GraphGRC Documentation
A comprehensive, interconnected GRC (Governance, Risk, and Compliance) documentation system with bidirectional linking between controls, standards, processes, policies, and framework requirements.
Table of Contents
Charter
Strategic governance documents defining the information security program.
Policies
Security policies defining requirements for all personnel.
| Policy | Applies To | Description |
|---|---|---|
| Baseline Security Policy | All Employees | Minimum security practices for account security, data handling, devices, and incident reporting |
| Engineering Security Policy | Engineers | Secure coding, secrets management, code review, and deployment security |
| Data Access Policy | Engineers, Data Team, Support | Requirements for accessing, handling, and protecting customer and employee data |
Standards
Technical security standards and baseline configurations.
| Standard | Owner | Description |
|---|---|---|
| AWS Security Standard | Infrastructure Team | Baseline security configurations for all AWS resources |
| Cryptography Standard | Security Team | Requirements for encryption at rest, in transit, and key management |
| Data Classification Standard | Security Team | Four-tier data classification system (Public, Internal, Confidential, Restricted) |
| Data Retention Standard | Security Team | Retention periods and secure deletion requirements |
| Endpoint Security Standard | IT Team | Baseline security for employee endpoints (macOS laptops) |
| GitHub Security Standard | Engineering Team | Security requirements for GitHub organizations and repositories |
| Incident Response Standard | Security Team | Requirements for detecting, responding to, and recovering from incidents |
| Logging and Monitoring Standard | Infrastructure Team | Requirements for security logging, monitoring, and alerting |
| SaaS IAM Standard | IT Team | Identity and access management requirements for SaaS applications |
| Vulnerability Management Standard | Security Team | Requirements for identifying, assessing, and remediating vulnerabilities |
Processes
Step-by-step operational procedures.
| Process | Owner | Description |
|---|---|---|
| Access Provisioning Process | IT Team | Steps for granting new user access with MFA enrollment and role-based permissions |
| Access Review Process | Security Team | Quarterly access reviews by managers with documentation and certification |
| Backup and Recovery Process | Infrastructure Team | Automated backups, monitoring, quarterly recovery testing, and annual DR drills |
| Change Management Process | Engineering Team | Managing changes to production systems with testing, review, and rollback procedures |
| Data Breach Response Process | Security Team | 10-step response for unauthorized data access with GDPR notification requirements |
| Incident Response Process | Security Team | 9-step process for detecting, investigating, and responding to security incidents |
| Security Training Process | Security Team | Training program with new hire, annual refresher, role-specific, and phishing simulations |
| Vendor Risk Assessment Process | Security Team | 8-step vendor assessment with questionnaires, SOC 2 review, and DPA negotiation |
| Vulnerability Management Process | Security Team | Automated scanning, triage, risk assessment, remediation, and verification |
Custom Controls
Organization-specific security controls mapped to SOC 2 and GDPR.
Access Control (ACC)
| Control | Title | Objective |
|---|---|---|
| ACC-01 | Identity & Authentication | Ensure all users are uniquely identified and authenticated using strong, phishing-resistant methods |
| ACC-02 | Least Privilege & RBAC | Ensure users have only the minimum access necessary for their job function |
| ACC-03 | Access Reviews | Periodically review and certify that user access remains appropriate |
| ACC-04 | Privileged Access Management | Secure, monitor, and audit all privileged (admin) access |
Data Protection (DAT)
| Control | Title | Objective |
|---|---|---|
| DAT-01 | Data Classification | Classify data based on sensitivity to enable appropriate protection controls |
| DAT-02 | Encryption | Protect data confidentiality through encryption at rest and in transit |
| DAT-03 | Data Retention & Deletion | Retain data only as long as necessary and securely delete when no longer needed |
| DAT-04 | Data Privacy (GDPR Compliance) | Comply with GDPR and CCPA privacy requirements |
Endpoint Security (END)
| Control | Title | Objective |
|---|---|---|
| END-01 | Device Management (macOS MDM) | Ensure all endpoints are enrolled in MDM with security configurations enforced |
| END-02 | Endpoint Protection | Detect and prevent malware and unauthorized software on endpoints |
| END-03 | Software Updates | Ensure endpoints have latest security patches to prevent exploitation |
Governance (GOV)
| Control | Title | Objective |
|---|---|---|
| GOV-01 | Security Policies | Establish and maintain security policies that define organizational security requirements |
| GOV-02 | Risk Assessment | Identify, assess, and manage information security risks |
Infrastructure (INF)
| Control | Title | Objective |
|---|---|---|
| INF-01 | Cloud Security Configuration (AWS) | Ensure cloud infrastructure is securely configured according to best practices |
| INF-02 | Network Security | Protect network perimeter and segment internal networks |
| INF-03 | Logging & Monitoring | Detect and respond to security events through comprehensive logging |
| INF-04 | Backup & Recovery | Ensure business continuity through regular backups and tested recovery procedures |
Operations (OPS)
| Control | Title | Objective |
|---|---|---|
| OPS-01 | Change Management | Manage changes to production systems to maintain security and stability |
| OPS-02 | Vulnerability Management | Identify and remediate security vulnerabilities in a timely manner |
| OPS-03 | Incident Response | Detect, respond to, and recover from security incidents |
| OPS-04 | Business Continuity | Ensure critical operations can continue during disruptions |
People (PEO)
| Control | Title | Objective |
|---|---|---|
| PEO-01 | Background Checks | Verify trustworthiness of employees before granting access |
| PEO-02 | Security Training | Ensure all personnel are aware of security policies and threats |
| PEO-03 | Offboarding | Ensure access is promptly removed when employment ends |
Vendor (VEN)
| Control | Title | Objective |
|---|---|---|
| VEN-01 | Third-Party Risk Assessment | Assess security and privacy risks of third-party vendors before onboarding |
| VEN-02 | Vendor Contracts & DPAs | Ensure vendors are contractually obligated to protect data |
Frameworks
SOC 2
SOC 2 Trust Services Criteria controls with backlinks showing which custom controls satisfy them.
| Control | Title |
|---|---|
| CC1.1 | Management and board demonstrate commitment to integrity and ethical values |
| CC1.2 | Board demonstrates independence and oversight |
| CC1.4 | Management demonstrates commitment to competence |
| CC2.1 | Communication of information security responsibilities |
| CC2.2 | Internal and external communication of system objectives |
| CC3.1 | Risk identification and assessment |
| CC3.2 | Assessment of fraud risk |
| CC3.4 | Risk response and acceptance |
| CC6.1 | Logical access security software |
| CC6.2 | User registration and authorization before access |
| CC6.3 | Access removal on termination |
| CC6.6 | Access restricted to information assets |
| CC6.7 | Transmission, movement, and removal protection |
| CC6.8 | Encryption in transit and at rest |
| CC7.1 | Detection of processing errors and security issues |
| CC7.2 | Monitoring of system components |
| CC7.3 | System capacity evaluation |
| CC7.4 | System availability monitoring and incident response |
| CC7.5 | System availability protection |
| CC8.1 | Authorization and testing before implementation |
| CC9.1 | Identification and mitigation of risks from vendors |
| CC9.2 | Assessment of vendor compliance |
| A1.1 | System availability and commitments |
| A1.2 | System capacity meets commitments |
| A1.3 | Environmental safeguards for system availability |
View all SOC 2 controls →
GDPR
GDPR articles with backlinks showing which custom controls help achieve compliance.
| Article | Title |
|---|---|
| Article 5 | Principles relating to processing of personal data |
| Article 6 | Lawfulness of processing |
| Article 15 | Right of access by the data subject |
| Article 17 | Right to erasure (right to be forgotten) |
| Article 20 | Right to data portability |
| Article 24 | Responsibility of the controller |
| Article 28 | Processor obligations and data processing agreements |
| Article 30 | Records of processing activities |
| Article 32 | Security of processing |
| Article 33 | Notification of a personal data breach to the supervisory authority |
| Article 34 | Communication of a personal data breach to the data subject |
View all GDPR articles →
About This Documentation
This documentation system uses:
- Bidirectional linking: Navigate from controls to frameworks and back
- Semantic markdown: Pure markdown with YAML frontmatter (Obsidian and GitHub Pages compatible)
- Automated backlinks: `make generate-backlinks` creates Referenced By sections automatically
- Four-tier architecture: Charter → Policies → Standards/Processes → Custom Controls → Frameworks
For more information:
Documentation generated with GraphGRC • Last updated: 2025-01-13