bmad-plus 0.8.0 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (213) hide show
  1. package/CHANGELOG.md +45 -1
  2. package/LICENSE +21 -21
  3. package/README.md +107 -85
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  21. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  22. package/package.json +30 -3
  23. package/readme-international/README.de.md +18 -5
  24. package/readme-international/README.es.md +40 -12
  25. package/readme-international/README.fr.md +36 -8
  26. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  27. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  28. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  29. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  30. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  31. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  32. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  33. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  34. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  35. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  36. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  37. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  38. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  39. package/src/bmad-plus/module-help.csv +10 -10
  40. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  41. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  42. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  43. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  44. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  45. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  46. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  47. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  48. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  49. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  50. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  51. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  52. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  53. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  54. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
  55. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
  56. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
  57. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
  58. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
  59. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
  60. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
  61. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
  62. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
  63. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
  64. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
  65. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
  66. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  67. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  68. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  69. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  70. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  71. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
  72. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
  73. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
  74. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
  75. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
  76. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
  77. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
  78. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
  79. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
  80. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
  81. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  82. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  83. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  84. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  85. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  86. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  87. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  88. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  89. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  90. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  91. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  92. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  93. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  94. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  95. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  96. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  97. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  98. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  99. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  100. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  101. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  102. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  103. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  104. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  105. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  106. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  107. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  108. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  109. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  110. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  111. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  112. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  113. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  114. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  115. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  116. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  117. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  118. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  119. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  120. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  121. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  122. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  123. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  124. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  125. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  126. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  127. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  128. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  129. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  130. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  131. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  132. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  133. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  134. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  135. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  136. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  137. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  138. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  139. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  140. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  141. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  142. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  143. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  144. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  145. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  146. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  147. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  148. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  149. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  150. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  151. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  152. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  153. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  154. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  155. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  156. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  157. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  158. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  159. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  160. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  161. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  162. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  163. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  164. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  165. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  166. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  167. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  168. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  169. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  170. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  171. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  172. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  173. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  174. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  175. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  176. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  177. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  178. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  179. package/tools/bmad-plus-npx.js +3 -5
  180. package/tools/cli/bmad-plus-cli.js +5 -3
  181. package/tools/cli/commands/autoconfig.js +18 -61
  182. package/tools/cli/commands/doctor.js +30 -31
  183. package/tools/cli/commands/install.js +33 -343
  184. package/tools/cli/commands/memory.js +1 -0
  185. package/tools/cli/commands/scan.js +61 -74
  186. package/tools/cli/commands/uninstall.js +7 -4
  187. package/tools/cli/commands/update.js +15 -72
  188. package/tools/cli/i18n.js +92 -10
  189. package/tools/cli/lib/ide-config.js +259 -0
  190. package/tools/cli/lib/memory-init.js +113 -0
  191. package/tools/cli/lib/pack-copy.js +84 -0
  192. package/tools/cli/lib/packs.js +114 -0
  193. package/tools/cli/lib/stack-detect.js +102 -0
  194. package/tools/cli/lib/validate.js +45 -0
  195. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +0 -325
  196. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +0 -55
  197. package/src/bmad-plus/agents/pack-backup/backup-agent.md +0 -71
  198. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +0 -51
  199. package/src/bmad-plus/agents/pack-seo/SKILL.md +0 -171
  200. package/src/bmad-plus/agents/pack-seo/checklist.md +0 -140
  201. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +0 -320
  202. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +0 -187
  203. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +0 -87
  204. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +0 -123
  205. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +0 -167
  206. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +0 -153
  207. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +0 -133
  208. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +0 -91
  209. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +0 -356
  210. package/src/bmad-plus/agents/pack-seo/seo-chief.md +0 -294
  211. package/src/bmad-plus/agents/pack-seo/seo-judge.md +0 -241
  212. package/src/bmad-plus/agents/pack-seo/seo-scout.md +0 -171
  213. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +0 -241
@@ -1,254 +1,254 @@
1
- # SOC 2 Policy Writing Reference
2
-
3
- ## Table of Contents
4
- 1. [Policy Writing Standards](#policy-writing-standards)
5
- 2. [Required Policy Set](#required-policy-set)
6
- 3. [Policy Templates](#policy-templates)
7
- 4. [Common Mistakes to Avoid](#common-mistakes-to-avoid)
8
-
9
- ---
10
-
11
- ## Policy Writing Standards
12
-
13
- ### Universal Policy Header
14
-
15
- Every policy should start with:
16
-
17
- ```
18
- Policy Title: [Name]
19
- Policy ID: [e.g., ISP-001]
20
- Version: [e.g., 1.2]
21
- Effective Date: [Date]
22
- Last Reviewed: [Date]
23
- Next Review Date: [Date — maximum 12 months from last review]
24
- Policy Owner: [Role]
25
- Approved By: [Executive/leadership role + name]
26
- TSC Criteria: [e.g., CC1.1, CC2.1, CC5.3]
27
- ```
28
-
29
- ### Required Sections (every policy)
30
-
31
- 1. **Purpose** — Why this policy exists; what it protects
32
- 2. **Scope** — Who and what systems it applies to (be explicit)
33
- 3. **Policy Statements** — The actual rules (use "must", not "should")
34
- 4. **Roles and Responsibilities** — Who enforces it, who complies
35
- 5. **Exceptions** — How to request an exception; who approves
36
- 6. **Enforcement** — Consequences of non-compliance
37
- 7. **Related Documents** — Links to procedures, standards, other policies
38
- 8. **Review and Revision History** — Version log
39
-
40
- ### Language Standards
41
-
42
- | Weak (avoid) | Strong (use) |
43
- |---|---|
44
- | should, may, could | must, shall, is required to |
45
- | as appropriate | [specific action] |
46
- | where possible | [specific action or explicit exception process] |
47
- | periodically | [specific frequency: quarterly, annually] |
48
- | sensitive data | [defined data classification tier] |
49
- | promptly | within [X] hours/days |
50
-
51
- ---
52
-
53
- ## Required Policy Set
54
-
55
- ### 1. Information Security Policy (ISP)
56
- **Criteria:** CC1.1, CC1.2, CC2.1, CC5.1, CC5.3
57
- **Purpose:** Overarching policy establishing management's commitment to security
58
- **Must include:**
59
- - Executive statement of commitment
60
- - Security objectives aligned to business
61
- - Reference to all subordinate security policies
62
- - Defined security roles (CISO, security committee, data owners, users)
63
- - Annual review requirement
64
-
65
- ---
66
-
67
- ### 2. Access Control Policy
68
- **Criteria:** CC6.1, CC6.2, CC6.3, CC6.4, CC6.5, CC6.6
69
- **Must include:**
70
- - Principles: least privilege, need-to-know, separation of duties
71
- - MFA requirements (which systems require it — be specific)
72
- - Provisioning process: how access is requested, approved, granted
73
- - Termination process: timeline for de-provisioning (e.g., within 24 hours)
74
- - Privileged access: how admin/root access is controlled and reviewed
75
- - Access review cadence (e.g., quarterly for privileged, annual for standard)
76
- - Password/authentication standards (or reference to auth policy)
77
-
78
- ---
79
-
80
- ### 3. Incident Response Policy
81
- **Criteria:** CC7.3, CC7.4, CC2.3
82
- **Must include:**
83
- - Incident classification levels (with examples: P1–P4 or Critical/High/Medium/Low)
84
- - Roles: Incident Commander, responders, communications lead
85
- - Detection and reporting process (how incidents are identified and escalated)
86
- - Response phases: Identify → Contain → Eradicate → Recover → Lessons Learned
87
- - Customer notification SLA (e.g., material breaches within 72 hours)
88
- - Post-incident review requirement
89
- - Annual IR tabletop exercise requirement
90
-
91
- **Template snippet:**
92
- ```
93
- 4. Incident Classification
94
-
95
- Severity 1 (Critical): Confirmed breach of customer data, ransomware, complete
96
- system outage. Requires immediate escalation to CEO and CISO. Customer
97
- notification within 72 hours if PII involved.
98
-
99
- Severity 2 (High): Suspected breach, significant service degradation >30 min,
100
- compromised admin credentials. Requires CISO notification within 2 hours.
101
-
102
- Severity 3 (Medium): Isolated malware, failed intrusion attempt, minor outage.
103
- Requires Security team response within 4 hours.
104
-
105
- Severity 4 (Low): Security policy violations, phishing attempts (no compromise),
106
- suspicious activity (unconfirmed). Requires ticket within 24 hours.
107
- ```
108
-
109
- ---
110
-
111
- ### 4. Change Management Policy
112
- **Criteria:** CC8.1
113
- **Must include:**
114
- - Scope: what constitutes a "change" (code, infrastructure, configurations)
115
- - Change types: standard (pre-approved), normal (requires review), emergency
116
- - Approval requirements by change type
117
- - Testing requirements (staging/QA before production)
118
- - Rollback requirements: every change must have a documented rollback plan
119
- - Emergency change: allowed with retroactive approval within 24 hours
120
- - Change freeze periods (optional but common)
121
-
122
- ---
123
-
124
- ### 5. Risk Assessment Policy
125
- **Criteria:** CC3.1, CC3.2, CC3.3, CC3.4
126
- **Must include:**
127
- - Frequency: at minimum annual, plus triggered by significant changes
128
- - Risk scoring methodology (likelihood × impact matrix)
129
- - Risk tolerance/appetite statement
130
- - Risk register: ownership, format, review cadence
131
- - Treatment options: accept, mitigate, transfer, avoid
132
- - Escalation: who reviews and approves risk acceptance
133
-
134
- ---
135
-
136
- ### 6. Vendor Management Policy
137
- **Criteria:** CC9.2
138
- **Must include:**
139
- - Vendor tiering criteria (Critical / High / Medium / Low)
140
- - Due diligence requirements per tier (SOC 2 report, questionnaire, etc.)
141
- - Contractual requirements: DPA, security addendum, right-to-audit
142
- - Ongoing monitoring: annual review schedule
143
- - Offboarding: data deletion requirements, access revocation
144
- - Subprocessor disclosure for customer-facing vendors
145
-
146
- ---
147
-
148
- ### 7. Business Continuity & Disaster Recovery Policy
149
- **Criteria:** A1.2, A1.3, CC9.1
150
- **Must include:**
151
- - RTO (Recovery Time Objective) and RPO (Recovery Point Objective) per system
152
- - Backup frequency, retention, and verification requirements
153
- - DR environment description (hot/warm/cold standby)
154
- - DR test requirement: at minimum annual tabletop or failover test
155
- - BCP activation criteria and escalation path
156
- - Communication plan during an incident
157
-
158
- ---
159
-
160
- ### 8. Data Classification Policy
161
- **Criteria:** C1.1, P3, CC6.7
162
- **Must include:**
163
- - Classification tiers (example: Public / Internal / Confidential / Restricted)
164
- - Definition of each tier with examples
165
- - Handling requirements per tier (storage, transmission, sharing, disposal)
166
- - Labeling requirements
167
- - Default classification (unclassified data = treated as what tier?)
168
-
169
- **Template tiers:**
170
- ```
171
- Restricted: PII, PHI, payment card data, credentials, encryption keys.
172
- Encrypted at rest and in transit. Access strictly limited.
173
- Cannot be stored in personal devices or unapproved cloud services.
174
-
175
- Confidential: Business-sensitive data, source code, audit reports, contracts.
176
- Encrypted in transit. Access on need-to-know basis. NDA required
177
- for external sharing.
178
-
179
- Internal: Internal communications, non-sensitive operational data.
180
- Not for public distribution. Standard access controls apply.
181
-
182
- Public: Marketing materials, published docs, press releases.
183
- No special controls required.
184
- ```
185
-
186
- ---
187
-
188
- ### 9. Acceptable Use Policy
189
- **Criteria:** CC1.1, CC6.6, CC6.8
190
- **Must include:**
191
- - Acceptable use of company systems, networks, and data
192
- - Prohibited activities (explicit list)
193
- - Personal device / BYOD rules
194
- - Monitoring disclosure ("Company may monitor use of systems")
195
- - Reporting obligations for suspected incidents
196
- - Acknowledgment requirement (signed annually)
197
-
198
- ---
199
-
200
- ### 10. Privacy Policy / Notice
201
- **Criteria:** P1, P2, P3, P6, P8
202
- **Must include (per AICPA GAPP):**
203
- - What personal information is collected and why
204
- - Legal basis for processing (if GDPR-applicable)
205
- - How information is used
206
- - With whom it is shared (third parties, subprocessors)
207
- - Retention periods
208
- - Individual rights (access, correction, deletion, portability)
209
- - How to submit a data subject request
210
- - Contact information for privacy inquiries
211
- - How policy changes are communicated
212
-
213
- ---
214
-
215
- ### 11. Encryption Policy
216
- **Criteria:** CC6.7, C1.1
217
- **Must include:**
218
- - Encryption standards (e.g., AES-256 at rest, TLS 1.2+ in transit)
219
- - Which systems and data require encryption
220
- - Key management: generation, rotation, storage, destruction
221
- - Prohibition on deprecated algorithms (MD5, SHA-1, DES, RC4)
222
-
223
- ---
224
-
225
- ### 12. Vulnerability Management Policy
226
- **Criteria:** CC7.1, CC7.5
227
- **Must include:**
228
- - Scanning frequency (e.g., weekly automated + quarterly penetration test)
229
- - Severity-based remediation SLAs:
230
- - Critical: patch within 24–72 hours
231
- - High: patch within 7–14 days
232
- - Medium: patch within 30 days
233
- - Low: patch within 90 days or accepted risk
234
- - Exception process for systems that can't be patched immediately
235
- - Penetration testing requirement (annual minimum)
236
- - Responsible disclosure / bug bounty program (optional)
237
-
238
- ---
239
-
240
- ## Common Mistakes to Avoid
241
-
242
- 1. **Writing policies that describe the ideal, not the actual** — auditors test what you do, not what you aspirationally wrote. Only commit to what you'll consistently do.
243
-
244
- 2. **No approval signatures** — policies must be formally approved by an appropriate executive or the board.
245
-
246
- 3. **Copy-paste from the internet** — boilerplate policies often contain controls you don't have. Every control stated must be evidenced.
247
-
248
- 4. **Missing scope statements** — "this policy applies to all employees" may be incomplete if contractors, vendors, or specific systems need to be called out.
249
-
250
- 5. **Not distributing policies** — policies must be accessible to all in-scope personnel. Distribution evidence is required (e.g., intranet link, email announcement, acknowledgment log).
251
-
252
- 6. **Neglecting annual review** — dated policies are a flag. Every policy must have a documented review with any changes noted.
253
-
254
- 7. **Procedures missing from policies** — policies state *what* and *why*; procedures state *how*. Both are needed. "We will respond to incidents" without a runbook is a gap.
1
+ # SOC 2 Policy Writing Reference
2
+
3
+ ## Table of Contents
4
+ 1. [Policy Writing Standards](#policy-writing-standards)
5
+ 2. [Required Policy Set](#required-policy-set)
6
+ 3. [Policy Templates](#policy-templates)
7
+ 4. [Common Mistakes to Avoid](#common-mistakes-to-avoid)
8
+
9
+ ---
10
+
11
+ ## Policy Writing Standards
12
+
13
+ ### Universal Policy Header
14
+
15
+ Every policy should start with:
16
+
17
+ ```
18
+ Policy Title: [Name]
19
+ Policy ID: [e.g., ISP-001]
20
+ Version: [e.g., 1.2]
21
+ Effective Date: [Date]
22
+ Last Reviewed: [Date]
23
+ Next Review Date: [Date — maximum 12 months from last review]
24
+ Policy Owner: [Role]
25
+ Approved By: [Executive/leadership role + name]
26
+ TSC Criteria: [e.g., CC1.1, CC2.1, CC5.3]
27
+ ```
28
+
29
+ ### Required Sections (every policy)
30
+
31
+ 1. **Purpose** — Why this policy exists; what it protects
32
+ 2. **Scope** — Who and what systems it applies to (be explicit)
33
+ 3. **Policy Statements** — The actual rules (use "must", not "should")
34
+ 4. **Roles and Responsibilities** — Who enforces it, who complies
35
+ 5. **Exceptions** — How to request an exception; who approves
36
+ 6. **Enforcement** — Consequences of non-compliance
37
+ 7. **Related Documents** — Links to procedures, standards, other policies
38
+ 8. **Review and Revision History** — Version log
39
+
40
+ ### Language Standards
41
+
42
+ | Weak (avoid) | Strong (use) |
43
+ |---|---|
44
+ | should, may, could | must, shall, is required to |
45
+ | as appropriate | [specific action] |
46
+ | where possible | [specific action or explicit exception process] |
47
+ | periodically | [specific frequency: quarterly, annually] |
48
+ | sensitive data | [defined data classification tier] |
49
+ | promptly | within [X] hours/days |
50
+
51
+ ---
52
+
53
+ ## Required Policy Set
54
+
55
+ ### 1. Information Security Policy (ISP)
56
+ **Criteria:** CC1.1, CC1.2, CC2.1, CC5.1, CC5.3
57
+ **Purpose:** Overarching policy establishing management's commitment to security
58
+ **Must include:**
59
+ - Executive statement of commitment
60
+ - Security objectives aligned to business
61
+ - Reference to all subordinate security policies
62
+ - Defined security roles (CISO, security committee, data owners, users)
63
+ - Annual review requirement
64
+
65
+ ---
66
+
67
+ ### 2. Access Control Policy
68
+ **Criteria:** CC6.1, CC6.2, CC6.3, CC6.4, CC6.5, CC6.6
69
+ **Must include:**
70
+ - Principles: least privilege, need-to-know, separation of duties
71
+ - MFA requirements (which systems require it — be specific)
72
+ - Provisioning process: how access is requested, approved, granted
73
+ - Termination process: timeline for de-provisioning (e.g., within 24 hours)
74
+ - Privileged access: how admin/root access is controlled and reviewed
75
+ - Access review cadence (e.g., quarterly for privileged, annual for standard)
76
+ - Password/authentication standards (or reference to auth policy)
77
+
78
+ ---
79
+
80
+ ### 3. Incident Response Policy
81
+ **Criteria:** CC7.3, CC7.4, CC2.3
82
+ **Must include:**
83
+ - Incident classification levels (with examples: P1–P4 or Critical/High/Medium/Low)
84
+ - Roles: Incident Commander, responders, communications lead
85
+ - Detection and reporting process (how incidents are identified and escalated)
86
+ - Response phases: Identify → Contain → Eradicate → Recover → Lessons Learned
87
+ - Customer notification SLA (e.g., material breaches within 72 hours)
88
+ - Post-incident review requirement
89
+ - Annual IR tabletop exercise requirement
90
+
91
+ **Template snippet:**
92
+ ```
93
+ 4. Incident Classification
94
+
95
+ Severity 1 (Critical): Confirmed breach of customer data, ransomware, complete
96
+ system outage. Requires immediate escalation to CEO and CISO. Customer
97
+ notification within 72 hours if PII involved.
98
+
99
+ Severity 2 (High): Suspected breach, significant service degradation >30 min,
100
+ compromised admin credentials. Requires CISO notification within 2 hours.
101
+
102
+ Severity 3 (Medium): Isolated malware, failed intrusion attempt, minor outage.
103
+ Requires Security team response within 4 hours.
104
+
105
+ Severity 4 (Low): Security policy violations, phishing attempts (no compromise),
106
+ suspicious activity (unconfirmed). Requires ticket within 24 hours.
107
+ ```
108
+
109
+ ---
110
+
111
+ ### 4. Change Management Policy
112
+ **Criteria:** CC8.1
113
+ **Must include:**
114
+ - Scope: what constitutes a "change" (code, infrastructure, configurations)
115
+ - Change types: standard (pre-approved), normal (requires review), emergency
116
+ - Approval requirements by change type
117
+ - Testing requirements (staging/QA before production)
118
+ - Rollback requirements: every change must have a documented rollback plan
119
+ - Emergency change: allowed with retroactive approval within 24 hours
120
+ - Change freeze periods (optional but common)
121
+
122
+ ---
123
+
124
+ ### 5. Risk Assessment Policy
125
+ **Criteria:** CC3.1, CC3.2, CC3.3, CC3.4
126
+ **Must include:**
127
+ - Frequency: at minimum annual, plus triggered by significant changes
128
+ - Risk scoring methodology (likelihood × impact matrix)
129
+ - Risk tolerance/appetite statement
130
+ - Risk register: ownership, format, review cadence
131
+ - Treatment options: accept, mitigate, transfer, avoid
132
+ - Escalation: who reviews and approves risk acceptance
133
+
134
+ ---
135
+
136
+ ### 6. Vendor Management Policy
137
+ **Criteria:** CC9.2
138
+ **Must include:**
139
+ - Vendor tiering criteria (Critical / High / Medium / Low)
140
+ - Due diligence requirements per tier (SOC 2 report, questionnaire, etc.)
141
+ - Contractual requirements: DPA, security addendum, right-to-audit
142
+ - Ongoing monitoring: annual review schedule
143
+ - Offboarding: data deletion requirements, access revocation
144
+ - Subprocessor disclosure for customer-facing vendors
145
+
146
+ ---
147
+
148
+ ### 7. Business Continuity & Disaster Recovery Policy
149
+ **Criteria:** A1.2, A1.3, CC9.1
150
+ **Must include:**
151
+ - RTO (Recovery Time Objective) and RPO (Recovery Point Objective) per system
152
+ - Backup frequency, retention, and verification requirements
153
+ - DR environment description (hot/warm/cold standby)
154
+ - DR test requirement: at minimum annual tabletop or failover test
155
+ - BCP activation criteria and escalation path
156
+ - Communication plan during an incident
157
+
158
+ ---
159
+
160
+ ### 8. Data Classification Policy
161
+ **Criteria:** C1.1, P3, CC6.7
162
+ **Must include:**
163
+ - Classification tiers (example: Public / Internal / Confidential / Restricted)
164
+ - Definition of each tier with examples
165
+ - Handling requirements per tier (storage, transmission, sharing, disposal)
166
+ - Labeling requirements
167
+ - Default classification (unclassified data = treated as what tier?)
168
+
169
+ **Template tiers:**
170
+ ```
171
+ Restricted: PII, PHI, payment card data, credentials, encryption keys.
172
+ Encrypted at rest and in transit. Access strictly limited.
173
+ Cannot be stored in personal devices or unapproved cloud services.
174
+
175
+ Confidential: Business-sensitive data, source code, audit reports, contracts.
176
+ Encrypted in transit. Access on need-to-know basis. NDA required
177
+ for external sharing.
178
+
179
+ Internal: Internal communications, non-sensitive operational data.
180
+ Not for public distribution. Standard access controls apply.
181
+
182
+ Public: Marketing materials, published docs, press releases.
183
+ No special controls required.
184
+ ```
185
+
186
+ ---
187
+
188
+ ### 9. Acceptable Use Policy
189
+ **Criteria:** CC1.1, CC6.6, CC6.8
190
+ **Must include:**
191
+ - Acceptable use of company systems, networks, and data
192
+ - Prohibited activities (explicit list)
193
+ - Personal device / BYOD rules
194
+ - Monitoring disclosure ("Company may monitor use of systems")
195
+ - Reporting obligations for suspected incidents
196
+ - Acknowledgment requirement (signed annually)
197
+
198
+ ---
199
+
200
+ ### 10. Privacy Policy / Notice
201
+ **Criteria:** P1, P2, P3, P6, P8
202
+ **Must include (per AICPA GAPP):**
203
+ - What personal information is collected and why
204
+ - Legal basis for processing (if GDPR-applicable)
205
+ - How information is used
206
+ - With whom it is shared (third parties, subprocessors)
207
+ - Retention periods
208
+ - Individual rights (access, correction, deletion, portability)
209
+ - How to submit a data subject request
210
+ - Contact information for privacy inquiries
211
+ - How policy changes are communicated
212
+
213
+ ---
214
+
215
+ ### 11. Encryption Policy
216
+ **Criteria:** CC6.7, C1.1
217
+ **Must include:**
218
+ - Encryption standards (e.g., AES-256 at rest, TLS 1.2+ in transit)
219
+ - Which systems and data require encryption
220
+ - Key management: generation, rotation, storage, destruction
221
+ - Prohibition on deprecated algorithms (MD5, SHA-1, DES, RC4)
222
+
223
+ ---
224
+
225
+ ### 12. Vulnerability Management Policy
226
+ **Criteria:** CC7.1, CC7.5
227
+ **Must include:**
228
+ - Scanning frequency (e.g., weekly automated + quarterly penetration test)
229
+ - Severity-based remediation SLAs:
230
+ - Critical: patch within 24–72 hours
231
+ - High: patch within 7–14 days
232
+ - Medium: patch within 30 days
233
+ - Low: patch within 90 days or accepted risk
234
+ - Exception process for systems that can't be patched immediately
235
+ - Penetration testing requirement (annual minimum)
236
+ - Responsible disclosure / bug bounty program (optional)
237
+
238
+ ---
239
+
240
+ ## Common Mistakes to Avoid
241
+
242
+ 1. **Writing policies that describe the ideal, not the actual** — auditors test what you do, not what you aspirationally wrote. Only commit to what you'll consistently do.
243
+
244
+ 2. **No approval signatures** — policies must be formally approved by an appropriate executive or the board.
245
+
246
+ 3. **Copy-paste from the internet** — boilerplate policies often contain controls you don't have. Every control stated must be evidenced.
247
+
248
+ 4. **Missing scope statements** — "this policy applies to all employees" may be incomplete if contractors, vendors, or specific systems need to be called out.
249
+
250
+ 5. **Not distributing policies** — policies must be accessible to all in-scope personnel. Distribution evidence is required (e.g., intranet link, email announcement, acknowledgment log).
251
+
252
+ 6. **Neglecting annual review** — dated policies are a flag. Every policy must have a documented review with any changes noted.
253
+
254
+ 7. **Procedures missing from policies** — policies state *what* and *why*; procedures state *how*. Both are needed. "We will respond to incidents" without a runbook is a gap.