Compliance Frameworks
Implement continuous compliance with major regulatory frameworks through unified control mapping, policy-as-code enforcement, and automated evidence collection.
Purpose
Modern compliance is a continuous engineering discipline: the controls are technical, and they have to be implemented, tested and evidenced in code. This skill provides patterns for SOC 2 Type II, HIPAA, PCI DSS 4.0 and GDPR compliance using infrastructure-as-code, policy automation and automated evidence collection. The focus is on unified controls that satisfy several frameworks at once, so each control is built, tested and evidenced once rather than once per framework.
When to Use
Invoke when:
- •Building SaaS products requiring SOC 2 Type II for enterprise sales
- •Handling healthcare data (PHI) requiring HIPAA compliance
- •Processing payment cards requiring PCI-DSS validation
- •Serving EU residents and processing personal data under GDPR
- •Implementing security controls that satisfy multiple compliance frameworks
- •Automating compliance evidence collection and audit preparation
- •Enforcing compliance policies in CI/CD pipelines
Framework Selection
Tier 1: Trust & Security Certifications
SOC 2 Type II
- •Audience: SaaS vendors, cloud service providers
- •When required: Enterprise B2B sales, handling customer data
- •Timeline: Type II observation period of 3-12 months (6-12 months is typical for a first report), then an annual re-audit
- •Note: SOC 2 is an AICPA attestation against the Trust Services Criteria. It prescribes neither a control-testing cadence nor a breach-notification deadline; continuous (e.g. monthly) control monitoring and customer-notification commitments come from your own policies and contracts, and the auditor tests that you meet them
ISO 27001
- •Audience: Global enterprises
- •When required: International business, government contracts
- •Timeline: 3-6 month certification, annual surveillance
Tier 2: Industry-Specific Regulations
HIPAA (Healthcare)
- •Audience: Healthcare providers, health tech handling PHI
- •When required: Processing Protected Health Information
- •2025: HHS proposed Security Rule updates (NPRM published January 2025, not yet final) that would drop the "addressable" category and require encryption, MFA, an asset inventory and network segmentation outright
PCI-DSS 4.0 (Payment Card Industry)
- •Audience: Merchants, payment processors
- •When required: Processing, storing, transmitting cardholder data
- •Effective: v3.2.1 was retired on March 31, 2024; the future-dated v4.0 requirements became mandatory on March 31, 2025; v4.0.1 (June 2024) is the current release
- •Key changes: payment-page script inventory and tamper detection (Req 6.4.3, 11.6.1), 12-character minimum passwords (Req 8.3.6), MFA for all access into the cardholder data environment (Req 8.4.2)
Tier 3: Privacy Regulations
GDPR (EU Privacy)
- •Audience: Organizations processing EU residents' data
- •When required: EU customers/users (extraterritorial)
- •Breach reporting: 72 hours to the supervisory authority (Art 33) and without undue delay to data subjects where the risk is high (Art 34); fines up to €20M or 4% of worldwide annual turnover (Art 83). The 6% ceiling belongs to the Digital Services Act and AI transparency duties to the EU AI Act, both separate regulations
CCPA/CPRA (California Privacy)
- •Audience: Businesses serving California residents
- •When required: annual revenue above $25M, or buying, selling or sharing personal information of 100,000+ California consumers or households, or 50%+ of revenue from selling or sharing personal information
For detailed framework requirements, see references/soc2-controls.md, references/hipaa-safeguards.md, references/pci-dss-requirements.md, and references/gdpr-articles.md.
Universal Control Implementation
Unified Control Strategy
Implement each control once, tag it, and map it to every framework it satisfies. The control is then built, tested and evidenced once instead of once per framework.
Implementation Priority:
- •Encryption (ENC-001, ENC-002): AES-256 at rest, TLS 1.3 in transit
- •Access Control (MFA-001, RBAC-001): MFA, RBAC, least privilege
- •Audit Logging (LOG-001): Centralized, immutable, retention set per regulation (see Logging & Monitoring below)
- •Monitoring (MON-001): SIEM, intrusion detection, alerting
- •Incident Response (IR-001): Detection, escalation, breach notification
Control Categories
Identity & Access:
- •Multi-factor authentication for privileged access
- •Role-based access control with least privilege
- •Quarterly access reviews
- •Password policy: 12+ characters, complexity
Data Protection:
- •Encryption: AES-256 (rest), TLS 1.3 (transit)
- •Data classification and tagging
- •Retention policies aligned with regulations
- •Data minimization
Logging & Monitoring:
- •Centralized audit logging (all auth and data access)
- •Retention set by regulation: PCI DSS requires at least 12 months with the latest 3 months immediately available (Req 10.5.1); HIPAA requires 6 years for required documentation (§164.316(b)(2)); GDPR's storage-limitation principle (Art 5(1)(e)) means logs containing personal data need a documented retention basis. A blanket 7 years is a conservative default, not a requirement of any of these frameworks
- •Immutable storage (S3 Object Lock)
- •Real-time alerting
Network Security:
- •Network segmentation and VPC isolation
- •Firewalls with deny-by-default
- •Intrusion detection/prevention
- •Regular vulnerability scanning
Incident Response:
- •Documented incident response plan
- •Automated detection and alerting
- •Breach notification: HIPAA within 60 days of discovery (§164.404-164.408); GDPR 72 hours to the supervisory authority (Art 33); PCI DSS per your acquirer's and the card brands' rules, in practice immediately; SOC 2 itself sets no deadline, the commitment comes from customer contracts
Business Continuity:
- •Automated backups with defined RPO/RTO
- •Multi-region disaster recovery
- •Regular failover testing
For complete control implementations, see references/control-mapping-matrix.md.
Compliance as Code
Policy Enforcement with OPA
Enforce compliance policies in CI/CD before infrastructure deployment.
Architecture:
```text
Git Push → Terraform Plan → JSON → OPA Evaluation
                                     ├─► Pass → Deploy
                                     └─► Fail → Block
```
Example: Encryption Policy
Enforce encryption requirements (SOC 2 CC6.1, HIPAA §164.312(a)(2)(iv), PCI DSS 4.0 Req 3.5.1):
See examples/opa-policies/encryption.rego for complete implementation.
CI/CD Integration:
```bash
terraform plan -out=tfplan.binary
terraform show -json tfplan.binary > tfplan.json
# The query is true only when the deny set is empty. --fail makes opa exit non-zero
# on an undefined (i.e. false) result, which is what blocks the pipeline step.
opa eval --fail --data policies/ --input tfplan.json 'count(data.compliance.main.deny) == 0'
```
For complete CI/CD patterns, see references/cicd-integration.md.
Static Analysis with Checkov
Scan IaC with built-in compliance framework support:
```bash
checkov -d ./terraform \
  --output cli --output json
```
Note that in the open-source CLI `--check` takes check IDs or severities (e.g. `--check CKV_AWS_145,CKV_AWS_16` for S3 KMS encryption and RDS encryption at rest), not framework names; filtering by SOC2/HIPAA/PCI/GDPR tags requires the Prisma Cloud platform integration. Verify that your filter actually selects checks before relying on it to block a pipeline. Create custom policies for organization-specific requirements. See examples/checkov-policies/ for examples.
Automated Testing
Integrate compliance validation into test suites:
```python
import json
import subprocess


def test_s3_encrypted(terraform_plan):
    """SOC2:CC6.1, HIPAA:164.312(a)(2)(iv), PCI-DSS:3.5.1 (helpers from references/compliance-testing.md)"""
    buckets = get_resources(terraform_plan, "aws_s3_bucket")
    encrypted = get_encryption_configs(terraform_plan)
    assert all_buckets_encrypted(buckets, encrypted)


def test_opa_policies():
    # opa eval prints {"result": [{"expressions": [{"value": <deny set>, ...}]}]}, so
    # unwrap the deny set; the raw document is never empty and would always pass
    result = subprocess.run(
        ["opa", "eval", "--data", "policies/", "--input", "tfplan.json",
         "data.compliance.main.deny"],
        capture_output=True, text=True, check=True)
    denies = json.loads(result.stdout)["result"][0]["expressions"][0]["value"]
    assert denies == [], denies
```
For complete test patterns, see references/compliance-testing.md.
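As an added example (not the page's encryption.rego and not the helpers from references/compliance-testing.md), here is the same ENC-001 policy as a Python checker over `terraform show -json` output, usable on its own or from the pytest suite above. It reads `resource_changes` for planned values and the `configuration` section for bucket references, because when a bucket and its SSE configuration are created in the same run the configuration's `bucket` value is unknown at plan time. The plan at the bottom is a constructed, trimmed sample; `KMS_ALGORITHMS` and the resource types covered are this example's choices.

```python
"""ENC-001 as a Python check over Terraform plan JSON (added example)."""
import json
import sys

CONTROL_ID = "ENC-001"
FRAMEWORKS = "SOC2 CC6.1 / HIPAA 164.312(a)(2)(iv) / PCI DSS 4.0 Req 3.5.1"
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}  # SSE-S3 (AES256) is not KMS-managed


def _changes(plan):
    """Yield (address, type, planned values) for resources the plan creates or updates."""
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if set(change.get("actions", [])) & {"create", "update"}:
            yield rc["address"], rc["type"], change.get("after") or {}


def _sse_covered_buckets(plan):
    """Bucket addresses that an aws_s3_bucket_server_side_encryption_configuration
    points at, resolved through expression references such as "aws_s3_bucket.data.id"
    in the plan's configuration section (present even when the value is unknown)."""
    covered = set()

    def walk(module, prefix=""):
        for res in module.get("resources", []):
            if res.get("type") != "aws_s3_bucket_server_side_encryption_configuration":
                continue
            refs = res.get("expressions", {}).get("bucket", {}).get("references", [])
            for ref in refs:
                parts = ref.split(".")
                if len(parts) >= 2 and parts[0] == "aws_s3_bucket":
                    covered.add(prefix + ".".join(parts[:2]))
        for name, call in module.get("module_calls", {}).items():
            walk(call.get("module", {}), f"{prefix}module.{name}.")

    walk(plan.get("configuration", {}).get("root_module", {}))
    return covered


def evaluate(plan):
    """Deny messages for the plan; an empty list means ENC-001 passes."""
    covered = _sse_covered_buckets(plan)
    deny = []
    for address, rtype, after in _changes(plan):
        bare = address.split("[")[0]  # drop count/for_each index for the coverage lookup
        if rtype == "aws_s3_bucket" and bare not in covered:
            deny.append(f"{address}: no server-side encryption configuration")
        elif rtype == "aws_s3_bucket_server_side_encryption_configuration":
            rule = (after.get("rule") or [{}])[0]  # nested blocks are lists in plan JSON
            default = (rule.get("apply_server_side_encryption_by_default") or [{}])[0]
            algo = default.get("sse_algorithm")
            if algo not in KMS_ALGORITHMS:
                deny.append(f"{address}: sse_algorithm must be aws:kms, got {algo!r}")
        elif rtype == "aws_db_instance" and after.get("storage_encrypted") is not True:
            deny.append(f"{address}: storage_encrypted must be true")
        elif rtype == "aws_ebs_volume" and after.get("encrypted") is not True:
            deny.append(f"{address}: encrypted must be true")
    return [f"[{CONTROL_ID}] {msg} ({FRAMEWORKS})" for msg in sorted(deny)]


# Constructed sample plan, trimmed to the fields the check reads
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "acme-data"}}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "acme-logs"}}},
        {"address": "aws_s3_bucket_server_side_encryption_configuration.data",
         "type": "aws_s3_bucket_server_side_encryption_configuration",
         "change": {"actions": ["create"], "after": {"rule": [
             {"apply_server_side_encryption_by_default": [{"sse_algorithm": "aws:kms"}]}]}}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["create"], "after": {"storage_encrypted": True}}},
        {"address": "aws_ebs_volume.scratch", "type": "aws_ebs_volume",
         "change": {"actions": ["create"], "after": {"encrypted": False}}},
        {"address": "aws_s3_bucket.legacy", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "after": None}},  # being removed: not checked
    ],
    "configuration": {"root_module": {"resources": [
        {"address": "aws_s3_bucket_server_side_encryption_configuration.data",
         "type": "aws_s3_bucket_server_side_encryption_configuration",
         "expressions": {"bucket": {"references": ["aws_s3_bucket.data.id", "aws_s3_bucket.data"]}}},
    ]}},
}


def main(path="tfplan.json"):
    with open(path) as f:
        denies = evaluate(json.load(f))
    for d in denies:
        print(d)
    return 1 if denies else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

Against the sample plan the checker denies the unencrypted EBS volume and the `logs` bucket that has no SSE configuration, while the `data` bucket passes through the configuration reference even though its `bucket` attribute is unknown. Run it as `python enc001.py tfplan.json` in the same pipeline step as `opa eval`, or call `evaluate()` from a test.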
Technical Control Implementations
Encryption at Rest
Standards: AES-256, managed KMS, automatic rotation
AWS Example:
resource "aws_kms_key" "data" {
enable_key_rotation = true
tags = { Compliance = "ENC-001" }
}
resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
bucket = aws_s3_bucket.data.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
kms_master_key_id = aws_kms_key.data.arn
}
}
}
resource "aws_db_instance" "main" {
storage_encrypted = true
kms_key_id = aws_kms_key.data.arn
}
For complete encryption implementations including Azure and GCP, see references/encryption-implementations.md.
Encryption in Transit
Standards: TLS 1.3 (TLS 1.2 minimum), strong ciphers, HSTS
ALB Example:
resource "aws_lb_listener" "https" {
port = 443
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
Multi-Factor Authentication
Standards: TOTP, hardware tokens, biometric for privileged access
AWS IAM Enforcement:
resource "aws_iam_policy" "require_mfa" {
policy = jsonencode({
Statement = [{
Effect = "Deny"
NotAction = ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice"]
Resource = "*"
Condition = {
BoolIfExists = { "aws:MultiFactorAuthPresent" = "false" }
}
}]
})
}
For application-level MFA (TOTP), see examples/mfa-implementation.py.
Role-Based Access Control
Standards: Least privilege, job function-based roles, quarterly reviews
Kubernetes Example:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: development
rules:
  - apiGroups: ["", "apps"]
    resources: ["pods", "deployments", "services"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]  # read-only, but get/list still return secret values
```
For complete RBAC patterns including AWS IAM and OPA policies, see references/access-control-patterns.md.
Audit Logging
Standards: Structured JSON, retention per regulation (7 years as a conservative default), immutable storage
Required Events: Authentication, authorization, data access, administrative actions, security events
Python Example:
```python
import json
import logging
from datetime import datetime, timezone
from enum import Enum


class EventType(Enum):  # the five required event classes
    AUTH = "authentication"
    AUTHZ = "authorization"
    DATA_ACCESS = "data_access"
    ADMIN = "administrative"
    SECURITY = "security"


class AuditLogger:
    def __init__(self):
        self.logger = logging.getLogger("audit")

    def log_event(self, event_type, user_id, resource_type,
                  resource_id, action, result, ip_address):
        audit_event = {
            "timestamp": datetime.now(timezone.utc).isoformat(),  # tz-aware UTC
            "event_type": event_type.value,
            "user_id": user_id,
            "action": action,
            "result": result,
            "resource": {"type": resource_type, "id": resource_id},
            "source": {"ip": ip_address},
        }
        self.logger.info(json.dumps(audit_event))  # one JSON object per line
```
Log Retention:
resource "aws_cloudwatch_log_group" "audit" {
retention_in_days = 2555 # 7 years
kms_key_id = aws_kms_key.logs.arn
}
resource "aws_s3_bucket_object_lock_configuration" "audit" {
bucket = aws_s3_bucket.audit_logs.id
rule {
default_retention { mode = "COMPLIANCE"; years = 7 }
}
}
For complete audit logging patterns including HIPAA PHI access logging, see references/audit-logging-patterns.md.
Evidence Collection Automation
Continuous Monitoring
Automate evidence collection for continuous compliance validation.
Architecture:
```text
AWS Config → EventBridge → Lambda → S3 (Evidence)
                                  → DynamoDB (Status)
```
Evidence Collection:
```python
from datetime import datetime, timezone


class EvidenceCollector:
    def collect_encryption_evidence(self):
        evidence = {
            "control_id": "ENC-001",
            "frameworks": ["SOC2-CC6.1", "HIPAA-164.312(a)(2)(iv)"],
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "status": "PASS",
            "findings": []
        }
        # Check S3, RDS and EBS encryption status; append a finding per unencrypted
        # resource and flip status to "FAIL" if any finding was recorded
        return evidence
```
For complete evidence collector, see examples/evidence-collection/evidence_collector.py.
Audit Report Generation
Generate compliance reports automatically:
```python
class AuditReportGenerator:
    def generate_soc2_report(self, start_date, end_date):
        controls = self.get_control_status("SOC2")
        return {
            "framework": "SOC 2 Type II",
            "compliance_score": self.calculate_score(controls),
            "trust_services_criteria": {...},
            "controls": self.format_controls(controls)
        }
```
For complete report generator, see examples/evidence-collection/report_generator.py.
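As an added example (not the page's evidence_collector.py or report_generator.py), here are both steps together in a form that runs offline: three checks produce control-mapped evidence records, each carrying a SHA-256 digest so an auditor can confirm the record was not edited after it landed in the Object Lock bucket, and a report scores the records per framework. The inventory dict is a constructed stand-in for the fields you would pull with boto3 (GetBucketEncryption, DescribeDBInstances, DescribeVolumes, ListUsers/ListMFADevices, DescribeTrails); its key names are this example's, not the AWS API's.

```python
"""Evidence records plus a per-framework report from an inventory snapshot (added example)."""
from datetime import datetime, timezone
import hashlib
import hmac
import json

# Unified control -> framework citations (same scheme as the Control Mapping Matrix)
CONTROL_MAP = {
    "ENC-001": ["SOC2-CC6.1", "HIPAA-164.312(a)(2)(iv)", "PCI-DSS-3.5.1", "GDPR-Art32"],
    "MFA-001": ["SOC2-CC6.1", "HIPAA-164.312(d)", "PCI-DSS-8.4", "GDPR-Art32"],
    "LOG-001": ["SOC2-CC7.2", "HIPAA-164.312(b)", "PCI-DSS-10.2", "GDPR-Art32"],
}


def check_enc_001(inv):
    """Every S3 bucket (KMS), RDS instance and EBS volume encrypted at rest."""
    findings = [f"s3://{b['name']}: default encryption is {b.get('sse_algorithm')!r}"
                for b in inv["s3_buckets"]
                if b.get("sse_algorithm") not in ("aws:kms", "aws:kms:dsse")]
    findings += [f"rds:{d['id']}: StorageEncrypted=false"
                 for d in inv["rds_instances"] if not d.get("storage_encrypted")]
    findings += [f"ebs:{v['id']}: Encrypted=false"
                 for v in inv["ebs_volumes"] if not v.get("encrypted")]
    return findings


def check_mfa_001(inv):
    """Every IAM user with a console password has an MFA device."""
    return [f"iam:{u['name']}: console access without MFA"
            for u in inv["iam_users"] if u.get("password_enabled") and not u.get("mfa_devices")]


def check_log_001(inv):
    """A multi-region CloudTrail with log file validation delivering to an Object Lock bucket."""
    ok = any(t.get("multi_region") and t.get("log_file_validation") and t.get("bucket_object_lock")
             for t in inv["cloudtrail_trails"])
    return [] if ok else ["no multi-region trail with log file validation into an Object Lock bucket"]


CHECKS = {"ENC-001": check_enc_001, "MFA-001": check_mfa_001, "LOG-001": check_log_001}


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def collect_evidence(inv, now=None):
    """One evidence record per control; the digest covers every field except itself."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    records = []
    for control_id, check in CHECKS.items():
        findings = check(inv)
        body = {"control_id": control_id, "frameworks": CONTROL_MAP[control_id], "timestamp": ts,
                "status": "FAIL" if findings else "PASS", "findings": findings}
        body["sha256"] = _digest(body)
        records.append(body)
    return records


def verify_record(record):
    """True if the record's digest still matches its contents (tamper check at audit time)."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return hmac.compare_digest(record.get("sha256", ""), _digest(body))


def framework_report(records, framework_prefix):
    """Score = passing controls / controls mapped to the framework, with failures listed."""
    relevant = [r for r in records if any(f.startswith(framework_prefix) for f in r["frameworks"])]
    passed = sum(1 for r in relevant if r["status"] == "PASS")
    return {
        "framework": framework_prefix,
        "controls_tested": len(relevant),
        "compliance_score": round(100 * passed / len(relevant), 1) if relevant else None,
        "failing_controls": {r["control_id"]: r["findings"] for r in relevant if r["status"] == "FAIL"},
    }


# Constructed snapshot, not real account data
SAMPLE_INVENTORY = {
    "s3_buckets": [{"name": "acme-data", "sse_algorithm": "aws:kms"},
                   {"name": "acme-exports", "sse_algorithm": "AES256"}],
    "rds_instances": [{"id": "main", "storage_encrypted": True}],
    "ebs_volumes": [{"id": "vol-0a1b2c3d", "encrypted": True}],
    "iam_users": [{"name": "alice", "password_enabled": True,
                   "mfa_devices": ["arn:aws:iam::123456789012:mfa/alice"]},
                  {"name": "svc-deploy", "password_enabled": False, "mfa_devices": []},
                  {"name": "bob", "password_enabled": True, "mfa_devices": []}],
    "cloudtrail_trails": [{"name": "org", "multi_region": True, "log_file_validation": True,
                           "bucket_object_lock": True}],
}

if __name__ == "__main__":
    evidence = collect_evidence(SAMPLE_INVENTORY)
    print(json.dumps(framework_report(evidence, "SOC2"), indent=2))
```

On the sample inventory ENC-001 fails on the SSE-S3 bucket, MFA-001 fails on the user without a device, LOG-001 passes, and the SOC 2 report scores 33.3% with both failures listed. In the Lambda from the architecture above, the records would be written to the evidence bucket and the status to DynamoDB; `verify_record()` is what an auditor (or your own reconciliation job) runs against what was stored.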
Control Mapping Matrix
Unified control mapping across frameworks:
| Control | SOC 2 | HIPAA | PCI DSS 4.0 | GDPR | ISO 27001:2013 (2022) |
|---|---|---|---|---|---|
| MFA | CC6.1 | §164.312(d) | Req 8.4 | Art 32 | A.9.4.2 (A.8.5) |
| Encryption at Rest | CC6.1 | §164.312(a)(2)(iv) | Req 3.5.1 | Art 32 | A.10.1.1 (A.8.24) |
| Encryption in Transit | CC6.7 | §164.312(e)(1) | Req 4.2.1 | Art 32 | A.13.1.1 (A.8.20, A.8.24) |
| Audit Logging | CC7.2 | §164.312(b) | Req 10.2 | Art 32 | A.12.4.1 (A.8.15) |
| Access Reviews | CC6.3 | §164.308(a)(4)(ii)(C) | Req 7.2.4 | Art 32 | A.9.2.5 (A.5.18) |
| Vulnerability Scanning | CC7.1 | §164.308(a)(8) | Req 11.3 | Art 32 | A.12.6.1 (A.8.8) |
| Incident Response | CC7.3, CC7.4 | §164.308(a)(6) | Req 12.10 | Art 33, Art 34 | A.16.1.1 (A.5.24-A.5.26) |
The PCI column uses v4.0 numbering; v3.2.1 numbers differ (MFA was Req 8.3, PAN-at-rest was Req 3.4, quarterly scans Req 11.2). GDPR Art 30 (records of processing activities) is a documentation duty separate from the security logging covered by Art 32.
Strategy: Implement once with proper tagging, map to all applicable frameworks.
For complete control mapping with 45+ controls, see references/control-mapping-matrix.md.
Breach Notification Requirements
Framework-Specific Timelines:
- •HIPAA: affected individuals without unreasonable delay and no later than 60 days after discovery; HHS at the same time for breaches affecting 500+ individuals, otherwise in the annual log (§164.404-164.408)
- •GDPR: 72 hours to the supervisory authority (Art 33); data subjects without undue delay where the breach is likely to result in high risk (Art 34)
- •SOC 2: no deadline in the Trust Services Criteria; notify customers within the window your contracts and incident policy commit to, which is what the auditor tests against
- •PCI DSS: the acquirer and affected payment brands per their programme rules, in practice immediately on confirmation (Req 12.10.1 requires the incident plan to cover this notification)
Required Elements:
- •Description of incident and data involved
- •Estimated number of affected individuals
- •Steps taken to mitigate harm
- •Contact information for questions
- •Remediation actions and timeline
For incident response templates, see references/incident-response-templates.md.
Vendor Management
Business Associate Agreements (HIPAA):
- •Required for all vendors handling PHI
- •Specify permitted uses and disclosures
- •Require appropriate safeguards
- •Annual review and renewal
Data Processing Agreements (GDPR):
- •Required for all vendors processing personal data
- •Process only on controller instructions
- •Implement appropriate technical measures
- •Sub-processor approval required
Assessment Process:
- •Risk classification by data access level
- •Security questionnaire evaluation
- •BAA/DPA execution
- •SOC 2 Type II report collection (covering the most recent period, with a bridge letter for any gap since the period end)
- •Annual re-assessment
For vendor management templates, see references/vendor-management.md.
Tools & Libraries
Policy as Code:
- •Open Policy Agent (OPA): General-purpose policy engine
- •Checkov: IaC security scanning with compliance frameworks
- •tfsec: Terraform security scanner
- •Trivy: Container and IaC scanner
Compliance Automation:
- •AWS Config: AWS resource compliance monitoring
- •Cloud Custodian: Multi-cloud compliance automation
- •Drata/Vanta/Secureframe: Continuous compliance platforms
For tool selection guidance, see references/tool-recommendations.md.
Integration with Other Skills
Related Skills:
- •security-hardening: Technical security control implementation
- •secret-management: Secrets handling per HIPAA/PCI-DSS
- •infrastructure-as-code: IaC implementing compliance controls
- •kubernetes-operations: K8s RBAC, network policies
- •building-ci-pipelines: Policy enforcement in CI/CD
- •siem-logging: Audit logging and monitoring
- •incident-management: Incident response procedures
Quick Reference
Implementation Checklist:
- • Identify applicable frameworks
- • Implement encryption (AES-256, TLS 1.3)
- • Configure MFA for privileged access
- • Implement RBAC with least privilege
- • Set up audit logging (immutable storage, retention per regulation)
- • Configure security monitoring/alerting
- • Create incident response plan
- • Execute vendor agreements (BAAs, DPAs)
- • Implement policy-as-code (OPA, Checkov)
- • Automate evidence collection
- • Conduct quarterly access reviews
- • Perform annual risk assessments
Common Mistakes:
- •Treating compliance as one-time project vs continuous process
- •Implementing per-framework vs unified controls
- •Manual evidence collection vs automation
- •Log retention below what the applicable regulation requires (PCI DSS 12 months, HIPAA 6 years for documentation), or retaining personal data in logs with no documented basis under GDPR
- •Missing MFA enforcement
- •Not encrypting backups/logs
- •Inadequate vendor due diligence
References
Framework Details:
- •references/soc2-controls.md - SOC 2 TSC control catalog
- •references/hipaa-safeguards.md - HIPAA safeguards
- •references/pci-dss-requirements.md - PCI-DSS 4.0 requirements
- •references/gdpr-articles.md - GDPR key articles
Implementation Patterns:
- •references/control-mapping-matrix.md - Unified control mapping
- •references/encryption-implementations.md - Encryption patterns
- •references/access-control-patterns.md - MFA, RBAC implementations
- •references/audit-logging-patterns.md - Logging requirements
- •references/incident-response-templates.md - IR procedures
Automation:
- •references/cicd-integration.md - OPA/Checkov CI/CD integration
- •references/compliance-testing.md - Automated test patterns
- •references/vendor-management.md - Vendor assessment templates
- •references/tool-recommendations.md - Tool selection guide
Code Examples:
- •examples/opa-policies/ - OPA policy examples
- •examples/terraform/ - Terraform control implementations
- •examples/evidence-collection/ - Evidence automation
- •examples/mfa-implementation.py - TOTP MFA implementation
Consult qualified legal counsel and auditors for legal interpretation and audit preparation.