compliance-frameworks
Compliance Frameworks
SOC 2 Compliance
SOC 2 Overview
SOC 2 (System and Organization Controls 2) is an AICPA attestation framework for service organizations that store or process customer data on their customers' behalf; cloud providers and SaaS vendors are the common case, but the framework is not limited to the cloud. The output is an auditor's report, not a certificate: a Type I report covers control design at a point in time, a Type II report covers operating effectiveness over a review period (typically 6 to 12 months).
SOC 2 Trust Services Criteria
Security is mandatory in every SOC 2 report; the other four categories are in scope only when the service commits to them.
- Security: Information and systems are protected against unauthorized access, unauthorized disclosure, and damage
- Availability: System is available for operation and use as committed or agreed
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized
- Confidentiality: Information designated as confidential is disclosed only to authorized parties
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in line with the entity's privacy notice
SOC 2 Common Criteria (CC)
The Common Criteria make up the Security category and are tested in every SOC 2 report. CC1 through CC5 follow the COSO internal control principles; CC6 through CC9 carry the technical controls auditors spend most of their time on.
- CC1 Control Environment: The entity demonstrates a commitment to integrity and ethical values (CC1.1), board oversight, defined responsibilities, and accountability
- CC2 Communication and Information: The entity obtains and uses relevant, quality information and communicates control responsibilities internally and externally
- CC3 Risk Assessment: The entity specifies objectives with sufficient clarity to identify and assess risks (CC3.1), including fraud risk and the effect of significant changes
- CC4 Monitoring Activities: The entity performs ongoing and separate evaluations and communicates deficiencies to those responsible for corrective action
- CC5 Control Activities: The entity selects and develops control activities, including general controls over technology, and deploys them through policies and procedures
- CC6 Logical and Physical Access Controls: Logical access software and architectures over protected information assets (CC6.1), user provisioning and deprovisioning, physical access, and protection of data in transit and at rest
- CC7 System Operations: Detection of configuration changes and newly discovered vulnerabilities (CC7.1), anomaly monitoring, incident response, and recovery
- CC8 Change Management: The entity authorizes, designs, develops, configures, documents, tests, approves, and implements changes to infrastructure, data, and software (CC8.1)
- CC9 Risk Mitigation: Mitigation of risks from business disruptions and from vendors and business partners
SOC 2 Implementation
Auditors test evidence, not intentions: each item below needs a written policy, a named owner, and artifacts (tickets, logs, exports, access-review sign-offs) showing it operated throughout the review period.
- Policies and Procedures: Develop security policies and procedures, reviewed annually and acknowledged by employees
- Access Controls: Enforce least privilege and MFA, with documented provisioning, timely deprovisioning on termination, and periodic access reviews
- Change Management: Require peer review, testing, and approval before production changes, with a record linking each change to its approval
- Incident Response: Develop incident response procedures, exercise them (a tabletop at least once per period is typical), and retain incident records
- Vendor Management: Assess subservice organizations and critical vendors and collect their SOC 2 or equivalent reports
- Monitoring and Logging: Centralize logs, alert on security events, and retain logs for at least the review period
- Data Classification: Classify data based on sensitivity and define handling rules per class
- Encryption: Encrypt data at rest and in transit, with documented key management
ISO 27001
ISO 27001 Overview
ISO/IEC 27001 is the international standard for information security management systems (ISMS). Unlike SOC 2 it is a certification: an accredited certification body audits the ISMS against the standard's management clauses (4 through 10) and the Annex A controls the organization has selected in its Statement of Applicability.
ISO 27001 Annex A Controls (2013 edition)
The domain list below follows ISO/IEC 27001:2013. The 2022 revision consolidates Annex A into 93 controls under four themes (A.5 Organizational, A.6 People, A.7 Physical, A.8 Technological); the control content largely carries over, so mappings from the 2013 domains still work, but new certifications and transitions are audited against the 2022 edition.
- A.5 Information Security Policies: Management direction for information security
- A.6 Organization of Information Security: Roles and responsibilities, mobile devices, teleworking
- A.7 Human Resource Security: Screening, terms of employment, termination
- A.8 Asset Management: Asset inventory, classification, media handling
- A.9 Access Control: Access control policy, user access management, system and application access
- A.10 Cryptography: Cryptographic controls and key management
- A.11 Physical and Environmental Security: Secure areas and equipment
- A.12 Operations Security: Operational procedures, malware protection, backup, logging, vulnerability management
- A.13 Communications Security: Network security management and information transfer
- A.14 System Acquisition, Development, and Maintenance: Security requirements and secure development
- A.15 Supplier Relationships: Supplier security and service delivery management
- A.16 Information Security Incident Management: Incident reporting, assessment, response, and lessons learned
- A.17 Information Security Aspects of Business Continuity: Continuity planning and redundancy
- A.18 Compliance: Legal, regulatory, contractual requirements and independent review
ISO 27001 Implementation
- Management Commitment: Obtain management commitment and support
- Scope Definition: Define the scope of the ISMS
- Risk Assessment: Conduct a comprehensive risk assessment
- Statement of Applicability: Create a Statement of Applicability (SoA)
- Risk Treatment Plan: Develop a risk treatment plan
- Policies and Procedures: Develop policies and procedures
- Implementation: Implement controls and processes
- Internal Audit: Conduct internal audits
- Management Review: Conduct management reviews
- Certification Audit: Undergo the certification audit (Stage 1 documentation review, Stage 2 implementation audit), then annual surveillance audits and recertification every three years
PCI DSS
PCI DSS Overview
PCI DSS (Payment Card Industry Data Security Standard) is the PCI Security Standards Council's contractual standard for every organization that stores, processes, or transmits cardholder data or sensitive authentication data. Version 4.0 replaced v3.2.1 in March 2024. Validation is by Self-Assessment Questionnaire or by a Qualified Security Assessor's Report on Compliance, depending on transaction volume and acquirer requirements.
PCI DSS Requirements (v4.0 wording)
- Install and maintain network security controls (Req 1): Firewalls and cloud security groups that isolate the cardholder data environment (CDE) from untrusted networks
- Apply secure configurations to all system components (Req 2): Change vendor-supplied defaults, disable unnecessary services, harden configurations
- Protect stored account data (Req 3): Store PAN only where there is a business need, render it unreadable (strong cryptography, truncation, tokenization, or keyed hashing), and never store sensitive authentication data (full track data, CVV/CVC, PIN) after authorization
- Protect cardholder data with strong cryptography during transmission (Req 4): TLS or equivalent over open, public networks
- Protect all systems and networks from malicious software (Req 5): Anti-malware on systems commonly affected, kept current and monitored
- Develop and maintain secure systems and software (Req 6): Secure development practices, code review, protection of public-facing web applications, and critical patches applied within one month
- Restrict access to system components and cardholder data by business need to know (Req 7): Role-based access and periodic review
- Identify users and authenticate access (Req 8): Unique IDs, strong authentication, and MFA for all access into the CDE
- Restrict physical access to cardholder data (Req 9): Facility, media, and point-of-interaction device controls
- Log and monitor all access to system components and cardholder data (Req 10): Audit logs protected from modification, reviewed daily, retained for 12 months
- Test security of systems and networks regularly (Req 11): Quarterly internal and external (ASV) vulnerability scans, annual penetration testing, change-detection on critical files
- Support information security with organizational policies and programs (Req 12): Security policy, risk assessment, awareness training, incident response plan
PCI DSS Implementation
- Network Segmentation: Isolate the CDE so that out-of-scope systems cannot reach it; segmentation shrinks the scope of every other requirement and must itself be verified by penetration testing
- Network Security Controls: Default-deny rulesets between the CDE and untrusted networks, on firewalls and cloud security groups alike
- Encryption: Render stored PAN unreadable and use strong cryptography in transit; keep encryption keys separate from the data they protect
- Access Controls: Need-to-know access, unique IDs, and MFA for all access into the CDE
- Logging and Monitoring: Log all access to cardholder data and all administrative actions, protect logs from modification, review them daily, and retain them for at least 12 months with 3 months immediately available
- Vulnerability Management: Internal and external (ASV) scans at least quarterly and after significant changes; patch critical and high vulnerabilities within one month
- Secure Development: Follow secure development practices, review custom code, and protect public-facing web applications
- Physical Security: Control and log physical access to the CDE and to media holding cardholder data
- Security Awareness: Provide security awareness training at hire and at least annually
- Incident Response: Maintain and test an incident response plan that covers suspected compromise of cardholder data
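Requirement 3 and Requirement 10 collide in practice: application logs are the most common place a PAN ends up stored in clear text, which pulls the whole logging pipeline into scope. The script below, an added example for this page and not code from the PCI SSC or any vendor, finds Luhn-valid 13 to 19 digit numbers in free-form log lines and masks everything but the first six and last four digits before the line is written. The log lines are constructed, and the card numbers are well-known public test numbers.

```python
"""PCI DSS Requirement 3 in practice: find primary account numbers (PANs) in
free-form text such as application logs and render them unreadable before the
line reaches storage.

Added example for this page, not code from PCI SSC or any vendor. The log
lines below are constructed; the card numbers are public test numbers.
"""
import re
from typing import List, Tuple

# A run of digits that may be broken up by single spaces or dashes, e.g.
# "4111 1111 1111 1111" or "5555-5555-5555-4444". The lookarounds stop the run
# from starting or ending inside a longer digit sequence.
DIGIT_RUN = re.compile(r"(?<![0-9])[0-9](?:[ -]?[0-9])+(?![0-9])")

MIN_PAN, MAX_PAN = 13, 19   # PAN lengths defined by ISO/IEC 7812


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9
    from doubles above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrub_line(line: str) -> Tuple[str, int]:
    """Mask every Luhn-valid 13-19 digit number in the line, keeping at most
    the first six and last four digits (the PCI DSS display rule, 3.4.1).
    Separators inside the PAN are preserved so the log stays readable.
    Returns the scrubbed line and how many PANs were masked.

    Luhn reduces false positives (timestamps, order IDs) but does not remove
    them; in a log pipeline a false positive costs a few masked digits, while
    a missed PAN is a compliance finding, so erring this way is deliberate."""
    masked = 0

    def repl(m: re.Match) -> str:
        nonlocal masked
        raw = list(m.group(0))
        pos = [i for i, c in enumerate(raw) if c.isdigit()]   # digit offsets
        i, n = 0, len(pos)
        while i < n:
            # Longest candidate first, so a 19-digit PAN is not split into a
            # 16-digit one plus leftovers.
            for length in range(min(MAX_PAN, n - i), MIN_PAN - 1, -1):
                if luhn_ok("".join(raw[p] for p in pos[i:i + length])):
                    for p in pos[i + 6:i + length - 4]:
                        raw[p] = "*"
                    masked += 1
                    i += length
                    break
            else:
                i += 1          # no PAN starts here; slide one digit right
        return "".join(raw)

    return DIGIT_RUN.sub(repl, line), masked


SAMPLE_LOG = [  # constructed log lines; card numbers are public test numbers
    'INFO  checkout order=20240112 card="4111 1111 1111 1111" amount=19.99',
    'DEBUG retry token=5555-5555-5555-4444 user=42',
    'INFO  ts=1700000000000 amex=378282246310005 status=200',
    'INFO  ts=1700000000000 request_id=8841 status=200',
]


def scrub_log(lines: List[str]) -> List[str]:
    """Scrub a batch of lines. The per-line count is what to alert on: a PAN
    reaching the log pipeline at all is the finding, not just the leak."""
    return [scrub_line(line)[0] for line in lines]


if __name__ == "__main__":
    for original in SAMPLE_LOG:
        cleaned, count = scrub_line(original)
        print(f"[{count} PAN] {cleaned}")
```

Run it on a log sample and the first three lines come back with their middle digits replaced and a count of 1 each; the fourth, whose 13-digit timestamp fails the Luhn check, is left untouched. Masking is the last line of defense: the finding to fix is whatever code put the PAN into the log message in the first place.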
HIPAA
HIPAA Overview
HIPAA (Health Insurance Portability and Accountability Act), as implemented by HHS regulations, governs protected health information (PHI) held by covered entities (providers, health plans, clearinghouses) and their business associates. The Privacy Rule covers PHI in any form, the Security Rule covers electronic PHI (ePHI), and the Breach Notification Rule (added by HITECH) requires notice to affected individuals and to HHS after a breach of unsecured PHI.
HIPAA Security Rule
- Administrative Safeguards: Policies and procedures for security management
- Physical Safeguards: Physical measures to protect electronic health information
- Technical Safeguards: Technology and policies to protect electronic health information
HIPAA Administrative Safeguards
- Security Management Process: Conduct risk analysis and implement security measures
- Assigned Security Responsibility: Designate a security official
- Workforce Security: Implement workforce security policies and procedures
- Information Access Management: Implement policies for information access
- Security Awareness and Training: Provide security awareness training
- Security Incident Procedures: Develop incident response procedures
- Contingency Plan: Develop a contingency plan
- Evaluation: Perform periodic evaluations of security measures
- Business Associate Contracts: Have business associate contracts in place
HIPAA Technical Safeguards
- Access Control: Unique user identification, emergency access procedure, automatic logoff, and encryption and decryption of ePHI
- Audit Controls: Hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI
- Integrity: Mechanisms to confirm that ePHI has not been improperly altered or destroyed
- Person or Entity Authentication: Verify that a person or system seeking access to ePHI is who it claims to be
- Transmission Security: Integrity controls and encryption for ePHI sent over electronic networks
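Audit Controls and Integrity are usually implemented together: an access log that an attacker with database access can quietly edit satisfies neither. The example below, added for this page and not code from HHS, PCI SSC, or any product, shows the standard technique: every audit record carries an HMAC-SHA256 tag over its own fields plus the previous record's tag, so editing, deleting, or reordering an entry breaks the chain from that point on. The same construction serves PCI DSS Requirement 10's demand that audit logs be protected from modification. The key, record fields, and sample ePHI access events are constructed.

```python
"""Tamper-evident audit trail for access to protected records (HIPAA Technical
Safeguards: Audit Controls and Integrity; PCI DSS Requirement 10: protect audit
logs from modification). Each record carries an HMAC-SHA256 tag over its own
fields plus the previous record's tag.

Added example for this page, not code from HIPAA, PCI DSS or any product.
The key, the record fields and the sample events are constructed.
"""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64          # tag assumed for the record before the first one
KEY = b"demo-only-key-keep-real-keys-in-a-kms"   # constructed for the example


def canonical(record: Dict) -> bytes:
    """Stable serialization so the same record always produces the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: List[Dict], key: bytes, event: Dict) -> Dict:
    """Append an event, binding it to its position and to the previous tag."""
    record = {"seq": len(chain), "prev": chain[-1]["tag"] if chain else GENESIS, **event}
    record["tag"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    chain.append(record)
    return record


def verify_chain(chain: List[Dict], key: bytes,
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Recompute every tag. Returns (True, None) if the chain is intact,
    otherwise (False, index) of the first record that fails. If expected_head
    is given (the latest tag copied to a separate store), truncation of the
    tail is detected as well; without it, dropping the newest records passes."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i                         # reordered or deleted
        want = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, rec.get("tag", "")):
            return False, i                         # contents edited
        prev = rec["tag"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)                    # tail records removed
    return True, None


EVENTS = [  # constructed ePHI access events
    {"ts": "2024-05-02T14:03:11Z", "user": "dr.lee", "action": "view", "patient_id": "P-1042"},
    {"ts": "2024-05-02T14:05:40Z", "user": "dr.lee", "action": "update", "patient_id": "P-1042"},
    {"ts": "2024-05-02T14:09:02Z", "user": "billing", "action": "export", "patient_id": "P-2210"},
]


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Build a chain and show which manipulations the verifier catches."""
    chain: List[Dict] = []
    for ev in EVENTS:
        append_event(chain, KEY, ev)
    head = chain[-1]["tag"]                          # what you ship off-host

    edited = copy.deepcopy(chain)
    edited[1]["patient_id"] = "P-9999"               # rewrite who was accessed

    deleted = copy.deepcopy(chain)
    del deleted[1]                                   # drop the update event

    truncated = chain[:2]                            # drop the export event

    return {
        "intact": verify_chain(chain, KEY),
        "edited": verify_chain(edited, KEY),
        "deleted": verify_chain(deleted, KEY),
        "truncated_no_anchor": verify_chain(truncated, KEY),   # passes: blind spot
        "truncated_with_anchor": verify_chain(truncated, KEY, expected_head=head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} ok={result[0]} first_bad={result[1]}")
```

Two caveats matter in deployment. The chain only proves integrity to someone who holds the key, so the key must live outside the host that writes the log (a collector or KMS), otherwise an attacker with that host's privileges can re-sign whatever they changed. And a hash chain cannot see that its newest records were cut off, which is why the latest tag is periodically copied to a separate, write-once location and passed back as expected_head.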
HIPAA Privacy Rule
- Permitted Uses and Disclosures: Define permitted uses and disclosures
- Minimum Necessary: Use and disclose only the minimum necessary information
- Notice of Privacy Practices: Provide notice of privacy practices
- Individual Rights: Provide individuals with rights to their health information
- Authorization: Obtain authorization for certain uses and disclosures
GDPR
GDPR Overview
GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) is the European Union's data protection and privacy law. It applies to any organization, inside or outside the EU, that processes personal data of people in the EU, and supervisory authorities can fine up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher.
GDPR Principles
- Lawfulness, Fairness, and Transparency: Process data lawfully, fairly, and transparently
- Purpose Limitation: Collect data for specified, explicit, and legitimate purposes
- Data Minimization: Collect only data that is adequate, relevant, and limited
- Accuracy: Ensure data is accurate and kept up to date
- Storage Limitation: Store data only as long as necessary
- Integrity and Confidentiality: Ensure data is processed securely
- Accountability: Be accountable for compliance
GDPR Rights
- Right to be Informed: Individuals have the right to be informed about data processing
- Right of Access: Individuals have the right to access their personal data
- Right to Rectification: Individuals have the right to have inaccurate data corrected
- Right to Erasure: Individuals have the right to have their data erased
- Right to Restrict Processing: Individuals have the right to restrict processing
- Right to Data Portability: Individuals have the right to data portability
- Right to Object: Individuals have the right to object to processing
- Rights in Relation to Automated Decision Making: Individuals have rights related to automated decision making
GDPR Implementation
- Data Mapping: Map all data processing activities
- Legal Basis: Identify legal basis for processing
- Privacy by Design: Implement privacy by design and by default
- Data Protection Impact Assessments: Conduct DPIAs for high-risk processing
- Data Subject Rights: Implement processes to handle data subject rights
- Data Breach Notification: Notify the supervisory authority within 72 hours of becoming aware of a personal data breach (Article 33) and affected individuals without undue delay when the breach is likely to result in high risk to them (Article 34)
- Data Protection Officer: Appoint a DPO if required
- Records of Processing: Maintain records of processing activities
- International Data Transfers: Transfer personal data outside the EU/EEA only under an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or another Chapter V safeguard
NIST Cybersecurity Framework
NIST CSF Overview
The NIST Cybersecurity Framework (CSF) is a voluntary, outcome-based framework for managing cybersecurity risk. CSF 1.1 (2018) was written for critical infrastructure and private-sector organizations; CSF 2.0 (February 2024) applies to organizations of any size and sector and adds a sixth function, Govern.
NIST CSF Functions
- Identify: Develop an understanding of the business context and resources
- Protect: Develop and implement appropriate safeguards
- Detect: Develop and implement activities to identify cybersecurity events
- Respond: Develop and implement activities to take action regarding a detected cybersecurity incident
- Recover: Develop and implement activities to maintain plans for resilience and restoration
NIST CSF Categories (CSF 1.1 identifiers)
Identify (ID)
- ID.AM: Asset Management
- ID.BE: Business Environment
- ID.GV: Governance
- ID.RA: Risk Assessment
- ID.RM: Risk Management Strategy
- ID.SC: Supply Chain Risk Management
Protect (PR)
- PR.AC: Access Control
- PR.AT: Awareness and Training
- PR.DS: Data Security
- PR.IP: Information Protection Processes and Procedures
- PR.MA: Maintenance
- PR.PT: Protective Technology
Detect (DE)
- DE.AE: Anomalies and Events
- DE.CM: Security Continuous Monitoring
- DE.DP: Detection Processes
Respond (RS)
- RS.RP: Response Planning
- RS.CO: Communications
- RS.AN: Analysis
- RS.MI: Mitigation
- RS.IM: Improvements
Recover (RC)
- RC.RP: Recovery Planning
- RC.CO: Communications
- RC.IM: Improvements
CSF 2.0 restructures this list: the new Govern (GV) function absorbs governance, risk management strategy, and supply chain risk management (ID.GV splits across the GV categories, ID.RM becomes GV.RM, ID.SC becomes GV.SC); Protect is reorganized so that PR.PS now means Platform Security; and the Improvements categories (RS.IM, RC.IM) and Detection Processes (DE.DP) are consolidated into a single Improvement category under Identify (ID.IM). Use the 2.0 identifiers for new mappings and keep a crosswalk for existing ones.
Industry-Specific Compliance
Financial Services
- GLBA: Gramm-Leach-Bliley Act; its FTC Safeguards Rule requires financial institutions to run a written information security program with a qualified individual in charge, a risk assessment, MFA, and encryption of customer information
- FFIEC: Federal Financial Institutions Examination Council IT examination handbooks that bank examiners use
- SOX: Sarbanes-Oxley Act; Section 404 drives IT general controls (access, change management, operations) over systems that feed financial reporting
- Basel III: International banking capital and liquidity rules; cyber risk enters through its operational risk requirements rather than through prescriptive security controls
Healthcare
- HIPAA: Health Insurance Portability and Accountability Act
- HITECH: Health Information Technology for Economic and Clinical Health Act; applies HIPAA security obligations directly to business associates, adds the Breach Notification Rule, and raises penalties
- FDA Regulations: FDA premarket cybersecurity requirements for medical devices, including a software bill of materials and a plan for handling postmarket vulnerabilities
Government
- FISMA: Federal Information Security Modernization Act (2014, superseding the 2002 Management Act); agencies and their contractors apply NIST SP 800-53 controls and FIPS 199/200 categorization
- FedRAMP: Federal Risk and Authorization Management Program; authorization of cloud services for federal use against NIST SP 800-53 baselines (Low, Moderate, High)
- CMMC: Cybersecurity Maturity Model Certification; Department of Defense program that certifies contractors handling controlled unclassified information against NIST SP 800-171
Education
- FERPA: Family Educational Rights and Privacy Act
- COPPA: Children's Online Privacy Protection Act; an FTC rule on collecting personal information online from children under 13, which reaches education technology vendors but is not specific to schools
Telecommunications
- FCC Regulations: Federal Communications Commission rules for carriers, including protection of customer proprietary network information (CPNI) and breach reporting obligations
- GDPR: General Data Protection Regulation (for EU operations)
Retail and E-commerce
- PCI DSS: Payment Card Industry Data Security Standard
- GDPR: General Data Protection Regulation (for EU customers)
- CCPA: California Consumer Privacy Act, as amended by the CPRA; a growing number of other US states have enacted similar consumer privacy laws
Compliance Implementation
Compliance Management Process
- Gap Analysis: Identify gaps between current state and compliance requirements
- Remediation Planning: Develop remediation plans for identified gaps
- Implementation: Implement controls and processes
- Documentation: Document policies, procedures, and evidence
- Training: Provide training to employees
- Monitoring: Monitor compliance on an ongoing basis
- Audit: Conduct regular audits and assessments
- Continuous Improvement: Continuously improve compliance posture
Common Compliance Controls
- Access Controls: Implement strong access controls
- Encryption: Encrypt data at rest and in transit
- Logging and Monitoring: Implement comprehensive logging and monitoring
- Incident Response: Develop and test incident response procedures
- Risk Assessment: Conduct regular risk assessments
- Training: Provide security awareness training
- Vendor Management: Implement vendor risk management
- Change Management: Implement formal change management processes
- Business Continuity: Develop business continuity and disaster recovery plans
- Data Classification: Classify data based on sensitivity