npm - blockmine - Versions diffs - 1.21.0 → 1.22.0 - Mend

blockmine 1.21.0 → 1.22.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (433) hide show

package/.claude/skills/general-it-engineering/resources/it-governance.md ADDED Viewed

@@ -0,0 +1,753 @@
+# IT Governance
+COBIT framework, IT policies, compliance, risk management, audits, and governance structures for managing IT effectively and securely.
+## Table of Contents
+- [IT Governance Overview](#it-governance-overview)
+- [COBIT Framework](#cobit-framework)
+- [IT Policies](#it-policies)
+- [Compliance Management](#compliance-management)
+- [Risk Management](#risk-management)
+- [IT Audits](#it-audits)
+- [Best Practices](#best-practices)
+## IT Governance Overview
+### Purpose
+IT Governance ensures:
+- Alignment of IT with business goals
+- Value delivery from IT investments
+- Risk management
+- Resource optimization
+- Performance measurement
+### Key Principles
+```
+1. Meeting Stakeholder Needs
+   - Focus on stakeholder benefits
+   - Balance competing interests
+   - Deliver value
+2. Covering End-to-End
+   - Governance and management
+   - IT and business integration
+   - Functions and processes
+3. Applying Single Framework
+   - Consistent approach
+   - Unified language
+   - Reduced complexity
+4. Enabling Holistic Approach
+   - People, processes, technology
+   - Internal and external factors
+   - All organizational levels
+5. Separating Governance from Management
+   - Governance: Direction, monitoring
+   - Management: Execution, delivery
+```
+## COBIT Framework
+### COBIT 2019 Overview
+```
+COBIT (Control Objectives for Information and Related Technologies)
+Purpose: Governance and management framework for enterprise IT
+Components:
+├── Governance Objectives (5)
+│   ├── EDM01: Ensured Governance Framework Setting
+│   ├── EDM02: Ensured Benefits Delivery
+│   ├── EDM03: Ensured Risk Optimization
+│   ├── EDM04: Ensured Resource Optimization
+│   └── EDM05: Ensured Stakeholder Engagement
+│
+└── Management Objectives (35)
+    ├── Align, Plan, and Organize (APO) - 14
+    ├── Build, Acquire, and Implement (BAI) - 11
+    ├── Deliver, Service, and Support (DSS) - 6
+    └── Monitor, Evaluate, and Assess (MEA) - 4
+```
+### Key COBIT Objectives
+**EDM01: Governance Framework:**
+```yaml
+Purpose: Maintain effective governance
+Activities:
+  - Define governance structure
+  - Establish decision rights
+  - Assign accountability
+  - Monitor governance effectiveness
+Outputs:
+  - Governance charter
+  - Roles and responsibilities
+  - Escalation procedures
+  - Governance metrics
+```
+**EDM03: Risk Optimization:**
+```yaml
+Purpose: Ensure IT risk is acceptable
+Activities:
+  - Risk appetite definition
+  - Risk assessment
+  - Risk treatment
+  - Risk monitoring
+Outputs:
+  - Risk register
+  - Risk treatment plans
+  - Risk reports
+  - Risk dashboard
+```
+**APO01: IT Strategy:**
+```yaml
+Purpose: Align IT strategy with business strategy
+Activities:
+  - Strategic planning
+  - Portfolio management
+  - Investment decisions
+  - Value realization
+Outputs:
+  - IT strategic plan
+  - Project portfolio
+  - Investment decisions
+  - Value metrics
+```
+**DSS05: Security Services:**
+```yaml
+Purpose: Protect information assets
+Activities:
+  - Security strategy
+  - Identity and access management
+  - Security monitoring
+  - Incident response
+Outputs:
+  - Security policies
+  - Access controls
+  - Security alerts
+  - Incident reports
+```
+## IT Policies
+### Policy Hierarchy
+```
+┌─────────────────────────────────────┐
+│ IT Policy Framework                  │
+├─────────────────────────────────────┤
+│                                      │
+│  Policies (What)                     │
+│  ├── High-level principles          │
+│  ├── Mandatory requirements         │
+│  └── Board-approved                 │
+│                                      │
+│  Standards (How - Specific)          │
+│  ├── Technical specifications       │
+│  ├── Approved tools and platforms   │
+│  └── Measurable requirements        │
+│                                      │
+│  Procedures (Step-by-Step)           │
+│  ├── Detailed instructions          │
+│  ├── Workflow diagrams              │
+│  └── Operational guidance           │
+│                                      │
+│  Guidelines (Recommendations)        │
+│  ├── Best practices                 │
+│  ├── Suggested approaches           │
+│  └── Optional guidance              │
+│                                      │
+└─────────────────────────────────────┘
+```
+### Essential IT Policies
+**1. Acceptable Use Policy (AUP):**
+```yaml
+Purpose: Define appropriate use of IT resources
+Key Elements:
+  Permitted Uses:
+    - Business-related activities
+    - Reasonable personal use
+    - Professional communication
+  Prohibited Uses:
+    - Illegal activities
+    - Harassment or discrimination
+    - Unauthorized access
+    - Malware distribution
+    - Excessive personal use
+  Responsibilities:
+    - Protect credentials
+    - Report security incidents
+    - Use approved software only
+    - Comply with licenses
+  Consequences:
+    - Warning (first offense)
+    - Suspension (repeat offense)
+    - Termination (serious violation)
+    - Legal action (illegal activity)
+Review Frequency: Annual
+```
+**2. Information Security Policy:**
+```yaml
+Purpose: Protect confidentiality, integrity, availability of information
+Key Elements:
+  Data Classification:
+    - Public: No restrictions
+    - Internal: Internal use only
+    - Confidential: Limited access
+    - Restricted: Highest protection
+  Access Control:
+    - Least privilege principle
+    - Role-based access control
+    - Regular access reviews
+    - Multi-factor authentication
+  Data Protection:
+    - Encryption requirements
+    - Backup procedures
+    - Data retention
+    - Secure disposal
+  Incident Response:
+    - Reporting procedures
+    - Investigation process
+    - Containment measures
+    - Recovery steps
+```
+**3. Password Policy:**
+```yaml
+Purpose: Ensure strong authentication
+Requirements:
+  Complexity:
+    - Minimum 12 characters
+    - Upper and lowercase
+    - Numbers and special characters
+    - No dictionary words
+  Management:
+    - Unique per account
+    - No password reuse (last 10)
+    - Change if compromised
+    - Use password manager
+  Protection:
+    - Never share passwords
+    - Don't write passwords down
+    - No password in emails
+    - Secure password storage
+  Multi-Factor Authentication:
+    - Required for:
+      * Remote access
+      * Admin accounts
+      * Financial systems
+      * Customer data access
+```
+**4. Change Management Policy:**
+```yaml
+Purpose: Control changes to IT environment
+Requirements:
+  All Changes Must:
+    - Have business justification
+    - Be documented (RFC)
+    - Undergo risk assessment
+    - Be approved by CAB
+    - Have rollback plan
+    - Be tested before production
+  Emergency Changes:
+    - Expedited approval process
+    - Post-implementation review
+    - Documentation catch-up
+  Standard Changes:
+    - Pre-approved procedures
+    - Low risk
+    - Automation encouraged
+```
+**5. Data Retention Policy:**
+```yaml
+Purpose: Define how long data is kept
+Retention Periods:
+Financial Records:
+  - Invoices: 7 years
+  - Tax records: 7 years
+  - Payroll: 7 years
+Employee Records:
+  - Active employees: Duration + 7 years
+  - Terminated: 7 years after termination
+Customer Data:
+  - Active customers: Duration of relationship
+  - Inactive: 3 years
+  - After deletion: Backup retention period
+Email:
+  - General: 3 years
+  - Executive: 7 years
+  - Legal hold: Indefinite (until released)
+Backups:
+  - Daily: 7 days
+  - Weekly: 4 weeks
+  - Monthly: 12 months
+  - Yearly: 7 years
+```
+### Policy Management
+```yaml
+Policy Lifecycle:
+1. Develop:
+   - Identify need
+   - Draft policy
+   - Stakeholder input
+   - Legal review
+2. Approve:
+   - Management review
+   - Board approval (if required)
+   - Sign-off
+3. Publish:
+   - Policy repository
+   - Communication plan
+   - Training materials
+   - Awareness campaign
+4. Implement:
+   - Roll-out plan
+   - Technical controls
+   - Monitoring
+   - Compliance checks
+5. Review:
+   - Annual review
+   - Update as needed
+   - Version control
+   - Change tracking
+6. Retire:
+   - Superseded by new policy
+   - Archive old version
+   - Communicate changes
+```
+## Compliance Management
+### Common Compliance Frameworks
+**SOX (Sarbanes-Oxley):**
+```yaml
+Applies To: Public companies
+Focus: Financial reporting controls
+IT Requirements:
+  - Access controls
+  - Change management
+  - Audit trails
+  - Data integrity
+  - Segregation of duties
+```
+**HIPAA (Health Insurance Portability and Accountability Act):**
+```yaml
+Applies To: Healthcare organizations
+Focus: Protected Health Information (PHI)
+IT Requirements:
+  - Encryption
+  - Access controls
+  - Audit logs
+  - Breach notification
+  - Risk assessments
+```
+**PCI DSS (Payment Card Industry Data Security Standard):**
+```yaml
+Applies To: Organizations handling credit cards
+Focus: Cardholder data protection
+IT Requirements:
+  - Firewalls
+  - Encryption
+  - Access controls
+  - Monitoring
+  - Vulnerability management
+  - Regular testing
+```
+**GDPR (General Data Protection Regulation):**
+```yaml
+Applies To: Organizations handling EU citizen data
+Focus: Personal data protection and privacy
+IT Requirements:
+  - Data protection by design
+  - Consent management
+  - Right to erasure
+  - Data portability
+  - Breach notification (72 hours)
+  - Privacy impact assessments
+```
+### Compliance Management Program
+```yaml
+Compliance Program Structure:
+1. Identify Requirements:
+   - Applicable regulations
+   - Industry standards
+   - Contractual obligations
+   - Internal policies
+2. Gap Analysis:
+   - Current state assessment
+   - Compare to requirements
+   - Identify gaps
+   - Prioritize remediation
+3. Implement Controls:
+   - Technical controls (firewalls, encryption)
+   - Administrative controls (policies, procedures)
+   - Physical controls (access, cameras)
+4. Monitor Compliance:
+   - Automated compliance checks
+   - Manual reviews
+   - Audit trails
+   - Exception reports
+5. Report:
+   - Compliance dashboard
+   - Management reports
+   - Board updates
+   - Regulatory filings
+6. Continuous Improvement:
+   - Learn from audits
+   - Update controls
+   - Adapt to changes
+   - Industry best practices
+```
+## Risk Management
+### Risk Management Process
+```
+┌────────────────────────────────────┐
+│  1. Risk Identification            │
+│     - What could go wrong?         │
+│     - Threat modeling              │
+│     - Vulnerability assessment     │
+└─────────┬──────────────────────────┘
+          ↓
+┌────────────────────────────────────┐
+│  2. Risk Analysis                  │
+│     - Likelihood assessment        │
+│     - Impact assessment            │
+│     - Risk rating                  │
+└─────────┬──────────────────────────┘
+          ↓
+┌────────────────────────────────────┐
+│  3. Risk Evaluation                │
+│     - Compare to risk appetite     │
+│     - Prioritize risks             │
+│     - Determine treatment          │
+└─────────┬──────────────────────────┘
+          ↓
+┌────────────────────────────────────┐
+│  4. Risk Treatment                 │
+│     - Mitigate (reduce)            │
+│     - Transfer (insurance)         │
+│     - Accept (tolerate)            │
+│     - Avoid (eliminate)            │
+└─────────┬──────────────────────────┘
+          ↓
+┌────────────────────────────────────┐
+│  5. Risk Monitoring                │
+│     - Track risk levels            │
+│     - Review controls              │
+│     - Report to management         │
+└────────────────────────────────────┘
+```
+### Risk Register
+```yaml
+Risk Register Example:
+Risk ID: RISK-001
+Title: Data Breach via Phishing Attack
+Description:
+  Employees may fall victim to phishing emails, leading to
+  credential compromise and unauthorized access to customer data.
+Category: Security
+Owner: CISO
+Assessment:
+  Likelihood: High (frequent phishing attempts)
+  Impact: Critical (customer data breach)
+  Inherent Risk: Critical
+  Residual Risk: Medium (after controls)
+Treatment: Mitigate
+Controls:
+  1. Security awareness training (quarterly)
+  2. Email filtering (anti-phishing tools)
+  3. Multi-factor authentication (MFA required)
+  4. Privileged access management
+  5. Data loss prevention (DLP)
+Control Effectiveness:
+  - Training completion: 95%
+  - Phishing test pass rate: 88%
+  - MFA adoption: 100%
+  - DLP policy violations: 3/month (low)
+Monitoring:
+  - Monthly phishing simulations
+  - Quarterly training assessments
+  - Daily security alerts
+  - Annual penetration test
+Status: Active
+Last Review: 2024-10-15
+Next Review: 2025-01-15
+```
+## IT Audits
+### Types of Audits
+**Internal Audit:**
+```yaml
+Conducted By: Internal audit team
+Frequency: Annual or as needed
+Scope: Specific IT processes or controls
+Purpose: Assess compliance, identify improvements
+Result: Internal report with recommendations
+```
+**External Audit:**
+```yaml
+Conducted By: Third-party auditor
+Frequency: Annual (regulatory) or as required
+Scope: Comprehensive or specific (e.g., SOX)
+Purpose: Independent assessment, compliance certification
+Result: Audit report, opinion, certification
+```
+**Regulatory Audit:**
+```yaml
+Conducted By: Regulatory body
+Frequency: As mandated or triggered
+Scope: Specific regulatory requirements
+Purpose: Verify compliance
+Result: Findings, potential penalties
+```
+### Audit Process
+```yaml
+IT Audit Process:
+1. Planning (2-4 weeks):
+   - Define scope
+   - Identify key controls
+   - Request documentation
+   - Schedule interviews
+   - Prepare audit plan
+2. Fieldwork (4-8 weeks):
+   - Review documentation
+   - Interview personnel
+   - Test controls
+   - Sample transactions
+   - Document findings
+3. Reporting (2-3 weeks):
+   - Draft audit report
+   - Management review
+   - Remediation discussion
+   - Finalize report
+   - Present to board
+4. Follow-up (Ongoing):
+   - Track remediation
+   - Verify fixes
+   - Monitor improvements
+   - Report status
+```
+### Common Audit Findings
+```yaml
+Access Control Issues:
+  - Excessive permissions
+  - Shared accounts
+  - Terminated users not removed
+  - No access reviews
+  - Weak passwords
+Change Management Issues:
+  - Unauthorized changes
+  - Inadequate testing
+  - Missing approvals
+  - No rollback plans
+  - Poor documentation
+Security Issues:
+  - Unpatched systems
+  - Missing encryption
+  - Inadequate logging
+  - No vulnerability scanning
+  - Weak configurations
+Backup and Recovery Issues:
+  - Backups not tested
+  - No offsite backups
+  - Missing DR plan
+  - Inadequate retention
+  - No restore testing
+```
+## Best Practices
+### 1. Governance Structure
+```yaml
+IT Governance Structure:
+Board of Directors
+    ↓
+IT Steering Committee
+  - CEO
+  - CIO
+  - CFO
+  - Business Unit Heads
+  - IT Leadership
+    ↓
+IT Governance Board
+  - CIO (Chair)
+  - IT Directors
+  - Enterprise Architect
+  - Security Officer
+    ↓
+Working Groups
+  - Security
+  - Architecture
+  - Change Advisory Board
+  - Project Portfolio
+```
+### 2. Metrics and KPIs
+```yaml
+Governance Metrics:
+Strategic Alignment:
+  - IT spending as % of revenue
+  - Projects aligned with strategy (%)
+  - Business satisfaction score
+Value Delivery:
+  - ROI on IT projects
+  - Time to market
+  - Cost savings achieved
+Risk Management:
+  - Open security vulnerabilities
+  - Audit findings (count)
+  - Incidents due to non-compliance
+Resource Optimization:
+  - Asset utilization rate
+  - License compliance %
+  - Cloud cost optimization
+Performance:
+  - System availability
+  - Change success rate
+  - Project on-time delivery %
+```
+### 3. Policy Awareness
+```yaml
+Policy Awareness Program:
+New Employee Onboarding:
+  - Policy overview
+  - Acknowledgment form
+  - Quiz on key policies
+Annual Training:
+  - Refresher on policies
+  - Updates to policies
+  - Compliance scenarios
+  - Assessment
+Communication:
+  - Policy portal (intranet)
+  - Email notifications
+  - Posters and reminders
+  - Lunch and learns
+Enforcement:
+  - Monitor compliance
+  - Investigate violations
+  - Consistent consequences
+  - Appeal process
+```
+### 4. Continuous Improvement
+Learn from audits, incidents, and industry changes.
+### 5. Documentation
+Maintain comprehensive, up-to-date documentation of all governance activities.
+---
+**Related Resources:**
+- [itil-framework.md](itil-framework.md) - IT governance practices
+- [asset-management.md](asset-management.md) - IT asset governance
+- [change-management.md](change-management.md) - Change governance