From 810217b7c6685c3ac01d17a3051baa423c602afd Mon Sep 17 00:00:00 2001 From: Mariano Fuentes Date: Thu, 13 Feb 2025 12:52:46 -0800 Subject: [PATCH 1/7] fix controls --- .../framework/select-frameworks-action.ts | 96 ++++++++++------ .../(home)/Components/FrameworksOverview.tsx | 1 - .../Actions/getOrganizationCategories.ts | 73 ++++++++++++ .../Actions/getOrganizationFramework.ts | 70 ++++++++++++ .../hooks/useOrganizationCategories.ts | 46 ++++++++ .../hooks/useOrganizationFramework.ts | 42 +++++++ .../frameworks/[frameworkId]/page.tsx | 106 +----------------- .../frameworks/framework-controls.tsx | 29 +++-- .../frameworks/framework-overview.tsx | 28 ++--- .../components/tables/frameworks/columns.tsx | 11 +- .../tables/frameworks/data-table.tsx | 6 +- .../migration.sql | 26 +++++ .../migration.sql | 11 ++ .../migration.sql | 11 ++ .../db/prisma/migrations/migration_lock.toml | 3 + packages/db/prisma/schema.prisma | 23 ++++ packages/db/prisma/seed.ts | 18 +++ 17 files changed, 424 insertions(+), 176 deletions(-) create mode 100644 apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/Actions/getOrganizationCategories.ts create mode 100644 apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/Actions/getOrganizationFramework.ts create mode 100644 apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/hooks/useOrganizationCategories.ts create mode 100644 apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/hooks/useOrganizationFramework.ts create mode 100644 packages/db/prisma/migrations/20250212204100_add_organization_category_table/migration.sql create mode 100644 packages/db/prisma/migrations/20250212205810_fix_unique_constraint/migration.sql create mode 100644 packages/db/prisma/migrations/20250212210730_add_framework_id_to_org_cat/migration.sql create mode 100644 packages/db/prisma/migrations/migration_lock.toml 
diff --git a/apps/app/src/actions/framework/select-frameworks-action.ts b/apps/app/src/actions/framework/select-frameworks-action.ts
index af1aae8783..7939a7d4a7 100644
--- a/apps/app/src/actions/framework/select-frameworks-action.ts
+++ b/apps/app/src/actions/framework/select-frameworks-action.ts
@@ -30,12 +30,18 @@ export const selectFrameworksAction = authActionClient
 }
 try {
- await Promise.all([
+ // First create categories
+ await createOrganizationCategories(user as User, frameworkIds);
+
+ // Then create frameworks and controls
+ await Promise.all(
 frameworkIds.map((frameworkId) =>
 createOrganizationFramework(user as User, frameworkId)
- ),
- createOrganizationPolicy(user as User, frameworkIds),
- ]);
+ )
+ );
+
+ // Finally create policies
+ await createOrganizationPolicy(user as User, frameworkIds);
 return {
 data: true,
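Review bot: The three steps introduced here (createOrganizationCategories, the Promise.all over createOrganizationFramework, createOrganizationPolicy) are separate awaits with no transaction around them, so a failure in the second or third step leaves the categories from the first step committed. A retry of selectFrameworksAction then runs createOrganizationCategories again, and since that helper uses createMany without skipDuplicates (and the migration in this series drops the organizationId/name unique index), the organization ends up with duplicate category rows. Wrapping the three steps in `db.$transaction(async (tx) => { … })` and passing `tx` into the helpers would make the selection atomic; alternatively make createOrganizationCategories skip categories that already exist for (organizationId, frameworkId). The enclosing action starts before and ends after this hunk.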
@@ -65,46 +71,40 @@ const createOrganizationFramework = async (user: User, frameworkId: string) => {
 },
 });
- // For each framework we need to get the categories and controls.
- const framework = await db.framework.findUnique({
- where: { id: frameworkId },
- });
-
- if (!framework) {
- throw new Error("Framework not found");
- }
-
+ // Get the framework categories and their corresponding organization categories
 const frameworkCategories = await db.frameworkCategory.findMany({
 where: { frameworkId },
- select: {
- id: true,
+ include: {
+ controls: true,
 },
 });
- // For each category we need to get the controls.
- const frameworkControls = await db.control.findMany({
+ // Get the organization categories that were just created
+ const organizationCategories = await db.organizationCategory.findMany({
 where: {
- frameworkCategoryId: {
- in: frameworkCategories.map((category) => category.id),
- },
- },
- select: {
- id: true,
+ organizationId: user.organizationId,
+ frameworkId,
 },
 });
- if (!user.organizationId) {
- throw new Error("Organization ID is required");
+ // Create controls for each category
+ for (const frameworkCategory of frameworkCategories) {
+ const organizationCategory = organizationCategories.find(
+ (oc) => oc.name === frameworkCategory.name
+ );
+
+ if (!organizationCategory) continue;
+
+ await db.organizationControl.createMany({
+ data: frameworkCategory.controls.map((control) => ({
+ organizationFrameworkId: organizationFramework.id,
+ controlId: control.id,
+ organizationId: user.organizationId!,
+ status: "not_started",
+ organizationCategoryId: organizationCategory.id,
+ })),
+ });
 }
-
- await db.organizationControl.createMany({
- data: frameworkControls.map((control) => ({
- organizationFrameworkId: organizationFramework.id,
- controlId: control.id,
- organizationId: user.organizationId!,
- status: "not_started",
- })),
- });
 };
 const createOrganizationPolicy = async (user: User, frameworkIds: string[]) => {
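Review bot: The `organizationId: user.organizationId` filter in the new organizationCategory.findMany has no null guard left in this function: the `if (!user.organizationId) throw` that this hunk deletes was the only in-function check, and Prisma treats an `undefined` value inside `where` as "no condition", so a user without an organization would match every organization's categories for that framework while `user.organizationId!` silences the compiler on the insert below. The caller presumably guards this today (its check sits above the hunk in selectFrameworksAction), but the helper should not depend on that; keep `if (!user.organizationId) { throw new Error("Organization ID is required"); }` at the top of createOrganizationFramework, whose start is outside the hunk. Matching categories by `oc.name === frameworkCategory.name` is also fragile: if the organization selected this framework earlier, findMany returns older rows with the same name and `.find` silently picks the first one, so returning the created rows from createOrganizationCategories and matching on ids would be more robust.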
@@ -143,3 +143,31 @@ const createOrganizationPolicy = async (user: User, frameworkIds: string[]) => {
 return organizationPolicies;
 };
+
+const createOrganizationCategories = async (
+ user: User,
+ frameworkIds: string[]
+) => {
+ if (!user.organizationId) {
+ throw new Error("Not authorized - no organization found");
+ }
+
+ // For each frameworkCategory we need to get the controls.
+ const frameworkCategories = await db.frameworkCategory.findMany({
+ where: {
+ frameworkId: { in: frameworkIds },
+ },
+ });
+
+ // Create the organization categories.
+ const organizationCategories = await db.organizationCategory.createMany({
+ data: frameworkCategories.map((category) => ({
+ name: category.name,
+ description: category.description,
+ organizationId: user.organizationId!,
+ frameworkId: category.frameworkId,
+ })),
+ });
+
+ return organizationCategories;
+};
diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/(home)/Components/FrameworksOverview.tsx b/apps/app/src/app/[locale]/(app)/(dashboard)/(home)/Components/FrameworksOverview.tsx
index 77d9f2b655..eaacdb9153 100644
--- a/apps/app/src/app/[locale]/(app)/(dashboard)/(home)/Components/FrameworksOverview.tsx
+++ b/apps/app/src/app/[locale]/(app)/(dashboard)/(home)/Components/FrameworksOverview.tsx
@@ -12,7 +12,6 @@ export const FrameworksOverview = () => {
 frameworks,
 availableFrameworks,
 isLoading,
- isMutating,
 error,
 selectFrameworks,
 } = useFrameworks();
diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/Actions/getOrganizationCategories.ts b/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/Actions/getOrganizationCategories.ts
new file mode 100644
index 0000000000..b9b1765a2e
--- /dev/null
+++ b/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/Actions/getOrganizationCategories.ts
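Review bot: createOrganizationCategories is not idempotent: `db.organizationCategory.createMany` runs on every call with no `skipDuplicates` and no check for rows that already exist for this organization and framework, and the migration in this series removes the organizationId/name unique index that would otherwise have rejected the second insert. Selecting the same framework twice, or retrying after a downstream failure, therefore produces duplicate categories that the name-based lookup in createOrganizationFramework then picks from arbitrarily. Either query existing rows for `{ organizationId, frameworkId: { in: frameworkIds } }` first and create only the missing ones, or restore a composite unique constraint and pass `skipDuplicates: true`. The comment `// For each frameworkCategory we need to get the controls.` is also stale, since this query fetches no controls; `// Load the framework categories to copy into the organization.` describes what the code does. The returned value is the createMany count, not the rows, which the caller cannot use to match categories later.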
@@ -0,0 +1,73 @@ +"use server"; + +import { db } from "@bubba/db"; +import { authActionClient } from "@/actions/safe-action"; +import type { + Framework, + OrganizationControl, + OrganizationFramework, + OrganizationCategory, + Control, +} from "@bubba/db"; +import { z } from "zod"; + +export type OrganizationCategoryWithControls = OrganizationCategory & { + organizationControl: (OrganizationControl & { + control: Control; + })[]; +}; + +export interface OrganizationCategoriesResponse { + organizationCategories: OrganizationCategoryWithControls[]; +} + +export const getOrganizationCategories = authActionClient + .schema(z.object({ frameworkId: z.string() })) + .metadata({ + name: "getOrganizationCategories", + track: { + event: "get-organization-categories", + channel: "server", + }, + }) + .action(async ({ ctx, parsedInput }) => { + const { user } = ctx; + const { frameworkId } = parsedInput; + + if (!user.organizationId) { + return { + error: "Not authorized - no organization found", + }; + } + + try { + const organizationCategories = await db.organizationCategory.findMany({ + where: { + organizationId: user.organizationId, + frameworkId, + }, + include: { + organizationControl: { + include: { + control: true, + }, + }, + }, + }); + + if (!organizationCategories) { + return { + error: "Organization categories not found", + }; + } + + return { + data: organizationCategories, + }; + } catch (error) { + console.error("Error fetching organization categories:", error); + return { + error: "Failed to fetch organization categories", + }; + } + }); diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/Actions/getOrganizationFramework.ts b/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/Actions/getOrganizationFramework.ts new file mode 100644 index 0000000000..f167aba545 --- /dev/null +++ b/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/Actions/getOrganizationFramework.ts 
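Review bot: The `if (!organizationCategories)` branch after the findMany is dead code, because Prisma's findMany always resolves to an array (possibly empty), never null or undefined, so the "Organization categories not found" response can never be sent. If an empty result should be reported as an error, the check needs to be `if (organizationCategories.length === 0)`; otherwise drop the branch so the reader is not misled about the contract. The type imports `Framework` and `OrganizationFramework` in this new file are unused as well, and `console.error("Error fetching organization categories:", error)` logs the raw Prisma error, which may include query details; logging only `error instanceof Error ? error.message : String(error)` keeps the server log tidy.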
@@ -0,0 +1,70 @@ +"use server"; + +import { db } from "@bubba/db"; +import { authActionClient } from "@/actions/safe-action"; +import type { + Framework, + OrganizationControl, + OrganizationFramework, +} from "@bubba/db"; +import { z } from "zod"; + +export type FrameworkWithControls = OrganizationFramework & { + organizationControl: OrganizationControl[]; + framework: Framework; +}; + +export interface FrameworksResponse { + frameworks: FrameworkWithControls[]; + availableFrameworks: Framework[]; +} + +export const getOrganizationFramework = authActionClient + .schema(z.object({ frameworkId: z.string() })) + .metadata({ + name: "getOrganizationFramework", + track: { + event: "get-organization-framework", + channel: "server", + }, + }) + .action(async ({ ctx, parsedInput }) => { + const { user } = ctx; + const { frameworkId } = parsedInput; + + if (!user.organizationId) { + return { + error: "Not authorized - no organization found", + }; + } + + try { + const framework = await db.organizationFramework.findUnique({ + where: { + organizationId_frameworkId: { + organizationId: user.organizationId, + frameworkId: frameworkId, + }, + }, + include: { + framework: true, + organizationControl: true, + }, + }); + + if (!framework) { + return { + error: "Framework not found", + }; + } + + return { + data: framework, + }; + } catch (error) { + console.error("Error fetching framework:", error); + return { + error: "Failed to fetch framework", + }; + } + }); diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/hooks/useOrganizationCategories.ts b/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/hooks/useOrganizationCategories.ts new file mode 100644 index 0000000000..4329e213c9 --- /dev/null +++ b/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/hooks/useOrganizationCategories.ts 
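Review bot: The exported `FrameworksResponse` interface (`frameworks`/`availableFrameworks`) describes a list response that this action never produces; it looks copied from the frameworks-list action and only adds a misleading public type to this module. Delete it, or narrow it to the shape actually returned here, `{ data: FrameworkWithControls } | { error: string }`. The `organizationId_frameworkId` compound key lookup is the right tenant scoping for this query, so the authorization side of the new action reads fine.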
@@ -0,0 +1,46 @@ +"use client"; + +import useSWR from "swr"; +import { + getOrganizationCategories, + OrganizationCategoryWithControls, +} from "../Actions/getOrganizationCategories"; + +async function fetchOrganizationCategories( + frameworkId: string +): Promise { + const result = await getOrganizationCategories({ frameworkId }); + + console.log({ result }); + + if (!result) { + throw new Error("Failed to fetch frameworks"); + } + + const data = result.data?.data; + if (!data) { + throw new Error("Invalid response from server"); + } + + return data; +} + +export function useOrganizationCategories(frameworkId: string) { + const { data, error, isLoading, mutate } = useSWR< + OrganizationCategoryWithControls[] + >( + ["organization-categories", frameworkId], + () => fetchOrganizationCategories(frameworkId), + { + revalidateOnFocus: false, + revalidateOnReconnect: false, + } + ); + + return { + data, + isLoading, + error, + mutate, + }; +} diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/hooks/useOrganizationFramework.ts b/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/hooks/useOrganizationFramework.ts new file mode 100644 index 0000000000..6cdbd1c075 --- /dev/null +++ b/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/hooks/useOrganizationFramework.ts 
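Review bot: `console.log({ result })` in fetchOrganizationCategories dumps the entire server-action result, including every organization control row, to the browser console on each fetch and should be removed before merge. The error handling below it also discards the server's message: when the action returns `{ error: "Not authorized - no organization found" }`, `result.data?.data` is undefined and the client only sees "Invalid response from server", and the thrown "Failed to fetch frameworks" text is copied from another hook and names the wrong resource. Surface the server error first, e.g. `if (result.data && "error" in result.data) throw new Error(result.data.error);`, and rename the fallback to "Failed to fetch organization categories". The same leftover error text and swallowed server error appear in the next hunk, useOrganizationFramework.ts.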
@@ -0,0 +1,42 @@ +"use client"; + +import useSWR from "swr"; +import { + FrameworkWithControls, + getOrganizationFramework, +} from "../Actions/getOrganizationFramework"; + +async function fetchOrganizationFramework( + frameworkId: string +): Promise { + const result = await getOrganizationFramework({ frameworkId }); + + if (!result) { + throw new Error("Failed to fetch frameworks"); + } + + const data = result.data?.data; + if (!data) { + throw new Error("Invalid response from server"); + } + + return data; +} + +export function useOrganizationFramework(frameworkId: string) { + const { data, error, isLoading, mutate } = useSWR( + ["organization-framework", frameworkId], + () => fetchOrganizationFramework(frameworkId), + { + revalidateOnFocus: false, + revalidateOnReconnect: false, + } + ); + + return { + data, + isLoading, + error, + mutate, + }; +} diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/page.tsx b/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/page.tsx index f1e66f3914..f9da49158f 100644 --- a/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/page.tsx +++ b/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/page.tsx @@ -21,114 +21,14 @@ export default async function FrameworkPage({ params }: PageProps) { redirect("/login"); } - const [framework, organizationFramework, categories] = await Promise.all([ - getFramework(frameworkId), - getOrganizationFramework(frameworkId, session.user.organizationId), - getFrameworkCategories(frameworkId, session.user.organizationId), - ]); - - if (!framework || !organizationFramework) { + if (!frameworkId) { redirect("/"); } return (
- }> - - - - }> - - + +
); } - -const getFramework = unstable_cache( - async (frameworkId: string) => { - return db.framework.findFirst({ - where: { - id: frameworkId, - }, - include: { - categories: { - include: { - controls: true, - }, - }, - }, - }); - }, - ["framework-cache"], - { - tags: ["framework-cache"], - } -); - -const getOrganizationFramework = unstable_cache( - async (frameworkId: string, organizationId: string) => { - return db.organizationFramework.findFirst({ - where: { - frameworkId, - organizationId, - }, - include: { - organizationControl: { - include: { - control: true, - artifacts: true, - }, - }, - }, - }); - }, - ["org-framework-cache"], - { - tags: ["org-framework-cache"], - } -); - -const getFrameworkCategories = unstable_cache( - async (frameworkId: string, organizationId: string) => { - const categories = await db.frameworkCategory.findMany({ - where: { - frameworkId, - }, - include: { - controls: { - include: { - organizationControls: { - where: { - organizationId, - }, - include: { - artifacts: true, - }, - }, - }, - }, - }, - }); - - return categories.map((category) => ({ - ...category, - controls: category.controls.map((control) => ({ - id: control.id, - name: control.name, - code: control.code, - description: control.description, - domain: control.domain, - frameworkCategoryId: control.frameworkCategoryId, - status: control.organizationControls[0]?.status || "not_started", - artifacts: control.organizationControls[0]?.artifacts || [], - })), - })); - }, - ["framework-categories-cache"], - { - tags: ["framework-categories-cache"], - } -); diff --git a/apps/app/src/components/frameworks/framework-controls.tsx b/apps/app/src/components/frameworks/framework-controls.tsx index 17b10729a0..e639d32b9a 100644 --- a/apps/app/src/components/frameworks/framework-controls.tsx +++ b/apps/app/src/components/frameworks/framework-controls.tsx 
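Review bot: Replacing the `!framework || !organizationFramework` check with `if (!frameworkId) redirect("/")` means the page now renders for any frameworkId string, including frameworks this organization never selected; the route segment always supplies a non-empty frameworkId, so the new guard is effectively never taken. The existence and membership checks now live only in the client hooks, which just return null on a miss, so a wrong id yields a blank section instead of a redirect. Consider keeping a server-side `db.organizationFramework.findUnique` on the compound organizationId/frameworkId key before rendering, or at least having the client components render a not-found state. If `unstable_cache` and `db` were imported only for the three helpers removed here, those imports above the hunk are now unused.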
@@ -10,16 +10,23 @@ import { } from "@bubba/ui/card"; import { DataTable } from "@/components/tables/frameworks/data-table"; +import { useOrganizationFramework } from "@/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/hooks/useOrganizationFramework"; +import { useOrganizationCategories } from "@/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/hooks/useOrganizationCategories"; interface FrameworkControlsProps { - categories: TransformedCategory[]; frameworkId: string; } -export function FrameworkControls({ - categories, - frameworkId, -}: FrameworkControlsProps) { +export function FrameworkControls({ frameworkId }: FrameworkControlsProps) { + const { data: organizationCategories } = + useOrganizationCategories(frameworkId); + + console.log({ organizationCategories, frameworkId }); + + if (!organizationCategories) { + return null; + } + return ( @@ -27,15 +34,17 @@ export function FrameworkControls({ Review and manage compliance controls - {categories.map((category) => ( + {organizationCategories.map((category) => (
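Review bot: `console.log({ organizationCategories, frameworkId })` in FrameworkControls prints the full category and control payload to the console on every render and should be removed. The `if (!organizationCategories) return null;` that follows also collapses the loading and error states into a blank card: the hook returns `isLoading` and `error`, but only `data` is destructured, so a failed fetch looks identical to a slow one. Destructure `{ data: organizationCategories, isLoading, error }` and render a distinct message for `error` before returning null for the loading case.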

{category.name}

({ - ...control, + data={category.organizationControl.map((control) => ({ + code: control.control.code, + description: control.control.description, + name: control.control.name, + status: control.status, + id: control.id, frameworkId, - categoryId: category.id, - requiredArtifactTypes: [], }))} />
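Review bot: The `id: control.id` in the rebuilt table row is now the OrganizationControl id, whereas the removed `...control` spread supplied the Control id, so any column cell in columns.tsx that builds a link or lookup from `id` would now resolve to a different entity; that file is not in this hunk, so please confirm which id the columns expect. If both are needed, pass them explicitly, e.g. `id: control.id, controlId: control.control.id,`, and extend OrganizationControlType accordingly.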
diff --git a/apps/app/src/components/frameworks/framework-overview.tsx b/apps/app/src/components/frameworks/framework-overview.tsx index fdefbe1fb6..b912d63adf 100644 --- a/apps/app/src/components/frameworks/framework-overview.tsx +++ b/apps/app/src/components/frameworks/framework-overview.tsx @@ -1,5 +1,6 @@ "use client"; +import { useOrganizationFramework } from "@/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/hooks/useOrganizationFramework"; import type { Control, Framework, @@ -13,32 +14,27 @@ import { format } from "date-fns"; import { CalendarIcon } from "lucide-react"; interface FrameworkOverviewProps { - framework: Framework & { - categories: { - controls: Control[]; - }[]; - }; - organizationFramework: OrganizationFramework & { - organizationControl: OrganizationControl[]; - }; + frameworkId: string; } -export function FrameworkOverview({ - framework, - organizationFramework, -}: FrameworkOverviewProps) { +export function FrameworkOverview({ frameworkId }: FrameworkOverviewProps) { + const { data: organizationFramework } = useOrganizationFramework(frameworkId); + console.log({ organizationFramework }); + + return null; + // Calculate compliance metrics - const totalControls = framework.categories.reduce( + const totalControls = data?.categories.reduce( (acc, cat) => acc + cat.controls.length, - 0, + 0 ); const compliantControls = organizationFramework.organizationControl.filter( - (oc) => oc.status === "compliant", + (oc) => oc.status === "compliant" ).length; const compliancePercentage = Math.round( - (compliantControls / totalControls) * 100, + (compliantControls / totalControls) * 100 ); return ( diff --git a/apps/app/src/components/tables/frameworks/columns.tsx b/apps/app/src/components/tables/frameworks/columns.tsx index 1d6a218798..a17d8243fc 100644 --- a/apps/app/src/components/tables/frameworks/columns.tsx +++ b/apps/app/src/components/tables/frameworks/columns.tsx 
@@ -8,23 +8,16 @@ import { useI18n } from "@/locales/client"; import type { ArtifactType, ComplianceStatus } from "@bubba/db"; import type { ColumnDef } from "@tanstack/react-table"; -export type FrameworkControlType = { +export type OrganizationControlType = { id: string; name: string; code: string; description: string | null; - categoryId: string; status: ComplianceStatus; - artifacts: { - id: string; - organizationControlId: string; - artifactId: string; - }[]; frameworkId: string; - requiredArtifactTypes: ArtifactType[]; }; -export function columns(): ColumnDef[] { +export function columns(): ColumnDef[] { const t = useI18n(); return [ diff --git a/apps/app/src/components/tables/frameworks/data-table.tsx b/apps/app/src/components/tables/frameworks/data-table.tsx index 25c1dd3c44..64f4983dce 100644 --- a/apps/app/src/components/tables/frameworks/data-table.tsx +++ b/apps/app/src/components/tables/frameworks/data-table.tsx @@ -8,11 +8,11 @@ import { useReactTable, } from "@tanstack/react-table"; import { Suspense } from "react"; -import { type FrameworkControlType, columns as getColumns } from "./columns"; +import { type OrganizationControlType, columns as getColumns } from "./columns"; import { DataTableHeader } from "./data-table-header"; interface DataTableProps { - data: FrameworkControlType[]; + data: OrganizationControlType[]; } export function DataTable({ data }: DataTableProps) { @@ -41,7 +41,7 @@ export function DataTable({ data }: DataTableProps) { {flexRender( cell.column.columnDef.cell, - cell.getContext(), + cell.getContext() )} ))} diff --git a/packages/db/prisma/migrations/20250212204100_add_organization_category_table/migration.sql b/packages/db/prisma/migrations/20250212204100_add_organization_category_table/migration.sql new file mode 100644 index 0000000000..02ef80fb03 --- /dev/null +++ b/packages/db/prisma/migrations/20250212204100_add_organization_category_table/migration.sql 
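Review bot: `ArtifactType` in the `import type { ArtifactType, ComplianceStatus } from "@bubba/db";` context line is now an unused import, because its only use, the `requiredArtifactTypes: ArtifactType[]` field, is removed in this hunk. Trim the import to `import type { ComplianceStatus } from "@bubba/db";`. The remaining `OrganizationControlType` has no field for the artifacts that the old type carried, so if any column still rendered artifact counts it will no longer type-check; that code sits below the hunk.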
@@ -0,0 +1,26 @@ +-- AlterTable +ALTER TABLE "OrganizationControl" ADD COLUMN "organizationCategoryId" TEXT; + +-- CreateTable +CREATE TABLE "OrganizationCategory" ( + "id" TEXT NOT NULL, + "name" TEXT NOT NULL, + "description" TEXT, + "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP, + "updatedAt" TIMESTAMP(3) NOT NULL, + "organizationId" TEXT NOT NULL, + + CONSTRAINT "OrganizationCategory_pkey" PRIMARY KEY ("id") +); + +-- CreateIndex +CREATE INDEX "OrganizationCategory_organizationId_idx" ON "OrganizationCategory"("organizationId"); + +-- CreateIndex +CREATE UNIQUE INDEX "OrganizationCategory_organizationId_name_key" ON "OrganizationCategory"("organizationId", "name"); + +-- AddForeignKey +ALTER TABLE "OrganizationControl" ADD CONSTRAINT "OrganizationControl_organizationCategoryId_fkey" FOREIGN KEY ("organizationCategoryId") REFERENCES "OrganizationCategory"("id") ON DELETE SET NULL ON UPDATE CASCADE; + +-- AddForeignKey +ALTER TABLE "OrganizationCategory" ADD CONSTRAINT "OrganizationCategory_organizationId_fkey" FOREIGN KEY ("organizationId") REFERENCES "Organization"("id") ON DELETE CASCADE ON UPDATE CASCADE; diff --git a/packages/db/prisma/migrations/20250212205810_fix_unique_constraint/migration.sql b/packages/db/prisma/migrations/20250212205810_fix_unique_constraint/migration.sql new file mode 100644 index 0000000000..457db8c633 --- /dev/null +++ b/packages/db/prisma/migrations/20250212205810_fix_unique_constraint/migration.sql @@ -0,0 +1,11 @@ +/* + Warnings: + + - A unique constraint covering the columns `[id]` on the table `OrganizationCategory` will be added. If there are existing duplicate values, this will fail. + +*/ +-- DropIndex +DROP INDEX "OrganizationCategory_organizationId_name_key"; + +-- CreateIndex +CREATE UNIQUE INDEX "OrganizationCategory_id_key" ON "OrganizationCategory"("id"); 
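Review bot: The second migration (20250212205810_fix_unique_constraint) drops `OrganizationCategory_organizationId_name_key`, the only tenant-scoped uniqueness on the new table, and replaces it with `CREATE UNIQUE INDEX "OrganizationCategory_id_key" ON "OrganizationCategory"("id")`, which duplicates the primary-key constraint created a few lines earlier and costs an extra index for nothing. Presumably the (organizationId, name) pair was dropped because the same category name recurs across frameworks; the following migration adds `frameworkId`, so a composite `UNIQUE ("organizationId", "frameworkId", "name")` would restore the guarantee that the application code relies on, since createOrganizationCategories inserts with createMany and nothing else prevents duplicates. Consider folding these three migrations into one so the table is never deployed with the interim constraints.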
diff --git a/packages/db/prisma/migrations/20250212210730_add_framework_id_to_org_cat/migration.sql b/packages/db/prisma/migrations/20250212210730_add_framework_id_to_org_cat/migration.sql new file mode 100644 index 0000000000..94f343abd8 --- /dev/null +++ b/packages/db/prisma/migrations/20250212210730_add_framework_id_to_org_cat/migration.sql @@ -0,0 +1,11 @@ +/* + Warnings: + + - Added the required column `frameworkId` to the `OrganizationCategory` table without a default value. This is not possible if the table is not empty. + +*/ +-- AlterTable +ALTER TABLE "OrganizationCategory" ADD COLUMN "frameworkId" TEXT NOT NULL; + +-- AddForeignKey +ALTER TABLE "OrganizationCategory" ADD CONSTRAINT "OrganizationCategory_frameworkId_fkey" FOREIGN KEY ("frameworkId") REFERENCES "Framework"("id") ON DELETE CASCADE ON UPDATE CASCADE; diff --git a/packages/db/prisma/migrations/migration_lock.toml b/packages/db/prisma/migrations/migration_lock.toml new file mode 100644 index 0000000000..648c57fd59 --- /dev/null +++ b/packages/db/prisma/migrations/migration_lock.toml @@ -0,0 +1,3 @@ +# Please do not edit this file manually +# It should be added in your version-control system (e.g., Git) +provider = "postgresql" \ No newline at end of file diff --git a/packages/db/prisma/schema.prisma b/packages/db/prisma/schema.prisma index df1be60768..e74ccfd214 100644 --- a/packages/db/prisma/schema.prisma +++ b/packages/db/prisma/schema.prisma @@ -145,6 +145,7 @@ model Organization { RiskAttachment RiskAttachment[] members OrganizationMember[] OrganizationPolicy OrganizationPolicy[] + OrganizationCategory OrganizationCategory[] @@index([stripeCustomerId]) } @@ -218,6 +219,7 @@ model Framework { organizations Organization[] OrganizationFramework OrganizationFramework[] PolicyFramework PolicyFramework[] + OrganizationCategory OrganizationCategory[] @@index([id]) } 
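Review bot: `ALTER TABLE "OrganizationCategory" ADD COLUMN "frameworkId" TEXT NOT NULL` has no default and no backfill, so, as the generated warning at the top of the file says, it fails on any environment where the table already holds rows from the two earlier migrations in this series. On a fresh database the three migrations run back-to-back and the table is empty, but a database that was migrated to the first one and then populated cannot be upgraded. A safe sequence is to add the column nullable, backfill it from the matching FrameworkCategory rows, then `ALTER COLUMN "frameworkId" SET NOT NULL`; or squash the three migrations before merge.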
@@ -286,6 +288,8 @@ model OrganizationControl { artifacts ControlArtifact[] OrganizationFramework OrganizationFramework? @relation(fields: [organizationFrameworkId], references: [id]) organizationFrameworkId String? + OrganizationCategory OrganizationCategory? @relation(fields: [organizationCategoryId], references: [id]) + organizationCategoryId String? @@index([organizationId]) @@index([organizationFrameworkId]) @@ -951,3 +955,22 @@ model OrganizationPolicy { @@index([organizationId]) @@index([policyId]) } + +model OrganizationCategory { + id String @id @default(cuid()) + name String + description String? + createdAt DateTime @default(now()) + updatedAt DateTime @updatedAt + + frameworkId String + framework Framework @relation(fields: [frameworkId], references: [id], onDelete: Cascade) + + organizationControl OrganizationControl[] + + organizationId String + organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade) + + @@unique([id]) + @@index([organizationId]) +} diff --git a/packages/db/prisma/seed.ts b/packages/db/prisma/seed.ts index 492e31e43a..9ee44f21db 100644 --- a/packages/db/prisma/seed.ts +++ b/packages/db/prisma/seed.ts 
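Review bot: In the new `model OrganizationCategory`, `@@unique([id])` is redundant with `id String @id` and is what produces the extra unique index seen in the migrations; remove it. `frameworkId` gets a foreign key but no `@@index([frameworkId])`, while `organizationId` has one; Prisma does not create indexes for foreign keys on PostgreSQL, and the generated migration in this series indeed adds none, so queries filtering by `organizationId, frameworkId` (the ones in getOrganizationCategories and createOrganizationFramework) and the ON DELETE CASCADE from Framework will scan. `@@index([organizationId, frameworkId])` covers both, and `@@unique([organizationId, frameworkId, name])` would make duplicate categories impossible at the database level.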
@@ -14,6 +14,24 @@ import type { JsonValue } from "@prisma/client/runtime/library"; const prisma = new PrismaClient(); async function main() { + console.log("\n🗑️ Cleaning up existing data..."); + // Delete in order of dependencies + await prisma.organizationFramework.deleteMany(); + await prisma.organizationCategory.deleteMany(); + await prisma.organizationControl.deleteMany(); + await prisma.organizationPolicy.deleteMany(); + + await prisma.policy.deleteMany(); + await prisma.policyControl.deleteMany(); + await prisma.policyFramework.deleteMany(); + + await prisma.control.deleteMany(); + await prisma.controlRequirement.deleteMany(); + + await prisma.framework.deleteMany(); + await prisma.frameworkCategory.deleteMany(); + console.log("✅ Database cleaned"); + console.log("\n📋 Seeding policies..."); await seedPolicies(); console.log("✅ Policies seeded"); From 8f936ce0ae1b14d62fa4374b24464d991d0efeec Mon Sep 17 00:00:00 2001 From: Mariano Fuentes Date: Thu, 13 Feb 2025 12:54:16 -0800 Subject: [PATCH 2/7] comment for now --- .../frameworks/framework-overview.tsx | 136 +++++++++--------- 1 file changed, 69 insertions(+), 67 deletions(-) diff --git a/apps/app/src/components/frameworks/framework-overview.tsx b/apps/app/src/components/frameworks/framework-overview.tsx index dc50344260..b754e2df59 100644 --- a/apps/app/src/components/frameworks/framework-overview.tsx +++ b/apps/app/src/components/frameworks/framework-overview.tsx 
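Review bot: The new cleanup block deletes every row of every organization-scoped table (`organizationFramework`, `organizationCategory`, `organizationControl`, `organizationPolicy`, then all frameworks and controls) unconditionally, so running `prisma db seed` against whatever DATABASE_URL happens to be set, including a shared or production database, destroys tenant data with no confirmation. Gate it on the environment, e.g. `if (process.env.NODE_ENV === "production") throw new Error("Refusing to wipe data in production");` or an explicit opt-in such as `SEED_RESET=1`, before the first deleteMany. The comment `// Delete in order of dependencies` also does not match the order: organizationControl references organizationFramework and organizationCategory (both nullable, SET NULL per the migration), so it would normally be deleted first; the current order only works because of those nullable foreign keys, which is worth stating in the comment.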
@@ -21,77 +21,79 @@ export function FrameworkOverview({ frameworkId }: FrameworkOverviewProps) { const { data: organizationFramework } = useOrganizationFramework(frameworkId); console.log({ organizationFramework }); + return null; + // Calculate compliance metrics - const totalControls = data?.categories.reduce( - (acc, cat) => acc + cat.controls.length, - 0 - ); + // const totalControls = data?.categories.reduce( + // (acc, cat) => acc + cat.controls.length, + // 0 + // ); - const compliantControls = organizationFramework.organizationControl.filter( - (oc) => oc.status === "compliant" - ).length; + // const compliantControls = organizationFramework.organizationControl.filter( + // (oc) => oc.status === "compliant" + // ).length; - const compliancePercentage = Math.round( - (compliantControls / totalControls) * 100 - ); + // const compliancePercentage = Math.round( + // (compliantControls / totalControls) * 100 + // ); - return ( -
- - - {framework.name} - - -

- {framework.description} -

-
- Version {framework.version} -
-
-
+ // return ( + //
+ // + // + // {framework.name} + // + // + //

+ // {framework.description} + //

+ //
+ // Version {framework.version} + //
+ //
+ //
- - - Compliance Progress - - -
- -

- {compliantControls} of {totalControls} controls compliant -

-
-
-
+ // + // + // Compliance Progress + // + // + //
+ // + //

+ // {compliantControls} of {totalControls} controls compliant + //

+ //
+ //
+ //
- - - Assessment Status - - -
-
- - - Last assessed:{" "} - {organizationFramework.lastAssessed - ? format(organizationFramework.lastAssessed, "MMM d, yyyy") - : "Never"} - -
-
- - - Next assessment:{" "} - {organizationFramework.nextAssessment - ? format(organizationFramework.nextAssessment, "MMM d, yyyy") - : "Not scheduled"} - -
-
-
-
-
- ); + // + // + // Assessment Status + // + // + //
+ //
+ // + // + // Last assessed:{" "} + // {organizationFramework.lastAssessed + // ? format(organizationFramework.lastAssessed, "MMM d, yyyy") + // : "Never"} + // + //
+ //
+ // + // + // Next assessment:{" "} + // {organizationFramework.nextAssessment + // ? format(organizationFramework.nextAssessment, "MMM d, yyyy") + // : "Not scheduled"} + // + //
+ //
+ //
+ //
+ //
+ // ); } From 770b268d362ea8597997f64d32477e37adaa6d85 Mon Sep 17 00:00:00 2001 From: Mariano Fuentes Date: Thu, 13 Feb 2025 13:14:52 -0800 Subject: [PATCH 3/7] fix controls bug --- .../Components/FrameworkControls.tsx} | 0 .../Components/FrameworkOverview.tsx | 105 ++++++++++++++++++ .../frameworks/[frameworkId]/layout.tsx | 2 +- .../frameworks/[frameworkId]/page.tsx | 10 +- .../frameworks/framework-overview.tsx | 99 ----------------- packages/db/prisma/seed.ts | 4 +- packages/db/prisma/seedTypes.ts | 11 +- 7 files changed, 120 insertions(+), 111 deletions(-) rename apps/app/src/{components/frameworks/framework-controls.tsx => app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/Components/FrameworkControls.tsx} (100%) create mode 100644 apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/Components/FrameworkOverview.tsx delete mode 100644 apps/app/src/components/frameworks/framework-overview.tsx diff --git a/apps/app/src/components/frameworks/framework-controls.tsx b/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/Components/FrameworkControls.tsx similarity index 100% rename from apps/app/src/components/frameworks/framework-controls.tsx rename to apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/Components/FrameworkControls.tsx diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/Components/FrameworkOverview.tsx b/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/Components/FrameworkOverview.tsx new file mode 100644 index 0000000000..e4d7561068 --- /dev/null +++ b/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/Components/FrameworkOverview.tsx 
@@ -0,0 +1,105 @@ +"use client"; + +import { useOrganizationCategories } from "@/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/hooks/useOrganizationCategories"; +import { useOrganizationFramework } from "@/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/hooks/useOrganizationFramework"; +import type { + Control, + Framework, + OrganizationControl, + OrganizationFramework, +} from "@bubba/db"; +import { Badge } from "@bubba/ui/badge"; +import { Card, CardContent, CardHeader, CardTitle } from "@bubba/ui/card"; +import { Progress } from "@bubba/ui/progress"; +import { format } from "date-fns"; +import { CalendarIcon } from "lucide-react"; + +interface FrameworkOverviewProps { + frameworkId: string; +} + +export function FrameworkOverview({ frameworkId }: FrameworkOverviewProps) { + const { data } = useOrganizationCategories(frameworkId); + const { data: framework } = useOrganizationFramework(frameworkId); + + console.log({ data }); + + // Calculate compliance metrics + const totalControls = data?.reduce( + (acc, cat) => acc + cat.organizationControl.length, + 0 + ); + + const compliantControls = data?.reduce( + (acc, cat) => + acc + + cat.organizationControl.filter((oc) => oc.status === "compliant").length, + 0 + ); + + const compliancePercentage = Math.round( + (compliantControls ?? 0 / (totalControls ?? 0)) * 100 + ); + + return ( +
+ + + {framework?.framework.name} + + +

+ {framework?.framework.description} +

+
+ + Version {framework?.framework.version} + +
+
+
+ + + + Compliance Progress + + +
+ +

+ {compliantControls} of {totalControls} controls compliant +

+
+
+
+ + + + Assessment Status + + +
+
+ + + Last assessed:{" "} + {framework?.lastAssessed + ? format(framework?.lastAssessed, "MMM d, yyyy") + : "Never"} + +
+
+ + + Next assessment:{" "} + {framework?.nextAssessment + ? format(framework?.nextAssessment, "MMM d, yyyy") + : "Not scheduled"} + +
+
+
+
+
+ ); +} diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/layout.tsx b/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/layout.tsx index b473accef2..328e3d5b53 100644 --- a/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/layout.tsx +++ b/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/layout.tsx @@ -9,7 +9,7 @@ export default async function Layout({ children }: LayoutProps) { const t = await getI18n(); return ( -
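Review bot: The compliance percentage in FrameworkOverview is computed with the wrong operator precedence: `??` binds looser than `/`, so `compliantControls ?? 0 / (totalControls ?? 0)` evaluates as `compliantControls ?? (0 / (totalControls ?? 0))`, which yields `compliantControls * 100` once data is loaded and a NaN fallback while `data` is still undefined. Guard the denominator and parenthesize: `const compliancePercentage = totalControls ? Math.round(((compliantControls ?? 0) / totalControls) * 100) : 0;`. The `console.log({ data })` above the metrics is debug output and should be removed before merge.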
+
{children}
diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/page.tsx b/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/page.tsx index 41d8a4f47f..59ed094f73 100644 --- a/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/page.tsx +++ b/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/page.tsx @@ -1,14 +1,8 @@ import { auth } from "@/auth"; -import { FrameworkControls } from "@/components/frameworks/framework-controls"; -import { FrameworkOverview } from "@/components/frameworks/framework-overview"; -import { SkeletonLoader } from "@/components/skeleton-loader"; -import { getI18n } from "@/locales/server"; -import { db } from "@bubba/db"; -import type { Metadata } from "next"; import { setStaticParamsLocale } from "next-international/server"; -import { unstable_cache } from "next/cache"; import { redirect } from "next/navigation"; -import { Suspense } from "react"; +import { FrameworkOverview } from "./Components/FrameworkOverview"; +import { FrameworkControls } from "./Components/FrameworkControls"; interface PageProps { params: Promise<{ diff --git a/apps/app/src/components/frameworks/framework-overview.tsx b/apps/app/src/components/frameworks/framework-overview.tsx deleted file mode 100644 index b754e2df59..0000000000 --- a/apps/app/src/components/frameworks/framework-overview.tsx +++ /dev/null 
@@ -1,99 +0,0 @@ -"use client"; - -import { useOrganizationFramework } from "@/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/hooks/useOrganizationFramework"; -import type { - Control, - Framework, - OrganizationControl, - OrganizationFramework, -} from "@bubba/db"; -import { Badge } from "@bubba/ui/badge"; -import { Card, CardContent, CardHeader, CardTitle } from "@bubba/ui/card"; -import { Progress } from "@bubba/ui/progress"; -import { format } from "date-fns"; -import { CalendarIcon } from "lucide-react"; - -interface FrameworkOverviewProps { - frameworkId: string; -} - -export function FrameworkOverview({ frameworkId }: FrameworkOverviewProps) { - const { data: organizationFramework } = useOrganizationFramework(frameworkId); - console.log({ organizationFramework }); - - return null; - - // Calculate compliance metrics - // const totalControls = data?.categories.reduce( - // (acc, cat) => acc + cat.controls.length, - // 0 - // ); - - // const compliantControls = organizationFramework.organizationControl.filter( - // (oc) => oc.status === "compliant" - // ).length; - - // const compliancePercentage = Math.round( - // (compliantControls / totalControls) * 100 - // ); - - // return ( - //
- // - // - // {framework.name} - // - // - //

- // {framework.description} - //

- //
- // Version {framework.version} - //
- //
- //
- - // - // - // Compliance Progress - // - // - //
- // - //

- // {compliantControls} of {totalControls} controls compliant - //

- //
- //
- //
- - // - // - // Assessment Status - // - // - //
- //
- // - // - // Last assessed:{" "} - // {organizationFramework.lastAssessed - // ? format(organizationFramework.lastAssessed, "MMM d, yyyy") - // : "Never"} - // - //
- //
- // - // - // Next assessment:{" "} - // {organizationFramework.nextAssessment - // ? format(organizationFramework.nextAssessment, "MMM d, yyyy") - // : "Not scheduled"} - // - //
- //
- //
- //
- //
- // ); -} diff --git a/packages/db/prisma/seed.ts b/packages/db/prisma/seed.ts index 9ee44f21db..77c31f99d3 100644 --- a/packages/db/prisma/seed.ts +++ b/packages/db/prisma/seed.ts @@ -188,8 +188,8 @@ async function seedFrameworkCategoryControls( const controlsData = JSON.parse(controls) as Record; const filteredControlsData = Object.fromEntries( - Object.entries(controlsData).filter(([code, data]) => - code.includes(categoryCode) + Object.entries(controlsData).filter( + ([_, data]) => data.categoryId === categoryCode ) ); diff --git a/packages/db/prisma/seedTypes.ts b/packages/db/prisma/seedTypes.ts index 48faca844b..d6f6ca01dd 100644 --- a/packages/db/prisma/seedTypes.ts +++ b/packages/db/prisma/seedTypes.ts @@ -12,11 +12,20 @@ export interface FrameworkCategory { code: string; } +export interface Requirement { + id: string; + type: string; + description: string; + policyId?: string; +} + export interface Control { name: string; description: string; + code: string; domain: string; - requirements: ControlRequirement[]; + categoryId: string; + requirements: Requirement[]; } export interface ControlRequirement { From c2870bb09f0ebe3c24cc5616eb77bf695003b496 Mon Sep 17 00:00:00 2001 From: Mariano Fuentes Date: Thu, 13 Feb 2025 13:18:26 -0800 Subject: [PATCH 4/7] fix layouts... --- .../app/[locale]/(app)/(dashboard)/integrations/page.tsx | 2 +- .../(app)/(dashboard)/policies/(overview)/layout.tsx | 2 +- .../[locale]/(app)/(dashboard)/risk/(overview)/layout.tsx | 2 +- .../app/[locale]/(app)/(dashboard)/risk/[riskId]/layout.tsx | 4 ++-- .../app/[locale]/(app)/(dashboard)/risk/register/layout.tsx | 6 ++++-- .../src/app/[locale]/(app)/(dashboard)/settings/layout.tsx | 6 ++++-- 6 files changed, 13 insertions(+), 9 deletions(-) diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/integrations/page.tsx b/apps/app/src/app/[locale]/(app)/(dashboard)/integrations/page.tsx index cbb34cb36d..56f2d97267 100644 
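Review bot: The new filter `([_, data]) => data.categoryId === categoryCode` in seedFrameworkCategoryControls depends on a field this series only just adds to `Control`, and the `JSON.parse(controls) as Record…` cast gives no runtime guarantee the field is present, so a control entry without `categoryId` is dropped from every category with no diagnostic. Consider tracking the entries that matched no category and logging or throwing for them, so a malformed data file fails the seed instead of silently thinning the control set. seedFrameworkCategoryControls starts and continues outside the hunk.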
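Review bot: `Requirement.type` is declared as a bare `string` in seedTypes.ts, while the soc2.json changes later in this series use only `policy`, `procedure`, `training` and `evidence`; a literal union, `type: "policy" | "procedure" | "training" | "evidence";`, would let the compiler reject a mistyped requirement type in a seed file instead of loading it silently. The old `ControlRequirement` interface is still exported below this hunk (its body is outside the hunk) even though `Control` no longer references it; if nothing else uses it, remove it rather than keep two requirement shapes side by side.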
--- a/apps/app/src/app/[locale]/(app)/(dashboard)/integrations/page.tsx +++ b/apps/app/src/app/[locale]/(app)/(dashboard)/integrations/page.tsx @@ -31,7 +31,7 @@ export default async function IntegrationsPage({ } return ( -
+
}> diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/policies/(overview)/layout.tsx b/apps/app/src/app/[locale]/(app)/(dashboard)/policies/(overview)/layout.tsx index 1dfa87a8c0..f289e93654 100644 --- a/apps/app/src/app/[locale]/(app)/(dashboard)/policies/(overview)/layout.tsx +++ b/apps/app/src/app/[locale]/(app)/(dashboard)/policies/(overview)/layout.tsx @@ -10,7 +10,7 @@ export default async function Layout({ const t = await getI18n(); return ( -
+
+
+
<SecondaryMenu @@ -57,5 +57,5 @@ const getRisk = unstable_cache( return risk; }, - ["risk-cache"], + ["risk-cache"] ); diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/risk/register/layout.tsx b/apps/app/src/app/[locale]/(app)/(dashboard)/risk/register/layout.tsx index a4a3adc07c..401f953cdf 100644 --- a/apps/app/src/app/[locale]/(app)/(dashboard)/risk/register/layout.tsx +++ b/apps/app/src/app/[locale]/(app)/(dashboard)/risk/register/layout.tsx @@ -3,11 +3,13 @@ import { SecondaryMenu } from "@bubba/ui/secondary-menu"; export default async function Layout({ children, -}: { children: React.ReactNode }) { +}: { + children: React.ReactNode; +}) { const t = await getI18n(); return ( - <div className="max-w-[1200px]"> + <div className="max-w-[1200px] mx-auto"> <SecondaryMenu items={[ { path: "/risk", label: t("risk.dashboard.title") }, diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/settings/layout.tsx b/apps/app/src/app/[locale]/(app)/(dashboard)/settings/layout.tsx index 7103268daa..3a32de45c8 100644 --- a/apps/app/src/app/[locale]/(app)/(dashboard)/settings/layout.tsx +++ b/apps/app/src/app/[locale]/(app)/(dashboard)/settings/layout.tsx @@ -4,11 +4,13 @@ import { Suspense } from "react"; export default async function Layout({ children, -}: { children: React.ReactNode }) { +}: { + children: React.ReactNode; +}) { const t = await getI18n(); return ( - <div className="max-w-[800px]"> + <div className="max-w-[800px] mx-auto"> <Suspense fallback={<div>Loading...</div>}> <SecondaryMenu items={[ From 0d7f855843a7fc306abc943e289546b2249d5c38 Mon Sep 17 00:00:00 2001 
From: Mariano Fuentes <marfuen98@gmail.com> Date: Thu, 13 Feb 2025 13:38:49 -0800 Subject: [PATCH 5/7] add single control page --- .../[id]/Actions/getOrganizationControl.ts | 60 +++++++++++++++++++ .../[id]/Components/SingleControl.tsx | 20 +++++++ .../[id]/hooks/useOrganizationControl.tsx | 44 ++++++++++++++ .../(app)/(dashboard)/controls/[id]/page.tsx | 11 ++++ .../(app)/(dashboard)/controls/page.tsx | 3 + .../Components/FrameworkControls.tsx | 2 - .../components/tables/frameworks/columns.tsx | 14 +++-- 7 files changed, 148 insertions(+), 6 deletions(-) create mode 100644 apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/Actions/getOrganizationControl.ts create mode 100644 apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/Components/SingleControl.tsx create mode 100644 apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/hooks/useOrganizationControl.tsx create mode 100644 apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/page.tsx create mode 100644 apps/app/src/app/[locale]/(app)/(dashboard)/controls/page.tsx diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/Actions/getOrganizationControl.ts b/apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/Actions/getOrganizationControl.ts new file mode 100644 index 0000000000..9dd4a2c9a0 --- /dev/null +++ b/apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/Actions/getOrganizationControl.ts 
@@ -0,0 +1,60 @@
+"use server";
+
+import { db, OrganizationControl, Control } from "@bubba/db";
+import { authActionClient } from "@/actions/safe-action";
+import { z } from "zod";
+
+export interface OrganizationControlResponse {
+ organizationControl: OrganizationControl & {
+ control: Control;
+ };
+}
+
+export const getOrganizationControl = authActionClient
+ .schema(z.object({ controlId: z.string() }))
+ .metadata({
+ name: "getOrganizationControl",
+ track: {
+ event: "get-organization-control",
+ channel: "server",
+ },
+ })
+ .action(async ({ ctx, parsedInput }) => {
+ const { user } = ctx;
+ const { controlId } = parsedInput;
+
+ if (!user.organizationId) {
+ return {
+ error: "Not authorized - no organization found",
+ };
+ }
+
+ try {
+ const organizationControl = await db.organizationControl.findUnique({
+ where: {
+ organizationId: user.organizationId,
+ id: controlId,
+ },
+ include: {
+ control: true,
+ },
+ });
+
+ if (!organizationControl) {
+ return {
+ error: "Organization control not found",
+ };
+ }
+
+ return {
+ data: {
+ organizationControl,
+ },
+ };
+ } catch (error) {
+ console.error("Error fetching organization control:", error);
+ return {
+ error: "Failed to fetch organization control",
+ };
+ }
+ });
diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/Components/SingleControl.tsx b/apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/Components/SingleControl.tsx
new file mode 100644
index 0000000000..96f874671f
--- /dev/null
+++ b/apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/Components/SingleControl.tsx
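Review bot: `OrganizationControl` and `Control` on the first import line of getOrganizationControl.ts are used only in type positions but are imported as values; split them out as `import type { Control, OrganizationControl } from "@bubba/db";` so they are erased under `isolatedModules`. The `findUnique` call combines the unique `id` with the non-unique `organizationId`, which is the right tenant scoping to keep — a control belonging to another organization resolves to the same "not found" response as a missing one — but that `where` shape type-checks only on Prisma versions that accept extra filters on a unique lookup; if the project is on an older client, `findFirst` with the same `where` and `include` gives the identical scoped result.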
@@ -0,0 +1,20 @@ +"use client"; + +import { useOrganizationControl } from "../hooks/useOrganizationControl"; + +interface SingleControlProps { + controlId: string; +} + +export const SingleControl = ({ controlId }: SingleControlProps) => { + const { data: control } = useOrganizationControl(controlId); + + return ( + <div className="max-w-4xl mx-auto py-8"> + <h1 className="text-2xl font-bold">{control?.control.name}</h1> + <p className="text-sm text-muted-foreground"> + {control?.control.description} + </p> + </div> + ); +}; diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/hooks/useOrganizationControl.tsx b/apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/hooks/useOrganizationControl.tsx new file mode 100644 index 0000000000..bb2bdbd9f5 --- /dev/null +++ b/apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/hooks/useOrganizationControl.tsx @@ -0,0 +1,44 @@ +"use client"; + +import { OrganizationControl } from "@bubba/db"; +import useSWR from "swr"; +import { + getOrganizationControl, + OrganizationControlResponse, +} from "../Actions/getOrganizationControl"; + +async function fetchOrganizationControl( + controlId: string +): Promise<OrganizationControlResponse> { + const result = await getOrganizationControl({ controlId }); + + if (!result) { + throw new Error("Failed to fetch control"); + } + + const data = result.data?.data; + if (!data) { + throw new Error("Invalid response from server"); + } + + return data; +} + +export function useOrganizationControl(controlId: string) { + const { data, error, isLoading, mutate } = + useSWR<OrganizationControlResponse>( + ["organization-control", controlId], + () => fetchOrganizationControl(controlId), + { + revalidateOnFocus: false, + revalidateOnReconnect: false, + } + ); + + return { + data: data?.organizationControl, + isLoading, + error, + mutate, + }; +} 
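Review bot: `fetchOrganizationControl` in useOrganizationControl.tsx discards the server's error: when the action returns `{ error: "Organization control not found" }` or `{ error: "Not authorized - no organization found" }`, `result.data?.data` is undefined and the hook throws the generic "Invalid response from server", so the UI cannot distinguish a missing control from a malformed reply. Surface the message instead, e.g. `if (!data) throw new Error((result.data && "error" in result.data && result.data.error) || "Invalid response from server");`, narrowing with `"error" in` if the inferred union requires it. The `OrganizationControl` import from `@bubba/db` in the hook is unused and, like `OrganizationControlResponse`, should be a type-only import if kept.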
diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/page.tsx b/apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/page.tsx new file mode 100644 index 0000000000..b845759a67 --- /dev/null +++ b/apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/page.tsx @@ -0,0 +1,11 @@ +import { SingleControl } from "./Components/SingleControl"; + +interface PageProps { + params: Promise<{ id: string }>; +} + +export default async function SingleControlPage({ params }: PageProps) { + const { id } = await params; + + return <SingleControl controlId={id} />; +} diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/controls/page.tsx b/apps/app/src/app/[locale]/(app)/(dashboard)/controls/page.tsx new file mode 100644 index 0000000000..0f3ced7431 --- /dev/null +++ b/apps/app/src/app/[locale]/(app)/(dashboard)/controls/page.tsx @@ -0,0 +1,3 @@ +export default function ControlsPage() { + return <div>Controls</div>; +} diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/Components/FrameworkControls.tsx b/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/Components/FrameworkControls.tsx index e639d32b9a..139b897688 100644 --- a/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/Components/FrameworkControls.tsx +++ b/apps/app/src/app/[locale]/(app)/(dashboard)/frameworks/[frameworkId]/Components/FrameworkControls.tsx @@ -21,8 +21,6 @@ export function FrameworkControls({ frameworkId }: FrameworkControlsProps) { const { data: organizationCategories } = useOrganizationCategories(frameworkId); - console.log({ organizationCategories, frameworkId }); - if (!organizationCategories) { return null; } diff --git a/apps/app/src/components/tables/frameworks/columns.tsx b/apps/app/src/components/tables/frameworks/columns.tsx index a17d8243fc..fdb0a11127 100644 --- a/apps/app/src/components/tables/frameworks/columns.tsx +++ b/apps/app/src/components/tables/frameworks/columns.tsx 
@@ -7,6 +7,7 @@ import { import { useI18n } from "@/locales/client"; import type { ArtifactType, ComplianceStatus } from "@bubba/db"; import type { ColumnDef } from "@tanstack/react-table"; +import Link from "next/link"; export type OrganizationControlType = { id: string; @@ -28,10 +29,15 @@ export function columns(): ColumnDef<OrganizationControlType>[] { cell: ({ row }) => { return ( <div className="flex flex-col w-[300px]"> - <span className="font-medium truncate">{row.original.name}</span> - <span className="text-sm text-muted-foreground truncate"> - {row.original.code} - </span> + <Link + href={`/controls/${row.original.id}`} + className="flex flex-col" + > + <span className="font-medium truncate">{row.original.name}</span> + <span className="text-sm text-muted-foreground truncate"> + {row.original.code} + </span> + </Link> </div> ); }, From acb7df80eefcd0fee2e4e6cb74fd91d87e488e2a Mon Sep 17 00:00:00 2001 From: Mariano Fuentes <marfuen98@gmail.com> Date: Thu, 13 Feb 2025 13:39:09 -0800 Subject: [PATCH 6/7] comment out delete tables from seed --- packages/db/prisma/seed.ts | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/packages/db/prisma/seed.ts b/packages/db/prisma/seed.ts index 77c31f99d3..99a5e20245 100644 --- a/packages/db/prisma/seed.ts +++ b/packages/db/prisma/seed.ts 
@@ -14,23 +14,23 @@ import type { JsonValue } from "@prisma/client/runtime/library"; const prisma = new PrismaClient(); async function main() { - console.log("\n🗑️ Cleaning up existing data..."); + // console.log("\n🗑️ Cleaning up existing data..."); // Delete in order of dependencies - await prisma.organizationFramework.deleteMany(); - await prisma.organizationCategory.deleteMany(); - await prisma.organizationControl.deleteMany(); - await prisma.organizationPolicy.deleteMany(); + // await prisma.organizationFramework.deleteMany(); + // await prisma.organizationCategory.deleteMany(); + // await prisma.organizationControl.deleteMany(); + // await prisma.organizationPolicy.deleteMany(); - await prisma.policy.deleteMany(); - await prisma.policyControl.deleteMany(); - await prisma.policyFramework.deleteMany(); + // await prisma.policy.deleteMany(); + // await prisma.policyControl.deleteMany(); + // await prisma.policyFramework.deleteMany(); - await prisma.control.deleteMany(); - await prisma.controlRequirement.deleteMany(); + // await prisma.control.deleteMany(); + // await prisma.controlRequirement.deleteMany(); - await prisma.framework.deleteMany(); - await prisma.frameworkCategory.deleteMany(); - console.log("✅ Database cleaned"); + // await prisma.framework.deleteMany(); + // await prisma.frameworkCategory.deleteMany(); + // console.log("✅ Database cleaned"); console.log("\n📋 Seeding policies..."); await seedPolicies(); From 09b3d2c7fbf4b73ec1d6d175f8c6fa98390310ad Mon Sep 17 00:00:00 2001 
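Review bot: Commenting out the `deleteMany` block in `main()` leaves dead code in the seed rather than an explicit decision; if a reset is sometimes wanted, gate it behind an opt-in flag (for example an environment variable — name illustrative — checked as `if (process.env.SEED_RESET === "true") { … }`), otherwise delete the lines. With the cleanup gone, re-running the seed against a populated database now depends on every `seed*` function being idempotent (upsert rather than create); that is not visible in this hunk and is worth confirming before merge. `main()` continues outside the hunk.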
From: Mariano Fuentes <marfuen98@gmail.com> Date: Mon, 17 Feb 2025 12:31:43 -0800 Subject: [PATCH 7/7] add single control --- .../[id]/Components/SingleControl.tsx | 37 +- packages/data/controls/soc2.json | 457 ++++++++++------ packages/data/policies/access.json | 507 ------------------ packages/data/policies/access_control.json | 151 ++++++ .../data/policies/business_continuity.json | 158 ++++++ packages/data/policies/change_management.json | 151 ++++++ packages/data/policies/code_of_conduct.json | 355 ++++++++++++ packages/data/policies/confidentiality.json | 346 ++++++++++++ .../data/policies/corporate_governance.json | 234 ++++++++ packages/data/policies/cyber_risk.json | 317 +++++++++++ packages/data/policies/data_center.json | 358 +++++++++++++ .../data/policies/data_classification.json | 151 ++++++ packages/data/policies/disaster_recovery.json | 358 +++++++++++++ packages/data/policies/human_resources.json | 151 ++++++ packages/data/policies/incident_response.json | 151 ++++++ .../data/policies/information_security.json | 168 ++++++ packages/data/policies/privacy.json | 151 ++++++ packages/data/policies/risk_assessment.json | 301 +++++++++++ packages/data/policies/risk_management.json | 168 ++++++ .../data/policies/software_development.json | 345 ++++++++++++ packages/data/policies/thirdparty.json | 298 ++++++++++ .../data/policies/vendor_risk_management.json | 151 ++++++ packages/data/policies/workstation.json | 373 +++++++++++++ 23 files changed, 5162 insertions(+), 675 deletions(-) delete mode 100644 packages/data/policies/access.json create mode 100644 packages/data/policies/access_control.json create mode 100644 packages/data/policies/business_continuity.json create mode 100644 packages/data/policies/change_management.json create mode 100644 packages/data/policies/code_of_conduct.json create mode 100644 packages/data/policies/confidentiality.json create mode 100644 packages/data/policies/corporate_governance.json create mode 100644 
packages/data/policies/cyber_risk.json create mode 100644 packages/data/policies/data_center.json create mode 100644 packages/data/policies/data_classification.json create mode 100644 packages/data/policies/disaster_recovery.json create mode 100644 packages/data/policies/human_resources.json create mode 100644 packages/data/policies/incident_response.json create mode 100644 packages/data/policies/information_security.json create mode 100644 packages/data/policies/privacy.json create mode 100644 packages/data/policies/risk_assessment.json create mode 100644 packages/data/policies/risk_management.json create mode 100644 packages/data/policies/software_development.json create mode 100644 packages/data/policies/thirdparty.json create mode 100644 packages/data/policies/vendor_risk_management.json create mode 100644 packages/data/policies/workstation.json diff --git a/apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/Components/SingleControl.tsx b/apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/Components/SingleControl.tsx index 96f874671f..c21286c5f4 100644 --- a/apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/Components/SingleControl.tsx +++ b/apps/app/src/app/[locale]/(app)/(dashboard)/controls/[id]/Components/SingleControl.tsx @@ -1,6 +1,12 @@ "use client"; +import { + DisplayFrameworkStatus, + StatusType, +} from "@/components/frameworks/framework-status"; import { useOrganizationControl } from "../hooks/useOrganizationControl"; +import { Card } from "@bubba/ui/card"; +import { Label } from "@bubba/ui/label"; interface SingleControlProps { controlId: string; 
@@ -8,13 +14,34 @@ interface SingleControlProps { export const SingleControl = ({ controlId }: SingleControlProps) => { const { data: control } = useOrganizationControl(controlId); + if (!control) return null; return ( - <div className="max-w-4xl mx-auto py-8"> - <h1 className="text-2xl font-bold">{control?.control.name}</h1> - <p className="text-sm text-muted-foreground"> - {control?.control.description} - </p> + <div className="max-w-[1200px] mx-auto py-8 gap-4 flex flex-col"> + <div className="flex flex-row justify-between items-center"> + <h1 className="text-3xl font-bold">{control?.control.name}</h1> + <DisplayFrameworkStatus + status={control?.status.toLowerCase() as StatusType} + /> + </div> + <div className="grid grid-cols-2 gap-4"> + <Card className="flex flex-col gap-2 p-4 px-8 min-h-[200px]"> + <div> + <Label className="text-lg">Description</Label> + <p className="text-sm">{control?.control.description}</p> + </div> + </Card> + <Card className="gap-2 p-4 px-8 grid grid-cols-2"> + <div> + <Label className="text-lg">Code</Label> + <h1 className="text-sm">{control?.control.code}</h1> + </div> + <div> + <Label className="text-lg">Domain</Label> + <p className="text-sm">{control?.control.domain}</p> + </div> + </Card> + </div> </div> ); }; diff --git a/packages/data/controls/soc2.json b/packages/data/controls/soc2.json index 852128952c..970f0fddff 100644 --- a/packages/data/controls/soc2.json +++ b/packages/data/controls/soc2.json 
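Review bot: After the new guard `if (!control) return null;` every access in SingleControl.tsx still uses `control?.`; the optional chaining is now dead and hides the narrowing the guard provides, so `control.control.name`, `control.status`, etc. should be used directly. `control?.status.toLowerCase() as StatusType` is an assertion rather than a check: if the database status set and `StatusType` ever diverge, `DisplayFrameworkStatus` receives a value it has no branch for, with no compile-time signal; a typed lookup table from the Prisma status to `StatusType` (or a type predicate) is preferable to the cast. The control code is rendered in a second `<h1>`; a `<p>` or `<span>` keeps a single heading on the page.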
@@ -9,13 +9,18 @@ { "id": "CC1.1-policy", "type": "policy", - "description": "Board oversight and governance policy", - "policyId": "password_policy" + "description": "Reference to the Corporate Governance Policy that defines board oversight responsibilities, roles, review frequency, and reporting requirements.", + "policyId": "corporate_governance" }, { "id": "CC1.1-procedure", "type": "procedure", - "description": "Board oversight procedures" + "description": "Documented procedures for board oversight, including scheduled reviews, risk assessments, and communication channels with management." + }, + { + "id": "CC1.1-evidence", + "type": "evidence", + "description": "Minutes of board meetings and oversight reports demonstrating active review of internal controls." } ] }, @@ -29,13 +34,23 @@ { "id": "CC1.2-policy", "type": "policy", - "description": "Organizational structure and management policy", - "policyId": "password_policy" + "description": "Reference to the Corporate Governance Policy that outlines management responsibilities and the organizational structure for effective oversight.", + "policyId": "corporate_governance" }, { "id": "CC1.2-procedure", "type": "procedure", - "description": "Management oversight procedures" + "description": "Procedures for management oversight, including decision-making processes and periodic reporting." + }, + { + "id": "CC1.2-training", + "type": "training", + "description": "Training for management on internal control responsibilities and ethical decision-making." + }, + { + "id": "CC1.2-evidence", + "type": "evidence", + "description": "Organizational charts, management meeting minutes, and training records." } ] }, 
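Review bot: Every `policyId` in these soc2.json hunks, and in the ones that follow through CC4.2, is a free-form string that must match a policy file created in this same commit (`corporate_governance`, `human_resources`, `information_security`, `risk_management`, `change_management`); the seed types declare it as `policyId?: string` and nothing on the page validates the reference at seed time, so a typo would produce a requirement silently unlinked from its policy. Consider having the seed resolve each `policyId` against the loaded policies and fail on an unknown id, so dangling references are caught when the data is loaded rather than discovered in the UI.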
@@ -49,13 +64,18 @@ { "id": "CC1.3-policy", "type": "policy", - "description": "Personnel management policy", - "policyId": "password_policy" + "description": "Reference to the Human Resources Policy that defines recruitment, retention, and competency requirements.", + "policyId": "human_resources" }, { "id": "CC1.3-procedure", "type": "procedure", - "description": "Personnel management procedures" + "description": "Procedures for talent acquisition, performance management, and professional development." + }, + { + "id": "CC1.3-evidence", + "type": "evidence", + "description": "HR records, training logs, and performance evaluations." } ] }, @@ -69,18 +89,23 @@ { "id": "CC1.4-policy", "type": "policy", - "description": "Personnel accountability policy", - "policyId": "password_policy" + "description": "Reference to the Human Resources Policy that outlines roles, responsibilities, and disciplinary measures.", + "policyId": "human_resources" }, { "id": "CC1.4-procedure", "type": "procedure", - "description": "Personnel accountability procedures" + "description": "Procedures for monitoring, enforcing, and reviewing personnel accountability." }, { "id": "CC1.4-training", "type": "training", - "description": "Personnel accountability training" + "description": "Mandatory training on internal control responsibilities and ethical conduct." + }, + { + "id": "CC1.4-evidence", + "type": "evidence", + "description": "Employee acknowledgment forms, training records, and disciplinary documentation." } ] }, 
@@ -94,13 +119,23 @@ { "id": "CC1.5-policy", "type": "policy", - "description": "Code of conduct policy", - "policyId": "password_policy" + "description": "Reference to the Corporate Governance Policy (or a dedicated Code of Conduct within it) that defines ethical behavior and compliance expectations.", + "policyId": "corporate_governance" + }, + { + "id": "CC1.5-procedure", + "type": "procedure", + "description": "Procedures for reporting, investigating, and addressing breaches of the code." }, { "id": "CC1.5-training", "type": "training", - "description": "Ethics and integrity training" + "description": "Regular ethics and integrity training for all employees." + }, + { + "id": "CC1.5-evidence", + "type": "evidence", + "description": "Signed acknowledgment forms, training completion records, and records of investigations or disciplinary actions." } ] }, @@ -114,18 +149,18 @@ { "id": "CC2.1-policy", "type": "policy", - "description": "Information quality policy", - "policyId": "password_policy" + "description": "Reference to the Information Security Policy that outlines data accuracy, completeness, and timeliness requirements.", + "policyId": "information_security" }, { "id": "CC2.1-procedure", "type": "procedure", - "description": "Information management procedures" + "description": "Procedures for validating data inputs and correcting errors throughout data processing." }, { "id": "CC2.1-evidence", "type": "evidence", - "description": "Information quality metrics and reports" + "description": "Data quality reports, audit logs, and records of corrective actions." } ] }, 
@@ -139,18 +174,18 @@ { "id": "CC2.2-policy", "type": "policy", - "description": "Internal communication policy", - "policyId": "password_policy" + "description": "Reference to the Corporate Governance Policy that includes guidelines for internal communications of control objectives.", + "policyId": "corporate_governance" }, { "id": "CC2.2-procedure", "type": "procedure", - "description": "Communication procedures" + "description": "Procedures for internal reporting, announcements, and feedback regarding internal controls." }, { "id": "CC2.2-evidence", "type": "evidence", - "description": "Internal communication records" + "description": "Communication logs, email distributions, and meeting minutes." } ] }, @@ -164,18 +199,18 @@ { "id": "CC2.3-policy", "type": "policy", - "description": "External communication policy", - "policyId": "password_policy" + "description": "Reference to the Corporate Governance Policy that outlines external communication guidelines for control-related matters.", + "policyId": "corporate_governance" }, { "id": "CC2.3-procedure", "type": "procedure", - "description": "External communication procedures" + "description": "Procedures for drafting, approving, and disseminating external communications related to internal controls." }, { "id": "CC2.3-evidence", "type": "evidence", - "description": "External communication records" + "description": "Records of external communications, press releases, and stakeholder correspondence." } ] }, 
@@ -189,18 +224,18 @@ { "id": "CC3.1-policy", "type": "policy", - "description": "Risk assessment policy", - "policyId": "password_policy" + "description": "Reference to the Risk Management Policy that defines methodologies, frequency, and scope for risk assessments.", + "policyId": "risk_management" }, { "id": "CC3.1-procedure", "type": "procedure", - "description": "Risk assessment procedures" + "description": "Procedures for conducting regular risk assessments, documenting risks, and assigning risk owners." }, { "id": "CC3.1-evidence", "type": "evidence", - "description": "Risk assessment documentation" + "description": "Risk assessment reports, risk registers, and management review minutes." } ] }, @@ -214,18 +249,18 @@ { "id": "CC3.2-policy", "type": "policy", - "description": "Risk identification policy", - "policyId": "password_policy" + "description": "Reference to the Risk Management Policy requiring systematic identification of risks across all business areas.", + "policyId": "risk_management" }, { "id": "CC3.2-procedure", "type": "procedure", - "description": "Risk identification procedures" + "description": "Procedures for risk identification using workshops, surveys, and data analysis." }, { "id": "CC3.2-evidence", "type": "evidence", - "description": "Risk register and analysis" + "description": "Risk register entries, workshop records, and risk analysis documentation." } ] }, 
@@ -239,18 +274,18 @@ { "id": "CC3.3-policy", "type": "policy", - "description": "Fraud risk assessment policy", - "policyId": "password_policy" + "description": "Reference to the Risk Management Policy with provisions for assessing and mitigating fraud risks.", + "policyId": "risk_management" }, { "id": "CC3.3-procedure", "type": "procedure", - "description": "Fraud risk assessment procedures" + "description": "Procedures for conducting fraud risk assessments and reporting findings." }, { "id": "CC3.3-evidence", "type": "evidence", - "description": "Fraud risk assessment reports" + "description": "Fraud risk assessment reports, internal audit findings, and remediation tracking records." } ] }, @@ -264,18 +299,18 @@ { "id": "CC3.4-policy", "type": "policy", - "description": "Change management risk policy", - "policyId": "password_policy" + "description": "Reference to the Change Management Policy that outlines how risks associated with changes are evaluated.", + "policyId": "change_management" }, { "id": "CC3.4-procedure", "type": "procedure", - "description": "Change impact assessment procedures" + "description": "Procedures for assessing the impact of changes and planning mitigations for associated risks." }, { "id": "CC3.4-evidence", "type": "evidence", - "description": "Change impact assessments" + "description": "Change impact assessments, risk logs, and management approval records." } ] }, 
@@ -289,18 +324,18 @@ { "id": "CC4.1-policy", "type": "policy", - "description": "Control monitoring policy", - "policyId": "password_policy" + "description": "Reference to the Information Security Policy that outlines monitoring requirements for internal controls.", + "policyId": "information_security" }, { "id": "CC4.1-procedure", "type": "procedure", - "description": "Control monitoring procedures" + "description": "Procedures for ongoing and periodic testing of internal controls." }, { "id": "CC4.1-evidence", "type": "evidence", - "description": "Control monitoring reports" + "description": "Internal audit reports, control testing records, and management review documentation." } ] }, @@ -314,18 +349,18 @@ { "id": "CC4.2-policy", "type": "policy", - "description": "Deficiency management policy", - "policyId": "password_policy" + "description": "Reference to the Risk Management Policy that establishes a framework for identifying, reporting, and remediating control deficiencies.", + "policyId": "risk_management" }, { "id": "CC4.2-procedure", "type": "procedure", - "description": "Deficiency management procedures" + "description": "Procedures for documenting, tracking, and remediating control deficiencies." }, { "id": "CC4.2-evidence", "type": "evidence", - "description": "Deficiency tracking and resolution reports" + "description": "Deficiency logs, remediation plans, and follow-up audit reports." } ] }, 
@@ -339,18 +374,18 @@ { "id": "CC5.1-policy", "type": "policy", - "description": "Control selection policy", - "policyId": "password_policy" + "description": "Reference to the Information Security Policy that outlines criteria for the design and selection of controls.", + "policyId": "information_security" }, { "id": "CC5.1-procedure", "type": "procedure", - "description": "Control selection procedures" + "description": "Procedures for developing, documenting, and implementing controls to mitigate risks." }, { "id": "CC5.1-evidence", "type": "evidence", - "description": "Control selection documentation" + "description": "Control design documents, implementation records, and risk mitigation assessments." } ] }, @@ -364,18 +399,18 @@ { "id": "CC5.2-policy", "type": "policy", - "description": "Technology control policy", - "policyId": "password_policy" + "description": "Reference to the Information Security Policy that specifies baseline security configurations and technology management practices.", + "policyId": "information_security" }, { "id": "CC5.2-procedure", "type": "procedure", - "description": "Technology control procedures" + "description": "Procedures for implementing and monitoring technology controls such as firewalls, antivirus, and system hardening." }, { "id": "CC5.2-evidence", "type": "evidence", - "description": "Technology control documentation" + "description": "System configuration records, monitoring reports, and technology audit logs." } ] }, 
@@ -389,18 +424,18 @@ { "id": "CC5.3-policy", "type": "policy", - "description": "Policy implementation framework", - "policyId": "password_policy" + "description": "Reference to the Corporate Governance Policy that outlines how policies are communicated, enforced, and monitored.", + "policyId": "corporate_governance" }, { "id": "CC5.3-procedure", "type": "procedure", - "description": "Policy implementation procedures" + "description": "Procedures for operationalizing policies including documentation, training, and compliance monitoring." }, { "id": "CC5.3-evidence", "type": "evidence", - "description": "Policy implementation records" + "description": "Policy distribution records, training logs, and compliance monitoring reports." } ] }, @@ -414,18 +449,18 @@ { "id": "CC6.1-policy", "type": "policy", - "description": "Access security policy", - "policyId": "password_policy" + "description": "Reference to the Access Control Policy that defines controls for network and system access including segmentation and firewalls.", + "policyId": "access_control" }, { "id": "CC6.1-procedure", "type": "procedure", - "description": "Access security procedures" + "description": "Procedures for granting, monitoring, and revoking system access including access logging and periodic reviews." }, { "id": "CC6.1-evidence", "type": "evidence", - "description": "Access security configurations" + "description": "Access control configurations, firewall logs, and system access review reports." } ] }, 
@@ -439,18 +474,18 @@ { "id": "CC6.2-policy", "type": "policy", - "description": "User authentication policy", - "policyId": "password_policy" + "description": "Reference to the Access Control Policy requiring strong authentication methods including passwords and multi-factor authentication.", + "policyId": "access_control" }, { "id": "CC6.2-procedure", "type": "procedure", - "description": "User authentication procedures" + "description": "Procedures for user registration, credential issuance, and ongoing authentication management." }, { "id": "CC6.2-evidence", "type": "evidence", - "description": "User authentication records" + "description": "Authentication logs, MFA configuration records, and user account management records." } ] }, @@ -464,18 +499,18 @@ { "id": "CC6.3-policy", "type": "policy", - "description": "Access removal policy", - "policyId": "password_policy" + "description": "Reference to the Access Control Policy detailing prompt revocation of user access upon termination or role change.", + "policyId": "access_control" }, { "id": "CC6.3-procedure", "type": "procedure", - "description": "Access removal procedures" + "description": "Procedures for de-provisioning user access immediately after termination or role change." }, { "id": "CC6.3-evidence", "type": "evidence", - "description": "Access removal records" + "description": "User termination logs, de-provisioning records, and access review reports." } ] }, 
@@ -489,18 +524,18 @@ { "id": "CC6.4-policy", "type": "policy", - "description": "Access review policy", - "policyId": "password_policy" + "description": "Reference to the Access Control Policy mandating periodic reviews of user access rights and privileges.", + "policyId": "access_control" }, { "id": "CC6.4-procedure", "type": "procedure", - "description": "Access review procedures" + "description": "Procedures for conducting regular access reviews and validating that user permissions align with current roles." }, { "id": "CC6.4-evidence", "type": "evidence", - "description": "Access review records" + "description": "Access review logs, user access reports, and management sign-off documentation." } ] }, @@ -514,18 +549,18 @@ { "id": "CC6.5-policy", "type": "policy", - "description": "System account management policy", - "policyId": "password_policy" + "description": "Reference to the Access Control Policy that defines processes for creating, maintaining, and terminating system accounts.", + "policyId": "access_control" }, { "id": "CC6.5-procedure", "type": "procedure", - "description": "System account management procedures" + "description": "Procedures for provisioning system accounts, managing privileged access, and monitoring account activity." }, { "id": "CC6.5-evidence", "type": "evidence", - "description": "System account management records" + "description": "Account provisioning logs, privileged account review reports, and system audit logs." } ] }, 
@@ -539,18 +574,18 @@ { "id": "CC6.6-policy", "type": "policy", - "description": "Physical access policy", - "policyId": "password_policy" + "description": "Reference to the Access Control Policy that establishes requirements for securing facilities and restricting physical entry to sensitive areas.", + "policyId": "access_control" }, { "id": "CC6.6-procedure", "type": "procedure", - "description": "Physical access procedures" + "description": "Procedures for issuing physical access credentials, managing visitor access, and monitoring facility entry." }, { "id": "CC6.6-evidence", "type": "evidence", - "description": "Physical access records" + "description": "Facility access logs, visitor sign-in records, and security camera reports." } ] }, @@ -564,18 +599,18 @@ { "id": "CC6.7-policy", "type": "policy", - "description": "Change management policy", - "policyId": "password_policy" + "description": "Reference to the Change Management Policy that governs modifications to information assets.", + "policyId": "change_management" }, { "id": "CC6.7-procedure", "type": "procedure", - "description": "Change management procedures" + "description": "Procedures for managing, reviewing, and approving changes to information assets, including rollback measures." }, { "id": "CC6.7-evidence", "type": "evidence", - "description": "Change management records" + "description": "Change logs, approval records, and configuration management documentation." } ] }, 
@@ -589,43 +624,43 @@ { "id": "CC6.8-policy", "type": "policy", - "description": "Malware prevention policy", - "policyId": "password_policy" + "description": "Reference to the Information Security Policy that requires the use of antivirus, anti-malware, and threat detection solutions.", + "policyId": "information_security" }, { "id": "CC6.8-procedure", "type": "procedure", - "description": "Malware prevention procedures" + "description": "Procedures for scanning, detecting, and responding to malware incidents on endpoints and networks." }, { "id": "CC6.8-evidence", "type": "evidence", - "description": "Malware prevention configurations" + "description": "Antivirus logs, malware detection alerts, and remediation records." } ] }, "CC7.1": { "code": "CC7.1", "name": "Infrastructure Monitoring", - "description": "To detect and act upon security events in a timely manner, the organization monitors system capacity, security threats, changing regulatory requirements, and other system vulnerabilities.", + "description": "To detect and act upon security events in a timely manner, the organization monitors system capacity, security threats, and vulnerabilities.", "domain": "System Operations", "categoryId": "CC7", "requirements": [ { "id": "CC7.1-policy", "type": "policy", - "description": "Infrastructure monitoring policy", - "policyId": "password_policy" + "description": "Reference to the Information Security Policy that outlines monitoring requirements for infrastructure and systems.", + "policyId": "information_security" }, { "id": "CC7.1-procedure", "type": "procedure", - "description": "Infrastructure monitoring procedures" + "description": "Procedures for real-time monitoring of infrastructure performance, security events, and system vulnerabilities." }, { "id": "CC7.1-evidence", "type": "evidence", - "description": "Infrastructure monitoring reports" + "description": "Monitoring tool reports, alert logs, and incident tracking records." } ] }, 
@@ -639,18 +674,18 @@ { "id": "CC7.2-policy", "type": "policy", - "description": "Incident response policy", - "policyId": "password_policy" + "description": "Reference to the Incident Response Policy that defines roles, responsibilities, and procedures for addressing security events.", + "policyId": "incident_response" }, { "id": "CC7.2-procedure", "type": "procedure", - "description": "Incident response procedures" + "description": "Procedures for detecting, containing, eradicating, and recovering from security incidents." }, { "id": "CC7.2-evidence", "type": "evidence", - "description": "Incident response records" + "description": "Incident logs, response drill reports, and post-incident review documentation." } ] }, @@ -664,18 +699,18 @@ { "id": "CC7.3-policy", "type": "policy", - "description": "Recovery policy", - "policyId": "password_policy" + "description": "Reference to the Business Continuity & Disaster Recovery Policy that outlines strategies for restoring systems and data.", + "policyId": "business_continuity_dr" }, { "id": "CC7.3-procedure", "type": "procedure", - "description": "Recovery procedures" + "description": "Procedures for restoring systems and data following a security incident, including backup restoration and validation." }, { "id": "CC7.3-evidence", "type": "evidence", - "description": "Recovery test results" + "description": "Recovery test results, restoration logs, and incident recovery reports." } ] }, 
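Review bot: The `policyId` value `business_continuity_dr` introduced for CC7.3 here (and reused for CC9.1, CC9.9 and A1.3 further down this diff) does not match the policy file this same commit adds, `packages/data/policies/business_continuity.json`, whereas the other new ids (`access_control`, `information_security`, `incident_response`, …) look like they follow the file name; the new `access_control.json` carries metadata id `access-control-policy`, so resolution is evidently not by metadata id either. If the seeder or the framework UI resolves `policyId` by file name, these four references will dangle silently, exactly as the old placeholder `password_policy` on every control did. Either rename the file to `business_continuity_dr.json`, change the four references to `"policyId": "business_continuity"`, or add a load-time check that every `policyId` in the framework data resolves to a known policy so a bad mapping fails the seed instead of shipping. The enclosing control map starts and ends outside this hunk.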
@@ -689,18 +724,18 @@ { "id": "CC7.4-policy", "type": "policy", - "description": "Incident analysis policy", - "policyId": "password_policy" + "description": "Reference to the Incident Response Policy that requires root cause analysis for security incidents.", + "policyId": "incident_response" }, { "id": "CC7.4-procedure", "type": "procedure", - "description": "Incident analysis procedures" + "description": "Procedures for conducting root cause analysis and developing remediation plans for recurring issues." }, { "id": "CC7.4-evidence", "type": "evidence", - "description": "Incident analysis reports" + "description": "Incident analysis reports, lessons learned documentation, and remediation tracking records." } ] }, @@ -714,18 +749,18 @@ { "id": "CC7.5-policy", "type": "policy", - "description": "Security event communication policy", - "policyId": "password_policy" + "description": "Reference to the Incident Response Policy that defines processes for internal and external incident notifications.", + "policyId": "incident_response" }, { "id": "CC7.5-procedure", "type": "procedure", - "description": "Security event communication procedures" + "description": "Procedures for timely communication of security incidents to stakeholders, regulators, and internal teams." }, { "id": "CC7.5-evidence", "type": "evidence", - "description": "Security event communication records" + "description": "Communication logs, notifications, and records of stakeholder communications during incidents." } ] }, 
@@ -739,18 +774,18 @@ { "id": "CC8.1-policy", "type": "policy", - "description": "Change authorization policy", - "policyId": "password_policy" + "description": "Reference to the Change Management Policy that establishes controls for reviewing, approving, and documenting changes.", + "policyId": "change_management" }, { "id": "CC8.1-procedure", "type": "procedure", - "description": "Change authorization procedures" + "description": "Procedures for submitting, reviewing, and approving changes, including emergency change processes." }, { "id": "CC8.1-evidence", "type": "evidence", - "description": "Change authorization records" + "description": "Change request logs, approval records, and post-change review reports." } ] }, @@ -764,18 +799,18 @@ { "id": "CC9.1-policy", "type": "policy", - "description": "Business continuity policy", - "policyId": "password_policy" + "description": "Reference to the Business Continuity & Disaster Recovery Policy that outlines recovery objectives, strategies, and responsibilities.", + "policyId": "business_continuity_dr" }, { "id": "CC9.1-procedure", "type": "procedure", - "description": "Business continuity procedures" + "description": "Procedures for conducting business impact analyses, backup operations, and disaster recovery testing." }, { "id": "CC9.1-evidence", "type": "evidence", - "description": "Business continuity plans" + "description": "Business continuity plans, BIA reports, and disaster recovery test results." } ] }, 
@@ -789,18 +824,18 @@ { "id": "CC9.2-policy", "type": "policy", - "description": "Vendor risk management policy", - "policyId": "password_policy" + "description": "Reference to the Vendor Risk Management Policy outlining criteria for vendor selection, risk assessment, and ongoing monitoring.", + "policyId": "vendor_risk_management" }, { "id": "CC9.2-procedure", "type": "procedure", - "description": "Vendor risk management procedures" + "description": "Procedures for assessing vendor risk through questionnaires, audits, and continuous monitoring." }, { "id": "CC9.2-evidence", "type": "evidence", - "description": "Vendor risk assessments" + "description": "Vendor risk assessment reports, due diligence records, and contract reviews." } ] }, @@ -814,18 +849,18 @@ { "id": "CC9.9-policy", "type": "policy", - "description": "BC/DR testing policy", - "policyId": "password_policy" + "description": "Reference to the Business Continuity & Disaster Recovery Policy that defines testing frequency, methodologies, and remediation procedures.", + "policyId": "business_continuity_dr" }, { "id": "CC9.9-procedure", "type": "procedure", - "description": "BC/DR testing procedures" + "description": "Procedures for conducting regular BC/DR tests and documenting test results with follow-up actions." }, { "id": "CC9.9-evidence", "type": "evidence", - "description": "BC/DR test results" + "description": "Test reports, remediation logs, and updated BC/DR plans." } ] }, 
@@ -835,7 +870,24 @@ "description": "The entity maintains commitments to ensure systems are available for operation.", "domain": "Availability", "categoryId": "A1", - "requirements": [] + "requirements": [ + { + "id": "A1.1-policy", + "type": "policy", + "description": "Reference to the Availability Policy that outlines uptime, performance, and service level requirements.", + "policyId": "availability" + }, + { + "id": "A1.1-procedure", + "type": "procedure", + "description": "Procedures for monitoring system availability, reporting outages, and ensuring continuity of operations." + }, + { + "id": "A1.1-evidence", + "type": "evidence", + "description": "Uptime reports, incident logs, and SLA monitoring records." + } + ] }, "A1.2": { "code": "A1.2", @@ -843,7 +895,24 @@ "description": "The entity monitors and manages system capacity to meet demands.", "domain": "Availability", "categoryId": "A1", - "requirements": [] + "requirements": [ + { + "id": "A1.2-policy", + "type": "policy", + "description": "Reference to the Availability Policy defining procedures for monitoring, forecasting, and managing system capacity.", + "policyId": "availability" + }, + { + "id": "A1.2-procedure", + "type": "procedure", + "description": "Procedures for capacity analysis, resource allocation, and performance tuning." + }, + { + "id": "A1.2-evidence", + "type": "evidence", + "description": "Capacity reports, trend analysis, and resource utilization logs." + } + ] }, "A1.3": { "code": "A1.3", 
@@ -851,7 +920,24 @@ "description": "The entity has controls to restore system availability after incidents.", "domain": "Availability", "categoryId": "A1", - "requirements": [] + "requirements": [ + { + "id": "A1.3-policy", + "type": "policy", + "description": "Reference to the Business Continuity & Disaster Recovery Policy that outlines procedures to restore services after an outage.", + "policyId": "business_continuity_dr" + }, + { + "id": "A1.3-procedure", + "type": "procedure", + "description": "Procedures for incident response, recovery, and restoration of systems after an outage." + }, + { + "id": "A1.3-evidence", + "type": "evidence", + "description": "Incident recovery test results, post-incident reviews, and restoration logs." + } + ] }, "C1.1": { "code": "C1.1", @@ -863,13 +949,18 @@ { "id": "C1.1-policy", "type": "policy", - "description": "Information classification policy", - "policyId": "password_policy" + "description": "Reference to the Data Classification Policy that outlines classification levels and handling requirements for confidential information.", + "policyId": "data_classification" }, { "id": "C1.1-procedure", "type": "procedure", - "description": "Information classification procedures" + "description": "Procedures for classifying, labeling, and handling confidential information." + }, + { + "id": "C1.1-evidence", + "type": "evidence", + "description": "Data classification records, labeling practices, and access control lists for confidential information." } ] }, 
@@ -883,13 +974,18 @@ { "id": "C1.2-policy", "type": "policy", - "description": "Confidential data access policy", - "policyId": "password_policy" + "description": "Reference to the Data Classification Policy which includes controls for restricting access to confidential information.", + "policyId": "data_classification" }, { "id": "C1.2-procedure", "type": "procedure", - "description": "Confidential data access procedures" + "description": "Procedures for granting, monitoring, and revoking access to confidential data based on need-to-know." + }, + { + "id": "C1.2-evidence", + "type": "evidence", + "description": "Access logs, periodic access reviews, and certification records." } ] }, @@ -903,13 +999,18 @@ { "id": "C1.3-policy", "type": "policy", - "description": "Data disposal policy", - "policyId": "password_policy" + "description": "Reference to the Data Classification Policy which includes provisions for secure data disposal.", + "policyId": "data_classification" }, { "id": "C1.3-procedure", "type": "procedure", - "description": "Data disposal procedures" + "description": "Procedures for secure data destruction and disposal (electronic and physical)." + }, + { + "id": "C1.3-evidence", + "type": "evidence", + "description": "Disposal records, certificates of destruction, and audit logs." } ] }, @@ -923,13 +1024,18 @@ { "id": "PI1.1-policy", "type": "policy", - "description": "Data accuracy policy", - "policyId": "password_policy" + "description": "Reference to the Information Security Policy that addresses data accuracy and completeness.", + "policyId": "information_security" }, { "id": "PI1.1-procedure", "type": "procedure", - "description": "Data accuracy procedures" + "description": "Procedures for validating data inputs and outputs to ensure completeness and accuracy." + }, + { + "id": "PI1.1-evidence", + "type": "evidence", + "description": "Data validation reports, exception logs, and audit records." } ] }, 
@@ -943,13 +1049,18 @@ { "id": "PI1.2-policy", "type": "policy", - "description": "Data processing controls policy", - "policyId": "password_policy" + "description": "Reference to the Information Security Policy that outlines controls over data processing.", + "policyId": "information_security" }, { "id": "PI1.2-procedure", "type": "procedure", - "description": "Data processing control procedures" + "description": "Procedures for ensuring proper validation, error handling, and reconciliation during data processing." + }, + { + "id": "PI1.2-evidence", + "type": "evidence", + "description": "Data processing logs, validation reports, and exception handling records." } ] }, @@ -963,13 +1074,18 @@ { "id": "PI1.3-policy", "type": "policy", - "description": "Exception handling policy", - "policyId": "password_policy" + "description": "Reference to the Information Security Policy that outlines procedures for handling processing exceptions.", + "policyId": "information_security" }, { "id": "PI1.3-procedure", "type": "procedure", - "description": "Exception handling procedures" + "description": "Procedures for detecting exceptions, escalating issues, and documenting resolutions." + }, + { + "id": "PI1.3-evidence", + "type": "evidence", + "description": "Exception logs, resolution documentation, and process improvement records." } ] }, @@ -983,13 +1099,18 @@ { "id": "P1.1-policy", "type": "policy", - "description": "Privacy notice policy", - "policyId": "password_policy" + "description": "Reference to the Privacy Policy that informs individuals about personal data collection, usage, and disclosure practices.", + "policyId": "privacy" }, { "id": "P1.1-procedure", "type": "procedure", - "description": "Privacy notice procedures" + "description": "Procedures for distributing and updating the privacy notice." + }, + { + "id": "P1.1-evidence", + "type": "evidence", + "description": "Copies of the privacy notice, version history, and distribution logs." } ] }, 
@@ -1003,13 +1124,18 @@ { "id": "P1.2-policy", "type": "policy", - "description": "Consent policy", - "policyId": "password_policy" + "description": "Reference to the Privacy Policy that requires explicit consent for the collection and processing of personal data.", + "policyId": "privacy" }, { "id": "P1.2-procedure", "type": "procedure", - "description": "Consent procedures" + "description": "Procedures for obtaining, recording, and managing individual consent." + }, + { + "id": "P1.2-evidence", + "type": "evidence", + "description": "Consent records, opt-in logs, and audit trails for consent management." } ] }, @@ -1023,13 +1149,18 @@ { "id": "P1.3-policy", "type": "policy", - "description": "Data retention policy", - "policyId": "password_policy" + "description": "Reference to the Privacy Policy that defines retention periods and secure disposal methods for personal data.", + "policyId": "privacy" }, { "id": "P1.3-procedure", "type": "procedure", - "description": "Data retention procedures" + "description": "Procedures for reviewing, archiving, and securely disposing of personal data." + }, + { + "id": "P1.3-evidence", + "type": "evidence", + "description": "Retention schedules, disposal logs, and certificates of data destruction." } ] } diff --git a/packages/data/policies/access.json b/packages/data/policies/access.json deleted file mode 100644 index 4c7c1c129e..0000000000 --- a/packages/data/policies/access.json +++ /dev/null 
@@ -1,507 +0,0 @@ -{ - "type": "doc", - "metadata": { - "id": "access-onboarding-and-termination-policy", - "slug": "access-onboarding-and-termination-policy", - "name": "Access Onboarding and Termination Policy", - "description": "This policy outlines the procedures for onboarding and offboarding users to technical infrastructure.", - "usedBy": { - "soc2": ["CC6.1", "CC6.2", "CC6.4", "CC6.8"] - } - }, - "content": [ - { - "type": "heading", - "attrs": { - "level": 1 - }, - "content": [ - { - "type": "text", - "text": "Access Onboarding and Termination Policy" - } - ] - }, - { - "type": "heading", - "attrs": { - "level": 2 - }, - "content": [ - { - "type": "text", - "text": "Policy Information" - } - ] - }, - { - "type": "table", - "content": [ - { - "type": "tableRow", - "content": [ - { - "type": "tableCell", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "Organization" - } - ] - } - ] - }, - { - "type": "tableCell", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "Last Review" - } - ] - } - ] - }, - { - "type": "tableCell", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "Review Frequency" - } - ] - } - ] - }, - { - "type": "tableCell", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "Approved By" - } - ] - } - ] - }, - { - "type": "tableCell", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "Classification" - } - ] - } - ] - } - ] - }, - { - "type": "tableRow", - "content": [ - { - "type": "tableCell", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "{{organization}}" - } - ] - } - ] - }, - { - "type": "tableCell", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "{{date}}" - } - ] - } - ] - }, - { - "type": "tableCell", - "content": [ - { - "type": "paragraph", - "content": [ - 
{ - "type": "text", - "text": "Annual" - } - ] - } - ] - }, - { - "type": "tableCell", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "Chief Information Security Officer" - } - ] - } - ] - }, - { - "type": "tableCell", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "Confidential" - } - ] - } - ] - } - ] - } - ] - }, - { - "type": "heading", - "attrs": { "level": 2 }, - "content": [{ "type": "text", "text": "Revision History" }] - }, - { - "type": "table", - "content": [ - { - "type": "tableRow", - "content": [ - { - "type": "tableCell", - "content": [{ "type": "text", "text": "Version" }] - }, - { - "type": "tableCell", - "content": [{ "type": "text", "text": "Date" }] - }, - { - "type": "tableCell", - "content": [{ "type": "text", "text": "Description" }] - } - ] - }, - { - "type": "tableRow", - "content": [ - { - "type": "tableCell", - "content": [{ "type": "text", "text": "1.0" }] - }, - { - "type": "tableCell", - "content": [{ "type": "text", "text": "{{date}}" }] - }, - { - "type": "tableCell", - "content": [{ "type": "text", "text": "Initial document" }] - } - ] - } - ] - }, - { - "type": "heading", - "attrs": { "level": 2 }, - "content": [{ "type": "text", "text": "Purpose and Scope" }] - }, - { - "type": "orderedList", - "attrs": { "tight": true, "start": 1 }, - "content": [ - { - "type": "listItem", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "The purpose of this policy is to define procedures to onboard and offboard users to technical infrastructure in a manner that minimizes the risk of information loss or exposure." - } - ] - } - ] - }, - { - "type": "listItem", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "This policy applies to all technical infrastructure within the organization." 
- } - ] - } - ] - }, - { - "type": "listItem", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "This policy applies to all full-time and part-time employees and contractors." - } - ] - } - ] - } - ] - }, - { - "type": "heading", - "attrs": { "level": 2 }, - "content": [{ "type": "text", "text": "Background" }] - }, - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "The organization relies on the principle of least privilege to minimize the risk of information loss or exposure (from both inside and outside the organization). Account creation and permission levels are restricted to only the resources absolutely needed to perform each person's job duties. When a user's role within the organization changes, those accounts and permission levels are changed/revoked to fit the new role and disabled when the user leaves the organization altogether." - } - ] - }, - { - "type": "heading", - "attrs": { "level": 2 }, - "content": [{ "type": "text", "text": "Policy" }] - }, - { - "type": "heading", - "attrs": { "level": 3 }, - "content": [{ "type": "text", "text": "During Onboarding" }] - }, - { - "type": "orderedList", - "attrs": { "tight": true, "start": 1 }, - "content": [ - { - "type": "listItem", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "Hiring Manager informs HR upon hire of a new employee." - } - ] - } - ] - }, - { - "type": "listItem", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "HR emails IT to inform them of a new hire and their role." - } - ] - } - ] - }, - { - "type": "listItem", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "IT creates a checklist of accounts and permission levels needed for that role." 
- } - ] - } - ] - }, - { - "type": "listItem", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "The owner of each resource reviews and approves account creation and the associated permissions." - } - ] - } - ] - }, - { - "type": "listItem", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "IT works with the owner of each resource to set up the user." - } - ] - } - ] - } - ] - }, - { - "type": "heading", - "attrs": { "level": 3 }, - "content": [{ "type": "text", "text": "During Offboarding" }] - }, - { - "type": "orderedList", - "attrs": { "tight": true, "start": 1 }, - "content": [ - { - "type": "listItem", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "Hiring Manager notifies HR when an employee has been terminated." - } - ] - } - ] - }, - { - "type": "listItem", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "HR sends a weekly email report to IT summarizing list of users terminated and instructs IT to disable their access." - } - ] - } - ] - }, - { - "type": "listItem", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "IT terminates access within five business days from receipt of notification." - } - ] - } - ] - } - ] - }, - { - "type": "heading", - "attrs": { "level": 3 }, - "content": [{ "type": "text", "text": "Role Changes" }] - }, - { - "type": "orderedList", - "attrs": { "tight": true, "start": 1 }, - "content": [ - { - "type": "listItem", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "Hiring Manager will inform HR of a change in role." - } - ] - } - ] - }, - { - "type": "listItem", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "HR and IT will follow the same steps as outlined in the onboarding and offboarding procedures." 
- } - ] - } - ] - } - ] - }, - { - "type": "heading", - "attrs": { "level": 3 }, - "content": [{ "type": "text", "text": "Account Reviews" }] - }, - { - "type": "orderedList", - "attrs": { "tight": true, "start": 1 }, - "content": [ - { - "type": "listItem", - "content": [ - { - "type": "paragraph", - "content": [ - { - "type": "text", - "text": "Each month, IT and HR will review accounts and permission levels for accuracy." - } - ] - } - ] - } - ] - } - ] -} diff --git a/packages/data/policies/access_control.json b/packages/data/policies/access_control.json new file mode 100644 index 0000000000..e0aa5c92c0 --- /dev/null +++ b/packages/data/policies/access_control.json 
@@ -0,0 +1,151 @@ +{ + "type": "doc", + "metadata": { + "id": "access-control-policy", + "slug": "access-control-policy", + "name": "Access Control Policy", + "description": "This policy defines the requirements for granting, monitoring, and revoking access to the organization’s information systems and data based on the principle of least privilege.", + "usedBy": { + "soc2": ["CC6.1", "CC6.2", "CC6.3", "CC6.4", "CC6.5", "CC6.6"] + } + }, + "content": [ + { + "type": "heading", + "attrs": { "level": 1 }, + "content": [{ "type": "text", "text": "Access Control Policy" }] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy Information" }] + }, + { + "type": "table", + "content": [ + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Organization" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Last Review" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Review Frequency" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Approved By" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Classification" }] + } + ] + }, + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{organization}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{date}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Annual" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "CISO" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Restricted" }] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Purpose and Scope" }] + }, + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "This policy governs access to all organizational systems and data. 
It is designed to enforce the principle of least privilege and protect sensitive information from unauthorized access." + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Access rights must be granted based on business need and reviewed periodically." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "User authentication must incorporate strong passwords and multi-factor authentication." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Access privileges must be promptly revoked upon termination or role change." + } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "References" }] + } + ] +} diff --git a/packages/data/policies/business_continuity.json b/packages/data/policies/business_continuity.json new file mode 100644 index 0000000000..d93dd72655 --- /dev/null +++ b/packages/data/policies/business_continuity.json 
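Review bot: The `"References"` heading that closes this file has nothing beneath it, so the rendered policy ends with an empty section; the same dangling heading closes business_continuity.json and change_management.json in this commit, whereas corporate_governance.json follows its heading with an `orderedList` of referenced policies. Either add the cited policies here in that same `{ "type": "orderedList", "attrs": { "tight": true }, "content": [...] }` shape or drop the heading until there is something to cite, and do the same in the other two files.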
@@ -0,0 +1,158 @@ +{ + "type": "doc", + "metadata": { + "id": "business-continuity-dr-policy", + "slug": "business-continuity-dr-policy", + "name": "Business Continuity & Disaster Recovery Policy", + "description": "This policy outlines the strategies and procedures for ensuring the availability of critical systems and data during and after a disruptive event.", + "usedBy": { + "soc2": ["CC7.3", "A1.3", "CC9.1", "CC9.9"] + } + }, + "content": [ + { + "type": "heading", + "attrs": { "level": 1 }, + "content": [ + { + "type": "text", + "text": "Business Continuity & Disaster Recovery Policy" + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy Information" }] + }, + { + "type": "table", + "content": [ + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Organization" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Last Review" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Review Frequency" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Approved By" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Classification" }] + } + ] + }, + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{organization}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{date}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Annual" }] + }, + { + "type": "tableCell", + "content": [ + { "type": "text", "text": "IT & Business Continuity Committee" } + ] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Confidential" }] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Purpose and Scope" }] + }, + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": 
"This policy provides guidelines and procedures to ensure the continuous operation of critical business processes and the rapid recovery of IT systems following a disruptive event." + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Identify critical business functions and define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Develop, maintain, and test business continuity and disaster recovery plans." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Ensure backup systems, data redundancy, and failover mechanisms are in place." + } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "References" }] + } + ] +} diff --git a/packages/data/policies/change_management.json b/packages/data/policies/change_management.json new file mode 100644 index 0000000000..9d903223ee --- /dev/null +++ b/packages/data/policies/change_management.json 
@@ -0,0 +1,151 @@ +{ + "type": "doc", + "metadata": { + "id": "change-management-policy", + "slug": "change-management-policy", + "name": "Change Management Policy", + "description": "This policy defines the process for requesting, reviewing, approving, and documenting changes to the organization's information systems and infrastructure.", + "usedBy": { + "soc2": ["CC3.4", "CC8.1", "CC6.7"] + } + }, + "content": [ + { + "type": "heading", + "attrs": { "level": 1 }, + "content": [{ "type": "text", "text": "Change Management Policy" }] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy Information" }] + }, + { + "type": "table", + "content": [ + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Organization" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Last Review" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Review Frequency" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Approved By" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Classification" }] + } + ] + }, + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{organization}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{date}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Annual" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "IT Management" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Restricted" }] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Purpose and Scope" }] + }, + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "This policy outlines the process for managing changes to systems and infrastructure, ensuring all 
modifications are reviewed, approved, tested, and documented." + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "All change requests must be submitted via the designated change management system." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Changes must be reviewed and approved by the Change Advisory Board (CAB) before implementation, except for approved emergency changes." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Post-implementation reviews must be conducted to ensure changes did not negatively impact operations." + } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "References" }] + } + ] +} diff --git a/packages/data/policies/code_of_conduct.json b/packages/data/policies/code_of_conduct.json new file mode 100644 index 0000000000..5c7d6d024a --- /dev/null +++ b/packages/data/policies/code_of_conduct.json 
@@ -0,0 +1,355 @@ +{ + "type": "doc", + "metadata": { + "controls": ["CC1.1", "CC6.1"] + }, + "content": [ + { + "type": "heading", + "attrs": { "level": 1 }, + "content": [{ "type": "text", "text": "Code of Conduct Policy" }] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy Information" }] + }, + { + "type": "table", + "content": [ + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Organization" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Last Review" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Review Frequency" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Approved By" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Classification" }] + } + ] + }, + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{organization}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{date}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Annual" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Human Resources" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Confidential" }] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Purpose and Scope" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "The purpose of this policy is to define expected behavior from employees towards their colleagues, supervisors, and the organization as a whole." 
+ } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "All employees and contractors must follow this policy as outlined in their Employment Offer Letter or Independent Contractor Agreement while performing their duties." + } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Compliance with Law: Employees must understand and comply with environmental, safety, and fair dealing laws while ensuring ethical and responsible conduct in their job duties." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Respect in the Workplace: Discriminatory behavior, harassment, or victimization is strictly prohibited." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Protection of Company Property: Employees must not misuse company equipment, respect intellectual property, and protect material property from damage." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Personal Appearance: Employees must present themselves in a professional manner and adhere to the company dress code." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Corruption: Employees must not accept bribes or inappropriate gifts from clients or partners." 
+ } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Job Duties and Authority: Employees must act with integrity, respect team members, and avoid abuse of authority when delegating responsibilities." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Absenteeism and Tardiness: Employees must adhere to their designated work schedules unless exceptions are approved by their hiring manager." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Conflict of Interest: Employees must avoid personal or financial interests that interfere with their job duties." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Collaboration: Employees must promote a positive and cooperative work environment." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Communication: Employees must maintain open and professional communication with colleagues and supervisors." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Benefits: Employees must not abuse employment benefits, such as time off, insurance, or company resources." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Policy Adherence: Employees must comply with all company policies. Questions should be directed to HR or their hiring manager." 
+ } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Disciplinary Actions" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Violations of this policy may result in disciplinary actions, including but not limited to:" + } + ] + }, + { + "type": "bulletList", + "content": [ + { + "type": "listItem", + "content": [{ "type": "text", "text": "Demotion" }] + }, + { + "type": "listItem", + "content": [{ "type": "text", "text": "Reprimand" }] + }, + { + "type": "listItem", + "content": [ + { "type": "text", "text": "Suspension or termination" } + ] + }, + { + "type": "listItem", + "content": [ + { "type": "text", "text": "Reduction of benefits" } + ] + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Serious violations such as corruption, theft, or embezzlement may result in legal action." + } + ] + } + ] + } + ] + } + ] +} diff --git a/packages/data/policies/confidentiality.json b/packages/data/policies/confidentiality.json new file mode 100644 index 0000000000..4ef6409b2a --- /dev/null +++ b/packages/data/policies/confidentiality.json 
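Review bot: The metadata block at the top of this hunk is `{ "controls": ["CC1.1", "CC6.1"] }` with no `id`, `slug`, `name`, `description` or `usedBy`, unlike access_control.json, business_continuity.json, change_management.json and corporate_governance.json in the same commit, which all carry the fuller shape; confidentiality.json (and the cut-off cyber_risk.json hunk) use the bare `controls` form too. A loader that keys policies on `metadata.id` or walks `metadata.usedBy.soc2` cannot find these documents, so one shape should be chosen and applied to all seven files. Separately, the four `bulletList` items under "Disciplinary Actions" place a bare `{ "type": "text", ... }` node directly in `listItem.content`, whereas every other listItem in these files wraps its text in a `paragraph` node; if the editor schema expects block content inside listItem, these should be wrapped the same way, e.g. `"content": [{ "type": "paragraph", "content": [{ "type": "text", "text": "Demotion" }] }]`.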
@@ -0,0 +1,346 @@ +{ + "type": "doc", + "metadata": { + "controls": ["CC9.9", "CC6.1"] + }, + "content": [ + { + "type": "heading", + "attrs": { "level": 1 }, + "content": [{ "type": "text", "text": "Confidentiality Policy" }] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy Information" }] + }, + { + "type": "table", + "content": [ + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Organization" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Last Review" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Review Frequency" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Approved By" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Classification" }] + } + ] + }, + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{organization}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{date}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Annual" }] + }, + { + "type": "tableCell", + "content": [ + { "type": "text", "text": "Chief Information Security Officer" } + ] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Confidential" }] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Purpose and Scope" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "The purpose of this policy is to define guidelines for maintaining the confidentiality of sensitive and proprietary information within the organization." 
+ } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "This policy applies to all employees, contractors, third-party vendors, and other individuals who access confidential information belonging to the organization." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Confidential information includes, but is not limited to, customer data, trade secrets, intellectual property, financial records, employee records, and other sensitive organizational data." + } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [ + { "type": "text", "text": "Confidential Information Handling" } + ] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Confidential information must be accessed only by authorized individuals with a legitimate business need." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Confidential data must be encrypted at rest and in transit to prevent unauthorized access." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Employees must use company-approved systems and communication channels for handling confidential data." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Unauthorized disclosure, duplication, or transmission of confidential data is strictly prohibited." 
+ } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [ + { "type": "text", "text": "Non-Disclosure Agreements (NDAs)" } + ] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "All employees, contractors, and third-party vendors must sign a Non-Disclosure Agreement (NDA) before accessing confidential information." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "NDAs outline obligations to protect and prevent the unauthorized use or disclosure of confidential information." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Violations of an NDA may result in disciplinary action, contract termination, and potential legal consequences." + } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Access Control Measures" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Access to confidential information is based on the principle of least privilege (PoLP)." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Users must authenticate via company-approved methods (e.g., Multi-Factor Authentication) before accessing confidential data." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Confidential data must not be stored on personal devices unless explicitly authorized." 
+ } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [ + { "type": "text", "text": "Incident Reporting and Enforcement" } + ] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Employees must report any suspected or actual breaches of confidentiality to the Information Security Manager (ISM) immediately." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Violations of this policy may result in disciplinary actions, including termination of employment or legal action." + } + ] + } + ] + } + ] + } + ] +} diff --git a/packages/data/policies/corporate_governance.json b/packages/data/policies/corporate_governance.json new file mode 100644 index 0000000000..ec28df284a --- /dev/null +++ b/packages/data/policies/corporate_governance.json 
@@ -0,0 +1,234 @@ +{ + "type": "doc", + "metadata": { + "id": "corporate-governance-policy", + "slug": "corporate-governance-policy", + "name": "Corporate Governance Policy", + "description": "This policy defines the overall governance framework including board oversight, management responsibilities, and organizational structure to ensure effective oversight and accountability.", + "usedBy": { + "soc2": ["CC1.1", "CC1.2", "CC1.5", "CC2.2", "CC2.3"] + } + }, + "content": [ + { + "type": "heading", + "attrs": { "level": 1 }, + "content": [{ "type": "text", "text": "Corporate Governance Policy" }] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy Information" }] + }, + { + "type": "table", + "content": [ + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Organization" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Last Review" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Review Frequency" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Approved By" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Classification" }] + } + ] + }, + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{organization}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{date}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Annual" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Board of Directors" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Confidential" }] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Revision History" }] + }, + { + "type": "table", + "content": [ + { + "type": "tableRow", + "content": [ + { + "type": 
"tableCell", + "content": [{ "type": "text", "text": "Version" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Date" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Description" }] + } + ] + }, + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "1.0" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{date}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Initial version" }] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Purpose and Scope" }] + }, + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "This policy provides a framework for effective governance by outlining the responsibilities of the board, senior management, and related committees. It applies to all members of the board and senior leadership." + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy" }] + }, + { + "type": "heading", + "attrs": { "level": 3 }, + "content": [ + { + "type": "text", + "text": "Board Oversight and Management Responsibilities" + } + ] + }, + { + "type": "orderedList", + "attrs": { "tight": true }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Ensure the board maintains independence from management." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Review and approve internal control frameworks and risk management reports regularly." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Establish committees and processes for oversight of key business functions." 
+ } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Review and update this policy at least annually." + } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "References" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [{ "type": "text", "text": "Risk Management Policy" }] + } + ] + } + ] + } + ] +} diff --git a/packages/data/policies/cyber_risk.json b/packages/data/policies/cyber_risk.json new file mode 100644 index 0000000000..373cbdc604 --- /dev/null +++ b/packages/data/policies/cyber_risk.json 
@@ -0,0 +1,317 @@ +{ + "type": "doc", + "metadata": { + "controls": ["CC1.1", "CC1.2", "CC1.3", "CC1.4", "CC1.5"] + }, + "content": [ + { + "type": "heading", + "attrs": { "level": 1 }, + "content": [{ "type": "text", "text": "Cyber Risk Assessment Policy" }] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy Information" }] + }, + { + "type": "table", + "content": [ + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Organization" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Last Review" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Review Frequency" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Approved By" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Classification" }] + } + ] + }, + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{organization}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{date}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Annual" }] + }, + { + "type": "tableCell", + "content": [ + { "type": "text", "text": "Chief Information Security Officer" } + ] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Confidential" }] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Purpose and Scope" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "The purpose of this policy is to establish a structured approach for conducting cyber risk assessments to identify, evaluate, and mitigate cybersecurity threats to the organization." 
+ } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "This policy applies to all employees, contractors, and third parties responsible for cybersecurity risk management within the organization." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Cyber risk assessments must be conducted on all critical systems, networks, and applications to ensure compliance with security policies and regulatory requirements." + } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Cyber Risk Assessment Process" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "The organization must establish a cyber risk assessment methodology that includes identifying assets, assessing threats, evaluating vulnerabilities, and determining potential impact." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "All risks must be documented in a cyber risk register and categorized based on severity and business impact." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Cyber risk assessments must be conducted at least annually and whenever significant changes to the IT infrastructure or threat landscape occur." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Identified risks must be assigned an owner responsible for implementing appropriate mitigation measures." 
+ } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [ + { "type": "text", "text": "Cyber Risk Mitigation Strategies" } + ] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "The organization must implement cyber risk mitigation strategies based on the severity of identified risks, including risk avoidance, acceptance, transfer, or reduction." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Cybersecurity controls such as firewalls, encryption, endpoint protection, and access controls must be implemented to reduce risk to an acceptable level." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Cyber risk treatment plans must be reviewed periodically to ensure their continued effectiveness." + } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Reporting and Compliance" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Cyber risk assessment results must be reported to senior management and cybersecurity stakeholders for informed decision-making." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "The organization must comply with industry standards, regulations, and best practices for cybersecurity risk management." 
+ } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Cyber risk assessments must be updated periodically to adapt to evolving cyber threats and business changes." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Non-compliance with this policy may result in corrective actions, including enhanced security controls, additional training, or disciplinary measures." + } + ] + } + ] + } + ] + } + ] +} diff --git a/packages/data/policies/data_center.json b/packages/data/policies/data_center.json new file mode 100644 index 0000000000..e453e5fa0b --- /dev/null +++ b/packages/data/policies/data_center.json 
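Review bot: The `metadata` object at the top of this hunk carries only a bare `controls` array, while data_classification.json, human_resources.json, incident_response.json and information_security.json in the same commit use `id`, `slug`, `name`, `description` and `usedBy.soc2`; data_center.json and disaster_recovery.json follow this hunk's bare form. The loader that consumes these templates is not visible here, but it can only be written against one of the two shapes, so one set will presumably be skipped or lose its control mapping, and the bare `controls` form also leaves the framework of the `CC*` IDs implicit. Suggest bringing this file (and the other two) onto the richer form: add `id`, `slug`, `name` and `description` keys and move the control list under `"usedBy": { "soc2": [...] }`. Separately, several statements in this hunk ("reviewed periodically", "updated periodically") and in data_center.json and disaster_recovery.json state no interval, although the Policy Information table fixes the review frequency as Annual; as control statements they are not testable as written, so consider `"text": "Cyber risk treatment plans must be reviewed at least annually to ensure their continued effectiveness."` and the same for the other occurrences.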
@@ -0,0 +1,358 @@ +{ + "type": "doc", + "metadata": { + "controls": ["CC6.1", "CC6.2", "CC8.1", "CC7.1"] + }, + "content": [ + { + "type": "heading", + "attrs": { "level": 1 }, + "content": [{ "type": "text", "text": "Datacenter Policy" }] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy Information" }] + }, + { + "type": "table", + "content": [ + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Organization" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Last Review" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Review Frequency" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Approved By" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Classification" }] + } + ] + }, + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{organization}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{date}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Annual" }] + }, + { + "type": "tableCell", + "content": [ + { "type": "text", "text": "Chief Information Security Officer" } + ] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Confidential" }] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Purpose and Scope" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "The purpose of this policy is to define security and operational requirements for the organization's datacenter facilities to ensure protection, availability, and reliability of critical systems and data." 
+ } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "This policy applies to all employees, contractors, vendors, and third-party service providers who access or maintain datacenter infrastructure." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "All datacenter locations, including on-premises, colocation, and cloud facilities that host the organization's critical IT infrastructure, fall under this policy's scope." + } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [ + { "type": "text", "text": "Datacenter Security Requirements" } + ] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Datacenters must have physical security controls such as access restrictions, video surveillance, and intrusion detection systems." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Access to the datacenter must be granted only to authorized personnel with a legitimate business need." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Visitor access must be logged, monitored, and restricted to authorized escorts within the facility." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Multi-factor authentication must be required for personnel accessing restricted areas of the datacenter." 
+ } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Environmental Controls" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Datacenters must have redundant power supplies and backup generators to ensure continuous operation." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Temperature and humidity must be monitored and maintained within manufacturer-recommended ranges for critical equipment." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Fire suppression systems must be in place to protect against damage to IT infrastructure." + } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Datacenter Access and Auditing" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Access logs must be maintained and reviewed periodically to ensure compliance with access control policies." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Annual security assessments must be conducted to evaluate compliance with datacenter security requirements." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Unauthorized access attempts must be reported immediately to security personnel." 
+ } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [ + { "type": "text", "text": "Disaster Recovery and Business Continuity" } + ] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Datacenter facilities must be included in the organization's Business Continuity and Disaster Recovery plans." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Data backups must be stored securely and regularly tested to ensure data recoverability." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Datacenter failover plans must be documented and tested periodically." + } + ] + } + ] + } + ] + } + ] +} diff --git a/packages/data/policies/data_classification.json b/packages/data/policies/data_classification.json new file mode 100644 index 0000000000..ba81805bf6 --- /dev/null +++ b/packages/data/policies/data_classification.json 
@@ -0,0 +1,151 @@ +{ + "type": "doc", + "metadata": { + "id": "data-classification-policy", + "slug": "data-classification-policy", + "name": "Data Classification Policy", + "description": "This policy establishes a framework for classifying data based on sensitivity and defines handling requirements for each classification level.", + "usedBy": { + "soc2": ["C1.1", "C1.2", "C1.3"] + } + }, + "content": [ + { + "type": "heading", + "attrs": { "level": 1 }, + "content": [{ "type": "text", "text": "Data Classification Policy" }] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy Information" }] + }, + { + "type": "table", + "content": [ + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Organization" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Last Review" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Review Frequency" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Approved By" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Classification" }] + } + ] + }, + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{organization}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{date}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Annual" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "CISO" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Restricted" }] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Purpose and Scope" }] + }, + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "This policy establishes the criteria for classifying data into categories (e.g., Public, Internal, Confidential, 
Highly Sensitive) and specifies handling requirements for each category." + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "All data must be classified at the time of creation or receipt." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Classification levels must be defined with corresponding handling, storage, and disposal requirements." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Access to confidential data must be restricted on a need-to-know basis." + } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "References" }] + } + ] +} diff --git a/packages/data/policies/disaster_recovery.json b/packages/data/policies/disaster_recovery.json new file mode 100644 index 0000000000..e644f0de18 --- /dev/null +++ b/packages/data/policies/disaster_recovery.json 
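Review bot: The Policy Information table in this hunk classifies the document as "Restricted", but the Purpose paragraph lists the policy's own categories as Public, Internal, Confidential and Highly Sensitive, so the Data Classification Policy labels itself with a level it does not define. Either use a defined level in that cell, e.g. `"content": [{ "type": "text", "text": "Internal" }]`, or add "Restricted" to the taxonomy in the Purpose paragraph; the other policies in this commit use "Confidential" or "Internal", which are in the list. The closing `"References"` heading has no list beneath it, and the same dangling heading appears in human_resources.json and incident_response.json; either drop the heading or add an `orderedList` of the referenced policies as information_security.json does.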
@@ -0,0 +1,358 @@ +{ + "type": "doc", + "metadata": { + "controls": ["CC9.1", "CC8.1"] + }, + "content": [ + { + "type": "heading", + "attrs": { "level": 1 }, + "content": [{ "type": "text", "text": "Disaster Recovery Policy" }] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy Information" }] + }, + { + "type": "table", + "content": [ + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Organization" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Last Review" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Review Frequency" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Approved By" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Classification" }] + } + ] + }, + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{organization}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{date}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Annual" }] + }, + { + "type": "tableCell", + "content": [ + { "type": "text", "text": "Chief Information Security Officer" } + ] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Confidential" }] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Purpose and Scope" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "The purpose of this policy is to establish a structured approach for disaster recovery (DR) planning to ensure that critical business operations can be resumed in the event of a disruption." 
+ } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "This policy applies to all employees, contractors, and third parties responsible for IT infrastructure, data, and business continuity planning." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "The policy covers disaster recovery procedures for IT systems, applications, network infrastructure, and data." + } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [ + { "type": "text", "text": "Disaster Recovery Planning Requirements" } + ] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "The organization must maintain a Disaster Recovery Plan (DRP) that defines recovery objectives, responsibilities, and procedures to restore operations following a disaster." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "The DRP must identify critical systems, applications, and personnel required for recovery." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) must be established and tested periodically." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Disaster recovery drills and tests must be conducted at least annually to ensure readiness." 
+ } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Backup and Data Protection" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Critical business data must be backed up regularly and stored securely." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Backups must be encrypted and stored in geographically separate locations." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Backup restoration tests must be conducted periodically to verify data integrity and recovery procedures." + } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [ + { "type": "text", "text": "Incident Response and Communication" } + ] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "The organization must have an incident response plan outlining procedures for disaster response and business continuity activation." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "A designated Disaster Recovery Team (DRT) must oversee crisis management and ensure recovery measures are implemented." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Employees must be informed of emergency procedures, including alternative work arrangements if needed." 
+ } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Compliance and Review" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true, "start": 1 }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "The Disaster Recovery Policy must be reviewed annually and updated as necessary." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "The organization must ensure compliance with industry standards and regulatory requirements related to disaster recovery and business continuity." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Non-compliance with this policy may result in corrective actions, including training, enhanced security controls, or disciplinary measures." + } + ] + } + ] + } + ] + } + ] +} diff --git a/packages/data/policies/human_resources.json b/packages/data/policies/human_resources.json new file mode 100644 index 0000000000..9567c9f380 --- /dev/null +++ b/packages/data/policies/human_resources.json 
@@ -0,0 +1,151 @@ +{ + "type": "doc", + "metadata": { + "id": "human-resources-policy", + "slug": "human-resources-policy", + "name": "Human Resources Policy", + "description": "This policy outlines the principles and practices for recruitment, employee management, performance evaluations, and the enforcement of internal control responsibilities.", + "usedBy": { + "soc2": ["CC1.3", "CC1.4"] + } + }, + "content": [ + { + "type": "heading", + "attrs": { "level": 1 }, + "content": [{ "type": "text", "text": "Human Resources Policy" }] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy Information" }] + }, + { + "type": "table", + "content": [ + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Organization" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Last Review" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Review Frequency" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Approved By" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Classification" }] + } + ] + }, + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{organization}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{date}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Annual" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "HR Director" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Internal" }] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Purpose and Scope" }] + }, + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "This policy governs all aspects of human resource management including recruitment, performance 
management, and employee accountability for internal control responsibilities." + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Recruitment processes must include background checks and verification of qualifications for roles with access to sensitive information." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Employees must complete training on internal controls and ethical behavior during onboarding and at regular intervals." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Performance evaluations shall include assessments of adherence to internal control responsibilities." + } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "References" }] + } + ] +} diff --git a/packages/data/policies/incident_response.json b/packages/data/policies/incident_response.json new file mode 100644 index 0000000000..239c5f4298 --- /dev/null +++ b/packages/data/policies/incident_response.json 
@@ -0,0 +1,151 @@ +{ + "type": "doc", + "metadata": { + "id": "incident-response-policy", + "slug": "incident-response-policy", + "name": "Incident Response Policy", + "description": "This policy establishes the framework and procedures for detecting, responding to, and recovering from security incidents.", + "usedBy": { + "soc2": ["CC7.2", "CC7.4", "CC7.5"] + } + }, + "content": [ + { + "type": "heading", + "attrs": { "level": 1 }, + "content": [{ "type": "text", "text": "Incident Response Policy" }] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy Information" }] + }, + { + "type": "table", + "content": [ + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Organization" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Last Review" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Review Frequency" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Approved By" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Classification" }] + } + ] + }, + { + "type": "tableRow", + "content": [ + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{organization}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "{{date}}" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Annual" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "CISO" }] + }, + { + "type": "tableCell", + "content": [{ "type": "text", "text": "Confidential" }] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Purpose and Scope" }] + }, + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "This policy defines the steps for identifying, reporting, and responding to security incidents to minimize impact and restore normal 
operations as quickly as possible." + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "Policy" }] + }, + { + "type": "orderedList", + "attrs": { "tight": true }, + "content": [ + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Establish an Incident Response Team (IRT) with defined roles and responsibilities." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Implement processes for incident detection, reporting, containment, eradication, and recovery." + } + ] + } + ] + }, + { + "type": "listItem", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Conduct regular incident response training and simulation exercises." + } + ] + } + ] + } + ] + }, + { + "type": "heading", + "attrs": { "level": 2 }, + "content": [{ "type": "text", "text": "References" }] + } + ] +} diff --git a/packages/data/policies/information_security.json b/packages/data/policies/information_security.json new file mode 100644 index 0000000000..04e22f2fec --- /dev/null +++ b/packages/data/policies/information_security.json 
@@ -0,0 +1,168 @@
+{
+ "type": "doc",
+ "metadata": {
+ "id": "information-security-policy",
+ "slug": "information-security-policy",
+ "name": "Information Security Policy",
+ "description": "This policy establishes the framework for protecting the organization's information assets by defining security objectives, roles, responsibilities, and controls.",
+ "usedBy": {
+ "soc2": ["CC2.1", "PI1.1", "PI1.2", "PI1.3", "CC5.2"]
+ }
+ },
+ "content": [
+ {
+ "type": "heading",
+ "attrs": { "level": 1 },
+ "content": [{ "type": "text", "text": "Information Security Policy" }]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Policy Information" }]
+ },
+ {
+ "type": "table",
+ "content": [
+ {
+ "type": "tableRow",
+ "content": [
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Organization" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Last Review" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Review Frequency" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Approved By" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Classification" }]
+ }
+ ]
+ },
+ {
+ "type": "tableRow",
+ "content": [
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "{{organization}}" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "{{date}}" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Annual" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "CISO" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Confidential" }]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Purpose and Scope" }]
+ },
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "The purpose of this policy is to protect the confidentiality,
integrity, and availability of information assets by establishing security requirements and responsibilities across the organization. This policy applies to all employees, contractors, and third-party service providers."
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Policy" }]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "All information assets shall be classified and handled according to their sensitivity."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Access to information must be restricted based on role and business need."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Security controls such as encryption, firewalls, and intrusion detection systems must be implemented and regularly tested."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "References" }]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ { "type": "text", "text": "Data Classification Policy" }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/packages/data/policies/privacy.json b/packages/data/policies/privacy.json
new file mode 100644
index 0000000000..afaa99707e
--- /dev/null
+++ b/packages/data/policies/privacy.json
@@ -0,0 +1,151 @@
+{
+ "type": "doc",
+ "metadata": {
+ "id": "privacy-policy",
+ "slug": "privacy-policy",
+ "name": "Privacy Policy",
+ "description": "This policy describes how the organization collects, uses, discloses, and protects personal information in compliance with applicable privacy regulations.",
+ "usedBy": {
+ "soc2": ["P1.1", "P1.2", "P1.3"]
+ }
+ },
+ "content": [
+ {
+ "type": "heading",
+ "attrs": { "level": 1 },
+ "content": [{ "type": "text", "text": "Privacy Policy" }]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Policy Information" }]
+ },
+ {
+ "type": "table",
+ "content": [
+ {
+ "type": "tableRow",
+ "content": [
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Organization" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Last Review" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Review Frequency" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Approved By" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Classification" }]
+ }
+ ]
+ },
+ {
+ "type": "tableRow",
+ "content": [
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "{{organization}}" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "{{date}}" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Annual" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Privacy Officer" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Confidential" }]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Purpose and Scope" }]
+ },
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "This policy outlines the organization’s practices for handling personal data, including collection, processing, retention, and disposal,
to ensure compliance with privacy regulations."
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Policy" }]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Obtain explicit consent prior to collecting personal data where required."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Limit the collection of personal data to what is necessary for business purposes."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Ensure personal data is stored securely and only accessible to authorized personnel."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "References" }]
+ }
+ ]
+}
diff --git a/packages/data/policies/risk_assessment.json b/packages/data/policies/risk_assessment.json
new file mode 100644
index 0000000000..9e2ccb8746
--- /dev/null
+++ b/packages/data/policies/risk_assessment.json
@@ -0,0 +1,301 @@
+{
+ "type": "doc",
+ "metadata": {
+ "controls": ["CC3.2", "CC3.4", "CC8.1"]
+ },
+ "content": [
+ {
+ "type": "heading",
+ "attrs": { "level": 1 },
+ "content": [{ "type": "text", "text": "Risk Assessment Policy" }]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Policy Information" }]
+ },
+ {
+ "type": "table",
+ "content": [
+ {
+ "type": "tableRow",
+ "content": [
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Organization" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Last Review" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Review Frequency" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Approved By" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Classification" }]
+ }
+ ]
+ },
+ {
+ "type": "tableRow",
+ "content": [
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "{{organization}}" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "{{date}}" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Annual" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [
+ { "type": "text", "text": "Chief Information Security Officer" }
+ ]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Confidential" }]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Purpose and Scope" }]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true, "start": 1 },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "The purpose of this policy is to establish a structured approach for identifying, evaluating, and mitigating risks associated with the organization's information systems, operations, and assets."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "This policy applies to all employees, contractors, and third parties responsible for assessing and managing risk within the organization."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Risk assessments must be conducted for all business units, departments, and critical systems to ensure compliance with regulatory and security requirements."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Risk Assessment Process" }]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true, "start": 1 },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "The organization must establish a formal risk assessment methodology that includes identifying assets, assessing threats, determining vulnerabilities, and evaluating impact and likelihood."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "All risks must be documented in a risk register and categorized based on their severity and potential business impact."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Risk assessments must be conducted at least annually and whenever significant changes to systems, processes, or threats occur."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "All identified risks must be assigned an owner responsible for implementing appropriate mitigation measures."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Risk Mitigation Strategies" }]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true, "start": 1 },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "The organization must implement risk mitigation strategies based on the level of identified risk, including risk avoidance, acceptance, transfer, and reduction."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Controls must be implemented to reduce risk to an acceptable level, including security controls, process improvements, and technical safeguards."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Risk treatment plans must be reviewed periodically to ensure continued effectiveness."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Reporting and Review" }]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true, "start": 1 },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Risk assessment results must be reported to senior management and stakeholders to ensure informed decision-making."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Risk management activities must be reviewed and updated periodically to adapt to emerging threats and business changes."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Non-compliance with the risk assessment policy may result in corrective actions, including additional training, enhanced security controls, or disciplinary measures."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/packages/data/policies/risk_management.json b/packages/data/policies/risk_management.json
new file mode 100644
index 0000000000..d5a8fa0dcf
--- /dev/null
+++ b/packages/data/policies/risk_management.json
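Review bot: The `metadata` object of risk_assessment.json carries only `"controls": ["CC3.2", "CC3.4", "CC8.1"]`, whereas the sibling policies in this commit (incident_response, information_security, privacy, risk_management, vendor_risk_management) carry `id`, `slug`, `name`, `description` and `usedBy.soc2`; software_development.json (L220–223) and thirdparty.json (L224–227) have the same shape. Whatever seeds or renders these files keys on one of the two shapes (the loader is not in this chunk), so these three policies will presumably either be skipped or fail to import, and their SOC 2 control mappings would silently never be attached. Bring them onto the common shape, following the visible pattern, e.g. `"id": "risk-assessment-policy"`, `"name": "Risk Assessment Policy"`, `"usedBy": { "soc2": ["CC3.2", "CC3.4", "CC8.1"] }` (constructed from the file's own title and control list), and drop the bare `controls` key.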
@@ -0,0 +1,168 @@
+{
+ "type": "doc",
+ "metadata": {
+ "id": "risk-management-policy",
+ "slug": "risk-management-policy",
+ "name": "Risk Management Policy",
+ "description": "This policy defines the process for identifying, assessing, and mitigating risks to the organization’s objectives and information assets.",
+ "usedBy": {
+ "soc2": ["CC3.1", "CC3.2", "CC3.3", "CC4.2"]
+ }
+ },
+ "content": [
+ {
+ "type": "heading",
+ "attrs": { "level": 1 },
+ "content": [{ "type": "text", "text": "Risk Management Policy" }]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Policy Information" }]
+ },
+ {
+ "type": "table",
+ "content": [
+ {
+ "type": "tableRow",
+ "content": [
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Organization" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Last Review" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Review Frequency" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Approved By" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Classification" }]
+ }
+ ]
+ },
+ {
+ "type": "tableRow",
+ "content": [
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "{{organization}}" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "{{date}}" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Annual" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Risk Committee" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Confidential" }]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Purpose and Scope" }]
+ },
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "This policy establishes the framework and process for identifying, assessing, and mitigating risks that could
impact the organization’s objectives. It applies to all business units and processes."
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Policy" }]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Conduct risk assessments at least annually and whenever significant changes occur."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Document identified risks in a risk register and assign risk owners."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Implement risk mitigation strategies based on the assessed impact and likelihood."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "References" }]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ { "type": "text", "text": "Information Security Policy" }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/packages/data/policies/software_development.json b/packages/data/policies/software_development.json
new file mode 100644
index 0000000000..a026d94e92
--- /dev/null
+++ b/packages/data/policies/software_development.json
@@ -0,0 +1,345 @@
+{
+ "type": "doc",
+ "metadata": {
+ "controls": ["CC6.2", "CC7.1", "CC7.2", "CC8.1"]
+ },
+ "content": [
+ {
+ "type": "heading",
+ "attrs": { "level": 1 },
+ "content": [
+ {
+ "type": "text",
+ "text": "Software Development Lifecycle (SDLC) Policy"
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Policy Information" }]
+ },
+ {
+ "type": "table",
+ "content": [
+ {
+ "type": "tableRow",
+ "content": [
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Organization" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Last Review" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Review Frequency" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Approved By" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Classification" }]
+ }
+ ]
+ },
+ {
+ "type": "tableRow",
+ "content": [
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "{{organization}}" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "{{date}}" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Annual" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [
+ { "type": "text", "text": "Chief Information Security Officer" }
+ ]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Confidential" }]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Purpose and Scope" }]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true, "start": 1 },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "The purpose of this policy is to define a structured Software Development Lifecycle (SDLC) to ensure secure, reliable, and high-quality software development practices."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "This policy applies to all software development teams, including employees, contractors, and third-party developers involved in designing, developing, testing, deploying, and maintaining software for the organization."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "The policy covers all software, including internal applications, customer-facing applications, and third-party integrated software solutions."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [
+ { "type": "text", "text": "Software Development Lifecycle Phases" }
+ ]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true, "start": 1 },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "marks": [{ "type": "bold" }],
+ "text": "1. Planning & Requirements:"
+ }
+ ]
+ },
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Define business, functional, and security requirements before software development begins. Risk assessments must be conducted to identify security concerns early in the process."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "marks": [{ "type": "bold" }],
+ "text": "2. Design & Architecture:"
+ }
+ ]
+ },
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Software design must incorporate security principles, including secure authentication, encryption, and least privilege access controls."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "marks": [{ "type": "bold" }],
+ "text": "3.
Development & Implementation:"
+ }
+ ]
+ },
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Developers must adhere to secure coding practices, including input validation, proper error handling, and protection against known vulnerabilities (e.g., OWASP Top Ten threats)."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "marks": [{ "type": "bold" }],
+ "text": "4. Testing & Validation:"
+ }
+ ]
+ },
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "All software must undergo security, functional, and performance testing before deployment. Automated and manual security testing must be conducted, including penetration testing and code reviews."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "marks": [{ "type": "bold" }],
+ "text": "5. Deployment & Release:"
+ }
+ ]
+ },
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Deployment processes must be documented and follow controlled release cycles. All code must be reviewed and approved before being deployed to production environments."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "marks": [{ "type": "bold" }],
+ "text": "6. Maintenance & Continuous Improvement:"
+ }
+ ]
+ },
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Software must be continuously monitored for vulnerabilities, and security patches must be applied promptly."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [
+ { "type": "text", "text": "Security & Compliance Requirements" }
+ ]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true, "start": 1 },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Secure coding practices must be followed in all phases of development."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Regular security testing must be conducted, including static and dynamic code analysis."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "All software must comply with applicable legal, regulatory, and contractual security requirements."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/packages/data/policies/thirdparty.json b/packages/data/policies/thirdparty.json
new file mode 100644
index 0000000000..64f929434b
--- /dev/null
+++ b/packages/data/policies/thirdparty.json
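Review bot: The six bold phase labels in the "Software Development Lifecycle Phases" list hard-code their own numbers ("1. Planning & Requirements:" through "6. Maintenance & Continuous Improvement:") inside an `orderedList` whose attrs already set `"start": 1`, so a renderer that numbers list items will most likely show each phase twice-numbered ("1. 1. Planning …"); I cannot confirm the renderer's behaviour from this chunk. Drop the leading digits and let the list supply them, e.g. `"text": "Planning & Requirements:"`. No other list in these policy files embeds its own numbering, so this is also the only place the two would drift if a phase is ever inserted or reordered.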
@@ -0,0 +1,298 @@
+{
+ "type": "doc",
+ "metadata": {
+ "controls": ["CC2.3", "CC7.3", "CC8.1"]
+ },
+ "content": [
+ {
+ "type": "heading",
+ "attrs": { "level": 1 },
+ "content": [{ "type": "text", "text": "Third-Party Management Policy" }]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Policy Information" }]
+ },
+ {
+ "type": "table",
+ "content": [
+ {
+ "type": "tableRow",
+ "content": [
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Organization" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Last Review" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Review Frequency" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Approved By" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Classification" }]
+ }
+ ]
+ },
+ {
+ "type": "tableRow",
+ "content": [
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "{{organization}}" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "{{date}}" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Annual" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [
+ { "type": "text", "text": "Chief Information Security Officer" }
+ ]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Confidential" }]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Purpose and Scope" }]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true, "start": 1 },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "This policy defines the rules for relationships with the organization’s Information Technology (IT) third-parties and partners."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "This policy applies to all IT third-parties and partners who can impact the confidentiality, integrity, and availability of the organization’s technology and sensitive information, or who are within the scope of the organization’s information security program."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "This policy applies to all employees and contractors responsible for the management and oversight of IT third-parties and partners of the organization."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Background" }]
+ },
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "The overall security of the organization is highly dependent on the security of its contractual relationships with its IT suppliers and partners. This policy defines requirements for effective management and oversight of such suppliers and partners from an information security perspective. It prescribes minimum security standards third-parties must meet, including security clauses, risk assessments, service level agreements, and incident management."
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "References" }]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true, "start": 1 },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ { "type": "text", "text": "Information Security Policy" }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ { "type": "text", "text": "Security Incident Response Policy" }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Policy" }]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true, "start": 1 },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "IT third-parties are prohibited from accessing the organization’s information security assets until a contract containing security controls is agreed to and signed by the appropriate parties."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "All IT third-parties must comply with the security policies defined in the Information Security Policy."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "All security incidents involving IT third-parties or partners must be documented per the Security Incident Response Policy and immediately reported to the Information Security Manager (ISM)."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "The organization must adhere to the terms of all Service Level Agreements (SLAs) entered into with IT third-parties. As SLAs are updated or new agreements are made, necessary changes or controls must be implemented to maintain compliance."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Before entering into a contract and gaining access to the organization’s information systems, IT third-parties must undergo a risk assessment."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Security risks related to IT third-parties and partners must be identified during the risk assessment process, including risks related to IT third-party supply chains and sub-suppliers."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "IT third-parties and partners must ensure that organizational records are protected, safeguarded, and securely disposed of in accordance with legal, regulatory, and contractual requirements regarding the collection, processing, and transmission of sensitive data such as Personally-Identifiable Information (PII)."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "The organization reserves the right to audit IT third-parties and partners to ensure compliance with applicable security policies, legal requirements, regulatory standards, and contractual obligations."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/packages/data/policies/vendor_risk_management.json b/packages/data/policies/vendor_risk_management.json
new file mode 100644
index 0000000000..fdae5a1ea0
--- /dev/null
+++ b/packages/data/policies/vendor_risk_management.json
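Review bot: The "References" list and the third Policy item in thirdparty.json cite a "Security Incident Response Policy", but the incident response policy added in this same commit is named "Incident Response Policy" (incident_response.json, L208), so the cross-reference points at a document that does not exist under that name. Use the name the referenced file declares, `{ "type": "text", "text": "Incident Response Policy" }`, in both places. The same item also routes incident reports to an "Information Security Manager (ISM)" while every other policy here names the CISO / Chief Information Security Officer as the accountable role, and the "References" section sits before "Policy" whereas the other files place it last; aligning both keeps the policy set internally consistent for whoever maps it to the SOC 2 controls.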
@@ -0,0 +1,151 @@
+{
+ "type": "doc",
+ "metadata": {
+ "id": "vendor-risk-management-policy",
+ "slug": "vendor-risk-management-policy",
+ "name": "Vendor Risk Management Policy",
+ "description": "This policy outlines the criteria and procedures for evaluating, selecting, and monitoring third-party vendors to manage risks associated with external service providers.",
+ "usedBy": {
+ "soc2": ["CC9.2"]
+ }
+ },
+ "content": [
+ {
+ "type": "heading",
+ "attrs": { "level": 1 },
+ "content": [{ "type": "text", "text": "Vendor Risk Management Policy" }]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Policy Information" }]
+ },
+ {
+ "type": "table",
+ "content": [
+ {
+ "type": "tableRow",
+ "content": [
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Organization" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Last Review" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Review Frequency" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Approved By" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Classification" }]
+ }
+ ]
+ },
+ {
+ "type": "tableRow",
+ "content": [
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "{{organization}}" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "{{date}}" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Annual" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Procurement" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Restricted" }]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Purpose and Scope" }]
+ },
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "This policy establishes guidelines for evaluating and managing risks associated with vendors and third-party service providers."
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Policy" }]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Conduct risk assessments for all vendors prior to engagement."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Maintain ongoing monitoring and periodic reassessment of vendor risk."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Include appropriate security and compliance requirements in vendor contracts."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "References" }]
+ }
+ ]
+}
diff --git a/packages/data/policies/workstation.json b/packages/data/policies/workstation.json
new file mode 100644
index 0000000000..bba6865b43
--- /dev/null
+++ b/packages/data/policies/workstation.json
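Review bot: The `metadata` block here (`id`, `slug`, `name`, `description`, `usedBy.soc2`) has a different shape from `workstation.json` added in the same commit, which carries only `metadata.controls`; whichever shape the policy loader expects (not visible in this diff), one of the two files will not be indexed or mapped to its SOC 2 controls the same way, so the two should be reconciled to a single schema. The trailing "References" heading has no list beneath it, unlike the third-party policy above which enumerates the policies it depends on; either remove the empty heading or list the referenced policies. The `orderedList` also omits `"start": 1`, which the sibling files set — harmless, but worth aligning. On content, the policy says nothing about revoking vendor access when an engagement ends or requiring vendors to report security incidents affecting the organization's data; both are routine auditor questions under CC9.2 and would be natural additional list items.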
@@ -0,0 +1,373 @@
+{
+ "type": "doc",
+ "metadata": {
+ "controls": ["CC6.2", "CC6.7", "CC7.2"]
+ },
+ "content": [
+ {
+ "type": "heading",
+ "attrs": { "level": 1 },
+ "content": [{ "type": "text", "text": "Workstation Policy" }]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Policy Information" }]
+ },
+ {
+ "type": "table",
+ "content": [
+ {
+ "type": "tableRow",
+ "content": [
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Organization" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Last Review" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Review Frequency" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Approved By" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Classification" }]
+ }
+ ]
+ },
+ {
+ "type": "tableRow",
+ "content": [
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "{{organization}}" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "{{date}}" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Annual" }]
+ },
+ {
+ "type": "tableCell",
+ "content": [
+ { "type": "text", "text": "Chief Information Security Officer" }
+ ]
+ },
+ {
+ "type": "tableCell",
+ "content": [{ "type": "text", "text": "Confidential" }]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Purpose and Scope" }]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true, "start": 1 },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "This policy defines best practices to reduce the risk of data loss or exposure through workstations."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "This policy applies to all employees and contractors using workstations."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Workstations are defined as all company-owned and personal devices containing company data."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 2 },
+ "content": [{ "type": "text", "text": "Policy" }]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 3 },
+ "content": [{ "type": "text", "text": "Workstation Device Requirements" }]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true, "start": 1 },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Operating systems must be no more than one generation older than the current version."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Devices must be encrypted at rest to protect company data."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Devices must be locked when not in use or when an employee leaves the workstation."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Workstations must be used for authorized business purposes only."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Loss or destruction of devices must be reported immediately to IT."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Laptops and desktop devices must run the latest version of IT-approved antivirus software."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 3 },
+ "content": [{ "type": "text", "text": "Desktop & Laptop Devices" }]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true, "start": 1 },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Employees will be issued a desktop, laptop, or both based on their job duties."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Contractors must provide their own laptops."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Desktops and laptops must operate on macOS or Windows."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 3 },
+ "content": [{ "type": "text", "text": "Mobile Devices" }]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true, "start": 1 },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Mobile devices must be operated as defined in the Removable Media Policy, Cloud Storage Policy, and Bring Your Own Device (BYOD) Policy."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Mobile devices must operate on iOS or Android."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Company data may only be accessed on mobile devices using Slack and Gmail."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "heading",
+ "attrs": { "level": 3 },
+ "content": [{ "type": "text", "text": "Removable Media" }]
+ },
+ {
+ "type": "orderedList",
+ "attrs": { "tight": true, "start": 1 },
+ "content": [
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Removable media must be used as defined in the Removable Media Policy, Cloud Storage Policy, and Bring Your Own Device (BYOD) Policy."
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "type": "listItem",
+ "content": [
+ {
+ "type": "paragraph",
+ "content": [
+ {
+ "type": "text",
+ "text": "Removable media is permitted on approved devices as long as it does not conflict with other policies."
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
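Review bot: `metadata` in this file carries only `controls` and has no `id`, `slug`, `name` or `description`, whereas `vendor_risk_management.json` in the same commit uses those fields plus `usedBy.soc2`; if the policy loader keys entries by `metadata.id`/`slug` (not visible in this diff), this policy cannot be addressed or de-duplicated, so it should adopt the same shape, e.g. `"id": "workstation-policy", "slug": "workstation-policy", "name": "Workstation Policy"`. The mobile-device item "Company data may only be accessed on mobile devices using Slack and Gmail" hard-codes two vendor products into an otherwise templated document (`{{organization}}`, `{{date}}`); it should read "IT-approved applications" or use a placeholder so every tenant does not inherit an inaccurate, unenforceable control. The device requirements also lack a screen-lock timeout, any MDM enrollment or remote-wipe requirement, and a statement of which rules bind contractors' self-supplied laptops even though the scope explicitly includes personal devices holding company data; if these are meant to be evidenced under CC6.7, they need to be written down here.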