
# Test fixture: a well-formed Gemara Policy document (the "good" case used by
# the test suite). Sections, top to bottom: metadata, title/contacts, scope,
# imports (catalog/guidance references) and adherence (how the policy is
# evaluated and enforced).
metadata:
  id: "security-policy-001"
  type: Policy
  # Schema version this document targets. NOTE(review): pinned at 0.20.0 while
  # the listing comes from module v0.23.0 — confirm the fixture tracks the
  # schema version the tests are meant to exercise.
  gemara-version: "0.20.0"
  description: "Establish comprehensive information security controls and procedures to protect organizational assets"
  # Version of the policy document itself, distinct from gemara-version above.
  version: "2.1.0"
  author:
    id: security-team
    name: "Security Team"
    type: Human
    contact:
      name: "Security Team Lead"
      affiliation: "Security Department"
      email: "security-lead@company.com"
  # External frameworks this policy maps to. The ids declared here
  # ("NIST-800-53", "ISO-27001") are the values that imports.catalogs[] and
  # imports.guidance[] reference-id entries below point back to.
  mapping-references:
    - id: "NIST-800-53"
      title: "NIST Special Publication 800-53"
      version: "Rev. 5"
      description: "Security and Privacy Controls for Federal Information Systems"
      url: "https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final"
    - id: "ISO-27001"
      title: "ISO/IEC 27001"
      version: "2022"
      description: "Information security management systems"
      url: "https://www.iso.org/standard/27001"

title: "Information Security Policy"
# Role lists (responsible / accountable / consulted / informed). Email is
# present on every entry except the "informed" one, which carries only a name
# and affiliation.
contacts:
  responsible:
    - name: "IT Director"
      affiliation: "Information Technology"
      email: "it-director@company.com"
    - name: "Compliance Officer"
      affiliation: "Legal & Compliance"
      email: "compliance@company.com"
  accountable:
    - name: "Chief Information Security Officer"
      affiliation: "Executive Team"
      email: "ciso@company.com"
  consulted:
    - name: "Legal Counsel"
      affiliation: "Legal Department"
      email: "legal@company.com"
  informed:
    - name: "All Employees"
      affiliation: "Company-wide"

# Only an "in" scope is declared here; no exclusions are listed.
scope:
  in:
    geopolitical:
      - "United States"
      - "European Union"
      - "Canada"
    technologies:
      - "Cloud Computing"
      - "Mobile Devices"
      - "Web Applications"
      - "Database Systems"

imports:
  catalogs:
    # reference-id must match a metadata.mapping-references[].id above.
    - reference-id: "NIST-800-53"
      # target-id values ("AC-1", "AC-1.1") name entries in the external
      # NIST-800-53 catalog; they cannot be resolved from this file alone.
      constraints:
        - id: "nist-cloud-constraint"
          target-id: "AC-1"
          text: "Enhanced access control requirements for cloud environments"
      assessment-requirement-modifications:
        - id: "nist-ac1-mod"
          target-id: "AC-1.1"
          modification-type: "Modify"
          modification-rationale: "Clarified assessment procedures for multi-cloud environments"
          text: "Assessment procedures must include multi-cloud environment considerations"
          applicability:
            - "cloud"
            - "multi-cloud"
          recommendation: "Conduct quarterly assessments"
  guidance:
    - reference-id: "ISO-27001"

adherence:
  evaluation-methods:
    - id: "EV-AUTO-01"
      type: "Behavioral"
      mode: "Automated"
      required: true
      description: "Automated compliance scanning of cloud environments"
    # NOTE(review): no `required` key on this entry, unlike the other two
    # methods — confirm whether the loader defaults it to false or whether the
    # omission is itself part of what this fixture is testing.
    - id: "EV-MANUAL-01"
      type: "Behavioral"
      mode: "Manual"
      description: "Annual security audit by external assessors"
  enforcement-methods:
    - id: "EM-GATE-01"
      type: "Gate"
      mode: "Automated"
      required: true
      description: "Pre-deployment compliance gate in CI/CD pipeline"
  # Free-text statement of the consequence for non-compliance.
  non-compliance: "Non-compliant systems will be quarantined pending remediation"