Is there an existing issue for this?
- I have searched the existing issues
Problem statement
For specific industry regulations we need pre-set compliance checks.
Proposed Solution
Implement a repository of pre-built compliance checks that can be imported into the app. For example, for GDPR we have to ensure data is accessed with reason and expiration time. Here are some ideas:
Implementable Compliance Checks for Ontos
- GDPR (General Data Protection Regulation)
  ✅ Implementable Checks:
  - Access Grant Expiration Dates
    - Verify all grants to PII tables have expiration dates via tags
    - Check: HAS_TAG('access_expiration') for tables tagged with contains_pii
  - Data Minimization Verification
    - Ensure tables with PII only grant access to necessary columns
    - Check: Tables with contains_pii tag must have minimized_columns tag or justification
  - Purpose Limitation
    - Verify data access grants include purpose documentation
    - Check: HAS_TAG('access_purpose') for sensitive data
  - Lawful Basis Documentation
    - Ensure tables with PII have documented lawful basis
    - Check: TAG('lawful_basis') IN ['consent', 'contract', 'legal_obligation', 'vital_interests', 'public_task', 'legitimate_interests']
  - Data Retention Policies
    - Verify retention periods are defined
    - Check: HAS_TAG('retention_period') for all production tables
  - Right to Erasure Support
    - Ensure tables with PII are tagged as supporting deletion
    - Check: TAG('supports_deletion') = 'true' for PII tables
  - Data Portability Support
    - Verify export capability is documented
    - Check: TAG('supports_export') = 'true' for customer data
  - Cross-Border Transfer Documentation
    - Check international storage locations are documented
    - Check: Tables in non-EU catalogs with EU data have transfer_mechanism tag
  - Data Processing Agreement Tracking
    - Verify third-party processor agreements are documented
    - Check: Schemas shared with external groups have processor_agreement_id tag
  - Consent Tracking
    - Ensure consent-based data has consent tracking table references
    - Check: TAG('consent_table') exists for consent-based PII
  ❌ Cannot Implement:
  - DPIA (requires manual assessment)
  - Actual breach detection (requires monitoring tools)
  - Real-time 72-hour breach notification (requires incident management system)
- CCPA/CPRA (California Consumer Privacy Act)
  ✅ Implementable Checks:
  - Data Sale/Share Tracking
    - Verify tables shared externally are tagged
    - Check: TAG('data_sharing') IN ['sale', 'share', 'internal'] for all tables
  - Purpose Disclosure
    - Ensure collection purposes are documented
    - Check: HAS_TAG('collection_purpose') for customer data tables
  - Third-Party Disclosure Tracking
    - Verify third-party recipients are documented
    - Check: Schemas with external access have third_party_recipients tag
  - Sensitive Personal Information Handling
    - Identify and tag sensitive PI per CPRA definition
    - Check: TAG('data_sensitivity') IN ['public', 'internal', 'confidential', 'sensitive_pi']
  - Data Retention Limits
    - Verify maximum retention periods are defined
    - Check: HAS_TAG('max_retention_days')
  - Consumer Request Capability
    - Ensure tables support deletion and export
    - Check: TAG('supports_dsar') = 'true' for customer tables
  ❌ Cannot Implement:
  - Opt-out mechanism enforcement (application logic)
  - 45-day response tracking (requires ITSM integration)
- HIPAA (Health Insurance Portability and Accountability Act)
  ✅ Implementable Checks:
  - Minimum Necessary Access
    - Verify PHI tables have access justifications
    - Check: Grants to PHI tables have access_justification tag
  - Audit Trail Requirements
    - Ensure PHI tables have audit logging enabled
    - Check: TAG('audit_enabled') = 'true' for PHI tables
  - Authorization Tracking
    - Verify patient authorization is documented
    - Check: HAS_TAG('authorization_ref') for PHI tables
  - Emergency Access Documentation
    - Ensure emergency access procedures are documented
    - Check: HAS_TAG('emergency_access_procedure') for PHI schemas
  - Access Termination
    - Verify access grants have end dates
    - Check: HAS_TAG('access_expiration') for PHI tables
  - De-identification Tracking
    - Mark de-identified datasets
    - Check: PHI tables must have TAG('phi_status') IN ['identified', 'deidentified', 'limited_dataset']
  - Business Associate Agreement (BAA) Tracking
    - Verify BAAs for external data sharing
    - Check: External schemas have baa_agreement_id tag
  ❌ Cannot Implement:
  - Encryption verification (infrastructure level)
  - Physical safeguards (not data-level)
  - Workforce training tracking (HR system)
  - Actual breach notification (requires incident system)
- SOX (Sarbanes-Oxley Act)
  ✅ Implementable Checks:
  - Segregation of Duties (SoD)
    - Detect conflicting access combinations on financial tables
    - Check: Users with both write and approve privileges on same financial data
  - Access Certification Requirements
    - Verify access reviews are documented
    - Check: TAG('last_access_review') within last 90 days for financial tables
  - Change Management Documentation
    - Ensure schema changes have approval tracking
    - Check: HAS_TAG('change_approval_id') for production financial schemas
  - Financial Data Lineage
    - Verify lineage documentation exists
    - Check: Financial tables have HAS_TAG('data_lineage') or HAS_TAG('source_system')
  - Access Revocation Tracking
    - Ensure terminated user access is logged
    - Check: Access grants have revocation_date when status changes
  - Data Integrity Controls
    - Verify write access restrictions on financial tables
    - Check: Financial tables have TAG('write_protected') = 'true' or limited write grants
  - Privileged Access Monitoring
    - Identify and track privileged users
    - Check: Admin access to financial data has TAG('privileged_access_justification')
  - IT General Controls (ITGC)
    - Verify control documentation for critical systems
    - Check: Production catalogs have TAG('itgc_control_id')
  ❌ Cannot Implement:
  - Actual audit log immutability (storage level)
  - Disaster recovery testing (operational)
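The two SOX checks above that cannot be answered from a table's own tags alone, Segregation of Duties and the 90-day access review window, need grant data and a date comparison. The following Python is an added example, not Ontos code and not from the issue author; it assumes financial tables are those tagged financial_data = 'true', that a grant is a (principal, table, privilege) tuple, and pins "today" to a constructed date so the output is reproducible. The write/approve pair and the 90-day window follow the wording of the checks.

```python
"""Grant-based SOX checks: segregation of duties and access-review age.

Added example, not Ontos code. Assumptions: financial tables are those
tagged financial_data = 'true'; a grant is a (principal, table, privilege)
tuple; the conflicting privilege pair 'write'/'approve' and the 90-day
review window follow the issue's wording; 'today' is pinned so the
output is reproducible.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import date

TODAY = date(2025, 3, 1)  # constructed reference date

# Constructed table tags.
TABLES = {
    "fin.gl.journal_entries": {"financial_data": "true",
                               "last_access_review": "2025-01-15"},
    "fin.gl.payments": {"financial_data": "true",
                        "last_access_review": "2024-09-30"},
    "fin.ap.invoices": {"financial_data": "true"},   # never reviewed
    "ops.logs.web": {},                              # not financial
}

# Constructed grants: (principal, table, privilege).
GRANTS = [
    ("alice", "fin.gl.journal_entries", "write"),
    ("alice", "fin.gl.journal_entries", "approve"),  # SoD conflict
    ("bob", "fin.gl.journal_entries", "approve"),
    ("bob", "fin.gl.payments", "write"),              # different table: fine
    ("carol", "fin.gl.payments", "approve"),
    ("dave", "ops.logs.web", "write"),
    ("dave", "ops.logs.web", "approve"),              # out of scope
]


def financial_tables(tables: dict) -> set:
    return {n for n, t in tables.items() if t.get("financial_data") == "true"}


def sod_conflicts(grants, tables, conflicting=("write", "approve")):
    """(principal, table) pairs holding every privilege in `conflicting`
    on the same financial table."""
    fin = financial_tables(tables)
    held = defaultdict(set)
    for principal, table, privilege in grants:
        if table in fin:
            held[(principal, table)].add(privilege)
    return sorted(k for k, privs in held.items() if set(conflicting) <= privs)


def stale_access_reviews(tables, today=TODAY, max_age_days=90):
    """Financial tables whose last_access_review tag is missing,
    unparsable, or older than the window. A missing or malformed date is
    reported rather than skipped, so an absent review never reads as a pass."""
    stale = []
    for name in sorted(financial_tables(tables)):
        raw = tables[name].get("last_access_review")
        try:
            reviewed = date.fromisoformat(raw)
        except (TypeError, ValueError):
            stale.append((name, "missing or invalid"))
            continue
        age = (today - reviewed).days
        if age > max_age_days:
            stale.append((name, f"{age} days ago"))
    return stale


if __name__ == "__main__":
    for principal, table in sod_conflicts(GRANTS, TABLES):
        print(f"SoD: {principal} has write+approve on {table}")
    for table, why in stale_access_reviews(TABLES):
        print(f"Review overdue: {table} ({why})")
```

The SoD check is keyed on (principal, table), so a user who can write one financial table and approve a different one is not flagged; the `conflicting` parameter lets the same function serve the FINRA trade_execution/trade_approval pair or the FedRAMP variant with other privilege names.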
- PCI DSS (Payment Card Industry Data Security Standard)
  ✅ Implementable Checks:
  - Cardholder Data Environment (CDE) Identification
    - Mark and restrict CDE tables
    - Check: TAG('pci_scope') = 'cde' for cardholder data
  - Unique User ID Requirements
    - Verify no shared accounts have CDE access
    - Check: CDE tables do not have group-level write access
  - Access Log Retention
    - Verify audit retention tags (1 year minimum)
    - Check: TAG('audit_retention_days') >= '365' for CDE tables
  - Quarterly Access Reviews
    - Ensure regular review schedule
    - Check: TAG('last_access_review') within last 90 days for CDE
  - Access Revocation for Terminated Users
    - Verify immediate revocation documented
    - Check: CDE access grants have expiration dates
  - Data Retention Policies
    - Verify no storage beyond business need
    - Check: HAS_TAG('retention_period') and TAG('retention_justification') for CDE
  - PAN Masking Requirements
    - Ensure masking is documented
    - Check: TAG('pan_masked') = 'true' for CDE tables or views
  ❌ Cannot Implement:
  - Encryption verification (infrastructure level)
  - Multi-factor authentication (auth system)
  - Vulnerability scanning (security tools)
  - Physical access controls (facility level)
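The GDPR and PCI DSS lists above express every check in the same few shapes: HAS_TAG('x'), TAG('x') = 'v', TAG('x') IN [...], and one numeric comparison, TAG('audit_retention_days') >= '365'. The Python below is an added example, not Ontos code and not from the issue author, of evaluating a pack of such rules as data over table tags, so a regulation's checks can be shipped and imported as one unit. The table shape, the operator names and the sample metadata are assumptions. The one point it adds to the text is that tag values are strings, so the >= check must convert to a number: compared as text, '1000' sorts below '365' and a compliant table would fail.

```python
"""Tag-rule evaluator for pre-built compliance checks.

Added example, not Ontos code. Assumptions: a table is a dict with a
fully qualified 'name' and a 'tags' dict of string -> string; a check pack
is a list of rule dicts whose 'scope' (which tables the rule applies to)
and 'predicate' (what must hold) are small operator tuples mirroring the
issue's HAS_TAG / TAG(...) = / TAG(...) IN notation.
"""
from __future__ import annotations

# Constructed sample metadata standing in for catalog table tags.
TABLES = [
    {"name": "prod.crm.customers",
     "tags": {"contains_pii": "true", "access_expiration": "2025-12-31",
              "lawful_basis": "consent", "supports_deletion": "true"}},
    {"name": "prod.crm.leads",
     "tags": {"contains_pii": "true", "lawful_basis": "marketing"}},
    {"name": "prod.pay.card_auth",
     "tags": {"pci_scope": "cde", "audit_retention_days": "1000",
              "pan_masked": "true"}},
    {"name": "prod.pay.card_staging",
     "tags": {"pci_scope": "cde", "audit_retention_days": "90"}},
    {"name": "prod.ops.metrics", "tags": {"env": "production"}},
]

GDPR_LAWFUL_BASES = ["consent", "contract", "legal_obligation",
                     "vital_interests", "public_task", "legitimate_interests"]

# A check pack as data, so it can be shipped and imported as a unit.
CHECK_PACK = [
    {"regulation": "GDPR", "name": "Access Grant Expiration Dates",
     "scope": ("eq", "contains_pii", "true"),
     "predicate": ("has_tag", "access_expiration")},
    {"regulation": "GDPR", "name": "Lawful Basis Documentation",
     "scope": ("eq", "contains_pii", "true"),
     "predicate": ("in", "lawful_basis", GDPR_LAWFUL_BASES)},
    {"regulation": "GDPR", "name": "Right to Erasure Support",
     "scope": ("eq", "contains_pii", "true"),
     "predicate": ("eq", "supports_deletion", "true")},
    {"regulation": "PCI DSS", "name": "Access Log Retention",
     "scope": ("eq", "pci_scope", "cde"),
     "predicate": ("gte_num", "audit_retention_days", 365)},
    {"regulation": "PCI DSS", "name": "PAN Masking Requirements",
     "scope": ("eq", "pci_scope", "cde"),
     "predicate": ("eq", "pan_masked", "true")},
]


def holds(expr: tuple, table: dict) -> bool:
    """Evaluate one operator tuple against a table's tags."""
    op, tags = expr[0], table["tags"]
    if op == "has_tag":                       # HAS_TAG('x')
        return expr[1] in tags
    if op == "eq":                            # TAG('x') = 'v'
        return tags.get(expr[1]) == expr[2]
    if op == "in":                            # TAG('x') IN [...]
        return tags.get(expr[1]) in expr[2]
    if op == "gte_num":                       # TAG('x') >= n
        # Tag values are strings; compared as text, '1000' < '365'.
        # Convert first, and fail closed on a missing or non-numeric tag.
        try:
            return int(tags.get(expr[1])) >= expr[2]
        except (TypeError, ValueError):
            return False
    if op == "any":                           # A or B
        return any(holds(e, table) for e in expr[1:])
    if op == "all":                           # A and B
        return all(holds(e, table) for e in expr[1:])
    raise ValueError(f"unknown operator {op!r}")


def run_pack(pack: list, tables: list) -> dict:
    """Map each in-scope table name to the checks it fails."""
    failures = {}
    for table in tables:
        failed = [f"{c['regulation']}: {c['name']}" for c in pack
                  if holds(c["scope"], table) and not holds(c["predicate"], table)]
        if failed:
            failures[table["name"]] = failed
    return failures


if __name__ == "__main__":
    for name, failed in run_pack(CHECK_PACK, TABLES).items():
        print(name)
        for check in failed:
            print("  FAIL", check)
```

`run_pack` only reports tables that fall inside a rule's scope, so absence from the output means "compliant or out of scope", not "checked and passed"; the `any` and `all` operators cover the "A or B" and "A and B" checks in the other lists (SOX lineage, BCBS 239 quality tags) without new code.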
- SOC 2 (Service Organization Control 2)
  ✅ Implementable Checks:
  - Security - Access Controls
    - Verify access restrictions are documented
    - Check: All production tables have defined ownership and access policies
  - Confidentiality - Data Classification
    - Ensure proper classification tags
    - Check: TAG('data_classification') IN ['public', 'internal', 'confidential', 'restricted']
  - Privacy - Collection Notice Alignment
    - Verify privacy notice references
    - Check: Customer data tables have privacy_notice_version tag
  - Processing Integrity - Data Quality
    - Ensure quality metrics are tracked
    - Check: Critical tables have TAG('quality_score') or TAG('data_quality_checks')
  - Availability - Asset Criticality
    - Identify and tag critical assets
    - Check: Production tables have TAG('criticality') IN ['low', 'medium', 'high', 'critical']
  - Change Management
    - Track change approvals
    - Check: Production schemas have last_change_approval tag
  - Vendor Management
    - Document third-party data sharing
    - Check: External access has vendor_name and vendor_risk_assessment tags
  ❌ Cannot Implement:
  - System uptime monitoring (infrastructure)
  - Disaster recovery testing (operational)
  - Incident response execution (security tools)
- GLBA (Gramm-Leach-Bliley Act)
  ✅ Implementable Checks:
  - NPI Access Restrictions
    - Verify restricted access to nonpublic personal information
    - Check: TAG('contains_npi') = 'true' tables have limited access grants
  - Privacy Notice References
    - Ensure privacy notices are documented
    - Check: NPI tables have privacy_notice_url or privacy_notice_version tag
  - Information Sharing Tracking
    - Document data sharing arrangements
    - Check: HAS_TAG('sharing_arrangement') for NPI tables
  - Opt-Out Support
    - Verify opt-out capability is documented
    - Check: TAG('supports_optout') = 'true' for shared NPI
  - Service Provider Oversight
    - Track third-party processors
    - Check: External schemas have service_provider_agreement tag
  - Disposal Procedures
    - Document secure disposal capability
    - Check: HAS_TAG('disposal_procedure') for NPI tables
  ❌ Cannot Implement:
  - Information security program audit (organizational)
  - Pretexting protections (application/process level)
- FERPA (Family Educational Rights and Privacy Act)
  ✅ Implementable Checks:
  - Legitimate Educational Interest
    - Verify access justifications
    - Check: Education record tables have access_justification tag for all grants
  - Consent Tracking
    - Document consent for non-exception disclosures
    - Check: HAS_TAG('disclosure_consent') or TAG('disclosure_exception') for education records
  - Directory Information Opt-Out
    - Mark directory information tables
    - Check: TAG('directory_info') = 'true' and TAG('supports_optout') = 'true'
  - Access Logging Requirements
    - Ensure audit trails exist
    - Check: TAG('audit_enabled') = 'true' for education records
  - Third-Party Disclosure Tracking
    - Document external disclosures
    - Check: HAS_TAG('disclosure_log_table') for education records
  - Amendment Request Support
    - Verify update capability
    - Check: TAG('supports_amendments') = 'true' for student records
  ❌ Cannot Implement:
  - Annual notification process (organizational)
- LGPD (Lei Geral de Proteção de Dados) - Brazil
  ✅ Implementable Checks:
  - Similar to GDPR - reuse GDPR checks with LGPD-specific adjustments
  - Lawful basis (10 legal bases): TAG('lgpd_legal_basis')
  - Data Protection Agent designation: TAG('data_protection_agent')
  - International transfer safeguards: TAG('international_transfer_mechanism')
- PIPEDA (Canada)
  ✅ Implementable Checks:
  - Similar to GDPR/CCPA - reuse consent and purpose checks
  - Consent documentation: TAG('pipeda_consent')
  - Purpose identification: TAG('collection_purpose')
  - Safeguards documentation: TAG('safeguard_level')
  - Cross-border transfer: TAG('cross_border_transfer_doc')
- FINRA/SEC Regulations
  ✅ Implementable Checks:
  - Books and Records Retention
    - Verify immutable storage tags (SEC Rule 17a-4)
    - Check: Financial records have TAG('immutable_storage') = 'true'
  - Record Retention Periods
    - Ensure minimum retention (6 years for most records)
    - Check: TAG('retention_period_years') >= '6' for financial records
  - Segregation of Duties - Trading
    - Detect conflicting trading system access
    - Check: No user has both trade_execution and trade_approval on same tables
  - KYC Data Access Controls
    - Restrict Know Your Customer data access
    - Check: KYC tables have strict access controls and TAG('pii_type') = 'kyc'
  - Supervision Documentation
    - Verify communications data lineage
    - Check: Communications tables have supervision_policy_id tag
  ❌ Cannot Implement:
  - Best execution monitoring (trading system)
  - Insider trading surveillance (requires trading data analysis)
  - Market manipulation detection (complex analytics)
- BCBS 239 (Basel Committee - Banking)
  ✅ Implementable Checks:
  - Data Lineage Tracking
    - Ensure lineage is documented
    - Check: Risk data tables have HAS_TAG('data_lineage') or lineage_documented = true
  - Data Quality Metrics
    - Verify quality scoring exists
    - Check: Risk tables have TAG('accuracy_score'), TAG('completeness_score'), TAG('timeliness_sla')
  - Data Governance Framework
    - Ensure ownership and stewardship
    - Check: All risk data has defined owner and data steward
  - Historical Data Retention
    - Verify historical data availability
    - Check: Risk tables have TAG('historical_retention_years')
  - Reconciliation Controls
    - Document reconciliation processes
    - Check: Aggregated risk tables have reconciliation_table_ref tag
  - Data Architecture Documentation
    - Ensure source system documentation
    - Check: Risk data has source_system and data_architecture_doc tags
  ❌ Cannot Implement:
  - Actual data quality measurement (requires profiling tools)
  - Aggregation accuracy testing (requires calculation verification)
- NIST Frameworks
  ✅ Implementable Checks:
  - Asset Inventory
    - Verify all assets are cataloged
    - Check: All catalogs/schemas/tables have metadata and ownership
  - Data Classification
    - Ensure classification tags exist
    - Check: HAS_TAG('data_classification')
  - Access Control Policy Enforcement
    - Verify access policies are documented
    - Check: Sensitive data has access_policy_id tag
  - Privacy Risk Assessment
    - Document PIA completion
    - Check: PII tables have privacy_impact_assessment_id tag
  - Supply Chain Risk Management
    - Track third-party data sources
    - Check: External data sources have vendor_risk_rating tag
  ❌ Cannot Implement:
  - Anomaly detection (requires monitoring tools)
  - Incident response execution (security operations)
  - Recovery testing (operational)
- FedRAMP (US Government Cloud)
  ✅ Implementable Checks:
  - Least Privilege Verification
    - Ensure minimal access grants
    - Check: Federal data tables have access justifications
  - Audit Log Protection
    - Verify audit settings
    - Check: Federal data has TAG('audit_immutable') = 'true'
  - Separation of Duties
    - Detect SoD violations
    - Check: Conflicting access combinations on federal data
  - Security Assessment Documentation
    - Track assessment dates
    - Check: Federal catalogs have last_security_assessment tag
  ❌ Cannot Implement:
  - Continuous monitoring (requires SIEM)
  - Boundary protection (network level)
  - Multi-factor authentication (auth system)
Cross-Cutting Checks (Universal)
Access Management
- ✅ Role-based access verification
- ✅ Access grant justification requirements
- ✅ Time-bound access (expiration dates)
- ✅ Access revocation tracking
- ✅ Least privilege verification
- ✅ Privileged access documentation
- ✅ Emergency access procedures documented
- ✅ Regular access reviews/recertification tracking
Audit & Compliance
- ✅ Audit logging enabled tags
- ✅ Audit log retention period definition
- ✅ Access attempt logging tags
Data Governance
- ✅ Data ownership requirements
- ✅ Data stewardship assignment
- ✅ Retention policy definition
- ✅ Data lineage documentation
- ✅ Data quality metrics tracking
- ✅ Metadata completeness (descriptions/comments)
- ✅ Data catalog completeness
Data Protection
- ✅ Data classification tagging
- ✅ Encryption tags (documenting encryption status)
- ✅ Masking/anonymization tags
- ✅ Sensitive data identification
Vendor & Third-Party
- ✅ Third-party access tracking
- ✅ Data processing agreements documented
- ✅ Vendor risk assessment tags
- ✅ Subprocessor documentation
Incident Response
- ✅ Incident detection capability tags
- ✅ Breach notification workflow tags
Implementation Priority
Tier 1 (Universal - High Impact)
- Data classification and sensitive data identification
- Access grant expiration dates
- Data owner assignment
- Retention policy definition
- Access justification requirements
Tier 2 (Regulation-Specific - High Compliance Value)
- GDPR: Lawful basis + purpose limitation
- HIPAA: Minimum necessary + PHI audit trails
- SOX: Segregation of duties
- PCI DSS: CDE identification + quarterly reviews
- CCPA: Sale/share tracking
Tier 3 (Enhanced Governance)
- Data lineage documentation
- Data quality metrics
- Third-party disclosure tracking
- Privacy impact assessments
- Change management documentation
Additional Context
No response