Compliance Frameworks

Implement continuous compliance with major regulatory frameworks through unified control mapping, policy-as-code enforcement, and automated evidence collection.

Purpose

Modern compliance is a continuous engineering discipline requiring technical implementation of security controls. This skill provides patterns for SOC 2 Type II, HIPAA, PCI-DSS 4.0, and GDPR compliance using infrastructure-as-code, policy automation, and evidence collection. Focus on unified controls that satisfy multiple frameworks simultaneously to reduce implementation effort by 60-80%.

When to Use

Invoke when:

• Building SaaS products requiring SOC 2 Type II for enterprise sales
• Handling healthcare data (PHI) requiring HIPAA compliance
• Processing payment cards requiring PCI-DSS validation
• Serving EU residents and processing personal data under GDPR
• Implementing security controls that satisfy multiple compliance frameworks
• Automating compliance evidence collection and audit preparation
• Enforcing compliance policies in CI/CD pipelines

Framework Selection

Tier 1: Trust & Security Certifications

SOC 2 Type II

• Audience: SaaS vendors, cloud service providers
• When required: Enterprise B2B sales, handling customer data
• Timeline: 6-12 month observation period
• 2025 updates: Monthly control testing, AI governance, 72-hour breach disclosure

ISO 27001

• Audience: Global enterprises
• When required: International business, government contracts
• Timeline: 3-6 month certification, annual surveillance

Tier 2: Industry-Specific Regulations

HIPAA (Healthcare)

• Audience: Healthcare providers, health tech handling PHI
• When required: Processing Protected Health Information
• 2025 focus: Zero Trust Architecture, EDR/XDR, AI assessments

PCI-DSS 4.0 (Payment Card Industry)

• Audience: Merchants, payment processors
• When required: Processing, storing, transmitting cardholder data
• Effective: April 1, 2025 (mandatory)
• Key changes: Client-side security, 12-char passwords, enhanced MFA

Tier 3: Privacy Regulations

GDPR (EU Privacy)

• Audience: Organizations processing EU residents' data
• When required: EU customers/users (extraterritorial)
• 2025 updates: 48-hour breach reporting, 6% revenue fines, AI transparency

CCPA/CPRA (California Privacy)

• Audience: Businesses serving California residents
• When required: Revenue >$25M, or 100K+ CA residents, or 50%+ revenue from data sales

For detailed framework requirements, see references/soc2-controls.md, references/hipaa-safeguards.md, references/pci-dss-requirements.md, and references/gdpr-articles.md.

Universal Control Implementation

Unified Control Strategy

Implement controls once, map to multiple frameworks. Reduces effort by 60-80%.

Implementation Priority:

1. Encryption (ENC-001, ENC-002): AES-256 at rest, TLS 1.3 in transit
2. Access Control (MFA-001, RBAC-001): MFA, RBAC, least privilege
3. Audit Logging (LOG-001): Centralized, immutable, 7-year retention
4. Monitoring (MON-001): SIEM, intrusion detection, alerting
5. Incident Response (IR-001): Detection, escalation, breach notification

Control Categories

Identity & Access:

• Multi-factor authentication for privileged access
• Role-based access control with least privilege
• Quarterly access reviews
• Password policy: 12+ characters, complexity

Data Protection:

• Encryption: AES-256 (rest), TLS 1.3 (transit)
• Data classification and tagging
• Retention policies aligned with regulations
• Data minimization

Logging & Monitoring:

• Centralized audit logging (all auth and data access)
• 7-year retention (satisfies all frameworks)
• Immutable storage (S3 Object Lock)
• Real-time alerting

Network Security:

• Network segmentation and VPC isolation
• Firewalls with deny-by-default
• Intrusion detection/prevention
• Regular vulnerability scanning

Incident Response:

• Documented incident response plan
• Automated detection and alerting
• Breach notification: HIPAA 60d, GDPR 48h, SOC 2 72h, PCI-DSS immediate

Business Continuity:

• Automated backups with defined RPO/RTO
• Multi-region disaster recovery
• Regular failover testing

For complete control implementations, see references/control-mapping-matrix.md.

Compliance as Code

Policy Enforcement with OPA

Enforce compliance policies in CI/CD before infrastructure deployment.

Architecture:

Git Push → Terraform Plan → JSON → OPA Evaluation
                                    ├─► Pass → Deploy
                                    └─► Fail → Block

Example: Encryption Policy

Enforce encryption requirements (SOC 2 CC6.1, HIPAA §164.312(a)(2)(iv), PCI-DSS Req 3.4):

See examples/opa-policies/encryption.rego for complete implementation.

CI/CD Integration:

terraform plan -out=tfplan.binary
terraform show -json tfplan.binary > tfplan.json
opa eval --data policies/ --input tfplan.json 'data.compliance.main.deny'

For complete CI/CD patterns, see references/cicd-integration.md.

Static Analysis with Checkov

Scan IaC with built-in compliance framework support:

checkov -d ./terraform \
  --check SOC2 --check HIPAA --check PCI --check GDPR \
  --output cli --output json

Create custom policies for organization-specific requirements. See examples/checkov-policies/ for examples.

Automated Testing

Integrate compliance validation into test suites:

def test_s3_encrypted(terraform_plan):
    """SOC2:CC6.1, HIPAA:164.312(a)(2)(iv)"""
    buckets = get_resources(terraform_plan, "aws_s3_bucket")
    encrypted = get_encryption_configs(terraform_plan)
    assert all_buckets_encrypted(buckets, encrypted)

def test_opa_policies():
    result = subprocess.run(["opa", "eval", "--data", "policies/",
        "--input", "tfplan.json", "data.compliance.main.deny"])
    assert not json.loads(result.stdout)

For complete test patterns, see references/compliance-testing.md.

Technical Control Implementations

Encryption at Rest

Standards: AES-256, managed KMS, automatic rotation

AWS Example:

resource "aws_kms_key" "data" {
  enable_key_rotation = true
  tags = { Compliance = "ENC-001" }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data.arn
    }
  }
}

resource "aws_db_instance" "main" {
  storage_encrypted = true
  kms_key_id       = aws_kms_key.data.arn
}

For complete encryption implementations including Azure and GCP, see references/encryption-implementations.md.

Encryption in Transit

Standards: TLS 1.3 (TLS 1.2 minimum), strong ciphers, HSTS

ALB Example:

resource "aws_lb_listener" "https" {
  port       = 443
  protocol   = "HTTPS"
  ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}

Multi-Factor Authentication

Standards: TOTP, hardware tokens, biometric for privileged access

AWS IAM Enforcement:

resource "aws_iam_policy" "require_mfa" {
  policy = jsonencode({
    Statement = [{
      Effect = "Deny"
      NotAction = ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice"]
      Resource = "*"
      Condition = {
        BoolIfExists = { "aws:MultiFactorAuthPresent" = "false" }
      }
    }]
  })
}

For application-level MFA (TOTP), see examples/mfa-implementation.py.

Role-Based Access Control

Standards: Least privilege, job function-based roles, quarterly reviews

Kubernetes Example:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: development
rules:
- apiGroups: ["", "apps"]
  resources: ["pods", "deployments", "services"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]  # Read-only

For complete RBAC pat