Skip to content

Governance pack generation #5

Description

@mrmez

Overview

Extend AuditKit beyond technical scanning to generate complete governance documentation (policies, standards, procedures) that maps directly to technical controls and evidence, eliminating "Excel merge week" during audits.

Problem Statement

As highlighted by community feedback from an ex-auditor:

"Auditors don't just ask 'did you scan?', they ask 'show me the policy, the standard, the procedure, and the evidence that it's enforced.' Right now that lives in a mess of Google Docs, Confluence, and screenshots."

Technical compliance scanning is only 30% of audit prep. The other 70% is documentation that proves:

  1. You have policies defining security requirements
  2. You have standards implementing those policies
  3. You have procedures showing how to execute
  4. Your technical controls actually enforce the above

Proposed Solution

Phase 1: Control Mapping Layer (Priority: HIGH - v0.7.0)

  • Create bidirectional mapping: Technical checks ↔ Compliance requirements ↔ Policy sections
  • Generate control traceability matrix
  • Link evidence to specific policy requirements

Example:

# /mappings/soc2_cc6_3.yaml
control: CC6.3
name: "Encryption at Rest"
description: "The entity encrypts data at rest"

technical_checks:
  - aws.s3.encryption
  - azure.storage.encryption  
  - scubagear.MS.SHAREPOINT.1.2

policy_requirements:
  - "All data at rest must be encrypted using AES-256 or stronger"
  - "Encryption keys must be rotated annually"
  - "Key management must follow principle of least privilege"

evidence_required:
  - screenshot: "S3 bucket encryption settings"
  - screenshot: "KMS key rotation configuration"
  - document: "Key management procedure"

Phase 2: Policy Generation (Priority: MEDIUM - v0.8.0)

  • Policy templates with organization-specific placeholders
  • Standards documents with technical specifications
  • Procedure documents with step-by-step instructions
  • Auto-populate from scan results where possible

Example usage:

# Initialize governance docs for your stack
auditkit docs init \
  --framework soc2 \
  --providers aws,azure \
  --integrations scubagear \
  --org "Acme Corp" \
  --data-retention 90 \
  --key-rotation 365

# Generate complete audit package
auditkit report --unified --include-governance --output audit-package/

Phase 3: Complete Audit Binder (Priority: LOW - Future)

  • Management assertions
  • System descriptions
  • CUEC (Complementary User Entity Controls)
  • Risk assessment templates
  • Evidence index with checksums

Technical Implementation

Architecture

/docpacks/
├── base/                          # Framework-agnostic templates
│   ├── policies/
│   │   ├── information_security.md
│   │   ├── access_control.md
│   │   ├── encryption.md
│   │   ├── logging_monitoring.md
│   │   ├── incident_response.md
│   │   ├── change_management.md
│   │   ├── vendor_risk.md
│   │   └── bcdr.md
│   ├── standards/
│   │   ├── technical_standards.yaml
│   │   └── operational_standards.yaml
│   └── procedures/
│       └── evidence_collection.md
├── soc2/                          # SOC2-specific additions
│   ├── control_matrix.yaml
│   └── cuecs.md
├── pci/                           # PCI-specific requirements
│   ├── control_matrix.yaml
│   └── network_diagram_template.md
└── iso27001/                      # ISO-specific
    └── statement_of_applicability.md

/pkg/governance/
├── generator.go                  # Document generation engine
├── mapper.go                      # Control↔Policy↔Evidence mapping
├── templates.go                   # Template processing
└── variables.go                   # Organization variables

Policy Template Example

<!-- /docpacks/base/policies/encryption.md -->
# {{ORG_NAME}} Encryption Policy

**Document ID:** POL-SEC-003  
**Version:** {{VERSION}}  
**Effective Date:** {{EFFECTIVE_DATE}}  
**Owner:** {{CISO_NAME}}  
**Classification:** {{CLASSIFICATION}}

## 1. Purpose
This policy establishes requirements for protecting {{ORG_NAME}} information through encryption.

## 2. Scope
This policy applies to all {{ORG_NAME}} systems processing {{DATA_CLASSIFICATIONS}}.

## 3. Policy Statements

### 3.1 Encryption at Rest
- All {{SENSITIVE_DATA_TYPES}} MUST be encrypted at rest
- Minimum encryption standard: {{MIN_ENCRYPTION_STANDARD}}
- Key length: {{MIN_KEY_LENGTH}} bits minimum

**Technical Implementation:** {{LINK:aws.s3.encryption,azure.storage.encryption}}  
**Last Validated:** {{LAST_SCAN_DATE}}  
**Compliance Status:** {{COMPLIANCE_STATUS:CC6.3}}

### 3.2 Encryption in Transit
- All data transmission MUST use TLS {{MIN_TLS_VERSION}} or higher
- Deprecated protocols (SSL, TLS 1.0, TLS 1.1) are PROHIBITED

**Technical Implementation:** {{LINK:aws.elb.tls,azure.appgw.ssl}}  
**Last Validated:** {{LAST_SCAN_DATE}}  
**Compliance Status:** {{COMPLIANCE_STATUS:CC6.3}}

### 3.3 Key Management
- Encryption keys MUST be rotated every {{KEY_ROTATION_DAYS}} days
- Key material MUST NOT be stored with encrypted data
- Keys MUST be managed using {{KMS_SOLUTION}}

## 4. Compliance Mapping
- SOC2: CC6.3, CC6.7
- PCI-DSS: 3.4, 3.4.1, 4.1
- ISO 27001: A.10.1

## 5. Exceptions
Exceptions must be approved by {{APPROVAL_ROLE}} and documented in {{GRC_SYSTEM}}.

## 6. Enforcement
Non-compliance will be automatically detected via AuditKit scans and reported to {{SECURITY_TEAM}}.

Variables Configuration

# /templates/variables.yaml
organization:
  ORG_NAME: "Acme Corp"
  CISO_NAME: "Jane Smith"
  SECURITY_TEAM: "security@acme.com"

technical:
  MIN_ENCRYPTION_STANDARD: "AES-256"
  MIN_KEY_LENGTH: 256
  MIN_TLS_VERSION: "1.2"
  KEY_ROTATION_DAYS: 365
  KMS_SOLUTION: "AWS KMS"

compliance:
  DATA_CLASSIFICATIONS: ["PII", "PCI", "Confidential"]
  SENSITIVE_DATA_TYPES: ["customer data", "payment information", "employee records"]

systems:
  GRC_SYSTEM: "ServiceNow GRC"
  APPROVAL_ROLE: "Chief Information Security Officer"

Success Criteria

  • Generate policy documents that reference actual technical controls
  • Technical scan results auto-populate compliance status in policies
  • Control matrix maps every check to framework requirements
  • Evidence collection links to specific policy sections
  • Reduce audit prep time by 70%

Acceptance Testing

  1. Document Generation

    • Generate full policy set for SOC2
    • Variables properly replaced
    • Technical controls linked correctly
  2. Mapping Accuracy

    • Every technical check maps to policy section
    • Every policy requirement has technical validation
    • Evidence requirements clearly defined
  3. Auditor Review

    • Get feedback from actual auditors
    • Validate against real audit requirements
    • Ensure format matches expectations

Risk Considerations

⚠️ Legal Disclaimer Required

  • Templates are examples only
  • Organizations must review and customize
  • Not legal advice
  • No guarantee of compliance

Community Contribution

Looking for help with:

  • Policy template contributions
  • Control mapping validation
  • Auditor feedback on format
  • Industry-specific requirements (HIPAA, FedRAMP)

Monetization Potential

  • Free Tier: Basic templates, community-maintained
  • Pro Tier: Industry-specific templates, quarterly updates
  • Enterprise: Custom templates, audit support

Related Issues

  • #[TBD] - ScubaGear integration
  • #[TBD] - Plugin architecture
  • #[TBD] - Evidence orchestration

Labels: enhancement, documentation, help-wanted
Milestone: v0.8.0 (Phase 2)

Metadata

Metadata

Assignees

Labels

enhancementNew feature or requesthelp wantedExtra attention is needed

Fields

No fields configured for Feature.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions