https://runc9.github.io/In-house-grc-engineering-platform/
A data-driven GRC Engineering Platform that transforms CSV control data into automated compliance analytics and a live risk dashboard.
Shows mastery of control modeling, quantitative risk analysis, evidence automation, and GRC-as-code engineering.
CSV Inputs
├── canonical_controls.csv
├── framework_controls_* (ISO, NIST, SOC2)
└── risk_register.csv
        ↓
Python Engine (coverage, effectiveness, mitigation, residual risk)
        ↓
JSON Artifacts in /dist
        ↓
Interactive Web Dashboard (HTML + CSS + JS)
        ↓
GitHub Actions → GitHub Pages (CI/CD)
CSV → Engine:
Canonical controls, framework mappings, implementation evidence, and the risk register are ingested.
Engine → JSON:
Python computes coverage, effectiveness, mitigation, and residual risk.
JSON → Dashboard:
JavaScript renders charts, donuts, heatmaps, tables, and drill-downs.
CI/CD → Pages:
GitHub Actions regenerates the artifacts and deploys the dashboard on every push.
Unified CCC model across NIST SP 800-53, ISO 27001, and SOC 2.
Coverage and gaps normalized across frameworks.
- Coverage × confidence → numeric coverage
- Effectiveness → per-system and per-control scoring
Probabilistic product-of-inverses model of control strength.
Prevents unrealistic "zero risk" outputs by applying a 5% uncertainty factor.
- Coverage bar charts
- Effectiveness bar charts
- Donut charts by domain
- Risk heatmap
- Residual risk summary
- Top risks table
- Domain drill-down
- Gap analysis (<80%)
Upload your own risk register for instant client-side preview.
Automatic build → JSON generation → deployment.
CSV inputs:
- canonical_controls.csv
- framework_controls_iso.csv
- framework_controls_nist.csv
- framework_controls_soc2.csv
- mappings.csv
- implementations.csv
- risk_register.csv
Python engine:
- compute_coverage.py
- compute_effectiveness.py
- compute_residual.py
- run_all.py
- utils.py, load.py
Outputs:
- index.html
- styles.css
- app.js
This project demonstrates how modern teams evolve from compliance-as-checklist → compliance-as-engineering.
Not static PDFs.
Coverage and effectiveness turn into metrics.
Residual risk uses:
likelihood × impact × (1 − mitigation)
with a realistic residual risk floor to account for operational uncertainty.
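The following is an added example, not the project's own engine code, that runs the whole scoring chain described above on constructed CSV rows: coverage × confidence per system, per-control effectiveness, the product-of-inverses mitigation model with a 5% uncertainty cap (which is what gives the residual risk its floor), residual = likelihood × impact × (1 − mitigation), the <80% gap list, and the JSON artifact. The column names, the averaging of per-system scores into a control score, the exact product-of-inverses formula and the 95% cap are assumptions; the real engine's files and columns may differ.

```python
import csv
import io
import json
from collections import defaultdict

UNCERTAINTY = 0.05     # assumed encoding of the page's 5% uncertainty factor
GAP_THRESHOLD = 0.80   # page: gap analysis flags anything under 80%

# Constructed sample rows standing in for implementations.csv, mappings.csv
# and risk_register.csv; the column names are assumptions, not the project's.
IMPLEMENTATIONS_CSV = """control_id,system,coverage,confidence
AC-2,payments,1.0,0.9
AC-2,hr,0.5,0.8
SC-7,payments,0.8,0.5
SI-4,payments,0.0,1.0
IA-2,payments,1.0,1.0
"""
MAPPINGS_CSV = """risk_id,control_id
R1,AC-2
R1,SC-7
R2,SI-4
R3,IA-2
"""
RISK_REGISTER_CSV = """risk_id,title,likelihood,impact
R1,Unauthorized access to payment API,0.6,0.9
R2,Undetected intrusion,0.4,0.7
R3,Credential stuffing,0.5,0.8
"""


def read_rows(text):
    """Parse CSV text into a list of dicts, one per row."""
    return list(csv.DictReader(io.StringIO(text)))


def compute_coverage(implementations):
    """Numeric coverage per (control, system): coverage x confidence."""
    return {
        (row["control_id"], row["system"]):
        float(row["coverage"]) * float(row["confidence"])
        for row in implementations
    }


def compute_effectiveness(coverage_scores):
    """Per-control effectiveness: mean of that control's per-system scores."""
    per_control = defaultdict(list)
    for (control_id, _system), score in coverage_scores.items():
        per_control[control_id].append(score)
    return {cid: sum(s) / len(s) for cid, s in per_control.items()}


def compute_mitigation(effectiveness, control_ids):
    """Product-of-inverses model: controls are treated as independent, so the
    probability that every mapped control fails is the product of the
    individual failure probabilities (1 - effectiveness). Mitigation is capped
    at 1 - UNCERTAINTY so no risk is ever reported as fully mitigated."""
    p_all_fail = 1.0
    for cid in control_ids:
        p_all_fail *= 1.0 - effectiveness.get(cid, 0.0)   # unmapped/unknown control = no strength
    return min(1.0 - p_all_fail, 1.0 - UNCERTAINTY)


def compute_residual(risks, mappings, effectiveness):
    """Residual = likelihood x impact x (1 - mitigation). Because mitigation is
    capped, residual never drops below UNCERTAINTY x inherent risk (the floor)."""
    controls_for = defaultdict(list)
    for m in mappings:
        controls_for[m["risk_id"]].append(m["control_id"])
    rows = []
    for r in risks:
        likelihood, impact = float(r["likelihood"]), float(r["impact"])
        mitigation = compute_mitigation(effectiveness, controls_for[r["risk_id"]])
        inherent = likelihood * impact
        rows.append({
            "risk_id": r["risk_id"], "title": r["title"],
            "inherent": round(inherent, 4), "mitigation": round(mitigation, 4),
            "residual": round(inherent * (1.0 - mitigation), 4),
        })
    # Highest residual first: this is the "top risks" table order.
    return sorted(rows, key=lambda x: x["residual"], reverse=True)


def find_gaps(effectiveness, threshold=GAP_THRESHOLD):
    """Controls whose effectiveness is below the gap threshold."""
    return sorted(cid for cid, e in effectiveness.items() if e < threshold)


def run_engine(impl_csv=IMPLEMENTATIONS_CSV, map_csv=MAPPINGS_CSV,
               risk_csv=RISK_REGISTER_CSV):
    """Whole pipeline; returns the dict that would be written to /dist as JSON."""
    coverage = compute_coverage(read_rows(impl_csv))
    effectiveness = compute_effectiveness(coverage)
    return {
        "effectiveness": {k: round(v, 4) for k, v in effectiveness.items()},
        "gaps": find_gaps(effectiveness),
        "risks": compute_residual(read_rows(risk_csv), read_rows(map_csv), effectiveness),
    }


if __name__ == "__main__":
    print(json.dumps(run_engine(), indent=2))
```

With the constructed data, R3 is covered by a control at full effectiveness and still reports a residual of 0.02 (5% of its inherent 0.4) rather than zero, which is the behaviour the uncertainty factor exists to guarantee; R2 has only an unimplemented control mapped, so its residual equals its inherent risk, and AC-2, SC-7 and SI-4 all land in the gap list.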
Every commit regenerates risk and control analytics and redeploys the dashboard through CI/CD.
Charts, donuts, heatmaps, summaries, and drill-down tables provide a living view of the control and risk posture.
- CSV ingestion
- Data normalization
- Control mapping across frameworks
- Mitigation modeling
- Risk calculation
- Floor-adjusted residual scoring
- JSON artifact generation
- Bar chart rendering
- Donut chart rendering
- Heatmap rendering
- Control-level drill-down
- Gap detection
- Risk table generation
- CSV uploader (client-side only)
- Python environment setup
- Engine execution
- Artifact packaging
- GitHub Pages deployment
- Time-series trends (coverage/effectiveness over time)
- Multi-system architecture & comparison
- SOC2 / ISO / NIST control diffing
- Evidence ingestion from APIs
- Export to PDF/CSV reports
- "Control maturity" scoring
- Gap alert notifications
- ServiceNow / Jira integration
This project demonstrates real GRC engineering capability:
- You can model controls, mappings, and evidence as structured data
- You can build automated compliance and risk scoring engines
- You can visualize risk posture in a way leadership can act on
- You understand CI/CD, automation, and reproducible workflows
- You can convert governance requirements into working engineering systems
This is an in-house compliance analytics platform, not a checklist tool.
https://runc9.github.io/In-house-grc-engineering-platform/
Designed and built by @Runc9 as part of a GRC Engineering/AWS Cloud Security Compliance portfolio.