security-compliance

仓库: davila7/claude-code-templates
安装量: 383
排名: #2503

安装

npx skills add https://github.com/davila7/claude-code-templates --skill security-compliance

Security & Compliance Expert Core Principles 1. Defense in Depth

Apply multiple layers of security controls so that if one fails, others provide protection. Never rely on a single security mechanism.

  1. Zero Trust Architecture

Never trust, always verify. Assume breach and verify every access request regardless of location or network.

  1. Least Privilege

Grant the minimum access necessary for users and systems to perform their functions. Regularly review and revoke unused permissions.

  1. Security by Design

Integrate security requirements from the earliest stages of system design, not as an afterthought.

  1. Continuous Monitoring

Implement ongoing monitoring and alerting to detect anomalies and security events in real-time.

  1. Risk-Based Approach

Prioritize security efforts based on risk assessment, focusing resources on the most critical assets and likely threats.

  1. Compliance as Foundation

Use compliance frameworks as a baseline, but go beyond minimum requirements to achieve actual security.

  1. Incident Readiness

Prepare for security incidents through planning, testing, and regular tabletop exercises. Assume compromise will occur.

Security & Compliance Lifecycle Phase 1: Assess & Plan

Objective: Understand current security posture and compliance requirements

Activities:

Conduct security assessments and gap analysis Identify compliance requirements (SOC2, ISO27001, GDPR, HIPAA, PCI-DSS) Perform risk assessments and threat modeling Define security policies and standards Establish security governance structure Create security roadmap with prioritized initiatives

Deliverables:

Risk register with prioritized risks Compliance gap analysis report Security architecture documentation Security policies and procedures Security roadmap and budget Phase 2: Design & Architect

Objective: Design secure systems and architectures

Activities:

Design defense-in-depth architectures Implement Zero Trust network architecture Design identity and access management (IAM) systems Architect data protection and encryption solutions Design secure CI/CD pipelines Create threat models for applications and systems Define security controls and compensating controls

Deliverables:

Security architecture diagrams Threat models (STRIDE, PASTA, or attack trees) Data flow diagrams with security boundaries Encryption and key management design IAM design with RBAC/ABAC models Security control matrix Phase 3: Implement & Harden

Objective: Deploy security controls and harden systems

Activities:

Implement security controls (preventive, detective, corrective) Configure security tools (SIEM, EDR, CASB, WAF, IDS/IPS) Harden operating systems and applications Implement encryption at rest and in transit Deploy multi-factor authentication (MFA) Configure logging and monitoring Implement data loss prevention (DLP) Set up vulnerability management program

Deliverables:

Hardening baselines and configuration standards Deployed security tools and controls Encryption implementation MFA deployment Security monitoring dashboards Vulnerability management procedures Phase 4: Monitor & Detect

Objective: Continuously monitor for threats and anomalies

Activities:

Monitor security logs and events (SIEM) Analyze security alerts and anomalies Conduct threat hunting Perform vulnerability scanning and penetration testing Monitor compliance controls Track security metrics and KPIs Review access logs and privileged account activity Analyze threat intelligence feeds

Deliverables:

Security operations center (SOC) runbooks Alert triage and escalation procedures Threat hunting playbooks Vulnerability scan reports Penetration test reports Security metrics dashboard Compliance monitoring reports Phase 5: Respond & Recover

Objective: Respond to security incidents and recover operations

Activities:

Execute incident response plan Contain and eradicate threats Perform forensic analysis Recover affected systems Conduct post-incident reviews Update security controls based on lessons learned Report incidents to stakeholders and regulators Improve detection rules and response procedures

Deliverables:

Incident response reports Forensic analysis findings Root cause analysis Remediation plans Updated incident response playbooks Regulatory breach notifications (if required) Post-incident review and recommendations Phase 6: Audit & Improve

Objective: Validate compliance and continuously improve security

Activities:

Conduct internal audits Prepare for external audits (SOC2, ISO27001) Perform compliance assessments Review and update security policies Conduct security training and awareness programs Perform tabletop exercises and disaster recovery drills Update risk assessments Implement security improvements

Deliverables:

Audit reports (internal and external) SOC2 Type II report ISO27001 certification Compliance attestations Updated policies and procedures Training completion metrics Tabletop exercise results Continuous improvement plan Decision Frameworks 1. Risk Assessment Framework

When to use: Evaluating security risks and prioritizing mitigation efforts

Process:

  1. Identify Assets
  2. What systems, data, and services need protection?
  3. What is the business value of each asset?

  4. Who are the asset owners?

  5. Identify Threats

  6. What threat actors might target these assets? (nation-state, cybercriminals, insiders)
  7. What are their motivations? (financial gain, espionage, disruption)

  8. What are current threat trends?

  9. Identify Vulnerabilities

  10. What weaknesses exist in systems or processes?
  11. What security controls are missing or ineffective?

  12. What are known CVEs affecting your systems?

  13. Calculate Risk Risk = Likelihood × Impact

Likelihood scale (1-5): 1 = Rare (< 5% chance in 1 year) 2 = Unlikely (5-25%) 3 = Possible (25-50%) 4 = Likely (50-75%) 5 = Almost Certain (> 75%)

Impact scale (1-5): 1 = Minimal (< $10K loss, no data breach) 2 = Minor ($10K-$100K, limited data exposure) 3 = Moderate ($100K-$1M, significant data breach) 4 = Major ($1M-$10M, extensive data breach, regulatory fines) 5 = Catastrophic (> $10M, business-threatening)

Risk Score = Likelihood × Impact (max 25)

  1. Prioritize Risks
  2. Critical: Risk score 15-25 (immediate action)
  3. High: Risk score 10-14 (action within 30 days)
  4. Medium: Risk score 5-9 (action within 90 days)

  5. Low: Risk score 1-4 (monitor and accept)

  6. Determine Risk Response

  7. Mitigate: Implement controls to reduce risk
  8. Accept: Document acceptance if risk is within tolerance
  9. Transfer: Use insurance or third-party services
  10. Avoid: Eliminate the activity that creates risk

Output: Risk register with prioritized risks and mitigation plans

  1. Security Control Selection

When to use: Choosing appropriate security controls for identified risks

Framework: Use NIST CSF categories or CIS Controls

NIST CSF Functions: 1. Identify (ID) - Asset Management - Risk Assessment - Governance

  1. Protect (PR)
  2. Access Control
  3. Data Security

  4. Protective Technology

  5. Detect (DE)

  6. Anomalies and Events
  7. Security Monitoring

  8. Detection Processes

  9. Respond (RS)

  10. Response Planning
  11. Communications

  12. Analysis and Mitigation

  13. Recover (RC)

  14. Recovery Planning
  15. Improvements
  16. Communications

Control Types: - Preventive: Stop incidents before they occur (MFA, firewalls, encryption) - Detective: Identify incidents when they occur (SIEM, IDS, log monitoring) - Corrective: Fix issues after detection (patching, incident response) - Deterrent: Discourage attackers (security policies, warnings) - Compensating: Alternative controls when primary controls aren't feasible

Selection Criteria: 1. Does it address the identified risk? 2. Is it cost-effective? (Control cost < Risk value) 3. Is it technically feasible? 4. Does it meet compliance requirements? 5. Can we maintain and monitor it?

  1. Compliance Framework Selection

When to use: Determining which compliance frameworks to implement

Decision Tree:

What type of organization are you?

├─ SaaS/Cloud Service Provider │ ├─ Selling to enterprises? → SOC2 Type II (required) │ ├─ International customers? → ISO27001 (strongly recommended) │ ├─ Handling health data? → HIPAA + HITRUST │ └─ Handling payment cards? → PCI-DSS

├─ Healthcare Provider/Payer │ ├─ U.S.-based → HIPAA (required) │ ├─ International → HIPAA + GDPR │ └─ Plus: HITRUST for comprehensive framework

├─ Financial Services │ ├─ U.S. banks → GLBA, SOX (if public) │ ├─ Payment processing → PCI-DSS (required) │ ├─ International → ISO27001, local regulations │ └─ Plus: NIST CSF for framework

├─ E-commerce/Retail │ ├─ Accept credit cards → PCI-DSS (required) │ ├─ EU customers → GDPR (required) │ ├─ California customers → CCPA │ └─ B2B sales → SOC2 Type II

└─ General Enterprise ├─ Selling to enterprises → SOC2 Type II ├─ Want broad recognition → ISO27001 ├─ Government contracts → FedRAMP, NIST 800-53 └─ Industry-specific → Check sector regulations

Multi-Framework Strategy: - Start with: SOC2 or ISO27001 (choose one as foundation) - Add: Data privacy regulations (GDPR, CCPA) as needed - Layer on: Industry-specific requirements

  1. Incident Severity Classification

When to use: Triaging and responding to security incidents

Severity Levels:

P0 - Critical (Immediate Response) - Active breach with data exfiltration occurring - Ransomware encryption in progress - Complete system outage of critical services - Unauthorized access to production databases - Response: Engage CIRT immediately, executive notification, 24/7 effort

P1 - High (Response within 1 hour) - Confirmed malware on critical systems - Attempted unauthorized access to sensitive data - DDoS attack affecting availability - Significant vulnerability with active exploits - Response: Engage CIRT, manager notification, work until contained

P2 - Medium (Response within 4 hours) - Malware on non-critical systems - Suspicious account activity - Policy violations with security impact - Vulnerability requiring patching - Response: Security team investigation, business hours

P3 - Low (Response within 24 hours) - Failed login attempts (below threshold) - Minor policy violations - Informational security events - Response: Standard queue, document findings

Classification Factors: 1. Data confidentiality impact (PHI, PII, financial, IP) 2. System availability impact (revenue, operations) 3. Data integrity impact (corruption, unauthorized changes) 4. Number of affected systems/users 5. Regulatory reporting requirements

  1. Vulnerability Prioritization

When to use: Prioritizing vulnerability remediation

Framework: Enhanced CVSS with business context

Base CVSS Score × Business Context Multiplier = Priority Score

CVSS Severity Ranges: - Critical: 9.0-10.0 - High: 7.0-8.9 - Medium: 4.0-6.9 - Low: 0.1-3.9

Business Context Multipliers: - Internet-facing production system: 2.0× - Internal production system: 1.5× - Systems with sensitive data: 1.5× - Development/test environment: 0.5× - Active exploit in the wild: 2.0× - Compensating controls in place: 0.7×

Priority Levels: - P0 (Critical): Score ≥ 14 → Patch within 24-48 hours - P1 (High): Score 10-13.9 → Patch within 7 days - P2 (Medium): Score 6-9.9 → Patch within 30 days - P3 (Low): Score < 6 → Patch within 90 days or accept risk

Additional Considerations: - Can the system be isolated/segmented? - Are there effective detective controls? - What is the patching complexity/risk? - Is there a vendor patch available?

  1. Third-Party Risk Assessment

When to use: Evaluating security risks of vendors and partners

Assessment Framework:

  1. Categorize Vendor Risk Level

Low Risk (Minimal assessment): - No access to systems or data - Limited integration - Non-critical service → Simple questionnaire

Medium Risk (Standard assessment): - Limited system access - Non-sensitive data access - Important but not critical service → Security questionnaire + evidence review

High Risk (Comprehensive assessment): - Production system access - Sensitive data processing - Critical service dependency → Full assessment + audit reports + pen test

Critical Risk (Extensive assessment): - Full production access - PHI/PII processing - Business-critical dependency → On-site audit + continuous monitoring + SLA

  1. Assessment Components

For Medium/High/Critical vendors: □ Security questionnaire (SIG, CAIQ, or custom) □ Compliance certifications (SOC2, ISO27001) □ Insurance certificates (cyber liability) □ Security policies and procedures □ Incident response plan □ Disaster recovery/business continuity plan □ Data processing agreement (DPA) □ Penetration test results (for high/critical) □ Right to audit clause in contract

  1. Ongoing Monitoring

  2. Annual reassessment

  3. Monitor for breaches/incidents
  4. Review security updates and patches
  5. Track compliance certification renewals

  6. Conduct periodic audits (for critical vendors)

  7. Vendor Risk Score

Calculate score (0-100): - Security maturity: 40 points - Compliance certifications: 20 points - Incident history: 15 points - Financial stability: 15 points - References and reputation: 10 points

Action based on score: - 80-100: Approved - 60-79: Approved with conditions - 40-59: Requires remediation plan - < 40: Do not engage

Key Security Frameworks & Standards NIST Cybersecurity Framework (CSF) Purpose: Risk-based framework for improving cybersecurity Structure: 5 Functions, 23 Categories, 108 Subcategories Best for: General organizations, government contractors Maturity model: Tier 1 (Partial) to Tier 4 (Adaptive) CIS Critical Security Controls Purpose: Prioritized set of actions for cyber defense Structure: 18 Controls with Implementation Groups (IG1, IG2, IG3) Best for: Practical implementation guidance Focus: Defense against common attack patterns ISO/IEC 27001 Purpose: International standard for information security management Structure: 14 domains, 114 controls (Annex A) Best for: International recognition, formal certification Requirements: ISMS (Information Security Management System) SOC 2 Type II Purpose: Service organization controls for security and availability Structure: Trust Service Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) Best for: SaaS companies, cloud service providers Audit: 3-12 month observation period NIST 800-53 Purpose: Security controls for federal systems Structure: 20 families, 1000+ controls Best for: Government contractors, FedRAMP Baselines: Low, Moderate, High impact systems GDPR (General Data Protection Regulation) Purpose: EU data privacy regulation Scope: Any organization processing EU residents' data Requirements: Lawful basis, consent, data subject rights, breach notification Penalties: Up to 4% of global revenue or €20M HIPAA (Health Insurance Portability and Accountability Act) Purpose: Protect health information (PHI) Scope: Healthcare providers, payers, business associates Requirements: Administrative, Physical, Technical safeguards Penalties: $100-$50,000 per violation, criminal charges possible PCI-DSS (Payment Card Industry Data Security Standard) Purpose: Protect cardholder data Structure: 12 requirements, 6 control objectives Scope: Any organization storing, processing, or transmitting card data Levels: Based on transaction volume (Level 1-4) Core Security Domains 1. Identity & Access Management (IAM) Authentication mechanisms (MFA, SSO, passwordless) Authorization models (RBAC, ABAC, ReBAC) Privileged access management (PAM) Identity governance and administration (IGA) Directory services (Active Directory, LDAP, Okta, Auth0) 2. Network Security Network segmentation and micro-segmentation Firewalls (next-gen, WAF, application-layer) Intrusion detection/prevention (IDS/IPS) VPN and secure remote access Zero Trust network architecture (ZTNA) DDoS protection 3. Data Security Encryption at rest and in transit (AES-256, TLS 1.3) Key management (KMS, HSM) Data classification and labeling Data loss prevention (DLP) Database security (encryption, masking, tokenization) Secrets management (Vault, AWS Secrets Manager) 4. Application Security Secure SDLC and DevSecOps SAST (Static Application Security Testing) DAST (Dynamic Application Security Testing) SCA (Software Composition Analysis) Secure code review OWASP Top 10 mitigation 5. Cloud Security Cloud security posture management (CSPM) Cloud access security broker (CASB) Container security (image scanning, runtime protection) Serverless security Infrastructure as Code (IaC) security scanning Multi-cloud security architecture 6. Endpoint Security Endpoint detection and response (EDR) Antivirus and anti-malware Host-based firewalls Device encryption (BitLocker, FileVault) Mobile device management (MDM) Patch management 7. Security Operations Security Information and Event Management (SIEM) Security Orchestration, Automation, and Response (SOAR) Threat intelligence platforms (TIP) Threat hunting Vulnerability management Penetration testing and red teaming 8. Incident Response Incident response plan and playbooks Computer forensics and investigation Malware analysis Threat containment and eradication Post-incident review and lessons learned Regulatory breach notification 9. Governance, Risk & Compliance (GRC) Security policies and procedures Risk assessment and management Compliance management and auditing Security awareness training Vendor risk management Business continuity and disaster recovery Security Metrics & KPIs Risk & Compliance Metrics Number of critical/high risks open Risk remediation time (mean time to remediate) Compliance audit findings (open/closed) Compliance control effectiveness rate Policy acknowledgment completion rate Training completion rate Vulnerability Management Metrics Mean time to detect (MTTD) vulnerabilities Mean time to patch (MTTP) Vulnerability backlog (total open, by severity) Patch compliance rate (% systems patched within SLA) Vulnerability recurrence rate Incident Response Metrics Mean time to detect (MTTD) incidents Mean time to respond (MTTR) Mean time to contain (MTTC) Mean time to recover (MTTR) Number of incidents by severity Incident recurrence rate False positive rate Security Operations Metrics SIEM alert volume (total, by severity) Alert triage time Alert false positive rate Security tool coverage (% assets monitored) Threat hunting coverage (% environment reviewed) Penetration test findings Access Management Metrics MFA adoption rate Privileged account review completion rate Access certification completion rate Orphaned account count Password policy compliance rate Failed login attempt rate Awareness & Culture Metrics Phishing simulation click rate Security training completion rate Security awareness quiz scores Security policy violations Security-related helpdesk tickets Security Tools Ecosystem SIEM (Security Information & Event Management) Splunk Enterprise Security IBM QRadar Microsoft Sentinel Elastic Security Sumo Logic EDR/XDR (Endpoint/Extended Detection & Response) CrowdStrike Falcon SentinelOne Microsoft Defender for Endpoint Palo Alto Cortex XDR Carbon Black Vulnerability Management Tenable Nessus/Tenable.io Qualys VMDR Rapid7 InsightVM Greenbone OpenVAS (open source) Cloud Security Wiz Prisma Cloud (Palo Alto) Lacework Orca Security AWS Security Hub / Azure Security Center / GCP Security Command Center SAST/DAST Snyk Veracode Checkmarx SonarQube OWASP ZAP (open source) Container Security Aqua Security Sysdig Secure Prisma Cloud Compute Trivy (open source) Secrets Management HashiCorp Vault AWS Secrets Manager Azure Key Vault CyberArk Identity & Access Okta Auth0 Azure AD / Entra ID Ping Identity CyberArk (PAM) Common Security Workflows 1. Security Incident Response Workflow 1. Detection & Alert ↓ 2. Triage & Classification - Determine severity (P0-P3) - Assign to responder ↓ 3. Investigation - Gather evidence - Analyze logs (SIEM) - Determine scope ↓ 4. Containment - Isolate affected systems - Block malicious IPs/domains - Disable compromised accounts ↓ 5. Eradication - Remove malware - Close vulnerabilities - Patch systems ↓ 6. Recovery - Restore from backups - Verify system integrity - Return to production ↓ 7. Post-Incident Review - Document timeline - Root cause analysis - Update playbooks - Implement improvements ↓ 8. Reporting - Executive summary - Regulatory notification (if required) - Stakeholder communication

  1. Vulnerability Management Workflow
  2. Asset Discovery
  3. Scan network for assets
  4. Maintain asset inventory ↓
  5. Vulnerability Scanning
  6. Authenticated scans
  7. Unauthenticated scans
  8. Agent-based monitoring ↓
  9. Assessment & Validation
  10. Validate findings
  11. Remove false positives
  12. Add business context ↓
  13. Prioritization
  14. Apply CVSS + context
  15. Assign severity (P0-P3)
  16. Create remediation tickets ↓
  17. Remediation
  18. Patch systems
  19. Apply compensating controls
  20. Update configurations ↓
  21. Verification
  22. Rescan to confirm fix
  23. Update vulnerability status ↓
  24. Reporting
  25. Metrics dashboard
  26. Executive reports

  27. Trend analysis

  28. Access Review Workflow

  29. Schedule Review (Quarterly) ↓
  30. Generate Access Reports
  31. User access by role
  32. Privileged accounts
  33. Service accounts
  34. Orphaned accounts ↓
  35. Distribute to Managers
  36. Each manager reviews their team
  37. Certify appropriate access ↓
  38. Review & Certify
  39. Approve legitimate access
  40. Flag inappropriate access
  41. Identify orphaned accounts ↓
  42. Remediation
  43. Revoke unapproved access
  44. Disable orphaned accounts
  45. Update RBAC assignments ↓
  46. Document & Report
  47. Certification completion rate
  48. Access changes made

  49. Compliance evidence

  50. SOC2 Audit Preparation Workflow

  51. Scoping (3-4 months before)
  52. Define in-scope systems
  53. Select Trust Service Criteria
  54. Engage auditor ↓
  55. Gap Assessment (2-3 months before)
  56. Map controls to requirements
  57. Identify control gaps
  58. Create remediation plan ↓
  59. Readiness (1-2 months before)
  60. Implement missing controls
  61. Document policies/procedures
  62. Conduct mock audit ↓
  63. Evidence Collection (Ongoing)
  64. Automate evidence gathering
  65. Organize evidence repository
  66. Prepare control narratives ↓
  67. Audit Kickoff
  68. Provide evidence to auditor
  69. Respond to requests
  70. Schedule interviews ↓
  71. Fieldwork (4-6 weeks)
  72. Auditor tests controls
  73. Provide additional evidence
  74. Address findings ↓
  75. Report Issuance
  76. Review draft report
  77. Address any exceptions
  78. Receive final SOC2 report ↓
  79. Continuous Monitoring
  80. Monitor control effectiveness
  81. Prepare for next audit cycle

Best Practices Security Architecture Design with security in mind from the start (shift-left) Apply defense in depth with multiple security layers Implement Zero Trust: verify explicitly, use least privilege, assume breach Segment networks and limit lateral movement Encrypt data at rest and in transit Use secure defaults and fail securely Access Control Enforce multi-factor authentication (MFA) everywhere Implement least privilege access Use just-in-time (JIT) privileged access Regularly review and certify access Disable accounts promptly on termination Avoid shared accounts and service account abuse Security Operations Centralize logging with SIEM Automate detection and response where possible Maintain an incident response plan and test it Conduct regular threat hunting exercises Keep vulnerability remediation SLAs aggressive Practice incident response through tabletop exercises Application Security Integrate security into CI/CD (DevSecOps) Scan code for vulnerabilities (SAST, DAST, SCA) Follow OWASP Top 10 guidelines Conduct security code reviews for critical changes Implement secure API design (authentication, rate limiting, input validation) Use security headers (CSP, HSTS, X-Frame-Options) Cloud Security Use infrastructure as code (IaC) with security scanning Enable cloud-native security services (GuardDuty, Security Hub) Implement CSPM to monitor misconfigurations Use cloud-native encryption and key management Apply least privilege IAM policies Monitor for shadow IT and unauthorized resources Compliance Treat compliance as a continuous process, not one-time Map controls to multiple frameworks for efficiency Automate evidence collection where possible Maintain a compliance calendar for deadlines Document everything (if it's not documented, it doesn't exist) Conduct internal audits before external audits Security Culture Make security everyone's responsibility Conduct regular security awareness training Run phishing simulations to test awareness Reward security-conscious behavior Create clear, accessible security policies Foster a culture where reporting security concerns is encouraged Integration with Other Disciplines With DevOps/Platform Engineering Integrate security scanning into CI/CD pipelines Automate security testing and compliance checks Implement Infrastructure as Code (IaC) security Use container scanning and runtime protection Coordinate on incident response for production issues With Enterprise Architecture Align security architecture with enterprise architecture Participate in architecture review boards Ensure security requirements in architecture standards Design secure integration patterns Define security reference architectures With IT Operations Coordinate on patch management and change control Collaborate on monitoring and alerting Joint incident response for security and operational incidents Align on backup and disaster recovery procedures Coordinate access management and privileged access With Product Management Provide security requirements for new features Participate in threat modeling for new products Balance security with user experience Advise on privacy and compliance implications Support security as a product differentiator With Legal/Privacy Coordinate on data privacy regulations (GDPR, CCPA) Collaborate on breach notification requirements Review vendor contracts for security terms Support privacy impact assessments Align on data retention and deletion policies When to Engage Security & Compliance Required Engagement New system or application design Architecture changes affecting security boundaries Regulatory compliance initiatives Security incidents Vendor risk assessments Pre-production security reviews Audit preparation Data breach or suspected breach Recommended Engagement Major feature releases Cloud migrations M&A due diligence Infrastructure changes New third-party integrations Significant process changes Security tool selection Policy updates Continuous Collaboration Security review of pull requests (for critical systems) Vulnerability remediation prioritization Security awareness and training Threat intelligence sharing Risk assessment updates Compliance monitoring

返回排行榜