# grc

Total installs: 3. Weekly installs: 2. Site-wide rank: #59395.
Install command:

```shell
npx skills add https://github.com/sherifeldeeb/agentskills --skill grc
```
Agent install distribution: opencode (2), claude-code (2), codex (2), mcpjam (1), openhands (1), zencoder (1).
Skill documentation

# GRC Skill

Support Governance, Risk, and Compliance (GRC) activities with policy generation, control assessment, risk management, and compliance tracking.
## Capabilities

- Policy Management: Generate and track security policies
- Control Assessment: Document and assess control effectiveness
- Risk Management: Maintain risk registers and assessments
- Compliance Tracking: Track compliance with multiple frameworks
- Audit Support: Generate audit evidence and reports
- Framework Mapping: Map controls across frameworks
## Quick Start

```python
from grc_utils import PolicyGenerator, ControlAssessment, RiskRegister, ComplianceTracker

# Generate a policy
policy = PolicyGenerator('Access Control Policy')
policy.add_section('Purpose', 'Define access control requirements...')
policy.add_control('AC-1', 'Users must use unique identifiers')
print(policy.generate())

# Assess a control
assessment = ControlAssessment('AC-1', 'Access Control')
assessment.set_effectiveness('effective')
assessment.add_evidence('access_review_report.pdf', 'Quarterly access review')

# Track compliance
tracker = ComplianceTracker('SOC 2')
tracker.add_control('CC6.1', status='compliant')
print(tracker.get_compliance_status())
```
## Usage

### Policy Management

Generate and manage security policies.

Example:

```python
from grc_utils import PolicyGenerator

# Create policy
policy = PolicyGenerator(
    title='Information Security Policy',
    version='1.0',
    owner='CISO',
    classification='Internal'
)

# Add sections
policy.add_section(
    'Purpose',
    '''This policy establishes the information security requirements
for protecting organizational assets and data.'''
)
policy.add_section(
    'Scope',
    '''This policy applies to all employees, contractors, and third
parties with access to organizational systems.'''
)
policy.add_section(
    'Policy Statements',
    '''1. All users must complete security awareness training annually.
2. Multi-factor authentication is required for all remote access.
3. Data must be classified and handled according to its sensitivity.'''
)

# Add controls
policy.add_control('AC-1', 'Access control policy and procedures')
policy.add_control('AC-2', 'Account management')
policy.add_control('AT-1', 'Security awareness training')

# Set review schedule
policy.set_review_schedule(frequency='annual', next_review='2025-01-01')

# Generate outputs
print(policy.generate())  # Markdown format
print(policy.to_json())   # JSON for storage
```
### Control Assessment

Document and assess control effectiveness.

Example (evidence for a Q4 2024 review is collected in January 2025, after the quarter closes):

```python
from grc_utils import ControlAssessment

# Create assessment
assessment = ControlAssessment(
    control_id='AC-2',
    control_name='Account Management',
    framework='NIST 800-53'
)

# Set control details
assessment.set_description('''
The organization manages information system accounts, including:
- Identifying account types
- Establishing conditions for group membership
- Identifying authorized users
- Specifying access privileges
''')

# Document implementation
assessment.set_implementation('''
Account management is implemented through:
- Active Directory for identity management
- Privileged Access Management (PAM) solution
- Quarterly access reviews
- Automated deprovisioning workflows
''')

# Add evidence
assessment.add_evidence(
    filename='access_review_q4_2024.pdf',
    description='Q4 2024 access review report',
    date_collected='2025-01-15'
)
assessment.add_evidence(
    filename='pam_config_screenshot.png',
    description='PAM solution configuration',
    date_collected='2025-01-10'
)

# Set effectiveness
assessment.set_effectiveness(
    rating='effective',
    notes='Control operating as intended with minor documentation gaps'
)

# Identify gaps
assessment.add_gap(
    description='Service account reviews not documented',
    remediation='Implement service account review process',
    priority='Medium',
    due_date='2025-03-01'
)

# Generate report
print(assessment.generate_report())
```
### Risk Management

Maintain risk registers and assessments.

Example:

```python
from grc_utils import RiskRegister

register = RiskRegister()

# Add risks
register.add_risk(
    risk_id='RISK-001',
    title='Ransomware Attack',
    description='Risk of ransomware infection causing data loss and operational disruption',
    category='Cybersecurity',
    likelihood='medium',
    impact='high',
    inherent_risk='high'
)
register.add_risk(
    risk_id='RISK-002',
    title='Third-Party Data Breach',
    description='Risk of data breach through third-party vendor',
    category='Third Party',
    likelihood='medium',
    impact='medium',
    inherent_risk='medium'
)

# Add controls/mitigations
register.add_mitigation(
    risk_id='RISK-001',
    control='Endpoint Detection and Response (EDR)',
    effectiveness='high'
)
register.add_mitigation(
    risk_id='RISK-001',
    control='Backup and Recovery Solution',
    effectiveness='high'
)

# Calculate residual risk
register.calculate_residual_risk('RISK-001')

# Set treatment
register.set_treatment(
    risk_id='RISK-001',
    treatment='mitigate',
    owner='Security Operations',
    notes='Continuing to enhance detection and response capabilities'
)

# Generate risk report
print(register.generate_report())
print(register.generate_heatmap_data())
```
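The page does not show how `inherent_risk` relates to `likelihood` and `impact`, how mitigations reduce a rating, or what `generate_heatmap_data()` returns. The following is an added, self-contained example (not `grc_utils` code) that makes those rules explicit: the inherent rating is looked up in a 3x4 likelihood/impact matrix rather than passed in, each mitigation removes rating steps from the dimension it targets (an assumed `reduces` parameter, since detection controls lower likelihood while backups lower impact), and the heatmap is the set of residual cells in use. The rating vocabularies are the ones listed under Troubleshooting; the matrix cells, the step values and the `reduces` parameter are assumptions for this example.

```python
"""Added example (not part of grc_utils): an in-memory risk register that derives
the inherent rating from a likelihood x impact matrix instead of taking it as an
argument, applies mitigations as rating-step reductions, and emits heatmap cells.
Rating vocabularies follow the Troubleshooting section; the matrix, the step
values and the 'reduces' parameter are assumptions made for this example."""
import math
from dataclasses import dataclass, field

LIKELIHOOD = ("low", "medium", "high")
IMPACT = ("low", "medium", "high", "critical")
# Assumed 3x4 matrix: MATRIX[likelihood][IMPACT.index(impact)] -> overall rating.
MATRIX = {
    "low":    ("low", "low", "medium", "high"),
    "medium": ("low", "medium", "high", "critical"),
    "high":   ("medium", "high", "critical", "critical"),
}
# Assumed: rating steps a mitigation removes from the dimension it targets.
# One 'medium' control is not enough to move a rating on its own; two are.
STEPS = {"low": 0.0, "medium": 0.5, "high": 1.0}


def check_value(value, allowed, name):
    """Reject anything outside the vocabulary (e.g. 'very high') with a clear message."""
    if value not in allowed:
        raise ValueError(f"invalid {name} {value!r}; expected one of {allowed}")
    return value


def rate(likelihood, impact):
    """Overall rating for a validated likelihood/impact pair."""
    check_value(likelihood, LIKELIHOOD, "likelihood")
    check_value(impact, IMPACT, "impact")
    return MATRIX[likelihood][IMPACT.index(impact)]


@dataclass
class Risk:
    risk_id: str
    title: str
    likelihood: str
    impact: str
    mitigations: list = field(default_factory=list)  # (control, effectiveness, reduces)


class RiskRegister:
    def __init__(self):
        self.risks = {}

    def add_risk(self, risk_id, title, likelihood, impact):
        rate(likelihood, impact)  # validate both ratings before anything is stored
        self.risks[risk_id] = Risk(risk_id, title, likelihood, impact)

    def add_mitigation(self, risk_id, control, effectiveness, reduces):
        check_value(effectiveness, tuple(STEPS), "effectiveness")
        check_value(reduces, ("likelihood", "impact"), "reduces")
        self.risks[risk_id].mitigations.append((control, effectiveness, reduces))

    def inherent_risk(self, risk_id):
        r = self.risks[risk_id]
        return rate(r.likelihood, r.impact)

    def residual_ratings(self, risk_id):
        """Likelihood/impact after mitigations: whole steps only, never below 'low'."""
        r = self.risks[risk_id]
        steps = {"likelihood": 0.0, "impact": 0.0}
        for _control, effectiveness, reduces in r.mitigations:
            steps[reduces] += STEPS[effectiveness]
        li = max(0, LIKELIHOOD.index(r.likelihood) - math.floor(steps["likelihood"]))
        ii = max(0, IMPACT.index(r.impact) - math.floor(steps["impact"]))
        return LIKELIHOOD[li], IMPACT[ii]

    def calculate_residual_risk(self, risk_id):
        return rate(*self.residual_ratings(risk_id))

    def generate_heatmap_data(self):
        """Residual heatmap: {(likelihood, impact): [risk ids]} for the cells in use."""
        cells = {}
        for risk_id in self.risks:
            cells.setdefault(self.residual_ratings(risk_id), []).append(risk_id)
        return cells


if __name__ == "__main__":
    register = RiskRegister()
    register.add_risk("RISK-001", "Ransomware Attack", likelihood="medium", impact="high")
    register.add_mitigation("RISK-001", "EDR", effectiveness="high", reduces="likelihood")
    register.add_mitigation("RISK-001", "Backup and Recovery", effectiveness="high", reduces="impact")
    print(register.inherent_risk("RISK-001"), "->", register.calculate_residual_risk("RISK-001"))
    print(register.generate_heatmap_data())
```

Deriving the inherent rating from the matrix removes the chance of a register entry whose stated `inherent_risk` disagrees with its own likelihood and impact, and flooring the accumulated steps keeps a pile of weak controls from quietly erasing a risk.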
### Compliance Tracking

Track compliance across frameworks.

Example:

```python
from grc_utils import ComplianceTracker

# Create tracker for SOC 2
tracker = ComplianceTracker('SOC 2 Type II')

# Add controls with status
tracker.add_control(
    control_id='CC6.1',
    description='Logical and physical access controls',
    status='compliant',
    evidence=['access_control_policy.pdf', 'access_review_q4.xlsx']
)
tracker.add_control(
    control_id='CC6.2',
    description='Access credentials management',
    status='compliant',
    evidence=['mfa_implementation.pdf']
)
tracker.add_control(
    control_id='CC6.3',
    description='Access removal',
    status='partially_compliant',
    evidence=['termination_checklist.pdf'],
    gaps=['Delayed offboarding for contractors']
)
tracker.add_control(
    control_id='CC7.1',
    description='Detection of unauthorized changes',
    status='non_compliant',
    gaps=['FIM not fully implemented']
)

# Get compliance status
status = tracker.get_compliance_status()
print(f"Compliant: {status['compliant']}")
print(f"Partially Compliant: {status['partially_compliant']}")
print(f"Non-Compliant: {status['non_compliant']}")

# Generate compliance report
print(tracker.generate_report())
```
### Framework Mapping

Map controls across multiple frameworks.

Example:

```python
from grc_utils import FrameworkMapper

mapper = FrameworkMapper()

# Add control mappings
mapper.add_mapping(
    control_name='Access Control Policy',
    mappings={
        'NIST 800-53': 'AC-1',
        'ISO 27001': 'A.9.1.1',
        'SOC 2': 'CC6.1',
        'CIS': 'Control 6.1'
    }
)
mapper.add_mapping(
    control_name='Multi-Factor Authentication',
    mappings={
        'NIST 800-53': 'IA-2(1)',
        'ISO 27001': 'A.9.4.2',
        'SOC 2': 'CC6.1',
        'CIS': 'Control 6.5'
    }
)

# Get control by framework
nist_controls = mapper.get_by_framework('NIST 800-53')

# Find equivalent controls
equivalents = mapper.find_equivalents('NIST 800-53', 'AC-1')

# Generate mapping matrix
print(mapper.generate_matrix())
```

Note that the ISO 27001 identifiers above follow the 2013 Annex A numbering; the 2022 edition renumbers them (A.9.1.1 becomes A.5.15, A.9.4.2 becomes A.8.5), so record which edition a mapping targets. Framework names are also plain strings: a tracker created as `'SOC 2 Type II'` will not match a mapping keyed `'SOC 2'` unless you normalize them.
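The Compliance Tracking and Framework Mapping sections above are presented separately, but the point of a crosswalk is to let one assessment answer questions in several frameworks. The following is an added example (not `grc_utils` code) that implements both a mapper and a tracker and joins them: `status_via_crosswalk()` reports a NIST or ISO control's status from a SOC 2 assessment, taking the worst status when several tracked controls map to the requested one. The tracker also refuses a `compliant` status with no evidence and a non-compliant status with no gap. The "worst status wins" rule, those validation rules and the `status_via_crosswalk` helper are assumptions for this example.

```python
"""Added example (not part of grc_utils): a control crosswalk plus a compliance
tracker, combined so a control assessed under one framework can be read through
any framework it is mapped to. The worst-status rule for one-to-many mappings
and the evidence/gap requirements are assumptions made for this example."""
from collections import Counter

STATUSES = ("compliant", "partially_compliant", "non_compliant", "not_applicable")
# Lower rank = worse. not_applicable carries no rank and is left out of roll-ups.
RANK = {"non_compliant": 0, "partially_compliant": 1, "compliant": 2}


class FrameworkMapper:
    def __init__(self):
        self._rows = []  # each row: {"control_name": str, "mappings": {framework: control_id}}

    def add_mapping(self, control_name, mappings):
        self._rows.append({"control_name": control_name, "mappings": dict(mappings)})

    def get_by_framework(self, framework):
        """{control_id: [control names]} for one framework."""
        out = {}
        for row in self._rows:
            control_id = row["mappings"].get(framework)
            if control_id:
                out.setdefault(control_id, []).append(row["control_name"])
        return out

    def find_equivalents(self, framework, control_id):
        """{other framework: sorted control ids} that share a row with the given control."""
        out = {}
        for row in self._rows:
            if row["mappings"].get(framework) != control_id:
                continue
            for other, cid in row["mappings"].items():
                if other != framework:
                    out.setdefault(other, set()).add(cid)
        return {fw: sorted(ids) for fw, ids in out.items()}


class ComplianceTracker:
    def __init__(self, framework):
        self.framework = framework
        self.controls = {}

    def add_control(self, control_id, status, description="", evidence=(), gaps=()):
        if status not in STATUSES:
            raise ValueError(f"invalid status {status!r}; expected one of {STATUSES}")
        # A 'compliant' claim with nothing to hand an auditor is not a claim.
        if status == "compliant" and not evidence:
            raise ValueError(f"{control_id}: 'compliant' requires at least one evidence item")
        # Anything short of compliant must say what is missing.
        if status in ("partially_compliant", "non_compliant") and not gaps:
            raise ValueError(f"{control_id}: {status!r} requires at least one gap")
        self.controls[control_id] = {
            "description": description,
            "status": status,
            "evidence": list(evidence),
            "gaps": list(gaps),
        }

    def get_compliance_status(self):
        counts = Counter(c["status"] for c in self.controls.values())
        return {s: counts.get(s, 0) for s in STATUSES}


def status_via_crosswalk(tracker, mapper, framework, control_id):
    """Status of `control_id` in `framework`, derived from the tracker's own framework.

    Several tracked controls may map onto the requested one; the worst wins,
    because a crosswalk says 'overlaps with', not 'is satisfied by'.
    """
    mapped = mapper.find_equivalents(framework, control_id).get(tracker.framework, [])
    statuses = [tracker.controls[c]["status"] for c in mapped
                if c in tracker.controls and tracker.controls[c]["status"] in RANK]
    if not statuses:
        return "not_assessed"
    return min(statuses, key=RANK.__getitem__)


if __name__ == "__main__":
    mapper = FrameworkMapper()
    mapper.add_mapping("Account provisioning", {"NIST 800-53": "AC-2", "SOC 2": "CC6.1"})
    mapper.add_mapping("Account deprovisioning", {"NIST 800-53": "AC-2", "SOC 2": "CC6.3"})
    tracker = ComplianceTracker("SOC 2")
    tracker.add_control("CC6.1", "compliant", evidence=["access_control_policy.pdf"])
    tracker.add_control("CC6.3", "partially_compliant", gaps=["Delayed offboarding for contractors"])
    print("AC-2 via SOC 2:", status_via_crosswalk(tracker, mapper, "NIST 800-53", "AC-2"))
```

A one-to-many mapping is where crosswalk tooling usually misleads: AC-2 overlaps both CC6.1 (compliant) and CC6.3 (partially compliant), so reporting AC-2 as compliant would overstate the position.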
### Audit Support

Generate audit evidence and reports.

Example (for a Type II audit covering calendar year 2024, evidence of the year's operation is provided after the period closes, so the dates fall in early 2025):

```python
from grc_utils import AuditPackage

audit = AuditPackage(
    audit_name='SOC 2 Type II 2024',
    period_start='2024-01-01',
    period_end='2024-12-31'
)

# Add evidence
audit.add_evidence(
    request_id='RQ-001',
    description='Access control policy',
    filename='access_control_policy_v2.1.pdf',
    control_ids=['CC6.1', 'CC6.2'],
    provided_by='security-team',
    date_provided='2025-01-15'
)
audit.add_evidence(
    request_id='RQ-002',
    description='Quarterly access reviews',
    filename='access_reviews_2024.xlsx',
    control_ids=['CC6.1'],
    provided_by='it-team',
    date_provided='2025-01-16'
)

# Track findings
audit.add_finding(
    finding_id='FIND-001',
    description='Delayed access removal for terminated employees',
    severity='Medium',
    control_ids=['CC6.3'],
    management_response='Implementing automated deprovisioning',
    remediation_date='2025-03-01'
)

# Generate audit package
print(audit.generate_evidence_index())
print(audit.generate_finding_summary())
```
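An evidence index is only useful to an auditor if the file they receive is provably the file that was collected, and if it shows which in-scope controls still have nothing behind them. The following is an added example (not `grc_utils` code) of an audit package that records a SHA-256 digest and size for each artifact at collection time, verifies a file against that record later, rejects evidence tagged with controls outside the audit's scope, and lists in-scope controls with no evidence. The `in_scope` and `content` parameters, the `verify()` and `missing_evidence()` methods, and the sample evidence bytes are constructed for this example.

```python
"""Added example (not part of grc_utils): an audit evidence index with per-artifact
SHA-256 digests for later verification, scope checking on control ids, and a
coverage report of in-scope controls that still lack evidence. The in_scope and
content parameters and the sample bytes are constructed for this example."""
import hashlib
import json
from datetime import date


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AuditPackage:
    def __init__(self, audit_name, period_start, period_end, in_scope):
        self.audit_name = audit_name
        self.period_start = date.fromisoformat(period_start)
        self.period_end = date.fromisoformat(period_end)
        if self.period_end < self.period_start:
            raise ValueError("period_end precedes period_start")
        self.in_scope = set(in_scope)
        self.evidence = {}  # request_id -> record
        self.findings = []

    def _check_scope(self, label, control_ids):
        unknown = set(control_ids) - self.in_scope
        if unknown:
            raise ValueError(f"{label}: controls not in audit scope: {sorted(unknown)}")

    def add_evidence(self, request_id, description, filename, content,
                     control_ids, provided_by, date_provided):
        if request_id in self.evidence:
            raise ValueError(f"duplicate request id {request_id!r}")
        self._check_scope(request_id, control_ids)
        self.evidence[request_id] = {
            "request_id": request_id,
            "description": description,
            "filename": filename,
            # Digest taken at collection time; this is what the auditor verifies against.
            "sha256": sha256_hex(content),
            "size": len(content),
            "control_ids": sorted(control_ids),
            "provided_by": provided_by,
            "date_provided": date.fromisoformat(date_provided).isoformat(),
        }

    def verify(self, request_id, content) -> bool:
        """True if `content` matches the digest recorded when the evidence was collected."""
        return self.evidence[request_id]["sha256"] == sha256_hex(content)

    def missing_evidence(self):
        """In-scope controls with no evidence item referencing them."""
        covered = {c for rec in self.evidence.values() for c in rec["control_ids"]}
        return sorted(self.in_scope - covered)

    def add_finding(self, finding_id, description, severity, control_ids,
                    management_response, remediation_date):
        self._check_scope(finding_id, control_ids)
        self.findings.append({
            "finding_id": finding_id,
            "description": description,
            "severity": severity,
            "control_ids": sorted(control_ids),
            "management_response": management_response,
            "remediation_date": date.fromisoformat(remediation_date).isoformat(),
        })

    def generate_evidence_index(self):
        return sorted(self.evidence.values(), key=lambda rec: rec["request_id"])

    def generate_finding_summary(self):
        by_severity = {}
        for finding in self.findings:
            by_severity[finding["severity"]] = by_severity.get(finding["severity"], 0) + 1
        return {"audit": self.audit_name, "findings": len(self.findings), "by_severity": by_severity}


if __name__ == "__main__":
    pkg = AuditPackage("SOC 2 Type II 2024", "2024-01-01", "2024-12-31",
                       in_scope=["CC6.1", "CC6.2", "CC6.3"])
    policy_pdf = b"%PDF-1.4 constructed sample policy document"  # constructed sample bytes
    pkg.add_evidence("RQ-001", "Access control policy", "access_control_policy_v2.1.pdf",
                     policy_pdf, ["CC6.1", "CC6.2"], "security-team", "2025-01-15")
    print(json.dumps(pkg.generate_evidence_index(), indent=2))
    print("still missing evidence:", pkg.missing_evidence())
    print("verifies:", pkg.verify("RQ-001", policy_pdf))
```

Keeping the digest with the index rather than in a separate file means the index itself can be signed or checked into a repository as the single record an auditor has to trust.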
## Configuration

### Environment Variables

| Variable | Description | Required | Default |
|---|---|---|---|
| GRC_OUTPUT_DIR | Output directory for reports | No | ./output |
| GRC_TEMPLATE_DIR | Directory for policy templates | No | ./templates |
## Supported Frameworks

- NIST 800-53 – Security and Privacy Controls for Information Systems and Organizations
- NIST CSF – Cybersecurity Framework
- ISO 27001 – Information Security Management Systems
- SOC 2 – System and Organization Controls 2 (AICPA Trust Services Criteria)
- PCI DSS – Payment Card Industry Data Security Standard
- HIPAA – Health Insurance Portability and Accountability Act
- GDPR – General Data Protection Regulation
- CIS Controls – Center for Internet Security Critical Security Controls
## Limitations

- No database: data is held in memory only and is lost when the process exits, so persist any output (for example via `to_json()`) yourself
- No workflow: status updates are manual; nothing re-evaluates a control or risk when evidence ages or a due date passes
- Template-based: generated documents follow fixed templates with limited customization
## Troubleshooting

### Invalid Risk Rating

Use valid risk rating values:

```python
# Valid ratings
register.add_risk(..., likelihood='high')   # high, medium, low
register.add_risk(..., impact='critical')   # critical, high, medium, low

# Invalid
register.add_risk(..., likelihood='very high')  # Error!
```

### Compliance Status Values

Use standard compliance statuses:

```python
# Valid
tracker.add_control(..., status='compliant')
tracker.add_control(..., status='partially_compliant')
tracker.add_control(..., status='non_compliant')
tracker.add_control(..., status='not_applicable')
```
## Related Skills

- vulnerability-management: Technical compliance
- docx: Policy document generation
- xlsx: Compliance tracking spreadsheets