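import streamlit as st
import pandas as pd
from docx import Document
import io
import json

# Page configuration
st.set_page_config(
    page_title="Cybersecurity Compliance Checklist Creator",
    page_icon="🔒",
    layout="wide",
)

# Sample compliance frameworks data.
# NOTE(review): these are illustrative subsets, not the authoritative control
# catalogues. The ISO entry is labelled 27001:2022 but its control numbering
# (A.5 .. A.18) follows the 2013 edition's Annex A layout (the 2022 edition
# regroups controls under A.5-A.8); the NIST entries read like CSF 1.1
# subcategories and the PCI DSS wording resembles pre-v4.0 requirement text.
# Verify against the licensed standard before treating an exported checklist
# as audit evidence.
COMPLIANCE_FRAMEWORKS = {
    "ISO27001": {
        "name": "ISO/IEC 27001:2022",
        "controls": [
            {"id": "A.5.1", "description": "Information security policies", "category": "Organizational"},
            {"id": "A.5.2", "description": "Information security roles and responsibilities", "category": "Organizational"},
            {"id": "A.5.3", "description": "Segregation of duties", "category": "Organizational"},
            {"id": "A.5.4", "description": "Management responsibilities", "category": "Organizational"},
            {"id": "A.6.1", "description": "Information security in project management", "category": "Organizational"},
            {"id": "A.7.1", "description": "Personnel screening", "category": "Human Resources"},
            {"id": "A.7.2", "description": "Terms and conditions of employment", "category": "Human Resources"},
            {"id": "A.8.1", "description": "Inventory of assets", "category": "Asset Management"},
            {"id": "A.8.2", "description": "Ownership of assets", "category": "Asset Management"},
            {"id": "A.9.1", "description": "Access control policy", "category": "Access Control"},
            {"id": "A.9.2", "description": "User access management", "category": "Access Control"},
            {"id": "A.9.3", "description": "User responsibilities", "category": "Access Control"},
            {"id": "A.9.4", "description": "System and application access control", "category": "Access Control"},
            {"id": "A.10.1", "description": "Cryptographic controls", "category": "Cryptography"},
            {"id": "A.11.1", "description": "Physical security perimeters", "category": "Physical Security"},
            {"id": "A.11.2", "description": "Physical entry controls", "category": "Physical Security"},
            {"id": "A.12.1", "description": "Operational procedures", "category": "Operations Security"},
            {"id": "A.12.2", "description": "Protection from malware", "category": "Operations Security"},
            {"id": "A.12.3", "description": "Backup", "category": "Operations Security"},
            {"id": "A.12.4", "description": "Logging and monitoring", "category": "Operations Security"},
            {"id": "A.12.5", "description": "Control of operational software", "category": "Operations Security"},
            {"id": "A.12.6", "description": "Technical vulnerability management", "category": "Operations Security"},
            {"id": "A.12.7", "description": "Information systems audit considerations", "category": "Operations Security"},
            {"id": "A.13.1", "description": "Network security management", "category": "Communications Security"},
            {"id": "A.13.2", "description": "Information transfer", "category": "Communications Security"},
            {"id": "A.14.1", "description": "Security requirements of information systems", "category": "System Development"},
            {"id": "A.14.2", "description": "Security in development and support processes", "category": "System Development"},
            {"id": "A.14.3", "description": "Test data", "category": "System Development"},
            {"id": "A.15.1", "description": "Information security in supplier relationships", "category": "Supplier Relationships"},
            {"id": "A.15.2", "description": "Supplier service delivery management", "category": "Supplier Relationships"},
            {"id": "A.16.1", "description": "Management of information security incidents and improvements", "category": "Incident Management"},
            {"id": "A.17.1", "description": "Information security continuity", "category": "Business Continuity"},
            {"id": "A.17.2", "description": "Redundancies", "category": "Business Continuity"},
            {"id": "A.18.1", "description": "Compliance with legal and contractual requirements", "category": "Compliance"},
        ],
    },
    "NIST": {
        "name": "NIST Cybersecurity Framework",
        "controls": [
            {"id": "ID.AM-1", "description": "Physical devices and systems within the organization are inventoried", "category": "Identify"},
            {"id": "ID.AM-2", "description": "Software platforms and applications within the organization are inventoried", "category": "Identify"},
            {"id": "ID.AM-3", "description": "Organizational communication and data flows are mapped", "category": "Identify"},
            {"id": "ID.AM-4", "description": "External information systems are catalogued", "category": "Identify"},
            {"id": "ID.AM-5", "description": "Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value", "category": "Identify"},
            {"id": "ID.AM-6", "description": "Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established", "category": "Identify"},
            {"id": "PR.AC-1", "description": "Identities and credentials are managed for authorized devices and users", "category": "Protect"},
            {"id": "PR.AC-2", "description": "Physical access to assets is managed and protected", "category": "Protect"},
            {"id": "PR.AC-3", "description": "Remote access is managed", "category": "Protect"},
            {"id": "PR.AC-4", "description": "Access permissions are managed, incorporating the principles of least privilege and separation of duties", "category": "Protect"},
            {"id": "PR.AC-5", "description": "Network integrity is protected, incorporating network segregation where appropriate", "category": "Protect"},
            {"id": "PR.AT-1", "description": "All users are informed and trained", "category": "Protect"},
            {"id": "PR.AT-2", "description": "Privileged users understand their roles and responsibilities", "category": "Protect"},
            {"id": "PR.AT-3", "description": "Third-party stakeholders understand their roles and responsibilities", "category": "Protect"},
            {"id": "PR.AT-4", "description": "Senior executives understand their roles and responsibilities", "category": "Protect"},
            {"id": "PR.AT-5", "description": "Physical and cybersecurity personnel understand their roles and responsibilities", "category": "Protect"},
            {"id": "PR.DS-1", "description": "Data-at-rest is protected", "category": "Protect"},
            {"id": "PR.DS-2", "description": "Data-in-transit is protected", "category": "Protect"},
            {"id": "PR.DS-3", "description": "Assets are formally managed throughout removal, transfers, and disposition", "category": "Protect"},
            {"id": "PR.DS-4", "description": "Adequate capacity to ensure availability is maintained", "category": "Protect"},
            {"id": "PR.DS-5", "description": "Protections against data leaks are implemented", "category": "Protect"},
            {"id": "PR.DS-6", "description": "Integrity checking mechanisms are used to verify software, firmware, and information integrity", "category": "Protect"},
            {"id": "PR.DS-7", "description": "The development and testing environment(s) are separate from the production environment", "category": "Protect"},
            {"id": "PR.IP-1", "description": "A baseline configuration of information technology/industrial control systems is created and maintained", "category": "Protect"},
            {"id": "PR.IP-2", "description": "A System Development Life Cycle to manage systems is implemented", "category": "Protect"},
            {"id": "PR.IP-3", "description": "Configuration change control processes are in place", "category": "Protect"},
            {"id": "PR.IP-4", "description": "Backups of information are conducted, maintained, and tested periodically", "category": "Protect"},
            {"id": "PR.IP-5", "description": "Policy and regulations regarding the physical operating environment for organizational assets are met", "category": "Protect"},
            {"id": "PR.IP-6", "description": "Data is destroyed according to policy", "category": "Protect"},
            {"id": "PR.IP-7", "description": "Protection processes are continuously improved", "category": "Protect"},
            {"id": "PR.IP-8", "description": "Effectiveness of protection technologies is shared with appropriate parties", "category": "Protect"},
            {"id": "PR.IP-9", "description": "Response plans (Incident Response and Business Continuity) and recovery plans (Disaster Recovery) are in place and managed", "category": "Protect"},
            {"id": "PR.IP-10", "description": "Response and recovery plans are tested", "category": "Protect"},
            {"id": "PR.IP-11", "description": "Cybersecurity is included in human resources practices", "category": "Protect"},
            {"id": "PR.IP-12", "description": "A vulnerability management plan is developed and implemented", "category": "Protect"},
            {"id": "PR.PT-1", "description": "Audit/log records are determined, documented, implemented, and reviewed in accordance with policy", "category": "Protect"},
            {"id": "PR.PT-2", "description": "Removable media is protected and its use restricted according to policy", "category": "Protect"},
            {"id": "PR.PT-3", "description": "Access to systems and assets is controlled, incorporating the principle of least functionality", "category": "Protect"},
            {"id": "PR.PT-4", "description": "Communications and control networks are protected", "category": "Protect"},
            {"id": "PR.PT-5", "description": "Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations", "category": "Protect"},
            {"id": "DE.AE-1", "description": "A baseline of network operations and expected data flows for users and systems is established and managed", "category": "Detect"},
            {"id": "DE.AE-2", "description": "Detected events are analyzed to understand attack targets and methods", "category": "Detect"},
            {"id": "DE.AE-3", "description": "Event data are aggregated and correlated from multiple sources and sensors", "category": "Detect"},
            {"id": "DE.AE-4", "description": "Impact of events is determined", "category": "Detect"},
            {"id": "DE.AE-5", "description": "Incident alert thresholds are established", "category": "Detect"},
            {"id": "DE.CM-1", "description": "The network is monitored to detect potential cybersecurity events", "category": "Detect"},
            {"id": "DE.CM-2", "description": "The physical environment is monitored to detect potential cybersecurity events", "category": "Detect"},
            {"id": "DE.CM-3", "description": "Personnel activity is monitored to detect potential cybersecurity events", "category": "Detect"},
            {"id": "DE.CM-4", "description": "Malicious code is detected", "category": "Detect"},
            {"id": "DE.CM-5", "description": "Unauthorized mobile code is detected", "category": "Detect"},
            {"id": "DE.CM-6", "description": "External service provider activity is monitored to detect potential cybersecurity events", "category": "Detect"},
            {"id": "DE.CM-7", "description": "Monitoring for unauthorized personnel, connections, devices, and software is performed", "category": "Detect"},
            {"id": "DE.CM-8", "description": "Vulnerability scans are performed", "category": "Detect"},
            {"id": "DE.DP-1", "description": "Roles and responsibilities for detection are well defined to ensure accountability", "category": "Detect"},
            {"id": "DE.DP-2", "description": "Detection activities comply with all applicable requirements", "category": "Detect"},
            {"id": "DE.DP-3", "description": "Detection processes are tested", "category": "Detect"},
            {"id": "DE.DP-4", "description": "Event detection information is communicated to appropriate parties", "category": "Detect"},
            {"id": "DE.DP-5", "description": "Detection processes are continuously improved", "category": "Detect"},
            {"id": "RS.RP-1", "description": "Response plan is executed during or after an event", "category": "Respond"},
            {"id": "RS.CO-1", "description": "Personnel know their roles and order of operations when a response is needed", "category": "Respond"},
            {"id": "RS.CO-2", "description": "Events are reported consistent with established criteria", "category": "Respond"},
            {"id": "RS.CO-3", "description": "Information is shared consistent with response plans", "category": "Respond"},
            {"id": "RS.CO-4", "description": "Coordination with stakeholders occurs consistent with response plans", "category": "Respond"},
            {"id": "RS.CO-5", "description": "Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness", "category": "Respond"},
            {"id": "RS.AN-1", "description": "Notifications from detection systems are investigated", "category": "Respond"},
            {"id": "RS.AN-2", "description": "The impact of the incident is understood", "category": "Respond"},
            {"id": "RS.AN-3", "description": "Forensics are performed", "category": "Respond"},
            {"id": "RS.AN-4", "description": "Incidents are categorized consistent with response plans", "category": "Respond"},
            {"id": "RS.MI-1", "description": "Incidents are contained", "category": "Respond"},
            {"id": "RS.MI-2", "description": "Incidents are mitigated", "category": "Respond"},
            {"id": "RS.MI-3", "description": "Newly identified vulnerabilities are mitigated or documented as accepted risks", "category": "Respond"},
            {"id": "RS.IM-1", "description": "Response plans incorporate lessons learned", "category": "Respond"},
            {"id": "RS.IM-2", "description": "Response strategies are updated", "category": "Respond"},
            {"id": "RC.RP-1", "description": "Recovery plan is executed during or after an event", "category": "Recover"},
            {"id": "RC.IM-1", "description": "Recovery plans incorporate lessons learned", "category": "Recover"},
            {"id": "RC.IM-2", "description": "Recovery strategies are updated", "category": "Recover"},
            {"id": "RC.CO-1", "description": "Public relations are managed", "category": "Recover"},
            {"id": "RC.CO-2", "description": "Reputation is repaired after an incident", "category": "Recover"},
            {"id": "RC.CO-3", "description": "Recovery activities are communicated to internal stakeholders and executive and management teams", "category": "Recover"},
        ],
    },
    "PCIDSS": {
        "name": "PCI DSS v4.0",
        "controls": [
            {"id": "1.1.1", "description": "Establish and implement firewall and router configuration standards", "category": "Network Security"},
            {"id": "1.2.1", "description": "Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment", "category": "Network Security"},
            {"id": "1.3.1", "description": "Implement DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports", "category": "Network Security"},
            {"id": "1.4.1", "description": "Do not allow unauthorized outbound traffic from the cardholder data environment to the internet", "category": "Network Security"},
            {"id": "2.1.1", "description": "Change vendor-supplied defaults before installing a system on the network", "category": "Vendor Defaults"},
            {"id": "2.2.1", "description": "Develop configuration standards for all system components", "category": "System Configuration"},
            {"id": "3.1.1", "description": "Keep cardholder data storage to a minimum", "category": "Data Protection"},
            {"id": "3.2.1", "description": "Do not store sensitive authentication data after authorization", "category": "Data Protection"},
            {"id": "4.1.1", "description": "Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks", "category": "Encryption"},
            {"id": "5.1.1", "description": "Deploy anti-virus software on all systems commonly affected by malicious software", "category": "Malware Protection"},
            {"id": "6.1.1", "description": "Establish a process to identify security vulnerabilities", "category": "Vulnerability Management"},
            {"id": "7.1.1", "description": "Limit access to system components and cardholder data to only those individuals whose job requires such access", "category": "Access Control"},
            {"id": "8.1.1", "description": "Assign all users a unique ID before allowing them to access system components or cardholder data", "category": "Access Control"},
            {"id": "9.1.1", "description": "Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment", "category": "Physical Security"},
            {"id": "10.1.1", "description": "Implement audit trails to link all access to system components to each individual user", "category": "Monitoring"},
            {"id": "11.1.1", "description": "Test for the presence of wireless access points and detect and identify all authorized and unauthorized wireless access points", "category": "Testing"},
            {"id": "12.1.1", "description": "Establish, publish, maintain, and disseminate a security policy", "category": "Policy"},
        ],
    },
}

# Tracking columns appended to the spreadsheet/CSV exports, with their initial values.
TRACKING_COLUMNS = {
    "Status": "Not Started",
    "Notes": "",
    "Implementation Date": "",
    "Responsible Person": "",
}

# Column order shared by the Excel and CSV exports.
EXPORT_COLUMNS = [
    "framework",
    "category",
    "id",
    "description",
    "Status",
    "Implementation Date",
    "Responsible Person",
    "Notes",
]


def _collect_controls(framework_keys):
    """Return a copy of every control in *framework_keys*, tagged with its framework key.

    Copies are deliberate: Streamlit re-executes this script on every
    interaction and module-level state is shared across sessions, so the
    catalogue in COMPLIANCE_FRAMEWORKS must never be mutated in place.

    Args:
        framework_keys: iterable of keys into COMPLIANCE_FRAMEWORKS.

    Returns:
        list of dicts with keys id, description, category, framework.
    """
    return [
        {**control, "framework": framework}
        for framework in framework_keys
        for control in COMPLIANCE_FRAMEWORKS[framework]["controls"]
    ]


def _with_tracking_columns(controls):
    """Build the export DataFrame: selected controls plus empty tracking columns.

    Args:
        controls: list of control dicts as produced by main() (must carry the
            framework, category, id and description keys).

    Returns:
        DataFrame in EXPORT_COLUMNS order.
    """
    df = pd.DataFrame(controls)
    for column, initial in TRACKING_COLUMNS.items():
        df[column] = initial
    return df[EXPORT_COLUMNS]


def main():
    """Render the app: framework selection, per-category checklist, and exports."""
    st.title("🔒 Cybersecurity Compliance Checklist Creator")
    st.markdown("Create customized checklists for various cybersecurity compliance frameworks")

    # Sidebar for framework selection
    st.sidebar.header("Framework Selection")
    selected_frameworks = st.sidebar.multiselect(
        "Select Compliance Frameworks:",
        list(COMPLIANCE_FRAMEWORKS.keys()),
        default=["ISO27001"],
    )

    if not selected_frameworks:
        st.warning("Please select at least one compliance framework from the sidebar.")
        return

    # Display selected frameworks
    st.header("Selected Frameworks")
    cols = st.columns(len(selected_frameworks))
    for col, framework in zip(cols, selected_frameworks):
        with col:
            st.info(f"**{COMPLIANCE_FRAMEWORKS[framework]['name']}**")

    # Checklist creation section
    st.header("📋 Checklist Items")
    df_controls = pd.DataFrame(_collect_controls(selected_frameworks))

    selected_controls = []
    # Group by category so controls from several frameworks sit together.
    for category in sorted(df_controls["category"].unique()):
        st.subheader(f"Category: {category}")
        category_controls = df_controls[df_controls["category"] == category]
        for _, control in category_controls.iterrows():
            col1, col2 = st.columns([1, 4])
            with col1:
                # Widget key is framework-qualified so equal ids in different
                # frameworks cannot collide.
                selected = st.checkbox(
                    f"Select {control['id']}",
                    key=f"{control['framework']}_{control['id']}",
                )
            with col2:
                st.write(f"**{control['id']}** - {control['description']}")
                st.caption(f"Framework: {control['framework']}")
            if selected:
                selected_controls.append(control.to_dict())

    if not selected_controls:
        return

    # Export options. The download buttons are rendered directly instead of
    # behind st.button: a st.button click is True for a single rerun only, so a
    # download_button created inside it vanished on the next rerun and the
    # user needed two clicks to get the file.
    st.header("📤 Export Checklist")
    col1, col2, col3 = st.columns(3)
    with col1:
        export_to_word(selected_controls)
    with col2:
        export_to_excel(selected_controls)
    with col3:
        export_to_csv(selected_controls)

    # Display selected items
    st.subheader("Selected Items Summary")
    df_selected = pd.DataFrame(selected_controls)
    st.dataframe(df_selected[["framework", "id", "description", "category"]])
    st.success(f"✅ Selected {len(selected_controls)} controls for your checklist")


def export_to_word(controls):
    """Render a download button for a .docx checklist of *controls*.

    The document has one level-1 heading per framework, a level-2 heading per
    category, and a three-column table (Control ID / Description / Status).

    Args:
        controls: list of control dicts carrying framework, category, id and
            description keys.
    """
    doc = Document()
    doc.add_heading("Cybersecurity Compliance Checklist", 0)

    # Group by framework, preserving the order controls were selected in.
    by_framework = {}
    for control in controls:
        by_framework.setdefault(control["framework"], []).append(control)

    for framework, framework_controls in by_framework.items():
        doc.add_heading(f'Framework: {COMPLIANCE_FRAMEWORKS[framework]["name"]}', level=1)

        # Group by category within framework
        by_category = {}
        for control in framework_controls:
            by_category.setdefault(control["category"], []).append(control)

        for category, category_controls in by_category.items():
            doc.add_heading(f"Category: {category}", level=2)

            table = doc.add_table(rows=1, cols=3)
            table.style = "Table Grid"
            hdr_cells = table.rows[0].cells
            hdr_cells[0].text = "Control ID"
            hdr_cells[1].text = "Description"
            hdr_cells[2].text = "Status"

            for control in category_controls:
                row_cells = table.add_row().cells
                row_cells[0].text = control["id"]
                row_cells[1].text = control["description"]
                row_cells[2].text = "□ Not Implemented □ In Progress □ Implemented"

    # Save to bytes buffer
    buffer = io.BytesIO()
    doc.save(buffer)

    st.download_button(
        label="⬇️ Download Word Document",
        data=buffer.getvalue(),
        file_name="compliance_checklist.docx",
        mime="application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    )


def export_to_excel(controls):
    """Render a download button for an .xlsx checklist of *controls*.

    Adds the tracking columns from TRACKING_COLUMNS and widens each column to
    its longest value (capped at 50 characters).

    Args:
        controls: list of control dicts carrying framework, category, id and
            description keys.
    """
    df = _with_tracking_columns(controls)

    buffer = io.BytesIO()
    with pd.ExcelWriter(buffer, engine="openpyxl") as writer:
        df.to_excel(writer, sheet_name="Compliance Checklist", index=False)

        # Auto-adjust columns' width. Empty cells (None) contribute nothing;
        # the previous bare except/pass is no longer needed.
        worksheet = writer.sheets["Compliance Checklist"]
        for column in worksheet.columns:
            column_letter = column[0].column_letter
            max_length = max(
                (len(str(cell.value)) for cell in column if cell.value is not None),
                default=0,
            )
            worksheet.column_dimensions[column_letter].width = min(max_length + 2, 50)

    st.download_button(
        label="⬇️ Download Excel Spreadsheet",
        data=buffer.getvalue(),
        file_name="compliance_checklist.xlsx",
        mime="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    )


def export_to_csv(controls):
    """Render a download button for a CSV checklist of *controls*.

    Uses the same columns and order as the Excel export so the two files are
    interchangeable.

    Args:
        controls: list of control dicts carrying framework, category, id and
            description keys.
    """
    csv = _with_tracking_columns(controls).to_csv(index=False)

    st.download_button(
        label="⬇️ Download CSV File",
        data=csv,
        file_name="compliance_checklist.csv",
        mime="text/csv",
    )


if __name__ == "__main__":
    main()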