技能详情(站内镜像,无评论)
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.0.0
统计:⭐ 0 · 491 · 0 current installs · 0 all-time installs
⭐ 0
安装量(当前) 0
🛡 VirusTotal :良性 · OpenClaw :良性
Package:1kalin/afrexai-compliance-engine
安全扫描(ClawHub)
- VirusTotal :良性
- OpenClaw :良性
OpenClaw 评估
The skill is an instruction-only compliance advisor whose requested resources and instructions align with its stated purpose and do not ask for unrelated credentials or install code.
目的
Name and description match the content: detailed frameworks, checklists, templates, and project plans for SOC 2, ISO 27001, GDPR, HIPAA, and PCI DSS. The skill does not request unrelated binaries, environment variables, or cloud credentials.
说明范围
SKILL.md is a large, prescriptive set of checklists, YAML templates, and procedural guidance. It expects the agent to collect organizational details (e.g., data types handled, vendor lists, PHI presence), which is appropriate for compliance work but means users should avoid pasting real sensitive data (PHI, full payment card numbers, credentials) into prompts unless they intend to share it. There are no instructions that read system files, acc…
安装机制
Instruction-only skill with no install spec and no code files. Nothing is written to disk and no external packages are pulled during install.
证书
The skill declares no required environment variables, credentials, or config paths. This is proportionate to a documentation/template-driven compliance advisor.
持久
always is false and there is no request for persistent system-level privileges or changes to other skills. The skill runs as an on-demand instruction set and does not request permanent presence.
综合结论
This skill appears to be what it claims: a set of checklists, templates, and guidance for building compliance programs. Before using it, do not paste real sensitive data (PHI, full card numbers, unredacted personal data, production credentials) into prompts — use redacted or synthetic examples. Treat any policies or templates generated as drafts: have legal, security, or certified auditors review them before relying on them for an actual audit…
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「Compliance & Audit Readiness Engine」。简介:Guides startups and scale-ups through SOC 2, ISO 27001, GDPR, HIPAA, and PCI DS…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/1kalin/afrexai-compliance-engine/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
# Compliance & Audit Readiness Engine
Your AI compliance officer. Guides startups and scale-ups through SOC 2, ISO 27001, GDPR, HIPAA, and PCI DSS — from zero to audit-ready. No consultants needed.
---
## Phase 1 — Compliance Discovery
### Framework Selection Matrix
| Framework | Who Needs It | Trigger | Timeline | Cost Range |
|-----------|-------------|---------|----------|------------|
| **SOC 2 Type I** | Any B2B SaaS | Enterprise prospect asks | 3-6 months | $20K-$80K |
| **SOC 2 Type II** | Established SaaS | After Type I, or direct | 6-12 months | $30K-$100K |
| **ISO 27001** | Global/EU-facing SaaS | EU enterprise deals | 6-12 months | $40K-$120K |
| **GDPR** | Anyone with EU users | Day 1 if EU data | 1-3 months | $5K-$30K |
| **HIPAA** | Health data handlers | Before first PHI | 3-6 months | $20K-$60K |
| **PCI DSS** | Payment processors | Before card data | 3-9 months | $15K-$50K |
| **SOX** | Public companies | IPO prep | 12-18 months | $100K-$500K |
### Readiness Assessment Brief
```yaml
company_profile:
name: ""
industry: ""
employee_count: 0
annual_revenue: ""
data_types_handled:
- PII (names, emails, addresses)
- Financial (payment cards, bank accounts)
- Health (PHI, medical records)
- Children (COPPA scope)
- Biometric
- Government/classified
customer_segments:
- SMB
- Mid-market
- Enterprise
- Government
geographic_scope:
- US only
- US + EU
- Global
current_state:
existing_frameworks: []
security_team_size: 0
has_written_policies: false
has_asset_inventory: false
has_risk_assessment: false
has_incident_response: false
has_vendor_management: false
previous_audits: []
known_gaps: []
drivers:
- Customer requirement
- Board/investor mandate
- Regulatory obligation
- Competitive advantage
- Insurance requirement
target_frameworks: []
target_date: ""
budget_range: ""
```
### Priority Decision Rules
1. **Customer asking for SOC 2?** → Start there (most requested in B2B SaaS)
2. **EU customers?** → GDPR is non-negotiable, do it alongside SOC 2
3. **Health data?** → HIPAA first, then layer SOC 2
4. **Payment data?** → PCI DSS is legally required, do immediately
5. **Multiple frameworks?** → Map common controls (40-60% overlap between SOC 2 and ISO 27001)
---
## Phase 2 — SOC 2 Deep Dive
### Trust Service Criteria (TSC)
SOC 2 is built on 5 categories. **Security** is mandatory. Others are optional but often expected.
#### CC1 — Control Environment (Foundation)
- [ ] Board/management oversight of security
- [ ] Organizational structure with clear security roles
- [ ] Code of conduct / acceptable use policy
- [ ] HR processes (background checks, onboarding, offboarding)
- [ ] Performance evaluations include security responsibilities
#### CC2 — Communication & Information
- [ ] Security policies documented and accessible to all employees
- [ ] External communication channels for security (status page, security@)
- [ ] Whistleblower / anonymous reporting mechanism
- [ ] Security awareness training program (annual + onboarding)
- [ ] System description document maintained
#### CC3 — Risk Assessment
- [ ] Annual risk assessment process documented
- [ ] Risk register maintained with likelihood × impact scoring
- [ ] Risk treatment plans for high/critical risks
- [ ] Risk appetite statement approved by management
- [ ] Changes in business/technology trigger risk re-assessment
#### CC4 — Monitoring Activities
- [ ] Continuous monitoring of controls (not just annual)
- [ ] Internal audit or self-assessment program
- [ ] Deficiency tracking and remediation
- [ ] Management review of monitoring results
- [ ] Penetration testing (annual minimum)
#### CC5 — Control Activities
- [ ] Logical access controls (RBAC, least privilege)
- [ ] Physical access controls (offices, data centers)
- [ ] Change management process
- [ ] System development lifecycle (SDLC)
- [ ] Data backup and recovery procedures
#### CC6 — Logical & Physical Access
- [ ] User provisioning and deprovisioning process
- [ ] MFA enforced on all critical systems
- [ ] Password policy (12+ chars, complexity, rotation)
- [ ] Access reviews (quarterly minimum)
- [ ] Physical access logs for sensitive areas
- [ ] Encryption at rest (AES-256) and in transit (TLS 1.2+)
- [ ] Firewall rules reviewed quarterly
- [ ] VPN or zero-trust network access
#### CC7 — System Operations
- [ ] Monitoring and alerting (uptime, errors, security events)
- [ ] Incident detection and response procedures
- [ ] Vulnerability management (scan weekly, patch critical <72h)
- [ ] Anti-malware / endpoint protection
- [ ] Capacity planning and performance monitoring
#### CC8 — Change Management
- [ ] Formal change request and approval process
- [ ] Separation of duties (dev ≠ prod deploy)
- [ ] Testing before production deployment
- [ ] Rollback procedures documented
- [ ] Emergency change process with post-hoc approval
#### CC9 — Risk Mitigation (Vendors)
- [ ] Vendor risk assessment before onboarding
- [ ] Vendor inventory with criticality ratings
- [ ] Annual vendor reviews
- [ ] BAAs / DPAs with sub-processors
- [ ] Vendor offboarding process
### Additional Criteria
**Availability (A1):**
- [ ] SLAs defined and monitored
- [ ] Disaster recovery plan tested annually
- [ ] Business continuity plan documented
- [ ] RTO/RPO defined for critical systems
- [ ] Redundancy for critical infrastructure
**Confidentiality (C1):**
- [ ] Data classification scheme (Public, Internal, Confidential, Restricted)
- [ ] Handling procedures per classification level
- [ ] Confidentiality agreements (NDA) with employees and vendors
- [ ] Data retention and disposal policies
- [ ] DLP controls for sensitive data
**Processing Integrity (PI1):**
- [ ] Input validation controls
- [ ] Processing completeness and accuracy checks
- [ ] Output reconciliation procedures
- [ ] Error handling and correction processes
**Privacy (P1):**
- [ ] Privacy notice published
- [ ] Consent mechanisms for data collection
- [ ] Data subject rights procedures (access, deletion, portability)
- [ ] Privacy impact assessments for new features
- [ ] Data breach notification procedures
### SOC 2 Project Plan (16-Week Sprint)
| Week | Phase | Key Activities |
|------|-------|---------------|
| 1-2 | **Scoping** | Define system boundaries, select TSC, choose auditor |
| 3-4 | **Gap Assessment** | Audit current state against TSC, document gaps |
| 5-6 | **Policy Writing** | Draft all required policies (see policy list below) |
| 7-8 | **Control Implementation** | Deploy technical controls, configure tools |
| 9-10 | **Process Implementation** | Establish operational processes, train team |
| 11-12 | **Evidence Collection** | Gather evidence for all controls, test internally |
| 13-14 | **Readiness Assessment** | Mock audit, remediate findings |
| 15-16 | **Type I Audit** | Auditor fieldwork, management response, report |
### Required Policy Documents
1. **Information Security Policy** — Master policy, scope, objectives
2. **Access Control Policy** — Authentication, authorization, reviews
3. **Change Management Policy** — SDLC, deployment, emergency changes
4. **Incident Response Policy** — Detection, response, notification
5. **Risk Management Policy** — Assessment methodology, treatment, appetite
6. **Data Classification Policy** — Levels, handling, retention, disposal
7. **Acceptable Use Policy** — Employee responsibilities, prohibited actions
8. **Vendor Management Policy** — Assessment, monitoring, offboarding
9. **Business Continuity / DR Policy** — Plans, testing, RTO/RPO
10. **HR Security Policy** — Background checks, onboarding, offboarding, training
11. **Encryption Policy** — Standards, key management, certificate handling
12. **Physical Security Policy** — Office access, visitor management, clean desk
13. **Logging & Monitoring Policy** — What to log, retention, alerting
14. **Password & Authentication Policy** — Standards, MFA requirements
15. **Backup & Recovery Policy** — Schedule, testing, retention
### Policy Template
```markdown
# [Policy Name]
**Version:** 1.0
**Owner:** [Name, Title]
**Approved by:** [Name, Title]
**Effective date:** [Date]
**Next review:** [Date + 1 year]
**Classification:** Internal
## 1. Purpose
[Why this policy exists — 2-3 sentences]
## 2. Scope
[Who and what this policy applies to]
## 3. Policy Statements
[Numbered, actionable requirements — not aspirational]
### 3.1 [Topic]
- SHALL [requirement]
- SHALL NOT [prohibition]
- SHOULD [recommendation]
## 4. Roles & Responsibilities
| Role | Responsibility |
|------|---------------|
| [Role] | [What they must do] |
## 5. Exceptions
[Process for requesting exceptions — who approves, how long, documentation]
## 6. Enforcement
[Consequences of non-compliance]
## 7. Definitions
[Technical terms used in the policy]
## 8. Related Documents
[Links to related policies, standards, procedures]
## 9. Revision History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | [Date] | [Author] | Initial release |
```
---
## Phase 3 — ISO 27001 Framework
### ISMS Implementation Roadmap
#### Clause 4 — Context of the Organization
- [ ] Define ISMS scope and boundaries
- [ ] Identify interested parties and their requirements
- [ ] Determine internal and external issues
- [ ] Document scope statement
#### Clause 5 — Leadership
- [ ] Management commitment statement
- [ ] Information security policy (signed by CEO/CTO)
- [ ] Assign ISMS roles and responsibilities
- [ ] Allocate resources (budget, people, tools)
#### Clause 6 — Planning
- [ ] Risk assessment methodology (ISO 27005 or custom)
- [ ] Risk assessment execution
- [ ] Risk treatment plan
- [ ] Statement of Applicability (SoA) — map all 93 Annex A controls
- [ ] Information security objectives (measurable, time-bound)
#### Clause 7 — Support
- [ ] Determine required competencies
- [ ] Security awareness program
- [ ] Internal and external communication plan
- [ ] Document control process
#### Clause 8 — Operation
- [ ] Execute risk treatment plan
- [ ] Implement controls from SoA
- [ ] Manage operational changes
- [ ] Conduct risk assessments on changes
#### Clause 9 — Performance Evaluation
- [ ] Monitoring and measurement program
- [ ] Internal audit schedule and execution
- [ ] Management review (at least annually)
- [ ] Corrective action tracking
#### Clause 10 — Improvement
- [ ] Nonconformity and corrective action process
- [ ] Continual improvement program
- [ ] Lessons learned integration
### ISO 27001:2022 Annex A Control Categories
| Category | Controls | Key Areas |
|----------|----------|-----------|
| A.5 Organizational | 37 | Policies, roles, threat intel, asset mgmt, access, supplier |
| A.6 People | 8 | Screening, T&C, awareness, disciplinary, termination |
| A.7 Physical | 14 | Perimeters, entry, offices, monitoring, utilities, cabling |
| A.8 Technological | 34 | Endpoints, access rights, auth, malware, vuln mgmt, logging, crypto, SDLC |
### SOC 2 ↔ ISO 27001 Control Mapping (Save 40-60% effort)
| SOC 2 TSC | ISO 27001 Annex A | Overlap |
|-----------|------------------|---------|
| CC1 Control Environment | A.5.1-5.6 (Org controls) | ~80% |
| CC2 Communication | A.5.1, A.6.3 (Awareness) | ~70% |
| CC3 Risk Assessment | Clause 6.1, A.5.7 (Threat intel) | ~90% |
| CC5 Control Activities | A.8 (Technological) | ~75% |
| CC6 Access | A.5.15-5.18, A.8.1-8.5 | ~85% |
| CC7 Operations | A.8.7-8.16 (Monitoring) | ~80% |
| CC8 Change Mgmt | A.8.25-8.33 (SDLC) | ~70% |
| CC9 Vendors | A.5.19-5.23 (Supplier) | ~85% |
**Strategy:** Build for one framework, extend to the other. SOC 2 first (faster) → ISO 27001 (adds clauses 4-10 management system).
---
## Phase 4 — GDPR Compliance Program
### 12 Core Requirements
1. **Lawful Basis for Processing** — Document legal basis for each data processing activity
- Consent | Contract | Legal obligation | Vital interest | Public task | Legitimate interest
- [ ] Data processing register (Article 30)
- [ ] Legitimate Interest Assessments (LIAs) where applicable
2. **Data Subject Rights** — Respond within 30 days
- [ ] Right of access (SAR) process
- [ ] Right to rectification
- [ ] Right to erasure ("right to be forgotten")
- [ ] Right to data portability (machine-readable export)
- [ ] Right to restrict processing
- [ ] Right to object
- [ ] Automated decision-making opt-out
3. **Privacy by Design & Default** — Build privacy into products
- [ ] Privacy Impact Assessment (PIA/DPIA) template
- [ ] Data minimization review for each feature
- [ ] Default privacy settings (opt-in, not opt-out)
4. **Data Protection Officer (DPO)** — Required if:
- Public authority, OR
- Large-scale systematic monitoring, OR
- Large-scale processing of special category data
5. **Consent Management**
- [ ] Granular consent mechanisms (not bundled)
- [ ] Easy withdrawal (as easy as giving consent)
- [ ] Consent records with timestamp, version, scope
- [ ] Cookie consent banner (ePrivacy)
6. **Data Processing Agreements (DPAs)**
- [ ] DPA template for sub-processors
- [ ] Article 28 requirements checklist
- [ ] Sub-processor notification process
- [ ] Sub-processor register
7. **International Transfers**
- [ ] Transfer mechanism (SCCs, adequacy decision, BCRs)
- [ ] Transfer Impact Assessment
- [ ] Supplementary measures where needed
8. **Breach Notification**
- [ ] 72-hour notification to supervisory authority
- [ ] "Undue delay" notification to affected individuals
- [ ] Breach register with risk assessment
- [ ] Breach response team and escalation path
9. **Records of Processing Activities (ROPA)**
```yaml
processing_activity:
name: ""
purpose: ""
lawful_basis: ""
data_categories: []
data_subjects: []
recipients: []
retention_period: ""
transfers_outside_eea: false
transfer_mechanism: ""
technical_measures: []
organizational_measures: []
dpia_required: false
last_reviewed: ""
```
10. **Privacy Notice** — Must include:
- Identity of controller
- DPO contact (if applicable)
- Purposes and lawful basis
- Categories of data
- Recipients / transfers
- Retention periods
- Data subject rights
- Right to complain to supervisory authority
- Whether providing data is statutory/contractual requirement
11. **Data Retention Schedule**
| Data Type | Retention Period | Legal Basis | Disposal Method |
|-----------|-----------------|-------------|-----------------|
| Customer PII | Duration + 3 years | Contract + legitimate interest | Automated deletion |
| Employee records | Duration + 7 years | Legal obligation | Secure shred |
| Financial records | 7 years | Legal obligation | Secure shred |
| Server logs | 90 days | Legitimate interest | Automated rotation |
| Marketing consent | Until withdrawn | Consent | Database purge |
| Support tickets | 2 years after resolution | Legitimate interest | Automated deletion |
12. **Training & Awareness**
- [ ] Mandatory GDPR training for all employees (annual)
- [ ] Role-specific training (developers, support, marketing, HR)
- [ ] Training records with completion tracking
---
## Phase 5 — HIPAA Compliance (Health Data)
### HIPAA Security Rule — 3 Safeguard Categories
#### Administrative Safeguards
- [ ] Security Management Process (risk analysis, risk management)
- [ ] Assigned Security Responsibility (HIPAA Security Officer)
- [ ] Workforce Security (authorization, clearance, termination)
- [ ] Information Access Management (access authorization, establishment, modification)
- [ ] Security Awareness Training (reminders, malware, login monitoring, password mgmt)
- [ ] Security Incident Procedures (response, reporting)
- [ ] Contingency Plan (backup, DR, emergency mode, testing)
- [ ] Evaluation (periodic technical/non-technical)
- [ ] BAAs with all business associates
#### Physical Safeguards
- [ ] Facility Access Controls (contingency ops, facility security plan, access control, maintenance records)
- [ ] Workstation Use (policies, restrictions)
- [ ] Workstation Security (physical safeguards)
- [ ] Device and Media Controls (disposal, re-use, accountability, data backup)
#### Technical Safeguards
- [ ] Access Control (unique user ID, emergency access, automatic logoff, encryption)
- [ ] Audit Controls (hardware, software, procedural mechanisms)
- [ ] Integrity Controls (authentication of ePHI, transmission security)
- [ ] Person or Entity Authentication (verify identity)
- [ ] Transmission Security (integrity controls, encryption)
### HIPAA Breach Rule
- **≤500 individuals:** Annual batch notification to HHS (within 60 days of year end)
- **>500 individuals:** Notify HHS within 60 days + media notification
- **All breaches:** Notify affected individuals without unreasonable delay (≤60 days)
- **Penalties:** $100-$50,000 per violation, up to $1.5M per year per category
---
## Phase 6 — PCI DSS 4.0 (Payment Data)
### 12 Requirements Summary
| # | Requirement | Key Controls |
|---|------------|-------------|
| 1 | Install/maintain network security controls | Firewalls, network segmentation |
| 2 | Apply secure configurations | No vendor defaults, CIS benchmarks |
| 3 | Protect stored account data | Encryption, masking, key mgmt |
| 4 | Encrypt transmission over open networks | TLS 1.2+, no SSL/early TLS |
| 5 | Protect from malicious software | Anti-malware, regular updates |
| 6 | Develop secure systems | SDLC, vuln mgmt, WAF |
| 7 | Restrict access by business need | RBAC, least privilege |
| 8 | Identify users and authenticate | MFA, password standards |
| 9 | Restrict physical access | Badges, cameras, visitor logs |
| 10 | Log and monitor all access | Centralized logging, review |
| 11 | Test security regularly | Vuln scans, pen tests, IDS |
| 12 | Support security with policies | Policies, training, incident response |
### Scope Reduction Strategy
- **Use tokenization** — Replace card data with tokens (Stripe, Braintree handle PCI for you)
- **Use hosted payment pages** — Never touch raw card data (SAQ A instead of SAQ D)
- **Network segmentation** — Isolate cardholder data environment
- **Cloud provider compliance** — Leverage AWS/GCP/Azure PCI certifications
**SAQ Decision:**
- Fully outsourced (Stripe Checkout) → **SAQ A** (22 controls, simplest)
- API-based (Stripe Elements) → **SAQ A-EP** (~140 controls)
- You store/process card data → **SAQ D** (300+ controls, avoid this)
---
## Phase 7 — Compliance Tooling Stack
### Essential Tools by Category
| Category | Budget Option | Mid-Range | Enterprise |
|----------|-------------|-----------|-----------|
| GRC Platform | Notion/Sheets | Vanta, Drata | ServiceNow, OneTrust |
| Policy Mgmt | Google Docs + versioning | Vanta policies | Hyperproof |
| Vulnerability Scanning | OWASP ZAP, Trivy | Qualys, Tenable | Rapid7 |
| SIEM/Logging | ELK Stack, Wazuh | Datadog, Sumo Logic | Splunk |
| Endpoint Protection | CrowdStrike Falcon Go | SentinelOne | CrowdStrike Enterprise |
| Identity/Access | Google Workspace + Okta | JumpCloud | Azure AD P2 |
| Training | KnowBe4 Free | KnowBe4 | Proofpoint |
| Pen Testing | HackerOne Community | Cobalt | Bishop Fox |
| Backup | Native cloud backups | Veeam | Commvault |
### Automation-First Compliance
**What to automate (saves 70%+ of audit prep):**
- Evidence collection (screenshots of configs → API pulls)
- Access reviews (quarterly manual → continuous monitoring)
- Vulnerability scanning (manual → scheduled + auto-ticket)
- Policy acknowledgment (email → onboarding workflow)
- Vendor assessments (spreadsheets → intake forms with scoring)
- Training tracking (manual → LMS with auto-reminders)
### Compliance-as-Code Patterns
```
# Infrastructure compliance
- Terraform with Sentinel policies (enforce encryption, tagging)
- OPA/Rego for Kubernetes admission control
- AWS Config Rules / Azure Policy for cloud compliance
- GitHub branch protection rules as change management evidence
# Application compliance
- Automated dependency scanning in CI (Snyk, Dependabot)
- SAST in PR pipeline (Semgrep, CodeQL)
- Container scanning (Trivy, Grype)
- License compliance (FOSSA, Licensee)
```
---
## Phase 8 — Audit Preparation
### 90-Day Audit Prep Checklist
**Days 90-60: Foundation**
- [ ] Confirm audit scope with auditor
- [ ] Complete system description document
- [ ] Verify all policies are current (reviewed within 12 months)
- [ ] Confirm all employees completed security training
- [ ] Run vulnerability scan and remediate critical/high findings
- [ ] Schedule penetration test (results needed before audit)
**Days 60-30: Evidence Gathering**
- [ ] Collect evidence for each control (organized by TSC/clause)
- [ ] Access review documentation (screenshots of reviews, action items)
- [ ] Change management evidence (sample of tickets showing approval flow)
- [ ] Incident response test evidence (tabletop exercise minutes)
- [ ] DR test evidence (recovery test results, RTO achieved)
- [ ] Vendor review evidence (assessment records, DPAs)
- [ ] Risk assessment and treatment plan (current year)
- [ ] Board/management meeting minutes discussing security
**Days 30-0: Final Prep**
- [ ] Internal mock audit — walk through every control
- [ ] Remediate any mock audit findings
- [ ] Brief team on auditor interviews (what to expect, who answers what)
- [ ] Prepare management assertion letter
- [ ] Set up auditor access (read-only to evidence repository)
- [ ] Confirm all monitoring/alerting is functioning
- [ ] Verify offboarding was completed for all departed employees
### Evidence Organization
```
/compliance-evidence/
/SOC2-2026/
/CC1-control-environment/
org-chart.pdf
code-of-conduct-signed.pdf
background-check-process.pdf
/CC2-communication/
security-training-completion.csv
security-policy-acknowledgments.pdf
/CC3-risk-assessment/
risk-assessment-2026.xlsx
risk-treatment-plan.pdf
/CC6-access/
access-review-Q1.pdf
access-review-Q2.pdf
mfa-enforcement-screenshot.png
offboarding-checklist-samples/
/CC7-operations/
vulnerability-scan-reports/
pentest-report-2026.pdf
incident-log-2026.csv
/CC8-change-management/
sample-change-tickets/
deployment-pipeline-config.png
/CC9-vendors/
vendor-inventory.xlsx
vendor-assessments/
dpas-and-baas/
```
### Auditor Interview Prep
**Common questions and who should answer:**
| Question | Best Respondent | Key Points |
|----------|----------------|-----------|
| "Walk me through your risk assessment process" | CISO/Security Lead | Methodology, frequency, treatment |
| "How do you manage access to production?" | Engineering Lead | RBAC, approval flow, reviews |
| "Describe your change management process" | Engineering Lead | PR review, testing, deployment |
| "How do you handle security incidents?" | Security Lead | Detection, response, communication |
| "How do you evaluate vendors?" | Security/Procurement | Assessment, monitoring, contracts |
| "Describe your backup and recovery process" | Infrastructure Lead | Schedule, testing, RTO/RPO |
| "How do you track and remediate vulnerabilities?" | Security Lead | Scanning, SLAs, patching |
| "Walk me through employee onboarding/offboarding" | HR + IT | Checklist, timing, verification |
---
## Phase 9 — Continuous Compliance
### Monthly Compliance Dashboard
```yaml
compliance_dashboard:
month: ""
control_health:
total_controls: 0
controls_passing: 0
controls_failing: 0
controls_not_tested: 0
health_percentage: 0
action_items:
open: 0
overdue: 0
closed_this_month: 0
key_metrics:
mean_time_to_patch_critical: ""
access_reviews_completed: "X/X"
security_training_completion: ""
incidents_this_month: 0
vendor_reviews_due: 0
policies_due_for_review: 0
risk_register:
high_risks: 0
risks_without_treatment: 0
new_risks_identified: 0
upcoming:
next_pen_test: ""
next_dr_test: ""
next_audit: ""
next_access_review: ""
```
### Compliance Calendar
| Frequency | Activity |
|-----------|----------|
| **Weekly** | Review security alerts, patch critical vulln |
| **Monthly** | Control testing sample, metrics dashboard, policy exception review |
| **Quarterly** | Access reviews, vendor risk check, risk register update, tabletop exercise |
| **Semi-annual** | Vulnerability scan (external), BCP/DR test, security training refresh |
| **Annual** | Full risk assessment, penetration test, policy review cycle, SOC 2/ISO audit, security awareness training, management review |
### Compliance Debt Tracker
```yaml
compliance_debt:
- id: "CD-001"
framework: "SOC 2"
control: "CC6.1"
finding: "MFA not enforced on staging environment"
severity: "High"
identified: "2026-01-15"
owner: ""
target_remediation: "2026-02-15"
status: "In Progress"
compensating_control: "VPN + IP allowlisting"
```
### When Controls Fail
**Severity-based response:**
| Severity | Response Time | Actions |
|----------|-------------|---------|
| **Critical** | 24 hours | Immediate remediation, notify management, consider if breach occurred |
| **High** | 7 days | Remediation plan, compensating control if needed, risk acceptance by CISO |
| **Medium** | 30 days | Add to sprint, track in compliance debt |
| **Low** | 90 days | Batch with next review cycle |
---
## Phase 10 — Multi-Framework Management
### Common Control Framework (CCF)
Build controls ONCE, map to MULTIPLE frameworks:
```yaml
control:
id: "CCF-AC-001"
title: "Multi-Factor Authentication"
description: "MFA required for all access to production systems and sensitive data"
owner: "Security Team"
framework_mapping:
soc2: ["CC6.1", "CC6.6"]
iso27001: ["A.8.5"]
gdpr: ["Article 32"]
hipaa: ["§164.312(d)"]
pci_dss: ["Req 8.4"]
evidence:
- type: "Configuration screenshot"
source: "Okta MFA policy"
frequency: "Quarterly"
- type: "Access review"
source: "Okta user report"
frequency: "Quarterly"
test_procedure: "Verify MFA policy is enforced, test with non-MFA login attempt"
last_tested: ""
result: ""
next_test: ""
```
### Framework Expansion Strategy
**Year 1:** SOC 2 Type I → establishes baseline
**Year 1-2:** SOC 2 Type II → proves sustained operation
**Year 2:** + GDPR → covers EU expansion
**Year 2-3:** + ISO 27001 → international credibility
**As needed:** + HIPAA / PCI DSS → industry-specific
### Audit Fatigue Prevention
- **Single evidence repository** — collect once, map to all frameworks
- **Continuous monitoring** — evidence auto-collected, not scrambled at audit time
- **Control owner accountability** — each control has ONE owner, not "security team"
- **Compliance sprints** — 2-week sprints dedicated to compliance work, not crammed before audit
- **Auditor relationship** — same firm for multiple frameworks if possible (they know your environment)
---
## Phase 11 — Scoring & Quality
### Compliance Readiness Score (0-100)
| Dimension | Weight | Score 0-10 |
|-----------|--------|-----------|
| **Policy Coverage** — All required policies exist, reviewed, approved | 15% | |
| **Technical Controls** — Security tools deployed and configured | 20% | |
| **Process Maturity** — Operational processes followed consistently | 20% | |
| **Evidence Quality** — Complete, organized, recent evidence | 15% | |
| **Training & Awareness** — All employees trained, records maintained | 10% | |
| **Vendor Management** — All critical vendors assessed and contracted | 10% | |
| **Risk Management** — Current assessment, treatment plans, monitoring | 10% | |
**Scoring guide:**
- 0-2: Not started / major gaps
- 3-4: In progress / significant gaps
- 5-6: Partially implemented / some gaps
- 7-8: Implemented / minor improvements needed
- 9-10: Mature / audit-ready
**Interpretation:**
- **< 40:** Not ready — significant work needed (3-6 months)
- **40-60:** Getting there — focus on gaps (1-3 months)
- **60-80:** Nearly ready — polish and evidence gathering (2-6 weeks)
- **80+:** Audit-ready — schedule the audit
---
## Edge Cases & Special Situations
### Startup with Zero Compliance
- Start with **security basics** (MFA, encryption, access control, backups) before any framework
- Use a GRC platform from Day 1 (Vanta/Drata cost $10-15K/yr but save 100+ hours)
- Don't wait for perfect — "documented and improving" beats "undocumented and perfect"
- Budget $20-40K for first SOC 2 Type I (auditor + tools + time)
### Multi-Cloud / Hybrid Infrastructure
- Map shared responsibility model for each provider
- Ensure consistent controls across environments
- Consider cloud-specific compliance tools (AWS Audit Manager, Azure Compliance Manager)
- Network segmentation especially important
### Acquired Company Integration
- Conduct compliance gap assessment within 30 days of close
- Identify highest-risk gaps (access control, data handling)
- 90-day integration plan to bring to baseline
- Don't assume their compliance posture matches claims
### International (Multi-Jurisdiction)
- Map all jurisdictions where you operate or store data
- GDPR applies if you have EU *users* — not just EU office
- Data residency requirements (Russia, China, India, Brazil)
- Consider local DPA registrations
### Regulated Industries (FinTech, HealthTech)
- Layer industry regulations ON TOP of SOC 2/ISO
- FinTech: SOC 2 + PCI DSS + potentially banking regs (state MTLs, FinCEN)
- HealthTech: SOC 2 + HIPAA + potentially FDA (SaMD)
- EdTech: SOC 2 + FERPA + COPPA (if under 13)
---
## Natural Language Commands
| Command | What It Does |
|---------|-------------|
| "Assess our compliance readiness" | Run readiness assessment, score, identify gaps |
| "Create SOC 2 project plan" | Generate 16-week implementation timeline |
| "Write [policy name] policy" | Generate policy from template with your context |
| "Map controls across frameworks" | Build common control framework mapping |
| "Prepare for audit" | Generate 90-day audit prep checklist with evidence needs |
| "Review our GDPR compliance" | Check all 12 GDPR requirements against current state |
| "Score our compliance posture" | Run 7-dimension scoring rubric |
| "Generate evidence checklist" | List all evidence needed for specific framework |
| "Build vendor assessment" | Create vendor risk assessment for a specific vendor |
| "Plan framework expansion" | Recommend next framework based on business needs |
| "Track compliance debt" | Review and prioritize open compliance items |
| "Run monthly compliance review" | Update dashboard, check deadlines, identify actions |