Github/comply
1
0
Fork 0
mirror of https://github.com/strongdm/comply synced 2025-12-06 14:24:12 +00:00
Code Issues Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Justin McCarthy
2018-05-11 13:25:46 -07:00
commit 8f7e41ffc8
1038 changed files with 263537 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
themes/comply-soc2/narratives/README.md Normal file
View File

20
themes/comply-soc2/narratives/control.md Normal file
View File

@@ -0,0 +1,20 @@
name: Control Environment Narrative
acronym: CEN
satisfies:
TSC:
- CC2.1
- CC2.2
- CC2.3
- CC4.1
- CC4.2
- CC5.1
- CC5.2
- CC5.3
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Control Environment Narrative
Here we narrate why our org satisfies the control keys listed in the YML block

20
themes/comply-soc2/narratives/organizational.md Normal file
View File

@@ -0,0 +1,20 @@
name: Organizational Narrative
acronym: ON
satisfies:
TSC:
- CC1.2
- CC1.3
- CC1.4
- CC1.5
- CC3.1
- CC3.2
- CC3.3
- CC3.4
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Organizational Narrative
Here we narrate why our org satisfies the control keys listed in the YML block

13
themes/comply-soc2/narratives/products.md Normal file
View File

@@ -0,0 +1,13 @@
name: Products and Services Narrative
acronym: PSN
satisfies:
TSC:
- CC9.9
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Products Narrative
Here we describe the key products marketed by our organization

16
themes/comply-soc2/narratives/security.md Normal file
View File

@@ -0,0 +1,16 @@
name: Security Architecture Narrative
acronym: SEN
satisfies:
TSC:
- CC6.6
- CC6.7
- CC7.1
- CC7.2
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Control Environment Narrative
Here we narrate why our org satisfies the control keys listed in the YML block

10
themes/comply-soc2/narratives/system.md Normal file
View File

@@ -0,0 +1,10 @@
name: System Architecture Narrative
acronym: SYN
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Control Environment Narrative
Here we narrate why our org satisfies the control keys listed in the YML block

1
themes/comply-soc2/policies/README.md Normal file
View File

@@ -0,0 +1 @@
# TODO Describe Policies

15
themes/comply-soc2/policies/access.md Normal file
View File

@@ -0,0 +1,15 @@
name: Access Onboarding and Termination Policy
acronym: AOTP
satisfies:
TSC:
- CC6.1
- CC6.2
- CC6.3
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

33
themes/comply-soc2/policies/application.md Normal file
View File

@@ -0,0 +1,33 @@
name: Application Security Policy
acronym: ASP
satisfies:
TSC:
- CC6.2
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The Application Security Policy governs the use of applications deemed critical to {{.Name} Information Security.
# Critical Applications
The following applications are within the scope of this policy:
* GitHub
* Slack
* Google Apps
Applications supporting production data operations (specifically the AWS Console) are deliberately excluded from this policy.
# Data Sensitivity
Any company proprietary data may be stored within these *[Critical Applications]*.
Customer support activities must be conducted entirely within the *[Critical Applications]*.
# Other Applications
Other applications not listed in *[Critical Applications]* may include company proprietary data, but must not contain any customer support or customer-owned data.

14
themes/comply-soc2/policies/availability.md Normal file
View File

@@ -0,0 +1,14 @@
name: Availability Policy
acronym: AP
satisfies:
TSC:
- A1.1
- CC9.1
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The Availability Policy governs X.

13
themes/comply-soc2/policies/change.md Normal file
View File

@@ -0,0 +1,13 @@
name: System Change Policy
acronym: SCP
satisfies:
TSC:
- CC8.1
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

37
themes/comply-soc2/policies/classification.md Normal file
View File

@@ -0,0 +1,37 @@
name: Data Classification Policy
acronym: DCP
satisfies:
TSC:
- CC9.9
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Background
This policy defines the high level objectives and implementation instructions for the organizations data classification scheme. This includes data classification levels, as well as procedures for the classification, labeling and handling of data within the organization. Confidentiality and non-disclosure agreements maintained by the organization must reference this policy.
# Purpose and Scope
- This data classification policy defines the requirements to ensure that information within the organization is protected at an appropriate level.
- This document applies to the entire scope of the organizations information security program. It includes all types of information, regardless of its form, such as paper or electronic documents, applications and databases, and knowledge or information that is not written.
- This policy applies to all individuals and systems that have access to information kept by the organization.
# References
- Risk Assessment Policy
- Security Incident Management Policy
# Policy
- If classified information is received from outside the organization, the person who receives the information must classify it in accordance with the rules prescribed in this policy. The person thereby will become the owner of the information.
- If classified information is received from outside the organization and handled as part of business operations activities (e.g., customer data on provided cloud services), the information classification, as well as the owner of such information, must be made in accordance with the specifications of the respective customer service agreement and other legal requirements.
- When classifying information, the level of confidentiality is determined by:
- The value of the information, based on impacts identified during the risk assessment process. More information on risk assessments is defined in the Risk Assessment Policy (reference (a)).
- Sensitivity and criticality of the information, based on the highest risk calculated for each information item during the risk assessment.
- Legal, regulatory and contractual obligations.
- Information must be classified based on confidentiality levels as defined in Table 1.

13
themes/comply-soc2/policies/conduct.md Normal file
View File

@@ -0,0 +1,13 @@
name: Code of Conduct Policy
acronym: COCP
satisfies:
TSC:
- CC1.1
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The Data Classification Policy governs X.

14
themes/comply-soc2/policies/confidentiality.md Normal file
View File

@@ -0,0 +1,14 @@
name: Confidentiality Policy
acronym: CP
satisfies:
TSC:
- C1.1
- C1.2
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

13
themes/comply-soc2/policies/continuity.md Normal file
View File

@@ -0,0 +1,13 @@
name: Business Continuity Policy
acronym: BCP
satisfies:
TSC:
- CC9.1
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

13
themes/comply-soc2/policies/cyber.md Normal file
View File

@@ -0,0 +1,13 @@
name: Cyber Risk Assessment Policy
acronym: CRP
satisfies:
TSC:
- CC9.1
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

13
themes/comply-soc2/policies/datacenter.md Normal file
View File

@@ -0,0 +1,13 @@
name: Datacenter Policy
acronym: DP
satisfies:
TSC:
- CC6.4
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

13
themes/comply-soc2/policies/development.md Normal file
View File

@@ -0,0 +1,13 @@
name: Software Development Lifecycle Policy
acronym: SDLCP
satisfies:
TSC:
- CC8.1
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

15
themes/comply-soc2/policies/disaster.md Normal file
View File

@@ -0,0 +1,15 @@
name: Disaster Recovery Policy
acronym: DRP
satisfies:
TSC:
- A1.2
- A1.3
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.
s

13
themes/comply-soc2/policies/encryption.md Normal file
View File

@@ -0,0 +1,13 @@
name: Encryption Policy
acronym: EP
satisfies:
TSC:
- CC9.9
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

15
themes/comply-soc2/policies/incident.md Normal file
View File

@@ -0,0 +1,15 @@
name: Security Incident Response Policy
acronym: SIRP
satisfies:
TSC:
- CC7.3
- CC7.4
- CC7.5
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

29
themes/comply-soc2/policies/information.md Normal file
View File

@@ -0,0 +1,29 @@
name: Information Security Policy
acronym: ISP
satisfies:
TSC:
- CC9.9
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The Information Security Policy is a composite policy referencing other Acme policies relevant to information security.
# Component Policies
The Acme Information Security Policy is composed of:
- [Application Security Policy (*Acme-ASP.pdf*)](Acme-ASP.pdf) {-}
- [Cyber Risk Management Policy (*Acme-CRP.pdf*)](Acme-CRP.pdf) {-}
- [Data Classification Policy (*Acme-DCP.pdf*)](Acme-DCP.pdf) {-}
- [Data Retention Policy (*Acme-ASP.pdf*)](Acme-DRP.pdf) {-}
- [Datacenter Security Policy (*Acme-ASP.pdf*)](Acme-DSP.pdf) {-}
- [Encryption Policy (*Acme-ASP.pdf*)](Acme-EP.pdf) {-}
- [Password Policy (*Acme-ASP.pdf*)](Acme-PWP.pdf) {-}
- [Remote Access Policy (*Acme-ASP.pdf*)](Acme-REAP.pdf) {-}
- [Removable Media Policy (*Acme-ASP.pdf*)](Acme-RMP.pdf) {-}
- [Security Incident Response Policy (*Acme-ASP.pdf*)](Acme-SIRP.pdf) {-}
- [Workstation Security Policy (*Acme-ASP.pdf*)](Acme-WSP.pdf) {-}

13
themes/comply-soc2/policies/log.md Normal file
View File

@@ -0,0 +1,13 @@
name: Log Management Policy
acronym: LMP
satisfies:
TSC:
- CC7.2
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

13
themes/comply-soc2/policies/media.md Normal file
View File

@@ -0,0 +1,13 @@
name: Removable Media and Cloud Storage Policy
acronym: MCP
satisfies:
TSC:
- CC6.7
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

13
themes/comply-soc2/policies/office.md Normal file
View File

@@ -0,0 +1,13 @@
name: Office Security Policy
acronym: OSP
satisfies:
TSC:
- CC6.4
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

13
themes/comply-soc2/policies/password.md Normal file
View File

@@ -0,0 +1,13 @@
name: Password Policy
acronym: PWP
satisfies:
TSC:
- CC9.9
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

21
themes/comply-soc2/policies/policy.md Normal file
View File

@@ -0,0 +1,21 @@
name: Policy Training Policy
acronym: PTP
satisfies:
TSC:
- CC9.9
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The Policy Training Policy addresses policy education requirements for Acme employees and contractors.
# Adherence
Assignees are reminded that adherence to assigned policies is binding under the terms of their Acme Employment Offer Letter and/or their Acme Independent Contractor Agreement.
# Applicability
Upon each full-time, part-time or contractor addition, the hiring manager determines which subset of of Acme Policies apply to that individual. The individual is tasked with reading the assigned policies within 5 working days. The initial assignment date, scope, and completion date are entered into the [Ledger].

30
themes/comply-soc2/policies/privacy.md Normal file
View File

@@ -0,0 +1,30 @@
name: Privacy Management Policy
acronym: PMP
satisfies:
TSC:
- P1.1
- P2.1
- P3.1
- P3.2
- P4.1
- P4.2
- P4.3
- P5.1
- P5.2
- P6.1
- P6.2
- P6.3
- P6.4
- P6.5
- P6.6
- P6.7
- P7.1
- P8.1
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

17
themes/comply-soc2/policies/processing.md Normal file
View File

@@ -0,0 +1,17 @@
name: Processing Integrity Management Policy
acronym: PIMP
satisfies:
TSC:
- PI1.1
- PI1.2
- PI1.3
- PI1.4
- PI1.5
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

15
themes/comply-soc2/policies/remote.md Normal file
View File

@@ -0,0 +1,15 @@
name: Remote Access Policy
acronym: REAP
satisfies:
TSC:
- CC6.1
- CC6.2
- CC6.7
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

15
themes/comply-soc2/policies/retention.md Normal file
View File

@@ -0,0 +1,15 @@
name: Data Retention Policy
acronym: RP
satisfies:
TSC:
- CC1.2
- CC6.5
- P4.2
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

13
themes/comply-soc2/policies/risk.md Normal file
View File

@@ -0,0 +1,13 @@
name: Risk Assessment Policy
acronym: RIAP
satisfies:
TSC:
- CC9.1
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

13
themes/comply-soc2/policies/vendor.md Normal file
View File

@@ -0,0 +1,13 @@
name: Vendor Management Policy
acronym: VMP
satisfies:
TSC:
- CC9.2
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

13
themes/comply-soc2/policies/workstation.md Normal file
View File

@@ -0,0 +1,13 @@
name: Workstation Policy
acronym: WP
satisfies:
TSC:
- CC6.8
majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Overview
The XXX Policy governs X.

1
themes/comply-soc2/procedures/README.md Normal file
View File

@@ -0,0 +1 @@
# TODO Describe Procedures

13
themes/comply-soc2/procedures/offboarding.md Normal file
View File

@@ -0,0 +1,13 @@
id: "offboard"
name: "Offboard User"
---
# Onboarding Steps
- [ ] Determine github username and assign to correct Org
- [ ] Create Slack account
- [ ] Determine and assign IAM role
# Attach Evidence
No evidence beyond activity logs within Slack, Github

13
themes/comply-soc2/procedures/onboarding.md Normal file
View File

@@ -0,0 +1,13 @@
id: "onboard"
name: "Onboard New User"
---
# Onboarding Steps
- [ ] Determine github username and assign to correct Org
- [ ] Create Slack account
- [ ] Determine and assign IAM role
# Attach Evidence
No evidence beyond activity logs within Slack, Github

11
themes/comply-soc2/procedures/patch.md Normal file
View File

@@ -0,0 +1,11 @@
id: "patch"
name: "Apply OS patches"
cron: "0 0 1 * * *"
---
# Production Environment
- [ ] View patchlevel report in OpenVAS
- [ ] Apply patches using Ansible playbooks
- [ ] AWS us-west-2
- [ ] Reston Datacenter

13
themes/comply-soc2/procedures/workstation.md Normal file
View File

@@ -0,0 +1,13 @@
id: "workstation"
name: "Collect Workstation Details"
cron: "0 0 * * * *"
---
# Workstation Details
- [ ] E-mail all users requesting confirmation of drive encryption
- [ ] E-mail all users requesting confirmation of antivirus / antimalware configuration
# Insert Evidence
Insert evidence into the Evidence Vault

5
themes/comply-soc2/standards/README.md Normal file
View File

@@ -0,0 +1,5 @@
# Compliance Standards
All `yaml` files in this directory are assumed to conform to https://github.com/opencontrol/schemas/tree/master/kwalify/standard
Adjust the target standard for this project by adding or removing line-items within each file, or adding/removing a standard file entirely.

245
themes/comply-soc2/standards/TSC-2017.yml Normal file
View File

@@ -0,0 +1,245 @@
name: TSC
CC1.1:
family: CC1
name: Integrity and Ethics
description: The entity demonstrates a commitment to integrity and ethical values
CC1.2:
family: CC1
name: Board Independence
description: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
CC1.3:
family: CC1
name: Organizational Structure
description: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
CC1.4:
family: CC1
name: Hiring, Training and Retention
description: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
CC1.5:
family: CC1
name: Individual Accountability
description: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
CC2.1:
family: CC2
name: Use of Information Systems
description: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control
CC2.2:
family: CC2
name: Use of Communication Systems, Internal
description: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
CC2.3:
family: CC2
name: Use of Communication Systems, External
description: The entity communicates with external parties regarding matters affecting the functioning of internal control
CC3.1:
family: CC3
name: Objectives
description: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
CC3.2:
family: CC3
name: Risk to Objectives
description: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
CC3.3:
family: CC3
name: Fraud Risk to Objectives
description: The entity considers the potential for fraud in assessing risks to the achievement of objectives
CC3.4:
family: CC3
name: Impact of Changes
description: The entity identifies and assesses changes that could significantly impact the system of internal control
CC4.1:
family: CC4
name: Monitoring
description: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
CC4.2:
family: CC4
name: Remediation
description: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate
CC5.1:
family: CC5
name: Objective Risk Mitigation
description: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
CC5.2:
family: CC5
name: Technology Controls
description: The entity also selects and develops general control activities over technology to support the achievement of objectives
CC5.3:
family: CC5
name: Established Policies
description: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action
CC6.1:
family: CC6
name: Logical Access
description: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entitys objectives
CC6.2:
family: CC6
name: User Access
description: Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized
CC6.3:
family: CC6
name: Role-Based Access
description: The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entitys objectives
CC6.4:
family: CC6
name: Physical Access
description: The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entitys objectives
CC6.5:
family: CC6
name: Data Disposal
description: The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entitys objectives
CC6.6:
family: CC6
name: External Threats
description: The entity implements logical access security measures to protect against threats from sources outside its system boundaries
CC6.7:
family: CC6
name: Data Custody and Transmission
description: The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entitys objectives
CC6.8:
family: CC6
name: Malware Detection
description: The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entitys objectives
CC7.1:
family: CC7
name: Vulnerability Detection
description: To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities
CC7.2:
family: CC7
name: Anomaly Detection
description: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entitys ability to meet its objectives; anomalies are analyzed to determine whether they represent security events
CC7.3:
family: CC7
name: Security Incident Evaluation
description: The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures
CC7.4:
family: CC7
name: Security Incident Response Plan
description: The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate
CC7.5:
family: CC7
name: Security Incident Response Execution
description: The entity identifies, develops, and implements activities to recover from identified security incidents
CC8.1:
family: CC8
name: Change Control
description: The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives
CC9.1:
family: CC9
name: Disruption Risk Mitigation
description: The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions
CC9.2:
family: CC9
name: Vendor Risk Management
description: The entity assesses and manages risks associated with vendors and business partners
A1.1:
family: A1
name: Capacity Planning
description: The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives
A1.2:
family: A1
name: Backup and Recovery
description: The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives
A1.3:
family: A1
name: Recovery Testing
description: The entity tests recovery plan procedures supporting system recovery to meet its objectives
C1.1:
family: C1
name: Confidential Information Identification
description: The entity identifies and maintains confidential information to meet the entitys objectives related to confidentiality
C1.2:
family: C1
name: Confidential Information Disposal
description: The entity disposes of confidential information to meet the entitys objectives related to confidentiality.
PI1.1:
family: PI1
name: Processing Integrity Monitoring
description: The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including de nitions of data processed and product and service speci cations, to support the use of products and services
PI1.2:
family: PI1
name: Processing Integrity Accuracy
description: The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entitys objectives
PI1.3:
family: PI1
name: Processing Integrity Operations
description: The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entitys objectives
PI1.4:
family: PI1
name: Processing Integrity Outputs
description: The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with speci cations to meet the entitys objectives
PI1.5:
family: PI1
name: Processing Integrity Backups
description: The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system speci cations to meet the entitys objectives
P1.1:
family: P1
name: Privacy Notification
description: The entity provides notice to data subjects about its privacy practices to meet the entitys objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entitys privacy practices, including changes in the use of personal information, to meet the entitys objectives related to privacy
P2.1:
family: P2
name: Privacy Consent and Choice
description: The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entitys objectives related to privacy. The entitys basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented
P3.1:
family: P3
name: Personal Information Collection
description: Personal information is collected consistent with the entitys objectives related to privacy
P3.2:
family: P3
name: Explicit Consent
description: For information requiring explicit consent, the entity communicates the need for such consent, as well as the consequences of a failure to provide consent for the request for personal information, and obtains the consent prior to the collection of the information to meet the entitys objectives related to privacy
P4.1:
family: P4
name: Proper Use of Personal Information
description: The entity limits the use of personal information to the purposes identified in the entitys objectives related to privacy
P4.2:
family: P4
name: Personal Information Retention
description: The entity retains personal information consistent with the entitys objectives related to privacy
P4.3:
family: P4
name: Personal Information Disposal
description: The entity securely disposes of personal information to meet the entitys objectives related to privacy
P5.1:
family: P5
name: Data Subject Access
description: The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entitys objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entitys objectives related to privacy
P5.2:
family: P5
name: Data Subject Amendment
description: The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entitys objectives related to privacy. If a request for correction is denied, data subjects are informed of the denial and reason for such denial to meet the entitys objectives related to privacy
P6.1:
family: P6
name: Consent for Third Party Disclosure
description: The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entitys objectives related to privacy
P6.2:
family: P6
name: Authorized Disclosures
description: The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entitys objectives related to privacy
P6.3:
family: P6
name: Unauthorized Disclosures
description: The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entitys objectives related to privacy
P6.4:
family: P6
name: Appropriate Third Party Disclosure
description: The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entitys objectives related to privacy. The entity assesses those parties compliance on a periodic and as-needed basis and takes corrective action, if necessary
P6.5:
family: P6
name: Unauthorized Third Party Disclosure
description: The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entitys objectives related to privacy
P6.6:
family: P6
name: Notification of Unauthorized Third Party Disclosure
description: The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entitys objectives related to privacy
P6.7:
family: P6
name: Accounting of Personal Information
description: The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects personal information, upon the data subjects request, to meet the entitys objectives related to privacy
P7.1:
family: P7
name: Accuracy of Personal Information
description: The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entitys objectives related to privacy
P8.1:
family: P8
name: Personal Information Dispute Resolution
description: The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entitys objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner

280
themes/comply-soc2/templates/default.latex Normal file
View File

@@ -0,0 +1,280 @@
\documentclass[$if(fontsize)$$fontsize$,$endif$$if(lang)$$babel-lang$,$endif$$if(papersize)$$papersize$paper,$endif$$for(classoption)$$classoption$$sep$,$endfor$]{$documentclass$}
$if(beamerarticle)$
\usepackage{beamerarticle} % needs to be loaded first
$endif$
$if(fontfamily)$
\usepackage[$for(fontfamilyoptions)$$fontfamilyoptions$$sep$,$endfor$]{$fontfamily$}
$else$
\usepackage{lmodern}
$endif$
$if(linestretch)$
\usepackage{setspace}
\setstretch{$linestretch$}
$endif$
\usepackage{amssymb,amsmath}
\usepackage{ifxetex,ifluatex}
\usepackage{fixltx2e} % provides \textsubscript
\ifnum 0\ifxetex 1\fi\ifluatex 1\fi=0 % if pdftex
\usepackage[$if(fontenc)$$fontenc$$else$T1$endif$]{fontenc}
\usepackage[utf8]{inputenc}
$if(euro)$
\usepackage{eurosym}
$endif$
\else % if luatex or xelatex
\ifxetex
\usepackage{mathspec}
\else
\usepackage{fontspec}
\fi
\defaultfontfeatures{Ligatures=TeX,Scale=MatchLowercase}
$for(fontfamilies)$
\newfontfamily{$fontfamilies.name$}[$fontfamilies.options$]{$fontfamilies.font$}
$endfor$
$if(euro)$
\newcommand{\euro}{€}
$endif$
$if(mainfont)$
\setmainfont[$for(mainfontoptions)$$mainfontoptions$$sep$,$endfor$]{$mainfont$}
$endif$
$if(sansfont)$
\setsansfont[$for(sansfontoptions)$$sansfontoptions$$sep$,$endfor$]{$sansfont$}
$endif$
$if(monofont)$
\setmonofont[Mapping=tex-ansi$if(monofontoptions)$,$for(monofontoptions)$$monofontoptions$$sep$,$endfor$$endif$]{$monofont$}
$endif$
$if(mathfont)$
\setmathfont(Digits,Latin,Greek)[$for(mathfontoptions)$$mathfontoptions$$sep$,$endfor$]{$mathfont$}
$endif$
$if(CJKmainfont)$
\usepackage{xeCJK}
\setCJKmainfont[$for(CJKoptions)$$CJKoptions$$sep$,$endfor$]{$CJKmainfont$}
$endif$
\fi
% use upquote if available, for straight quotes in verbatim environments
\IfFileExists{upquote.sty}{\usepackage{upquote}}{}
% use microtype if available
\IfFileExists{microtype.sty}{%
\usepackage[$for(microtypeoptions)$$microtypeoptions$$sep$,$endfor$]{microtype}
\UseMicrotypeSet[protrusion]{basicmath} % disable protrusion for tt fonts
}{}
\PassOptionsToPackage{hyphens}{url} % url is loaded by hyperref
$if(verbatim-in-note)$
\usepackage{fancyvrb}
$endif$
\usepackage[unicode=true]{hyperref}
$if(colorlinks)$
\PassOptionsToPackage{usenames,dvipsnames}{color} % color is loaded by hyperref
$endif$
\hypersetup{
$if(title-meta)$
pdftitle={$title-meta$},
$endif$
$if(author-meta)$
pdfauthor={$author-meta$},
$endif$
$if(keywords)$
pdfkeywords={$for(keywords)$$keywords$$sep$, $endfor$},
$endif$
$if(colorlinks)$
colorlinks=true,
linkcolor=$if(linkcolor)$$linkcolor$$else$Maroon$endif$,
citecolor=$if(citecolor)$$citecolor$$else$Blue$endif$,
urlcolor=$if(urlcolor)$$urlcolor$$else$Blue$endif$,
$else$
pdfborder={0 0 0},
$endif$
breaklinks=true}
\urlstyle{same} % don't use monospace font for urls
$if(verbatim-in-note)$
\VerbatimFootnotes % allows verbatim text in footnotes
$endif$
$if(geometry)$
\usepackage[$for(geometry)$$geometry$$sep$,$endfor$]{geometry}
$endif$
$if(lang)$
\ifnum 0\ifxetex 1\fi\ifluatex 1\fi=0 % if pdftex
\usepackage[shorthands=off,$for(babel-otherlangs)$$babel-otherlangs$,$endfor$main=$babel-lang$]{babel}
$if(babel-newcommands)$
$babel-newcommands$
$endif$
\else
\usepackage{polyglossia}
\setmainlanguage[$polyglossia-lang.options$]{$polyglossia-lang.name$}
$for(polyglossia-otherlangs)$
\setotherlanguage[$polyglossia-otherlangs.options$]{$polyglossia-otherlangs.name$}
$endfor$
\fi
$endif$
$if(natbib)$
\usepackage{natbib}
\bibliographystyle{$if(biblio-style)$$biblio-style$$else$plainnat$endif$}
$endif$
$if(biblatex)$
\usepackage[$if(biblio-style)$style=$biblio-style$,$endif$$for(biblatexoptions)$$biblatexoptions$$sep$,$endfor$]{biblatex}
$for(bibliography)$
\addbibresource{$bibliography$}
$endfor$
$endif$
$if(listings)$
\usepackage{listings}
$endif$
$if(lhs)$
\lstnewenvironment{code}{\lstset{language=Haskell,basicstyle=\small\ttfamily}}{}
$endif$
$if(highlighting-macros)$
$highlighting-macros$
$endif$
$if(tables)$
\usepackage{longtable,booktabs}
% Fix footnotes in tables (requires footnote package)
\IfFileExists{footnote.sty}{\usepackage{footnote}\makesavenoteenv{long table}}{}
$endif$
$if(graphics)$
\usepackage{graphicx,grffile}
\makeatletter
\def\maxwidth{\ifdim\Gin@nat@width>\linewidth\linewidth\else\Gin@nat@width\fi}
\def\maxheight{\ifdim\Gin@nat@height>\textheight\textheight\else\Gin@nat@height\fi}
\makeatother
% Scale images if necessary, so that they will not overflow the page
% margins by default, and it is still possible to overwrite the defaults
% using explicit options in \includegraphics[width, height, ...]{}
\setkeys{Gin}{width=\maxwidth,height=\maxheight,keepaspectratio}
$endif$
$if(links-as-notes)$
% Make links footnotes instead of hotlinks:
\renewcommand{\href}[2]{#2\footnote{\url{#1}}}
$endif$
$if(strikeout)$
\usepackage[normalem]{ulem}
% avoid problems with \sout in headers with hyperref:
\pdfstringdefDisableCommands{\renewcommand{\sout}{}}
$endif$
$if(indent)$
$else$
\IfFileExists{parskip.sty}{%
\usepackage{parskip}
}{% else
\setlength{\parindent}{0pt}
\setlength{\parskip}{6pt plus 2pt minus 1pt}
}
$endif$
\setlength{\emergencystretch}{3em} % prevent overfull lines
\providecommand{\tightlist}{%
\setlength{\itemsep}{0pt}\setlength{\parskip}{0pt}}
$if(numbersections)$
\setcounter{secnumdepth}{$if(secnumdepth)$$secnumdepth$$else$5$endif$}
$else$
\setcounter{secnumdepth}{0}
$endif$
$if(subparagraph)$
$else$
% Redefines (sub)paragraphs to behave more like sections
\ifx\paragraph\undefined\else
\let\oldparagraph\paragraph
\renewcommand{\paragraph}[1]{\oldparagraph{#1}\mbox{}}
\fi
\ifx\subparagraph\undefined\else
\let\oldsubparagraph\subparagraph
\renewcommand{\subparagraph}[1]{\oldsubparagraph{#1}\mbox{}}
\fi
$endif$
$if(dir)$
\ifxetex
% load bidi as late as possible as it modifies e.g. graphicx
$if(latex-dir-rtl)$
\usepackage[RTLdocument]{bidi}
$else$
\usepackage{bidi}
$endif$
\fi
\ifnum 0\ifxetex 1\fi\ifluatex 1\fi=0 % if pdftex
\TeXXeTstate=1
\newcommand{\RL}[1]{\beginR #1\endR}
\newcommand{\LR}[1]{\beginL #1\endL}
\newenvironment{RTL}{\beginR}{\endR}
\newenvironment{LTR}{\beginL}{\endL}
\fi
$endif$
% set default figure placement to htbp
\makeatletter
\def\fps@figure{htbp}
\makeatother
$if(header-includes)$
\usepackage{fancyhdr}
\pagestyle{fancy}
\fancyhead{}
\fancyhead[RO,RE]{$head-content$}
\fancyfoot[LO,LE]{$foot-content$}
$endif$
$if(title)$
\title{$title$$if(thanks)$\thanks{$thanks$}$endif$}
$endif$
$if(subtitle)$
\providecommand{\subtitle}[1]{}
\subtitle{$subtitle$}
$endif$
$if(author)$
\author{$for(author)$$author$$sep$ \and $endfor$}
$endif$
$if(institute)$
\providecommand{\institute}[1]{}
\institute{$for(institute)$$institute$$sep$ \and $endfor$}
$endif$
\date{$date$}
\begin{document}
$if(title)$
\maketitle
$endif$
$if(abstract)$
\begin{abstract}
$abstract$
\end{abstract}
$endif$
$for(include-before)$
$include-before$
$endfor$
$if(toc)$
{
$if(colorlinks)$
\hypersetup{linkcolor=$if(toccolor)$$toccolor$$else$black$endif$}
$endif$
\setcounter{tocdepth}{$toc-depth$}
\tableofcontents
}
$endif$
$if(lot)$
\listoftables
$endif$
$if(lof)$
\listoffigures
$endif$
$body$
$if(natbib)$
$if(bibliography)$
$if(biblio-title)$
$if(book-class)$
\renewcommand\bibname{$biblio-title$}
$else$
\renewcommand\refname{$biblio-title$}
$endif$
$endif$
\bibliography{$for(bibliography)$$bibliography$$sep$,$endfor$}
$endif$
$endif$
$if(biblatex)$
\printbibliography$if(biblio-title)$[title=$biblio-title$]$endif$
$endif$
$for(include-after)$
$include-after$
$endfor$
\end{document}

224
themes/comply-soc2/templates/index.ace Normal file
View File

@@ -0,0 +1,224 @@
= doctype html
html lang=en
head
meta charset=utf-8
title {{.Project.Name}}
link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/bulma/0.6.2/css/bulma.min.css"
link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/bulmaswatch/0.6.2/sandstone/bulmaswatch.min.css"
script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.22.0/moment.min.js"
script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/later/1.2.0/later.min.js"
script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/prettycron/0.11.0/prettycron.min.js"
meta name="viewport" content="width=device-width, initial-scale=1"
= css
= javascript
document.addEventListener("DOMContentLoaded", function(event) {
document.querySelectorAll('.cron').forEach(function(el) {
el.innerHTML = prettyCron.toString(el.innerHTML)
})
})
function show(name) {
var items = document.getElementsByClassName('top-nav')
for (var i=0; i<items.length; i++) {
var item = items[i]
if (item.tagName === "LI") {
// navigation tabs
if (item.classList.contains(name)) {
item.classList.add('is-active')
} else {
item.classList.remove('is-active')
}
} else {
// sections
if (item.id === name) {
item.classList.remove('is-hidden')
} else {
item.classList.add('is-hidden')
}
}
}
}
body
section.hero.is-primary.is-small
.hero-body
.container
h1.title {{.Project.Name}}
p.subtitle Policy, Procedure, and Audit Status
.hero-foot
nav.tabs.is-boxed.is-fullwidth
.container
ul.is-size-4
li.top-nav.overview
strong
a onclick="javascript:show('overview')" Overview
li.top-nav.narratives
strong
a onclick="javascript:show('narratives')" Narratives
li.top-nav.policies
strong
a onclick="javascript:show('policies')" Policies
li.top-nav.procedures
strong
a onclick="javascript:show('procedures')" Procedures
li.top-nav.standards
strong
a onclick="javascript:show('standards')" Standards
/ li.top-nav.evidence
/ a onclick="javascript:show('evidence')" Evidence Vault
#overview.section.top-nav.container.content
blockquote
h3 This site consolidates all documents related to the {{.Project.Name}}
hr
.columns.is-vcentered
.column.is-one-third
div
p.subtitle.is-3.has-text-centered Control Tracking
.column.has-text-centered
div
p.heading Satisfied Controls
p.title
{{.Stats.ControlsSatisfied}}
.column.has-text-centered
div
p.heading Total Controls
p.title
{{.Stats.ControlsTotal}}
.columns.is-vcentered
.column.is-one-third
div
p.subtitle.is-3.has-text-centered Procedure Tracking
.column.has-text-centered
div
p.heading Active Tickets
p.title
a target=_blank href="https://github.com/strongdm/comply/issues?q=is%3Aissue+is%3Aopen+label%3Acomply+label%3Aprocess"
{{.Stats.ProcessOpen}}
.column.has-text-centered
div
p.heading Oldest Ticket
p.title
a {{.Stats.ProcessOldestDays}} days
.columns.is-vcentered
.column.is-one-third
div.has-text-centered
p.subtitle.is-3 Audit Tracking
.column.has-text-centered
div
p.heading Open Requests
p.title
a target=_blank href="https://github.com/strongdm/comply/issues?q=is%3Aissue+is%3Aopen+label%3Acomply+label%3Aaudit"
{{.Stats.AuditOpen}}
.column.has-text-centered
div
p.heading Total Requests
p.title
a target=_blank href="https://github.com/strongdm/comply/issues?q=is%3Aissue+is%3Aclosed+label%3Acomply+label%3Aaudit"
{{.Stats.AuditTotal}}
.columns.is-vcentered
.column.is-one-third
.column.is-two-thirds.has-text-centered
/ progress.progress.is-primary value={{.Stats.AuditClosed}} max={{.Stats.AuditTotal}}
#narratives.section.top-nav.container.content
blockquote
h3
p
strong Narratives
| provide an overview of the organization and the compliance environment.
table.table.is-size-4
thead
tr
th Name
th Acronym
th PDF
tbody
{{range .Narratives }}
tr
td {{.Name}}
td {{.Acronym}}
td
a href={{.OutputFilename}} target=_blank
{{.OutputFilename}}
{{end}}
#policies.section.top-nav.container.content
blockquote
h3
p
strong Policies
| govern the behavior of {{.Project.OrganizationName}} employees and contractors.
table.table.is-size-4
thead
tr
th Name
th Acronym
th PDF
tbody
{{range .Policies }}
tr
td {{.Name}}
td {{.Acronym}}
td
a href={{.OutputFilename}} target=_blank
{{.OutputFilename}}
{{end}}
#procedures.section.top-nav.container.content
blockquote
h3
p
strong Procedures
| prescribe specific steps that are taken in response to key events.
table.table.is-size-4
thead
tr
th Name
th ID
th Schedule (cron format)
tbody
{{range .Procedures }}
tr
td {{.Name}}
td {{.ID}}
{{if .Cron}}
td.cron {{.Cron}}
{{else}}
td On demand
{{end}}
{{end}}
#standards.section.top-nav.container.content
blockquote
h3
p
strong Standards
| specify the controls satisfied by the compliance program.
table.table.is-size-4.is-fullwidth
thead
tr
th Control Key
th Name
th Satisfied?
th Satisfied By
tbody
{{range .Controls }}
tr
td {{.ControlKey}}
td
strong {{.Name}}
.subtitle {{.Description}}
{{if .Satisfied}}
td.is-success Yes
{{else}}
td No
{{end}}
td
{{range .SatisfiedBy}}
a.is-size-7 href={{.}} target=_blank
{{.}}
{{end}}
{{end}}
footer.footer
.container
.content.has-text-centered
p {{.Project.OrganizationName}} Confidential 2018
= javascript
// commented for development
show('overview')