--- name: security-compliance description: Manage security compliance frameworks, continuous monitoring, evidence collection, and audit preparation for SOC 2, ISO 27001, HIPAA, GDPR, PCI-DSS. Use when mapping controls, running compliance scans, collecting audit evidence, preparing for audits, monitoring compliance posture, or enforcing security baselines. Triggers on phrases like "compliance scan", "SOC 2 audit", "ISO 27001", "compliance monitoring", "audit prep", "security baseline", "control mapping", "evidence collection". --- # Security Compliance & Audit Management Maintain continuous compliance with security frameworks and streamline audit preparation through automation. ## Workflow ### 1. Compliance Framework Mapping 1. **Framework selection and scoping**: - Identify applicable frameworks: SOC 2 Type I/II, ISO 27001, HIPAA, GDPR, PCI-DSS, CCPA - Define trust services criteria scope (Security, Availability, Confidentiality, Processing Integrity, Privacy) - Map each framework control to technical and procedural requirements - Assign control owners (engineering, security, HR, legal) 2. **Control implementation plan**: - Create control register documenting each control, owner, evidence type, and test frequency - Prioritize controls by risk severity and audit timeline - Define automated vs manual control testing approach - Establish control testing cadence: continuous (automated), quarterly, annually 3. **Policy documentation**: - Draft and maintain security policies: Access Control, Incident Response, Data Classification, Acceptable Use, Remote Work, Vendor Risk - Version control all policies; annual review cycle - Employee acknowledgment tracking for mandatory policies - Align policies with framework requirements (cross-reference control IDs) ### 2. Continuous Compliance Monitoring 1. **Automated control testing**: - Deploy compliance monitoring agents across infrastructure - Automated checks: encryption status, MFA enforcement, password complexity, patch compliance, backup verification - Configuration drift detection against security baselines - Real-time compliance score dashboards per framework 2. **Vulnerability and risk tracking**: - Continuous vulnerability scanning aligned with compliance requirements - Track remediation SLAs: Critical (7 days), High (14 days), Medium (30 days), Low (90 days) - Risk acceptance workflow: documented risk acceptance with expiry date - Risk register maintenance with quarterly review 3. **Access and identity compliance**: - Quarterly access certification campaigns - Automated user access reviews (UAR) with manager approval workflow - Service account and privileged access review - Termination access revocation tracking (within 1 hour) ### 3. Evidence Collection & Management 1. **Automated evidence gathering**: - Auto-collect evidence: screenshots, configuration exports, logs, scan results, policy documents - Timestamp and cryptographically sign all evidence - Organize evidence by control domain and framework - Version control evidence artifacts 2. **Evidence retention management**: - Define retention periods by evidence type and framework requirement - Automated archival of expired evidence - Ensure evidence availability for audit window (typically 12-month observation period) - Backup evidence repository with integrity verification 3. **Evidence gap identification**: - Weekly gap analysis: controls missing evidence or evidence outdated - Alert control owners of upcoming evidence deadlines - Track evidence completeness percentage - Pre-audit readiness score (target: >95% evidence coverage) ### 4. Audit Preparation & Execution 1. **Pre-audit readiness assessment**: - Internal audit 30 days before external audit - Gap analysis against framework requirements - Remediation sprint for open findings - Mock audit with simulated auditor questions - Evidence package organization and accessibility check 2. **Audit execution support**: - Assign audit liaison to field auditor questions within 24 hours - Provide evidence packages organized by control domain - Track auditor requests and response SLA - Daily audit standup to review progress and issues - Escalation process for challenging auditor findings 3. **Post-audit management**: - Review and validate all audit findings - Dispute inaccurate findings with supporting evidence - Develop remediation plans for valid findings (with deadlines) - Track remediation progress to closure - Update controls and processes based on lessons learned ### 5. Configuration Compliance & Hardening 1. **Security baseline enforcement**: - Define CIS benchmarks for OS, databases, cloud services - Automated configuration scanning (weekly minimum) - Auto-remediation for common drift (file permissions, service configurations) - Manual remediation workflow for complex drift 2. **Network security compliance**: - Firewall rule review and optimization (quarterly) - Network segmentation validation - Encryption in transit verification (TLS 1.2+ enforcement) - DMZ and perimeter security validation 3. **Cloud security posture management**: - CSPM scanning across all cloud accounts - CIS benchmark compliance for cloud services - Public access detection and remediation - Encryption at rest verification ## Templates & Frameworks ### Control Register Template ``` CONTROL REGISTER — SOC 2 2025 =============================== CC6.1 — Logical and Physical Access Controls Owner: Security Team Evidence Type: Automated scan results, access logs Test Frequency: Continuous Current Status: ✓ Compliant Last Tested: 2025-04-15 Evidence Location: /evidence/soc2/cc6.1/ CC7.2 — System Monitoring Owner: Infrastructure Team Evidence Type: Monitoring screenshots, alert logs Test Frequency: Quarterly Current Status: ✓ Compliant Last Tested: 2025-04-01 Evidence Location: /evidence/soc2/cc7.2/ CC8.1 — Change Management Owner: DevOps Team Evidence Type: Change tickets, approval records, rollback logs Test Frequency: Quarterly Current Status: ⚠ Partial — 2 changes lacked formal approval Last Tested: 2025-04-01 Evidence Location: /evidence/soc2/cc8.1/ ``` ### Audit Readiness Checklist ``` PRE-AUDIT READINESS — [Framework, Audit Date] ============================================== POLICIES AND PROCEDURES: [ ] All required policies documented and versioned [ ] Annual policy review completed [ ] Employee acknowledgment records current [ ] Policy cross-reference to control IDs complete TECHNICAL CONTROLS: [ ] Latest vulnerability scan completed (within 14 days) [ ] Critical/High vulnerabilities remediated or accepted with documentation [ ] Encryption verification scan passed [ ] MFA enforcement confirmed across all systems [ ] Patch compliance at 95%+ for critical patches ACCESS MANAGEMENT: [ ] Quarterly access certification completed [ ] No orphaned accounts [ ] Privileged access review current [ ] Termination process tested and documented INCIDENT MANAGEMENT: [ ] Incident response plan tested (within 12 months) [ ] All incidents from audit period documented and closed [ ] Post-incident reviews completed [ ] Security awareness training records current EVIDENCE PACKAGE: [ ] Evidence coverage > 95% [ ] All evidence timestamped and accessible [ ] Control owner contacts current [ ] Mock audit completed — findings remediated ``` ## Integration Points - Compliance automation platforms (Vanta, Drata, Secureframe): Continuous monitoring, evidence collection - Vulnerability scanners (Qualys, Tenable, Rapid7): Security scanning, compliance checks - SIEM/SOAR (Splunk, Sentinel, QRadar): Log collection, security monitoring - Cloud security (AWS Security Hub, Azure Security Center, GCP Security Command Center): Cloud compliance - ITSM platforms (ServiceNow, Jira): Change management, incident records - Identity platforms (Okta, Azure AD, CyberArk): Access reviews, privileged access - GRC platforms (ServiceNow GRC, RSA Archer): Risk management, policy management - HRIS (Workday, BambooHR): Employee onboarding/offboarding, training records ## Edge Cases - **Multi-framework audits**: Map shared controls across frameworks to minimize duplicate evidence collection; maintain unified control register - **Remote/distributed audits**: Ensure evidence accessible via secure portal; prepare for virtual auditor walkthroughs - **Material change during audit period**: Document and assess impact on compliance; may require scope adjustment or extension - **Failed audit findings**: Prioritize remediation by severity; implement compensating controls where technical fix requires extended timeline - **Regulatory changes**: Monitor framework updates (e.g., SOC 2 2026 revisions); impact assessment within 30 days of update announcement ## Output ### Compliance Dashboard ``` COMPLIANCE STATUS — April 2025 =============================== FRAMEWORK SCORES: SOC 2 Type II: 94% compliant (47/50 controls ✓) ISO 27001: 91% compliant (82/90 controls ✓) HIPAA: 96% compliant (24/25 controls ✓) GDPR: 89% compliant (17/19 controls ✓) EVIDENCE STATUS: Total controls requiring evidence: 127 Evidence collected: 122 (96%) Evidence overdue: 3 Next evidence due: May 1 (CC7.2 — System Monitoring) OPEN FINDINGS: 🔴 1 Critical: Unpatched server in production (SLA: 7 days — overdue 2 days) ⚠ 3 High: Access certifications pending for Engineering team ✓ 7 Medium: All within remediation SLA AUDIT CALENDAR: SOC 2 Type II Audit: June 1-15, 2025 (ready: 92%) ISO 27001 Surveillance: August 2025 (ready: 88%) HIPAA Annual Review: October 2025 ``` ## Trigger Phrases "compliance scan", "SOC 2", "ISO 27001", "HIPAA compliance", "GDPR audit", "PCI-DSS", "audit preparation", "control mapping", "evidence collection", "compliance monitoring", "security baseline", "CIS benchmark", "configuration drift", "audit finding", "remediation plan", "access certification", "compliance dashboard", "framework mapping", "risk register"