Compliance Report Builder

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "compliance-report-builder" with this command: npx skills add dengineproblem/agents-monorepo/dengineproblem-agents-monorepo-compliance-report-builder

Expert in regulatory compliance documentation and reporting.

Core Principles

Evidence-Based Documentation

  • Controls must be linked to concrete artifacts

  • Audit trail with timestamps and named responsible owners

  • Quantitative metrics for both preventive and detective measures

Risk-Oriented Approach

  • Prioritize high-risk areas

  • Map controls to threat vectors

  • Document residual risk

Regulatory Alignment

  • Tie each requirement to the specific article or clause of the regulation

  • Guidance for ambiguous standards

  • Compensating controls documentation

Executive Summary Template

Compliance Status Report

Period: Q4 2024
Prepared: 2024-12-10
Classification: Confidential

Overall Status: 🟡 YELLOW

Coverage Summary

Framework  | Controls | Compliant | Gaps | Coverage
SOC 2      | 85       | 79        | 6    | 93%
GDPR       | 42       | 40        | 2    | 95%
ISO 27001  | 114      | 108       | 6    | 95%

Key Findings

Priority | Count | Trend
Critical | 0     | ⬇️
High     | 3     | ➡️
Medium   | 8     | ⬆️
Low      | 12    | ➡️

Action Items

  1. [CRITICAL] None
  2. [HIGH] Complete MFA rollout by Jan 15
  3. [HIGH] Update data retention policy
  4. [HIGH] Implement logging for System X

Control Assessment Framework

Control:
  ID: AC-001
  Title: Access Control Policy
  Framework: SOC 2, ISO 27001
  Category: Security

Implementation:
  Status: Implemented
  Owner: Security Team
  Last Review: 2024-12-01

Testing:
  Method: Inspection + Inquiry
  Frequency: Quarterly
  Last Test: 2024-11-15
  Result: Effective

Evidence:

  • Policy document v2.3
  • Access review logs
  • Training completion records

Gaps:

  • None identified

Recommendations:

  • Automate quarterly access reviews
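The evidence list above (policy document, access review logs, training records) only supports an audit if each artifact is pinned to a cryptographic hash together with a collection timestamp and a named collector, so that the same files can be re-verified at audit time and any later edit is detectable. The following is an added example, not code from the skill's repository: the control ID and owner come from the AC-001 record above, while the artifact names and contents, the `collected_by` address and the choice of canonical JSON plus SHA-256 for the manifest digest are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_json(obj) -> bytes:
    # Sorted keys and fixed separators so identical content always hashes identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(control_id: str, owner: str, collected_by: str,
                   artifacts: dict[str, bytes], collected_at: datetime) -> dict:
    """Pin every evidence artifact to its SHA-256 and record who collected it and when."""
    entries = [
        {"name": name, "sha256": sha256_hex(data), "size": len(data)}
        for name, data in sorted(artifacts.items())
    ]
    body = {
        "control": control_id,
        "owner": owner,
        "collected_by": collected_by,
        "collected_at": collected_at.astimezone(timezone.utc).isoformat(),
        "evidence": entries,
    }
    # Digest over the whole body: editing any entry, the timestamp or the owner changes it.
    body["manifest_sha256"] = sha256_hex(canonical_json(body))
    return body


def verify_manifest(manifest: dict, artifacts: dict[str, bytes]) -> list[str]:
    """Return a sorted list of problems; an empty list means the evidence set is intact."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if sha256_hex(canonical_json(body)) != manifest.get("manifest_sha256"):
        problems.append("manifest: digest mismatch (the manifest itself was edited)")
    listed = {e["name"]: e for e in manifest["evidence"]}
    for name, entry in listed.items():
        if name not in artifacts:
            problems.append(f"missing: {name}")
        elif sha256_hex(artifacts[name]) != entry["sha256"]:
            problems.append(f"modified: {name}")
    for name in artifacts:
        if name not in listed:
            problems.append(f"unlisted: {name}")
    return sorted(problems)


# Constructed sample artifacts for control AC-001; real evidence would be read from files.
SAMPLE_ARTIFACTS = {
    "access_control_policy_v2.3.pdf": b"%PDF-1.7 ... Access Control Policy v2.3 ...",
    "access_review_2024Q4.csv": b"user,system,reviewer,decision,reviewed_at\n"
                                b"jdoe,erp,security-team,retain,2024-11-15T10:02:00Z\n",
    "training_completion_2024.csv": b"user,course,completed_at\njdoe,secure-access,2024-10-03\n",
}


def demo() -> tuple[dict, list[str], list[str]]:
    """Build a manifest, verify it clean, then show that an appended log row is detected."""
    manifest = build_manifest(
        "AC-001", "Security Team", "auditor@example.com",  # collected_by is constructed
        SAMPLE_ARTIFACTS, datetime(2024, 11, 15, 10, 30, tzinfo=timezone.utc),
    )
    clean = verify_manifest(manifest, SAMPLE_ARTIFACTS)
    tampered = dict(SAMPLE_ARTIFACTS)
    tampered["access_review_2024Q4.csv"] += b"asmith,erp,security-team,retain,2024-11-15T10:05:00Z\n"
    return manifest, clean, verify_manifest(manifest, tampered)


if __name__ == "__main__":
    m, clean, tampered = demo()
    print(json.dumps(m, indent=2))
    print("clean:", clean)
    print("tampered:", tampered)
```

Store the manifest alongside the finding or control record and have the reviewer, not the control owner, run the verification; a manifest whose own digest no longer matches is as much a finding as a modified artifact.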

SOC 2 Trust Services

Security (Common Criteria)

CC1: Control Environment

Control | Description              | Status | Evidence
CC1.1   | Board oversight          |        | Board minutes
CC1.2   | Management philosophy    |        | Policy docs
CC1.3   | Organizational structure |        | Org chart
CC1.4   | HR practices             |        | HR policies

CC2: Communication and Information

Control | Description            | Status | Evidence
CC2.1   | Information quality    |        | Data governance
CC2.2   | Internal communication |        | Slack, email logs
CC2.3   | External communication |        | Customer portal

CC3: Risk Assessment

Control | Description         | Status | Evidence
CC3.1   | Risk identification |        | Risk register
CC3.2   | Risk analysis       |        | Risk assessment
CC3.3   | Fraud risk          |        | Fraud controls
CC3.4   | Change management   | ⚠️     | Partial automation

GDPR Checklist

Article 30 - Records of Processing:

  • Processing purposes documented
  • Data categories listed
  • Recipient categories identified
  • Transfer safeguards documented
  • Retention periods defined
  • Security measures described

Article 13/14 - Privacy Notices:

  • Controller identity stated
  • DPO contact provided
  • Purposes explained
  • Legal basis identified
  • Rights information included
  • Complaint procedure described

Article 17 - Right to Erasure:

  • Process documented
  • Timeframes defined (one month under Art. 12(3), extendable by two further months for complex or numerous requests)
  • Exceptions listed (Art. 17(3))
  • Verification procedure for the requester's identity
  • Notification of recipients and other controllers (Art. 17(2), Art. 19)

Article 33/34 - Breach Notification:

  • Detection procedures
  • Assessment criteria (risk to the rights and freedoms of data subjects)
  • 72-hour notification process to the supervisory authority (Art. 33; any delay must be justified)
  • DPA contact established
  • Data subject notification criteria (Art. 34: likely high risk to individuals)

Risk Assessment Matrix

const riskMatrix = {
  likelihood: {
    rare: 1,      // < 5%
    unlikely: 2,  // 5-25%
    possible: 3,  // 25-50%
    likely: 4,    // 50-75%
    certain: 5    // > 75%
  },

  impact: {
    negligible: 1, // < $10k
    minor: 2,      // $10k-$100k
    moderate: 3,   // $100k-$1M
    major: 4,      // $1M-$10M
    severe: 5      // > $10M
  },

  // Score = likelihood x impact (1-25), bucketed into the four finding levels below
  calculateRisk(likelihood, impact) {
    const score = likelihood * impact;
    if (score >= 15) return 'Critical';
    if (score >= 10) return 'High';
    if (score >= 5) return 'Medium';
    return 'Low';
  }
};

Finding Classification

Critical:
  Response: 24-48 hours
  Escalation: Executive + Board
  Examples:
    - Active data breach
    - Regulatory violation with penalties
    - System-wide security failure

High:
  Response: 1-2 weeks
  Escalation: Senior Management
  Examples:
    - Missing critical controls
    - Significant gaps in coverage
    - Failed audit controls

Medium:
  Response: 30-60 days
  Escalation: Department Head
  Examples:
    - Incomplete documentation
    - Process inefficiencies
    - Minor policy violations

Low:
  Response: 90 days
  Escalation: Control Owner
  Examples:
    - Optimization opportunities
    - Documentation updates
    - Training gaps

Gap Analysis Template

Gap Analysis: [Control Area]

Current State

[Description of current implementation]

Required State

[Regulatory requirement or best practice]

Gap Description

[Specific gaps identified]

Risk Assessment

  • Likelihood: [1-5]
  • Impact: [1-5]
  • Risk Score: [calculated]
  • Risk Level: [Critical/High/Medium/Low]

Remediation Plan

Action   | Owner | Due Date | Status
Action 1 | Name  | Date     | In Progress
Action 2 | Name  | Date     | Pending

Success Metrics

  • Metric 1
  • Metric 2

Audit Sampling

import math


def calculate_sample_size(population: int, confidence: float = 0.95,
                          margin_error: float = 0.05) -> int:
    """
    Calculate statistical sample size for audit testing.

    Args:
        population: Total population size
        confidence: Confidence level (default 95%)
        margin_error: Acceptable margin of error (default 5%)

    Returns:
        Required sample size
    """
    # Z-score for confidence level (unlisted levels fall back to 95%)
    z_scores = {0.90: 1.645, 0.95: 1.96, 0.99: 2.576}
    z = z_scores.get(confidence, 1.96)

    # Assume a 50% deviation rate: the worst case, which maximises the sample size
    p = 0.5

    # Sample size formula for an infinite population
    n = (z**2 * p * (1 - p)) / (margin_error**2)

    # Finite population correction (applied only to smaller populations)
    if population < 10000:
        n = n / (1 + (n - 1) / population)

    return math.ceil(n)

Example usage:

    calculate_sample_size(population=1000, confidence=0.95, margin_error=0.05)

Result: 278 samples needed (384.16 before the finite population correction).
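The function above says how many items to test; an auditor also has to show which items were tested and what the result proves. The following is an added example, not code from the skill's repository. It selects the sample reproducibly by ranking record IDs on a SHA-256 digest keyed with a seed that is written into the workpapers, so anyone holding the seed re-derives exactly the same sample and the selector cannot quietly steer it towards clean records; it then turns the exception count found in the sample into an exact one-sided Clopper-Pearson upper bound on the population deviation rate, which is the figure a tolerable deviation rate should be compared against. The population of record IDs, the seed and the 5% tolerable deviation rate are constructed; `calculate_sample_size` is restated only so the block runs stand-alone.

```python
import hashlib
import math


def calculate_sample_size(population: int, confidence: float = 0.95,
                          margin_error: float = 0.05) -> int:
    """Same formula as above: worst-case p = 0.5 plus finite population correction."""
    z = {0.90: 1.645, 0.95: 1.96, 0.99: 2.576}.get(confidence, 1.96)
    n = (z ** 2 * 0.25) / margin_error ** 2
    if population < 10000:
        n = n / (1 + (n - 1) / population)
    return math.ceil(n)


def select_sample(record_ids: list[str], n: int, seed: str) -> list[str]:
    """Rank every record by SHA-256(seed | id) and take the n smallest digests.

    Deterministic for a given population and seed, and the seed is the only thing
    that has to be recorded to make the draw reproducible for a re-performance.
    """
    if n > len(record_ids):
        raise ValueError("sample size exceeds population")
    ranked = sorted(record_ids,
                    key=lambda rid: hashlib.sha256(f"{seed}|{rid}".encode()).digest())
    return ranked[:n]


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_bound(exceptions: int, n: int, confidence: float = 0.95) -> float:
    """Exact one-sided upper confidence bound on the true deviation rate.

    Smallest p for which observing <= exceptions deviations in n items has probability
    <= 1 - confidence; found by bisection since the binomial CDF decreases in p.
    """
    if exceptions >= n:
        return 1.0
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binomial_cdf(exceptions, n, mid) > 1 - confidence:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate(record_ids: list[str], exceptions_in_sample: int, seed: str,
             tolerable: float = 0.05, confidence: float = 0.95) -> dict:
    """Size the test, draw the sample and conclude on operating effectiveness.

    exceptions_in_sample is what the tester found when inspecting the drawn items.
    """
    n = calculate_sample_size(len(record_ids), confidence)
    sample = select_sample(record_ids, n, seed)
    bound = upper_deviation_bound(exceptions_in_sample, n, confidence)
    return {
        "sample_size": n,
        "sample": sample,
        "exceptions": exceptions_in_sample,
        "upper_bound": round(bound, 4),
        "conclusion": "operating effectively" if bound <= tolerable else "not effective",
    }


# Constructed population: 1000 access-review records for control AC-001.
POPULATION = [f"ACC-{i:04d}" for i in range(1, 1001)]
SEED = "AC-001/2024Q4/workpaper-17"  # constructed; this string goes into the workpapers

if __name__ == "__main__":
    for found in (0, 2, 10):
        r = evaluate(POPULATION, found, SEED)
        print(f"n={r['sample_size']} exceptions={found} "
              f"95% upper bound={r['upper_bound']:.2%} -> {r['conclusion']}")
```

With 278 items and zero exceptions the 95% upper bound is about 1.1%, comfortably inside a 5% tolerable rate; with two exceptions it rises to roughly 2.3%, and with ten it exceeds 5% and the control cannot be concluded effective even though "only" 3.6% of the sample failed. Reporting the bound rather than the raw sample rate is what makes the conclusion defensible.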

Continuous Monitoring

Real-time Dashboards:

  • Control effectiveness scores
  • Compliance coverage %
  • Open findings count
  • Risk heat map

Automated Alerts:
  Critical:
    - Failed security controls
    - Unauthorized access attempts
    - Data breach indicators
  Warning:
    - Controls approaching expiry
    - Overdue remediations
    - Anomaly detection triggers

Reporting Cadence:
  Daily: Critical events
  Weekly: Status summary
  Monthly: Detailed report
  Quarterly: Executive review
  Annually: Full assessment
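A minimal rules engine for the control-related alert classes above, as an added example that is not code from the skill's repository: it walks a control register and a remediation list, derives each control's next test due date from its test frequency, raises a Critical alert for a control whose last test found it ineffective, and a Warning for a control whose test evidence is about to lapse (or already has) and for any remediation past its due date. The register rows, the 14-day warning window and the frequency-to-days mapping are constructed assumptions; the AC-001 row mirrors the control record earlier on this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed: maximum days between tests for each frequency in the register.
FREQUENCY_DAYS = {"monthly": 31, "quarterly": 92, "semiannual": 183, "annual": 366}
WARNING_WINDOW = timedelta(days=14)  # assumed: warn this far before test evidence lapses


@dataclass(frozen=True)
class Control:
    control_id: str
    owner: str
    frequency: str
    last_test: date
    last_result: str  # "Effective" or "Ineffective"


@dataclass(frozen=True)
class Remediation:
    finding_id: str
    owner: str
    due: date
    status: str  # "Complete", "In Progress", "Pending"


@dataclass(frozen=True)
class Alert:
    severity: str  # "Critical" or "Warning"
    subject: str
    owner: str
    message: str


def next_test_due(control: Control) -> date:
    return control.last_test + timedelta(days=FREQUENCY_DAYS[control.frequency])


def evaluate_controls(controls: list[Control], as_of: date) -> list[Alert]:
    alerts = []
    for c in controls:
        if c.last_result.lower() != "effective":
            alerts.append(Alert("Critical", c.control_id, c.owner,
                                f"last test on {c.last_test} found the control ineffective"))
            continue
        due = next_test_due(c)
        if as_of > due:
            alerts.append(Alert("Warning", c.control_id, c.owner,
                                f"test evidence expired on {due}; control is untested for the period"))
        elif due - as_of <= WARNING_WINDOW:
            alerts.append(Alert("Warning", c.control_id, c.owner,
                                f"test due on {due} ({(due - as_of).days} days)"))
    return alerts


def evaluate_remediations(remediations: list[Remediation], as_of: date) -> list[Alert]:
    return [
        Alert("Warning", r.finding_id, r.owner, f"remediation overdue since {r.due}")
        for r in remediations
        if r.status != "Complete" and as_of > r.due
    ]


def run(controls: list[Control], remediations: list[Remediation], as_of: date) -> list[Alert]:
    """Critical alerts first, then warnings; each group keeps register order."""
    alerts = evaluate_controls(controls, as_of) + evaluate_remediations(remediations, as_of)
    return sorted(alerts, key=lambda a: 0 if a.severity == "Critical" else 1)


# Constructed register rows.
CONTROLS = [
    Control("AC-001", "Security Team", "quarterly", date(2024, 11, 15), "Effective"),
    Control("CC3.4", "Engineering", "quarterly", date(2024, 9, 1), "Effective"),
    Control("LOG-007", "Platform Team", "monthly", date(2024, 11, 20), "Ineffective"),
]
REMEDIATIONS = [
    Remediation("FND-2024-042", "Platform Team", date(2025, 1, 15), "Pending"),
    Remediation("FND-2024-031", "HR", date(2024, 11, 30), "In Progress"),
]


def run_on(iso_day: str) -> list[Alert]:
    """Evaluate the constructed register as of an ISO date, e.g. run_on("2024-12-10")."""
    return run(CONTROLS, REMEDIATIONS, date.fromisoformat(iso_day))


if __name__ == "__main__":
    for a in run_on("2024-12-10"):
        print(f"[{a.severity}] {a.subject} ({a.owner}): {a.message}")
```

An expired test window is kept at Warning here to match the mapping above; many programs escalate a control that stays untested past its window to Critical, since for the period in question it is indistinguishable from a failed one.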

Report Templates

Finding Report

ID: FND-2024-042 Date: 2024-12-10 Severity: High

Summary

[One-sentence description]

Background

[Context and relevant history]

Finding Details

[Technical details of the issue]

Impact Assessment

  • Business Impact: [description]
  • Regulatory Impact: [description]
  • Reputational Impact: [description]

Root Cause

[Why this happened]

Recommendation

[Specific remediation steps]

Management Response

[Owner's response and commitment]

Timeline

Milestone          | Date       | Status
Finding identified | 2024-12-10 | Complete
Remediation plan   | 2024-12-15 | Pending
Implementation     | 2025-01-15 | Pending
Verification       | 2025-01-30 | Pending

Best Practices

  • Evidence first: every control must have supporting evidence

  • Risk-based prioritization: focus on high-risk areas

  • Continuous monitoring: do not wait for the annual audit

  • Clear ownership: every control has a named owner

  • Regular testing: test operating effectiveness, not only design

  • Documentation discipline: versioning and an audit trail
