원클릭으로
isms-compliance
ISMS policy alignment and compliance verification for Hack23 AB security standards (ISO 27001, NIST CSF 2.0, CIS Controls v8.1)
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
ISMS policy alignment and compliance verification for Hack23 AB security standards (ISO 27001, NIST CSF 2.0, CIS Controls v8.1)
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
| name | isms-compliance |
| description | ISMS policy alignment and compliance verification for Hack23 AB security standards (ISO 27001, NIST CSF 2.0, CIS Controls v8.1) |
| license | MIT |
This skill applies when:
All security practices in this repository align with Hack23 AB's Information Security Management System (ISMS) implementing ISO 27001:2022, NIST CSF 2.0, and CIS Controls v8.1.
/**
* MCP tool input validation service
*
* ISMS Policy: SC-002 (Secure Coding Standards)
* - Implements input validation for all MCP tool parameters
* - Sanitizes user-provided search queries and filters
* - Prevents injection attacks and data exfiltration
*
* Compliance: ISO 27001:2022 A.8.3, NIST CSF PR.DS-5, CIS Control 4.1
*/
export class InputValidationService {
private readonly MAX_QUERY_LENGTH = 200;
private readonly ALLOWED_CHARS = /^[a-zA-Z0-9\s\-_.]+$/;
/**
* Validates and sanitizes search query parameters
* Throws ValidationError if input is malformed or malicious
*/
validateSearchQuery(query: string): string {
if (typeof query !== 'string') {
throw new ValidationError('Query must be a string');
}
if (query.length > this.MAX_QUERY_LENGTH) {
throw new ValidationError(`Query exceeds maximum length of ${this.MAX_QUERY_LENGTH}`);
}
if (!this.ALLOWED_CHARS.test(query)) {
throw new ValidationError('Query contains invalid characters');
}
return query.trim();
}
}
## Security Architecture
### Authentication & Authorization
- **Policy**: [Access Control Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Access_Control_Policy.md)
- **Implementation**: API key authentication with rate limiting
- **Compliance**: ISO 27001:2022 A.5.15, NIST CSF PR.AC-1
### Data Protection
- **Policy**: [Privacy Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Privacy_Policy.md) + [Cryptography Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Cryptography_Policy.md)
- **Encryption**: TLS 1.3 for all API communications
- **Compliance**: ISO 27001:2022 A.8.24, NIST CSF PR.DS-1
### Input Validation
- **Policy**: [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md)
- **Implementation**: Zod whitelist validation for all inputs
- **Compliance**: OWASP API Security Top 10 (API1:2023)
/**
* Validate and sanitize European Parliament document ID
* ISMS Policy: SC-002 (Secure Coding Standards)
* Compliance: OWASP Top 10 (A03:2021 - Injection)
*/
export function validateDocumentId(id: string): string {
if (typeof id !== 'string') {
throw new ValidationError('Document ID must be a string');
}
// European Parliament document IDs follow format: EP-YYYYMMDD-NNNNN
const documentIdPattern = /^EP-\d{8}-\d{5}$/;
if (!documentIdPattern.test(id)) {
throw new ValidationError('Invalid document ID format');
}
return id;
}
{
"scripts": {
"preinstall": "npm audit --audit-level=moderate",
"test:security": "npm audit && npm run test:licenses",
"test:licenses": "license-checker --onlyAllow 'MIT;Apache-2.0;BSD-3-Clause;ISC'",
"prepare": "npm run build && npm run test:security"
}
}
/**
* Rate limiting middleware for MCP tool requests
* ISMS Policy: AC-002 (Access Control Policy - Rate Limiting)
* Prevents abuse and DoS attacks
* Compliance: NIST CSF PR.AC-4, CIS Control 13.3
*/
export class RateLimiter {
private readonly requests: Map<string, number[]> = new Map();
private readonly MAX_REQUESTS = 100;
private readonly WINDOW_MS = 15 * 60 * 1000; // 15 minutes
async checkLimit(clientId: string): Promise<void> {
const now = Date.now();
const clientRequests = this.requests.get(clientId) || [];
// Remove requests outside the window
const recentRequests = clientRequests.filter(
timestamp => now - timestamp < this.WINDOW_MS
);
if (recentRequests.length >= this.MAX_REQUESTS) {
const oldestRequest = Math.min(...recentRequests);
const retryAfter = Math.ceil((oldestRequest + this.WINDOW_MS - now) / 1000);
throw new RateLimitError(
`Rate limit exceeded. Try again in ${retryAfter} seconds.`,
retryAfter
);
}
recentRequests.push(now);
this.requests.set(clientId, recentRequests);
}
}
// Bad: No security policy reference or documentation
export class ApiService {
async queryDocuments(query: string) {
// Implementation without security context
return fetch(`/api/search?q=${query}`); // Potential injection!
}
}
// Bad: Insufficient validation, no policy reference
function validateInput(input: string): boolean {
return input.length > 0; // Too permissive!
}
// Bad: Directly using unvalidated input
async function search(query: string): Promise<Results> {
// No validation or sanitization - XSS/injection vulnerability
return await db.query(`SELECT * FROM docs WHERE title LIKE '%${query}%'`);
}
// Bad: No audit logging of security events
async function handleToolRequest(request: ToolRequest): Promise<ToolResponse> {
try {
return await processRequest(request);
// No logging of successful requests
} catch (error) {
return { error: error.message };
// No logging of failed requests or security violations
}
}
// Bad: No rate limiting allows abuse
export async function searchDocuments(query: SearchQuery): Promise<Results> {
// Anyone can make unlimited requests
return await europeanParliamentApi.search(query);
}
npm audit - Dependency vulnerability scanninglicense-checker - License compliance verificationC4 architecture model, security architecture, Mermaid diagrams, SECURITY_ARCHITECTURE.md, and comprehensive documentation per Hack23 Secure Development Policy
AI-augmented development controls, GitHub Copilot governance, LLM security, AI-generated code review per Hack23 Secure Development Policy
EU AI Act compliance, OWASP LLM security, responsible AI practices for parliamentary data and MCP server applications
Enforce code quality with ESLint, TypeScript strict mode, Knip unused detection, and quality gates for MCP servers
ISO 27001, NIST CSF 2.0, CIS Controls v8.1, EU CRA compliance mapping, multi-standard alignment per Hack23 ISMS policies
Contribution process with PR workflow, code review standards, commit conventions, and open source best practices