policy

Policy Skill

Interpret policies and translate into actionable requirements.

When to Use

• User needs policy interpretation
• Translating regulatory requirements to controls
• Mapping policies to implementation
• Gap analysis against policies
• User says "policy", "requirement", "what does this mean", "how do I comply"

Commands

/wicked-garden:platform:policy [--map] [--gap] [--guide]

Policy Types

Type	Examples	Focus
Regulatory	GDPR, HIPAA, PCI	Legal requirements
Industry	ISO 27001, NIST	Best practices
Corporate	Security, Data policies	Internal rules
Contractual	SLA, BAA, DPA	Agreement terms

Analysis Process

1. Parse Policy

Extract requirements:

• MUST requirements (mandatory)
• SHOULD requirements (recommended)
• MAY requirements (optional)
• Exceptions and conditions

2. Map to Controls

Translate to technical controls:

Policy: "Personal data must be encrypted"

Controls:

• Encryption at rest (database, files)
• Encryption in transit (TLS)
• Key management
• Encryption verification

See detailed policy-to-control mappings:

• GDPR Mappings
• HIPAA Mappings
• SOC2 & PCI DSS Mappings

3. Identify Applicability

Determine scope:

• Which systems
• Which data types
• Which processes
• Which roles responsible

4. Assess Current State

Check what exists:

• Controls implemented
• Controls documented
• Controls tested
• Evidence collected

5. Identify Gaps

Find missing:

• Missing controls
• Incomplete implementation
• Insufficient documentation
• Inadequate testing

See refs/checklists-gdpr-hipaa.md, refs/checklists-soc2-pci-impl.md, and refs/checklists-gap-analysis.md for implementation checklists and gap analysis templates.

6. Provide Guidance

Recommend:

• Implementation steps
• Code examples
• Configuration guidance
• Documentation templates

Gap Analysis

Assessment Matrix

Requirement	Current	Gap	Priority	Action
Encrypt PII	DB only	Files missing	P0	Add file encryption
Access logs	Basic	Missing details	P1	Enhance logging
Retention	None	No policy	P1	Define policy

Gap Categories

P0 - Critical: Legal violation, must fix immediately P1 - High: Best practice gap, fix soon P2 - Medium: Improvement, plan for next iteration

Integration

With native tasks

Create remediation tasks:

TaskCreate(
  subject="Implement {control}",
  description="Policy: {policy}\nGap: {gap}",
  metadata={
    "event_type": "task",
    "chain_id": "policy.remediation",
    "source_agent": "policy-reviewer",
    "priority": "{P0|P1|P2}"
  }
)

With wicked-garden:mem

Store interpretations:

/wicked-garden:mem:store "Policy: {name}\nInterpretation: {guidance}"

Output Format

## Policy Analysis: {Policy Name}

**Framework**: {GDPR|HIPAA|SOC2}
**Scope**: {what applies}
**Intent**: {what it achieves}

### Control Mapping
| Requirement | Control | Implementation |
|-------------|---------|----------------|
| Encrypt data | Technical | AES-256 |
| Access control | Technical | RBAC |

### Gap Analysis
| Gap | Priority | Action |
|-----|----------|--------|
| File encryption | P0 | Add AES-256 |
| Enhanced logging | P1 | Add details |

### Implementation
{Code examples}

### Next Steps
1. Fix P0 gaps
2. Collect evidence

Quality Standards

Good analysis:

• Clear interpretation
• Specific controls
• Code examples
• Gap assessment

Bad analysis:

• Copying policy text
• Vague recommendations
• No implementation details