Compliance Report Builder
by dengineproblem
Expert in compliance reporting. Use for SOX, GDPR, HIPAA and SOC 2 audits and compliance documentation.
---
name: compliance-report-builder
description: Эксперт по compliance отчётам. Используй для SOX, GDPR, HIPAA, SOC 2 аудитов и документации соответствия.
---
# Compliance Report Builder
Expert in regulatory compliance documentation and reporting.
## Core Principles
### Evidence-Based Documentation
- Controls must be linked to specific artifacts
- Audit trail with timestamps and responsible owners
- Quantitative metrics for preventive and detective measures
### Risk-Oriented Approach
- Prioritize high-risk areas
- Map controls to threat vectors
- Document residual risk
### Regulatory Alignment
- Tie requirements to specific articles of the regulations
- Guidance for ambiguous standards
- Compensating controls documentation
## Executive Summary Template
```markdown
# Compliance Status Report
**Period:** Q4 2024
**Prepared:** 2024-12-10
**Classification:** Confidential

## Overall Status: 🟡 YELLOW

### Coverage Summary
| Framework | Controls | Compliant | Gaps | Coverage |
|-----------|----------|-----------|------|----------|
| SOC 2 | 85 | 79 | 6 | 93% |
| GDPR | 42 | 40 | 2 | 95% |
| ISO 27001 | 114 | 108 | 6 | 95% |

### Key Findings
| Priority | Count | Trend |
|----------|-------|-------|
| Critical | 0 | ⬇️ |
| High | 3 | ➡️ |
| Medium | 8 | ⬆️ |
| Low | 12 | ➡️ |

### Action Items
1. [CRITICAL] None
2. [HIGH] Complete MFA rollout by Jan 15
3. [HIGH] Update data retention policy
4. [HIGH] Implement logging for System X
```
## Control Assessment Framework
```yaml
Control:
  ID: AC-001
  Title: Access Control Policy
  Framework: SOC 2, ISO 27001
  Category: Security
  Implementation:
    Status: Implemented
    Owner: Security Team
    Last Review: 2024-12-01
  Testing:
    Method: Inspection + Inquiry
    Frequency: Quarterly
    Last Test: 2024-11-15
    Result: Effective
  Evidence:
    - Policy document v2.3
    - Access review logs
    - Training completion records
  Gaps:
    - None identified
  Recommendations:
    - Automate quarterly access reviews
```
## SOC 2 Trust Services
## Security (Common Criteria)
### CC1: Control Environment
| Control | Description | Status | Evidence |
|---------|-------------|--------|----------|
| CC1.1 | Board oversight | ✅ | Board minutes |
| CC1.2 | Management philosophy | ✅ | Policy docs |
| CC1.3 | Organizational structure | ✅ | Org chart |
| CC1.4 | HR practices | ✅ | HR policies |
### CC2: Communication and Information
| Control | Description | Status | Evidence |
|---------|-------------|--------|----------|
| CC2.1 | Information quality | ✅ | Data governance |
| CC2.2 | Internal communication | ✅ | Slack, email logs |
| CC2.3 | External communication | ✅ | Customer portal |
### CC3: Risk Assessment
| Control | Description | Status | Evidence |
|---------|-------------|--------|----------|
| CC3.1 | Risk identification | ✅ | Risk register |
| CC3.2 | Risk analysis | ✅ | Risk assessment |
| CC3.3 | Fraud risk | ✅ | Fraud controls |
| CC3.4 | Change management | ⚠️ | Partial automation |
## GDPR Checklist
Article 30 - Records of Processing:
- [ ] Processing purposes documented
- [ ] Data categories listed
- [ ] Recipient categories identified
- [ ] Transfer safeguards documented
- [ ] Retention periods defined
- [ ] Security measures described
Article 13/14 - Privacy Notices:
- [ ] Controller identity stated
- [ ] DPO contact provided
- [ ] Purposes explained
- [ ] Legal basis identified
- [ ] Rights information included
- [ ] Complaint procedure described
Article 17 - Right to Erasure:
- [ ] Process documented
- [ ] Timeframes defined (30 days)
- [ ] Exceptions listed
- [ ] Verification procedure
- [ ] Third-party notification
Article 33 - Breach Notification:
- [ ] Detection procedures
- [ ] Assessment criteria
- [ ] 72-hour notification process
- [ ] DPA contact established
- [ ] Subject notification criteria
## Risk Assessment Matrix
```javascript
const riskMatrix = {
  likelihood: {
    rare: 1,     // < 5%
    unlikely: 2, // 5-25%
    possible: 3, // 25-50%
    likely: 4,   // 50-75%
    certain: 5   // > 75%
  },
  impact: {
    negligible: 1, // < $10k
    minor: 2,      // $10k-$100k
    moderate: 3,   // $100k-$1M
    major: 4,      // $1M-$10M
    severe: 5      // > $10M
  },
  // Score = likelihood x impact (1-25), mapped to the finding levels used below
  calculateRisk(likelihood, impact) {
    const score = likelihood * impact;
    if (score >= 15) return 'Critical';
    if (score >= 10) return 'High';
    if (score >= 5) return 'Medium';
    return 'Low';
  }
};
```
## Finding Classification
```yaml
Critical:
  Response: 24-48 hours
  Escalation: Executive + Board
  Examples:
    - Active data breach
    - Regulatory violation with penalties
    - System-wide security failure
High:
  Response: 1-2 weeks
  Escalation: Senior Management
  Examples:
    - Missing critical controls
    - Significant gaps in coverage
    - Failed audit controls
Medium:
  Response: 30-60 days
  Escalation: Department Head
  Examples:
    - Incomplete documentation
    - Process inefficiencies
    - Minor policy violations
Low:
  Response: 90 days
  Escalation: Control Owner
  Examples:
    - Optimization opportunities
    - Documentation updates
    - Training gaps
```
## Gap Analysis Template
```markdown
## Gap Analysis: [Control Area]

### Current State
[Description of current implementation]

### Required State
[Regulatory requirement or best practice]

### Gap Description
[Specific gaps identified]

### Risk Assessment
- Likelihood: [1-5]
- Impact: [1-5]
- Risk Score: [calculated]
- Risk Level: [Critical/High/Medium/Low]

### Remediation Plan
| Action | Owner | Due Date | Status |
|--------|-------|----------|--------|
| Action 1 | Name | Date | In Progress |
| Action 2 | Name | Date | Pending |

### Success Metrics
- [ ] Metric 1
- [ ] Metric 2
```
## Audit Sampling
```python
import math


def calculate_sample_size(population: int, confidence: float = 0.95,
                          margin_error: float = 0.05) -> int:
    """
    Calculate statistical sample size for audit testing.

    Args:
        population: Total population size
        confidence: Confidence level (default 95%)
        margin_error: Acceptable margin of error (default 5%)

    Returns:
        Required sample size
    """
    # Z-score for confidence level (unlisted values fall back to the 95% z-score)
    z_scores = {0.90: 1.645, 0.95: 1.96, 0.99: 2.576}
    z = z_scores.get(confidence, 1.96)
    # Assume 50% response distribution for the maximum (most conservative) sample
    p = 0.5
    # Sample size formula for an infinite population
    n = (z**2 * p * (1 - p)) / (margin_error**2)
    # Finite population correction for small populations
    if population < 10000:
        n = n / (1 + (n - 1) / population)
    return math.ceil(n)


# Example usage
# population=1000, 95% confidence, 5% margin
# Result: ~278 samples needed
```
## Continuous Monitoring
```yaml
Real-time Dashboards:
  - Control effectiveness scores
  - Compliance coverage %
  - Open findings count
  - Risk heat map
Automated Alerts:
  Critical:
    - Failed security controls
    - Unauthorized access attempts
    - Data breach indicators
  Warning:
    - Controls approaching expiry
    - Overdue remediations
    - Anomaly detection triggers
Reporting Cadence:
  Daily: Critical events
  Weekly: Status summary
  Monthly: Detailed report
  Quarterly: Executive review
  Annually: Full assessment
```
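As an added example (not part of the original skill), the "Controls approaching expiry" and "Overdue remediations" alerts above expressed as a Python check over control and finding records shaped like the Control Assessment and Finding Report sections. It assumes a days-per-frequency mapping, a 14-day warning window, and the upper bound of each response window in Finding Classification as the remediation deadline; the records are constructed.

```python
from datetime import date, timedelta

# Test cadence in days for the Frequency values used in control records (assumed mapping)
FREQUENCY_DAYS = {"Monthly": 30, "Quarterly": 90, "Annually": 365}
# Remediation deadline per severity: upper bound of each response window
# in the Finding Classification section (48 hours, 2 weeks, 60 days, 90 days)
RESPONSE_DAYS = {"Critical": 2, "High": 14, "Medium": 60, "Low": 90}
EXPIRY_WARNING_DAYS = 14  # assumed lead time for "controls approaching expiry"


def control_alerts(controls, today):
    """Warning when a control's next test is due within the lead time; a lapsed
    test (no current evidence) is treated as a failed control and raised as Critical."""
    now = date.fromisoformat(today)
    alerts = []
    for c in controls:
        next_test = date.fromisoformat(c["last_test"]) + timedelta(days=FREQUENCY_DAYS[c["frequency"]])
        days_left = (next_test - now).days
        if days_left < 0:
            alerts.append(("Critical", f"{c['id']}: test evidence expired {-days_left} days ago"))
        elif days_left <= EXPIRY_WARNING_DAYS:
            alerts.append(("Warning", f"{c['id']}: next test due in {days_left} days"))
    return alerts


def finding_alerts(findings, today):
    """Warning for each open finding whose response window has passed."""
    now = date.fromisoformat(today)
    alerts = []
    for f in findings:
        if f["status"] == "Closed":
            continue
        deadline = date.fromisoformat(f["identified"]) + timedelta(days=RESPONSE_DAYS[f["severity"]])
        overdue = (now - deadline).days
        if overdue > 0:
            alerts.append(("Warning", f"{f['id']}: {f['severity']} remediation overdue by {overdue} days"))
    return alerts


# Constructed sample records, not taken from a real assessment
CONTROLS = [
    {"id": "AC-001", "frequency": "Quarterly", "last_test": "2024-11-15"},
    {"id": "LG-003", "frequency": "Monthly", "last_test": "2024-11-01"},
]
FINDINGS = [
    {"id": "FND-2024-042", "severity": "High", "identified": "2024-12-10", "status": "Open"},
    {"id": "FND-2024-040", "severity": "Low", "identified": "2024-10-01", "status": "Closed"},
]

if __name__ == "__main__":
    for level, msg in control_alerts(CONTROLS, "2025-01-10") + finding_alerts(FINDINGS, "2025-01-10"):
        print(f"[{level}] {msg}")
```

Run daily (the "Critical events" cadence) against the live control register so a lapsed test surfaces before the quarterly review rather than at the annual audit.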
## Report Templates
### Finding Report
```markdown
# Finding Report
**ID:** FND-2024-042
**Date:** 2024-12-10
**Severity:** High

## Summary
[One-sentence description]

## Background
[Context and relevant history]

## Finding Details
[Technical details of the issue]

## Impact Assessment
- Business Impact: [description]
- Regulatory Impact: [description]
- Reputational Impact: [description]

## Root Cause
[Why this happened]

## Recommendation
[Specific remediation steps]

## Management Response
[Owner's response and commitment]

## Timeline
| Milestone | Date | Status |
|-----------|------|--------|
| Finding identified | 2024-12-10 | Complete |
| Remediation plan | 2024-12-15 | Pending |
| Implementation | 2024-01-15 | Pending |
| Verification | 2024-01-30 | Pending |
```
## Best Practices
- Evidence first: every control must have supporting evidence
- Risk-based prioritization: focus on high-risk areas
- Continuous monitoring: do not wait for the annual audit
- Clear ownership: every control has a responsible owner
- Regular testing: verify effectiveness, not just design
- Documentation discipline: versioning and an audit trail