claude-skills-reference/c-level-advisor/ciso-advisor/scripts/compliance_tracker.py
Alireza Rezvani 466aa13a7b feat: C-Suite expansion — 8 new executive advisory roles (2→10) (#264)
* feat: C-Suite expansion — 8 new executive advisory roles

Add COO, CPO, CMO, CFO, CRO, CISO, CHRO advisors and Executive Mentor.
Expands C-level advisory from 2 to 10 roles with 74 total files.

Each role includes:
- SKILL.md (lean, <5KB, ~1200 tokens for context efficiency)
- Reference docs (loaded on demand, not at startup)
- Python analysis scripts (stdlib only, runnable CLI)

Executive Mentor features /em: slash commands (challenge, board-prep,
hard-call, stress-test, postmortem) with devil's advocate agent.

21 Python tools, 24 reference frameworks, 28,379 total lines.
All SKILL.md files combined: ~17K tokens (8.5% of 200K context window).

Badge: 88 → 116 skills

* feat: C-Suite orchestration layer + 18 complementary skills

ORCHESTRATION (new):
- cs-onboard: Founder interview → company-context.md
- chief-of-staff: Routing, synthesis, inter-agent orchestration
- board-meeting: 6-phase multi-agent deliberation protocol
- decision-logger: Two-layer memory (raw transcripts + approved decisions)
- agent-protocol: Inter-agent invocation with loop prevention
- context-engine: Company context loading + anonymization

CROSS-CUTTING CAPABILITIES (new):
- board-deck-builder: Board/investor update assembly
- scenario-war-room: Cascading multi-variable what-if modeling
- competitive-intel: Systematic competitor tracking + battlecards
- org-health-diagnostic: Cross-functional health scoring (8 dimensions)
- ma-playbook: M&A strategy (acquiring + being acquired)
- intl-expansion: International market entry frameworks

CULTURE & COLLABORATION (new):
- culture-architect: Values → behaviors, culture code, health assessment
- company-os: EOS/Scaling Up operating system selection + implementation
- founder-coach: Founder development, delegation, blind spots
- strategic-alignment: Strategy cascade, silo detection, alignment scoring
- change-management: ADKAR-based change rollout framework
- internal-narrative: One story across employees/investors/customers

UPGRADES TO EXISTING ROLES:
- All 10 roles get reasoning technique directives
- All 10 roles get company-context.md integration
- All 10 roles get board meeting isolation rules
- CEO gets stage-adaptive temporal horizons (seed→C)

Key design decisions:
- Two-layer memory prevents hallucinated consensus from rejected ideas
- Phase 2 isolation: agents think independently before cross-examination
- Executive Mentor (The Critic) sees all perspectives, others don't
- 25 Python tools total (stdlib only, no dependencies)

52 new files, 10 modified, 10,862 new lines.
Total C-suite ecosystem: 134 files, 39,131 lines.

* fix: connect all dots — Chief of Staff routes to all 28 skills

- Added complementary skills registry to routing-matrix.md
- Chief of Staff SKILL.md now lists all 28 skills in ecosystem
- Added integration tables to scenario-war-room and competitive-intel
- Badge: 116 → 134 skills
- README: C-Level Advisory count 10 → 28

Quality audit passed:
- All 10 roles: company-context, reasoning, isolation, invocation
- All 6 phases in board meeting
- Two-layer memory with DO_NOT_RESURFACE
- Loop prevention (no self-invoke, max depth 2, no circular)
- All /em: commands present
- All complementary skills cross-reference roles
- Chief of Staff routes to every skill in ecosystem

* refactor: CEO + CTO advisors upgraded to C-suite parity

Both roles now match the structural standard of all new roles:
- CEO: 11.7KB → 6.8KB SKILL.md (heavy content stays in references)
- CTO: 10KB → 7.2KB SKILL.md (heavy content stays in references)

Added to both:
- Integration table (who they work with and when)
- Key diagnostic questions
- Structured metrics dashboard table
- Consistent section ordering (Keywords → Quick Start → Responsibilities → Questions → Metrics → Red Flags → Integration → Reasoning → Context)

CEO additions:
- Stage-adaptive temporal horizons (seed=3m/6m/12m → B+=1y/3y/5y)
- Cross-references to culture-architect and board-deck-builder

CTO additions:
- Key Questions section (7 diagnostic questions)
- Structured metrics table (DORA + debt + team + architecture + cost)
- Cross-references to all peer roles

All 10 roles now pass structural parity: Keywords, QuickStart, Questions, Metrics, RedFlags, Integration

* feat: add proactive triggers + output artifacts to all 10 roles

Every C-suite role now specifies:
- Proactive Triggers: 'surface these without being asked' — context-driven
  early warnings that make advisors proactive, not reactive
- Output Artifacts: concrete deliverables per request type (what you ask →
  what you get)

CEO: runway alerts, board prep triggers, strategy review nudges
CTO: deploy frequency monitoring, tech debt thresholds, bus factor flags
COO: blocker detection, scaling threshold warnings, cadence gaps
CPO: retention curve monitoring, portfolio dog detection, research gaps
CMO: CAC trend monitoring, positioning gaps, budget staleness
CFO: runway forecasting, burn multiple alerts, scenario planning gaps
CRO: NRR monitoring, pipeline coverage, pricing review triggers
CISO: audit overdue alerts, compliance gaps, vendor risk
CHRO: retention risk, comp band gaps, org scaling thresholds
Executive Mentor: board prep triggers, groupthink detection, hard call surfacing

This transforms the C-suite from reactive advisors into proactive partners.

* feat: User Communication Standard — structured output for all roles

Defines 3 output formats in agent-protocol/SKILL.md:

1. Standard Output: Bottom Line → What → Why → How to Act → Risks → Your Decision
2. Proactive Alert: What I Noticed → Why It Matters → Action → Urgency (🔴🟡)
3. Board Meeting: Decision Required → Perspectives → Agree/Disagree → Critic → Action Items

10 non-negotiable rules:
- Bottom line first, always
- Results and decisions only (no process narration)
- What + Why + How for every finding
- Actions have owners and deadlines ('we should consider' is banned)
- Decisions framed as options with trade-offs
- Founder is the highest authority — roles recommend, founder decides
- Risks are concrete (if X → Y, costs $Z)
- Max 5 bullets per section
- No jargon without explanation
- Silence over fabricated updates

All 10 roles reference this standard.
Chief of Staff enforces it as a quality gate.
Board meeting Phase 4 uses the Board Meeting Output format.

* feat: Internal Quality Loop — verification before delivery

No role presents to the founder without passing verification:

Step 1: Self-Verification (every role, every time)
  - Source attribution: where did each data point come from?
  - Assumption audit: [VERIFIED] vs [ASSUMED] tags on every finding
  - Confidence scoring: 🟢 high / 🟡 medium / 🔴 low per finding
  - Contradiction check against company-context + decision log
  - 'So what?' test: every finding needs a business consequence

Step 2: Peer Verification (cross-functional)
  - Financial claims → CFO validates math
  - Revenue projections → CRO validates pipeline backing
  - Technical feasibility → CTO validates
  - People/hiring impact → CHRO validates
  - Skip for single-domain, low-stakes questions

Step 3: Critic Pre-Screen (high-stakes only)
  - Irreversible decisions, >20% runway impact, strategy changes
  - Executive Mentor finds weakest point before founder sees it
  - Suspicious consensus triggers mandatory pre-screen

Step 4: Course Correction (after founder feedback)
  - Approve → log + assign actions
  - Modify → re-verify changed parts
  - Reject → DO_NOT_RESURFACE + learn why
  - 30/60/90 day post-decision review

Board meeting contributions now require self-verified format with
confidence tags and source attribution on every finding.

* fix: resolve PR review issues 1, 4, and minor observation

Issue 1: c-level-advisor/CLAUDE.md — completely rewritten
  - Was: 2 skills (CEO, CTO only), dated Nov 2025
  - Now: full 28-skill ecosystem map with architecture diagram,
    all roles/orchestration/cross-cutting/culture skills listed,
    design decisions, integration with other domains

Issue 4: Root CLAUDE.md — updated all stale counts
  - 87 → 134 skills across all 3 references
  - C-Level: 2 → 33 (10 roles + 5 mentor commands + 18 complementary)
  - Tool count: 160+ → 185+
  - Reference count: 200+ → 250+

Minor observation: Documented plugin.json convention
  - Explained in c-level-advisor/CLAUDE.md that only executive-mentor
    has plugin.json because only it has slash commands (/em: namespace)
  - Other skills are invoked by name through Chief of Staff or directly

Also fixed: README.md 88+ → 134 in two places (first line + skills section)

* fix: update all plugin/index registrations for 28-skill C-suite

1. c-level-advisor/.claude-plugin/plugin.json — v2.0.0
   - Was: 2 skills, generic description
   - Now: all 28 skills listed with descriptions, all 25 scripts,
     namespace 'cs', full ecosystem description

2. .codex/skills-index.json — added 18 complementary skills
   - Was: 10 roles only
   - Now: 28 total c-level entries (10 roles + 6 orchestration +
     6 cross-cutting + 6 culture)
   - Each with full description for skill discovery

3. .claude-plugin/marketplace.json — updated c-level-skills entry
   - Was: generic 2-skill description
   - Now: v2.0.0, full 28-skill ecosystem description,
     skills_count: 28, scripts_count: 25

* feat: add root SKILL.md for c-level-advisor ClawHub package

---------

Co-authored-by: Leo <leo@openclaw.ai>
2026-03-06 01:35:08 +01:00

782 lines
30 KiB
Python
#!/usr/bin/env python3
"""
CISO Compliance Tracker
========================
Tracks compliance requirements across SOC 2, ISO 27001, HIPAA, and GDPR.
Shows control overlaps, estimates effort and cost, and prioritizes by business value.

Usage:
    python compliance_tracker.py                          # Run with sample data
    python compliance_tracker.py --json                   # JSON output
    python compliance_tracker.py --csv output.csv         # Export CSV
    python compliance_tracker.py --framework soc2         # Show single framework
    python compliance_tracker.py --gap-analysis           # Show unaddressed requirements
    python compliance_tracker.py --roadmap soc2,iso27001  # Show sequenced roadmap for the listed frameworks
"""
import argparse
import csv
import json
import sys
from datetime import datetime
from typing import Optional

# ─── Framework Definitions ───────────────────────────────────────────────────

FRAMEWORKS = {
    "soc2": {
        "name": "SOC 2 Type II",
        "full_name": "AICPA Trust Service Criteria — Security",
        "typical_timeline_months": 12,
        "typical_cost_usd": 65_000,  # Audit + platform
        "annual_maintenance_usd": 40_000,
        "business_value": "Enterprise sales unblock, US market table stakes",
        "mandatory_for": ["B2B SaaS selling to enterprise US companies"],
    },
    "iso27001": {
        "name": "ISO 27001:2022",
        "full_name": "Information Security Management System",
        "typical_timeline_months": 15,
        "typical_cost_usd": 95_000,
        "annual_maintenance_usd": 30_000,
        "business_value": "EU enterprise sales, global credibility",
        "mandatory_for": ["EU enterprise customers", "Government contracts"],
    },
    "hipaa": {
        "name": "HIPAA",
        "full_name": "Health Insurance Portability and Accountability Act",
        "typical_timeline_months": 7,
        "typical_cost_usd": 75_000,
        "annual_maintenance_usd": 20_000,
        "business_value": "Healthcare customer access, BAA execution",
        "mandatory_for": ["Business Associates", "Companies handling PHI"],
    },
    "gdpr": {
        "name": "GDPR",
        "full_name": "General Data Protection Regulation (EU) 2016/679",
        "typical_timeline_months": 5,
        "typical_cost_usd": 45_000,
        "annual_maintenance_usd": 15_000,
        "business_value": "EU market access, legal compliance",
        "mandatory_for": ["EU-based companies", "Any company with EU user data"],
    },
}
# ─── Control Domain Library ──────────────────────────────────────────────────

def build_control_domain(
    domain_id: str,
    name: str,
    description: str,
    soc2_ref: Optional[str],
    iso27001_ref: Optional[str],
    hipaa_ref: Optional[str],
    gdpr_ref: Optional[str],
    effort_days: int,           # Estimated implementation effort in person-days
    cost_usd: int,              # Estimated implementation cost (tooling + time)
    implementation_notes: str,
    status: str = "Not Started",  # Not Started | In Progress | Implemented | Verified
    owner: Optional[str] = None,
    target_date: Optional[str] = None,
) -> dict:
    """Build a control domain record.

    A framework is considered applicable to the domain whenever a clause
    reference for that framework is supplied.
    """
    frameworks_applicable = []
    if soc2_ref:
        frameworks_applicable.append("soc2")
    if iso27001_ref:
        frameworks_applicable.append("iso27001")
    if hipaa_ref:
        frameworks_applicable.append("hipaa")
    if gdpr_ref:
        frameworks_applicable.append("gdpr")
    return {
        "domain_id": domain_id,
        "name": name,
        "description": description,
        "references": {
            "soc2": soc2_ref,
            "iso27001": iso27001_ref,
            "hipaa": hipaa_ref,
            "gdpr": gdpr_ref,
        },
        "frameworks_applicable": frameworks_applicable,
        "framework_count": len(frameworks_applicable),
        "effort_days": effort_days,
        "cost_usd": cost_usd,
        "implementation_notes": implementation_notes,
        "status": status,
        "owner": owner,
        "target_date": target_date,
    }
def load_control_library() -> list[dict]:
    """
    Core control domains mapped across SOC 2, ISO 27001, HIPAA, and GDPR.
    Each domain represents a logical grouping of controls. Statuses, owners
    and costs below are sample data for demonstration.
    """
    controls = []

    controls.append(build_control_domain(
        domain_id="IAM-001",
        name="Identity and Access Management",
        description=(
            "Unique user identities, MFA enforcement, SSO, least privilege access, "
            "role-based access control, access provisioning and de-provisioning workflows."
        ),
        soc2_ref="CC6.1, CC6.2, CC6.3",
        iso27001_ref="A.5.15, A.5.16, A.5.17, A.5.18",
        hipaa_ref="§164.312(a)(2)(i), §164.308(a)(3)",
        gdpr_ref="Art. 32(1)(b)",
        effort_days=15,
        cost_usd=25_000,  # SSO + MFA tooling
        implementation_notes=(
            "Deploy IdP (Okta/Azure AD/Google Workspace). Enforce MFA on all applications. "
            "Document access provisioning process. Implement quarterly access reviews."
        ),
        status="In Progress",
        owner="IT/Security",
    ))

    controls.append(build_control_domain(
        domain_id="ENC-001",
        name="Encryption at Rest and in Transit",
        description=(
            "Encryption of sensitive data stored in databases, file systems, and backups. "
            "TLS 1.2+ for all data in transit. Key management and rotation."
        ),
        soc2_ref="CC6.7",
        iso27001_ref="A.8.24",
        hipaa_ref="§164.312(a)(2)(iv), §164.312(e)(2)(ii)",
        gdpr_ref="Art. 32(1)(a)",
        effort_days=10,
        cost_usd=8_000,
        implementation_notes=(
            "Enable encryption at rest on all databases (RDS, S3, etc.). "
            "Configure TLS on all services. Use KMS for key management. "
            "Document encryption standards in a security policy."
        ),
        status="Implemented",
        owner="Engineering",
    ))

    controls.append(build_control_domain(
        domain_id="LOG-001",
        name="Audit Logging and Monitoring",
        description=(
            "Comprehensive logging of user activity, system events, and security events. "
            "Log integrity protection. SIEM or log aggregation. Alerting on anomalies."
        ),
        soc2_ref="CC7.2, CC7.3",
        iso27001_ref="A.8.15, A.8.16, A.8.17",
        hipaa_ref="§164.312(b)",
        gdpr_ref="Art. 32(1)(b)",
        effort_days=20,
        cost_usd=30_000,  # SIEM tooling
        implementation_notes=(
            "Centralize logs from application, infrastructure, and cloud provider. "
            "Define log retention (minimum 1 year). Set up alerting for authentication "
            "failures, privilege escalation, data export events."
        ),
        status="Not Started",
        owner="DevOps/Security",
    ))

    controls.append(build_control_domain(
        domain_id="IR-001",
        name="Incident Response",
        description=(
            "Documented incident response plan. Defined severity levels. Escalation procedures. "
            "Communication templates. Annual tabletop exercise. Post-incident review process."
        ),
        soc2_ref="CC7.3, CC7.4, CC7.5",
        iso27001_ref="A.5.24, A.5.25, A.5.26, A.5.27, A.5.28",
        hipaa_ref="§164.308(a)(6)",
        gdpr_ref="Art. 33, Art. 34",
        effort_days=12,
        cost_usd=10_000,
        implementation_notes=(
            "Write IR plan covering detection, containment, eradication, recovery, communication. "
            "Define breach notification timelines (GDPR: 72 hours to the supervisory authority, "
            "HIPAA: no later than 60 days). Run annual tabletop exercise. Keep an IR firm on retainer."
        ),
        status="In Progress",
        owner="CISO",
    ))

    controls.append(build_control_domain(
        domain_id="VM-001",
        name="Vulnerability Management and Patching",
        description=(
            "Regular vulnerability scanning of infrastructure and applications. "
            "Defined patch SLAs by severity. Penetration testing program. "
            "Dependency vulnerability scanning in CI/CD."
        ),
        soc2_ref="CC7.1",
        iso27001_ref="A.8.8",
        hipaa_ref="§164.308(a)(1)(ii)(A)",
        gdpr_ref="Art. 32(1)(d)",
        effort_days=15,
        cost_usd=20_000,
        implementation_notes=(
            "Deploy infrastructure scanner (Tenable, Qualys, AWS Inspector). "
            "Add SAST/DAST to CI/CD pipeline. Define patch SLAs: Critical <24h, High <7d, "
            "Medium <30d. Conduct annual pentest."
        ),
        status="In Progress",
        owner="DevOps/Security",
    ))

    controls.append(build_control_domain(
        domain_id="VRISK-001",
        name="Vendor and Third-Party Risk Management",
        description=(
            "Inventory of all third-party vendors with data access. Tiered risk assessment "
            "process. Contractual security requirements. Annual reviews for critical vendors."
        ),
        soc2_ref="CC9.2",
        iso27001_ref="A.5.19, A.5.20, A.5.21, A.5.22",
        hipaa_ref="§164.308(b) Business Associate Agreements",
        gdpr_ref="Art. 28 Data Processing Agreements",
        effort_days=10,
        cost_usd=8_000,
        implementation_notes=(
            "Build vendor inventory spreadsheet. Tier vendors (Tier 1: PII access, "
            "Tier 2: business data, Tier 3: no data). Execute DPAs for all processors (GDPR). "
            "Execute BAAs for PHI processors (HIPAA). Annual security questionnaire for Tier 1."
        ),
        status="Not Started",
        owner="Legal/Security",
    ))

    controls.append(build_control_domain(
        domain_id="RISK-001",
        name="Risk Assessment and Treatment",
        description=(
            "Formal risk assessment methodology. Risk register maintained. "
            "Risk treatment decisions documented. Annual risk review cycle."
        ),
        soc2_ref="CC3.1, CC3.2, CC3.3, CC3.4",
        iso27001_ref="Clause 6.1.2, 6.1.3",
        hipaa_ref="§164.308(a)(1) Security Risk Analysis",
        gdpr_ref="Art. 32, Art. 35 DPIA",
        effort_days=15,
        cost_usd=12_000,
        implementation_notes=(
            "Document risk methodology (FAIR, NIST, ISO 27005). Maintain risk register. "
            "HIPAA: formal security risk analysis required, not optional. "
            "GDPR: DPIA required for high-risk processing activities. Annual refresh."
        ),
        status="Not Started",
        owner="CISO",
    ))

    controls.append(build_control_domain(
        domain_id="TRAIN-001",
        name="Security Awareness Training",
        description=(
            "Annual security awareness training for all employees. "
            "Role-specific training for high-risk roles. Phishing simulations. "
            "Training completion tracking."
        ),
        soc2_ref="CC1.4",
        iso27001_ref="A.6.3, A.6.8",
        hipaa_ref="§164.308(a)(5)",
        gdpr_ref="Art. 39(1)(b)",
        effort_days=5,
        cost_usd=8_000,
        implementation_notes=(
            "Deploy security training platform (KnowBe4, Proofpoint, etc.). "
            "Annual training required: track completion (100% target). "
            "Quarterly phishing simulations. Role-specific training for devs (secure coding), "
            "finance (BEC), support (social engineering)."
        ),
        status="Not Started",
        owner="HR/Security",
    ))

    controls.append(build_control_domain(
        domain_id="CHGMGMT-001",
        name="Change Management",
        description=(
            "Formal change management process for production changes. "
            "Code review requirements. Deployment approvals. Rollback procedures. "
            "Change log maintained."
        ),
        soc2_ref="CC8.1",
        iso27001_ref="A.8.32",
        hipaa_ref="§164.312(c)(1) Integrity controls",
        gdpr_ref="Art. 25 Privacy by design",
        effort_days=10,
        cost_usd=5_000,
        implementation_notes=(
            "Document change management policy. Require peer review for all production changes. "
            "Maintain audit trail in version control. No direct production access: "
            "all changes via CI/CD pipeline."
        ),
        status="In Progress",
        owner="Engineering",
    ))

    controls.append(build_control_domain(
        domain_id="BCP-001",
        name="Business Continuity and Disaster Recovery",
        description=(
            "Business continuity plan. Disaster recovery plan with defined RTO/RPO. "
            "Backup procedures with tested restores. Failover capabilities."
        ),
        soc2_ref="A1.1, A1.2, A1.3",
        iso27001_ref="A.5.29, A.5.30",
        hipaa_ref="§164.308(a)(7) Contingency Plan",
        gdpr_ref="Art. 32(1)(c)",
        effort_days=12,
        cost_usd=15_000,
        implementation_notes=(
            "Define RTO (<4 hours) and RPO (<1 hour) targets. Configure automated backups. "
            "Test restore quarterly: backups that aren't tested aren't backups. "
            "Document DR runbook. Annual DR exercise."
        ),
        status="In Progress",
        owner="DevOps",
    ))

    controls.append(build_control_domain(
        domain_id="ASSET-001",
        name="Asset Inventory and Classification",
        description=(
            "Complete inventory of hardware, software, and data assets. "
            "Data classification scheme. Ownership assigned to all assets. "
            "Regular reconciliation."
        ),
        soc2_ref="CC6.1",
        iso27001_ref="A.5.9, A.5.10, A.5.11, A.5.12, A.5.13",
        hipaa_ref="§164.310(d) Device and Media Controls",
        gdpr_ref="Art. 30 Records of Processing Activities",
        effort_days=8,
        cost_usd=5_000,
        implementation_notes=(
            "Build asset register (CMDB or spreadsheet at minimum). "
            "Classify data: Public, Internal, Confidential, Restricted. "
            "GDPR requires RoPA (Record of Processing Activities): a data map of all PII. "
            "ISO 27001 requires an asset inventory (A.5.9) and a Statement of Applicability (SoA) "
            "recording which Annex A controls apply."
        ),
        status="Not Started",
        owner="IT/Security",
    ))

    controls.append(build_control_domain(
        domain_id="ENDPOINT-001",
        name="Endpoint Security",
        description=(
            "EDR/antivirus on all managed endpoints. Device management (MDM). "
            "Full disk encryption. Patch management. BYOD policy."
        ),
        soc2_ref="CC6.8",
        iso27001_ref="A.8.1, A.8.7",
        hipaa_ref="§164.310(b), §164.310(c) Workstation use and security",
        gdpr_ref="Art. 32(1)(a)",
        effort_days=8,
        cost_usd=20_000,
        implementation_notes=(
            "Deploy EDR (CrowdStrike, SentinelOne, or Microsoft Defender for Business). "
            "Enable full disk encryption (FileVault/BitLocker). "
            "MDM for device management. BYOD policy documented."
        ),
        status="In Progress",
        owner="IT",
    ))

    controls.append(build_control_domain(
        domain_id="POLICY-001",
        name="Security Policies and Procedures",
        description=(
            "Documented security policies covering acceptable use, access control, "
            "incident response, data classification, vendor management, etc. "
            "Annual review cycle. Employee attestation."
        ),
        soc2_ref="CC1.2, CC1.3",
        iso27001_ref="A.5.1, A.5.2",
        hipaa_ref="§164.308(a)(1) Security Management Process",
        gdpr_ref="Art. 24 Responsibility of the controller",
        effort_days=15,
        cost_usd=10_000,
        implementation_notes=(
            "Minimum policy set: Information Security Policy, Acceptable Use, "
            "Access Control, Incident Response, Data Classification, Password, "
            "Change Management, Vendor Management, Business Continuity. "
            "Use policy templates from GRC platform (Vanta/Drata)."
        ),
        status="In Progress",
        owner="CISO",
    ))

    controls.append(build_control_domain(
        domain_id="PRIV-001",
        name="Privacy and Data Subject Rights",
        description=(
            "Privacy policy and notices. Data subject rights fulfilment process "
            "(access, erasure, portability). Consent management. Cookie compliance. "
            "Privacy by design in product development."
        ),
        soc2_ref=None,  # Not a SOC 2 requirement (unless the Privacy TSC is in scope)
        iso27001_ref="A.5.34",
        hipaa_ref="§164.524 Access, §164.528 Accounting of Disclosures",
        gdpr_ref="Art. 13, 14, 15-22 (Rights), Art. 25",
        effort_days=20,
        cost_usd=15_000,
        implementation_notes=(
            "GDPR: Update privacy policy, implement DSAR process (30-day SLA), "
            "build deletion capability into product. Cookie consent (PECR/ePrivacy). "
            "HIPAA: Patient rights for PHI access. "
            "Consider OneTrust, Termly, or CookieYes for consent management."
        ),
        status="Not Started",
        owner="Legal/Product",
    ))

    controls.append(build_control_domain(
        domain_id="NET-001",
        name="Network Security and Segmentation",
        description=(
            "Network segmentation (production vs. development vs. corporate). "
            "Firewall rules. Intrusion detection. VPN or ZTNA for remote access."
        ),
        soc2_ref="CC6.6, CC6.7",
        iso27001_ref="A.8.20, A.8.21, A.8.22",
        hipaa_ref="§164.312(e)(1) Transmission security",
        gdpr_ref="Art. 32(1)(a)",
        effort_days=12,
        cost_usd=18_000,
        implementation_notes=(
            "Segment production from development. WAF in front of public applications. "
            "Replace VPN with ZTNA for remote access (Series B+ consideration). "
            "DDoS protection (Cloudflare or AWS Shield)."
        ),
        status="In Progress",
        owner="DevOps",
    ))

    controls.append(build_control_domain(
        domain_id="PENTEST-001",
        name="Penetration Testing",
        description=(
            "Annual external penetration test by qualified third-party firm. "
            "Finding remediation tracking. Results reviewed by leadership."
        ),
        soc2_ref="CC7.1",
        iso27001_ref="A.8.8",
        hipaa_ref="§164.308(a)(8) Evaluation",
        gdpr_ref="Art. 32(1)(d)",
        effort_days=5,
        cost_usd=25_000,
        implementation_notes=(
            "Scope: external attack surface, application, API, and optionally social engineering. "
            "Budget $15-35K for a reputable firm. Track findings in risk register. "
            "Re-test critical findings within 90 days. Share pentest summary with enterprise "
            "customers on request (under NDA)."
        ),
        status="Not Started",
        owner="CISO",
    ))

    return controls
# ─── Analysis ────────────────────────────────────────────────────────────────

DONE_STATUSES = ("Implemented", "Verified")


def calculate_framework_coverage(controls: list[dict]) -> dict:
    """Calculate per-framework coverage statistics."""
    coverage = {}
    for fw in FRAMEWORKS:
        applicable = [c for c in controls if fw in c["frameworks_applicable"]]
        implemented = [c for c in applicable if c["status"] in DONE_STATUSES]
        in_progress = [c for c in applicable if c["status"] == "In Progress"]
        not_started = [c for c in applicable if c["status"] == "Not Started"]
        remaining = [c for c in applicable if c["status"] not in DONE_STATUSES]

        total_effort = sum(c["effort_days"] for c in applicable)
        remaining_effort = sum(c["effort_days"] for c in remaining)
        total_cost = sum(c["cost_usd"] for c in applicable)
        remaining_cost = sum(c["cost_usd"] for c in remaining)
        pct_complete = (len(implemented) / len(applicable) * 100) if applicable else 0

        coverage[fw] = {
            "framework": FRAMEWORKS[fw]["name"],
            "total_controls": len(applicable),
            "implemented": len(implemented),
            "in_progress": len(in_progress),
            "not_started": len(not_started),
            "pct_complete": pct_complete,
            "total_effort_days": total_effort,
            "remaining_effort_days": remaining_effort,
            "total_cost_usd": total_cost,
            "remaining_cost_usd": remaining_cost,
            "gap_controls": [c["name"] for c in not_started],
        }
    return coverage


def find_high_leverage_controls(controls: list[dict]) -> list[dict]:
    """Controls that satisfy the most frameworks: highest ROI to implement."""
    multi_fw = [c for c in controls
                if c["framework_count"] >= 3 and c["status"] not in DONE_STATUSES]
    return sorted(multi_fw, key=lambda c: (-c["framework_count"], c["effort_days"]))


def estimate_roadmap(controls: list[dict], target_frameworks: list[str]) -> list[dict]:
    """
    Generate an ordered implementation roadmap for target frameworks.
    Prioritize: (1) controls blocking most frameworks, (2) quick wins (low effort).
    """
    applicable = [c for c in controls
                  if any(fw in c["frameworks_applicable"] for fw in target_frameworks)
                  and c["status"] not in DONE_STATUSES]

    def priority(c: dict) -> int:
        # Score: (frameworks covered x 10) - effort_days; higher is better.
        # Computed on the fly so the control records are not mutated.
        fw_overlap = sum(1 for fw in target_frameworks if fw in c["frameworks_applicable"])
        return (fw_overlap * 10) - c["effort_days"]

    return sorted(applicable, key=priority, reverse=True)


def fmt_dollars(amount: float) -> str:
    if amount >= 1_000_000:
        return f"${amount / 1_000_000:.1f}M"
    if amount >= 1_000:
        return f"${amount / 1_000:.0f}K"
    return f"${amount:.0f}"


def status_icon(status: str) -> str:
    icons = {
        "Implemented": "✅",
        "Verified": "✅",
        "In Progress": "🔄",
        "Not Started": "⬜",
        "Planned": "📋",
    }
    return icons.get(status, "")
# ─── Display ─────────────────────────────────────────────────────────────────

def print_header():
    print("\n" + "=" * 80)
    print("  CISO COMPLIANCE TRACKER — Multi-Framework Coverage")
    print(f"  Generated: {datetime.now().strftime('%Y-%m-%d %H:%M')}")
    print("=" * 80)


def print_framework_summary(coverage: dict):
    print("\n📋 FRAMEWORK COVERAGE SUMMARY")
    print("-" * 80)
    header = (f"{'Framework':<20} {'Done':<6} {'WIP':<5} {'Gap':<5} {'Complete':<10} "
              f"{'Remain Cost':<14} {'Remain Days'}")
    print(header)
    print("-" * 80)
    for fw_id, data in coverage.items():
        pct = f"{data['pct_complete']:.0f}%"
        print(
            f"{data['framework']:<20} {data['implemented']:<6} {data['in_progress']:<5} "
            f"{data['not_started']:<5} {pct:<10} {fmt_dollars(data['remaining_cost_usd']):<14} "
            f"{data['remaining_effort_days']} days"
        )


def print_control_table(controls: list[dict], framework_filter: Optional[str] = None):
    filtered = controls
    if framework_filter:
        filtered = [c for c in controls if framework_filter in c["frameworks_applicable"]]

    title = "CONTROL DOMAINS"
    if framework_filter:
        title += f" - {FRAMEWORKS[framework_filter]['name']}"
    print(f"\n🔧 {title}")
    print("-" * 96)
    header = f"{'ID':<14} {'Control Name':<30} {'Frameworks':<16} {'Effort':<8} {'Cost':<10} {'Status'}"
    print(header)
    print("-" * 96)
    for c in filtered:
        fw_badges = "/".join(
            fw.upper()[:3] for fw in ["soc2", "iso27001", "hipaa", "gdpr"]
            if fw in c["frameworks_applicable"]
        )
        icon = status_icon(c["status"])
        print(
            f"{c['domain_id']:<14} {c['name'][:29]:<30} {fw_badges:<16} "
            f"{c['effort_days']:>3}d     {fmt_dollars(c['cost_usd']):<10} {icon} {c['status']}"
        )


def print_gap_analysis(coverage: dict):
    print("\n⚠️  GAP ANALYSIS — Controls Not Yet Started")
    print("-" * 70)
    for fw_id, data in coverage.items():
        if data["gap_controls"]:
            print(f"\n  {data['framework']}: {len(data['gap_controls'])} gaps:")
            for gap in data["gap_controls"]:
                print(f"    - {gap}")


def print_high_leverage(controls: list[dict]):
    hl = find_high_leverage_controls(controls)
    print("\n🎯 HIGH-LEVERAGE CONTROLS — Implement Once, Satisfy Multiple Frameworks")
    print("-" * 70)
    print(f"{'Control':<30} {'Frameworks':<35} {'Effort':<8} {'Cost'}")
    print("-" * 70)
    for c in hl:
        fw_list = " + ".join(FRAMEWORKS[fw]["name"] for fw in c["frameworks_applicable"])
        print(
            f"{c['name'][:29]:<30} {fw_list[:34]:<35} "
            f"{c['effort_days']:>3}d     {fmt_dollars(c['cost_usd'])}"
        )


def print_roadmap(controls: list[dict], target_frameworks: list[str]):
    ordered = estimate_roadmap(controls, target_frameworks)
    fw_names = " + ".join(FRAMEWORKS[fw]["name"] for fw in target_frameworks)
    print(f"\n🗺️  IMPLEMENTATION ROADMAP — {fw_names}")
    print("-" * 80)
    print("Priority order: most framework coverage first, then quick wins")
    print()
    cumulative_days = 0
    cumulative_cost = 0
    for i, c in enumerate(ordered, 1):
        cumulative_days += c["effort_days"]
        cumulative_cost += c["cost_usd"]
        fw_badges = ", ".join(
            FRAMEWORKS[fw]["name"] for fw in target_frameworks
            if fw in c["frameworks_applicable"]
        )
        print(f"  {i:>2}. {c['name']}")
        print(f"      Frameworks: {fw_badges}")
        print(f"      Effort: {c['effort_days']} days | Cost: {fmt_dollars(c['cost_usd'])} "
              f"| Cumulative: {cumulative_days}d / {fmt_dollars(cumulative_cost)}")
        if c.get("owner"):
            print(f"      Owner: {c['owner']}")
        print()


def print_framework_profiles():
    print("\n💼 FRAMEWORK PROFILES")
    print("-" * 70)
    for fw_id, fw in FRAMEWORKS.items():
        print(f"\n  {fw['name']} ({fw_id.upper()})")
        print(f"    Timeline: ~{fw['typical_timeline_months']} months")
        print(f"    First-year cost: {fmt_dollars(fw['typical_cost_usd'])}")
        print(f"    Annual maintenance: {fmt_dollars(fw['annual_maintenance_usd'])}/yr")
        print(f"    Business value: {fw['business_value']}")
        print(f"    Required for: {', '.join(fw['mandatory_for'])}")


def export_csv(controls: list[dict], filepath: str):
    fields = [
        "domain_id", "name", "frameworks_applicable", "framework_count",
        "effort_days", "cost_usd", "status", "owner", "target_date",
        "soc2_ref", "iso27001_ref", "hipaa_ref", "gdpr_ref", "implementation_notes",
    ]
    with open(filepath, "w", newline="", encoding="utf-8") as f:
        writer = csv.DictWriter(f, fieldnames=fields)
        writer.writeheader()
        for c in controls:
            row = {k: c.get(k, "") for k in fields}
            row["frameworks_applicable"] = ", ".join(c["frameworks_applicable"])
            # Flatten the nested references dict into one column per framework.
            row["soc2_ref"] = c["references"].get("soc2") or ""
            row["iso27001_ref"] = c["references"].get("iso27001") or ""
            row["hipaa_ref"] = c["references"].get("hipaa") or ""
            row["gdpr_ref"] = c["references"].get("gdpr") or ""
            writer.writerow(row)
    print(f"✅ Exported {len(controls)} controls to {filepath}")
# ─── Main ────────────────────────────────────────────────────────────────────

def main():
    parser = argparse.ArgumentParser(
        description="CISO Compliance Tracker — Multi-framework coverage and roadmap"
    )
    parser.add_argument("--json", action="store_true", help="Output JSON")
    parser.add_argument("--csv", metavar="FILE", help="Export CSV to file")
    parser.add_argument(
        "--framework", metavar="FRAMEWORK",
        choices=list(FRAMEWORKS.keys()),
        help="Filter to single framework (soc2, iso27001, hipaa, gdpr)"
    )
    parser.add_argument("--gap-analysis", action="store_true", help="Show gap analysis")
    parser.add_argument("--roadmap", metavar="FRAMEWORKS",
                        help="Sequenced roadmap for frameworks e.g. 'soc2,iso27001'")
    parser.add_argument("--profiles", action="store_true", help="Show framework profiles")
    parser.add_argument("--leverage", action="store_true", help="Show high-leverage controls")
    args = parser.parse_args()

    controls = load_control_library()
    coverage = calculate_framework_coverage(controls)

    if args.json:
        output = {
            "generated": datetime.now().isoformat(),
            "frameworks": FRAMEWORKS,
            "coverage": coverage,
            "controls": controls,
        }
        print(json.dumps(output, indent=2, default=str))
        return

    if args.csv:
        export_csv(controls, args.csv)
        return

    print_header()

    if args.profiles:
        print_framework_profiles()
        return

    if args.roadmap:
        target_fws = [fw.strip() for fw in args.roadmap.split(",") if fw.strip() in FRAMEWORKS]
        if not target_fws:
            print(f"Unknown frameworks. Valid: {', '.join(FRAMEWORKS.keys())}")
            sys.exit(1)
        print_framework_summary(coverage)
        print_roadmap(controls, target_fws)
        return

    print_framework_summary(coverage)
    print_control_table(controls, args.framework)

    if args.gap_analysis:
        print_gap_analysis(coverage)
    if args.leverage:
        print_high_leverage(controls)

    if not any([args.framework, args.gap_analysis, args.leverage]):
        print_high_leverage(controls)
        print_gap_analysis(coverage)
        print("\n💡 NEXT STEPS")
        print("  --roadmap soc2,iso27001   Priority order for dual-framework")
        print("  --framework hipaa         HIPAA-only control view")
        print("  --gap-analysis            What's not started")
        print("  --leverage                Controls covering most frameworks")
        print("  --profiles                Framework timelines and costs")
        print("  --csv controls.csv        Export for stakeholder review")
        print()


if __name__ == "__main__":
    main()
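The tracker above prices each framework on its own (`typical_cost_usd`, `remaining_cost_usd` per framework), and `find_high_leverage_controls` points at the overlap, but neither answers the planning question a CISO usually gets asked: what does a second framework cost on top of the one already in flight? The block below is an added example, not code from compliance_tracker.py or its repository. It reuses the record schema that `build_control_domain()` emits, but the control records, the ISO-only `ISMS-001` domain and the dates are constructed sample data. It also evaluates the `target_date` field the tracker stores but never reads, and rejects status strings the tracker does not define so a typo cannot silently count a control as done or open.

```python
"""Added example (not part of compliance_tracker.py): incremental cost of a
second framework, plus overdue-target detection, over tracker-shaped records."""
from datetime import date
from typing import Union

# Constructed sample records with the same keys build_control_domain() produces.
# ISMS-001 is a hypothetical ISO-only domain, included to show a non-overlapping control.
SAMPLE_CONTROLS = [
    {"domain_id": "IAM-001", "frameworks_applicable": ["soc2", "iso27001", "hipaa", "gdpr"],
     "effort_days": 15, "cost_usd": 25_000, "status": "In Progress", "target_date": "2026-02-28"},
    {"domain_id": "ENC-001", "frameworks_applicable": ["soc2", "iso27001", "hipaa", "gdpr"],
     "effort_days": 10, "cost_usd": 8_000, "status": "Implemented", "target_date": None},
    {"domain_id": "PRIV-001", "frameworks_applicable": ["iso27001", "hipaa", "gdpr"],
     "effort_days": 20, "cost_usd": 15_000, "status": "Not Started", "target_date": "2026-06-30"},
    {"domain_id": "BCP-001", "frameworks_applicable": ["soc2", "iso27001", "hipaa", "gdpr"],
     "effort_days": 12, "cost_usd": 15_000, "status": "In Progress", "target_date": "2026-01-15"},
    {"domain_id": "ISMS-001", "frameworks_applicable": ["iso27001"],
     "effort_days": 8, "cost_usd": 6_000, "status": "Not Started", "target_date": None},
]

DONE_STATUSES = ("Implemented", "Verified")
VALID_STATUSES = DONE_STATUSES + ("Not Started", "In Progress")


def incremental_plan(controls: list[dict], have: str, add: str,
                     today: Union[str, date]) -> dict:
    """Open work that framework `add` needs beyond what `have` already requires.

    Returns standalone vs. incremental effort/cost for `add`, the controls that
    are new, the open controls shared with `have`, and any open control whose
    target_date is already past `today`. Raises ValueError on an unknown status.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)

    new_ids, shared_open_ids, overdue_ids = [], [], []
    incremental_days = incremental_cost = 0
    standalone_days = standalone_cost = 0

    for c in controls:
        if c["status"] not in VALID_STATUSES:
            raise ValueError(f"{c['domain_id']}: unknown status {c['status']!r}")
        fws = c["frameworks_applicable"]
        if add not in fws or c["status"] in DONE_STATUSES:
            continue  # not in scope for `add`, or already done

        # Cost of `add` pursued alone: this is the number the tracker reports.
        standalone_days += c["effort_days"]
        standalone_cost += c["cost_usd"]

        if have in fws:
            # Already on the `have` plan: no extra budget, but it still gates `add`.
            shared_open_ids.append(c["domain_id"])
        else:
            new_ids.append(c["domain_id"])
            incremental_days += c["effort_days"]
            incremental_cost += c["cost_usd"]

        # A past target date on an open control is schedule risk for both audits.
        if c["target_date"] and date.fromisoformat(c["target_date"]) < today:
            overdue_ids.append(c["domain_id"])

    return {
        "standalone_effort_days": standalone_days,
        "standalone_cost_usd": standalone_cost,
        "incremental_effort_days": incremental_days,
        "incremental_cost_usd": incremental_cost,
        "new_control_ids": new_ids,
        "shared_open_ids": shared_open_ids,
        "overdue_ids": overdue_ids,
    }


if __name__ == "__main__":
    plan = incremental_plan(SAMPLE_CONTROLS, have="soc2", add="iso27001", today="2026-03-06")
    print(f"ISO 27001 alone:           {plan['standalone_effort_days']}d / ${plan['standalone_cost_usd']:,}")
    print(f"ISO 27001 on top of SOC 2: {plan['incremental_effort_days']}d / ${plan['incremental_cost_usd']:,}")
    print("New controls:    ", plan["new_control_ids"])
    print("Shared, open:    ", plan["shared_open_ids"])
    print("Overdue targets: ", plan["overdue_ids"])
```

On the sample data the standalone figure for ISO 27001 is 55 days and $61K, but only PRIV-001 and ISMS-001 (28 days, $21K) are work the SOC 2 programme would not already have to do; IAM-001 and BCP-001 are shared and both past their target dates, so they gate both audits. To run this against the tracker's real library, pass `load_control_library()` in place of `SAMPLE_CONTROLS`; the record keys are the same.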