Claude-skill-registry compliance-report-builder
Compliance reporting expert. Use for SOX, GDPR, HIPAA and SOC 2 audits and for compliance documentation.
install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/compliance-report-builder" ~/.claude/skills/majiayu000-claude-skill-registry-compliance-report-builder && rm -rf "$T"
manifest:
skills/data/compliance-report-builder/SKILL.md
source content
Compliance Report Builder
Expert in regulatory compliance documentation and reporting.
Core principles
Evidence-Based Documentation
- Controls must be linked to specific artifacts
- Audit trail with timestamps and accountable owners
- Quantitative metrics for preventive and detective measures
Risk-Oriented Approach
- Prioritize high-risk areas
- Map controls to threat vectors
- Document residual risk
Regulatory Alignment
- Tie each requirement to the specific article or clause of the regulation
- Guidance for ambiguous standards
- Documentation of compensating controls
Executive Summary Template
```markdown
# Compliance Status Report

**Period:** Q4 2024
**Prepared:** 2024-12-10
**Classification:** Confidential

## Overall Status: 🟡 YELLOW

### Coverage Summary

| Framework | Controls | Compliant | Gaps | Coverage |
|-----------|----------|-----------|------|----------|
| SOC 2     | 85       | 79        | 6    | 93%      |
| GDPR      | 42       | 40        | 2    | 95%      |
| ISO 27001 | 114      | 108       | 6    | 95%      |

### Key Findings

| Priority | Count | Trend |
|----------|-------|-------|
| Critical | 0     | ⬇️    |
| High     | 3     | ➡️    |
| Medium   | 8     | ⬆️    |
| Low      | 12    | ➡️    |

### Action Items

1. [CRITICAL] None
2. [HIGH] Complete MFA rollout by Jan 15
3. [HIGH] Update data retention policy
4. [HIGH] Implement logging for System X
```
Control Assessment Framework
```yaml
Control:
  ID: AC-001
  Title: Access Control Policy
  Framework: SOC 2, ISO 27001
  Category: Security

Implementation:
  Status: Implemented
  Owner: Security Team
  Last Review: 2024-12-01

Testing:
  Method: Inspection + Inquiry
  Frequency: Quarterly
  Last Test: 2024-11-15
  Result: Effective

Evidence:
  - Policy document v2.3
  - Access review logs
  - Training completion records

Gaps:
  - None identified

Recommendations:
  - Automate quarterly access reviews
```
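The evidence-based principles above (controls tied to artifacts, timestamps and owners, quantitative coverage) only pay off if something actually checks the control records before the report is assembled. The following is an added example, not part of the skill's own files: it takes control records in the shape of the YAML template, verifies that each control has an owner, is implemented, has evidence artifacts whose SHA-256 still matches the hash recorded at capture time, and was tested effectively within its stated frequency, then rolls the result up into the per-framework Controls / Compliant / Gaps / Coverage numbers used by the executive summary table. The artifact contents, control IDs other than AC-001, the `FREQUENCY_DAYS` thresholds and the `AS_OF` date are constructed for the example.

```python
import hashlib
from datetime import date

# Maximum age (days) of the last test before a control with the given
# testing frequency counts as stale (thresholds assumed for this example).
FREQUENCY_DAYS = {"Monthly": 31, "Quarterly": 92, "Semi-annual": 183, "Annual": 366}

# Report date used for the staleness check (the template above is dated 2024-12-10).
AS_OF = date(2024, 12, 10)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifact store (name -> bytes) standing in for the evidence repository.
ARTIFACTS = {
    "access-control-policy-v2.3.md": b"# Access Control Policy v2.3\nAll access is role-based.\n",
    "q4-2024-access-review.csv": b"user,reviewer,decision,date\nalice,bob,retain,2024-11-15\n",
    "training-completion.csv": b"user,course,completed\nalice,security-101,2024-10-02\n",
}

# Constructed control records in the shape of the assessment template above. Each
# evidence entry carries the SHA-256 of the artifact at capture time, so a later
# change to the artifact is detectable.
CONTROLS = [
    {
        "id": "AC-001", "title": "Access Control Policy",
        "frameworks": ["SOC 2", "ISO 27001"], "owner": "Security Team",
        "status": "Implemented",
        "testing": {"frequency": "Quarterly", "last_test": "2024-11-15", "result": "Effective"},
        "evidence": [
            {"artifact": "access-control-policy-v2.3.md", "captured": "2024-11-15",
             "sha256": sha256_hex(ARTIFACTS["access-control-policy-v2.3.md"])},
            {"artifact": "q4-2024-access-review.csv", "captured": "2024-11-15",
             "sha256": sha256_hex(ARTIFACTS["q4-2024-access-review.csv"])},
        ],
    },
    {   # Stale test, and an artifact whose current hash differs from the captured one.
        "id": "HR-003", "title": "Security Awareness Training",
        "frameworks": ["SOC 2"], "owner": "People Team", "status": "Implemented",
        "testing": {"frequency": "Quarterly", "last_test": "2024-06-30", "result": "Effective"},
        "evidence": [{"artifact": "training-completion.csv", "captured": "2024-06-30",
                      "sha256": "0" * 64}],
    },
    {   # Planned control with no owner and no evidence (the System X logging gap).
        "id": "LG-002", "title": "Centralized Logging for System X",
        "frameworks": ["SOC 2", "ISO 27001"], "owner": "", "status": "Planned",
        "testing": {"frequency": "Quarterly", "last_test": None, "result": None},
        "evidence": [],
    },
]


def assess_control(control: dict, artifacts: dict, as_of: date) -> list:
    """Return the reasons a control record is not audit-ready (empty list = ready)."""
    issues = []
    if not control["owner"]:
        issues.append("no owner")
    if control["status"] != "Implemented":
        issues.append(f"status {control['status']}")
    if not control["evidence"]:
        issues.append("no evidence")
    for ev in control["evidence"]:
        data = artifacts.get(ev["artifact"])
        if data is None:
            issues.append(f"missing artifact {ev['artifact']}")
        elif sha256_hex(data) != ev["sha256"]:  # artifact changed after capture
            issues.append(f"hash mismatch {ev['artifact']}")
    test = control["testing"]
    if test["last_test"] is None:
        issues.append("never tested")
    else:
        age = (as_of - date.fromisoformat(test["last_test"])).days
        if age > FREQUENCY_DAYS[test["frequency"]]:
            issues.append(f"test stale ({age} days)")
        if test["result"] != "Effective":
            issues.append(f"test result {test['result']}")
    return issues


def coverage_summary(controls: list, artifacts: dict, as_of: date) -> dict:
    """Per-framework Controls / Compliant / Gaps / Coverage, the numbers behind
    the Coverage Summary table in the executive summary template."""
    summary = {}
    for control in controls:
        compliant = not assess_control(control, artifacts, as_of)
        for framework in control["frameworks"]:
            row = summary.setdefault(framework, {"controls": 0, "compliant": 0, "gaps": 0})
            row["controls"] += 1
            row["compliant" if compliant else "gaps"] += 1
    for row in summary.values():
        row["coverage"] = round(100 * row["compliant"] / row["controls"])
    return summary


if __name__ == "__main__":
    for control in CONTROLS:
        print(control["id"], assess_control(control, ARTIFACTS, AS_OF) or "OK")
    print(coverage_summary(CONTROLS, ARTIFACTS, AS_OF))
```

A control counts as compliant only when every check passes, so a single tampered or missing artifact drops it into the Gaps column rather than silently lowering a score; that is the behaviour an auditor expects when they re-perform the check against the same evidence store.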
SOC 2 Trust Services
```markdown
## Security (Common Criteria)

### CC1: Control Environment

| Control | Description                        | Status | Evidence      |
|---------|------------------------------------|--------|---------------|
| CC1.1   | Integrity and ethical values       | ✅     | Policy docs   |
| CC1.2   | Board oversight                    | ✅     | Board minutes |
| CC1.3   | Organizational structure           | ✅     | Org chart     |
| CC1.4   | Competence and HR practices        | ✅     | HR policies   |

### CC2: Communication and Information

| Control | Description            | Status | Evidence           |
|---------|------------------------|--------|--------------------|
| CC2.1   | Information quality    | ✅     | Data governance    |
| CC2.2   | Internal communication | ✅     | Slack, email logs  |
| CC2.3   | External communication | ✅     | Customer portal    |

### CC3: Risk Assessment

| Control | Description                          | Status | Evidence           |
|---------|--------------------------------------|--------|--------------------|
| CC3.1   | Objectives specified for risk assessment | ✅ | Risk assessment    |
| CC3.2   | Risk identification and analysis     | ✅     | Risk register      |
| CC3.3   | Fraud risk                           | ✅     | Fraud controls     |
| CC3.4   | Changes affecting internal control   | ⚠️     | Partial automation |
```
GDPR Checklist
```markdown
Article 30 - Records of Processing:
- [ ] Processing purposes documented
- [ ] Data categories listed
- [ ] Recipient categories identified
- [ ] Transfer safeguards documented
- [ ] Retention periods defined
- [ ] Security measures described

Article 13/14 - Privacy Notices:
- [ ] Controller identity stated
- [ ] DPO contact provided (where a DPO is designated)
- [ ] Purposes explained
- [ ] Legal basis identified
- [ ] Rights information included
- [ ] Complaint procedure described

Article 17 - Right to Erasure:
- [ ] Process documented
- [ ] Timeframes defined (one month under Art. 12(3), extendable by two further months for complex requests)
- [ ] Exceptions listed (Art. 17(3))
- [ ] Verification procedure
- [ ] Third-party notification (Art. 19)

Article 33/34 - Breach Notification:
- [ ] Detection procedures
- [ ] Assessment criteria
- [ ] 72-hour notification to the supervisory authority (Art. 33)
- [ ] DPA contact established
- [ ] Data subject notification criteria for high-risk breaches (Art. 34)
```
Risk Assessment Matrix
```javascript
const riskMatrix = {
  likelihood: {
    rare: 1,      // < 5%
    unlikely: 2,  // 5-25%
    possible: 3,  // 25-50%
    likely: 4,    // 50-75%
    certain: 5    // > 75%
  },
  impact: {
    negligible: 1, // < $10k
    minor: 2,      // $10k-$100k
    moderate: 3,   // $100k-$1M
    major: 4,      // $1M-$10M
    severe: 5      // > $10M
  },
  calculateRisk(likelihood, impact) {
    const score = likelihood * impact;
    if (score >= 15) return 'Critical';
    if (score >= 10) return 'High';
    if (score >= 5) return 'Medium';
    return 'Low';
  }
};
```
Finding Classification
```yaml
Critical:
  Response: 24-48 hours
  Escalation: Executive + Board
  Examples:
    - Active data breach
    - Regulatory violation with penalties
    - System-wide security failure

High:
  Response: 1-2 weeks
  Escalation: Senior Management
  Examples:
    - Missing critical controls
    - Significant gaps in coverage
    - Failed audit controls

Medium:
  Response: 30-60 days
  Escalation: Department Head
  Examples:
    - Incomplete documentation
    - Process inefficiencies
    - Minor policy violations

Low:
  Response: 90 days
  Escalation: Control Owner
  Examples:
    - Optimization opportunities
    - Documentation updates
    - Training gaps
```
Gap Analysis Template
```markdown
## Gap Analysis: [Control Area]

### Current State
[Description of current implementation]

### Required State
[Regulatory requirement or best practice]

### Gap Description
[Specific gaps identified]

### Risk Assessment
- Likelihood: [1-5]
- Impact: [1-5]
- Risk Score: [calculated]
- Risk Level: [Critical/High/Medium/Low]

### Remediation Plan

| Action   | Owner | Due Date | Status      |
|----------|-------|----------|-------------|
| Action 1 | Name  | Date     | In Progress |
| Action 2 | Name  | Date     | Pending     |

### Success Metrics
- [ ] Metric 1
- [ ] Metric 2
```
Audit Sampling
```python
import math


def calculate_sample_size(population: int, confidence: float = 0.95,
                          margin_error: float = 0.05) -> int:
    """
    Calculate statistical sample size for audit testing.

    Uses the standard formula for estimating a proportion with p = 0.5
    (the most conservative assumption) and applies the finite population
    correction.

    Args:
        population: Total population size
        confidence: Confidence level (0.90, 0.95 or 0.99)
        margin_error: Acceptable margin of error (default 5%)

    Returns:
        Required sample size
    """
    # Z-score for confidence level; reject unsupported values instead of
    # silently falling back to 95%
    z_scores = {0.90: 1.645, 0.95: 1.96, 0.99: 2.576}
    if confidence not in z_scores:
        raise ValueError(f"unsupported confidence level: {confidence}")
    z = z_scores[confidence]

    # Assume 50% response distribution for max sample
    p = 0.5

    # Sample size formula
    n = (z**2 * p * (1 - p)) / (margin_error**2)

    # Finite population correction (only material below ~10,000 items)
    if population < 10000:
        n = n / (1 + (n - 1) / population)

    return math.ceil(n)


# Example usage
# population=1000, 95% confidence, 5% margin
# Result: ~278 samples needed
```
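The function above answers "how many items do I need to estimate a rate to within ±5%". Two further pieces are needed before the result can go into an audit workpaper: the selection itself has to be reproducible so a reviewer can re-perform it, and the test result has to be evaluated as attribute sampling (is the population deviation rate below the tolerable rate at the chosen confidence?), which is a different question from the margin-of-error one. The block below is an added example, not part of the skill: `select_sample` seeds the PRNG from a recorded engagement string, and `upper_deviation_bound` computes the exact one-sided Clopper-Pearson upper bound on the deviation rate. The ticket population, the seed string and the tolerable rate are constructed for the example.

```python
import math
import random


def select_sample(population_ids, sample_size: int, seed: str) -> list:
    """Draw a reproducible random sample from a control population.

    The seed (for example "<engagement>-<period>-<control>") is recorded in the
    workpapers; the same population export and seed always give the same
    selection. The population is sorted and de-duplicated first so the result
    does not depend on the order of the export.
    """
    ids = sorted(set(population_ids))
    if sample_size > len(ids):
        raise ValueError("sample size exceeds population")
    rng = random.Random(seed)  # str seeds are hashed with SHA-512, not hash()
    return sorted(rng.sample(ids, sample_size))


def upper_deviation_bound(n: int, deviations: int, confidence: float = 0.95) -> float:
    """Exact one-sided upper bound on the population deviation rate.

    Smallest rate p for which seeing at most `deviations` in n items has
    probability <= 1 - confidence (Clopper-Pearson), found by bisection.
    With zero deviations this is 1 - (1 - confidence) ** (1 / n).
    """
    alpha = 1.0 - confidence

    def prob_at_most(p: float) -> float:
        return sum(math.comb(n, k) * p**k * (1 - p) ** (n - k)
                   for k in range(deviations + 1))

    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if prob_at_most(mid) > alpha:
            lo = mid  # rate `mid` is still consistent with the observation
        else:
            hi = mid
    return hi


def evaluate_sample(n: int, deviations: int, tolerable_rate: float,
                    confidence: float = 0.95) -> dict:
    """Attribute-sampling conclusion: the control is supported as operating
    effectively when the upper bound on the deviation rate is within the
    tolerable rate at the chosen confidence."""
    upper = upper_deviation_bound(n, deviations, confidence)
    return {
        "sample_size": n,
        "deviations": deviations,
        "observed_rate": deviations / n,
        "upper_bound": round(upper, 4),
        "tolerable_rate": tolerable_rate,
        "supported": upper <= tolerable_rate,
    }


if __name__ == "__main__":
    # Constructed population: 1,000 change tickets for the quarter.
    tickets = [f"CHG-{i:04d}" for i in range(1, 1001)]
    print(select_sample(tickets, 29, "soc2-2024-q4-CM-004"))
    # 25 items with no deviations do not support a 10% tolerable rate at 95%
    # confidence; 29 items do, which is the value in the usual
    # attribute-sampling tables (5% risk, 0% expected, 10% tolerable).
    print(evaluate_sample(25, 0, 0.10))
    print(evaluate_sample(29, 0, 0.10))
```

Record the seed, the population export hash and the resulting ID list together; a reviewer who re-runs `select_sample` with the same inputs and gets a different list knows the population changed, not the selection.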
Continuous Monitoring
```yaml
Real-time Dashboards:
  - Control effectiveness scores
  - Compliance coverage %
  - Open findings count
  - Risk heat map

Automated Alerts:
  Critical:
    - Failed security controls
    - Unauthorized access attempts
    - Data breach indicators
  Warning:
    - Controls approaching expiry
    - Overdue remediations
    - Anomaly detection triggers

Reporting Cadence:
  Daily: Critical events
  Weekly: Status summary
  Monthly: Detailed report
  Quarterly: Executive review
  Annually: Full assessment
```
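The risk matrix, the finding classification and the "overdue remediations" alert above are three views of one pipeline: score the finding, derive its severity and response window, then watch the clock. The block below is an added example, not part of the skill, that wires them together in Python: `risk_level` uses the same thresholds as `riskMatrix.calculateRisk`, `triage` turns the response windows from the Finding Classification into due dates and escalation targets, and `alerts` produces the Critical / Warning alert lists of the Continuous Monitoring section. The findings, the `NOW` timestamp and the seven-day "approaching due" window are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Upper end of each response window from the Finding Classification above.
RESPONSE_WINDOW = {
    "Critical": timedelta(hours=48),
    "High": timedelta(weeks=2),
    "Medium": timedelta(days=60),
    "Low": timedelta(days=90),
}
ESCALATION = {
    "Critical": "Executive + Board",
    "High": "Senior Management",
    "Medium": "Department Head",
    "Low": "Control Owner",
}

# Report timestamp used below (constructed).
NOW = datetime(2024, 12, 10, 12, 0, tzinfo=timezone.utc)

# Constructed findings; likelihood/impact use the 1-5 scales of the risk matrix.
FINDINGS = [
    {"id": "FND-2024-042", "title": "MFA not enforced for admin accounts",
     "likelihood": 3, "impact": 4, "identified": "2024-12-10T09:00:00+00:00", "closed": None},
    {"id": "FND-2024-031", "title": "Data retention policy outdated",
     "likelihood": 3, "impact": 3, "identified": "2024-10-01T00:00:00+00:00", "closed": None},
    {"id": "FND-2024-018", "title": "Credentials exposed in public repository",
     "likelihood": 5, "impact": 5, "identified": "2024-09-01T08:00:00+00:00",
     "closed": "2024-09-02T20:00:00+00:00"},
    {"id": "FND-2024-040", "title": "Runbook missing version history",
     "likelihood": 2, "impact": 2, "identified": "2024-12-01T00:00:00+00:00", "closed": None},
    {"id": "FND-2024-044", "title": "System X audit logging disabled",
     "likelihood": 4, "impact": 4, "identified": "2024-12-09T10:00:00+00:00", "closed": None},
]


def risk_level(likelihood: int, impact: int) -> str:
    """Same thresholds as riskMatrix.calculateRisk above, with input validation."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be 1-5")
    score = likelihood * impact
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def triage(finding: dict, now: datetime) -> dict:
    """Attach level, due date, escalation target and SLA status to a finding."""
    level = risk_level(finding["likelihood"], finding["impact"])
    identified = datetime.fromisoformat(finding["identified"])
    due = identified + RESPONSE_WINDOW[level]
    closed = datetime.fromisoformat(finding["closed"]) if finding["closed"] else None
    if closed is not None:
        status = "closed-on-time" if closed <= due else "closed-late"
    elif now > due:
        status = "overdue"
    else:
        status = "open"
    return {"id": finding["id"], "level": level, "due": due,
            "escalate_to": ESCALATION[level], "status": status}


def alerts(findings: list, now: datetime) -> dict:
    """Alerts in the shape of the Continuous Monitoring section: an open Critical
    finding alerts immediately; overdue or soon-due remediations raise a warning."""
    out = {"critical": [], "warning": []}
    for finding in findings:
        t = triage(finding, now)
        if t["status"].startswith("closed"):
            continue
        if t["level"] == "Critical":
            out["critical"].append(t["id"])
        if t["status"] == "overdue":
            out["warning"].append((t["id"], f"remediation overdue by {(now - t['due']).days} days"))
        elif t["due"] - now <= timedelta(days=7):
            out["warning"].append((t["id"], f"due within 7 days ({t['due'].date()})"))
    return out


def open_counts_by_level(findings: list, now: datetime) -> dict:
    """Open findings per priority: the Count column of the Key Findings table."""
    counts = {level: 0 for level in RESPONSE_WINDOW}
    for finding in findings:
        t = triage(finding, now)
        if not t["status"].startswith("closed"):
            counts[t["level"]] += 1
    return counts


if __name__ == "__main__":
    for finding in FINDINGS:
        print(triage(finding, NOW))
    print(alerts(FINDINGS, NOW))
    print(open_counts_by_level(FINDINGS, NOW))
```

Closed findings keep their `closed-late` status rather than disappearing, so the quarterly report can still show how often the response windows were actually met.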
Report Templates
Finding Report
```markdown
# Finding Report

**ID:** FND-2024-042
**Date:** 2024-12-10
**Severity:** High

## Summary
[One-sentence description]

## Background
[Context and relevant history]

## Finding Details
[Technical details of the issue]

## Impact Assessment
- Business Impact: [description]
- Regulatory Impact: [description]
- Reputational Impact: [description]

## Root Cause
[Why this happened]

## Recommendation
[Specific remediation steps]

## Management Response
[Owner's response and commitment]

## Timeline

| Milestone          | Date       | Status   |
|--------------------|------------|----------|
| Finding identified | 2024-12-10 | Complete |
| Remediation plan   | 2024-12-15 | Pending  |
| Implementation     | 2025-01-15 | Pending  |
| Verification       | 2025-01-30 | Pending  |
```
Best practices
- Evidence first: every control must have supporting evidence
- Risk-based prioritization: focus on high-risk areas
- Continuous monitoring: don't wait for the annual audit
- Clear ownership: every control has an accountable owner
- Regular testing: verify operating effectiveness, not just design
- Documentation discipline: versioning and an audit trail