Agent skill
grc
Governance, Risk, and Compliance documentation and assessment support. Generate policies, assess controls, and track compliance status. Use for GRC programs, audits, and regulatory compliance.
Install this agent skill to your Project
```
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/data/grc
```
Metadata
Additional technical details for this skill
- author: SherifEldeeb
- version: 1.0.0
- category: cybersecurity
SKILL.md
GRC Skill
Support Governance, Risk, and Compliance activities with policy generation, control assessment, risk management, and compliance tracking.
Capabilities
- Policy Management: Generate and track security policies
- Control Assessment: Document and assess control effectiveness
- Risk Management: Maintain risk registers and assessments
- Compliance Tracking: Track compliance with multiple frameworks
- Audit Support: Generate audit evidence and reports
- Framework Mapping: Map controls across frameworks
Quick Start
```python
from grc_utils import PolicyGenerator, ControlAssessment, RiskRegister, ComplianceTracker

# Generate a policy
policy = PolicyGenerator('Access Control Policy')
policy.add_section('Purpose', 'Define access control requirements...')
policy.add_control('AC-1', 'Users must use unique identifiers')
print(policy.generate())

# Assess a control
assessment = ControlAssessment('AC-1', 'Access Control')
assessment.set_effectiveness('effective')
assessment.add_evidence('access_review_report.pdf', 'Quarterly access review')

# Track compliance
tracker = ComplianceTracker('SOC 2')
tracker.add_control('CC6.1', status='compliant')
print(tracker.get_compliance_status())
```
Usage
Policy Management
Generate and manage security policies.
Example:
```python
from grc_utils import PolicyGenerator

# Create policy
policy = PolicyGenerator(
    title='Information Security Policy',
    version='1.0',
    owner='CISO',
    classification='Internal'
)

# Add sections
policy.add_section(
    'Purpose',
    '''This policy establishes the information security requirements
for protecting organizational assets and data.'''
)
policy.add_section(
    'Scope',
    '''This policy applies to all employees, contractors, and third
parties with access to organizational systems.'''
)
policy.add_section(
    'Policy Statements',
    '''1. All users must complete security awareness training annually.
2. Multi-factor authentication is required for all remote access.
3. Data must be classified and handled according to its sensitivity.'''
)

# Add controls
policy.add_control('AC-1', 'Access control policy and procedures')
policy.add_control('AC-2', 'Account management')
policy.add_control('AT-1', 'Security awareness training')

# Set review schedule
policy.set_review_schedule(frequency='annual', next_review='2025-01-01')

# Generate outputs
print(policy.generate())  # Markdown format
print(policy.to_json())   # JSON for storage
```
Control Assessment
Document and assess control effectiveness.
Example:
```python
from grc_utils import ControlAssessment

# Create assessment
assessment = ControlAssessment(
    control_id='AC-2',
    control_name='Account Management',
    framework='NIST 800-53'
)

# Set control details
assessment.set_description('''
The organization manages information system accounts, including:
- Identifying account types
- Establishing conditions for group membership
- Identifying authorized users
- Specifying access privileges
''')

# Document implementation
assessment.set_implementation('''
Account management is implemented through:
- Active Directory for identity management
- Privileged Access Management (PAM) solution
- Quarterly access reviews
- Automated deprovisioning workflows
''')

# Add evidence
assessment.add_evidence(
    filename='access_review_q4_2024.pdf',
    description='Q4 2024 access review report',
    date_collected='2024-01-15'
)
assessment.add_evidence(
    filename='pam_config_screenshot.png',
    description='PAM solution configuration',
    date_collected='2024-01-10'
)

# Set effectiveness
assessment.set_effectiveness(
    rating='effective',
    notes='Control operating as intended with minor documentation gaps'
)

# Identify gaps
assessment.add_gap(
    description='Service account reviews not documented',
    remediation='Implement service account review process',
    priority='Medium',
    due_date='2024-03-01'
)

# Generate report
print(assessment.generate_report())
```
Risk Management
Maintain risk registers and assessments.
Example:
```python
from grc_utils import RiskRegister

register = RiskRegister()

# Add risks
register.add_risk(
    risk_id='RISK-001',
    title='Ransomware Attack',
    description='Risk of ransomware infection causing data loss and operational disruption',
    category='Cybersecurity',
    likelihood='medium',
    impact='high',
    inherent_risk='high'
)
register.add_risk(
    risk_id='RISK-002',
    title='Third-Party Data Breach',
    description='Risk of data breach through third-party vendor',
    category='Third Party',
    likelihood='medium',
    impact='medium',
    inherent_risk='medium'
)

# Add controls/mitigations
register.add_mitigation(
    risk_id='RISK-001',
    control='Endpoint Detection and Response (EDR)',
    effectiveness='high'
)
register.add_mitigation(
    risk_id='RISK-001',
    control='Backup and Recovery Solution',
    effectiveness='high'
)

# Calculate residual risk
register.calculate_residual_risk('RISK-001')

# Set treatment
register.set_treatment(
    risk_id='RISK-001',
    treatment='mitigate',
    owner='Security Operations',
    notes='Continuing to enhance detection and response capabilities'
)

# Generate risk report
print(register.generate_report())
print(register.generate_heatmap_data())
```
Compliance Tracking
Track compliance across frameworks.
Example:
```python
from grc_utils import ComplianceTracker

# Create tracker for SOC 2
tracker = ComplianceTracker('SOC 2 Type II')

# Add controls with status
tracker.add_control(
    control_id='CC6.1',
    description='Logical and physical access controls',
    status='compliant',
    evidence=['access_control_policy.pdf', 'access_review_q4.xlsx']
)
tracker.add_control(
    control_id='CC6.2',
    description='Access credentials management',
    status='compliant',
    evidence=['mfa_implementation.pdf']
)
tracker.add_control(
    control_id='CC6.3',
    description='Access removal',
    status='partially_compliant',
    evidence=['termination_checklist.pdf'],
    gaps=['Delayed offboarding for contractors']
)
tracker.add_control(
    control_id='CC7.1',
    description='Detection of unauthorized changes',
    status='non_compliant',
    gaps=['FIM not fully implemented']
)

# Get compliance status
status = tracker.get_compliance_status()
print(f"Compliant: {status['compliant']}")
print(f"Partially Compliant: {status['partially_compliant']}")
print(f"Non-Compliant: {status['non_compliant']}")

# Generate compliance report
print(tracker.generate_report())
```
Framework Mapping
Map controls across multiple frameworks.
Example:
```python
from grc_utils import FrameworkMapper

mapper = FrameworkMapper()

# Add control mappings
mapper.add_mapping(
    control_name='Access Control Policy',
    mappings={
        'NIST 800-53': 'AC-1',
        'ISO 27001': 'A.9.1.1',
        'SOC 2': 'CC6.1',
        'CIS': 'Control 6.1'
    }
)
mapper.add_mapping(
    control_name='Multi-Factor Authentication',
    mappings={
        'NIST 800-53': 'IA-2(1)',
        'ISO 27001': 'A.9.4.2',
        'SOC 2': 'CC6.1',
        'CIS': 'Control 6.5'
    }
)

# Get controls by framework
nist_controls = mapper.get_by_framework('NIST 800-53')

# Find equivalent controls
equivalents = mapper.find_equivalents('NIST 800-53', 'AC-1')

# Generate mapping matrix
print(mapper.generate_matrix())
```
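The mapping above is many-to-many in practice: SOC 2 CC6.1 backs both the access control policy and MFA, so a lookup by framework id has to return every internal control it touches, and a framework with no entry for some control is a coverage gap an assessor must close. The following is an added example written for this page, not the skill's own `grc_utils` code; `SimpleFrameworkMapper` and its `unmapped()` helper are this example's names, the method names mirror the usage above, and the third mapping ('Account Management' with no CIS or ISO entry) is constructed to exercise the gap check.

```python
from collections import defaultdict

# Added example (not the skill's grc_utils code): a minimal cross-framework
# control mapper in the spirit of FrameworkMapper. Method names mirror the
# SKILL.md usage above; the internals are this example's own.


class SimpleFrameworkMapper:
    def __init__(self):
        # control_name -> {framework: control_id}
        self.mappings = {}
        # (framework, control_id) -> [control_name, ...]; a reverse index so
        # that lookups by framework id do not scan every mapping.
        self._by_framework = defaultdict(list)

    def add_mapping(self, control_name, mappings):
        if control_name in self.mappings:
            raise ValueError(f"duplicate control name: {control_name}")
        self.mappings[control_name] = dict(mappings)
        for framework, control_id in mappings.items():
            self._by_framework[(framework, control_id)].append(control_name)

    def frameworks(self):
        # Sorted union of every framework seen in any mapping.
        return sorted({fw for m in self.mappings.values() for fw in m})

    def get_by_framework(self, framework):
        # control_id -> [control_name, ...] for one framework. A single
        # framework id (e.g. SOC 2 CC6.1) can satisfy several controls.
        result = defaultdict(list)
        for name, m in self.mappings.items():
            if framework in m:
                result[m[framework]].append(name)
        return dict(result)

    def find_equivalents(self, framework, control_id):
        # framework -> sorted ids equivalent to (framework, control_id),
        # collected across every internal control that maps to it.
        names = self._by_framework.get((framework, control_id), [])
        equivalents = defaultdict(set)
        for name in names:
            for fw, cid in self.mappings[name].items():
                if fw != framework:
                    equivalents[fw].add(cid)
        return {fw: sorted(ids) for fw, ids in equivalents.items()}

    def unmapped(self, framework):
        # Controls with no entry for a framework: the gaps to close before
        # claiming that framework is fully covered by the control set.
        return sorted(n for n, m in self.mappings.items() if framework not in m)

    def generate_matrix(self):
        # Markdown table: one row per control, one column per framework,
        # '-' where a control has no mapping for that framework.
        fws = self.frameworks()
        lines = ["| Control | " + " | ".join(fws) + " |",
                 "|---|" + "---|" * len(fws)]
        for name in sorted(self.mappings):
            cells = [self.mappings[name].get(fw, "-") for fw in fws]
            lines.append("| " + name + " | " + " | ".join(cells) + " |")
        return "\n".join(lines)


def build_sample_mapper():
    # The two mappings from the usage section above, plus one constructed
    # control that deliberately lacks CIS and ISO entries to exercise unmapped().
    mapper = SimpleFrameworkMapper()
    mapper.add_mapping('Access Control Policy', {
        'NIST 800-53': 'AC-1', 'ISO 27001': 'A.9.1.1',
        'SOC 2': 'CC6.1', 'CIS': 'Control 6.1'})
    mapper.add_mapping('Multi-Factor Authentication', {
        'NIST 800-53': 'IA-2(1)', 'ISO 27001': 'A.9.4.2',
        'SOC 2': 'CC6.1', 'CIS': 'Control 6.5'})
    mapper.add_mapping('Account Management', {
        'NIST 800-53': 'AC-2', 'SOC 2': 'CC6.2'})  # constructed: partial mapping
    return mapper


if __name__ == '__main__':
    m = build_sample_mapper()
    print(m.find_equivalents('SOC 2', 'CC6.1'))
    print(m.unmapped('CIS'))
    print(m.generate_matrix())
```

Because `find_equivalents` walks the reverse index rather than the first match, asking for SOC 2 CC6.1 returns both NIST controls (AC-1 and IA-2(1)), which is the answer an auditor cross-walking frameworks actually needs.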
Audit Support
Generate audit evidence and reports.
Example:
```python
from grc_utils import AuditPackage

audit = AuditPackage(
    audit_name='SOC 2 Type II 2024',
    period_start='2024-01-01',
    period_end='2024-12-31'
)

# Add evidence
audit.add_evidence(
    request_id='RQ-001',
    description='Access control policy',
    filename='access_control_policy_v2.1.pdf',
    control_ids=['CC6.1', 'CC6.2'],
    provided_by='security-team',
    date_provided='2024-01-15'
)
audit.add_evidence(
    request_id='RQ-002',
    description='Quarterly access reviews',
    filename='access_reviews_2024.xlsx',
    control_ids=['CC6.1'],
    provided_by='it-team',
    date_provided='2024-01-16'
)

# Track findings
audit.add_finding(
    finding_id='FIND-001',
    description='Delayed access removal for terminated employees',
    severity='Medium',
    control_ids=['CC6.3'],
    management_response='Implementing automated deprovisioning',
    remediation_date='2024-03-01'
)

# Generate audit package
print(audit.generate_evidence_index())
print(audit.generate_finding_summary())
```
Configuration
Environment Variables
| Variable | Description | Required | Default |
|---|---|---|---|
| GRC_OUTPUT_DIR | Output directory for reports | No | ./output |
| GRC_TEMPLATE_DIR | Directory for policy templates | No | ./templates |
Supported Frameworks
- NIST 800-53 - Security and Privacy Controls
- NIST CSF - Cybersecurity Framework
- ISO 27001 - Information Security Management
- SOC 2 - Service Organization Controls
- PCI DSS - Payment Card Industry
- HIPAA - Health Insurance Portability
- GDPR - General Data Protection Regulation
- CIS Controls - Center for Internet Security
Limitations
- No Database: Data stored in memory only
- No Workflow: Manual status updates required
- Template-Based: Limited customization
Troubleshooting
Invalid Risk Rating
Use valid risk rating values:
```python
# Valid ratings
register.add_risk(..., likelihood='high')   # high, medium, low
register.add_risk(..., impact='critical')   # critical, high, medium, low

# Invalid
register.add_risk(..., likelihood='very high')  # Error!
```
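The rating vocabulary above and the `calculate_residual_risk` step in the Risk Management section both hinge on the same thing: ratings are a closed set that maps onto a scoring matrix, so an out-of-vocabulary value must be rejected before it reaches the score, and residual risk is the inherent score after mitigations are applied. The following is an added example written for this page, not the skill's `grc_utils` code. `SimpleRiskRegister`, the 3x4 likelihood-by-impact product with its rating bands, the per-mitigation reduction factors and the treatment vocabulary are all this example's assumptions; the risks and mitigations come from the usage section above. It also checks that an explicitly supplied `inherent_risk` agrees with the matrix, so a register cannot quietly understate a risk.

```python
# Added example (not the skill's grc_utils code): a minimal risk register that
# validates rating values and derives residual risk from inherent risk plus
# mitigation effectiveness. The scoring model is this example's own assumption.

LIKELIHOOD = {'low': 1, 'medium': 2, 'high': 3}
IMPACT = {'low': 1, 'medium': 2, 'high': 3, 'critical': 4}
# Fraction of the current score that remains after a mitigation is applied.
MITIGATION_FACTOR = {'low': 0.9, 'medium': 0.75, 'high': 0.5}
TREATMENTS = {'mitigate', 'accept', 'transfer', 'avoid'}  # assumed vocabulary


def rating_from_score(score):
    # Bands over the likelihood x impact product (1..12 before mitigation).
    if score >= 9:
        return 'critical'
    if score >= 6:
        return 'high'
    if score >= 3:
        return 'medium'
    return 'low'


def _check(value, allowed, field):
    # Reject anything outside the documented vocabulary (e.g. 'very high').
    if value not in allowed:
        raise ValueError(f"invalid {field} {value!r}; expected one of {sorted(allowed)}")
    return value


class SimpleRiskRegister:
    def __init__(self):
        self.risks = {}

    def add_risk(self, risk_id, title, likelihood, impact, inherent_risk=None, **details):
        if risk_id in self.risks:
            raise ValueError(f"duplicate risk id {risk_id}")
        likelihood = _check(likelihood, LIKELIHOOD, 'likelihood')
        impact = _check(impact, IMPACT, 'impact')
        computed = rating_from_score(LIKELIHOOD[likelihood] * IMPACT[impact])
        # A supplied inherent rating must agree with the matrix.
        if inherent_risk is not None and inherent_risk != computed:
            raise ValueError(f"{risk_id}: inherent_risk {inherent_risk!r} "
                             f"disagrees with matrix rating {computed!r}")
        self.risks[risk_id] = {'title': title, 'likelihood': likelihood, 'impact': impact,
                               'inherent_risk': computed, 'mitigations': [],
                               'treatment': None, **details}

    def add_mitigation(self, risk_id, control, effectiveness):
        _check(effectiveness, MITIGATION_FACTOR, 'effectiveness')
        self.risks[risk_id]['mitigations'].append(
            {'control': control, 'effectiveness': effectiveness})

    def calculate_residual_risk(self, risk_id):
        # Apply each mitigation's factor to the inherent score, then re-band.
        r = self.risks[risk_id]
        score = LIKELIHOOD[r['likelihood']] * IMPACT[r['impact']]
        for m in r['mitigations']:
            score *= MITIGATION_FACTOR[m['effectiveness']]
        r['residual_risk'] = rating_from_score(score)
        return r['residual_risk']

    def set_treatment(self, risk_id, treatment, owner, notes=''):
        _check(treatment, TREATMENTS, 'treatment')
        self.risks[risk_id]['treatment'] = {'treatment': treatment, 'owner': owner, 'notes': notes}

    def generate_heatmap_data(self):
        # (likelihood, impact) -> risk ids: the cells of a 3x4 heat map.
        cells = {}
        for rid, r in self.risks.items():
            cells.setdefault((r['likelihood'], r['impact']), []).append(rid)
        return cells


def build_sample_register():
    # Risks and mitigations from the Risk Management usage section above.
    reg = SimpleRiskRegister()
    reg.add_risk('RISK-001', 'Ransomware Attack', likelihood='medium', impact='high',
                 inherent_risk='high', category='Cybersecurity')
    reg.add_risk('RISK-002', 'Third-Party Data Breach', likelihood='medium', impact='medium',
                 inherent_risk='medium', category='Third Party')
    reg.add_mitigation('RISK-001', 'Endpoint Detection and Response (EDR)', 'high')
    reg.add_mitigation('RISK-001', 'Backup and Recovery Solution', 'high')
    reg.set_treatment('RISK-001', 'mitigate', 'Security Operations')
    return reg


if __name__ == '__main__':
    reg = build_sample_register()
    print('RISK-001 residual:', reg.calculate_residual_risk('RISK-001'))
    print('RISK-002 residual:', reg.calculate_residual_risk('RISK-002'))
    print(reg.generate_heatmap_data())
```

With this model RISK-001 starts at medium x high = 6 ('high'), and two highly effective mitigations bring it to 1.5 ('low'); RISK-002 has no mitigations, so its residual rating equals its inherent 'medium'. Whatever factors an organization adopts, the point is that the reduction is computed from recorded mitigations rather than typed in by hand.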
Compliance Status Values
Use standard compliance statuses:
```python
# Valid
tracker.add_control(..., status='compliant')
tracker.add_control(..., status='partially_compliant')
tracker.add_control(..., status='non_compliant')
tracker.add_control(..., status='not_applicable')
```
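The four statuses above are the whole vocabulary the Compliance Tracking section aggregates over, and two details matter when turning them into a status report: `not_applicable` controls should drop out of the denominator rather than count as failures or passes, and a control claimed `compliant` with no evidence attached will not survive an audit, so the tracker should flag it. The following is an added example written for this page, not the skill's `grc_utils` code; `SimpleComplianceTracker`, its `unsupported_claims()` and `open_gaps()` helpers and the percentage calculation are this example's own. The four SOC 2 controls come from the usage section above; the two `CC-EX*` entries are constructed placeholders, not real SOC 2 criteria, added to exercise the not-applicable and no-evidence paths.

```python
# Added example (not the skill's grc_utils code): a minimal compliance tracker
# that enforces the documented status vocabulary, aggregates status counts and
# flags controls whose claimed status is not backed by evidence.

VALID_STATUSES = ('compliant', 'partially_compliant', 'non_compliant', 'not_applicable')


class SimpleComplianceTracker:
    def __init__(self, framework):
        self.framework = framework
        self.controls = {}

    def add_control(self, control_id, description, status, evidence=(), gaps=()):
        if status not in VALID_STATUSES:
            raise ValueError(f"invalid status {status!r}; expected one of {VALID_STATUSES}")
        if control_id in self.controls:
            raise ValueError(f"duplicate control {control_id}")
        self.controls[control_id] = {'description': description, 'status': status,
                                     'evidence': list(evidence), 'gaps': list(gaps)}

    def get_compliance_status(self):
        # Counts per status plus the share of in-scope controls that are fully
        # compliant; not_applicable controls are excluded from the denominator.
        counts = {s: 0 for s in VALID_STATUSES}
        for c in self.controls.values():
            counts[c['status']] += 1
        in_scope = len(self.controls) - counts['not_applicable']
        counts['percent_compliant'] = (round(100 * counts['compliant'] / in_scope, 1)
                                       if in_scope else 0.0)
        return counts

    def unsupported_claims(self):
        # Controls marked compliant or partially compliant with no evidence:
        # an auditor will not accept the status, so the tracker flags it.
        return sorted(cid for cid, c in self.controls.items()
                      if c['status'] in ('compliant', 'partially_compliant')
                      and not c['evidence'])

    def open_gaps(self):
        # (control_id, gap) pairs for every control not yet fully compliant.
        return [(cid, g) for cid, c in sorted(self.controls.items())
                if c['status'] != 'compliant' for g in c['gaps']]

    def generate_report(self):
        s = self.get_compliance_status()
        lines = [f"# {self.framework} compliance status",
                 f"Compliant: {s['compliant']}  Partially: {s['partially_compliant']}  "
                 f"Non-compliant: {s['non_compliant']}  N/A: {s['not_applicable']}",
                 f"In-scope controls fully compliant: {s['percent_compliant']}%"]
        for cid, gap in self.open_gaps():
            lines.append(f"- {cid}: {gap}")
        for cid in self.unsupported_claims():
            lines.append(f"- {cid}: status claimed without evidence")
        return "\n".join(lines)


def build_sample_tracker():
    # Controls from the Compliance Tracking usage section above, plus two
    # constructed placeholder entries (CC-EX1 / CC-EX2 are not SOC 2 criteria).
    t = SimpleComplianceTracker('SOC 2 Type II')
    t.add_control('CC6.1', 'Logical and physical access controls', 'compliant',
                  evidence=['access_control_policy.pdf', 'access_review_q4.xlsx'])
    t.add_control('CC6.2', 'Access credentials management', 'compliant',
                  evidence=['mfa_implementation.pdf'])
    t.add_control('CC6.3', 'Access removal', 'partially_compliant',
                  evidence=['termination_checklist.pdf'],
                  gaps=['Delayed offboarding for contractors'])
    t.add_control('CC7.1', 'Detection of unauthorized changes', 'non_compliant',
                  gaps=['FIM not fully implemented'])
    t.add_control('CC-EX1', 'Constructed: out-of-scope control', 'not_applicable')
    t.add_control('CC-EX2', 'Constructed: compliant but undocumented', 'compliant')
    return t


if __name__ == '__main__':
    print(build_sample_tracker().generate_report())
```

On the sample data three of five in-scope controls are compliant (60%), the two open gaps are listed against CC6.3 and CC7.1, and CC-EX2 is called out as a compliant claim with nothing behind it.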
Related Skills
- vulnerability-management: Technical compliance
- docx: Policy document generation
- xlsx: Compliance tracking spreadsheets
References
- Detailed API Reference
- NIST 800-53 Rev 5
- ISO 27001:2022