implementing-compliance

Skill from ancoleman/ai-design-components
Installation

```bash
git clone https://github.com/ancoleman/ai-design-components.git
./install.sh                   # Interactive mode
./install.sh plugins list      # See all available plugins
./install.sh plugins install   # Install all plugins
```

Extracted from docs: ancoleman/ai-design-components

Last updated: Dec 11, 2025

Skill Details

SKILL.md

Implement and maintain compliance with SOC 2, HIPAA, PCI-DSS, and GDPR using unified control mapping, policy-as-code enforcement, and automated evidence collection. Use when building systems requiring regulatory compliance, implementing security controls across multiple frameworks, or automating audit preparation.

Overview

# Compliance Frameworks

Implement continuous compliance with major regulatory frameworks through unified control mapping, policy-as-code enforcement, and automated evidence collection.

Purpose

Modern compliance is a continuous engineering discipline requiring technical implementation of security controls. This skill provides patterns for SOC 2 Type II, HIPAA, PCI-DSS 4.0, and GDPR compliance using infrastructure-as-code, policy automation, and evidence collection. Focus on unified controls that satisfy multiple frameworks simultaneously to reduce implementation effort by 60-80%.

When to Use

Invoke when:

  • Building SaaS products requiring SOC 2 Type II for enterprise sales
  • Handling healthcare data (PHI) requiring HIPAA compliance
  • Processing payment cards requiring PCI-DSS validation
  • Serving EU residents and processing personal data under GDPR
  • Implementing security controls that satisfy multiple compliance frameworks
  • Automating compliance evidence collection and audit preparation
  • Enforcing compliance policies in CI/CD pipelines

Framework Selection

Tier 1: Trust & Security Certifications

SOC 2 Type II

  • Audience: SaaS vendors, cloud service providers
  • When required: Enterprise B2B sales, handling customer data
  • Timeline: 6-12 month observation period
  • 2025 updates: Monthly control testing, AI governance, 72-hour breach disclosure

ISO 27001

  • Audience: Global enterprises
  • When required: International business, government contracts
  • Timeline: 3-6 month certification, annual surveillance

Tier 2: Industry-Specific Regulations

HIPAA (Healthcare)

  • Audience: Healthcare providers, health tech handling PHI
  • When required: Processing Protected Health Information
  • 2025 focus: Zero Trust Architecture, EDR/XDR, AI assessments

PCI-DSS 4.0 (Payment Card Industry)

  • Audience: Merchants, payment processors
  • When required: Processing, storing, transmitting cardholder data
  • Effective: April 1, 2025 (mandatory)
  • Key changes: Client-side security, 12-char passwords, enhanced MFA

Tier 3: Privacy Regulations

GDPR (EU Privacy)

  • Audience: Organizations processing EU residents' data
  • When required: EU customers/users (extraterritorial)
  • 2025 updates: 48-hour breach reporting, 6% revenue fines, AI transparency

CCPA/CPRA (California Privacy)

  • Audience: Businesses serving California residents
  • When required: Revenue >$25M, or 100K+ CA residents, or 50%+ revenue from data sales

For detailed framework requirements, see references/soc2-controls.md, references/hipaa-safeguards.md, references/pci-dss-requirements.md, and references/gdpr-articles.md.

Universal Control Implementation

Unified Control Strategy

Implement controls once, map to multiple frameworks. Reduces effort by 60-80%.

Implementation Priority:

  1. Encryption (ENC-001, ENC-002): AES-256 at rest, TLS 1.3 in transit
  2. Access Control (MFA-001, RBAC-001): MFA, RBAC, least privilege
  3. Audit Logging (LOG-001): Centralized, immutable, 7-year retention
  4. Monitoring (MON-001): SIEM, intrusion detection, alerting
  5. Incident Response (IR-001): Detection, escalation, breach notification

Control Categories

Identity & Access:

  • Multi-factor authentication for privileged access
  • Role-based access control with least privilege
  • Quarterly access reviews
  • Password policy: 12+ characters, complexity

Data Protection:

  • Encryption: AES-256 (rest), TLS 1.3 (transit)
  • Data classification and tagging
  • Retention policies aligned with regulations
  • Data minimization

Logging & Monitoring:

  • Centralized audit logging (all auth and data access)
  • 7-year retention (satisfies all frameworks)
  • Immutable storage (S3 Object Lock)
  • Real-time alerting

Network Security:

  • Network segmentation and VPC isolation
  • Firewalls with deny-by-default
  • Intrusion detection/prevention
  • Regular vulnerability scanning

Incident Response:

  • Documented incident response plan
  • Automated detection and alerting
  • Breach notification: HIPAA 60d, GDPR 48h, SOC 2 72h, PCI-DSS immediate

Business Continuity:

  • Automated backups with defined RPO/RTO
  • Multi-region disaster recovery
  • Regular failover testing

For complete control implementations, see references/control-mapping-matrix.md.

Compliance as Code

Policy Enforcement with OPA

Enforce compliance policies in CI/CD before infrastructure deployment.

Architecture:

```
Git Push → Terraform Plan → JSON → OPA Evaluation
                                       ├─► Pass → Deploy
                                       └─► Fail → Block
```

Example: Encryption Policy

Enforce encryption requirements (SOC 2 CC6.1, HIPAA §164.312(a)(2)(iv), PCI-DSS Req 3.4):

See examples/opa-policies/encryption.rego for complete implementation.

CI/CD Integration:

```bash
terraform plan -out=tfplan.binary
terraform show -json tfplan.binary > tfplan.json
opa eval --data policies/ --input tfplan.json 'data.compliance.main.deny'
```

For complete CI/CD patterns, see references/cicd-integration.md.

Static Analysis with Checkov

Scan IaC with built-in compliance framework support:

```bash
checkov -d ./terraform \
  --check SOC2 --check HIPAA --check PCI --check GDPR \
  --output cli --output json
```

Create custom policies for organization-specific requirements. See examples/checkov-policies/ for examples.

Automated Testing

Integrate compliance validation into test suites:

```python
import json
import subprocess


def test_s3_encrypted(terraform_plan):
    """SOC2:CC6.1, HIPAA:164.312(a)(2)(iv)"""
    buckets = get_resources(terraform_plan, "aws_s3_bucket")
    encrypted = get_encryption_configs(terraform_plan)
    assert all_buckets_encrypted(buckets, encrypted)


def test_opa_policies():
    # capture_output is required; without it result.stdout is None
    result = subprocess.run(["opa", "eval", "--data", "policies/",
                             "--input", "tfplan.json", "data.compliance.main.deny"],
                            capture_output=True, text=True, check=True)
    # opa eval wraps the value: {"result": [{"expressions": [{"value": [...]}]}]}
    denials = json.loads(result.stdout)["result"][0]["expressions"][0]["value"]
    assert not denials, f"compliance policy violations: {denials}"
```

For complete test patterns, see references/compliance-testing.md.
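The helpers the test above relies on (get_resources, get_encryption_configs, all_buckets_encrypted) are not shown on the page. The following added example implements them over the `terraform show -json` plan structure, applying the same ENC-001 rule the encryption.rego policy enforces (every planned S3 bucket must have a KMS-backed default SSE rule). This is example code written for this edit, not the project's own; the plan document is constructed and abridged, and the KMS ARN is a placeholder.

```python
import json

# Constructed, abridged `terraform show -json tfplan.binary` output: two buckets,
# but only aws_s3_bucket.data gets a KMS server-side encryption configuration.
SAMPLE_PLAN = json.loads("""{
  "resource_changes": [
    {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "acme-data"}}},
    {"address": "aws_s3_bucket.scratch", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "acme-scratch"}}},
    {"address": "aws_s3_bucket_server_side_encryption_configuration.data",
     "type": "aws_s3_bucket_server_side_encryption_configuration",
     "change": {"actions": ["create"], "after": {"rule": [{"apply_server_side_encryption_by_default": [
       {"sse_algorithm": "aws:kms", "kms_master_key_id": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"}]}]}}}],
  "configuration": {"root_module": {"resources": [
    {"address": "aws_s3_bucket_server_side_encryption_configuration.data",
     "expressions": {"bucket": {"references": ["aws_s3_bucket.data.id", "aws_s3_bucket.data"]}}}]}}
}""")

def get_resources(plan, resource_type):
    """Planned resources of one type, ignoring ones that are only being destroyed."""
    return [rc for rc in plan.get("resource_changes", [])
            if rc["type"] == resource_type and rc["change"]["actions"] != ["delete"]]

def _bucket_address(plan, config_address):
    # The `bucket` attribute of an SSE configuration is usually unknown at plan time
    # (the bucket is created in the same run), so resolve it through the
    # configuration block's expression references instead of change.after.
    for res in plan["configuration"]["root_module"]["resources"]:
        if res["address"] == config_address:
            for ref in res["expressions"].get("bucket", {}).get("references", []):
                return ".".join(ref.split(".")[:2])  # "aws_s3_bucket.data.id" -> "aws_s3_bucket.data"
    return None

def get_encryption_configs(plan):
    """Map bucket address -> default SSE rule for every planned encryption configuration."""
    configs = {}
    for rc in get_resources(plan, "aws_s3_bucket_server_side_encryption_configuration"):
        rule = rc["change"]["after"]["rule"][0]["apply_server_side_encryption_by_default"][0]
        address = _bucket_address(plan, rc["address"])
        if address:
            configs[address] = rule
    return configs

def unencrypted_buckets(buckets, encrypted):
    """Buckets violating ENC-001: no SSE configuration, or SSE not backed by KMS."""
    return [b["address"] for b in buckets
            if encrypted.get(b["address"], {}).get("sse_algorithm") != "aws:kms"]

def all_buckets_encrypted(buckets, encrypted):
    return not unencrypted_buckets(buckets, encrypted)
```

Reporting the offending addresses (unencrypted_buckets) rather than a bare boolean gives the CI log and the evidence record something an auditor can trace back to a resource.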

Technical Control Implementations

Encryption at Rest

Standards: AES-256, managed KMS, automatic rotation

AWS Example:

```hcl
resource "aws_kms_key" "data" {
  enable_key_rotation = true
  tags                = { Compliance = "ENC-001" }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data.arn
    }
  }
}

resource "aws_db_instance" "main" {
  storage_encrypted = true
  kms_key_id        = aws_kms_key.data.arn
}
```

For complete encryption implementations including Azure and GCP, see references/encryption-implementations.md.

Encryption in Transit

Standards: TLS 1.3 (TLS 1.2 minimum), strong ciphers, HSTS

ALB Example:

```hcl
resource "aws_lb_listener" "https" {
  port       = 443
  protocol   = "HTTPS"
  ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  # load_balancer_arn, certificate_arn and default_action omitted for brevity
}
```

Multi-Factor Authentication

Standards: TOTP, hardware tokens, biometric for privileged access

AWS IAM Enforcement:

```hcl
resource "aws_iam_policy" "require_mfa" {
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      # Deny everything except MFA device setup while no MFA is present on the session
      Effect    = "Deny"
      NotAction = ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice"]
      Resource  = "*"
      Condition = {
        BoolIfExists = { "aws:MultiFactorAuthPresent" = "false" }
      }
    }]
  })
}
```

For application-level MFA (TOTP), see examples/mfa-implementation.py.

Role-Based Access Control

Standards: Least privilege, job function-based roles, quarterly reviews

Kubernetes Example:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: development
rules:
  - apiGroups: ["", "apps"]
    resources: ["pods", "deployments", "services"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"] # Read-only
```

For complete RBAC patterns including AWS IAM and OPA policies, see references/access-control-patterns.md.

Audit Logging

Standards: Structured JSON, 7-year retention, immutable storage

Required Events: Authentication, authorization, data access, administrative actions, security events

Python Example:

```python
import json
import logging
from datetime import datetime


class AuditLogger:
    """Emits one structured JSON line per auditable event (LOG-001)."""

    def __init__(self, logger=None):
        # Route this logger to centralized, immutable storage (see Log Retention below)
        self.logger = logger or logging.getLogger("audit")

    def log_event(self, event_type, user_id, resource_type,
                  resource_id, action, result, ip_address):
        audit_event = {
            "timestamp": datetime.utcnow().isoformat() + "Z",
            "event_type": event_type.value,  # event_type is an Enum member
            "user_id": user_id,
            "action": action,
            "result": result,
            "resource": {"type": resource_type, "id": resource_id},
            "source": {"ip": ip_address},
        }
        self.logger.info(json.dumps(audit_event))
```

Log Retention:

```hcl
resource "aws_cloudwatch_log_group" "audit" {
  retention_in_days = 2557 # 7 years (2557 is the accepted CloudWatch value; 2555 is rejected)
  kms_key_id        = aws_kms_key.logs.arn
}

resource "aws_s3_bucket_object_lock_configuration" "audit" {
  bucket = aws_s3_bucket.audit_logs.id

  rule {
    default_retention {
      mode  = "COMPLIANCE"
      years = 7
    }
  }
}
```

For complete audit logging patterns including HIPAA PHI access logging, see references/audit-logging-patterns.md.

Evidence Collection Automation

Continuous Monitoring

Automate evidence collection for continuous compliance validation.

Architecture:

```
AWS Config → EventBridge → Lambda → S3 (Evidence)
                                  → DynamoDB (Status)
```

Evidence Collection:

```python
from datetime import datetime


class EvidenceCollector:
    def collect_encryption_evidence(self):
        evidence = {
            "control_id": "ENC-001",
            "frameworks": ["SOC2-CC6.1", "HIPAA-164.312(a)(2)(iv)"],
            "timestamp": datetime.utcnow().isoformat(),
            "status": "PASS",
            "findings": []
        }
        # Check S3, RDS, EBS encryption status
        # Document findings
        return evidence
```

For complete evidence collector, see examples/evidence-collection/evidence_collector.py.
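As an added example (not the project's evidence_collector.py), the block below builds an evidence record in the same shape for MFA-001, reading the CSV format returned by `aws iam get-credential-report`. It covers the case a naive per-user rule misses: the root account reports password_enabled as "not_supported", so it must be judged on mfa_active alone. The report is constructed with fake users, a fake account id and a subset of the real columns.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed, abridged `aws iam get-credential-report` output: real column names,
# fake account id and users. Root reports password_enabled as "not_supported".
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111111111111:root,not_supported,true,false
alice,arn:aws:iam::111111111111:user/alice,true,true,true
bob,arn:aws:iam::111111111111:user/bob,true,false,false
deploy-bot,arn:aws:iam::111111111111:user/deploy-bot,false,false,true
"""

# Control metadata taken from the control mapping matrix on this page.
MFA_001 = {
    "control_id": "MFA-001",
    "frameworks": ["SOC2-CC6.1", "HIPAA-164.312(d)", "PCI-DSS-8.3", "GDPR-Art32", "ISO27001-A.9.4.2"],
}


def mfa_findings(report_csv):
    """Identities that violate MFA-001.

    Root is checked on mfa_active alone because its password_enabled column is
    'not_supported'; IAM users count only if they have console access, since
    access-key-only identities never see the MFA prompt."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append({"user": row["user"], "arn": row["arn"], "issue": "root account without MFA"})
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append({"user": row["user"], "arn": row["arn"], "issue": "console access without MFA"})
    return findings


def collect_mfa_evidence(report_csv, now=None):
    """Evidence record in the shape used by EvidenceCollector; FAIL on any finding."""
    findings = mfa_findings(report_csv)
    now = now or datetime.now(timezone.utc)
    return {
        **MFA_001,
        "timestamp": now.isoformat(),
        "source": "iam:GetCredentialReport",
        "status": "PASS" if not findings else "FAIL",
        "findings": findings,
    }
```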

Audit Report Generation

Generate compliance reports automatically:

```python
class AuditReportGenerator:
    def generate_soc2_report(self, start_date, end_date):
        controls = self.get_control_status("SOC2")
        return {
            "framework": "SOC 2 Type II",
            "compliance_score": self.calculate_score(controls),
            "trust_services_criteria": {...},
            "controls": self.format_controls(controls)
        }
```

For complete report generator, see examples/evidence-collection/report_generator.py.

Control Mapping Matrix

Unified control mapping across frameworks:

| Control | SOC 2 | HIPAA | PCI-DSS | GDPR | ISO 27001 |
|---------|-------|-------|---------|------|-----------|
| MFA | CC6.1 | §164.312(d) | Req 8.3 | Art 32 | A.9.4.2 |
| Encryption at Rest | CC6.1 | §164.312(a)(2)(iv) | Req 3.4 | Art 32 | A.10.1.1 |
| Encryption in Transit | CC6.1 | §164.312(e)(1) | Req 4.1 | Art 32 | A.13.1.1 |
| Audit Logging | CC7.2 | §164.312(b) | Req 10.2 | Art 30 | A.12.4.1 |
| Access Reviews | CC6.1 | §164.308(a)(3)(ii)(C) | Req 8.2.4 | Art 32 | A.9.2.5 |
| Vulnerability Scanning | CC7.1 | §164.308(a)(8) | Req 11.2 | Art 32 | A.12.6.1 |
| Incident Response | CC7.3 | §164.308(a)(6) | Req 12.10 | Art 33 | A.16.1.1 |

Strategy: Implement once with proper tagging, map to all applicable frameworks.

For complete control mapping with 45+ controls, see references/control-mapping-matrix.md.

Breach Notification Requirements

Framework-Specific Timelines:

  • HIPAA: 60 days to HHS and affected individuals
  • GDPR: 48 hours to supervisory authority (2025 update)
  • SOC 2: 72 hours to affected customers
  • PCI-DSS: Immediate to payment brands

Required Elements:

  • Description of incident and data involved
  • Estimated number of affected individuals
  • Steps taken to mitigate harm
  • Contact information for questions
  • Remediation actions and timeline

For incident response templates, see references/incident-response-templates.md.

Vendor Management

Business Associate Agreements (HIPAA):

  • Required for all vendors handling PHI
  • Specify permitted uses and disclosures
  • Require appropriate safeguards
  • Annual review and renewal

Data Processing Agreements (GDPR):

  • Required for all vendors processing personal data
  • Process only on controller instructions
  • Implement appropriate technical measures
  • Sub-processor approval required

Assessment Process:

  1. Risk classification by data access level
  2. Security questionnaire evaluation
  3. BAA/DPA execution
  4. SOC 2 report collection (≤90 days old)
  5. Annual re-assessment

For vendor management templates, see references/vendor-management.md.

Tools & Libraries

Policy as Code:

  • Open Policy Agent (OPA): General-purpose policy engine
  • Checkov: IaC security scanning with compliance frameworks
  • tfsec: Terraform security scanner
  • Trivy: Container and IaC scanner

Compliance Automation:

  • AWS Config: AWS resource compliance monitoring
  • Cloud Custodian: Multi-cloud compliance automation
  • Drata/Vanta/Secureframe: Continuous compliance platforms

For tool selection guidance, see references/tool-recommendations.md.

Integration with Other Skills

Related Skills:

  • security-hardening: Technical security control implementation
  • secret-management: Secrets handling per HIPAA/PCI-DSS
  • infrastructure-as-code: IaC implementing compliance controls
  • kubernetes-operations: K8s RBAC, network policies
  • building-ci-pipelines: Policy enforcement in CI/CD
  • siem-logging: Audit logging and monitoring
  • incident-management: Incident response procedures

Quick Reference

Implementation Checklist:

  • [ ] Identify applicable frameworks
  • [ ] Implement encryption (AES-256, TLS 1.3)
  • [ ] Configure MFA for privileged access
  • [ ] Implement RBAC with least privilege
  • [ ] Set up audit logging (7-year retention)
  • [ ] Configure security monitoring/alerting
  • [ ] Create incident response plan
  • [ ] Execute vendor agreements (BAAs, DPAs)
  • [ ] Implement policy-as-code (OPA, Checkov)
  • [ ] Automate evidence collection
  • [ ] Conduct quarterly access reviews
  • [ ] Perform annual risk assessments

Common Mistakes:

  • Treating compliance as one-time project vs continuous process
  • Implementing per-framework vs unified controls
  • Manual evidence collection vs automation
  • Insufficient log retention (<7 years)
  • Missing MFA enforcement
  • Not encrypting backups/logs
  • Inadequate vendor due diligence

References

Framework Details:

  • references/soc2-controls.md - SOC 2 TSC control catalog
  • references/hipaa-safeguards.md - HIPAA safeguards
  • references/pci-dss-requirements.md - PCI-DSS 4.0 requirements
  • references/gdpr-articles.md - GDPR key articles

Implementation Patterns:

  • references/control-mapping-matrix.md - Unified control mapping
  • references/encryption-implementations.md - Encryption patterns
  • references/access-control-patterns.md - MFA, RBAC implementations
  • references/audit-logging-patterns.md - Logging requirements
  • references/incident-response-templates.md - IR procedures

Automation:

  • references/cicd-integration.md - OPA/Checkov CI/CD integration
  • references/compliance-testing.md - Automated test patterns
  • references/vendor-management.md - Vendor assessment templates
  • references/tool-recommendations.md - Tool selection guide

Code Examples:

  • examples/opa-policies/ - OPA policy examples
  • examples/terraform/ - Terraform control implementations
  • examples/evidence-collection/ - Evidence automation
  • examples/mfa-implementation.py - TOTP MFA implementation

Consult qualified legal counsel and auditors for legal interpretation and audit preparation.
