
Comment by alexsmolen

7 hours ago

I love this idea despite the real world operational challenges - most people with governance responsibilities in organizations don't want to code, and code is often too precise to model messy social/organizational context without constant tweaking, tending, and exception management.

I'm an advocate for bringing software culture to GRC, or as it's sometimes called “GRC Engineering”. While there are plenty of products to automate evidence generation for auditors, the underlying policies and documents that they prescribe are usually still old-school Word/PDF-style boilerplate junk.

I'm working on an open source project for security policies/processes/standards that map back to underlying frameworks (e.g. SOC 2, GDPR, ISO 27001, etc.). Docs are Markdown with YAML frontmatter metadata, interlinks are generated automatically, and the site is published via GitHub Actions.

The code is at https://github.com/engseclabs/graphgrc, and you can see an example published site here https://graphgrc.engseclabs.com.

Would love to know if others find it useful or have built similar systems.

> I'm working on an open source project for security policies/processes/standards that map back to underlying frameworks (e.g. SOC 2, GDPR, ISO 27001, etc.). Docs are Markdown with YAML frontmatter metadata, interlinks are generated automatically, and the site is published via GitHub Actions.

> Would love to know if others find it useful or have built similar systems.

Yes, to both, for over a decade now; by now there are many, so one doesn't need to rewalk the whole path, and some are developed in the open on GitHub.

Commercial firms have built on that for live monitoring of the mappings, although don't scratch at that too hard, it's generally mostly (a) self-selected subsets of controls, and (b) manually self-reported at the end of the day.

Product examples: https://delve.co or https://safebase.io/products/trust-center

Applied example: https://trust.openai.com

Have you Googled this or talked to large firms (e.g. banks) that care about avoiding footfalls with regularly scheduled regulator exams? Writing your own shows you grok the concept, many need (well paid!) help applying something off the shelf or from OSS.

  • In my research I haven’t come across the prior art you suggest exists. The trust centers you linked aren’t fungible with what I’m building with GraphGRC. The idea is to make all your security docs just a GitHub repo with structured markdown that permits useful automation (e.g. generating linked internal site, validating all docs have been “reviewed” annually by checking metadata, change control via PR, etc.)

    There are plenty of GRC products out there, and they are popular for good reasons, but I don’t think any of them are Git/Markdown/developer-first.
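The kind of automation the comment above describes (reading YAML frontmatter from Markdown policy docs, checking that each doc's review date is within a year, and inverting the doc-to-control mapping back to frameworks) can be demonstrated in a few dozen lines. The script below is an added example, not GraphGRC's own code: the frontmatter field names (`id`, `title`, `reviewed`, `controls`), the `FRAMEWORK:CONTROL` identifier convention, the known-framework list and the three sample docs are all assumptions constructed for illustration.

```python
"""Frontmatter-driven checks for a Markdown policy repo (added example).

Assumed frontmatter schema (not GraphGRC's): `id`, `title`, `reviewed`
(ISO date) and `controls` (a list of FRAMEWORK:CONTROL strings).
"""
from __future__ import annotations

import re
from datetime import date

# Constructed sample repo: path -> Markdown source. Values are made up.
SAMPLE_REPO = {
    "policies/access-control.md": """---
id: POL-001
title: Access Control Policy
reviewed: 2024-02-10
controls:
  - SOC2:CC6.1
  - ISO27001:A.9.2
---
# Access Control Policy

Access is granted on a least-privilege basis and reviewed quarterly.
""",
    "policies/incident-response.md": """---
id: POL-002
title: Incident Response Policy
reviewed: 2025-01-15
controls:
  - SOC2:CC7.2
  - SOC2:CC7.4
  - ISO27001:A.16.1
---
# Incident Response Policy

Security incidents are triaged within one business day.
""",
    "standards/logging.md": """---
id: STD-003
title: Logging Standard
controls:
  - SOC2:CC7.2
  - NIST800-53:AC-2
---
# Logging Standard

Authentication events are retained for one year.
""",
}

# Frameworks the repo is allowed to map to (assumption for the example).
KNOWN_FRAMEWORKS = {"SOC2", "ISO27001", "GDPR"}

FRONTMATTER_RE = re.compile(r"\A---\n(.*?)\n---\n", re.DOTALL)


def parse_frontmatter(text: str) -> dict:
    """Parse the flat `key: value` / `key:` + `  - item` subset of YAML used
    above (no nesting or quoting). Returns {} when the doc has no frontmatter."""
    match = FRONTMATTER_RE.match(text)
    if not match:
        return {}
    meta: dict = {}
    current_list: str | None = None
    for raw in match.group(1).splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and line.strip().startswith("- "):
            if current_list is None:
                raise ValueError(f"list item outside a list: {raw!r}")
            meta[current_list].append(line.strip()[2:].strip())
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"bad frontmatter line: {raw!r}")
        key, value = key.strip(), value.strip()
        if value:
            meta[key], current_list = value, None
        else:
            meta[key], current_list = [], key  # a list follows
    return meta


def stale_docs(repo: dict, today: date, max_age_days: int = 365) -> dict:
    """Map doc id -> review age in days for docs reviewed more than
    max_age_days ago, or -> None for docs with no `reviewed` date at all."""
    flagged: dict = {}
    for path, text in repo.items():
        meta = parse_frontmatter(text)
        doc_id = meta.get("id", path)
        reviewed = meta.get("reviewed")
        if not isinstance(reviewed, str):
            flagged[doc_id] = None
            continue
        age = (today - date.fromisoformat(reviewed)).days
        if age > max_age_days:
            flagged[doc_id] = age
    return flagged


def control_index(repo: dict) -> dict:
    """Invert the mapping: FRAMEWORK:CONTROL -> sorted list of doc ids."""
    index: dict = {}
    for path, text in repo.items():
        meta = parse_frontmatter(text)
        for control in meta.get("controls", []):
            index.setdefault(control, []).append(meta.get("id", path))
    return {control: sorted(ids) for control, ids in index.items()}


def unknown_framework_refs(repo: dict) -> set:
    """Controls whose framework prefix is not in KNOWN_FRAMEWORKS."""
    return {
        control
        for control in control_index(repo)
        if control.split(":", 1)[0] not in KNOWN_FRAMEWORKS
    }


if __name__ == "__main__":
    today = date(2025, 6, 1)  # fixed so the report is reproducible
    for doc_id, age in sorted(stale_docs(SAMPLE_REPO, today).items()):
        print(f"{doc_id}: " + ("no reviewed date" if age is None else f"reviewed {age} days ago"))
    for control, ids in sorted(control_index(SAMPLE_REPO).items()):
        print(f"{control} <- {', '.join(ids)}")
    print("unknown frameworks:", sorted(unknown_framework_refs(SAMPLE_REPO)))
```

In a CI job the same functions would walk the real repo instead of `SAMPLE_REPO` and fail the pull request when `stale_docs` or `unknown_framework_refs` returns anything, which is what turns "reviewed annually" from a policy sentence into an enforced check.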