status Report
**Period:** Q4 2024
**Prepared:** 2024-12-10
**Classification:** Confidential
## Overall Status: 🟡 YELLOW
### Coverage Summary
| Framework | Controls | Compliant | Gaps | Coverage |
|-----------|----------|-----------|------|----------|
| SOC 2 | 85 | 79 | 6 | 93% |
| GDPR | 42 | 40 | 2 | 95% |
| ISO 27001 | 114 | 108 | 6 | 95% |
### Key Findings
| Priority | Count | Trend |
|----------|-------|-------|
| Critical | 0 | ⬇️ |
| High | 3 | ➡️ |
| Medium | 8 | ⬆️ |
| Low | 12 | ➡️ |
### Action Items
1. [CRITICAL] None
2. [HIGH] Complete MFA rollout by Jan 15
3. [HIGH] Update data retention policy
4. [HIGH] Implement logging for System X
Control Assessment Framework
Control:
ID: AC-001
Title: Access Control Policy
Framework: SOC 2, ISO 27001
Category: Security
Implementation:
Status: Implemented
Owner: Security Team
Last Review: 2024-12-01
Testing:
Method: Inspection + Inquiry
Frequency: Quarterly
Last Test: 2024-11-15
Result: Effective
Evidence:
- Policy document v2.3
- Access review logs
- Training completion records
Gaps:
- None identified
Recommendations:
- Automate quarterly access reviews
SOC 2 Trust Services
## Security (Common Criteria)
### CC1: Control Environment
| Control | Description | Status | Evidence |
|---------|-------------|--------|----------|
| CC1.1 | Board oversight | ✅ | Board minutes |
| CC1.2 | Management philosophy | ✅ | Policy docs |
| CC1.3 | Organizational structure | ✅ | Org chart |
| CC1.4 | HR practices | ✅ | HR policies |
### CC2: Communication and Information
| Control | Description | Status | Evidence |
|---------|-------------|--------|----------|
| CC2.1 | Information quality | ✅ | Data governance |
| CC2.2 | Internal communication | ✅ | Slack, email logs |
| CC2.3 | External communication | ✅ | Customer portal |
### CC3: Risk Assessment
| Control | Description | Status | Evidence |
|---------|-------------|--------|----------|
| CC3.1 | Risk identification | ✅ | Risk register |
| CC3.2 | Risk analysis | ✅ | Risk assessment |
| CC3.3 | Fraud risk | ✅ | Fraud controls |
| CC3.4 | Change management | ⚠️ | Partial automation |
GDPR Checklist
Article 30 - Records of Processing:
- [ ] Processing purposes documented
- [ ] Data categories listed
- [ ] Recipient categories identified
- [ ] Transfer safeguards documented
- [ ] Retention periods defined
- [ ] Security measures described
Article 13/14 - Privacy Notices:
- [ ] Controller identity stated
- [ ] DPO contact provided
- [ ] Purposes explained
- [ ] Legal basis identified
- [ ] Rights information included
- [ ] Complaint procedure described
Article 17 - Right to Erasure:
- [ ] Process documented
- [ ] Timeframes defined (30 days)
- [ ] Exceptions listed
- [ ] Verification procedure
- [ ] Third-party notification
Article 33 - Breach Notification:
- [ ] Detection procedures
- [ ] Assessment criteria
- [ ] 72-hour notification process
- [ ] DPA contact established
- [ ] Subject notification criteria
Risk Assessment Matrix
const riskMatrix = {
likelihood: {
rare: 1, // < 5%
unlikely: 2, // 5-25%
possible: 3, // 25-50%
likely: 4, // 50-75%
certain: 5 // > 75%
},
impact: {
negligible: 1, // < $10k
minor: 2, // $10k-$100k
moderate: 3, // $100k-$1M
major: 4, // $1M-$10M
severe: 5 // > $10M
},
calculateRisk(likelihood, impact) {
const score = likelihood * impact;
if (score >= 15) return 'Critical';
if (score >= 10) return 'High';
if (score >= 5) return 'Medium';
return 'Low';
}
};
Finding Classification
Critical:
Response: 24-48 hours
Escalation: Executive + Board
Examples:
- Active data breach
- Regulatory violation with penalties
- System-wide security failure
High:
Response: 1-2 weeks
Escalation: Senior Management
Examples:
- Missing critical controls
- Significant gaps in coverage
- Failed audit controls
Medium:
Response: 30-60 days
Escalation: Department Head
Examples:
- Incomplete documentation
- Process inefficiencies
- Minor policy violations
Low:
Response: 90 days
Escalation: Control Owner
Examples:
- Optimization opportunities
- Documentation updates
- Training gaps
Gap Analysis Template
## Gap Analysis: [Control Area]
### Current State
[Description of current implementation]
### Required State
[Regulatory requirement or best practice]
### Gap Description
[Specific gaps identified]
### Risk Assessment
- Likelihood: [1-5]
- Impact: [1-5]
- Risk Score: [calculated]
- Risk Level: [Critical/High/Medium/Low]
### Remediation Plan
| Action | Owner | Due Date | Status |
|--------|-------|----------|--------|
| Action 1 | Name | Date | In Progress |
| Action 2 | Name | Date | Pending |
### Success Metrics
- [ ] Metric 1
- [ ] Metric 2
Audit Sampling
def calculate_sample_size(population: int, confidence: float = 0.95,
margin_error: float = 0.05) -> int:
"""
Calculate statistical sample size for audit testing.
Args:
population: Total population size
confidence: Confidence level (default 95%)
margin_error: Acceptable margin of error (default 5%)
Returns:
Required sample size
"""
import math
# Z-score for confidence level
z_scores = {0.90: 1.645, 0.95: 1.96, 0.99: 2.576}
z = z_scores.get(confidence, 1.96)
# Assume 50% response distribution for max sample
p = 0.5
# Sample size formula
n = (z**2 * p * (1-p)) / (margin_error**2)
# Finite population correction
if population < 10000:
n = n / (1 + (n - 1) / population)
return math.ceil(n)
# Example usage
# population=1000, 95% confidence, 5% margin
# Result: ~278 samples needed
Continuous Monitoring
Real-time Dashboards:
- Control effectiveness scores
- Compliance coverage %
- Open findings count
- Risk heat map
Automated Alerts:
Critical:
- Failed security controls
- Unauthorized access attempts
- Data breach indicators
Warning:
- Controls approaching expiry
- Overdue remediations
- Anomaly detection triggers
Reporting Cadence:
Daily: Critical events
Weekly: Status summary
Monthly: Detailed report
Quarterly: Executive review
Annually: Full assessment
Report Templates
Finding Report
# Finding Report
**ID:** FND-2024-042
**Date:** 2024-12-10
**Severity:** High
## Summary
[One-sentence description]
## Background
[Context and relevant history]
## Finding Details
[Technical details of the issue]
## Impact Assessment
- Business Impact: [description]
- Regulatory Impact: [description]
- Reputational Impact: [description]
## Root Cause
[Why this happened]
## Recommendation
[Specific remediation steps]
## Management Response
[Owner's response and commitment]
## Timeline
| Milestone | Date | Status |
|-----------|------|--------|
| Finding identified | 2024-12-10 | Complete |
| Remediation plan | 2024-12-15 | Pending |
| Implementation | 2024-01-15 | Pending |
| Verification | 2024-01-30 | Pending |
Лучшие практики
- Evidence first — каждый контроль должен иметь доказательства
- Risk-based prioritization — фокус на high-risk областях
- Continuous monitoring — не ждите годового аудита
- Clear ownership — каждый контроль имеет ответственного
- Regular testing — проверяйте effectiveness, не только design
- Documentation discipline — версионирование и audit trail