--- name: implementing-compliance description: Implement and maintain compliance with SOC 2, HIPAA, PCI-DSS, and GDPR using unified control mapping, policy-as-code enforcement, and automated evidence collection. Use when building systems requiring regulatory compliance, implementing security controls across multiple frameworks, or automating audit preparation. --- # Compliance Frameworks Implement continuous compliance with major regulatory frameworks through unified control mapping, policy-as-code enforcement, and automated evidence collection. ## Purpose Modern compliance is a continuous engineering discipline requiring technical implementation of security controls. This skill provides patterns for SOC 2 Type II, HIPAA, PCI-DSS 4.0, and GDPR compliance using infrastructure-as-code, policy automation, and evidence collection. Focus on unified controls that satisfy multiple frameworks simultaneously to reduce implementation effort by 60-80%. ## When to Use Invoke when: - Building SaaS products requiring SOC 2 Type II for enterprise sales - Handling healthcare data (PHI) requiring HIPAA compliance - Processing payment cards requiring PCI-DSS validation - Serving EU residents and processing personal data under GDPR - Implementing security controls that satisfy multiple compliance frameworks - Automating compliance evidence collection and audit preparation - Enforcing compliance policies in CI/CD pipelines ## Framework Selection ### Tier 1: Trust & Security Certifications **SOC 2 Type II** - Audience: SaaS vendors, cloud service providers - When required: Enterprise B2B sales, handling customer data - Timeline: 6-12 month observation period - 2025 updates: Monthly control testing, AI governance, 72-hour breach disclosure **ISO 27001** - Audience: Global enterprises - When required: International business, government contracts - Timeline: 3-6 month certification, annual surveillance ### Tier 2: Industry-Specific Regulations **HIPAA (Healthcare)** - Audience: Healthcare providers, health tech handling PHI - When required: Processing Protected Health Information - 2025 focus: Zero Trust Architecture, EDR/XDR, AI assessments **PCI-DSS 4.0 (Payment Card Industry)** - Audience: Merchants, payment processors - When required: Processing, storing, transmitting cardholder data - Effective: April 1, 2025 (mandatory) - Key changes: Client-side security, 12-char passwords, enhanced MFA ### Tier 3: Privacy Regulations **GDPR (EU Privacy)** - Audience: Organizations processing EU residents' data - When required: EU customers/users (extraterritorial) - 2025 updates: 48-hour breach reporting, 6% revenue fines, AI transparency **CCPA/CPRA (California Privacy)** - Audience: Businesses serving California residents - When required: Revenue >$25M, or 100K+ CA residents, or 50%+ revenue from data sales For detailed framework requirements, see references/soc2-controls.md, references/hipaa-safeguards.md, references/pci-dss-requirements.md, and references/gdpr-articles.md. ## Universal Control Implementation ### Unified Control Strategy Implement controls once, map to multiple frameworks. Reduces effort by 60-80%. **Implementation Priority:** 1. **Encryption** (ENC-001, ENC-002): AES-256 at rest, TLS 1.3 in transit 2. **Access Control** (MFA-001, RBAC-001): MFA, RBAC, least privilege 3. **Audit Logging** (LOG-001): Centralized, immutable, 7-year retention 4. **Monitoring** (MON-001): SIEM, intrusion detection, alerting 5. **Incident Response** (IR-001): Detection, escalation, breach notification ### Control Categories **Identity & Access:** - Multi-factor authentication for privileged access - Role-based access control with least privilege - Quarterly access reviews - Password policy: 12+ characters, complexity **Data Protection:** - Encryption: AES-256 (rest), TLS 1.3 (transit) - Data classification and tagging - Retention policies aligned with regulations - Data minimization **Logging & Monitoring:** - Centralized audit logging (all auth and data access) - 7-year retention (satisfies all frameworks) - Immutable storage (S3 Object Lock) - Real-time alerting **Network Security:** - Network segmentation and VPC isolation - Firewalls with deny-by-default - Intrusion detection/prevention - Regular vulnerability scanning **Incident Response:** - Documented incident response plan - Automated detection and alerting - Breach notification: HIPAA 60d, GDPR 48h, SOC 2 72h, PCI-DSS immediate **Business Continuity:** - Automated backups with defined RPO/RTO - Multi-region disaster recovery - Regular failover testing For complete control implementations, see references/control-mapping-matrix.md. ## Compliance as Code ### Policy Enforcement with OPA Enforce compliance policies in CI/CD before infrastructure deployment. **Architecture:** ``` Git Push → Terraform Plan → JSON → OPA Evaluation ├─► Pass → Deploy └─► Fail → Block ``` **Example: Encryption Policy** Enforce encryption requirements (SOC 2 CC6.1, HIPAA §164.312(a)(2)(iv), PCI-DSS Req 3.4): See examples/opa-policies/encryption.rego for complete implementation. **CI/CD Integration:** ```bash terraform plan -out=tfplan.binary terraform show -json tfplan.binary > tfplan.json opa eval --data policies/ --input tfplan.json 'data.compliance.main.deny' ``` For complete CI/CD patterns, see references/cicd-integration.md. ### Static Analysis with Checkov Scan IaC with built-in compliance framework support: ```bash checkov -d ./terraform \ --check SOC2 --check HIPAA --check PCI --check GDPR \ --output cli --output json ``` Create custom policies for organization-specific requirements. See examples/checkov-policies/ for examples. ### Automated Testing Integrate compliance validation into test suites: ```python def test_s3_encrypted(terraform_plan): """SOC2:CC6.1, HIPAA:164.312(a)(2)(iv)""" buckets = get_resources(terraform_plan, "aws_s3_bucket") encrypted = get_encryption_configs(terraform_plan) assert all_buckets_encrypted(buckets, encrypted) def test_opa_policies(): result = subprocess.run(["opa", "eval", "--data", "policies/", "--input", "tfplan.json", "data.compliance.main.deny"]) assert not json.loads(result.stdout) ``` For complete test patterns, see references/compliance-testing.md. ## Technical Control Implementations ### Encryption at Rest **Standards:** AES-256, managed KMS, automatic rotation **AWS Example:** ```hcl resource "aws_kms_key" "data" { enable_key_rotation = true tags = { Compliance = "ENC-001" } } resource "aws_s3_bucket_server_side_encryption_configuration" "data" { bucket = aws_s3_bucket.data.id rule { apply_server_side_encryption_by_default { sse_algorithm = "aws:kms" kms_master_key_id = aws_kms_key.data.arn } } } resource "aws_db_instance" "main" { storage_encrypted = true kms_key_id = aws_kms_key.data.arn } ``` For complete encryption implementations including Azure and GCP, see references/encryption-implementations.md. ### Encryption in Transit **Standards:** TLS 1.3 (TLS 1.2 minimum), strong ciphers, HSTS **ALB Example:** ```hcl resource "aws_lb_listener" "https" { port = 443 protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06" } ``` ### Multi-Factor Authentication **Standards:** TOTP, hardware tokens, biometric for privileged access **AWS IAM Enforcement:** ```hcl resource "aws_iam_policy" "require_mfa" { policy = jsonencode({ Statement = [{ Effect = "Deny" NotAction = ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice"] Resource = "*" Condition = { BoolIfExists = { "aws:MultiFactorAuthPresent" = "false" } } }] }) } ``` For application-level MFA (TOTP), see examples/mfa-implementation.py. ### Role-Based Access Control **Standards:** Least privilege, job function-based roles, quarterly reviews **Kubernetes Example:** ```yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: developer namespace: development rules: - apiGroups: ["", "apps"] resources: ["pods", "deployments", "services"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list"] # Read-only ``` For complete RBAC patterns including AWS IAM and OPA policies, see references/access-control-patterns.md. ### Audit Logging **Standards:** Structured JSON, 7-year retention, immutable storage **Required Events:** Authentication, authorization, data access, administrative actions, security events **Python Example:** ```python class AuditLogger: def log_event(self, event_type, user_id, resource_type, resource_id, action, result, ip_address): audit_event = { "timestamp": datetime.utcnow().isoformat() + "Z", "event_type": event_type.value, "user_id": user_id, "action": action, "result": result, "resource": {"type": resource_type, "id": resource_id}, "source": {"ip": ip_address} } self.logger.info(json.dumps(audit_event)) ``` **Log Retention:** ```hcl resource "aws_cloudwatch_log_group" "audit" { retention_in_days = 2555 # 7 years kms_key_id = aws_kms_key.logs.arn } resource "aws_s3_bucket_object_lock_configuration" "audit" { bucket = aws_s3_bucket.audit_logs.id rule { default_retention { mode = "COMPLIANCE"; years = 7 } } } ``` For complete audit logging patterns including HIPAA PHI access logging, see references/audit-logging-patterns.md. ## Evidence Collection Automation ### Continuous Monitoring Automate evidence collection for continuous compliance validation. **Architecture:** ``` AWS Config → EventBridge → Lambda → S3 (Evidence) → DynamoDB (Status) ``` **Evidence Collection:** ```python class EvidenceCollector: def collect_encryption_evidence(self): evidence = { "control_id": "ENC-001", "frameworks": ["SOC2-CC6.1", "HIPAA-164.312(a)(2)(iv)"], "timestamp": datetime.utcnow().isoformat(), "status": "PASS", "findings": [] } # Check S3, RDS, EBS encryption status # Document findings return evidence ``` For complete evidence collector, see examples/evidence-collection/evidence_collector.py. ### Audit Report Generation Generate compliance reports automatically: ```python class AuditReportGenerator: def generate_soc2_report(self, start_date, end_date): controls = self.get_control_status("SOC2") return { "framework": "SOC 2 Type II", "compliance_score": self.calculate_score(controls), "trust_services_criteria": {...}, "controls": self.format_controls(controls) } ``` For complete report generator, see examples/evidence-collection/report_generator.py. ## Control Mapping Matrix Unified control mapping across frameworks: | Control | SOC 2 | HIPAA | PCI-DSS | GDPR | ISO 27001 | |---------|-------|-------|---------|------|-----------| | MFA | CC6.1 | §164.312(d) | Req 8.3 | Art 32 | A.9.4.2 | | Encryption at Rest | CC6.1 | §164.312(a)(2)(iv) | Req 3.4 | Art 32 | A.10.1.1 | | Encryption in Transit | CC6.1 | §164.312(e)(1) | Req 4.1 | Art 32 | A.13.1.1 | | Audit Logging | CC7.2 | §164.312(b) | Req 10.2 | Art 30 | A.12.4.1 | | Access Reviews | CC6.1 | §164.308(a)(3)(ii)(C) | Req 8.2.4 | Art 32 | A.9.2.5 | | Vulnerability Scanning | CC7.1 | §164.308(a)(8) | Req 11.2 | Art 32 | A.12.6.1 | | Incident Response | CC7.3 | §164.308(a)(6) | Req 12.10 | Art 33 | A.16.1.1 | **Strategy:** Implement once with proper tagging, map to all applicable frameworks. For complete control mapping with 45+ controls, see references/control-mapping-matrix.md. ## Breach Notification Requirements **Framework-Specific Timelines:** - HIPAA: 60 days to HHS and affected individuals - GDPR: 48 hours to supervisory authority (2025 update) - SOC 2: 72 hours to affected customers - PCI-DSS: Immediate to payment brands **Required Elements:** - Description of incident and data involved - Estimated number of affected individuals - Steps taken to mitigate harm - Contact information for questions - Remediation actions and timeline For incident response templates, see references/incident-response-templates.md. ## Vendor Management **Business Associate Agreements (HIPAA):** - Required for all vendors handling PHI - Specify permitted uses and disclosures - Require appropriate safeguards - Annual review and renewal **Data Processing Agreements (GDPR):** - Required for all vendors processing personal data - Process only on controller instructions - Implement appropriate technical measures - Sub-processor approval required **Assessment Process:** 1. Risk classification by data access level 2. Security questionnaire evaluation 3. BAA/DPA execution 4. SOC 2 report collection (≤90 days old) 5. Annual re-assessment For vendor management templates, see references/vendor-management.md. ## Tools & Libraries **Policy as Code:** - Open Policy Agent (OPA): General-purpose policy engine - Checkov: IaC security scanning with compliance frameworks - tfsec: Terraform security scanner - Trivy: Container and IaC scanner **Compliance Automation:** - AWS Config: AWS resource compliance monitoring - Cloud Custodian: Multi-cloud compliance automation - Drata/Vanta/Secureframe: Continuous compliance platforms For tool selection guidance, see references/tool-recommendations.md. ## Integration with Other Skills **Related Skills:** - `security-hardening`: Technical security control implementation - `secret-management`: Secrets handling per HIPAA/PCI-DSS - `infrastructure-as-code`: IaC implementing compliance controls - `kubernetes-operations`: K8s RBAC, network policies - `building-ci-pipelines`: Policy enforcement in CI/CD - `siem-logging`: Audit logging and monitoring - `incident-management`: Incident response procedures ## Quick Reference **Implementation Checklist:** - [ ] Identify applicable frameworks - [ ] Implement encryption (AES-256, TLS 1.3) - [ ] Configure MFA for privileged access - [ ] Implement RBAC with least privilege - [ ] Set up audit logging (7-year retention) - [ ] Configure security monitoring/alerting - [ ] Create incident response plan - [ ] Execute vendor agreements (BAAs, DPAs) - [ ] Implement policy-as-code (OPA, Checkov) - [ ] Automate evidence collection - [ ] Conduct quarterly access reviews - [ ] Perform annual risk assessments **Common Mistakes:** - Treating compliance as one-time project vs continuous process - Implementing per-framework vs unified controls - Manual evidence collection vs automation - Insufficient log retention (<7 years) - Missing MFA enforcement - Not encrypting backups/logs - Inadequate vendor due diligence ## References **Framework Details:** - references/soc2-controls.md - SOC 2 TSC control catalog - references/hipaa-safeguards.md - HIPAA safeguards - references/pci-dss-requirements.md - PCI-DSS 4.0 requirements - references/gdpr-articles.md - GDPR key articles **Implementation Patterns:** - references/control-mapping-matrix.md - Unified control mapping - references/encryption-implementations.md - Encryption patterns - references/access-control-patterns.md - MFA, RBAC implementations - references/audit-logging-patterns.md - Logging requirements - references/incident-response-templates.md - IR procedures **Automation:** - references/cicd-integration.md - OPA/Checkov CI/CD integration - references/compliance-testing.md - Automated test patterns - references/vendor-management.md - Vendor assessment templates - references/tool-recommendations.md - Tool selection guide **Code Examples:** - examples/opa-policies/ - OPA policy examples - examples/terraform/ - Terraform control implementations - examples/evidence-collection/ - Evidence automation - examples/mfa-implementation.py - TOTP MFA implementation Consult qualified legal counsel and auditors for legal interpretation and audit preparation.