import io
import json
from collections import defaultdict

import pandas as pd
import streamlit as st
from docx import Document
# Page configuration — must be the first Streamlit call in the script.
_PAGE_CONFIG = {
    "page_title": "Cybersecurity Compliance Checklist Creator",
    # NOTE(review): the icon glyph looks mojibaked in this listing; confirm the
    # intended emoji in the source file before changing it.
    "page_icon": "π",
    "layout": "wide",
}
st.set_page_config(**_PAGE_CONFIG)
# Sample compliance frameworks data.
#
# Keys are the short names offered in the sidebar multiselect; each value holds
# a display "name" and a flat "controls" list of {"id", "description",
# "category"} dicts. main() reads this table when building the checklist and
# the export helpers index it by framework key to print the display name.
#
# NOTE(review): this is an illustrative sample, not an authoritative control
# catalogue. The identifiers and wording do not consistently match the named
# revisions — e.g. ISO/IEC 27001:2022 Annex A only has themes A.5–A.8, while
# A.9–A.18 below follow the 2013 layout; the NIST IDs are CSF 1.1-style
# subcategories (2.0 renumbered them and added GOVERN); several PCI DSS entries
# use pre-v4.0 wording ("firewall and router", "DMZ"). Verify against the
# official publications before treating an exported checklist as audit evidence.
COMPLIANCE_FRAMEWORKS = {
    "ISO27001": {
        "name": "ISO/IEC 27001:2022",
        "controls": [
            {"id": "A.5.1", "description": "Information security policies", "category": "Organizational"},
            {"id": "A.5.2", "description": "Information security roles and responsibilities", "category": "Organizational"},
            {"id": "A.5.3", "description": "Segregation of duties", "category": "Organizational"},
            {"id": "A.5.4", "description": "Management responsibilities", "category": "Organizational"},
            {"id": "A.6.1", "description": "Information security in project management", "category": "Organizational"},
            {"id": "A.7.1", "description": "Personnel screening", "category": "Human Resources"},
            {"id": "A.7.2", "description": "Terms and conditions of employment", "category": "Human Resources"},
            {"id": "A.8.1", "description": "Inventory of assets", "category": "Asset Management"},
            {"id": "A.8.2", "description": "Ownership of assets", "category": "Asset Management"},
            {"id": "A.9.1", "description": "Access control policy", "category": "Access Control"},
            {"id": "A.9.2", "description": "User access management", "category": "Access Control"},
            {"id": "A.9.3", "description": "User responsibilities", "category": "Access Control"},
            {"id": "A.9.4", "description": "System and application access control", "category": "Access Control"},
            {"id": "A.10.1", "description": "Cryptographic controls", "category": "Cryptography"},
            {"id": "A.11.1", "description": "Physical security perimeters", "category": "Physical Security"},
            {"id": "A.11.2", "description": "Physical entry controls", "category": "Physical Security"},
            {"id": "A.12.1", "description": "Operational procedures", "category": "Operations Security"},
            {"id": "A.12.2", "description": "Protection from malware", "category": "Operations Security"},
            {"id": "A.12.3", "description": "Backup", "category": "Operations Security"},
            {"id": "A.12.4", "description": "Logging and monitoring", "category": "Operations Security"},
            {"id": "A.12.5", "description": "Control of operational software", "category": "Operations Security"},
            {"id": "A.12.6", "description": "Technical vulnerability management", "category": "Operations Security"},
            {"id": "A.12.7", "description": "Information systems audit considerations", "category": "Operations Security"},
            {"id": "A.13.1", "description": "Network security management", "category": "Communications Security"},
            {"id": "A.13.2", "description": "Information transfer", "category": "Communications Security"},
            {"id": "A.14.1", "description": "Security requirements of information systems", "category": "System Development"},
            {"id": "A.14.2", "description": "Security in development and support processes", "category": "System Development"},
            {"id": "A.14.3", "description": "Test data", "category": "System Development"},
            {"id": "A.15.1", "description": "Information security in supplier relationships", "category": "Supplier Relationships"},
            {"id": "A.15.2", "description": "Supplier service delivery management", "category": "Supplier Relationships"},
            {"id": "A.16.1", "description": "Management of information security incidents and improvements", "category": "Incident Management"},
            {"id": "A.17.1", "description": "Information security continuity", "category": "Business Continuity"},
            {"id": "A.17.2", "description": "Redundancies", "category": "Business Continuity"},
            {"id": "A.18.1", "description": "Compliance with legal and contractual requirements", "category": "Compliance"}
        ]
    },
    "NIST": {
        "name": "NIST Cybersecurity Framework",
        # Categories here are the five CSF functions; ids are subcategories.
        "controls": [
            {"id": "ID.AM-1", "description": "Physical devices and systems within the organization are inventoried", "category": "Identify"},
            {"id": "ID.AM-2", "description": "Software platforms and applications within the organization are inventoried", "category": "Identify"},
            {"id": "ID.AM-3", "description": "Organizational communication and data flows are mapped", "category": "Identify"},
            {"id": "ID.AM-4", "description": "External information systems are catalogued", "category": "Identify"},
            {"id": "ID.AM-5", "description": "Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value", "category": "Identify"},
            {"id": "ID.AM-6", "description": "Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established", "category": "Identify"},
            {"id": "PR.AC-1", "description": "Identities and credentials are managed for authorized devices and users", "category": "Protect"},
            {"id": "PR.AC-2", "description": "Physical access to assets is managed and protected", "category": "Protect"},
            {"id": "PR.AC-3", "description": "Remote access is managed", "category": "Protect"},
            {"id": "PR.AC-4", "description": "Access permissions are managed, incorporating the principles of least privilege and separation of duties", "category": "Protect"},
            {"id": "PR.AC-5", "description": "Network integrity is protected, incorporating network segregation where appropriate", "category": "Protect"},
            {"id": "PR.AT-1", "description": "All users are informed and trained", "category": "Protect"},
            {"id": "PR.AT-2", "description": "Privileged users understand their roles and responsibilities", "category": "Protect"},
            {"id": "PR.AT-3", "description": "Third-party stakeholders understand their roles and responsibilities", "category": "Protect"},
            {"id": "PR.AT-4", "description": "Senior executives understand their roles and responsibilities", "category": "Protect"},
            {"id": "PR.AT-5", "description": "Physical and cybersecurity personnel understand their roles and responsibilities", "category": "Protect"},
            {"id": "PR.DS-1", "description": "Data-at-rest is protected", "category": "Protect"},
            {"id": "PR.DS-2", "description": "Data-in-transit is protected", "category": "Protect"},
            {"id": "PR.DS-3", "description": "Assets are formally managed throughout removal, transfers, and disposition", "category": "Protect"},
            {"id": "PR.DS-4", "description": "Adequate capacity to ensure availability is maintained", "category": "Protect"},
            {"id": "PR.DS-5", "description": "Protections against data leaks are implemented", "category": "Protect"},
            {"id": "PR.DS-6", "description": "Integrity checking mechanisms are used to verify software, firmware, and information integrity", "category": "Protect"},
            {"id": "PR.DS-7", "description": "The development and testing environment(s) are separate from the production environment", "category": "Protect"},
            {"id": "PR.IP-1", "description": "A baseline configuration of information technology/industrial control systems is created and maintained", "category": "Protect"},
            {"id": "PR.IP-2", "description": "A System Development Life Cycle to manage systems is implemented", "category": "Protect"},
            {"id": "PR.IP-3", "description": "Configuration change control processes are in place", "category": "Protect"},
            {"id": "PR.IP-4", "description": "Backups of information are conducted, maintained, and tested periodically", "category": "Protect"},
            {"id": "PR.IP-5", "description": "Policy and regulations regarding the physical operating environment for organizational assets are met", "category": "Protect"},
            {"id": "PR.IP-6", "description": "Data is destroyed according to policy", "category": "Protect"},
            {"id": "PR.IP-7", "description": "Protection processes are continuously improved", "category": "Protect"},
            {"id": "PR.IP-8", "description": "Effectiveness of protection technologies is shared with appropriate parties", "category": "Protect"},
            {"id": "PR.IP-9", "description": "Response plans (Incident Response and Business Continuity) and recovery plans (Disaster Recovery) are in place and managed", "category": "Protect"},
            {"id": "PR.IP-10", "description": "Response and recovery plans are tested", "category": "Protect"},
            {"id": "PR.IP-11", "description": "Cybersecurity is included in human resources practices", "category": "Protect"},
            {"id": "PR.IP-12", "description": "A vulnerability management plan is developed and implemented", "category": "Protect"},
            {"id": "PR.PT-1", "description": "Audit/log records are determined, documented, implemented, and reviewed in accordance with policy", "category": "Protect"},
            {"id": "PR.PT-2", "description": "Removable media is protected and its use restricted according to policy", "category": "Protect"},
            {"id": "PR.PT-3", "description": "Access to systems and assets is controlled, incorporating the principle of least functionality", "category": "Protect"},
            {"id": "PR.PT-4", "description": "Communications and control networks are protected", "category": "Protect"},
            {"id": "PR.PT-5", "description": "Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations", "category": "Protect"},
            {"id": "DE.AE-1", "description": "A baseline of network operations and expected data flows for users and systems is established and managed", "category": "Detect"},
            {"id": "DE.AE-2", "description": "Detected events are analyzed to understand attack targets and methods", "category": "Detect"},
            {"id": "DE.AE-3", "description": "Event data are aggregated and correlated from multiple sources and sensors", "category": "Detect"},
            {"id": "DE.AE-4", "description": "Impact of events is determined", "category": "Detect"},
            {"id": "DE.AE-5", "description": "Incident alert thresholds are established", "category": "Detect"},
            {"id": "DE.CM-1", "description": "The network is monitored to detect potential cybersecurity events", "category": "Detect"},
            {"id": "DE.CM-2", "description": "The physical environment is monitored to detect potential cybersecurity events", "category": "Detect"},
            {"id": "DE.CM-3", "description": "Personnel activity is monitored to detect potential cybersecurity events", "category": "Detect"},
            {"id": "DE.CM-4", "description": "Malicious code is detected", "category": "Detect"},
            {"id": "DE.CM-5", "description": "Unauthorized mobile code is detected", "category": "Detect"},
            {"id": "DE.CM-6", "description": "External service provider activity is monitored to detect potential cybersecurity events", "category": "Detect"},
            {"id": "DE.CM-7", "description": "Monitoring for unauthorized personnel, connections, devices, and software is performed", "category": "Detect"},
            {"id": "DE.CM-8", "description": "Vulnerability scans are performed", "category": "Detect"},
            {"id": "DE.DP-1", "description": "Roles and responsibilities for detection are well defined to ensure accountability", "category": "Detect"},
            {"id": "DE.DP-2", "description": "Detection activities comply with all applicable requirements", "category": "Detect"},
            {"id": "DE.DP-3", "description": "Detection processes are tested", "category": "Detect"},
            {"id": "DE.DP-4", "description": "Event detection information is communicated to appropriate parties", "category": "Detect"},
            {"id": "DE.DP-5", "description": "Detection processes are continuously improved", "category": "Detect"},
            {"id": "RS.RP-1", "description": "Response plan is executed during or after an event", "category": "Respond"},
            {"id": "RS.CO-1", "description": "Personnel know their roles and order of operations when a response is needed", "category": "Respond"},
            {"id": "RS.CO-2", "description": "Events are reported consistent with established criteria", "category": "Respond"},
            {"id": "RS.CO-3", "description": "Information is shared consistent with response plans", "category": "Respond"},
            {"id": "RS.CO-4", "description": "Coordination with stakeholders occurs consistent with response plans", "category": "Respond"},
            {"id": "RS.CO-5", "description": "Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness", "category": "Respond"},
            {"id": "RS.AN-1", "description": "Notifications from detection systems are investigated", "category": "Respond"},
            {"id": "RS.AN-2", "description": "The impact of the incident is understood", "category": "Respond"},
            {"id": "RS.AN-3", "description": "Forensics are performed", "category": "Respond"},
            {"id": "RS.AN-4", "description": "Incidents are categorized consistent with response plans", "category": "Respond"},
            {"id": "RS.MI-1", "description": "Incidents are contained", "category": "Respond"},
            {"id": "RS.MI-2", "description": "Incidents are mitigated", "category": "Respond"},
            {"id": "RS.MI-3", "description": "Newly identified vulnerabilities are mitigated or documented as accepted risks", "category": "Respond"},
            {"id": "RS.IM-1", "description": "Response plans incorporate lessons learned", "category": "Respond"},
            {"id": "RS.IM-2", "description": "Response strategies are updated", "category": "Respond"},
            {"id": "RC.RP-1", "description": "Recovery plan is executed during or after an event", "category": "Recover"},
            {"id": "RC.IM-1", "description": "Recovery plans incorporate lessons learned", "category": "Recover"},
            {"id": "RC.IM-2", "description": "Recovery strategies are updated", "category": "Recover"},
            {"id": "RC.CO-1", "description": "Public relations are managed", "category": "Recover"},
            {"id": "RC.CO-2", "description": "Reputation is repaired after an incident", "category": "Recover"},
            {"id": "RC.CO-3", "description": "Recovery activities are communicated to internal stakeholders and executive and management teams", "category": "Recover"}
        ]
    },
    "PCIDSS": {
        "name": "PCI DSS v4.0",
        # One sample sub-requirement per top-level PCI DSS requirement (1–12).
        "controls": [
            {"id": "1.1.1", "description": "Establish and implement firewall and router configuration standards", "category": "Network Security"},
            {"id": "1.2.1", "description": "Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment", "category": "Network Security"},
            {"id": "1.3.1", "description": "Implement DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports", "category": "Network Security"},
            {"id": "1.4.1", "description": "Do not allow unauthorized outbound traffic from the cardholder data environment to the internet", "category": "Network Security"},
            {"id": "2.1.1", "description": "Change vendor-supplied defaults before installing a system on the network", "category": "Vendor Defaults"},
            {"id": "2.2.1", "description": "Develop configuration standards for all system components", "category": "System Configuration"},
            {"id": "3.1.1", "description": "Keep cardholder data storage to a minimum", "category": "Data Protection"},
            {"id": "3.2.1", "description": "Do not store sensitive authentication data after authorization", "category": "Data Protection"},
            {"id": "4.1.1", "description": "Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks", "category": "Encryption"},
            {"id": "5.1.1", "description": "Deploy anti-virus software on all systems commonly affected by malicious software", "category": "Malware Protection"},
            {"id": "6.1.1", "description": "Establish a process to identify security vulnerabilities", "category": "Vulnerability Management"},
            {"id": "7.1.1", "description": "Limit access to system components and cardholder data to only those individuals whose job requires such access", "category": "Access Control"},
            {"id": "8.1.1", "description": "Assign all users a unique ID before allowing them to access system components or cardholder data", "category": "Access Control"},
            {"id": "9.1.1", "description": "Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment", "category": "Physical Security"},
            {"id": "10.1.1", "description": "Implement audit trails to link all access to system components to each individual user", "category": "Monitoring"},
            {"id": "11.1.1", "description": "Test for the presence of wireless access points and detect and identify all authorized and unauthorized wireless access points", "category": "Testing"},
            {"id": "12.1.1", "description": "Establish, publish, maintain, and disseminate a security policy", "category": "Policy"}
        ]
    }
}
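def _controls_for(frameworks, table=None):
    """Return copies of the controls of *frameworks*, each tagged with a 'framework' key.

    Args:
        frameworks: framework keys, in the order they should appear.
        table: framework table to read; defaults to the module-level
            COMPLIANCE_FRAMEWORKS (resolved at call time so tests can inject one).

    Returns:
        A flat list of new dicts ({id, description, category, framework}).
        Copies are returned on purpose: the previous implementation assigned
        control['framework'] on the shared module-level dicts, mutating the
        constant on every Streamlit rerun.
    """
    if table is None:
        table = COMPLIANCE_FRAMEWORKS
    return [
        {**control, "framework": framework}
        for framework in frameworks
        for control in table[framework]["controls"]
    ]


def main():
    """Render the Streamlit UI: framework selection, per-control checkboxes, export buttons.

    Streamlit re-executes this function on every interaction; the only state it
    relies on is widget state (checkbox keys are "<framework>_<id>") and the
    read-only COMPLIANCE_FRAMEWORKS table.
    """
    st.title("π Cybersecurity Compliance Checklist Creator")
    st.markdown("Create customized checklists for various cybersecurity compliance frameworks")

    # Sidebar for framework selection
    st.sidebar.header("Framework Selection")
    selected_frameworks = st.sidebar.multiselect(
        "Select Compliance Frameworks:",
        list(COMPLIANCE_FRAMEWORKS.keys()),
        default=["ISO27001"],
    )

    # Main content area
    if not selected_frameworks:
        st.warning("Please select at least one compliance framework from the sidebar.")
        return

    # Display selected frameworks, one column each
    st.header("Selected Frameworks")
    cols = st.columns(len(selected_frameworks))
    for col, framework in zip(cols, selected_frameworks):
        with col:
            st.info(f"**{COMPLIANCE_FRAMEWORKS[framework]['name']}**")

    # Checklist creation section
    st.header("π Checklist Items")
    all_controls = _controls_for(selected_frameworks)

    selected_controls = []

    # Group by category for better organization; categories are shown in sorted
    # order, controls within a category in table order.
    categories = sorted({control["category"] for control in all_controls})
    for category in categories:
        st.subheader(f"Category: {category}")
        for control in (c for c in all_controls if c["category"] == category):
            col1, col2 = st.columns([1, 4])
            with col1:
                selected = st.checkbox(
                    f"Select {control['id']}",
                    # framework prefix keeps widget keys unique if two frameworks share an id
                    key=f"{control['framework']}_{control['id']}",
                )
            with col2:
                st.write(f"**{control['id']}** - {control['description']}")
                st.caption(f"Framework: {control['framework']}")
            if selected:
                selected_controls.append(control)

    # Export options
    if selected_controls:
        st.header("π€ Export Checklist")
        col1, col2, col3 = st.columns(3)
        # NOTE: each st.download_button is created inside an st.button branch.
        # Clicking the download widget triggers a rerun in which the outer button
        # reads False, so the download widget disappears again; the download
        # itself is normally still served. Rendering the download buttons
        # directly would avoid the flicker at the cost of building all three
        # files on every rerun.
        with col1:
            if st.button("π Export to Word Document"):
                export_to_word(selected_controls)
        with col2:
            if st.button("π Export to Excel"):
                export_to_excel(selected_controls)
        with col3:
            if st.button("π Export to CSV"):
                export_to_csv(selected_controls)

        # Display selected items
        st.subheader("Selected Items Summary")
        df_selected = pd.DataFrame(selected_controls)
        st.dataframe(df_selected[["framework", "id", "description", "category"]])
        st.success(f"β Selected {len(selected_controls)} controls for your checklist")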
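def export_to_word(controls):
    """Render *controls* as a .docx checklist and offer it through st.download_button.

    Args:
        controls: dicts with at least 'framework', 'category', 'id' and
            'description'. 'framework' must be a key of COMPLIANCE_FRAMEWORKS,
            whose display name becomes the level-1 heading.

    Layout: one level-1 heading per framework, one level-2 heading plus a
    3-column table (Control ID / Description / Status) per category, both in
    first-seen order. The document is built in memory only; nothing touches disk.
    """
    doc = Document()
    doc.add_heading('Cybersecurity Compliance Checklist', 0)

    # Group by framework, then by category within it (insertion order kept)
    by_framework = defaultdict(lambda: defaultdict(list))
    for control in controls:
        by_framework[control['framework']][control['category']].append(control)

    for framework, categories in by_framework.items():
        doc.add_heading(f'Framework: {COMPLIANCE_FRAMEWORKS[framework]["name"]}', level=1)
        for category, category_controls in categories.items():
            doc.add_heading(f'Category: {category}', level=2)
            table = doc.add_table(rows=1, cols=3)
            table.style = 'Table Grid'
            hdr_cells = table.rows[0].cells
            hdr_cells[0].text = 'Control ID'
            hdr_cells[1].text = 'Description'
            hdr_cells[2].text = 'Status'
            for control in category_controls:
                row_cells = table.add_row().cells
                row_cells[0].text = control['id']
                row_cells[1].text = control['description']
                # NOTE(review): the status glyphs look mojibaked in this listing;
                # confirm they are checkbox characters in the source file.
                row_cells[2].text = 'β‘ Not Implemented β‘ In Progress β‘ Implemented'

    # Save to bytes buffer and hand it to the download widget
    buffer = io.BytesIO()
    doc.save(buffer)
    buffer.seek(0)

    st.download_button(
        label="β¬οΈ Download Word Document",
        data=buffer,
        file_name="compliance_checklist.docx",
        mime="application/vnd.openxmlformats-officedocument.wordprocessingml.document"
    )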
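# Column layout of the exported tracker sheet.
_CHECKLIST_COLUMNS = ['framework', 'category', 'id', 'description', 'Status', 'Implementation Date', 'Responsible Person', 'Notes']


def _checklist_frame(controls):
    """Build the tracker DataFrame for *controls* in _CHECKLIST_COLUMNS order.

    Adds the empty tracking columns ('Status' defaults to 'Not Started'). Any
    extra keys on the control dicts are dropped; an empty *controls* list yields
    an empty frame with the same columns instead of raising.
    """
    df = pd.DataFrame(controls, columns=['framework', 'category', 'id', 'description'])
    df['Status'] = 'Not Started'
    df['Notes'] = ''
    df['Implementation Date'] = ''
    df['Responsible Person'] = ''
    # Reorder columns for better readability
    return df[_CHECKLIST_COLUMNS]


def export_to_excel(controls):
    """Render *controls* as a one-sheet .xlsx tracker and offer it through st.download_button.

    Args:
        controls: dicts with 'framework', 'category', 'id' and 'description'.

    The workbook is written to an in-memory buffer via the openpyxl engine;
    column widths are fitted to content and capped at 50 characters.
    """
    df = _checklist_frame(controls)

    buffer = io.BytesIO()
    with pd.ExcelWriter(buffer, engine='openpyxl') as writer:
        df.to_excel(writer, sheet_name='Compliance Checklist', index=False)

        # Auto-fit column widths from the longest cell text. Empty cells are
        # skipped (the previous code measured the string "None" for them and
        # hid that behind a bare except), so the header row sets the floor.
        worksheet = writer.sheets['Compliance Checklist']
        for column_cells in worksheet.columns:
            longest = max(
                (len(str(cell.value)) for cell in column_cells if cell.value is not None),
                default=0,
            )
            worksheet.column_dimensions[column_cells[0].column_letter].width = min(longest + 2, 50)

    buffer.seek(0)

    st.download_button(
        label="β¬οΈ Download Excel Spreadsheet",
        data=buffer,
        file_name="compliance_checklist.xlsx",
        mime="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
    )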
def export_to_csv(controls):
    """Serialize *controls* to CSV with blank tracking columns and offer it through st.download_button.

    Args:
        controls: dicts with 'framework', 'category', 'id' and 'description'.

    Columns are the control keys in their original order followed by
    'Status' ('Not Started'), 'Notes', 'Implementation Date' and
    'Responsible Person', all written without an index.
    """
    tracking_columns = {
        'Status': 'Not Started',
        'Notes': '',
        'Implementation Date': '',
        'Responsible Person': '',
    }
    # assign() appends the new columns in dict order, so the layout matches the
    # column-by-column assignment this replaces.
    frame = pd.DataFrame(controls).assign(**tracking_columns)

    # NOTE(review): cell text is written verbatim. The descriptions are static
    # today, but if they ever become user-editable, neutralise leading
    # '=', '+', '-' and '@' before export — CSV opened in a spreadsheet
    # interprets such cells as formulas (CSV/formula injection).
    csv = frame.to_csv(index=False)

    st.download_button(
        label="β¬οΈ Download CSV File",
        data=csv,
        file_name="compliance_checklist.csv",
        mime="text/csv"
    )
# Entry point: `streamlit run` executes this module as __main__, so main()
# runs on every rerun of the script.
if __name__ == "__main__":
    main()