hack23-isms-compliance

Hack23 ISMS Compliance Skill

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "hack23-isms-compliance" with this command: npx skills add hack23/riksdagsmonitor/hack23-riksdagsmonitor-hack23-isms-compliance

Hack23 ISMS Compliance Skill

Purpose

This skill ensures all code, documentation, and configurations comply with Hack23's Information Security Management System (ISMS) aligned with ISO 27001:2022, NIST CSF 2.0, and CIS Controls v8.1.

Strategic Principles

  1. Security by Design

  • Security is integrated from the start, not added later

  • Every design decision considers security implications

  • Defense-in-depth is mandatory

  • Least privilege is the default

  1. Compliance as Code

  • All compliance requirements are codified and automated

  • Documentation is evidence

  • Controls are verifiable through automation

  • Audit readiness is continuous, not periodic

  1. Transparency First

  • Follow Hack23's public ISMS model

  • Document all security decisions

  • Make security architecture visible

  • Share lessons learned

  1. Risk-Based Approach

  • Prioritize based on risk assessment

  • Document risk acceptance decisions

  • Continuously reassess threats

  • Implement appropriate controls

Required Documentation Portfolio

Security Documentation (MANDATORY)

Every Hack23 repository MUST have:

SECURITY_ARCHITECTURE.md    # Current security controls
THREAT_MODEL.md            # STRIDE analysis
FUTURE_SECURITY_ARCHITECTURE.md  # Security roadmap

SECURITY_ARCHITECTURE.md must include:

  • Defense-in-depth layers

  • Compliance framework mapping (ISO 27001 + NIST CSF + CIS Controls)

  • Authentication and authorization architecture

  • Data protection mechanisms

  • Network security topology

  • Security monitoring approach

  • Incident response procedures

THREAT_MODEL.md must include:

  • STRIDE threat analysis for all components

  • Attack surface identification

  • Likelihood and impact ratings

  • Mitigation strategies

  • Residual risk documentation

FUTURE_SECURITY_ARCHITECTURE.md must include:

  • Security enhancement roadmap

  • Risk mitigation timelines

  • Planned compliance improvements

  • Technology evolution plans

Architecture Documentation Portfolio (MANDATORY)

Current State

ARCHITECTURE.md     # C4 models (Context, Container, Component)
DATA_MODEL.md       # Data structures and relationships
FLOWCHART.md        # Business processes and workflows
STATEDIAGRAM.md     # State transitions and lifecycles
MINDMAP.md          # Conceptual relationships
SWOT.md             # Strategic analysis

Future State

FUTURE_ARCHITECTURE.md      # Architectural evolution
FUTURE_DATA_MODEL.md        # Enhanced data architecture
FUTURE_FLOWCHART.md         # Improved workflows
FUTURE_STATEDIAGRAM.md      # Advanced state management
FUTURE_MINDMAP.md           # Capability expansion
FUTURE_SWOT.md              # Future opportunities

Compliance Framework Mapping

ISO 27001:2022 Annex A Controls

Always map implementations to these controls:

Control Focus Area Implementation Examples

A.9.2 User Access Management MFA, SSH keys, GPG signing

A.9.4 System/App Access Control RBAC, least privilege

A.10.1 Cryptographic Controls TLS 1.3, HTTPS-only, encryption at rest

A.12.4 Logging and Monitoring Audit logs, security monitoring

A.13.1 Network Security Firewalls, DDoS protection, security headers

A.14.2 Secure Development SAST, DAST, dependency scanning

A.16.1 Incident Management Response procedures, forensics

NIST CSF 2.0 Functions

Map all security measures to functions:

Function Purpose Key Categories

GOVERN (GV) Organizational context Risk management strategy, policies

IDENTIFY (ID) Understand risks Asset management, risk assessment

PROTECT (PR) Implement safeguards Access control, data security

DETECT (DE) Find anomalies Monitoring, threat detection

RESPOND (RS) Take action Response planning, communications

RECOVER (RC) Restore services Recovery planning, improvements

CIS Controls v8.1

Implement applicable controls by Implementation Group:

IG1 (Basic Cyber Hygiene):

  • 1.1: Inventory of Assets

  • 2.1: Inventory of Software

  • 3.10: Encrypt Data in Transit

  • 4.1: Secure Configuration

  • 5.1: Account Inventory

  • 6.8: Role-Based Access Control

IG2 (Enterprise Security):

  • 8.2: Collect Audit Logs

  • 10.1: Deploy Anti-Malware

  • 13.1: Security Event Alerting

  • 16.1: Secure Development Process

DevSecOps Requirements

CI/CD Security

All workflows must:

  • Use step-security/harden-runner for egress auditing

  • Implement least privilege permissions

  • Pin actions to SHA commits (not tags)

  • Scan dependencies with Dependabot

  • Run CodeQL or equivalent SAST

  • Enable secret scanning

  • Implement quality gates (fail on security issues)

Example:

permissions:
contents: read  # Least privilege

steps:

- name: Harden Runner
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9
with:
egress-policy: audit

Security Scanning

Required scans:

  • SAST: CodeQL, Semgrep, or equivalent

  • Dependency: Dependabot, Snyk, or equivalent

  • Secret: GitHub secret scanning

  • DAST: For web applications (planned/future)

Access Control

  • MFA required for all contributors

  • SSH keys with passphrase protection

  • GPG signing required for commits

  • Branch protection on main/master

  • Required reviews before merge

Threat Modeling (STRIDE)

For every component, analyze:

Threat Description Example Mitigations

Spoofing Identity theft MFA, strong authentication

Tampering Data modification Input validation, integrity checks

Repudiation Deny actions Audit logs, digital signatures

Information Disclosure Expose info Encryption, access control

Denial of Service Disrupt service Rate limiting, DDoS protection

Elevation of Privilege Gain unauthorized access Least privilege, RBAC

Compliance Verification Checklist

Before completing any task, verify:

  • All required security documentation exists and is current

  • All required architecture documentation exists and is current

  • Security controls are mapped to ISO 27001/NIST CSF/CIS Controls

  • Threat model is complete with STRIDE analysis

  • CI/CD workflows are security-hardened

  • Access controls follow least privilege

  • All security findings are documented and addressed

  • Compliance gaps are identified and tracked

Audit Evidence

Maintain evidence for:

  • Control implementation: Configuration files, screenshots

  • Control effectiveness: Test results, monitoring logs

  • Control coverage: Mapping matrices, gap analysis

  • Continuous monitoring: Scan results, alerts

  • Incident response: Procedures, exercises, post-mortems

Remember

  • If it's not documented, it doesn't exist - Auditors need evidence

  • Compliance is continuous - Not a one-time checkbox

  • Security by design - Easier than retrofitting

  • Defense in depth - Multiple layers of protection

  • Least privilege - Minimize access by default

  • Transparency - Follow Hack23's open security model

References

Hack23 ISMS Core Policies

  • Information Security Policy - Master ISMS framework

  • Information Security Strategy - Strategic security roadmap

  • Secure Development Policy - SDLC security requirements

  • Open Source Policy - Open source governance

  • Threat Modeling Policy - Systematic threat analysis

Compliance & Classification

  • Compliance Checklist - Multi-framework mapping

  • Classification Framework - Business impact analysis

  • CRA Conformity Assessment - EU Cyber Resilience Act

Risk & Incident Management

  • Risk Register - Enterprise risk management

  • Risk Assessment Methodology - Risk evaluation framework

  • Incident Response Plan - Security incident procedures

  • Business Continuity Plan - BCP/DR processes

Technical Controls

  • Access Control Policy - IAM and authentication

  • Cryptography Policy - Encryption standards

  • Network Security Policy - Network controls

  • Vulnerability Management - Vuln scanning and remediation

  • Backup Recovery Policy - Data protection

  • Change Management - Change control

Supporting Documents

  • Asset Register - Information assets

  • Data Classification Policy - Data handling

  • Acceptable Use Policy - Usage guidelines

  • Segregation of Duties Policy - SoD compensating controls

  • Third Party Management - Supplier security

  • Physical Security Policy - Physical controls

  • AI Policy - AI governance

  • Privacy Policy - GDPR compliance

Example Implementations

  • CIA Security Architecture - Full authentication stack

  • CIA Threat Model - Comprehensive threat analysis

  • CIA Compliance Manager Security - Frontend-only security

  • Black Trigram Security - Gaming security

  • Riksdagsmonitor Security - Static site security

Compliance Frameworks

  • ISO 27001:2022 - Information security management

  • NIST CSF 2.0 - Cybersecurity Framework

  • CIS Controls v8.1 - Security best practices

  • NIS2 Directive - EU cybersecurity requirements

  • EU CRA - Cyber Resilience Act

  • GDPR - Data protection regulation

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

secrets-management

No summary provided by upstream source.

Repository SourceNeeds Review
-16
hack23
General

ai governance

No summary provided by upstream source.

Repository SourceNeeds Review
-16
hack23
General

osint-methodologies

No summary provided by upstream source.

Repository SourceNeeds Review
-12
hack23