import streamlit as st
import pandas as pd
from docx import Document
import io
import json
# Page configuration. Streamlit's API requires set_page_config to be the
# first Streamlit call in the script, so keep this above any st.* output.
_PAGE_CONFIG = {
    "page_title": "Cybersecurity Compliance Checklist Creator",
    "page_icon": "π",
    "layout": "wide",
}
st.set_page_config(**_PAGE_CONFIG)
# Sample compliance frameworks data.
#
# Schema: framework_key -> {"name": display name, "controls": [control, ...]}
# where every control is {"id": str, "description": str, "category": str}.
# main() attaches a fourth key, "framework", at runtime; the exporters read
# "name" via COMPLIANCE_FRAMEWORKS[framework]["name"].
#
# This table is a hand-picked sample, not a complete control catalogue
# (see the "Sample" label above), so a checklist built from it is a starting
# point, not evidence of coverage for an audit.
#
# NOTE(review): control numbering and wording need checking against the
# published standards before this is used for real compliance work:
#   - "ISO27001": the ids span A.5–A.18, which is the 2013 Annex A layout;
#     the 2022 edition named here regroups Annex A into A.5–A.8
#     (Organizational / People / Physical / Technological). Only the first
#     few A.5.x entries line up with 2022 numbering — confirm.
#   - "NIST": the ids (ID.AM-1, PR.AC-1, ...) follow CSF 1.1; CSF 2.0 adds
#     the Govern function and renumbers — confirm which version is intended.
#   - "PCIDSS": labelled v4.0, but the descriptions read like the v3.2.1
#     requirement wording (e.g. "firewall and router configuration
#     standards", "anti-virus software") — confirm.
COMPLIANCE_FRAMEWORKS = {
    "ISO27001": {
        "name": "ISO/IEC 27001:2022",
        "controls": [
            {"id": "A.5.1", "description": "Information security policies", "category": "Organizational"},
            {"id": "A.5.2", "description": "Information security roles and responsibilities", "category": "Organizational"},
            {"id": "A.5.3", "description": "Segregation of duties", "category": "Organizational"},
            {"id": "A.5.4", "description": "Management responsibilities", "category": "Organizational"},
            {"id": "A.6.1", "description": "Information security in project management", "category": "Organizational"},
            {"id": "A.7.1", "description": "Personnel screening", "category": "Human Resources"},
            {"id": "A.7.2", "description": "Terms and conditions of employment", "category": "Human Resources"},
            {"id": "A.8.1", "description": "Inventory of assets", "category": "Asset Management"},
            {"id": "A.8.2", "description": "Ownership of assets", "category": "Asset Management"},
            {"id": "A.9.1", "description": "Access control policy", "category": "Access Control"},
            {"id": "A.9.2", "description": "User access management", "category": "Access Control"},
            {"id": "A.9.3", "description": "User responsibilities", "category": "Access Control"},
            {"id": "A.9.4", "description": "System and application access control", "category": "Access Control"},
            {"id": "A.10.1", "description": "Cryptographic controls", "category": "Cryptography"},
            {"id": "A.11.1", "description": "Physical security perimeters", "category": "Physical Security"},
            {"id": "A.11.2", "description": "Physical entry controls", "category": "Physical Security"},
            {"id": "A.12.1", "description": "Operational procedures", "category": "Operations Security"},
            {"id": "A.12.2", "description": "Protection from malware", "category": "Operations Security"},
            {"id": "A.12.3", "description": "Backup", "category": "Operations Security"},
            {"id": "A.12.4", "description": "Logging and monitoring", "category": "Operations Security"},
            {"id": "A.12.5", "description": "Control of operational software", "category": "Operations Security"},
            {"id": "A.12.6", "description": "Technical vulnerability management", "category": "Operations Security"},
            {"id": "A.12.7", "description": "Information systems audit considerations", "category": "Operations Security"},
            {"id": "A.13.1", "description": "Network security management", "category": "Communications Security"},
            {"id": "A.13.2", "description": "Information transfer", "category": "Communications Security"},
            {"id": "A.14.1", "description": "Security requirements of information systems", "category": "System Development"},
            {"id": "A.14.2", "description": "Security in development and support processes", "category": "System Development"},
            {"id": "A.14.3", "description": "Test data", "category": "System Development"},
            {"id": "A.15.1", "description": "Information security in supplier relationships", "category": "Supplier Relationships"},
            {"id": "A.15.2", "description": "Supplier service delivery management", "category": "Supplier Relationships"},
            {"id": "A.16.1", "description": "Management of information security incidents and improvements", "category": "Incident Management"},
            {"id": "A.17.1", "description": "Information security continuity", "category": "Business Continuity"},
            {"id": "A.17.2", "description": "Redundancies", "category": "Business Continuity"},
            {"id": "A.18.1", "description": "Compliance with legal and contractual requirements", "category": "Compliance"}
        ]
    },
    "NIST": {
        "name": "NIST Cybersecurity Framework",
        "controls": [
            {"id": "ID.AM-1", "description": "Physical devices and systems within the organization are inventoried", "category": "Identify"},
            {"id": "ID.AM-2", "description": "Software platforms and applications within the organization are inventoried", "category": "Identify"},
            {"id": "ID.AM-3", "description": "Organizational communication and data flows are mapped", "category": "Identify"},
            {"id": "ID.AM-4", "description": "External information systems are catalogued", "category": "Identify"},
            {"id": "ID.AM-5", "description": "Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value", "category": "Identify"},
            {"id": "ID.AM-6", "description": "Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established", "category": "Identify"},
            {"id": "PR.AC-1", "description": "Identities and credentials are managed for authorized devices and users", "category": "Protect"},
            {"id": "PR.AC-2", "description": "Physical access to assets is managed and protected", "category": "Protect"},
            {"id": "PR.AC-3", "description": "Remote access is managed", "category": "Protect"},
            {"id": "PR.AC-4", "description": "Access permissions are managed, incorporating the principles of least privilege and separation of duties", "category": "Protect"},
            {"id": "PR.AC-5", "description": "Network integrity is protected, incorporating network segregation where appropriate", "category": "Protect"},
            {"id": "PR.AT-1", "description": "All users are informed and trained", "category": "Protect"},
            {"id": "PR.AT-2", "description": "Privileged users understand their roles and responsibilities", "category": "Protect"},
            {"id": "PR.AT-3", "description": "Third-party stakeholders understand their roles and responsibilities", "category": "Protect"},
            {"id": "PR.AT-4", "description": "Senior executives understand their roles and responsibilities", "category": "Protect"},
            {"id": "PR.AT-5", "description": "Physical and cybersecurity personnel understand their roles and responsibilities", "category": "Protect"},
            {"id": "PR.DS-1", "description": "Data-at-rest is protected", "category": "Protect"},
            {"id": "PR.DS-2", "description": "Data-in-transit is protected", "category": "Protect"},
            {"id": "PR.DS-3", "description": "Assets are formally managed throughout removal, transfers, and disposition", "category": "Protect"},
            {"id": "PR.DS-4", "description": "Adequate capacity to ensure availability is maintained", "category": "Protect"},
            {"id": "PR.DS-5", "description": "Protections against data leaks are implemented", "category": "Protect"},
            {"id": "PR.DS-6", "description": "Integrity checking mechanisms are used to verify software, firmware, and information integrity", "category": "Protect"},
            {"id": "PR.DS-7", "description": "The development and testing environment(s) are separate from the production environment", "category": "Protect"},
            {"id": "PR.IP-1", "description": "A baseline configuration of information technology/industrial control systems is created and maintained", "category": "Protect"},
            {"id": "PR.IP-2", "description": "A System Development Life Cycle to manage systems is implemented", "category": "Protect"},
            {"id": "PR.IP-3", "description": "Configuration change control processes are in place", "category": "Protect"},
            {"id": "PR.IP-4", "description": "Backups of information are conducted, maintained, and tested periodically", "category": "Protect"},
            {"id": "PR.IP-5", "description": "Policy and regulations regarding the physical operating environment for organizational assets are met", "category": "Protect"},
            {"id": "PR.IP-6", "description": "Data is destroyed according to policy", "category": "Protect"},
            {"id": "PR.IP-7", "description": "Protection processes are continuously improved", "category": "Protect"},
            {"id": "PR.IP-8", "description": "Effectiveness of protection technologies is shared with appropriate parties", "category": "Protect"},
            {"id": "PR.IP-9", "description": "Response plans (Incident Response and Business Continuity) and recovery plans (Disaster Recovery) are in place and managed", "category": "Protect"},
            {"id": "PR.IP-10", "description": "Response and recovery plans are tested", "category": "Protect"},
            {"id": "PR.IP-11", "description": "Cybersecurity is included in human resources practices", "category": "Protect"},
            {"id": "PR.IP-12", "description": "A vulnerability management plan is developed and implemented", "category": "Protect"},
            {"id": "PR.PT-1", "description": "Audit/log records are determined, documented, implemented, and reviewed in accordance with policy", "category": "Protect"},
            {"id": "PR.PT-2", "description": "Removable media is protected and its use restricted according to policy", "category": "Protect"},
            {"id": "PR.PT-3", "description": "Access to systems and assets is controlled, incorporating the principle of least functionality", "category": "Protect"},
            {"id": "PR.PT-4", "description": "Communications and control networks are protected", "category": "Protect"},
            {"id": "PR.PT-5", "description": "Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations", "category": "Protect"},
            {"id": "DE.AE-1", "description": "A baseline of network operations and expected data flows for users and systems is established and managed", "category": "Detect"},
            {"id": "DE.AE-2", "description": "Detected events are analyzed to understand attack targets and methods", "category": "Detect"},
            {"id": "DE.AE-3", "description": "Event data are aggregated and correlated from multiple sources and sensors", "category": "Detect"},
            {"id": "DE.AE-4", "description": "Impact of events is determined", "category": "Detect"},
            {"id": "DE.AE-5", "description": "Incident alert thresholds are established", "category": "Detect"},
            {"id": "DE.CM-1", "description": "The network is monitored to detect potential cybersecurity events", "category": "Detect"},
            {"id": "DE.CM-2", "description": "The physical environment is monitored to detect potential cybersecurity events", "category": "Detect"},
            {"id": "DE.CM-3", "description": "Personnel activity is monitored to detect potential cybersecurity events", "category": "Detect"},
            {"id": "DE.CM-4", "description": "Malicious code is detected", "category": "Detect"},
            {"id": "DE.CM-5", "description": "Unauthorized mobile code is detected", "category": "Detect"},
            {"id": "DE.CM-6", "description": "External service provider activity is monitored to detect potential cybersecurity events", "category": "Detect"},
            {"id": "DE.CM-7", "description": "Monitoring for unauthorized personnel, connections, devices, and software is performed", "category": "Detect"},
            {"id": "DE.CM-8", "description": "Vulnerability scans are performed", "category": "Detect"},
            {"id": "DE.DP-1", "description": "Roles and responsibilities for detection are well defined to ensure accountability", "category": "Detect"},
            {"id": "DE.DP-2", "description": "Detection activities comply with all applicable requirements", "category": "Detect"},
            {"id": "DE.DP-3", "description": "Detection processes are tested", "category": "Detect"},
            {"id": "DE.DP-4", "description": "Event detection information is communicated to appropriate parties", "category": "Detect"},
            {"id": "DE.DP-5", "description": "Detection processes are continuously improved", "category": "Detect"},
            {"id": "RS.RP-1", "description": "Response plan is executed during or after an event", "category": "Respond"},
            {"id": "RS.CO-1", "description": "Personnel know their roles and order of operations when a response is needed", "category": "Respond"},
            {"id": "RS.CO-2", "description": "Events are reported consistent with established criteria", "category": "Respond"},
            {"id": "RS.CO-3", "description": "Information is shared consistent with response plans", "category": "Respond"},
            {"id": "RS.CO-4", "description": "Coordination with stakeholders occurs consistent with response plans", "category": "Respond"},
            {"id": "RS.CO-5", "description": "Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness", "category": "Respond"},
            {"id": "RS.AN-1", "description": "Notifications from detection systems are investigated", "category": "Respond"},
            {"id": "RS.AN-2", "description": "The impact of the incident is understood", "category": "Respond"},
            {"id": "RS.AN-3", "description": "Forensics are performed", "category": "Respond"},
            {"id": "RS.AN-4", "description": "Incidents are categorized consistent with response plans", "category": "Respond"},
            {"id": "RS.MI-1", "description": "Incidents are contained", "category": "Respond"},
            {"id": "RS.MI-2", "description": "Incidents are mitigated", "category": "Respond"},
            {"id": "RS.MI-3", "description": "Newly identified vulnerabilities are mitigated or documented as accepted risks", "category": "Respond"},
            {"id": "RS.IM-1", "description": "Response plans incorporate lessons learned", "category": "Respond"},
            {"id": "RS.IM-2", "description": "Response strategies are updated", "category": "Respond"},
            {"id": "RC.RP-1", "description": "Recovery plan is executed during or after an event", "category": "Recover"},
            {"id": "RC.IM-1", "description": "Recovery plans incorporate lessons learned", "category": "Recover"},
            {"id": "RC.IM-2", "description": "Recovery strategies are updated", "category": "Recover"},
            {"id": "RC.CO-1", "description": "Public relations are managed", "category": "Recover"},
            {"id": "RC.CO-2", "description": "Reputation is repaired after an incident", "category": "Recover"},
            {"id": "RC.CO-3", "description": "Recovery activities are communicated to internal stakeholders and executive and management teams", "category": "Recover"}
        ]
    },
    "PCIDSS": {
        "name": "PCI DSS v4.0",
        "controls": [
            {"id": "1.1.1", "description": "Establish and implement firewall and router configuration standards", "category": "Network Security"},
            {"id": "1.2.1", "description": "Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment", "category": "Network Security"},
            {"id": "1.3.1", "description": "Implement DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports", "category": "Network Security"},
            {"id": "1.4.1", "description": "Do not allow unauthorized outbound traffic from the cardholder data environment to the internet", "category": "Network Security"},
            {"id": "2.1.1", "description": "Change vendor-supplied defaults before installing a system on the network", "category": "Vendor Defaults"},
            {"id": "2.2.1", "description": "Develop configuration standards for all system components", "category": "System Configuration"},
            {"id": "3.1.1", "description": "Keep cardholder data storage to a minimum", "category": "Data Protection"},
            {"id": "3.2.1", "description": "Do not store sensitive authentication data after authorization", "category": "Data Protection"},
            {"id": "4.1.1", "description": "Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks", "category": "Encryption"},
            {"id": "5.1.1", "description": "Deploy anti-virus software on all systems commonly affected by malicious software", "category": "Malware Protection"},
            {"id": "6.1.1", "description": "Establish a process to identify security vulnerabilities", "category": "Vulnerability Management"},
            {"id": "7.1.1", "description": "Limit access to system components and cardholder data to only those individuals whose job requires such access", "category": "Access Control"},
            {"id": "8.1.1", "description": "Assign all users a unique ID before allowing them to access system components or cardholder data", "category": "Access Control"},
            {"id": "9.1.1", "description": "Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment", "category": "Physical Security"},
            {"id": "10.1.1", "description": "Implement audit trails to link all access to system components to each individual user", "category": "Monitoring"},
            {"id": "11.1.1", "description": "Test for the presence of wireless access points and detect and identify all authorized and unauthorized wireless access points", "category": "Testing"},
            {"id": "12.1.1", "description": "Establish, publish, maintain, and disseminate a security policy", "category": "Policy"}
        ]
    }
}
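def main() -> None:
    """Render the Streamlit UI: choose frameworks, tick controls, export.

    The function only *reads* the module-level COMPLIANCE_FRAMEWORKS table.
    Fix: the original tagged each control with ``control['framework'] = ...``
    directly on the dicts stored in that table, mutating the module constant
    on every run; controls are now copied before the key is attached.

    Selection state lives in Streamlit widget state (checkbox keys of the
    form ``<framework>_<id>``); nothing is persisted server-side and the
    export helpers generate their files in memory on demand.
    """
    st.title("π Cybersecurity Compliance Checklist Creator")
    st.markdown("Create customized checklists for various cybersecurity compliance frameworks")

    # Sidebar for framework selection
    st.sidebar.header("Framework Selection")
    selected_frameworks = st.sidebar.multiselect(
        "Select Compliance Frameworks:",
        list(COMPLIANCE_FRAMEWORKS.keys()),
        default=["ISO27001"],
    )

    # Main content area
    if not selected_frameworks:
        st.warning("Please select at least one compliance framework from the sidebar.")
        return

    # Display selected frameworks, one column each
    st.header("Selected Frameworks")
    cols = st.columns(len(selected_frameworks))
    for col, framework in zip(cols, selected_frameworks):
        with col:
            st.info(f"**{COMPLIANCE_FRAMEWORKS[framework]['name']}**")

    # Checklist creation section
    st.header("π Checklist Items")
    # Copy each control before attaching the framework key so the shared
    # COMPLIANCE_FRAMEWORKS dicts are never modified.
    all_controls = [
        {**control, "framework": framework}
        for framework in selected_frameworks
        for control in COMPLIANCE_FRAMEWORKS[framework]["controls"]
    ]

    # Group by category for better organization. Categories are displayed
    # sorted; within a category the framework/control order is preserved.
    by_category: dict[str, list[dict]] = {}
    for control in all_controls:
        by_category.setdefault(control["category"], []).append(control)

    selected_controls = []
    for category in sorted(by_category):
        st.subheader(f"Category: {category}")
        for control in by_category[category]:
            col1, col2 = st.columns([1, 4])
            with col1:
                # Key combines framework and id so the same id in two
                # frameworks (e.g. "1.1.1") cannot collide in widget state.
                selected = st.checkbox(
                    f"Select {control['id']}",
                    key=f"{control['framework']}_{control['id']}",
                )
            with col2:
                st.write(f"**{control['id']}** - {control['description']}")
                st.caption(f"Framework: {control['framework']}")
            if selected:
                selected_controls.append(dict(control))

    # Export options (only offered once something is ticked)
    if selected_controls:
        st.header("π€ Export Checklist")
        col1, col2, col3 = st.columns(3)
        # Two-click flow: pressing a button reruns the script, and the export
        # helper then renders an st.download_button for the generated bytes.
        with col1:
            if st.button("π Export to Word Document"):
                export_to_word(selected_controls)
        with col2:
            if st.button("π Export to Excel"):
                export_to_excel(selected_controls)
        with col3:
            if st.button("π Export to CSV"):
                export_to_csv(selected_controls)

        # Display selected items
        st.subheader("Selected Items Summary")
        df_selected = pd.DataFrame(selected_controls)
        st.dataframe(df_selected[['framework', 'id', 'description', 'category']])
        st.success(f"β Selected {len(selected_controls)} controls for your checklist")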
def export_to_word(controls):
    """Build a .docx checklist from *controls* and offer it for download.

    Layout: a level-1 heading per framework (display name looked up in
    COMPLIANCE_FRAMEWORKS via the control's ``framework`` key), and inside
    it a level-2 heading plus a three-column table (Control ID, Description,
    Status) per category. Both groupings keep first-seen order. The document
    is serialized into an in-memory buffer and handed to
    ``st.download_button``; nothing is written to disk.
    """
    document = Document()
    document.add_heading('Cybersecurity Compliance Checklist', 0)

    # framework -> category -> [controls], first-seen order at both levels
    grouped: dict[str, dict[str, list[dict]]] = {}
    for control in controls:
        per_framework = grouped.setdefault(control['framework'], {})
        per_framework.setdefault(control['category'], []).append(control)

    for framework, categories in grouped.items():
        document.add_heading(f'Framework: {COMPLIANCE_FRAMEWORKS[framework]["name"]}', level=1)
        for category, category_controls in categories.items():
            document.add_heading(f'Category: {category}', level=2)
            table = document.add_table(rows=1, cols=3)
            table.style = 'Table Grid'
            for cell, title in zip(table.rows[0].cells, ('Control ID', 'Description', 'Status')):
                cell.text = title
            for control in category_controls:
                id_cell, desc_cell, status_cell = table.add_row().cells
                id_cell.text = control['id']
                desc_cell.text = control['description']
                # Tick-box placeholders for the reader to mark by hand
                status_cell.text = 'β‘ Not Implemented β‘ In Progress β‘ Implemented'

    # Serialize into memory and expose as a download
    buffer = io.BytesIO()
    document.save(buffer)
    buffer.seek(0)
    st.download_button(
        label="β¬οΈ Download Word Document",
        data=buffer,
        file_name="compliance_checklist.docx",
        mime="application/vnd.openxmlformats-officedocument.wordprocessingml.document"
    )
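def export_to_excel(controls):
    """Build an .xlsx checklist from *controls* and offer it for download.

    Adds tracking columns (Status defaults to 'Not Started'; Notes,
    Implementation Date and Responsible Person start empty), writes a single
    'Compliance Checklist' sheet and widens each column to its longest value
    plus 2, capped at 50. The workbook is built in memory only.

    Fix: the width loop wrapped ``len(str(cell.value))`` in a bare
    ``except: pass``, which hid any real error and also counted empty cells
    as the 4-character string "None". Empty cells now contribute 0.

    NOTE(review): all values currently come from the hard-coded
    COMPLIANCE_FRAMEWORKS table. If descriptions or notes ever become
    user-supplied, cells beginning with '=', '+', '-' or '@' should be
    neutralised before export (spreadsheet formula injection).
    """
    df = pd.DataFrame(controls)
    df['Status'] = 'Not Started'
    df['Notes'] = ''
    df['Implementation Date'] = ''
    df['Responsible Person'] = ''
    # Reorder columns for better readability
    df = df[['framework', 'category', 'id', 'description', 'Status', 'Implementation Date', 'Responsible Person', 'Notes']]

    buffer = io.BytesIO()
    with pd.ExcelWriter(buffer, engine='openpyxl') as writer:
        df.to_excel(writer, sheet_name='Compliance Checklist', index=False)
        # Auto-adjust each column's width to its longest non-empty value
        worksheet = writer.sheets['Compliance Checklist']
        for column in worksheet.columns:
            longest = max(
                (len(str(cell.value)) for cell in column if cell.value is not None),
                default=0,
            )
            worksheet.column_dimensions[column[0].column_letter].width = min(longest + 2, 50)
    buffer.seek(0)
    st.download_button(
        label="β¬οΈ Download Excel Spreadsheet",
        data=buffer,
        file_name="compliance_checklist.xlsx",
        mime="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
    )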
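def export_to_csv(controls):
    """Serialize *controls* to CSV text and offer it for download.

    Adds the same tracking columns as export_to_excel (Status 'Not Started',
    empty Notes / Implementation Date / Responsible Person).

    Fix: the columns are now emitted in the same order as the Excel export
    (framework, category, id, description, then the tracking columns). The
    original wrote the raw dict order (id, description, category, framework,
    ...), so the two downloads of one checklist disagreed in layout.

    NOTE(review): all values currently come from the hard-coded
    COMPLIANCE_FRAMEWORKS table. If descriptions or notes ever become
    user-supplied, cells beginning with '=', '+', '-' or '@' should be
    neutralised before export, since Excel evaluates them as formulas when
    the CSV is opened.
    """
    df = pd.DataFrame(controls)
    df['Status'] = 'Not Started'
    df['Notes'] = ''
    df['Implementation Date'] = ''
    df['Responsible Person'] = ''
    # Same column order as the Excel export
    df = df[['framework', 'category', 'id', 'description', 'Status', 'Implementation Date', 'Responsible Person', 'Notes']]
    csv = df.to_csv(index=False)
    st.download_button(
        label="β¬οΈ Download CSV File",
        data=csv,
        file_name="compliance_checklist.csv",
        mime="text/csv"
    )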
# Script entry point. Under `streamlit run` the module executes as __main__,
# so main() runs on every rerun (presumably; confirm against Streamlit docs).
if __name__ == "__main__":
    main()