gnx/ETB
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
ETB/ETB-API/compliance_governance/Documentations/COMPLIANCE_GOVERNANCE_API.md
Iliyan Angelov 6b247e5b9f Updates
2025-09-19 11:58:53 +03:00

14 KiB
Raw Permalink Blame History

Compliance & Governance API Documentation

Overview

The Compliance & Governance module provides comprehensive functionality for managing regulatory compliance, evidence collection, retention policies, and export capabilities for auditors and regulators. This module supports major compliance frameworks including GDPR, HIPAA, SOX, and ISO 27001.

Features

  • Regulatory Frameworks: Manage compliance frameworks (GDPR, HIPAA, SOX, ISO 27001)
  • Compliance Requirements: Track individual compliance requirements and their status
  • Regulatory Workflows: Define and execute compliance workflows
  • Evidence Collection: Collect and manage evidence linked to incidents
  • Retention Policies: Implement data retention policies with auto-archive/delete
  • Export APIs: Generate exports for regulators and auditors
  • Compliance Reports: Create and manage compliance assessment reports
  • Legal Holds: Manage legal holds to prevent data deletion

API Endpoints

Base URL

/api/compliance/

Regulatory Frameworks

List Frameworks

GET /api/compliance/frameworks/

Query Parameters:

  • framework_type: Filter by framework type (GDPR, HIPAA, SOX, ISO27001, etc.)
  • is_active: Filter by active status (true/false)
  • effective_date_after: Filter frameworks effective after date
  • effective_date_before: Filter frameworks effective before date
  • search: Search in name, description, regions, or sectors

Response:

{
  "count": 4,
  "next": null,
  "previous": null,
  "results": [
    {
      "id": "uuid",
      "name": "GDPR Compliance Framework",
      "framework_type": "GDPR",
      "framework_type_display": "General Data Protection Regulation",
      "version": "1.0",
      "description": "GDPR compliance framework...",
      "applicable_regions": ["EU", "EEA", "UK"],
      "industry_sectors": ["Technology", "Healthcare"],
      "is_active": true,
      "effective_date": "2018-05-25",
      "review_date": "2024-05-25",
      "requirements_count": 12,
      "created_at": "2024-01-01T00:00:00Z",
      "updated_at": "2024-01-01T00:00:00Z"
    }
  ]
}

Get Framework Details

GET /api/compliance/frameworks/{id}/

Get Framework Requirements

GET /api/compliance/frameworks/{id}/requirements/

Query Parameters:

  • compliance_status: Filter by compliance status
  • priority: Filter by priority level

Get Framework Compliance Summary

GET /api/compliance/frameworks/{id}/compliance_summary/

Response:

{
  "total_requirements": 12,
  "compliant": 8,
  "partially_compliant": 2,
  "non_compliant": 1,
  "not_assessed": 1,
  "implemented": 10,
  "overdue_assessments": 2,
  "compliance_percentage": 80.0
}

Compliance Requirements

List Requirements

GET /api/compliance/requirements/

Query Parameters:

  • framework: Filter by framework ID
  • compliance_status: Filter by compliance status
  • requirement_type: Filter by requirement type
  • priority: Filter by priority level
  • is_implemented: Filter by implementation status
  • assigned_to: Filter by assigned user
  • overdue: Filter overdue assessments (true/false)
  • search: Search in title, description, or requirement ID

Update Compliance Status

POST /api/compliance/requirements/{id}/update_status/

Request Body:

{
  "compliance_status": "COMPLIANT"
}

Schedule Assessment

POST /api/compliance/requirements/{id}/schedule_assessment/

Request Body:

{
  "assessment_date": "2024-06-01"
}

Regulatory Workflows

List Workflows

GET /api/compliance/workflows/

Query Parameters:

  • workflow_type: Filter by workflow type
  • status: Filter by workflow status
  • is_template: Filter templates (true/false)
  • applicable_frameworks: Filter by framework ID
  • search: Search in name or description

Create Workflow Instance

POST /api/compliance/workflows/{id}/create_instance/

Request Body:

{
  "title": "GDPR Breach Response - Incident #12345",
  "description": "Response to data breach incident",
  "related_incident": "incident-uuid",
  "assigned_to": "user-uuid",
  "due_date": "2024-02-01T00:00:00Z"
}

Workflow Instances

List Workflow Instances

GET /api/compliance/workflow-instances/

Query Parameters:

  • workflow: Filter by workflow ID
  • status: Filter by instance status
  • assigned_to: Filter by assigned user
  • related_incident: Filter by related incident
  • overdue: Filter overdue instances (true/false)
  • search: Search in title, description, or current step

Advance Workflow Step

POST /api/compliance/workflow-instances/{id}/advance_step/

Request Body:

{
  "next_step": "assess",
  "step_data": {
    "risk_level": "HIGH",
    "affected_records": 1000
  }
}

Assign Stakeholder

POST /api/compliance/workflow-instances/{id}/assign_stakeholder/

Request Body:

{
  "stakeholder_id": "user-uuid"
}

Evidence Collection

List Evidence

GET /api/compliance/evidence/

Query Parameters:

  • incident: Filter by incident ID
  • evidence_type: Filter by evidence type
  • status: Filter by evidence status
  • collected_by: Filter by collector
  • compliance_requirement: Filter by requirement ID
  • search: Search in title, description, or notes

Add Custody Record

POST /api/compliance/evidence/{id}/add_custody_record/

Request Body:

{
  "action": "TRANSFERRED",
  "notes": "Transferred to legal team for review"
}

Verify Evidence

POST /api/compliance/evidence/{id}/verify_evidence/

Request Body:

{
  "verification_notes": "Evidence verified and authenticated"
}

Retention Policies

List Retention Policies

GET /api/compliance/retention-policies/

Query Parameters:

  • policy_type: Filter by policy type
  • is_active: Filter by active status
  • applicable_frameworks: Filter by framework ID
  • search: Search in name or description

Export Requests

List Export Requests

GET /api/compliance/export-requests/

Query Parameters:

  • request_type: Filter by request type
  • status: Filter by request status
  • requester_email: Filter by requester email
  • overdue: Filter overdue requests (true/false)
  • search: Search in title, description, or requester info

Approve Export Request

POST /api/compliance/export-requests/{id}/approve/

Request Body:

{
  "approval_notes": "Approved for regulatory submission"
}

Execute Export Request

POST /api/compliance/export-requests/{id}/execute/

Compliance Reports

List Compliance Reports

GET /api/compliance/reports/

Query Parameters:

  • framework: Filter by framework ID
  • report_type: Filter by report type
  • status: Filter by report status
  • prepared_by: Filter by preparer
  • search: Search in title, description, or summary

Legal Holds

List Legal Holds

GET /api/compliance/legal-holds/

Query Parameters:

  • status: Filter by hold status
  • active: Filter active holds (true/false)
  • search: Search in case name, number, or description

Add Incident to Legal Hold

POST /api/compliance/legal-holds/{id}/add_incident/

Request Body:

{
  "incident_id": "incident-uuid"
}

Add Evidence to Legal Hold

POST /api/compliance/legal-holds/{id}/add_evidence/

Request Body:

{
  "evidence_id": "evidence-uuid"
}

Data Models

Regulatory Framework

  • id: UUID primary key
  • name: Framework name
  • framework_type: Type (GDPR, HIPAA, SOX, ISO27001, etc.)
  • version: Framework version
  • description: Framework description
  • applicable_regions: List of applicable regions
  • industry_sectors: List of applicable sectors
  • compliance_requirements: List of requirements
  • is_active: Active status
  • effective_date: Effective date
  • review_date: Review date

Compliance Requirement

  • id: UUID primary key
  • framework: Related framework
  • requirement_id: Unique identifier within framework
  • title: Requirement title
  • description: Requirement description
  • requirement_type: Type (TECHNICAL, ADMINISTRATIVE, etc.)
  • priority: Priority level (CRITICAL, HIGH, MEDIUM, LOW)
  • compliance_status: Status (COMPLIANT, PARTIALLY_COMPLIANT, etc.)
  • is_implemented: Implementation status
  • assigned_to: Assigned user
  • next_assessment_date: Next assessment date

Evidence Collection

  • id: UUID primary key
  • incident: Related incident
  • title: Evidence title
  • description: Evidence description
  • evidence_type: Type (LOG_FILE, SCREENSHOT, DOCUMENT, etc.)
  • status: Status (COLLECTED, VERIFIED, ANALYZED, etc.)
  • file_path: File path
  • file_hash: SHA-256 hash for integrity
  • collected_by: Collector user
  • custody_chain: Chain of custody records
  • retention_period: Retention period

Retention Policy

  • id: UUID primary key
  • name: Policy name
  • policy_type: Type (INCIDENT_DATA, AUDIT_LOGS, etc.)
  • retention_period: Retention period value
  • retention_unit: Unit (DAYS, WEEKS, MONTHS, YEARS)
  • auto_archive: Auto-archive flag
  • auto_delete: Auto-delete flag
  • data_classification_levels: Applicable classification levels
  • incident_categories: Applicable incident categories
  • legal_hold_override: Legal hold override flag

Export Request

  • id: UUID primary key
  • title: Request title
  • request_type: Type (REGULATORY, AUDIT, LEGAL, INTERNAL)
  • status: Status (PENDING, APPROVED, IN_PROGRESS, etc.)
  • requester_name: Requester name
  • requester_organization: Requester organization
  • requester_email: Requester email
  • data_scope: Scope of data to export
  • date_range_start: Start date for data
  • date_range_end: End date for data
  • export_format: Export format (JSON, CSV, XML, PDF)
  • include_evidence: Include evidence flag
  • include_audit_trails: Include audit trails flag
  • redaction_required: Redaction required flag

Authentication

All API endpoints require authentication. Use one of the following methods:

  1. Token Authentication: Include Authorization: Token <your-token> header
  2. Session Authentication: Use Django session authentication
  3. SSO Authentication: Use configured SSO providers

Permissions

The API uses role-based access control (RBAC) with the following permission levels:

  • View: Read-only access to compliance data
  • Edit: Modify compliance data
  • Admin: Full administrative access
  • Auditor: Special access for audit and export functions

Error Handling

The API returns standard HTTP status codes:

  • 200: Success
  • 201: Created
  • 400: Bad Request
  • 401: Unauthorized
  • 403: Forbidden
  • 404: Not Found
  • 500: Internal Server Error

Error responses include detailed error messages:

{
  "error": "Invalid compliance status",
  "details": "Status must be one of: COMPLIANT, PARTIALLY_COMPLIANT, NON_COMPLIANT, NOT_ASSESSED"
}

Rate Limiting

API requests are rate-limited to prevent abuse:

  • Authenticated users: 1000 requests per hour
  • Unauthenticated users: 100 requests per hour

Pagination

List endpoints support pagination:

  • page: Page number (default: 1)
  • page_size: Items per page (default: 20, max: 100)

Filtering and Search

Most list endpoints support filtering and search:

  • Exact filters: Use field names with exact values
  • Date ranges: Use _after and _before suffixes
  • Search: Use search parameter for text search across multiple fields

Examples

Creating a GDPR Compliance Framework

curl -X POST "https://api.example.com/api/compliance/frameworks/" \
  -H "Authorization: Token your-token" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "GDPR Compliance Framework",
    "framework_type": "GDPR",
    "version": "1.0",
    "description": "GDPR compliance framework for EU data protection",
    "applicable_regions": ["EU", "EEA", "UK"],
    "industry_sectors": ["Technology", "Healthcare"],
    "is_active": true,
    "effective_date": "2018-05-25"
  }'

Creating an Export Request

curl -X POST "https://api.example.com/api/compliance/export-requests/" \
  -H "Authorization: Token your-token" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "GDPR Data Export Request",
    "description": "Export of personal data for regulatory review",
    "request_type": "REGULATORY",
    "requester_name": "John Doe",
    "requester_organization": "EU Data Protection Authority",
    "requester_email": "john.doe@dpa.eu",
    "data_scope": {
      "incidents": true,
      "evidence": true,
      "audit_trails": true
    },
    "date_range_start": "2023-01-01T00:00:00Z",
    "date_range_end": "2023-12-31T23:59:59Z",
    "export_format": "JSON",
    "include_evidence": true,
    "include_audit_trails": true,
    "redaction_required": false
  }'

Updating Compliance Status

curl -X POST "https://api.example.com/api/compliance/requirements/uuid/update_status/" \
  -H "Authorization: Token your-token" \
  -H "Content-Type: application/json" \
  -d '{
    "compliance_status": "COMPLIANT"
  }'

Integration with Other Modules

The Compliance & Governance module integrates with:

  • Incident Intelligence: Links evidence and workflows to incidents
  • Security: Uses data classification and user permissions
  • Automation Orchestration: Triggers compliance workflows
  • SLA & On-Call: Manages compliance deadlines and escalations

Setup and Configuration

  1. Install the module: Add compliance_governance to INSTALLED_APPS
  2. Run migrations: python manage.py migrate
  3. Create sample data: python manage.py setup_compliance_governance
  4. Configure frameworks: Set up your specific compliance frameworks
  5. Define workflows: Create regulatory workflows for your processes
  6. Set retention policies: Configure data retention policies

Support

For technical support or questions about the Compliance & Governance API:

  • Documentation: Check this documentation and inline API docs
  • Admin Interface: Use Django admin for data management
  • Logs: Check application logs for detailed error information
  • Support Team: Contact your system administrator