AgentSkillsCN

security-frameworks

Gemini CLI 检查点功能的中央权威机构。支持基于 Git 的文件快照、自动状态保存、/restore 命令以及回滚操作。适用于启用检查点功能、恢复历史状态、撤销变更,或规划使用 Gemini 的实验性工作流时。官方文档由 gemini-cli-docs 全权负责。

SKILL.md
--- frontmatter
name: security-frameworks
description: Security framework alignment including ISO 27001, SOC 2, NIST CSF 2.0, and CIS Controls mapping
allowed-tools: Read, Glob, Grep, Write, Edit, Task

Security Frameworks Planning

Comprehensive guidance for security framework alignment and control mapping before development begins.

When to Use This Skill

  • Preparing for ISO 27001 certification
  • Planning SOC 2 Type I or Type II audits
  • Implementing NIST Cybersecurity Framework 2.0
  • Mapping CIS Controls to your environment
  • Creating cross-framework control mappings

Framework Comparison

When to Use Which Framework

FrameworkBest ForCertification?Geography
ISO 27001Enterprise ISMS, international recognitionYes (3rd party)Global
SOC 2SaaS/Cloud providers, customer trustYes (CPA firm)Primarily US
NIST CSFRisk management, federal requirementsNoUS-focused
CIS ControlsTactical implementation, prioritizationNoGlobal

Framework Relationships

text
                    ┌─────────────────┐
                    │   Regulations   │
                    │ (GDPR, HIPAA)   │
                    └────────┬────────┘
                             │ drives
                    ┌────────▼────────┐
                    │   Frameworks    │
                    │(ISO, NIST, CIS) │
                    └────────┬────────┘
                             │ implements
                    ┌────────▼────────┐
                    │    Controls     │
                    │ (specific tech) │
                    └────────┬────────┘
                             │ evidenced by
                    ┌────────▼────────┐
                    │    Audits       │
                    │ (SOC 2, ISO)    │
                    └─────────────────┘

ISO 27001:2022

Structure Overview

text
Clauses 4-10: Management System Requirements
├── 4. Context of the organization
├── 5. Leadership
├── 6. Planning
├── 7. Support
├── 8. Operation
├── 9. Performance evaluation
└── 10. Improvement

Annex A: 93 Controls in 4 Themes
├── A.5 Organizational controls (37)
├── A.6 People controls (8)
├── A.7 Physical controls (14)
└── A.8 Technological controls (34)

Key Controls for Development

ControlTitleImplementation
A.5.1Policies for information securityDocument security policies
A.5.15Access controlRBAC, least privilege
A.5.23Information security for cloud servicesCloud security controls
A.8.4Access to source codeGit access, code review
A.8.8Management of technical vulnerabilitiesVulnerability scanning
A.8.9Configuration managementIaC, hardening
A.8.25Secure development lifecycleSSDLC
A.8.28Secure codingOWASP, static analysis
A.8.29Security testingDAST, penetration testing
A.8.31Separation of environmentsDev/Test/Prod isolation

ISMS Implementation Approach

csharp
// Control implementation tracking
public class IsmsControlTracker
{
    public record ControlStatus
    {
        public required string ControlId { get; init; } // e.g., "A.8.28"
        public required string ControlTitle { get; init; }
        public required ImplementationStatus Status { get; init; }
        public required string Owner { get; init; }
        public required List<string> Evidence { get; init; }
        public required DateTimeOffset LastReviewDate { get; init; }
        public required DateTimeOffset NextReviewDate { get; init; }
        public string? GapDescription { get; init; }
        public string? RemediationPlan { get; init; }
    }

    public enum ImplementationStatus
    {
        NotApplicable,
        NotImplemented,
        PartiallyImplemented,
        FullyImplemented
    }

    public GapAnalysisReport GenerateGapAnalysis(
        IEnumerable<ControlStatus> controls)
    {
        var gaps = controls
            .Where(c => c.Status != ImplementationStatus.FullyImplemented
                     && c.Status != ImplementationStatus.NotApplicable)
            .OrderBy(c => c.ControlId);

        return new GapAnalysisReport
        {
            TotalControls = controls.Count(),
            FullyImplemented = controls.Count(c =>
                c.Status == ImplementationStatus.FullyImplemented),
            PartiallyImplemented = controls.Count(c =>
                c.Status == ImplementationStatus.PartiallyImplemented),
            NotImplemented = controls.Count(c =>
                c.Status == ImplementationStatus.NotImplemented),
            NotApplicable = controls.Count(c =>
                c.Status == ImplementationStatus.NotApplicable),
            Gaps = gaps.ToList()
        };
    }
}

SOC 2

Trust Services Criteria (TSC)

CategoryDescriptionKey Criteria
Security (Required)System protected against unauthorized accessCC6.x
AvailabilitySystem available for operationA1.x
Processing IntegritySystem processing is complete, accuratePI1.x
ConfidentialityConfidential information protectedC1.x
PrivacyPersonal information protectedP1.x-P8.x

Common Criteria (Security)

text
CC1 - Control Environment
CC2 - Communication and Information
CC3 - Risk Assessment
CC4 - Monitoring Activities
CC5 - Control Activities
CC6 - Logical and Physical Access Controls
CC7 - System Operations
CC8 - Change Management
CC9 - Risk Mitigation

SOC 2 Control Examples

markdown
## CC6.1 - Logical Access Security

### Control Description
The entity implements logical access security software, infrastructure,
and architectures over protected information assets to protect them
from security events to meet the entity's objectives.

### Implementation
- Authentication via Azure AD with MFA required
- RBAC with least privilege principle
- Service accounts with managed identities
- API access via OAuth 2.0 tokens

### Evidence
- Azure AD configuration export
- Role assignment documentation
- Access review reports (quarterly)
- MFA enforcement policy

Type I vs Type II

AspectType IType II
ScopePoint in timePeriod of time (6-12 months)
FocusDesign of controlsDesign AND operating effectiveness
EvidencePolicies, configurationsLogs, samples, testing
Use CaseFirst audit, quick reportCustomer assurance, ongoing

NIST Cybersecurity Framework 2.0

Core Functions

text
┌────────────────────────────────────────────────────┐
│                      GOVERN                         │
│   Organizational context, strategy, oversight       │
├────────────┬────────────┬────────────┬─────────────┤
│  IDENTIFY  │  PROTECT   │   DETECT   │   RESPOND   │
│  Assets &  │ Safeguards │ Continuous │  Incident   │
│   Risks    │            │ Monitoring │  Response   │
├────────────┴────────────┴────────────┴─────────────┤
│                      RECOVER                        │
│             Resilience & Recovery                   │
└────────────────────────────────────────────────────┘

Function Breakdown

FunctionCategoryKey Activities
GOVERNOrganizational ContextEstablish risk management strategy
Risk Management StrategyDefine risk tolerance
Roles & ResponsibilitiesAssign accountability
PolicyDocument policies
OversightBoard/executive involvement
IDENTIFYAsset ManagementInventory systems and data
Risk AssessmentIdentify and assess risks
ImprovementContinuous improvement
PROTECTIdentity ManagementAccess control, authentication
Awareness & TrainingSecurity training
Data SecurityEncryption, classification
Platform SecuritySecure configurations
Technology InfrastructureSecure architecture
DETECTContinuous MonitoringSecurity monitoring
Adverse Event AnalysisThreat detection
RESPONDIncident ManagementIncident response
Incident AnalysisRoot cause analysis
Incident ResponseContainment, eradication
Incident MitigationLimit impact
RECOVERIncident RecoveryRestore operations
ImprovementsPost-incident learning

Implementation Tiers

TierNameDescription
1PartialAd hoc, reactive
2Risk InformedRisk aware but informal
3RepeatableFormal policies, consistent
4AdaptiveContinuous improvement, predictive

CIS Controls v8

Control Categories

text
Implementation Groups (IG):
IG1 - Essential Cyber Hygiene (56 safeguards)
IG2 - IG1 + Enhanced (130 safeguards)
IG3 - IG1 + IG2 + Advanced (153 safeguards)

18 Control Areas

#ControlIG1Key Safeguards
1Inventory of Enterprise AssetsAsset discovery, inventory
2Inventory of Software AssetsSoftware inventory
3Data ProtectionClassification, encryption
4Secure ConfigurationHardening, baselines
5Account ManagementCentralized auth, MFA
6Access Control ManagementLeast privilege, RBAC
7Continuous Vulnerability ManagementScanning, patching
8Audit Log ManagementCentralized logging
9Email and Web Browser ProtectionsFiltering, sandboxing
10Malware DefensesAnti-malware, EDR
11Data RecoveryBackups, testing
12Network Infrastructure ManagementSegmentation, hardening
13Network Monitoring and DefenseIDS/IPS, NDR
14Security Awareness and Skills TrainingTraining program
15Service Provider ManagementVendor assessment
16Application Software SecuritySSDLC, testing
17Incident Response ManagementIR plan, testing
18Penetration TestingAnnual pen test

Priority Implementation

markdown
## CIS IG1 Priority Controls

### Start Here (Quick Wins)
1. **Control 1.1**: Maintain accurate asset inventory
2. **Control 4.1**: Establish secure configuration process
3. **Control 5.1**: Establish centralized account management
4. **Control 6.1**: Establish access granting process

### Next Priority
5. **Control 7.1**: Establish vulnerability management process
6. **Control 8.1**: Establish audit logging
7. **Control 11.1**: Establish data recovery practices
8. **Control 14.1**: Establish security awareness program

### Then
9. **Control 3.1**: Establish data management process
10. **Control 10.1**: Deploy anti-malware

Cross-Framework Mapping

Control Mapping Matrix

CapabilityISO 27001SOC 2 TSCNIST CSF 2.0CIS v8
Access ControlA.5.15, A.8.2-8.5CC6.1-6.3PR.AA5, 6
Asset ManagementA.5.9-5.11CC6.1ID.AM1, 2
EncryptionA.8.24CC6.1, CC6.7PR.DS3.6, 3.9
LoggingA.8.15CC7.2DE.AE8
Vulnerability MgmtA.8.8CC7.1ID.RA7
Incident ResponseA.5.24-5.28CC7.4, CC7.5RS17
Change ManagementA.8.32CC8.1PR.IP4.2
Secure DevelopmentA.8.25-8.31CC8.1PR.IP16

.NET Control Implementation Examples

csharp
// Access Control implementation (multiple frameworks)
// ISO 27001 A.5.15 / SOC 2 CC6.1 / NIST PR.AA / CIS 5,6

public class AccessControlService
{
    private readonly IAuthorizationService _authService;
    private readonly IAuditLogger _auditLogger;

    public async Task<AuthorizationResult> Authorize(
        ClaimsPrincipal user,
        string resource,
        string action,
        CancellationToken ct)
    {
        // Log access attempt (CIS 8 / NIST DE.AE)
        var accessAttempt = new AccessAttempt
        {
            UserId = user.GetUserId(),
            Resource = resource,
            Action = action,
            Timestamp = DateTimeOffset.UtcNow
        };

        var result = await _authService.AuthorizeAsync(user, resource, action);

        accessAttempt.Success = result.Succeeded;
        accessAttempt.Reason = result.Failure?.FailureReasons
            .FirstOrDefault()?.Message;

        await _auditLogger.Log(accessAttempt, ct);

        return result;
    }
}

// Secure configuration (ISO A.8.9 / NIST PR.IP / CIS 4)
public class SecureConfigurationValidator
{
    public ValidationResult ValidateConfiguration(IConfiguration config)
    {
        var issues = new List<ConfigurationIssue>();

        // Check for secure defaults
        if (config["AllowHttp"] == "true")
        {
            issues.Add(new ConfigurationIssue
            {
                Setting = "AllowHttp",
                Issue = "HTTP should be disabled in production",
                Severity = Severity.High,
                Remediation = "Set AllowHttp=false"
            });
        }

        // Check TLS configuration
        var tlsVersion = config["MinTlsVersion"];
        if (tlsVersion != "1.2" && tlsVersion != "1.3")
        {
            issues.Add(new ConfigurationIssue
            {
                Setting = "MinTlsVersion",
                Issue = "TLS 1.2 or higher required",
                Severity = Severity.Critical,
                Remediation = "Set MinTlsVersion=1.2"
            });
        }

        return new ValidationResult { Issues = issues };
    }
}

Framework Selection Guide

Decision Tree

text
What is your primary driver?

├─ Customer requirement for audit report?
│   ├─ US customers → SOC 2
│   └─ International customers → ISO 27001
│
├─ Regulatory requirement?
│   ├─ US Federal → NIST CSF + FedRAMP
│   └─ Healthcare → HIPAA (use NIST CSF)
│
├─ Starting security program?
│   └─ CIS Controls IG1 (practical starting point)
│
└─ Enterprise-wide ISMS?
    └─ ISO 27001 (comprehensive management system)

Security Framework Checklist

Pre-Assessment

  • Identify applicable frameworks
  • Determine scope boundaries
  • Inventory systems in scope
  • Document current controls
  • Conduct gap analysis

Control Implementation

  • Prioritize gaps by risk
  • Create remediation roadmap
  • Implement missing controls
  • Document evidence
  • Test control effectiveness

Audit Preparation

  • Collect evidence artifacts
  • Prepare control narratives
  • Test samples (Type II)
  • Address known gaps
  • Brief stakeholders

Cross-References

  • Data Privacy: gdpr-compliance, hipaa-compliance for data protection
  • PCI: pci-dss-compliance for payment security
  • AI: ai-governance for AI-specific controls

Resources