mikeparcewski/policy

Policy Skill

Interpret policies and translate into actionable requirements.

When to Use

• User needs policy interpretation
• Translating regulatory requirements to controls
• Mapping policies to implementation
• Gap analysis against policies
• User says "policy", "requirement", "what does this mean", "how do I comply"

Commands

/wicked-garden:platform:policy [--map] [--gap] [--guide]

Policy Types

| Type | Examples | Focus | |------|----------|-------| | Regulatory | GDPR, HIPAA, PCI | Legal requirements | | Industry | ISO 27001, NIST | Best practices | | Corporate | Security, Data policies | Internal rules | | Contractual | SLA, BAA, DPA | Agreement terms |

Analysis Process

1. Parse Policy

Extract requirements:

• MUST requirements (mandatory)
• SHOULD requirements (recommended)
• MAY requirements (optional)
• Exceptions and conditions

2. Map to Controls

Translate to technical controls:

Policy: "Personal data must be encrypted"

Controls:

• Encryption at rest (database, files)
• Encryption in transit (TLS)
• Key management
• Encryption verification

See detailed policy-to-control mappings:

• GDPR Mappings
• HIPAA Mappings
• SOC2 & PCI DSS Mappings

3. Identify Applicability

Determine scope:

• Which systems
• Which data types
• Which processes
• Which roles responsible

4. Assess Current State

Check what exists:

• Controls implemented
• Controls documented
• Controls tested
• Evidence collected

5. Identify Gaps

Find missing:

• Missing controls
• Incomplete implementation
• Insufficient documentation
• Inadequate testing

See refs/checklists-gdpr-hipaa.md, refs/checklists-soc2-pci-impl.md, and refs/checklists-gap-analysis.md for implementation checklists and gap analysis templates.

6. Provide Guidance

Recommend:

• Implementation steps
• Code examples
• Configuration guidance
• Documentation templates

Gap Analysis

Assessment Matrix

| Requirement | Current | Gap | Priority | Action | |-------------|---------|-----|----------|--------| | Encrypt PII | DB only | Files missing | P0 | Add file encryption | | Access logs | Basic | Missing details | P1 | Enhance logging | | Retention | None | No policy | P1 | Define policy |

Gap Categories

P0 - Critical: Legal violation, must fix immediately P1 - High: Best practice gap, fix soon P2 - Medium: Improvement, plan for next iteration

Integration

With native tasks

Create remediation tasks:

TaskCreate(
  subject="Implement {control}",
  description="Policy: {policy}\nGap: {gap}",
  metadata={
    "event_type": "task",
    "chain_id": "policy.remediation",
    "source_agent": "policy-reviewer",
    "priority": "{P0|P1|P2}"
  }
)

With wicked-garden:mem

Store interpretations:

/wicked-garden:mem:store "Policy: {name}\nInterpretation: {guidance}"

Output Format

## Policy Analysis: {Policy Name}

**Framework**: {GDPR|HIPAA|SOC2}
**Scope**: {what applies}
**Intent**: {what it achieves}

### Control Mapping
| Requirement | Control | Implementation |
|-------------|---------|----------------|
| Encrypt data | Technical | AES-256 |
| Access control | Technical | RBAC |

### Gap Analysis
| Gap | Priority | Action |
|-----|----------|--------|
| File encryption | P0 | Add AES-256 |
| Enhanced logging | P1 | Add details |

### Implementation
{Code examples}

### Next Steps
1. Fix P0 gaps
2. Collect evidence

Quality Standards

Good analysis:

• Clear interpretation
• Specific controls
• Code examples
• Gap assessment

Bad analysis:

• Copying policy text
• Vague recommendations
• No implementation details