implementing-compliance

Implement and maintain compliance with SOC 2, HIPAA, PCI-DSS, and GDPR using unified control mapping, policy-as-code enforcement, and automated evidence collection. Use when building systems requiring regulatory compliance, implementing security controls across multiple frameworks, or automating audit preparation.


Install skill "implementing-compliance" with this command: npx skills add ancoleman/ai-design-components/ancoleman-ai-design-components-implementing-compliance

Compliance Frameworks

Implement continuous compliance with major regulatory frameworks through unified control mapping, policy-as-code enforcement, and automated evidence collection.

Purpose

Modern compliance is a continuous engineering discipline requiring technical implementation of security controls. This skill provides patterns for SOC 2 Type II, HIPAA, PCI-DSS 4.0, and GDPR compliance using infrastructure-as-code, policy automation, and evidence collection. Focus on unified controls that satisfy multiple frameworks simultaneously to reduce implementation effort by 60-80%.

When to Use

Invoke when:

  • Building SaaS products requiring SOC 2 Type II for enterprise sales
  • Handling healthcare data (PHI) requiring HIPAA compliance
  • Processing payment cards requiring PCI-DSS validation
  • Serving EU residents and processing personal data under GDPR
  • Implementing security controls that satisfy multiple compliance frameworks
  • Automating compliance evidence collection and audit preparation
  • Enforcing compliance policies in CI/CD pipelines

Framework Selection

Tier 1: Trust & Security Certifications

SOC 2 Type II

  • Audience: SaaS vendors, cloud service providers
  • When required: Enterprise B2B sales, handling customer data
  • Timeline: 6-12 month observation period
  • 2025 updates: Monthly control testing, AI governance, 72-hour breach disclosure

ISO 27001

  • Audience: Global enterprises
  • When required: International business, government contracts
  • Timeline: 3-6 month certification, annual surveillance

Tier 2: Industry-Specific Regulations

HIPAA (Healthcare)

  • Audience: Healthcare providers, health tech handling PHI
  • When required: Processing Protected Health Information
  • 2025 focus: Zero Trust Architecture, EDR/XDR, AI assessments

PCI-DSS 4.0 (Payment Card Industry)

  • Audience: Merchants, payment processors
  • When required: Processing, storing, transmitting cardholder data
  • Effective: April 1, 2025 (mandatory)
  • Key changes: Client-side security, 12-char passwords, enhanced MFA

Tier 3: Privacy Regulations

GDPR (EU Privacy)

  • Audience: Organizations processing EU residents' data
  • When required: EU customers/users (extraterritorial)
  • 2025 updates: 48-hour breach reporting, 6% revenue fines, AI transparency

CCPA/CPRA (California Privacy)

  • Audience: Businesses serving California residents
  • When required: Revenue >$25M, or 100K+ CA residents, or 50%+ revenue from data sales

For detailed framework requirements, see references/soc2-controls.md, references/hipaa-safeguards.md, references/pci-dss-requirements.md, and references/gdpr-articles.md.

Universal Control Implementation

Unified Control Strategy

Implement controls once, map to multiple frameworks. Reduces effort by 60-80%.

Implementation Priority:

  1. Encryption (ENC-001, ENC-002): AES-256 at rest, TLS 1.3 in transit
  2. Access Control (MFA-001, RBAC-001): MFA, RBAC, least privilege
  3. Audit Logging (LOG-001): Centralized, immutable, 7-year retention
  4. Monitoring (MON-001): SIEM, intrusion detection, alerting
  5. Incident Response (IR-001): Detection, escalation, breach notification

Control Categories

Identity & Access:

  • Multi-factor authentication for privileged access
  • Role-based access control with least privilege
  • Quarterly access reviews
  • Password policy: 12+ characters, complexity

Data Protection:

  • Encryption: AES-256 (rest), TLS 1.3 (transit)
  • Data classification and tagging
  • Retention policies aligned with regulations
  • Data minimization

Logging & Monitoring:

  • Centralized audit logging (all auth and data access)
  • 7-year retention (satisfies all frameworks)
  • Immutable storage (S3 Object Lock)
  • Real-time alerting

Network Security:

  • Network segmentation and VPC isolation
  • Firewalls with deny-by-default
  • Intrusion detection/prevention
  • Regular vulnerability scanning

Incident Response:

  • Documented incident response plan
  • Automated detection and alerting
  • Breach notification: HIPAA 60d, GDPR 48h, SOC 2 72h, PCI-DSS immediate

Business Continuity:

  • Automated backups with defined RPO/RTO
  • Multi-region disaster recovery
  • Regular failover testing

For complete control implementations, see references/control-mapping-matrix.md.

Compliance as Code

Policy Enforcement with OPA

Enforce compliance policies in CI/CD before infrastructure deployment.

Architecture:

Git Push → Terraform Plan → JSON → OPA Evaluation
                                    ├─► Pass → Deploy
                                    └─► Fail → Block

Example: Encryption Policy

Enforce encryption requirements (SOC 2 CC6.1, HIPAA §164.312(a)(2)(iv), PCI-DSS Req 3.4): the pipeline evaluates the Terraform plan JSON against the policy and blocks the deployment when data.compliance.main.deny is non-empty.

See examples/opa-policies/encryption.rego for the complete implementation.

CI/CD Integration:

terraform plan -out=tfplan.binary
terraform show -json tfplan.binary > tfplan.json
opa eval --data policies/ --input tfplan.json 'data.compliance.main.deny'

For complete CI/CD patterns, see references/cicd-integration.md.

Static Analysis with Checkov

Scan IaC with built-in compliance framework support:

checkov -d ./terraform \
  --check SOC2 --check HIPAA --check PCI --check GDPR \
  --output cli --output json

Create custom policies for organization-specific requirements. See examples/checkov-policies/ for examples.

Automated Testing

Integrate compliance validation into test suites:

import json
import subprocess


def test_s3_encrypted(terraform_plan):
    """SOC2:CC6.1, HIPAA:164.312(a)(2)(iv)"""
    # get_resources, get_encryption_configs and all_buckets_encrypted are
    # helpers from the project's test utilities (references/compliance-testing.md)
    buckets = get_resources(terraform_plan, "aws_s3_bucket")
    encrypted = get_encryption_configs(terraform_plan)
    assert all_buckets_encrypted(buckets, encrypted)


def test_opa_policies():
    result = subprocess.run(
        ["opa", "eval", "--data", "policies/", "--input", "tfplan.json",
         "data.compliance.main.deny"],
        capture_output=True, text=True, check=True)
    # opa eval wraps the value: {"result": [{"expressions": [{"value": [...]}]}]};
    # an undefined query yields no "result" key, which is treated as no denials
    output = json.loads(result.stdout)
    denials = output["result"][0]["expressions"][0]["value"] if output.get("result") else []
    assert not denials, f"policy violations: {denials}"

For complete test patterns, see references/compliance-testing.md.
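As an added example, not code from the skill itself, the plan-level encryption check that test_s3_encrypted relies on, written against the `terraform show -json` layout the CI/CD step above produces; the plan excerpt, the ENC-001 label and all function names are constructed for illustration.

```python
# Constructed excerpt in `terraform show -json` layout (not a real plan): one
# bucket with KMS encryption, one without, and an unencrypted RDS instance.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
     "values": {"bucket": "acme-data"}},
    {"address": "aws_s3_bucket.scratch", "type": "aws_s3_bucket",
     "values": {"bucket": "acme-scratch"}},
    {"address": "aws_s3_bucket_server_side_encryption_configuration.data",
     "type": "aws_s3_bucket_server_side_encryption_configuration",
     "values": {"bucket": "acme-data", "rule": [{"apply_server_side_encryption_by_default": [
         {"sse_algorithm": "aws:kms", "kms_master_key_id": "arn:aws:kms:PLACEHOLDER"}]}]}},
    {"address": "aws_db_instance.main", "type": "aws_db_instance",
     "values": {"identifier": "main", "storage_encrypted": False}},
]}}}

def get_resources(plan, rtype, module=None):
    """Planned resources of one type, recursing into child modules."""
    if module is None:
        module = plan["planned_values"]["root_module"]
    found = [r for r in module.get("resources", []) if r.get("type") == rtype]
    for child in module.get("child_modules", []):
        found.extend(get_resources(plan, rtype, child))
    return found

def kms_encrypted_buckets(plan):
    """Names of buckets whose default SSE is aws:kms (ENC-001)."""
    names = set()
    for cfg in get_resources(plan, "aws_s3_bucket_server_side_encryption_configuration"):
        values = cfg["values"]
        for rule in values.get("rule", []):
            for default in rule.get("apply_server_side_encryption_by_default", []):
                if default.get("sse_algorithm") == "aws:kms" and values.get("bucket"):
                    names.add(values["bucket"])
    return names

def encryption_findings(plan):
    """ENC-001 violations (SOC 2 CC6.1, HIPAA 164.312(a)(2)(iv), PCI-DSS 3.4);
    an empty list means the plan passes."""
    findings, encrypted = [], kms_encrypted_buckets(plan)
    for bucket in get_resources(plan, "aws_s3_bucket"):
        # A bucket name only known after apply is absent from `values`, so it
        # cannot be matched and is reported rather than silently passed.
        if bucket["values"].get("bucket") not in encrypted:
            findings.append(f"{bucket['address']}: no aws:kms default encryption")
    for db in get_resources(plan, "aws_db_instance"):
        if db["values"].get("storage_encrypted") is not True:
            findings.append(f"{db['address']}: storage_encrypted is not true")
    return findings
```

Load the real plan with json.load on tfplan.json and fail the CI job when encryption_findings returns a non-empty list.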

Technical Control Implementations

Encryption at Rest

Standards: AES-256, managed KMS, automatic rotation

AWS Example:

resource "aws_kms_key" "data" {
  enable_key_rotation = true
  tags = { Compliance = "ENC-001" }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data.arn
    }
  }
}

resource "aws_db_instance" "main" {
  storage_encrypted = true
  kms_key_id       = aws_kms_key.data.arn
}

For complete encryption implementations including Azure and GCP, see references/encryption-implementations.md.

Encryption in Transit

Standards: TLS 1.3 (TLS 1.2 minimum), strong ciphers, HSTS

ALB Example:

resource "aws_lb_listener" "https" {
  port       = 443
  protocol   = "HTTPS"
  ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}

Multi-Factor Authentication

Standards: TOTP, hardware tokens, biometric for privileged access

AWS IAM Enforcement:

resource "aws_iam_policy" "require_mfa" {
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      # Deny everything except MFA device enrollment until MFA is present
      Sid       = "DenyAllExceptMFASetupWithoutMFA"
      Effect    = "Deny"
      NotAction = ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice"]
      Resource  = "*"
      Condition = {
        BoolIfExists = { "aws:MultiFactorAuthPresent" = "false" }
      }
    }]
  })
}

For application-level MFA (TOTP), see examples/mfa-implementation.py.

Role-Based Access Control

Standards: Least privilege, job function-based roles, quarterly reviews

Kubernetes Example:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: development
rules:
- apiGroups: ["", "apps"]
  resources: ["pods", "deployments", "services"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]  # Read-only

For complete RBAC patterns including AWS IAM and OPA policies, see references/access-control-patterns.md.

Audit Logging

Standards: Structured JSON, 7-year retention, immutable storage

Required Events: Authentication, authorization, data access, administrative actions, security events

Python Example:

import json
import logging
from datetime import datetime


class AuditLogger:
    def __init__(self, logger=None):
        # Dedicated logger so audit records can be routed to immutable
        # storage separately from application logs
        self.logger = logger or logging.getLogger("audit")

    def log_event(self, event_type, user_id, resource_type,
                  resource_id, action, result, ip_address):
        # event_type is an Enum member; its value is what gets logged
        audit_event = {
            "timestamp": datetime.utcnow().isoformat() + "Z",
            "event_type": event_type.value,
            "user_id": user_id,
            "action": action,
            "result": result,
            "resource": {"type": resource_type, "id": resource_id},
            "source": {"ip": ip_address}
        }
        self.logger.info(json.dumps(audit_event))

Log Retention:

resource "aws_cloudwatch_log_group" "audit" {
  # CloudWatch only accepts fixed retention values; 2557 is the 7-year option
  retention_in_days = 2557
  kms_key_id        = aws_kms_key.logs.arn
}

# Requires object_lock_enabled = true on aws_s3_bucket.audit_logs
resource "aws_s3_bucket_object_lock_configuration" "audit" {
  bucket = aws_s3_bucket.audit_logs.id
  rule {
    default_retention {
      mode  = "COMPLIANCE"  # retention cannot be shortened or removed by any user
      years = 7
    }
  }
}

For complete audit logging patterns including HIPAA PHI access logging, see references/audit-logging-patterns.md.

Evidence Collection Automation

Continuous Monitoring

Automate evidence collection for continuous compliance validation.

Architecture:

AWS Config → EventBridge → Lambda → S3 (Evidence)
                                   → DynamoDB (Status)

Evidence Collection:

from datetime import datetime


class EvidenceCollector:
    def collect_encryption_evidence(self):
        evidence = {
            "control_id": "ENC-001",
            "frameworks": ["SOC2-CC6.1", "HIPAA-164.312(a)(2)(iv)"],
            "timestamp": datetime.utcnow().isoformat(),
            "status": "PASS",
            "findings": []
        }
        # Check S3, RDS, EBS encryption status
        # Document findings
        return evidence

For complete evidence collector, see examples/evidence-collection/evidence_collector.py.

Audit Report Generation

Generate compliance reports automatically:

class AuditReportGenerator:
    def generate_soc2_report(self, start_date, end_date):
        controls = self.get_control_status("SOC2")
        return {
            "framework": "SOC 2 Type II",
            "compliance_score": self.calculate_score(controls),
            "trust_services_criteria": {...},
            "controls": self.format_controls(controls)
        }

For complete report generator, see examples/evidence-collection/report_generator.py.

Control Mapping Matrix

Unified control mapping across frameworks:

Control               | SOC 2 | HIPAA                  | PCI-DSS   | GDPR   | ISO 27001
MFA                   | CC6.1 | §164.312(d)            | Req 8.3   | Art 32 | A.9.4.2
Encryption at Rest    | CC6.1 | §164.312(a)(2)(iv)     | Req 3.4   | Art 32 | A.10.1.1
Encryption in Transit | CC6.1 | §164.312(e)(1)         | Req 4.1   | Art 32 | A.13.1.1
Audit Logging         | CC7.2 | §164.312(b)            | Req 10.2  | Art 30 | A.12.4.1
Access Reviews        | CC6.1 | §164.308(a)(3)(ii)(C)  | Req 8.2.4 | Art 32 | A.9.2.5
Vulnerability Scanning| CC7.1 | §164.308(a)(8)         | Req 11.2  | Art 32 | A.12.6.1
Incident Response     | CC7.3 | §164.308(a)(6)         | Req 12.10 | Art 33 | A.16.1.1

Strategy: Implement once with proper tagging, map to all applicable frameworks.

For complete control mapping with 45+ controls, see references/control-mapping-matrix.md.
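As an added example, not code from the skill, this rolls evidence records of the shape collect_encryption_evidence returns up into the per-framework report that generate_soc2_report sketches, using the unified control mapping above; the control IDs, mapping subset and evidence records are constructed for illustration.

```python
# Subset of the mapping matrix above: control ID -> framework -> requirement.
CONTROL_MAP = {
    "MFA-001": {"SOC2": "CC6.1", "HIPAA": "164.312(d)", "PCI-DSS": "8.3", "GDPR": "Art 32"},
    "ENC-001": {"SOC2": "CC6.1", "HIPAA": "164.312(a)(2)(iv)", "PCI-DSS": "3.4", "GDPR": "Art 32"},
    "ENC-002": {"SOC2": "CC6.1", "HIPAA": "164.312(e)(1)", "PCI-DSS": "4.1", "GDPR": "Art 32"},
    "LOG-001": {"SOC2": "CC7.2", "HIPAA": "164.312(b)", "PCI-DSS": "10.2", "GDPR": "Art 30"},
    "IR-001": {"SOC2": "CC7.3", "HIPAA": "164.308(a)(6)", "PCI-DSS": "12.10", "GDPR": "Art 33"},
}

# Constructed evidence records (same shape as collect_encryption_evidence()).
EVIDENCE = [
    {"control_id": "MFA-001", "timestamp": "2025-06-01T00:00:00", "status": "PASS", "findings": []},
    {"control_id": "ENC-001", "timestamp": "2025-06-01T00:00:00", "status": "PASS", "findings": []},
    {"control_id": "ENC-001", "timestamp": "2025-06-02T00:00:00", "status": "FAIL",
     "findings": ["aws_db_instance.main: storage_encrypted is not true"]},
    {"control_id": "LOG-001", "timestamp": "2025-06-01T00:00:00", "status": "PASS", "findings": []},
]

def latest_evidence(evidence):
    """Newest record per control wins (ISO-8601 timestamps sort lexically)."""
    latest = {}
    for record in sorted(evidence, key=lambda r: r["timestamp"]):
        latest[record["control_id"]] = record
    return latest

def framework_report(framework, evidence, control_map=CONTROL_MAP):
    """Score = passing controls / controls mapped to the framework.
    A control with no evidence is UNKNOWN and counts as a gap, never as a pass."""
    latest = latest_evidence(evidence)
    in_scope = {cid: refs[framework] for cid, refs in control_map.items() if framework in refs}
    passed, gaps = 0, []
    for cid, requirement in in_scope.items():
        record = latest.get(cid)
        status = record["status"] if record else "UNKNOWN"
        if status == "PASS":
            passed += 1
        else:
            gaps.append({"control_id": cid, "requirement": requirement, "status": status,
                         "findings": record["findings"] if record else []})
    score = round(100.0 * passed / len(in_scope), 1) if in_scope else 0.0
    return {"framework": framework, "controls_in_scope": len(in_scope),
            "compliance_score": score, "gaps": gaps}
```

The gaps list is what an auditor actually asks for: each entry names the control, the framework requirement it maps to, and the findings behind the failure.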

Breach Notification Requirements

Framework-Specific Timelines:

  • HIPAA: 60 days to HHS and affected individuals
  • GDPR: 48 hours to supervisory authority (2025 update)
  • SOC 2: 72 hours to affected customers
  • PCI-DSS: Immediate to payment brands

Required Elements:

  • Description of incident and data involved
  • Estimated number of affected individuals
  • Steps taken to mitigate harm
  • Contact information for questions
  • Remediation actions and timeline

For incident response templates, see references/incident-response-templates.md.

Vendor Management

Business Associate Agreements (HIPAA):

  • Required for all vendors handling PHI
  • Specify permitted uses and disclosures
  • Require appropriate safeguards
  • Annual review and renewal

Data Processing Agreements (GDPR):

  • Required for all vendors processing personal data
  • Process only on controller instructions
  • Implement appropriate technical measures
  • Sub-processor approval required

Assessment Process:

  1. Risk classification by data access level
  2. Security questionnaire evaluation
  3. BAA/DPA execution
  4. SOC 2 report collection (≤90 days old)
  5. Annual re-assessment

For vendor management templates, see references/vendor-management.md.

Tools & Libraries

Policy as Code:

  • Open Policy Agent (OPA): General-purpose policy engine
  • Checkov: IaC security scanning with compliance frameworks
  • tfsec: Terraform security scanner
  • Trivy: Container and IaC scanner

Compliance Automation:

  • AWS Config: AWS resource compliance monitoring
  • Cloud Custodian: Multi-cloud compliance automation
  • Drata/Vanta/Secureframe: Continuous compliance platforms

For tool selection guidance, see references/tool-recommendations.md.

Integration with Other Skills

Related Skills:

  • security-hardening: Technical security control implementation
  • secret-management: Secrets handling per HIPAA/PCI-DSS
  • infrastructure-as-code: IaC implementing compliance controls
  • kubernetes-operations: K8s RBAC, network policies
  • building-ci-pipelines: Policy enforcement in CI/CD
  • siem-logging: Audit logging and monitoring
  • incident-management: Incident response procedures

Quick Reference

Implementation Checklist:

  • Identify applicable frameworks
  • Implement encryption (AES-256, TLS 1.3)
  • Configure MFA for privileged access
  • Implement RBAC with least privilege
  • Set up audit logging (7-year retention)
  • Configure security monitoring/alerting
  • Create incident response plan
  • Execute vendor agreements (BAAs, DPAs)
  • Implement policy-as-code (OPA, Checkov)
  • Automate evidence collection
  • Conduct quarterly access reviews
  • Perform annual risk assessments

Common Mistakes:

  • Treating compliance as one-time project vs continuous process
  • Implementing per-framework vs unified controls
  • Manual evidence collection vs automation
  • Insufficient log retention (<7 years)
  • Missing MFA enforcement
  • Not encrypting backups/logs
  • Inadequate vendor due diligence

References

Framework Details:

  • references/soc2-controls.md - SOC 2 TSC control catalog
  • references/hipaa-safeguards.md - HIPAA safeguards
  • references/pci-dss-requirements.md - PCI-DSS 4.0 requirements
  • references/gdpr-articles.md - GDPR key articles

Implementation Patterns:

  • references/control-mapping-matrix.md - Unified control mapping
  • references/encryption-implementations.md - Encryption patterns
  • references/access-control-patterns.md - MFA, RBAC implementations
  • references/audit-logging-patterns.md - Logging requirements
  • references/incident-response-templates.md - IR procedures

Automation:

  • references/cicd-integration.md - OPA/Checkov CI/CD integration
  • references/compliance-testing.md - Automated test patterns
  • references/vendor-management.md - Vendor assessment templates
  • references/tool-recommendations.md - Tool selection guide

Code Examples:

  • examples/opa-policies/ - OPA policy examples
  • examples/terraform/ - Terraform control implementations
  • examples/evidence-collection/ - Evidence automation
  • examples/mfa-implementation.py - TOTP MFA implementation

Consult qualified legal counsel and auditors for legal interpretation and audit preparation.
