This repository consolidates all documents related to the BritePool Compliance Program.
Compliance documents are organized as follows:
- `narratives/` Narratives provide an overview of the organization and the compliance environment.
- `policies/` Policies govern the behavior of employees and contractors.
- `procedures/` Procedures prescribe specific steps that are taken in response to key events.
- `standards/` Standards specify the controls satisfied by the compliance program.
- `templates/` Templates control the output format of the HTML Dashboard and PDF assets.
Assets are built using `comply`, which can be installed via `brew install comply` (macOS) or `go get github.com/strongdm/comply`.
The `output/` directory contains all generated assets. Links in the HTML dashboard are relative, and all dependencies are included via direct CDN references. The entire `output/` directory may therefore be uploaded to an S3 bucket or other static asset host without further modification.
Right now we are uploading the contents of the `output/` directory to the top-level folder of another GitHub repository for easy and free hosting:
Procedure tracking is updated whenever `comply sync` is invoked. Invoke a sync prior to `comply build` to include the most current ticket status.
Any procedure under `procedures/` that includes a `cron` schedule will automatically have a ticket created in your configured ticketing system whenever `comply scheduler` is executed. The scheduler will backfill any overdue tickets.
Invoke a script similar to the following at least once per day:
```bash
#!/bin/bash
#
# prerequisites:
#   git access
#   ticketing configuration in comply.yml
#   upload.sh (on PATH) to publish the static site
#
# Abort on the first failing step so that a failed pull, sync or build
# never results in a stale or broken site being published.
set -euo pipefail

# get latest policies and procedures
git pull
# update ticketing status
comply sync
# trigger creation of scheduled tickets
comply scheduler
# build latest
comply build
# publish static site from output/ directory
upload.sh output/
```
Comply is a SOC2-focused compliance automation tool:
- Policy Generator: markdown-powered document pipeline for publishing auditor-friendly policy documents
- Ticketing Integration: automate compliance throughout the year via your existing ticketing system
- SOC2 Templates: open source policy and procedure templates suitable for satisfying a SOC2 audit
macOS:
```shell
brew tap strongdm/comply; brew install comply
```
Linux:
Go users:
```shell
go get github.com/strongdm/comply
```
Start with `comply init`:
```shell
$ mkdir my-company
$ cd my-company
$ comply init
```
Once `comply init` is complete, just `git init` and `git push` your project to a new repository. You're ready to begin editing the included policy boilerplate text.
Join us in Comply Users
Comply relies on pandoc, which can be installed directly as an OS package or invoked via Docker.
```text
NAME:
   comply - policy compliance toolkit

USAGE:
   comply [global options] command [command options] [arguments...]

COMMANDS:
     init             initialize a new compliance repository (interactive)
     build, b         generate a static website summarizing the compliance program
     procedure, proc  create ticket by procedure ID
     scheduler        create tickets based on procedure schedule
     serve            live updating version of the build command
     sync             sync ticket status to local cache
     todo             list declared vs satisfied compliance controls
     help, h          Shows a list of commands or help for one command
```
Comply is currently only released for Linux and macOS; from other operating systems it can be run using Docker:
```shell
# first pull the latest published docker image
$ docker pull strongdm/comply

# from an empty directory that will contain your comply project
$ docker run --rm -v "$PWD":/source -p 4000:4000 -it strongdm/comply
root@ec4544732298:/source# comply init
✗ Organization Name:

# serve content live from an established project
$ docker run --rm -v "$PWD":/source -p 4000:4000 -it strongdm/comply
root@ae4d499583fc:/source# comply serve
Serving content of output/ at http://127.0.0.1:4000 (ctrl-c to quit)
```
For Windows users, replace `$PWD` with the full path to your project directory.
Supported ticketing systems:
- Jira
- Github
- Gitlab
When comply creates a ticket (through `proc`, for instance), it sets the following fields:
- assignee
- description
- issuetype
- labels
- project key
- reporter
- summary
Please make sure that the default Create Screen has all of those fields enabled. Additionally, make sure that there are no other required fields for the issue type you choose.
Assumes installation of golang and configuration of `GOPATH` in `.bash_profile`, `.zshrc`, etc. Inspiration: http://code.openark.org/blog/development/forking-golang-repositories-on-github-and-managing-the-import-path
```shell
$ go get github.com/strongdm/comply
$ cd $GOPATH/src/github.com/strongdm/comply ; go get ./...
$ make
$ cd example
$ mv comply.yml.example comply.yml
$ ../comply -h
$ ../comply sync
$ ../comply serve
#
$ make # recompile as needed within $GOPATH/src/github.com/strongdm/comply
```