
cybersecurity-policy-generator

Included with Lifetime
$97 forever

Generate enterprise cybersecurity policies from 51 professional templates (SANS, CIS Controls) for ISO 27001, SOC 2, NIST, and CIS Controls compliance in Markdown, Word, HTML, and PDF formats


What this skill does
# Cybersecurity Policy Generator

## Purpose

Generate professional, framework-compliant cybersecurity policies using 51 industry-standard templates from SANS and CIS Controls. Creates complete policy documents customized for your organization in 4 formats: Markdown, Word, HTML, and PDF.

**Key capabilities:**
1. Browse 51 professional policy templates across 15 security categories
2. Interactive customization through the AskUserQuestion tool's multiple-choice UI
3. Map policies to ISO 27001, SOC 2, NIST CSF, CIS Controls v8, and GDPR
4. Generate professional policy documents in 4 formats
5. Support compliance requirements for security program development

## When to Use This Skill

Use this skill when you are:
- Starting a security program and need foundational policies (Acceptable Use, Password Policy, etc.)
- Preparing for compliance audits (ISO 27001, SOC 2, NIST CSF, CIS Controls)
- Updating outdated security policies with current best practices
- Creating incident response, data protection, or access control policies
- Building policy documentation for framework compliance
- Looking for professional policy templates instead of starting from scratch

**Do NOT use for:**
- Legal advice (templates require review by qualified legal counsel)
- Website privacy policies (this creates corporate security policies)
- Compliance certification (policies support but don't guarantee certification)
- Custom policy authoring from scratch (uses existing templates)
- Policy enforcement or monitoring (generates documents only)

## Workflow

### Phase 1: Policy Selection

**Step 1 - Ask How Many Policies:**

Use AskUserQuestion to ask:
- "How many policies would you like to generate?"
- Header: "Quantity"
- Options: 1 policy, 3 policies, 5 foundational policies, 10 comprehensive set, Custom number

If the user selects "Custom number", they can enter the number via the "Other" option.

**Step 2 - Browse Available Policies:**

Run `browse_policies.py` to list the 51 available policies. Optionally filter by the user's industry or compliance needs:

```bash
# Show all policies with categories
python3 scripts/browse_policies.py

# Or filter by their compliance framework
python3 scripts/browse_policies.py --framework "ISO 27001"
```

**Step 3 - Let User Select Specific Policies:**

Use AskUserQuestion with `multiSelect: true` to let the user choose policies:

Example for governance policies:
- "Which policies would you like to generate?" (multiSelect: true)
- Header: "Policies"
- Options: Present the 4 policies most relevant to the user's stated needs; the user can select more than one

**Repeat** AskUserQuestion for different categories if generating multiple policies:
- Governance policies (if needed)
- Identity & Access policies (if needed)
- Data Protection policies (if needed)
- etc.

**Alternative for 5/10 policy sets:** If the user selected a pre-defined set (such as "5 foundational"), select the appropriate policies automatically instead of asking about each one.

**Recommended Policy Sets:**
- **5 Foundational:** Information Security, Acceptable Use, Password, Data Classification, Data Recovery
- **10 Comprehensive:** Above 5 + Access Control, Incident Response, Remote Access, Security Awareness, Vulnerability Management

### Phase 2: Output Format Selection

Use AskUserQuestion to ask about output preferences:

**Question Set 1 - Output Formats:**

- "Which output formats do you need?" (multiSelect: true)
- Header: "Formats"
- Options:
  1. Markdown (.md) - For documentation systems
  2. Microsoft Word (.docx) - For legal review and editing
  3. HTML (.html) - For intranet publishing
  4. PDF (.pdf) - For distribution and printing

**Question Set 2 - Customization Level:**

- "Do you want to customize the document appearance?"
- Header: "Branding"
- Options:
  1. Standard - Use default professional formatting
  2. Custom - Add company logo and brand colors
  3. Minimal - Plain text, no styling
  4. Skip - Just generate policies quickly

If the user selects "Custom", ask these follow-up questions:
- "Do you have a company logo file?" (Yes - will provide path / No - use company name)
- "What are your brand colors?" (Provide hex codes or skip for defaults)
- "Any specific formatting preferences?" (Free text input)

### Phase 3: Organization Information

Use the **AskUserQuestion tool** to collect organization-specific information with beautiful multiple-choice UI.

**Question Set 1 - Organization Basics:**

Use AskUserQuestion to ask:
1. "What is your organization's legal name?" (The user types the name via the "Other" option; supply 2 placeholder options to satisfy the tool's minimum option count)
2. "What industry does your organization operate in?" (header: "Industry", options: Technology, Finance, Healthcare, Government, Manufacturing, Retail)
3. "How many employees does your organization have?" (header: "Size", options: <50, 50-500, 500-1000, 1000+)

**Question Set 2 - Governance:**

Use AskUserQuestion to ask:
1. "Who is the executive responsible for these policies?" (header: "Officer", options: CISO, CTO, CRO, VP InfoSec, IT Director)
2. "Which department owns these policies?" (header: "Department", options: InfoSec, IT, Risk, Compliance)
3. "What is the contact email for policy questions?" (header: "Contact", let user type via "Other")

**Question Set 3 - Lifecycle:**

Use AskUserQuestion to ask:
1. "When should these policies take effect?" (header: "Effective Date", provide common options like "Next month", "Start of quarter", "Custom date")
2. "How often will these policies be reviewed?" (header: "Review", options: Quarterly, Semi-annually, Annually, Bi-annually)

**Question Set 4 - Compliance:**

Use AskUserQuestion to ask (multiSelect: true):
1. "Which compliance frameworks must you meet?" (header: "Frameworks", options: ISO 27001, SOC 2, NIST CSF, CIS Controls v8, GDPR, HIPAA, PCI-DSS)
2. "Are there specific regulatory requirements?" (header: "Regulations", options: None, GDPR, HIPAA, PCI-DSS, SOX, GLBA, FERPA)

**Step 4:** Save the answers to a `customizations.json` file:
```json
{
  "company_name": "Acme Corporation Inc.",
  "industry": "Technology",
  "organization_size": "50-500 employees",
  "responsible_officer": "Chief Information Security Officer (CISO)",
  "responsible_department": "Information Security Department",
  "contact_email": "security@example.com",
  "effective_date": "2025-11-01",
  "review_schedule": "Annually",
  "version": "1.0",
  "frameworks": ["ISO 27001", "SOC 2"],
  "regulations": ["None"]
}
```

### Phase 4: Generate Policy Documents

For EACH selected policy, follow this process:

**Step 1 - Generate Markdown (Base Format):**

Create the Markdown `.md` file directly, containing:
- Company header with metadata
- Table of contents
- All policy sections (Purpose, Scope, Policy, Compliance, etc.)
- Compliance framework mappings
- Approval section

Save as: `output/markdown/{PolicyNumber}-{PolicyName}.md`
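The two steps above (read the `customizations.json` answers from Phase 3, then render the Markdown base document and save it under `output/markdown/{PolicyNumber}-{PolicyName}.md`) can be done with a small script. The following is an added example, not code shipped with the cybersecurity-policy-generator skill: it validates the answer set before anything is templated (bad email, non-ISO date, unknown review schedule), builds the header, table of contents, sections, framework mappings and approval block, and reduces the policy name to a safe slug before using it in the output path, so a policy name typed by the user cannot escape the output directory. The sample answers, the policy section text and all function names are constructed for this example.

```python
"""Added example: validate customizations.json answers and render one policy's
Markdown base document. Not part of the skill's own scripts; names and sample
data are constructed for illustration."""
from __future__ import annotations

import json
import re
from datetime import date
from pathlib import Path

# Keys the Phase 3 question sets produce (mirrors the customizations.json sample).
REQUIRED_KEYS = {
    "company_name", "industry", "organization_size", "responsible_officer",
    "responsible_department", "contact_email", "effective_date",
    "review_schedule", "version", "frameworks", "regulations",
}
REVIEW_SCHEDULES = {"Quarterly", "Semi-annually", "Annually", "Bi-annually"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample answers (placeholder e-mail domain).
SAMPLE_CUSTOMIZATIONS = {
    "company_name": "Acme Corporation Inc.",
    "industry": "Technology",
    "organization_size": "50-500 employees",
    "responsible_officer": "Chief Information Security Officer (CISO)",
    "responsible_department": "Information Security Department",
    "contact_email": "security@example.com",
    "effective_date": "2025-11-01",
    "review_schedule": "Annually",
    "version": "1.0",
    "frameworks": ["ISO 27001", "SOC 2"],
    "regulations": ["None"],
}


def validate_customizations(data: dict) -> list[str]:
    """Return a list of problems; an empty list means the answers are usable."""
    problems: list[str] = []
    missing = REQUIRED_KEYS - set(data)
    if missing:
        problems.append(f"missing keys: {sorted(missing)}")
    if "contact_email" in data and not EMAIL_RE.match(str(data["contact_email"])):
        problems.append("contact_email is not a valid address")
    if "effective_date" in data:
        try:
            date.fromisoformat(str(data["effective_date"]))
        except ValueError:
            problems.append("effective_date must be ISO 8601 (YYYY-MM-DD)")
    if data.get("review_schedule") not in REVIEW_SCHEDULES:
        problems.append(f"review_schedule must be one of {sorted(REVIEW_SCHEDULES)}")
    for key in ("frameworks", "regulations"):
        if key in data and not (isinstance(data[key], list) and data[key]):
            problems.append(f"{key} must be a non-empty list")
    return problems


def safe_slug(name: str) -> str:
    """Keep only [A-Za-z0-9-] so user-supplied text cannot alter the output directory."""
    slug = re.sub(r"[^A-Za-z0-9]+", "-", name).strip("-")
    if not slug:
        raise ValueError("policy name has no usable characters")
    return slug


def output_path(policy_number: str, policy_name: str,
                base: Path = Path("output/markdown")) -> Path:
    """Build output/markdown/{PolicyNumber}-{PolicyName}.md with a sanitized name."""
    return base / f"{safe_slug(policy_number)}-{safe_slug(policy_name)}.md"


def render_policy_markdown(policy_number: str, policy_name: str,
                           sections: dict[str, str], cust: dict) -> str:
    """Header, table of contents, policy sections, framework mappings, approval block."""
    problems = validate_customizations(cust)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        f"# {cust['company_name']} - {policy_name}", "",
        f"**Policy number:** {policy_number}  ",
        f"**Version:** {cust['version']}  ",
        f"**Effective date:** {cust['effective_date']}  ",
        f"**Review schedule:** {cust['review_schedule']}  ",
        f"**Owner:** {cust['responsible_officer']}, {cust['responsible_department']}  ",
        f"**Contact:** {cust['contact_email']}", "",
        "## Table of Contents", "",
    ]
    toc = list(sections) + ["Compliance Framework Mappings", "Approval"]
    lines += [f"{i}. {title}" for i, title in enumerate(toc, 1)]
    for title, body in sections.items():
        lines += ["", f"## {title}", "", body]
    lines += ["", "## Compliance Framework Mappings", ""]
    lines += [f"- {fw}" for fw in cust["frameworks"]]
    regulations = [r for r in cust["regulations"] if r != "None"]
    if regulations:
        lines += ["", "Applicable regulations: " + ", ".join(regulations)]
    lines += ["", "## Approval", "",
              f"Approved by: {cust['responsible_officer']}",
              "Signature: ______________   Date: __________", ""]
    return "\n".join(lines)


def write_policy(policy_number: str, policy_name: str,
                 sections: dict[str, str], cust: dict) -> Path:
    """Render and save the document; returns the path written."""
    path = output_path(policy_number, policy_name)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(render_policy_markdown(policy_number, policy_name, sections, cust), encoding="utf-8")
    return path


if __name__ == "__main__":
    cust = json.loads(Path("customizations.json").read_text(encoding="utf-8")) \
        if Path("customizations.json").exists() else SAMPLE_CUSTOMIZATIONS
    demo_sections = {"Purpose": "Constructed placeholder text.", "Scope": "All staff.",
                     "Policy": "Constructed placeholder text.", "Compliance": "See mappings."}
    print(write_policy("SEC-001", "Acceptable Use Policy", demo_sections, cust))
```

The validation step runs before any file is written, so a malformed answer set fails loudly instead of producing a policy with an unparsable effective date or an empty framework mapping; the slug step is what keeps `{PolicyName}` from carrying path separators into the save location.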

**Step 2 - Convert to Requested Formats:**

Based on user's format selections from Phase 2, **call specialized skills/agents** for each format:

**If Word (.docx) selected:**

**USE THE SKILL TOOL** to call document conversion:
```
Skill(command: "word-converter")
OR
Skill(command: "docx")
OR
Task(subagent_type: "document-converter", prompt: "Convert markdown to Word...")
```

Pass the markdown file path and request:
- Professional formatting (headers, footers)
- Company branding (if custom selected)
- Table of contents
- Styled sections
- Ready for legal review

**If HTML (.html) selected:**

**USE THE SKILL TOOL** to call HTML conversion:
```
Skill(command: "html-converter")
OR
Skill(command: "markdown-to-html")
```

Pass the markdown file and request:
- Responsive CSS styling
- Company colors (if custom branding)
- Clean, printable format
- Navigation-friendly structure

**If PDF (.pdf) selected:**

**USE THE SKILL TOOL** to call PDF conversion:
```
Skill(command: "pdf")
OR
Skill(command: "pdf-converter")
OR
Task(subagent_type: "document-converter", prompt: "Convert markdown to PDF...")
```

Pass the markdown file and request:
- Distribution-ready formatting
- Compan
