
implementing-compliance

This Claude Code skill implements continuous compliance with SOC 2, HIPAA, PCI-DSS, and GDPR through unified control mapping, policy-as-code enforcement, and automated evidence collection. Use it when building SaaS products requiring enterprise certifications, handling regulated data like healthcare or payment information, serving EU residents, or automating audit preparation across multiple compliance frameworks simultaneously.

Install in Claude Code:

```bash
git clone --depth 1 https://github.com/ancoleman/ai-design-components /tmp/implementing-compliance && cp -r /tmp/implementing-compliance/skills/implementing-compliance ~/.claude/skills/implementing-compliance
```

Then start a new Claude Code session; the skill loads automatically.

SKILL.md

# Compliance Frameworks

Implement continuous compliance with major regulatory frameworks through unified control mapping, policy-as-code enforcement, and automated evidence collection.

## Purpose

Modern compliance is a continuous engineering discipline requiring technical implementation of security controls. This skill provides patterns for SOC 2 Type II, HIPAA, PCI-DSS 4.0, and GDPR compliance using infrastructure-as-code, policy automation, and evidence collection. Focus on unified controls that satisfy multiple frameworks simultaneously to reduce implementation effort by 60-80%.

## When to Use

Invoke when:
- Building SaaS products requiring SOC 2 Type II for enterprise sales
- Handling healthcare data (PHI) requiring HIPAA compliance
- Processing payment cards requiring PCI-DSS validation
- Serving EU residents and processing personal data under GDPR
- Implementing security controls that satisfy multiple compliance frameworks
- Automating compliance evidence collection and audit preparation
- Enforcing compliance policies in CI/CD pipelines

## Framework Selection

### Tier 1: Trust & Security Certifications

**SOC 2 Type II**
- Audience: SaaS vendors, cloud service providers
- When required: Enterprise B2B sales, handling customer data
- Timeline: 6-12 month observation period
- 2025 updates: Monthly control testing, AI governance, 72-hour breach disclosure

**ISO 27001**
- Audience: Global enterprises
- When required: International business, government contracts
- Timeline: 3-6 month certification, annual surveillance

### Tier 2: Industry-Specific Regulations

**HIPAA (Healthcare)**
- Audience: Healthcare providers, health tech handling PHI
- When required: Processing Protected Health Information
- 2025 focus: Zero Trust Architecture, EDR/XDR, AI assessments

**PCI-DSS 4.0 (Payment Card Industry)**
- Audience: Merchants, payment processors
- When required: Processing, storing, transmitting cardholder data
- Effective: April 1, 2025 (mandatory)
- Key changes: Client-side security, 12-char passwords, enhanced MFA

### Tier 3: Privacy Regulations

**GDPR (EU Privacy)**
- Audience: Organizations processing EU residents' data
- When required: EU customers/users (extraterritorial)
- 2025 updates: 48-hour breach reporting, 6% revenue fines, AI transparency

**CCPA/CPRA (California Privacy)**
- Audience: Businesses serving California residents
- When required: Revenue >$25M, or 100K+ CA residents, or 50%+ revenue from data sales

For detailed framework requirements, see references/soc2-controls.md, references/hipaa-safeguards.md, references/pci-dss-requirements.md, and references/gdpr-articles.md.

## Universal Control Implementation

### Unified Control Strategy

Implement each control once and map it to every framework it satisfies; this reduces implementation effort by 60-80%.

**Implementation Priority:**
1. **Encryption** (ENC-001, ENC-002): AES-256 at rest, TLS 1.3 in transit
2. **Access Control** (MFA-001, RBAC-001): MFA, RBAC, least privilege
3. **Audit Logging** (LOG-001): Centralized, immutable, 7-year retention
4. **Monitoring** (MON-001): SIEM, intrusion detection, alerting
5. **Incident Response** (IR-001): Detection, escalation, breach notification

### Control Categories

**Identity & Access:**
- Multi-factor authentication for privileged access
- Role-based access control with least privilege
- Quarterly access reviews
- Password policy: 12+ characters, complexity

**Data Protection:**
- Encryption: AES-256 (rest), TLS 1.3 (transit)
- Data classification and tagging
- Retention policies aligned with regulations
- Data minimization

**Logging & Monitoring:**
- Centralized audit logging (all auth and data access)
- 7-year retention (satisfies all frameworks)
- Immutable storage (S3 Object Lock)
- Real-time alerting

**Network Security:**
- Network segmentation and VPC isolation
- Firewalls with deny-by-default
- Intrusion detection/prevention
- Regular vulnerability scanning

**Incident Response:**
- Documented incident response plan
- Automated detection and alerting
- Breach notification: HIPAA 60d, GDPR 48h, SOC 2 72h, PCI-DSS immediate

**Business Continuity:**
- Automated backups with defined RPO/RTO
- Multi-region disaster recovery
- Regular failover testing

For complete control implementations, see references/control-mapping-matrix.md.

## Compliance as Code

### Policy Enforcement with OPA

Enforce compliance policies in CI/CD before infrastructure deployment.

**Architecture:**
```
Git Push → Terraform Plan → JSON → OPA Evaluation
                                    ├─► Pass → Deploy
                                    └─► Fail → Block
```

**Example: Encryption Policy**

Enforce encryption requirements (SOC 2 CC6.1, HIPAA §164.312(a)(2)(iv), PCI-DSS Req 3.4) as a deny rule evaluated against the Terraform plan JSON; any violation blocks the deploy.

See examples/opa-policies/encryption.rego for the complete implementation.

**CI/CD Integration:**
```bash
terraform plan -out=tfplan.binary
terraform show -json tfplan.binary > tfplan.json
opa eval --data policies/ --input tfplan.json 'data.compliance.main.deny'
```

For complete CI/CD patterns, see references/cicd-integration.md.

### Static Analysis with Checkov

Scan IaC with built-in compliance framework support:

```bash
checkov -d ./terraform \
  --check SOC2 --check HIPAA --check PCI --check GDPR \
  --output cli --output json
```

Create custom policies for organization-specific requirements. See examples/checkov-policies/ for examples.

### Automated Testing

Integrate compliance validation into test suites:

```python
import json
import subprocess


def test_s3_encrypted(terraform_plan):
    """SOC2:CC6.1, HIPAA:164.312(a)(2)(iv): every planned bucket is encrypted at rest.

    `terraform_plan` is a pytest fixture holding the parsed tfplan.json; the
    get_*/all_* helpers are the skill's test utilities and are not shown here.
    """
    buckets = get_resources(terraform_plan, "aws_s3_bucket")
    encrypted = get_encryption_configs(terraform_plan)
    assert all_buckets_encrypted(buckets, encrypted)


def test_opa_policies():
    # stdout must be captured (subprocess.run discards it by default), and
    # `opa eval` wraps the query result as {"result": [{"expressions": [{"value": ...}]}]}.
    result = subprocess.run(
        ["opa", "eval", "--data", "policies/",
         "--input", "tfplan.json", "data.compliance.main.deny"],
        capture_output=True, text=True, check=True)
    denials = json.loads(result.stdout)["result"][0]["expressions"][0]["value"]
    assert not denials, f"OPA policy violations: {denials}"
```
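
The following is an added example (not the skill's encryption.rego and not its test helpers) that implements the same S3 encryption control the OPA policy and `test_s3_encrypted` describe, evaluated in Python directly over the `terraform show -json` structure; the plan excerpt is constructed, and resolving a standalone SSE resource through the plan's configuration-section references is the approach assumed here because the `bucket` attribute is unknown at plan time.

```python
# Added example (not the skill's encryption.rego): the S3 encryption control
# evaluated directly over `terraform show -json` output, returning deny messages.
CONTROLS = "ENC-001 (SOC2:CC6.1, HIPAA:164.312(a)(2)(iv), PCI-DSS:3.4)"
SSE_TYPE = "aws_s3_bucket_server_side_encryption_configuration"

def encrypted_bucket_refs(plan):
    """Bucket addresses covered by a standalone SSE resource. Its `bucket`
    attribute is unknown (null) at plan time, so follow the reference recorded
    in the plan's configuration section rather than the planned value."""
    covered = set()
    resources = plan.get("configuration", {}).get("root_module", {}).get("resources", [])
    for res in resources:
        if res.get("type") != SSE_TYPE:
            continue
        for ref in res.get("expressions", {}).get("bucket", {}).get("references", []):
            parts = ref.split(".")  # "aws_s3_bucket.logs.id" -> bucket "logs"
            if len(parts) >= 2 and parts[0] == "aws_s3_bucket":
                covered.add(f"aws_s3_bucket.{parts[1]}")
    return covered

def deny(plan):
    """One message per unencrypted bucket; an empty list means the control passes."""
    covered = encrypted_bucket_refs(plan)
    messages = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_s3_bucket" or "delete" in rc["change"]["actions"]:
            continue
        after = rc["change"].get("after") or {}
        # Older AWS providers configure SSE through an inline block on the bucket.
        inline_sse = bool(after.get("server_side_encryption_configuration"))
        if not inline_sse and rc["address"] not in covered:
            messages.append(f"{rc['address']}: no server-side encryption, violates {CONTROLS}")
    return messages

# Constructed plan excerpt: `logs` is encrypted via a standalone resource, `uploads` is not.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "acme-logs"}}},
        {"address": "aws_s3_bucket.uploads", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "acme-uploads"}}},
        {"address": f"{SSE_TYPE}.logs", "type": SSE_TYPE,
         "change": {"actions": ["create"], "after": {"bucket": None}}},
    ],
    "configuration": {"root_module": {"resources": [
        {"address": f"{SSE_TYPE}.logs", "type": SSE_TYPE,
         "expressions": {"bucket": {"references": ["aws_s3_bucket.logs.id", "aws_s3_bucket.logs"]}}},
    ]}},
}
```

Running `deny(SAMPLE_PLAN)` flags only `aws_s3_bucket.uploads`; wiring the result into the CI step above is a matter of failing the job when the list is non-empty.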

For complete test patterns, see references/compliance-testing.md.
