openclaw/docs/compliance/readiness-checklist.md
ronitchidara 7ff1dc3bba compliance: add Phase 7 governance and procedure documentation
Add SOC2/ISO 27001 compliance documentation suite:
- incident-response.md: P1-P4 severity, 5-phase response, templates
- access-control-policy.md: RBAC governance, provisioning/revocation
- readiness-checklist.md: Self-assessment for all SOC2 TSC criteria
- change-management.md: Standard/normal/emergency change workflows
- vulnerability-disclosure.md: Safe harbor, reporting channels
- security-metrics.md: KPIs, Prometheus alerts, Grafana dashboard
- index.md: Navigation hub with control mapping

Documents reference existing technical controls (audit-log.ts, rbac.ts)
and provide practical audit log queries and alerting configurations.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 17:01:41 +05:30

361 lines
13 KiB
Markdown

---
title: Compliance Readiness Checklist
summary: Self-assessment checklist for SOC2 Type II and ISO 27001 compliance readiness.
permalink: /compliance/readiness-checklist/
---
# Compliance Readiness Checklist
This checklist helps assess readiness for SOC2 Type II and ISO 27001 compliance audits. Use it to identify gaps and collect evidence.
## How to Use This Checklist
1. **Run automated checks**: `clawdbot security audit --deep`
2. **Review each section**: Verify controls are implemented
3. **Collect evidence**: Document artifacts for each control
4. **Track remediation**: Address any gaps identified
5. **Schedule reviews**: Re-assess quarterly
## SOC2 Trust Services Criteria
### CC1: Control Environment
| Req | Control | Verification | Evidence |
|-----|---------|--------------|----------|
| CC1.1 | Security policies documented | Review `/compliance/*` docs exist | Policy documents |
| CC1.2 | Roles and responsibilities defined | Check RBAC config | `clawdbot config get rbac` |
| CC1.3 | Security training provided | N/A (organizational) | Training records |
| CC1.4 | Competence evaluated | N/A (organizational) | Performance records |
**Automated Check:**
```bash
# Verify RBAC is enabled and configured
clawdbot config get rbac.enabled
clawdbot config get rbac.roles
```
### CC2: Communication and Information
| Req | Control | Verification | Evidence |
|-----|---------|--------------|----------|
| CC2.1 | Security policies communicated | Policies accessible | Documentation links |
| CC2.2 | External party communications | Disclosure policy exists | [Vulnerability Disclosure](/compliance/vulnerability-disclosure) |
| CC2.3 | Incident communication | Incident response documented | [Incident Response](/compliance/incident-response) |
### CC3: Risk Assessment
| Req | Control | Verification | Evidence |
|-----|---------|--------------|----------|
| CC3.1 | Risk objectives defined | Threat model documented | [Threat Model](/security/threat-model) |
| CC3.2 | Risk identification | Security audit identifies risks | `clawdbot security audit --deep` |
| CC3.3 | Fraud risk considered | Prompt injection risks documented | Threat model attack vectors |
| CC3.4 | Change risk assessed | Change management documented | [Change Management](/compliance/change-management) |
**Automated Check:**
```bash
# Run full security audit
clawdbot security audit --deep
# Check for critical findings
clawdbot security audit --summary
```
### CC4: Monitoring Activities
| Req | Control | Verification | Evidence |
|-----|---------|--------------|----------|
| CC4.1 | Ongoing monitoring | Audit logging enabled | Check audit.jsonl exists |
| CC4.2 | Control effectiveness evaluated | Security metrics tracked | [Security Metrics](/compliance/security-metrics) |
**Automated Check:**
```bash
# Verify audit logging is working
ls -la ~/.clawdbot/audit.jsonl
# Check recent audit events
tail -10 ~/.clawdbot/audit.jsonl | jq .type
# Verify Prometheus metrics available (if configured)
curl -s http://localhost:18789/metrics | head -20
```
### CC5: Control Activities
| Req | Control | Verification | Evidence |
|-----|---------|--------------|----------|
| CC5.1 | Controls mitigate risks | Security controls documented | Security hardening guide |
| CC5.2 | Technology controls | Automated checks implemented | Security audit CLI |
| CC5.3 | Policies deployed | Configuration enforces policy | Config validation |
### CC6: Logical and Physical Access
| Req | Control | Verification | Evidence |
|-----|---------|--------------|----------|
| CC6.1 | Access rights defined | RBAC roles documented | [Access Control Policy](/compliance/access-control-policy) |
| CC6.2 | Access provisioned | Assignment process defined | Access policy procedures |
| CC6.3 | Access removed | Revocation process defined | Access policy procedures |
| CC6.4 | Access reviewed | Review schedule exists | Quarterly review records |
| CC6.5 | Physical access | N/A (software system) | - |
| CC6.6 | Authentication mechanisms | Token/password/Tailscale configured | Gateway auth config |
| CC6.7 | Access credentials managed | Token rotation guidance | Security hardening guide |
| CC6.8 | Transmission protected | Rate limiting implemented | Rate limit config |
**Automated Check:**
```bash
# Verify authentication is configured
clawdbot security audit --deep | grep -i "auth"
# Check RBAC is enabled
clawdbot config get rbac.enabled
# Verify no wildcard allowlists
clawdbot security audit --deep | grep -i "wildcard"
```
### CC7: System Operations
| Req | Control | Verification | Evidence |
|-----|---------|--------------|----------|
| CC7.1 | Vulnerabilities detected | Security audit runs | Audit output |
| CC7.2 | Anomalies monitored | Alerting configured | Prometheus alerts |
| CC7.3 | Incidents evaluated | Incident response defined | [Incident Response](/compliance/incident-response) |
| CC7.4 | Incidents responded to | Response procedures exist | Incident response phases |
| CC7.5 | Recovery activities | Recovery procedures exist | Incident response Phase 4 |
**Automated Check:**
```bash
# Run vulnerability scan
clawdbot security audit --deep
# Check for security findings
clawdbot security audit --summary
```
### CC8: Change Management
| Req | Control | Verification | Evidence |
|-----|---------|--------------|----------|
| CC8.1 | Changes authorized | Change process documented | [Change Management](/compliance/change-management) |
**Automated Check:**
```bash
# Check config change audit events
cat ~/.clawdbot/audit.jsonl | jq 'select(.type == "config.change")' | tail -5
```
### CC9: Risk Mitigation
| Req | Control | Verification | Evidence |
|-----|---------|--------------|----------|
| CC9.1 | Risk mitigation | Controls reduce risk | Threat model mitigations |
| CC9.2 | Vendor risk | Provider risks documented | Data handling policy |
## ISO 27001 Annex A Controls
### A.5: Information Security Policies
| Control | Requirement | Evidence |
|---------|-------------|----------|
| A.5.1.1 | Policies for information security | Compliance documentation suite |
| A.5.1.2 | Review of policies | Review dates on policy documents |
### A.6: Organization of Information Security
| Control | Requirement | Evidence |
|---------|-------------|----------|
| A.6.1.1 | Information security roles | RBAC role definitions |
| A.6.1.2 | Segregation of duties | Role separation (admin vs user) |
### A.9: Access Control
| Control | Requirement | Evidence |
|---------|-------------|----------|
| A.9.1.1 | Access control policy | [Access Control Policy](/compliance/access-control-policy) |
| A.9.1.2 | Access to networks | Gateway bind configuration |
| A.9.2.1 | User registration | Pairing procedures |
| A.9.2.2 | Access provisioning | Role assignment procedures |
| A.9.2.3 | Privileged access | Admin/operator role restrictions |
| A.9.2.4 | Secret authentication | Token generation guidance |
| A.9.2.5 | Access rights review | Quarterly review schedule |
| A.9.2.6 | Access removal | Revocation procedures |
| A.9.4.1 | Access restriction | RBAC permission checks |
| A.9.4.2 | Secure log-on | Rate limiting, exponential backoff |
| A.9.4.3 | Password management | Token/password requirements |
**Automated Check:**
```bash
# Full access control verification
clawdbot security audit --deep | grep -E "(rbac|auth|pairing|allowlist)"
```
### A.12: Operations Security
| Control | Requirement | Evidence |
|---------|-------------|----------|
| A.12.1.1 | Documented procedures | CLI documentation |
| A.12.1.2 | Change management | [Change Management](/compliance/change-management) |
| A.12.1.4 | Separation of environments | Config isolation per agent |
| A.12.4.1 | Event logging | Audit log implementation |
| A.12.4.2 | Protection of logs | File permissions (0o600) |
| A.12.4.3 | Admin/operator logs | Auth events logged |
| A.12.6.1 | Technical vulnerabilities | Security audit CLI |
### A.14: System Development
| Control | Requirement | Evidence |
|---------|-------------|----------|
| A.14.2.2 | Change control | Change management procedures |
| A.14.2.3 | Technical review | Security audit after changes |
### A.16: Incident Management
| Control | Requirement | Evidence |
|---------|-------------|----------|
| A.16.1.1 | Responsibilities defined | Incident response roles |
| A.16.1.2 | Reporting events | Detection procedures |
| A.16.1.3 | Reporting weaknesses | Vulnerability disclosure |
| A.16.1.4 | Assessment of events | Severity classification |
| A.16.1.5 | Response to incidents | Response phases |
| A.16.1.6 | Learning from incidents | Post-incident review |
| A.16.1.7 | Collection of evidence | Evidence collection guidance |
### A.18: Compliance
| Control | Requirement | Evidence |
|---------|-------------|----------|
| A.18.2.2 | Compliance with policies | Security audit verification |
| A.18.2.3 | Technical compliance | Automated compliance checks |
## Evidence Collection Guide
### Automated Evidence
| Evidence Type | Collection Method | Frequency |
|--------------|-------------------|-----------|
| Security audit report | `clawdbot security audit --deep > audit-$(date +%Y%m%d).txt` | Weekly |
| Configuration snapshot | `clawdbot config show > config-$(date +%Y%m%d).yaml` | After changes |
| Audit log export | `cp ~/.clawdbot/audit*.jsonl evidence/` | Daily |
| Metrics snapshot | `curl localhost:18789/metrics > metrics-$(date +%Y%m%d).txt` | Weekly |
### Manual Evidence
| Evidence Type | Collection Method | Frequency |
|--------------|-------------------|-----------|
| Access review records | Document review meetings | Quarterly |
| Incident records | Completed incident templates | Per incident |
| Training records | Training completion certificates | Annually |
| Policy acknowledgments | Signed policy forms | At hire, annually |
### Evidence Retention
| Evidence Type | Retention Period | Storage |
|--------------|------------------|---------|
| Audit logs | 1 year | Secure backup |
| Security audits | 2 years | Document management |
| Incident records | 3 years | Secure archive |
| Configuration history | 1 year | Version control |
## Gap Remediation
### Priority Matrix
| Severity | Example | Remediation Timeframe |
|----------|---------|----------------------|
| Critical | No gateway auth, wildcard allowlists | Immediate (24 hours) |
| High | RBAC disabled, weak tokens | 1 week |
| Medium | Missing documentation, review overdue | 30 days |
| Low | Informational findings | 90 days |
### Common Gaps and Remediation
| Gap | Finding | Remediation |
|-----|---------|-------------|
| No RBAC | `rbac.enabled: false` | Enable RBAC, assign roles |
| Weak auth | Token < 24 chars | Generate strong token |
| Open DMs | `dmPolicy: "open"` | Use pairing or allowlist |
| No audit | Audit file missing | Verify audit logging config |
| Wildcard access | `allowFrom: ["*"]` | Replace with explicit IDs |
## Compliance Summary Dashboard
Run this script to generate a compliance status summary:
```bash
#!/bin/bash
echo "=== Clawdbot Compliance Status ==="
echo "Date: $(date)"
echo ""
echo "--- Security Audit Summary ---"
clawdbot security audit --summary 2>/dev/null || echo "Security audit failed"
echo ""
echo "--- RBAC Status ---"
clawdbot config get rbac.enabled 2>/dev/null || echo "RBAC config unavailable"
echo ""
echo "--- Gateway Auth ---"
clawdbot config get gateway.auth.mode 2>/dev/null || echo "Auth config unavailable"
echo ""
echo "--- Audit Log Status ---"
if [ -f ~/.clawdbot/audit.jsonl ]; then
echo "Audit log exists"
echo "Last entry: $(tail -1 ~/.clawdbot/audit.jsonl | jq -r '.ts')"
echo "Total events: $(wc -l < ~/.clawdbot/audit.jsonl)"
else
echo "WARNING: No audit log found"
fi
echo ""
echo "--- Critical Findings ---"
clawdbot security audit --deep 2>/dev/null | grep -i "critical" || echo "No critical findings"
```
## Review Schedule
| Review Type | Frequency | Participants | Output |
|-------------|-----------|--------------|--------|
| Access review | Quarterly | Security, HR | Updated assignments |
| Policy review | Semi-annually | Security, Legal | Updated policies |
| Security audit | Weekly (automated) | Security | Audit report |
| Full compliance assessment | Annually | Security, Audit | Readiness report |
## Certification Path
### SOC2 Type II
1. **Gap assessment** (this checklist)
2. **Remediation** (address critical/high gaps)
3. **Control operation** (3-12 month observation period)
4. **Auditor engagement**
5. **Evidence collection** (automated + manual)
6. **Audit examination**
7. **Report issuance**
### ISO 27001
1. **Gap assessment** (this checklist)
2. **ISMS documentation**
3. **Control implementation**
4. **Internal audit**
5. **Management review**
6. **Certification audit (Stage 1)**
7. **Certification audit (Stage 2)**
8. **Certification**
9. **Surveillance audits** (annually)
## Related Documentation
- [Compliance Overview](/compliance/) - Compliance documentation hub
- [Incident Response](/compliance/incident-response) - Incident procedures
- [Access Control Policy](/compliance/access-control-policy) - Access management
- [Security Metrics](/compliance/security-metrics) - Monitoring KPIs
- [Threat Model](/security/threat-model) - Risk assessment
---
*Checklist owner: Security Team*
*Last updated: 2026-01-27*
*Next review: 2026-04-27*