MCP Hub

compliance-report-builder

Author: majiayu000
Updated: Today
19 views
View on GitHub
Tags: meta, design

About

This Claude skill helps developers generate compliance documentation aligned with standards such as SOX, GDPR, HIPAA and SOC 2. It produces evidence-based reports with risk-oriented controls, audit trails and regulatory mappings. Use it to automate and structure audit reports and compliance documents inside your development workflow.

Quick install

Claude Code

Plugin command (recommended)
/plugin add https://github.com/majiayu000/claude-skill-registry
Git clone (alternative)
git clone https://github.com/majiayu000/claude-skill-registry.git ~/.claude/skills/compliance-report-builder

Copy and paste this command into Claude Code to install the skill.

Documentation

Compliance Report Builder

Expert in regulatory compliance documentation and reporting.

Core principles

Evidence-Based Documentation

  • Controls must be tied to concrete artefacts
  • Audit trail with timestamps and accountable owners
  • Quantitative metrics for preventive and detective measures

Risk-Oriented Approach

  • Prioritisation of high-risk areas
  • Mapping of controls to threat vectors
  • Documentation of residual risk

Regulatory Alignment

  • Tying each requirement to the specific article of the regulation
  • Guidance for ambiguous standards
  • Documentation of compensating controls

Executive Summary Template

# Compliance Status Report
**Period:** Q4 2024
**Prepared:** 2024-12-10
**Classification:** Confidential

## Overall Status: 🟡 YELLOW

### Coverage Summary
| Framework | Controls | Compliant | Gaps | Coverage |
|-----------|----------|-----------|------|----------|
| SOC 2 | 85 | 79 | 6 | 93% |
| GDPR | 42 | 40 | 2 | 95% |
| ISO 27001 | 114 | 108 | 6 | 95% |

### Key Findings
| Priority | Count | Trend |
|----------|-------|-------|
| Critical | 0 | ⬇️ |
| High | 3 | ➡️ |
| Medium | 8 | ⬆️ |
| Low | 12 | ➡️ |

### Action Items
1. [CRITICAL] None
2. [HIGH] Complete MFA rollout by Jan 15
3. [HIGH] Update data retention policy
4. [HIGH] Implement logging for System X

Control Assessment Framework

Control:
  ID: AC-001
  Title: Access Control Policy
  Framework: SOC 2, ISO 27001
  Category: Security

Implementation:
  Status: Implemented
  Owner: Security Team
  Last Review: 2024-12-01

Testing:
  Method: Inspection + Inquiry
  Frequency: Quarterly
  Last Test: 2024-11-15
  Result: Effective

Evidence:
  - Policy document v2.3
  - Access review logs
  - Training completion records

Gaps:
  - None identified

Recommendations:
  - Automate quarterly access reviews
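The control records above are the raw material for the Coverage Summary table in the Executive Summary. The following is an added example (not part of the skill's own code) that takes records shaped like the Control Assessment Framework, computes per-framework coverage, and applies the evidence-first principle from the Core principles section: a control whose status is Implemented but that lists no artefacts is reported as a gap rather than counted as compliant. The sample records, their IDs and statuses are constructed for the example.

```python
"""Coverage summary and evidence-first check over control records.

Added example, not the skill's own code. Record layout mirrors the
Control Assessment Framework (id, frameworks, status, evidence).
"""
from collections import defaultdict

# Constructed sample records; IDs and statuses are illustrative only.
CONTROLS = [
    {"id": "AC-001", "title": "Access Control Policy",
     "frameworks": ["SOC 2", "ISO 27001"], "status": "Implemented",
     "evidence": ["Policy document v2.3", "Access review logs"]},
    {"id": "AC-002", "title": "Quarterly access review",
     "frameworks": ["SOC 2"], "status": "Implemented", "evidence": []},
    {"id": "DP-001", "title": "Records of processing",
     "frameworks": ["GDPR"], "status": "Partial", "evidence": ["RoPA register"]},
    {"id": "DP-002", "title": "Breach notification procedure",
     "frameworks": ["GDPR", "ISO 27001"], "status": "Not Implemented",
     "evidence": []},
]


def is_compliant(control: dict) -> bool:
    """Evidence first: Implemented only counts when at least one artefact backs it."""
    return control["status"] == "Implemented" and bool(control["evidence"])


def coverage_by_framework(controls: list) -> dict:
    """Return {framework: (controls, compliant, gaps, coverage_pct)}.

    A control mapped to several frameworks is counted once under each.
    """
    totals = defaultdict(lambda: [0, 0])  # framework -> [total, compliant]
    for c in controls:
        for fw in c["frameworks"]:
            totals[fw][0] += 1
            if is_compliant(c):
                totals[fw][1] += 1
    return {fw: (t, ok, t - ok, round(100 * ok / t))
            for fw, (t, ok) in sorted(totals.items())}


def unevidenced_controls(controls: list) -> list:
    """Controls claimed as Implemented with no supporting artefact (an audit finding)."""
    return [c["id"] for c in controls
            if c["status"] == "Implemented" and not c["evidence"]]


def coverage_table(controls: list) -> str:
    """Render the Coverage Summary table in the Executive Summary's markdown layout."""
    rows = ["| Framework | Controls | Compliant | Gaps | Coverage |",
            "|-----------|----------|-----------|------|----------|"]
    for fw, (t, ok, gaps, pct) in coverage_by_framework(controls).items():
        rows.append(f"| {fw} | {t} | {ok} | {gaps} | {pct}% |")
    return "\n".join(rows)


if __name__ == "__main__":
    print(coverage_table(CONTROLS))
    print("Implemented without evidence:", unevidenced_controls(CONTROLS))
```

Counting a control under every framework it maps to is what makes the per-framework totals differ from the number of control records; keep that in mind when reconciling the table against the control inventory.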

SOC 2 Trust Services

## Security (Common Criteria)

### CC1: Control Environment
| Control | Description | Status | Evidence |
|---------|-------------|--------|----------|
| CC1.1 | Board oversight | ✅ | Board minutes |
| CC1.2 | Management philosophy | ✅ | Policy docs |
| CC1.3 | Organizational structure | ✅ | Org chart |
| CC1.4 | HR practices | ✅ | HR policies |

### CC2: Communication and Information
| Control | Description | Status | Evidence |
|---------|-------------|--------|----------|
| CC2.1 | Information quality | ✅ | Data governance |
| CC2.2 | Internal communication | ✅ | Slack, email logs |
| CC2.3 | External communication | ✅ | Customer portal |

### CC3: Risk Assessment
| Control | Description | Status | Evidence |
|---------|-------------|--------|----------|
| CC3.1 | Risk identification | ✅ | Risk register |
| CC3.2 | Risk analysis | ✅ | Risk assessment |
| CC3.3 | Fraud risk | ✅ | Fraud controls |
| CC3.4 | Change management | ⚠️ | Partial automation |

GDPR Checklist

Article 30 - Records of Processing:
  - [ ] Processing purposes documented
  - [ ] Data categories listed
  - [ ] Recipient categories identified
  - [ ] Transfer safeguards documented
  - [ ] Retention periods defined
  - [ ] Security measures described

Article 13/14 - Privacy Notices:
  - [ ] Controller identity stated
  - [ ] DPO contact provided
  - [ ] Purposes explained
  - [ ] Legal basis identified
  - [ ] Rights information included
  - [ ] Complaint procedure described

Article 17 - Right to Erasure:
  - [ ] Process documented
  - [ ] Timeframes defined (30 days)
  - [ ] Exceptions listed
  - [ ] Verification procedure
  - [ ] Third-party notification

Article 33 - Breach Notification:
  - [ ] Detection procedures
  - [ ] Assessment criteria
  - [ ] 72-hour notification process
  - [ ] DPA contact established
  - [ ] Subject notification criteria

Risk Assessment Matrix

const riskMatrix = {
  likelihood: {
    rare: 1,      // < 5%
    unlikely: 2,  // 5-25%
    possible: 3,  // 25-50%
    likely: 4,    // 50-75%
    certain: 5    // > 75%
  },

  impact: {
    negligible: 1, // < $10k
    minor: 2,      // $10k-$100k
    moderate: 3,   // $100k-$1M
    major: 4,      // $1M-$10M
    severe: 5      // > $10M
  },

  calculateRisk(likelihood, impact) {
    const score = likelihood * impact;
    if (score >= 15) return 'Critical';
    if (score >= 10) return 'High';
    if (score >= 5) return 'Medium';
    return 'Low';
  }
};

Finding Classification

Critical:
  Response: 24-48 hours
  Escalation: Executive + Board
  Examples:
    - Active data breach
    - Regulatory violation with penalties
    - System-wide security failure

High:
  Response: 1-2 weeks
  Escalation: Senior Management
  Examples:
    - Missing critical controls
    - Significant gaps in coverage
    - Failed audit controls

Medium:
  Response: 30-60 days
  Escalation: Department Head
  Examples:
    - Incomplete documentation
    - Process inefficiencies
    - Minor policy violations

Low:
  Response: 90 days
  Escalation: Control Owner
  Examples:
    - Optimization opportunities
    - Documentation updates
    - Training gaps

Gap Analysis Template

## Gap Analysis: [Control Area]

### Current State
[Description of current implementation]

### Required State
[Regulatory requirement or best practice]

### Gap Description
[Specific gaps identified]

### Risk Assessment
- Likelihood: [1-5]
- Impact: [1-5]
- Risk Score: [calculated]
- Risk Level: [Critical/High/Medium/Low]

### Remediation Plan
| Action | Owner | Due Date | Status |
|--------|-------|----------|--------|
| Action 1 | Name | Date | In Progress |
| Action 2 | Name | Date | Pending |

### Success Metrics
- [ ] Metric 1
- [ ] Metric 2

Audit Sampling

import math


def calculate_sample_size(population: int, confidence: float = 0.95,
                          margin_error: float = 0.05) -> int:
    """
    Calculate statistical sample size for audit testing.

    Args:
        population: Total population size
        confidence: Confidence level (default 95%)
        margin_error: Acceptable margin of error (default 5%)

    Returns:
        Required sample size
    """
    # Z-score for the supported confidence levels; reject anything else
    # rather than silently falling back to 95%
    z_scores = {0.90: 1.645, 0.95: 1.96, 0.99: 2.576}
    if confidence not in z_scores:
        raise ValueError(f"unsupported confidence level: {confidence}")
    z = z_scores[confidence]

    # Assume 50% response distribution (worst case, gives the largest sample)
    p = 0.5

    # Cochran's formula for an effectively infinite population
    n = (z**2 * p * (1 - p)) / (margin_error**2)

    # Finite population correction for smaller populations
    if population < 10000:
        n = n / (1 + (n - 1) / population)

    return math.ceil(n)


# Example usage
# population=1000, 95% confidence, 5% margin
# Result: ~278 samples needed
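The sample size function says how many items to test, but an auditor will also ask how the items were chosen. The following is an added example (not part of the skill's own code) that selects the sample with a seeded PRNG and records the seed, the population size and a SHA-256 of the canonical population listing, so the selection can be reproduced by a reviewer and attached as evidence. The population IDs and the seed are constructed for the example; `random.Random(seed).sample` is deterministic for a given Python version, which is the assumption the reproducibility rests on.

```python
"""Reproducible audit sample selection with a recorded seed.

Added example, not the skill's own code. Pairs with a sample-size
calculation such as calculate_sample_size above: pass the required n here.
"""
import hashlib
import random

# Constructed population, e.g. one record per access-review entry.
POPULATION = [f"REC-{i:04d}" for i in range(1, 1001)]


def select_sample(population_ids: list, n: int, seed: int) -> dict:
    """Draw n items and return a record sufficient to reproduce the draw.

    The population is sorted first so that both the hash and the draw are
    independent of the order in which records were exported.
    """
    ids = sorted(set(population_ids))
    if n > len(ids):
        raise ValueError(f"sample size {n} exceeds population {len(ids)}")
    population_sha256 = hashlib.sha256("\n".join(ids).encode()).hexdigest()
    rng = random.Random(seed)  # seeded PRNG: same seed + same population => same sample
    chosen = sorted(rng.sample(ids, n))
    return {
        "seed": seed,
        "population_size": len(ids),
        "population_sha256": population_sha256,
        "sample_size": n,
        "sample": chosen,
    }


def run_example() -> dict:
    """Select the 278-item sample the page's worked figure calls for."""
    return select_sample(POPULATION, 278, seed=20241210)


if __name__ == "__main__":
    record = run_example()
    print({k: v for k, v in record.items() if k != "sample"})
    print("first items:", record["sample"][:5])
```

Store the returned record (minus the full sample, if it is large) alongside the test workpapers; anyone holding the same export can recompute the hash, confirm the population matches, and regenerate the identical sample.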

Continuous Monitoring

Real-time Dashboards:
  - Control effectiveness scores
  - Compliance coverage %
  - Open findings count
  - Risk heat map

Automated Alerts:
  Critical:
    - Failed security controls
    - Unauthorized access attempts
    - Data breach indicators

  Warning:
    - Controls approaching expiry
    - Overdue remediations
    - Anomaly detection triggers

Reporting Cadence:
  Daily: Critical events
  Weekly: Status summary
  Monthly: Detailed report
  Quarterly: Executive review
  Annually: Full assessment
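The Finding Classification section fixes a response window and an escalation path per severity, and the Continuous Monitoring section lists "Overdue remediations" as a warning alert. The following added example (not the skill's own code) ports the page's JavaScript risk matrix to Python, assigns each finding a due date from the upper bound of its response window, produces the Key Findings counts used in the Executive Summary, and implements the overdue check as of a report date. The sample findings, their IDs and dates are constructed; the choice of the window's upper bound as the due date is an assumption made here.

```python
"""Finding triage and overdue-remediation alerting.

Added example, not the skill's own code. Scoring thresholds follow the
page's riskMatrix; response windows follow the Finding Classification
section (upper bound of each range is used as the due date).
"""
from collections import Counter
from datetime import date, timedelta

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# severity -> (response window in days, escalation path)
SLA = {
    "Critical": (2, "Executive + Board"),
    "High": (14, "Senior Management"),
    "Medium": (60, "Department Head"),
    "Low": (90, "Control Owner"),
}

# Constructed sample findings; IDs and dates are illustrative only.
FINDINGS = [
    {"id": "FND-2024-040", "likelihood": "likely", "impact": "major",
     "identified": "2024-11-01", "status": "Open"},
    {"id": "FND-2024-041", "likelihood": "possible", "impact": "minor",
     "identified": "2024-12-01", "status": "Open"},
    {"id": "FND-2024-042", "likelihood": "rare", "impact": "severe",
     "identified": "2024-09-01", "status": "Closed"},
]


def risk_level(likelihood: str, impact: str) -> str:
    """Same thresholds as the page's calculateRisk: score = likelihood * impact."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def triage(finding: dict) -> dict:
    """Attach severity, escalation path and ISO due date to a finding."""
    level = risk_level(finding["likelihood"], finding["impact"])
    days, escalation = SLA[level]
    due = date.fromisoformat(finding["identified"]) + timedelta(days=days)
    return {**finding, "level": level, "escalation": escalation,
            "due": due.isoformat()}


def open_counts_by_level(findings: list) -> dict:
    """Key Findings counts: open findings per severity, every level present."""
    counts = Counter(triage(f)["level"] for f in findings if f["status"] != "Closed")
    return {level: counts.get(level, 0) for level in SLA}


def overdue_ids(findings: list, as_of_iso: str) -> list:
    """Warning alert: open findings whose due date has passed as of the report date."""
    as_of = date.fromisoformat(as_of_iso)
    return [t["id"] for t in map(triage, findings)
            if t["status"] != "Closed" and date.fromisoformat(t["due"]) < as_of]


if __name__ == "__main__":
    for f in FINDINGS:
        t = triage(f)
        print(t["id"], t["level"], "due", t["due"], "->", t["escalation"])
    print("open by level:", open_counts_by_level(FINDINGS))
    print("overdue as of 2024-12-10:", overdue_ids(FINDINGS, "2024-12-10"))
```

Because the due date is derived rather than typed in, the same triage record feeds both the daily Critical-events alert (anything at Critical) and the overdue warning; store the computed level and due date with the finding so later reports can show whether the window was met.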

Report Templates

Finding Report

# Finding Report

**ID:** FND-2024-042
**Date:** 2024-12-10
**Severity:** High

## Summary
[One-sentence description]

## Background
[Context and relevant history]

## Finding Details
[Technical details of the issue]

## Impact Assessment
- Business Impact: [description]
- Regulatory Impact: [description]
- Reputational Impact: [description]

## Root Cause
[Why this happened]

## Recommendation
[Specific remediation steps]

## Management Response
[Owner's response and commitment]

## Timeline
| Milestone | Date | Status |
|-----------|------|--------|
| Finding identified | 2024-12-10 | Complete |
| Remediation plan | 2024-12-15 | Pending |
| Implementation | 2024-01-15 | Pending |
| Verification | 2024-01-30 | Pending |

Best practices

  1. Evidence first: every control must have supporting evidence
  2. Risk-based prioritization: focus on high-risk areas
  3. Continuous monitoring: don't wait for the annual audit
  4. Clear ownership: every control has an accountable owner
  5. Regular testing: verify effectiveness, not only design
  6. Documentation discipline: versioning and an audit trail

GitHub repository

majiayu000/claude-skill-registry
Path: skills/compliance-report-builder
