{
  "schemaVersion": "1.0",
  "item": {
    "slug": "afrexai-compliance-engine",
    "name": "Compliance & Audit Readiness Engine",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/1kalin/afrexai-compliance-engine",
    "canonicalUrl": "https://clawhub.ai/1kalin/afrexai-compliance-engine",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/afrexai-compliance-engine",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-compliance-engine",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "README.md",
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/afrexai-compliance-engine"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/afrexai-compliance-engine",
    "agentPageUrl": "https://openagent3.xyz/skills/afrexai-compliance-engine/agent",
    "manifestUrl": "https://openagent3.xyz/skills/afrexai-compliance-engine/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/afrexai-compliance-engine/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Compliance & Audit Readiness Engine",
        "body": "Your AI compliance officer. Guides startups and scale-ups through SOC 2, ISO 27001, GDPR, HIPAA, and PCI DSS — from zero to audit-ready. No consultants needed."
      },
      {
        "title": "Framework Selection Matrix",
        "body": "Framework | Who Needs It | Trigger | Timeline | Cost Range\nSOC 2 Type I | Any B2B SaaS | Enterprise prospect asks | 3-6 months | $20K-$80K\nSOC 2 Type II | Established SaaS | After Type I, or direct | 6-12 months | $30K-$100K\nISO 27001 | Global/EU-facing SaaS | EU enterprise deals | 6-12 months | $40K-$120K\nGDPR | Anyone with EU users | Day 1 if EU data | 1-3 months | $5K-$30K\nHIPAA | Health data handlers | Before first PHI | 3-6 months | $20K-$60K\nPCI DSS | Payment processors | Before card data | 3-9 months | $15K-$50K\nSOX | Public companies | IPO prep | 12-18 months | $100K-$500K"
      },
      {
        "title": "Readiness Assessment Brief",
        "body": "company_profile:\n  name: \"\"\n  industry: \"\"\n  employee_count: 0\n  annual_revenue: \"\"\n  data_types_handled:\n    - PII (names, emails, addresses)\n    - Financial (payment cards, bank accounts)\n    - Health (PHI, medical records)\n    - Children (COPPA scope)\n    - Biometric\n    - Government/classified\n  customer_segments:\n    - SMB\n    - Mid-market\n    - Enterprise\n    - Government\n  geographic_scope:\n    - US only\n    - US + EU\n    - Global\n  current_state:\n    existing_frameworks: []\n    security_team_size: 0\n    has_written_policies: false\n    has_asset_inventory: false\n    has_risk_assessment: false\n    has_incident_response: false\n    has_vendor_management: false\n    previous_audits: []\n    known_gaps: []\n  drivers:\n    - Customer requirement\n    - Board/investor mandate\n    - Regulatory obligation\n    - Competitive advantage\n    - Insurance requirement\n  target_frameworks: []\n  target_date: \"\"\n  budget_range: \"\""
      },
      {
        "title": "Priority Decision Rules",
        "body": "Customer asking for SOC 2? → Start there (most requested in B2B SaaS)\nEU customers? → GDPR is non-negotiable, do it alongside SOC 2\nHealth data? → HIPAA first, then layer SOC 2\nPayment data? → PCI DSS is legally required, do immediately\nMultiple frameworks? → Map common controls (40-60% overlap between SOC 2 and ISO 27001)"
      },
      {
        "title": "Trust Service Criteria (TSC)",
        "body": "SOC 2 is built on 5 categories. Security is mandatory. Others are optional but often expected.\n\nCC1 — Control Environment (Foundation)\n\nBoard/management oversight of security\n Organizational structure with clear security roles\n Code of conduct / acceptable use policy\n HR processes (background checks, onboarding, offboarding)\n Performance evaluations include security responsibilities\n\nCC2 — Communication & Information\n\nSecurity policies documented and accessible to all employees\n External communication channels for security (status page, security@)\n Whistleblower / anonymous reporting mechanism\n Security awareness training program (annual + onboarding)\n System description document maintained\n\nCC3 — Risk Assessment\n\nAnnual risk assessment process documented\n Risk register maintained with likelihood × impact scoring\n Risk treatment plans for high/critical risks\n Risk appetite statement approved by management\n Changes in business/technology trigger risk re-assessment\n\nCC4 — Monitoring Activities\n\nContinuous monitoring of controls (not just annual)\n Internal audit or self-assessment program\n Deficiency tracking and remediation\n Management review of monitoring results\n Penetration testing (annual minimum)\n\nCC5 — Control Activities\n\nLogical access controls (RBAC, least privilege)\n Physical access controls (offices, data centers)\n Change management process\n System development lifecycle (SDLC)\n Data backup and recovery procedures\n\nCC6 — Logical & Physical Access\n\nUser provisioning and deprovisioning process\n MFA enforced on all critical systems\n Password policy (12+ chars, complexity, rotation)\n Access reviews (quarterly minimum)\n Physical access logs for sensitive areas\n Encryption at rest (AES-256) and in transit (TLS 1.2+)\n Firewall rules reviewed quarterly\n VPN or zero-trust network access\n\nCC7 — System Operations\n\nMonitoring and alerting (uptime, errors, security events)\n Incident detection and response procedures\n Vulnerability management (scan weekly, patch critical <72h)\n Anti-malware / endpoint protection\n Capacity planning and performance monitoring\n\nCC8 — Change Management\n\nFormal change request and approval process\n Separation of duties (dev ≠ prod deploy)\n Testing before production deployment\n Rollback procedures documented\n Emergency change process with post-hoc approval\n\nCC9 — Risk Mitigation (Vendors)\n\nVendor risk assessment before onboarding\n Vendor inventory with criticality ratings\n Annual vendor reviews\n BAAs / DPAs with sub-processors\n Vendor offboarding process"
      },
      {
        "title": "Additional Criteria",
        "body": "Availability (A1):\n\nSLAs defined and monitored\n Disaster recovery plan tested annually\n Business continuity plan documented\n RTO/RPO defined for critical systems\n Redundancy for critical infrastructure\n\nConfidentiality (C1):\n\nData classification scheme (Public, Internal, Confidential, Restricted)\n Handling procedures per classification level\n Confidentiality agreements (NDA) with employees and vendors\n Data retention and disposal policies\n DLP controls for sensitive data\n\nProcessing Integrity (PI1):\n\nInput validation controls\n Processing completeness and accuracy checks\n Output reconciliation procedures\n Error handling and correction processes\n\nPrivacy (P1):\n\nPrivacy notice published\n Consent mechanisms for data collection\n Data subject rights procedures (access, deletion, portability)\n Privacy impact assessments for new features\n Data breach notification procedures"
      },
      {
        "title": "SOC 2 Project Plan (16-Week Sprint)",
        "body": "Week | Phase | Key Activities\n1-2 | Scoping | Define system boundaries, select TSC, choose auditor\n3-4 | Gap Assessment | Audit current state against TSC, document gaps\n5-6 | Policy Writing | Draft all required policies (see policy list below)\n7-8 | Control Implementation | Deploy technical controls, configure tools\n9-10 | Process Implementation | Establish operational processes, train team\n11-12 | Evidence Collection | Gather evidence for all controls, test internally\n13-14 | Readiness Assessment | Mock audit, remediate findings\n15-16 | Type I Audit | Auditor fieldwork, management response, report"
      },
      {
        "title": "Required Policy Documents",
        "body": "Information Security Policy — Master policy, scope, objectives\nAccess Control Policy — Authentication, authorization, reviews\nChange Management Policy — SDLC, deployment, emergency changes\nIncident Response Policy — Detection, response, notification\nRisk Management Policy — Assessment methodology, treatment, appetite\nData Classification Policy — Levels, handling, retention, disposal\nAcceptable Use Policy — Employee responsibilities, prohibited actions\nVendor Management Policy — Assessment, monitoring, offboarding\nBusiness Continuity / DR Policy — Plans, testing, RTO/RPO\nHR Security Policy — Background checks, onboarding, offboarding, training\nEncryption Policy — Standards, key management, certificate handling\nPhysical Security Policy — Office access, visitor management, clean desk\nLogging & Monitoring Policy — What to log, retention, alerting\nPassword & Authentication Policy — Standards, MFA requirements\nBackup & Recovery Policy — Schedule, testing, retention"
      },
      {
        "title": "Policy Template",
        "body": "# [Policy Name]\n\n**Version:** 1.0\n**Owner:** [Name, Title]\n**Approved by:** [Name, Title]\n**Effective date:** [Date]\n**Next review:** [Date + 1 year]\n**Classification:** Internal\n\n## 1. Purpose\n[Why this policy exists — 2-3 sentences]\n\n## 2. Scope\n[Who and what this policy applies to]\n\n## 3. Policy Statements\n[Numbered, actionable requirements — not aspirational]\n\n### 3.1 [Topic]\n- SHALL [requirement]\n- SHALL NOT [prohibition]\n- SHOULD [recommendation]\n\n## 4. Roles & Responsibilities\n| Role | Responsibility |\n|------|---------------|\n| [Role] | [What they must do] |\n\n## 5. Exceptions\n[Process for requesting exceptions — who approves, how long, documentation]\n\n## 6. Enforcement\n[Consequences of non-compliance]\n\n## 7. Definitions\n[Technical terms used in the policy]\n\n## 8. Related Documents\n[Links to related policies, standards, procedures]\n\n## 9. Revision History\n| Version | Date | Author | Changes |\n|---------|------|--------|---------|\n| 1.0 | [Date] | [Author] | Initial release |"
      },
      {
        "title": "ISMS Implementation Roadmap",
        "body": "Clause 4 — Context of the Organization\n\nDefine ISMS scope and boundaries\n Identify interested parties and their requirements\n Determine internal and external issues\n Document scope statement\n\nClause 5 — Leadership\n\nManagement commitment statement\n Information security policy (signed by CEO/CTO)\n Assign ISMS roles and responsibilities\n Allocate resources (budget, people, tools)\n\nClause 6 — Planning\n\nRisk assessment methodology (ISO 27005 or custom)\n Risk assessment execution\n Risk treatment plan\n Statement of Applicability (SoA) — map all 93 Annex A controls\n Information security objectives (measurable, time-bound)\n\nClause 7 — Support\n\nDetermine required competencies\n Security awareness program\n Internal and external communication plan\n Document control process\n\nClause 8 — Operation\n\nExecute risk treatment plan\n Implement controls from SoA\n Manage operational changes\n Conduct risk assessments on changes\n\nClause 9 — Performance Evaluation\n\nMonitoring and measurement program\n Internal audit schedule and execution\n Management review (at least annually)\n Corrective action tracking\n\nClause 10 — Improvement\n\nNonconformity and corrective action process\n Continual improvement program\n Lessons learned integration"
      },
      {
        "title": "ISO 27001:2022 Annex A Control Categories",
        "body": "Category | Controls | Key Areas\nA.5 Organizational | 37 | Policies, roles, threat intel, asset mgmt, access, supplier\nA.6 People | 8 | Screening, T&C, awareness, disciplinary, termination\nA.7 Physical | 14 | Perimeters, entry, offices, monitoring, utilities, cabling\nA.8 Technological | 34 | Endpoints, access rights, auth, malware, vuln mgmt, logging, crypto, SDLC"
      },
      {
        "title": "SOC 2 ↔ ISO 27001 Control Mapping (Save 40-60% effort)",
        "body": "SOC 2 TSC | ISO 27001 Annex A | Overlap\nCC1 Control Environment | A.5.1-5.6 (Org controls) | ~80%\nCC2 Communication | A.5.1, A.6.3 (Awareness) | ~70%\nCC3 Risk Assessment | Clause 6.1, A.5.7 (Threat intel) | ~90%\nCC5 Control Activities | A.8 (Technological) | ~75%\nCC6 Access | A.5.15-5.18, A.8.1-8.5 | ~85%\nCC7 Operations | A.8.7-8.16 (Monitoring) | ~80%\nCC8 Change Mgmt | A.8.25-8.33 (SDLC) | ~70%\nCC9 Vendors | A.5.19-5.23 (Supplier) | ~85%\n\nStrategy: Build for one framework, extend to the other. SOC 2 first (faster) → ISO 27001 (adds clauses 4-10 management system)."
      },
      {
        "title": "12 Core Requirements",
        "body": "Lawful Basis for Processing — Document legal basis for each data processing activity\n\nConsent | Contract | Legal obligation | Vital interest | Public task | Legitimate interest\n Data processing register (Article 30)\n Legitimate Interest Assessments (LIAs) where applicable\n\n\n\nData Subject Rights — Respond within 30 days\n\n Right of access (SAR) process\n Right to rectification\n Right to erasure (\"right to be forgotten\")\n Right to data portability (machine-readable export)\n Right to restrict processing\n Right to object\n Automated decision-making opt-out\n\n\n\nPrivacy by Design & Default — Build privacy into products\n\n Privacy Impact Assessment (PIA/DPIA) template\n Data minimization review for each feature\n Default privacy settings (opt-in, not opt-out)\n\n\n\nData Protection Officer (DPO) — Required if:\n\nPublic authority, OR\nLarge-scale systematic monitoring, OR\nLarge-scale processing of special category data\n\n\n\nConsent Management\n\n Granular consent mechanisms (not bundled)\n Easy withdrawal (as easy as giving consent)\n Consent records with timestamp, version, scope\n Cookie consent banner (ePrivacy)\n\n\n\nData Processing Agreements (DPAs)\n\n DPA template for sub-processors\n Article 28 requirements checklist\n Sub-processor notification process\n Sub-processor register\n\n\n\nInternational Transfers\n\n Transfer mechanism (SCCs, adequacy decision, BCRs)\n Transfer Impact Assessment\n Supplementary measures where needed\n\n\n\nBreach Notification\n\n 72-hour notification to supervisory authority\n \"Undue delay\" notification to affected individuals\n Breach register with risk assessment\n Breach response team and escalation path\n\n\n\nRecords of Processing Activities (ROPA)\n\nprocessing_activity:\n  name: \"\"\n  purpose: \"\"\n  lawful_basis: \"\"\n  data_categories: []\n  data_subjects: []\n  recipients: []\n  retention_period: \"\"\n  transfers_outside_eea: false\n  transfer_mechanism: \"\"\n  technical_measures: []\n  organizational_measures: []\n  dpia_required: false\n  last_reviewed: \"\"\n\nPrivacy Notice — Must include:\n\nIdentity of controller\nDPO contact (if applicable)\nPurposes and lawful basis\nCategories of data\nRecipients / transfers\nRetention periods\nData subject rights\nRight to complain to supervisory authority\nWhether providing data is statutory/contractual requirement\n\n\n\nData Retention Schedule\n\nData Type | Retention Period | Legal Basis | Disposal Method\nCustomer PII | Duration + 3 years | Contract + legitimate interest | Automated deletion\nEmployee records | Duration + 7 years | Legal obligation | Secure shred\nFinancial records | 7 years | Legal obligation | Secure shred\nServer logs | 90 days | Legitimate interest | Automated rotation\nMarketing consent | Until withdrawn | Consent | Database purge\nSupport tickets | 2 years after resolution | Legitimate interest | Automated deletion\n\nTraining & Awareness\n\n Mandatory GDPR training for all employees (annual)\n Role-specific training (developers, support, marketing, HR)\n Training records with completion tracking"
      },
      {
        "title": "HIPAA Security Rule — 3 Safeguard Categories",
        "body": "Administrative Safeguards\n\nSecurity Management Process (risk analysis, risk management)\n Assigned Security Responsibility (HIPAA Security Officer)\n Workforce Security (authorization, clearance, termination)\n Information Access Management (access authorization, establishment, modification)\n Security Awareness Training (reminders, malware, login monitoring, password mgmt)\n Security Incident Procedures (response, reporting)\n Contingency Plan (backup, DR, emergency mode, testing)\n Evaluation (periodic technical/non-technical)\n BAAs with all business associates\n\nPhysical Safeguards\n\nFacility Access Controls (contingency ops, facility security plan, access control, maintenance records)\n Workstation Use (policies, restrictions)\n Workstation Security (physical safeguards)\n Device and Media Controls (disposal, re-use, accountability, data backup)\n\nTechnical Safeguards\n\nAccess Control (unique user ID, emergency access, automatic logoff, encryption)\n Audit Controls (hardware, software, procedural mechanisms)\n Integrity Controls (authentication of ePHI, transmission security)\n Person or Entity Authentication (verify identity)\n Transmission Security (integrity controls, encryption)"
      },
      {
        "title": "HIPAA Breach Rule",
        "body": "≤500 individuals: Annual batch notification to HHS (within 60 days of year end)\n>500 individuals: Notify HHS within 60 days + media notification\nAll breaches: Notify affected individuals without unreasonable delay (≤60 days)\nPenalties: $100-$50,000 per violation, up to $1.5M per year per category"
      },
      {
        "title": "12 Requirements Summary",
        "body": "# | Requirement | Key Controls\n1 | Install/maintain network security controls | Firewalls, network segmentation\n2 | Apply secure configurations | No vendor defaults, CIS benchmarks\n3 | Protect stored account data | Encryption, masking, key mgmt\n4 | Encrypt transmission over open networks | TLS 1.2+, no SSL/early TLS\n5 | Protect from malicious software | Anti-malware, regular updates\n6 | Develop secure systems | SDLC, vuln mgmt, WAF\n7 | Restrict access by business need | RBAC, least privilege\n8 | Identify users and authenticate | MFA, password standards\n9 | Restrict physical access | Badges, cameras, visitor logs\n10 | Log and monitor all access | Centralized logging, review\n11 | Test security regularly | Vuln scans, pen tests, IDS\n12 | Support security with policies | Policies, training, incident response"
      },
      {
        "title": "Scope Reduction Strategy",
        "body": "Use tokenization — Replace card data with tokens (Stripe, Braintree handle PCI for you)\nUse hosted payment pages — Never touch raw card data (SAQ A instead of SAQ D)\nNetwork segmentation — Isolate cardholder data environment\nCloud provider compliance — Leverage AWS/GCP/Azure PCI certifications\n\nSAQ Decision:\n\nFully outsourced (Stripe Checkout) → SAQ A (22 controls, simplest)\nAPI-based (Stripe Elements) → SAQ A-EP (~140 controls)\nYou store/process card data → SAQ D (300+ controls, avoid this)"
      },
      {
        "title": "Essential Tools by Category",
        "body": "CategoryBudget OptionMid-RangeEnterpriseGRC PlatformNotion/SheetsVanta, DrataServiceNow, OneTrustPolicy MgmtGoogle Docs + versioningVanta policiesHyperproofVulnerability ScanningOWASP ZAP, TrivyQualys, TenableRapid7SIEM/LoggingELK Stack, WazuhDatadog, Sumo LogicSplunkEndpoint ProtectionCrowdStrike Falcon GoSentinelOneCrowdStrike EnterpriseIdentity/AccessGoogle Workspace + OktaJumpCloudAzure AD P2TrainingKnowBe4 FreeKnowBe4ProofpointPen TestingHackerOne CommunityCobaltBishop FoxBackupNative cloud backupsVeeamCommvault"
      },
      {
        "title": "Automation-First Compliance",
        "body": "What to automate (saves 70%+ of audit prep):\n\nEvidence collection (screenshots of configs → API pulls)\nAccess reviews (quarterly manual → continuous monitoring)\nVulnerability scanning (manual → scheduled + auto-ticket)\nPolicy acknowledgment (email → onboarding workflow)\nVendor assessments (spreadsheets → intake forms with scoring)\nTraining tracking (manual → LMS with auto-reminders)"
      },
      {
        "title": "Compliance-as-Code Patterns",
        "body": "# Infrastructure compliance\n- Terraform with Sentinel policies (enforce encryption, tagging)\n- OPA/Rego for Kubernetes admission control\n- AWS Config Rules / Azure Policy for cloud compliance\n- GitHub branch protection rules as change management evidence\n\n# Application compliance\n- Automated dependency scanning in CI (Snyk, Dependabot)\n- SAST in PR pipeline (Semgrep, CodeQL)\n- Container scanning (Trivy, Grype)\n- License compliance (FOSSA, Licensee)"
      },
      {
        "title": "90-Day Audit Prep Checklist",
        "body": "Days 90-60: Foundation\n\nConfirm audit scope with auditor\n Complete system description document\n Verify all policies are current (reviewed within 12 months)\n Confirm all employees completed security training\n Run vulnerability scan and remediate critical/high findings\n Schedule penetration test (results needed before audit)\n\nDays 60-30: Evidence Gathering\n\nCollect evidence for each control (organized by TSC/clause)\n Access review documentation (screenshots of reviews, action items)\n Change management evidence (sample of tickets showing approval flow)\n Incident response test evidence (tabletop exercise minutes)\n DR test evidence (recovery test results, RTO achieved)\n Vendor review evidence (assessment records, DPAs)\n Risk assessment and treatment plan (current year)\n Board/management meeting minutes discussing security\n\nDays 30-0: Final Prep\n\nInternal mock audit — walk through every control\n Remediate any mock audit findings\n Brief team on auditor interviews (what to expect, who answers what)\n Prepare management assertion letter\n Set up auditor access (read-only to evidence repository)\n Confirm all monitoring/alerting is functioning\n Verify offboarding was completed for all departed employees"
      },
      {
        "title": "Evidence Organization",
        "body": "/compliance-evidence/\n  /SOC2-2026/\n    /CC1-control-environment/\n      org-chart.pdf\n      code-of-conduct-signed.pdf\n      background-check-process.pdf\n    /CC2-communication/\n      security-training-completion.csv\n      security-policy-acknowledgments.pdf\n    /CC3-risk-assessment/\n      risk-assessment-2026.xlsx\n      risk-treatment-plan.pdf\n    /CC6-access/\n      access-review-Q1.pdf\n      access-review-Q2.pdf\n      mfa-enforcement-screenshot.png\n      offboarding-checklist-samples/\n    /CC7-operations/\n      vulnerability-scan-reports/\n      pentest-report-2026.pdf\n      incident-log-2026.csv\n    /CC8-change-management/\n      sample-change-tickets/\n      deployment-pipeline-config.png\n    /CC9-vendors/\n      vendor-inventory.xlsx\n      vendor-assessments/\n      dpas-and-baas/"
      },
      {
        "title": "Auditor Interview Prep",
        "body": "Common questions and who should answer:\n\nQuestionBest RespondentKey Points\"Walk me through your risk assessment process\"CISO/Security LeadMethodology, frequency, treatment\"How do you manage access to production?\"Engineering LeadRBAC, approval flow, reviews\"Describe your change management process\"Engineering LeadPR review, testing, deployment\"How do you handle security incidents?\"Security LeadDetection, response, communication\"How do you evaluate vendors?\"Security/ProcurementAssessment, monitoring, contracts\"Describe your backup and recovery process\"Infrastructure LeadSchedule, testing, RTO/RPO\"How do you track and remediate vulnerabilities?\"Security LeadScanning, SLAs, patching\"Walk me through employee onboarding/offboarding\"HR + ITChecklist, timing, verification"
      },
      {
        "title": "Monthly Compliance Dashboard",
        "body": "compliance_dashboard:\n  month: \"\"\n  \n  control_health:\n    total_controls: 0\n    controls_passing: 0\n    controls_failing: 0\n    controls_not_tested: 0\n    health_percentage: 0\n    \n  action_items:\n    open: 0\n    overdue: 0\n    closed_this_month: 0\n    \n  key_metrics:\n    mean_time_to_patch_critical: \"\"\n    access_reviews_completed: \"X/X\"\n    security_training_completion: \"\"\n    incidents_this_month: 0\n    vendor_reviews_due: 0\n    policies_due_for_review: 0\n    \n  risk_register:\n    high_risks: 0\n    risks_without_treatment: 0\n    new_risks_identified: 0\n    \n  upcoming:\n    next_pen_test: \"\"\n    next_dr_test: \"\"\n    next_audit: \"\"\n    next_access_review: \"\""
      },
      {
        "title": "Compliance Calendar",
        "body": "Frequency | Activity\nWeekly | Review security alerts, patch critical vuln\nMonthly | Control testing sample, metrics dashboard, policy exception review\nQuarterly | Access reviews, vendor risk check, risk register update, tabletop exercise\nSemi-annual | Vulnerability scan (external), BCP/DR test, security training refresh\nAnnual | Full risk assessment, penetration test, policy review cycle, SOC 2/ISO audit, security awareness training, management review"
      },
      {
        "title": "Compliance Debt Tracker",
        "body": "compliance_debt:\n  - id: \"CD-001\"\n    framework: \"SOC 2\"\n    control: \"CC6.1\"\n    finding: \"MFA not enforced on staging environment\"\n    severity: \"High\"\n    identified: \"2026-01-15\"\n    owner: \"\"\n    target_remediation: \"2026-02-15\"\n    status: \"In Progress\"\n    compensating_control: \"VPN + IP allowlisting\""
      },
      {
        "title": "When Controls Fail",
        "body": "Severity-based response:\n\nSeverity | Response Time | Actions\nCritical | 24 hours | Immediate remediation, notify management, consider if breach occurred\nHigh | 7 days | Remediation plan, compensating control if needed, risk acceptance by CISO\nMedium | 30 days | Add to sprint, track in compliance debt\nLow | 90 days | Batch with next review cycle"
      },
      {
        "title": "Common Control Framework (CCF)",
        "body": "Build controls ONCE, map to MULTIPLE frameworks:\n\ncontrol:\n  id: \"CCF-AC-001\"\n  title: \"Multi-Factor Authentication\"\n  description: \"MFA required for all access to production systems and sensitive data\"\n  owner: \"Security Team\"\n  \n  framework_mapping:\n    soc2: [\"CC6.1\", \"CC6.6\"]\n    iso27001: [\"A.8.5\"]\n    gdpr: [\"Article 32\"]\n    hipaa: [\"§164.312(d)\"]\n    pci_dss: [\"Req 8.4\"]\n    \n  evidence:\n    - type: \"Configuration screenshot\"\n      source: \"Okta MFA policy\"\n      frequency: \"Quarterly\"\n    - type: \"Access review\"\n      source: \"Okta user report\"\n      frequency: \"Quarterly\"\n      \n  test_procedure: \"Verify MFA policy is enforced, test with non-MFA login attempt\"\n  last_tested: \"\"\n  result: \"\"\n  next_test: \"\""
      },
      {
        "title": "Framework Expansion Strategy",
        "body": "Year 1: SOC 2 Type I → establishes baseline\nYear 1-2: SOC 2 Type II → proves sustained operation\nYear 2: + GDPR → covers EU expansion\nYear 2-3: + ISO 27001 → international credibility\nAs needed: + HIPAA / PCI DSS → industry-specific"
      },
      {
        "title": "Audit Fatigue Prevention",
        "body": "Single evidence repository — collect once, map to all frameworks\nContinuous monitoring — evidence auto-collected, not scrambled at audit time\nControl owner accountability — each control has ONE owner, not \"security team\"\nCompliance sprints — 2-week sprints dedicated to compliance work, not crammed before audit\nAuditor relationship — same firm for multiple frameworks if possible (they know your environment)"
      },
      {
        "title": "Compliance Readiness Score (0-100)",
        "body": "DimensionWeightScore 0-10Policy Coverage — All required policies exist, reviewed, approved15%Technical Controls — Security tools deployed and configured20%Process Maturity — Operational processes followed consistently20%Evidence Quality — Complete, organized, recent evidence15%Training & Awareness — All employees trained, records maintained10%Vendor Management — All critical vendors assessed and contracted10%Risk Management — Current assessment, treatment plans, monitoring10%\n\nScoring guide:\n\n0-2: Not started / major gaps\n3-4: In progress / significant gaps\n5-6: Partially implemented / some gaps\n7-8: Implemented / minor improvements needed\n9-10: Mature / audit-ready\n\nInterpretation:\n\n< 40: Not ready — significant work needed (3-6 months)\n40-60: Getting there — focus on gaps (1-3 months)\n60-80: Nearly ready — polish and evidence gathering (2-6 weeks)\n80+: Audit-ready — schedule the audit"
      },
      {
        "title": "Startup with Zero Compliance",
        "body": "Start with security basics (MFA, encryption, access control, backups) before any framework\nUse a GRC platform from Day 1 (Vanta/Drata cost $10-15K/yr but save 100+ hours)\nDon't wait for perfect — \"documented and improving\" beats \"undocumented and perfect\"\nBudget $20-40K for first SOC 2 Type I (auditor + tools + time)"
      },
      {
        "title": "Multi-Cloud / Hybrid Infrastructure",
        "body": "Map shared responsibility model for each provider\nEnsure consistent controls across environments\nConsider cloud-specific compliance tools (AWS Audit Manager, Azure Compliance Manager)\nNetwork segmentation especially important"
      },
      {
        "title": "Acquired Company Integration",
        "body": "Conduct compliance gap assessment within 30 days of close\nIdentify highest-risk gaps (access control, data handling)\n90-day integration plan to bring to baseline\nDon't assume their compliance posture matches claims"
      },
      {
        "title": "International (Multi-Jurisdiction)",
        "body": "Map all jurisdictions where you operate or store data\nGDPR applies if you have EU users — not just EU office\nData residency requirements (Russia, China, India, Brazil)\nConsider local DPA registrations"
      },
      {
        "title": "Regulated Industries (FinTech, HealthTech)",
        "body": "Layer industry regulations ON TOP of SOC 2/ISO\nFinTech: SOC 2 + PCI DSS + potentially banking regs (state MTLs, FinCEN)\nHealthTech: SOC 2 + HIPAA + potentially FDA (SaMD)\nEdTech: SOC 2 + FERPA + COPPA (if under 13)"
      },
      {
        "title": "Natural Language Commands",
        "body": "Command\tWhat It Does\n\"Assess our compliance readiness\"\tRun readiness assessment, score, identify gaps\n\"Create SOC 2 project plan\"\tGenerate 16-week implementation timeline\n\"Write [policy name] policy\"\tGenerate policy from template with your context\n\"Map controls across frameworks\"\tBuild common control framework mapping\n\"Prepare for audit\"\tGenerate 90-day audit prep checklist with evidence needs\n\"Review our GDPR compliance\"\tCheck all 12 GDPR requirements against current state\n\"Score our compliance posture\"\tRun 7-dimension scoring rubric\n\"Generate evidence checklist\"\tList all evidence needed for specific framework\n\"Build vendor assessment\"\tCreate vendor risk assessment for a specific vendor\n\"Plan framework expansion\"\tRecommend next framework based on business needs\n\"Track compliance debt\"\tReview and prioritize open compliance items\n\"Run monthly compliance review\"\tUpdate dashboard, check deadlines, identify actions"
      }
    ],
    "body": "Compliance & Audit Readiness Engine\n\nYour AI compliance officer. Guides startups and scale-ups through SOC 2, ISO 27001, GDPR, HIPAA, and PCI DSS — from zero to audit-ready. No consultants needed.\n\nPhase 1 — Compliance Discovery\nFramework Selection Matrix\nFramework\tWho Needs It\tTrigger\tTimeline\tCost Range\nSOC 2 Type I\tAny B2B SaaS\tEnterprise prospect asks\t3-6 months\t$20K-$80K\nSOC 2 Type II\tEstablished SaaS\tAfter Type I, or direct\t6-12 months\t$30K-$100K\nISO 27001\tGlobal/EU-facing SaaS\tEU enterprise deals\t6-12 months\t$40K-$120K\nGDPR\tAnyone with EU users\tDay 1 if EU data\t1-3 months\t$5K-$30K\nHIPAA\tHealth data handlers\tBefore first PHI\t3-6 months\t$20K-$60K\nPCI DSS\tPayment processors\tBefore card data\t3-9 months\t$15K-$50K\nSOX\tPublic companies\tIPO prep\t12-18 months\t$100K-$500K\nReadiness Assessment Brief\ncompany_profile:\n  name: \"\"\n  industry: \"\"\n  employee_count: 0\n  annual_revenue: \"\"\n  data_types_handled:\n    - PII (names, emails, addresses)\n    - Financial (payment cards, bank accounts)\n    - Health (PHI, medical records)\n    - Children (COPPA scope)\n    - Biometric\n    - Government/classified\n  customer_segments:\n    - SMB\n    - Mid-market\n    - Enterprise\n    - Government\n  geographic_scope:\n    - US only\n    - US + EU\n    - Global\n  current_state:\n    existing_frameworks: []\n    security_team_size: 0\n    has_written_policies: false\n    has_asset_inventory: false\n    has_risk_assessment: false\n    has_incident_response: false\n    has_vendor_management: false\n    previous_audits: []\n    known_gaps: []\n  drivers:\n    - Customer requirement\n    - Board/investor mandate\n    - Regulatory obligation\n    - Competitive advantage\n    - Insurance requirement\n  target_frameworks: []\n  target_date: \"\"\n  budget_range: \"\"\n\nPriority Decision Rules\nCustomer asking for SOC 2? → Start there (most requested in B2B SaaS)\nEU customers? 
→ GDPR is non-negotiable, do it alongside SOC 2\nHealth data? → HIPAA first, then layer SOC 2\nPayment data? → PCI DSS is legally required, do immediately\nMultiple frameworks? → Map common controls (40-60% overlap between SOC 2 and ISO 27001)\nPhase 2 — SOC 2 Deep Dive\nTrust Service Criteria (TSC)\n\nSOC 2 is built on 5 categories. Security is mandatory. Others are optional but often expected.\n\nCC1 — Control Environment (Foundation)\n Board/management oversight of security\n Organizational structure with clear security roles\n Code of conduct / acceptable use policy\n HR processes (background checks, onboarding, offboarding)\n Performance evaluations include security responsibilities\nCC2 — Communication & Information\n Security policies documented and accessible to all employees\n External communication channels for security (status page, security@)\n Whistleblower / anonymous reporting mechanism\n Security awareness training program (annual + onboarding)\n System description document maintained\nCC3 — Risk Assessment\n Annual risk assessment process documented\n Risk register maintained with likelihood × impact scoring\n Risk treatment plans for high/critical risks\n Risk appetite statement approved by management\n Changes in business/technology trigger risk re-assessment\nCC4 — Monitoring Activities\n Continuous monitoring of controls (not just annual)\n Internal audit or self-assessment program\n Deficiency tracking and remediation\n Management review of monitoring results\n Penetration testing (annual minimum)\nCC5 — Control Activities\n Logical access controls (RBAC, least privilege)\n Physical access controls (offices, data centers)\n Change management process\n System development lifecycle (SDLC)\n Data backup and recovery procedures\nCC6 — Logical & Physical Access\n User provisioning and deprovisioning process\n MFA enforced on all critical systems\n Password policy (12+ chars, complexity, rotation)\n Access reviews (quarterly minimum)\n Physical 
access logs for sensitive areas\n Encryption at rest (AES-256) and in transit (TLS 1.2+)\n Firewall rules reviewed quarterly\n VPN or zero-trust network access\nCC7 — System Operations\n Monitoring and alerting (uptime, errors, security events)\n Incident detection and response procedures\n Vulnerability management (scan weekly, patch critical <72h)\n Anti-malware / endpoint protection\n Capacity planning and performance monitoring\nCC8 — Change Management\n Formal change request and approval process\n Separation of duties (dev ≠ prod deploy)\n Testing before production deployment\n Rollback procedures documented\n Emergency change process with post-hoc approval\nCC9 — Risk Mitigation (Vendors)\n Vendor risk assessment before onboarding\n Vendor inventory with criticality ratings\n Annual vendor reviews\n BAAs / DPAs with sub-processors\n Vendor offboarding process\nAdditional Criteria\n\nAvailability (A1):\n\n SLAs defined and monitored\n Disaster recovery plan tested annually\n Business continuity plan documented\n RTO/RPO defined for critical systems\n Redundancy for critical infrastructure\n\nConfidentiality (C1):\n\n Data classification scheme (Public, Internal, Confidential, Restricted)\n Handling procedures per classification level\n Confidentiality agreements (NDA) with employees and vendors\n Data retention and disposal policies\n DLP controls for sensitive data\n\nProcessing Integrity (PI1):\n\n Input validation controls\n Processing completeness and accuracy checks\n Output reconciliation procedures\n Error handling and correction processes\n\nPrivacy (P1):\n\n Privacy notice published\n Consent mechanisms for data collection\n Data subject rights procedures (access, deletion, portability)\n Privacy impact assessments for new features\n Data breach notification procedures\nSOC 2 Project Plan (16-Week Sprint)\nWeek\tPhase\tKey Activities\n1-2\tScoping\tDefine system boundaries, select TSC, choose auditor\n3-4\tGap Assessment\tAudit current state against 
TSC, document gaps\n5-6\tPolicy Writing\tDraft all required policies (see policy list below)\n7-8\tControl Implementation\tDeploy technical controls, configure tools\n9-10\tProcess Implementation\tEstablish operational processes, train team\n11-12\tEvidence Collection\tGather evidence for all controls, test internally\n13-14\tReadiness Assessment\tMock audit, remediate findings\n15-16\tType I Audit\tAuditor fieldwork, management response, report\nRequired Policy Documents\nInformation Security Policy — Master policy, scope, objectives\nAccess Control Policy — Authentication, authorization, reviews\nChange Management Policy — SDLC, deployment, emergency changes\nIncident Response Policy — Detection, response, notification\nRisk Management Policy — Assessment methodology, treatment, appetite\nData Classification Policy — Levels, handling, retention, disposal\nAcceptable Use Policy — Employee responsibilities, prohibited actions\nVendor Management Policy — Assessment, monitoring, offboarding\nBusiness Continuity / DR Policy — Plans, testing, RTO/RPO\nHR Security Policy — Background checks, onboarding, offboarding, training\nEncryption Policy — Standards, key management, certificate handling\nPhysical Security Policy — Office access, visitor management, clean desk\nLogging & Monitoring Policy — What to log, retention, alerting\nPassword & Authentication Policy — Standards, MFA requirements\nBackup & Recovery Policy — Schedule, testing, retention\nPolicy Template\n# [Policy Name]\n\n**Version:** 1.0\n**Owner:** [Name, Title]\n**Approved by:** [Name, Title]\n**Effective date:** [Date]\n**Next review:** [Date + 1 year]\n**Classification:** Internal\n\n## 1. Purpose\n[Why this policy exists — 2-3 sentences]\n\n## 2. Scope\n[Who and what this policy applies to]\n\n## 3. Policy Statements\n[Numbered, actionable requirements — not aspirational]\n\n### 3.1 [Topic]\n- SHALL [requirement]\n- SHALL NOT [prohibition]\n- SHOULD [recommendation]\n\n## 4. 
Roles & Responsibilities\n| Role | Responsibility |\n|------|---------------|\n| [Role] | [What they must do] |\n\n## 5. Exceptions\n[Process for requesting exceptions — who approves, how long, documentation]\n\n## 6. Enforcement\n[Consequences of non-compliance]\n\n## 7. Definitions\n[Technical terms used in the policy]\n\n## 8. Related Documents\n[Links to related policies, standards, procedures]\n\n## 9. Revision History\n| Version | Date | Author | Changes |\n|---------|------|--------|---------|\n| 1.0 | [Date] | [Author] | Initial release |\n\nPhase 3 — ISO 27001 Framework\nISMS Implementation Roadmap\nClause 4 — Context of the Organization\n Define ISMS scope and boundaries\n Identify interested parties and their requirements\n Determine internal and external issues\n Document scope statement\nClause 5 — Leadership\n Management commitment statement\n Information security policy (signed by CEO/CTO)\n Assign ISMS roles and responsibilities\n Allocate resources (budget, people, tools)\nClause 6 — Planning\n Risk assessment methodology (ISO 27005 or custom)\n Risk assessment execution\n Risk treatment plan\n Statement of Applicability (SoA) — map all 93 Annex A controls\n Information security objectives (measurable, time-bound)\nClause 7 — Support\n Determine required competencies\n Security awareness program\n Internal and external communication plan\n Document control process\nClause 8 — Operation\n Execute risk treatment plan\n Implement controls from SoA\n Manage operational changes\n Conduct risk assessments on changes\nClause 9 — Performance Evaluation\n Monitoring and measurement program\n Internal audit schedule and execution\n Management review (at least annually)\n Corrective action tracking\nClause 10 — Improvement\n Nonconformity and corrective action process\n Continual improvement program\n Lessons learned integration\nISO 27001:2022 Annex A Control Categories\nCategory\tControls\tKey Areas\nA.5 Organizational\t37\tPolicies, roles, threat intel, 
asset mgmt, access, supplier\nA.6 People\t8\tScreening, T&C, awareness, disciplinary, termination\nA.7 Physical\t14\tPerimeters, entry, offices, monitoring, utilities, cabling\nA.8 Technological\t34\tEndpoints, access rights, auth, malware, vuln mgmt, logging, crypto, SDLC\nSOC 2 ↔ ISO 27001 Control Mapping (Save 40-60% effort)\nSOC 2 TSC\tISO 27001 Annex A\tOverlap\nCC1 Control Environment\tA.5.1-5.6 (Org controls)\t~80%\nCC2 Communication\tA.5.1, A.6.3 (Awareness)\t~70%\nCC3 Risk Assessment\tClause 6.1, A.5.7 (Threat intel)\t~90%\nCC5 Control Activities\tA.8 (Technological)\t~75%\nCC6 Access\tA.5.15-5.18, A.8.1-8.5\t~85%\nCC7 Operations\tA.8.7-8.16 (Monitoring)\t~80%\nCC8 Change Mgmt\tA.8.25-8.33 (SDLC)\t~70%\nCC9 Vendors\tA.5.19-5.23 (Supplier)\t~85%\n\nStrategy: Build for one framework, extend to the other. SOC 2 first (faster) → ISO 27001 (adds clauses 4-10 management system).\n\nPhase 4 — GDPR Compliance Program\n12 Core Requirements\n\nLawful Basis for Processing — Document legal basis for each data processing activity\n\nConsent | Contract | Legal obligation | Vital interest | Public task | Legitimate interest\n Data processing register (Article 30)\n Legitimate Interest Assessments (LIAs) where applicable\n\nData Subject Rights — Respond within 30 days\n\n Right of access (SAR) process\n Right to rectification\n Right to erasure (\"right to be forgotten\")\n Right to data portability (machine-readable export)\n Right to restrict processing\n Right to object\n Automated decision-making opt-out\n\nPrivacy by Design & Default — Build privacy into products\n\n Privacy Impact Assessment (PIA/DPIA) template\n Data minimization review for each feature\n Default privacy settings (opt-in, not opt-out)\n\nData Protection Officer (DPO) — Required if:\n\nPublic authority, OR\nLarge-scale systematic monitoring, OR\nLarge-scale processing of special category data\n\nConsent Management\n\n Granular consent mechanisms (not bundled)\n Easy withdrawal (as easy as giving 
consent)\n Consent records with timestamp, version, scope\n Cookie consent banner (ePrivacy)\n\nData Processing Agreements (DPAs)\n\n DPA template for sub-processors\n Article 28 requirements checklist\n Sub-processor notification process\n Sub-processor register\n\nInternational Transfers\n\n Transfer mechanism (SCCs, adequacy decision, BCRs)\n Transfer Impact Assessment\n Supplementary measures where needed\n\nBreach Notification\n\n 72-hour notification to supervisory authority\n \"Undue delay\" notification to affected individuals\n Breach register with risk assessment\n Breach response team and escalation path\n\nRecords of Processing Activities (ROPA)\n\nprocessing_activity:\n  name: \"\"\n  purpose: \"\"\n  lawful_basis: \"\"\n  data_categories: []\n  data_subjects: []\n  recipients: []\n  retention_period: \"\"\n  transfers_outside_eea: false\n  transfer_mechanism: \"\"\n  technical_measures: []\n  organizational_measures: []\n  dpia_required: false\n  last_reviewed: \"\"\n\n\nPrivacy Notice — Must include:\n\nIdentity of controller\nDPO contact (if applicable)\nPurposes and lawful basis\nCategories of data\nRecipients / transfers\nRetention periods\nData subject rights\nRight to complain to supervisory authority\nWhether providing data is statutory/contractual requirement\n\nData Retention Schedule\n\nData Type\tRetention Period\tLegal Basis\tDisposal Method\nCustomer PII\tDuration + 3 years\tContract + legitimate interest\tAutomated deletion\nEmployee records\tDuration + 7 years\tLegal obligation\tSecure shred\nFinancial records\t7 years\tLegal obligation\tSecure shred\nServer logs\t90 days\tLegitimate interest\tAutomated rotation\nMarketing consent\tUntil withdrawn\tConsent\tDatabase purge\nSupport tickets\t2 years after resolution\tLegitimate interest\tAutomated deletion\nTraining & Awareness\n Mandatory GDPR training for all employees (annual)\n Role-specific training (developers, support, marketing, HR)\n Training records with completion 
tracking\nPhase 5 — HIPAA Compliance (Health Data)\nHIPAA Security Rule — 3 Safeguard Categories\nAdministrative Safeguards\n Security Management Process (risk analysis, risk management)\n Assigned Security Responsibility (HIPAA Security Officer)\n Workforce Security (authorization, clearance, termination)\n Information Access Management (access authorization, establishment, modification)\n Security Awareness Training (reminders, malware, login monitoring, password mgmt)\n Security Incident Procedures (response, reporting)\n Contingency Plan (backup, DR, emergency mode, testing)\n Evaluation (periodic technical/non-technical)\n BAAs with all business associates\nPhysical Safeguards\n Facility Access Controls (contingency ops, facility security plan, access control, maintenance records)\n Workstation Use (policies, restrictions)\n Workstation Security (physical safeguards)\n Device and Media Controls (disposal, re-use, accountability, data backup)\nTechnical Safeguards\n Access Control (unique user ID, emergency access, automatic logoff, encryption)\n Audit Controls (hardware, software, procedural mechanisms)\n Integrity Controls (authentication of ePHI, transmission security)\n Person or Entity Authentication (verify identity)\n Transmission Security (integrity controls, encryption)\nHIPAA Breach Rule\n≤500 individuals: Annual batch notification to HHS (within 60 days of year end)\n>500 individuals: Notify HHS within 60 days + media notification\nAll breaches: Notify affected individuals without unreasonable delay (≤60 days)\nPenalties: $100-$50,000 per violation, up to $1.5M per year per category\nPhase 6 — PCI DSS 4.0 (Payment Data)\n12 Requirements Summary\n#\tRequirement\tKey Controls\n1\tInstall/maintain network security controls\tFirewalls, network segmentation\n2\tApply secure configurations\tNo vendor defaults, CIS benchmarks\n3\tProtect stored account data\tEncryption, masking, key mgmt\n4\tEncrypt transmission over open networks\tTLS 1.2+, no SSL/early 
TLS\n5\tProtect from malicious software\tAnti-malware, regular updates\n6\tDevelop secure systems\tSDLC, vuln mgmt, WAF\n7\tRestrict access by business need\tRBAC, least privilege\n8\tIdentify users and authenticate\tMFA, password standards\n9\tRestrict physical access\tBadges, cameras, visitor logs\n10\tLog and monitor all access\tCentralized logging, review\n11\tTest security regularly\tVuln scans, pen tests, IDS\n12\tSupport security with policies\tPolicies, training, incident response\nScope Reduction Strategy\nUse tokenization — Replace card data with tokens (Stripe, Braintree handle PCI for you)\nUse hosted payment pages — Never touch raw card data (SAQ A instead of SAQ D)\nNetwork segmentation — Isolate cardholder data environment\nCloud provider compliance — Leverage AWS/GCP/Azure PCI certifications\n\nSAQ Decision:\n\nFully outsourced (Stripe Checkout) → SAQ A (22 controls, simplest)\nAPI-based (Stripe Elements) → SAQ A-EP (~140 controls)\nYou store/process card data → SAQ D (300+ controls, avoid this)\nPhase 7 — Compliance Tooling Stack\nEssential Tools by Category\nCategory\tBudget Option\tMid-Range\tEnterprise\nGRC Platform\tNotion/Sheets\tVanta, Drata\tServiceNow, OneTrust\nPolicy Mgmt\tGoogle Docs + versioning\tVanta policies\tHyperproof\nVulnerability Scanning\tOWASP ZAP, Trivy\tQualys, Tenable\tRapid7\nSIEM/Logging\tELK Stack, Wazuh\tDatadog, Sumo Logic\tSplunk\nEndpoint Protection\tCrowdStrike Falcon Go\tSentinelOne\tCrowdStrike Enterprise\nIdentity/Access\tGoogle Workspace + Okta\tJumpCloud\tAzure AD P2\nTraining\tKnowBe4 Free\tKnowBe4\tProofpoint\nPen Testing\tHackerOne Community\tCobalt\tBishop Fox\nBackup\tNative cloud backups\tVeeam\tCommvault\nAutomation-First Compliance\n\nWhat to automate (saves 70%+ of audit prep):\n\nEvidence collection (screenshots of configs → API pulls)\nAccess reviews (quarterly manual → continuous monitoring)\nVulnerability scanning (manual → scheduled + auto-ticket)\nPolicy acknowledgment (email → onboarding 
workflow)\nVendor assessments (spreadsheets → intake forms with scoring)\nTraining tracking (manual → LMS with auto-reminders)\nCompliance-as-Code Patterns\n# Infrastructure compliance\n- Terraform with Sentinel policies (enforce encryption, tagging)\n- OPA/Rego for Kubernetes admission control\n- AWS Config Rules / Azure Policy for cloud compliance\n- GitHub branch protection rules as change management evidence\n\n# Application compliance\n- Automated dependency scanning in CI (Snyk, Dependabot)\n- SAST in PR pipeline (Semgrep, CodeQL)\n- Container scanning (Trivy, Grype)\n- License compliance (FOSSA, Licensee)\n\nPhase 8 — Audit Preparation\n90-Day Audit Prep Checklist\n\nDays 90-60: Foundation\n\n Confirm audit scope with auditor\n Complete system description document\n Verify all policies are current (reviewed within 12 months)\n Confirm all employees completed security training\n Run vulnerability scan and remediate critical/high findings\n Schedule penetration test (results needed before audit)\n\nDays 60-30: Evidence Gathering\n\n Collect evidence for each control (organized by TSC/clause)\n Access review documentation (screenshots of reviews, action items)\n Change management evidence (sample of tickets showing approval flow)\n Incident response test evidence (tabletop exercise minutes)\n DR test evidence (recovery test results, RTO achieved)\n Vendor review evidence (assessment records, DPAs)\n Risk assessment and treatment plan (current year)\n Board/management meeting minutes discussing security\n\nDays 30-0: Final Prep\n\n Internal mock audit — walk through every control\n Remediate any mock audit findings\n Brief team on auditor interviews (what to expect, who answers what)\n Prepare management assertion letter\n Set up auditor access (read-only to evidence repository)\n Confirm all monitoring/alerting is functioning\n Verify offboarding was completed for all departed employees\nEvidence Organization\n/compliance-evidence/\n  /SOC2-2026/\n    
/CC1-control-environment/\n      org-chart.pdf\n      code-of-conduct-signed.pdf\n      background-check-process.pdf\n    /CC2-communication/\n      security-training-completion.csv\n      security-policy-acknowledgments.pdf\n    /CC3-risk-assessment/\n      risk-assessment-2026.xlsx\n      risk-treatment-plan.pdf\n    /CC6-access/\n      access-review-Q1.pdf\n      access-review-Q2.pdf\n      mfa-enforcement-screenshot.png\n      offboarding-checklist-samples/\n    /CC7-operations/\n      vulnerability-scan-reports/\n      pentest-report-2026.pdf\n      incident-log-2026.csv\n    /CC8-change-management/\n      sample-change-tickets/\n      deployment-pipeline-config.png\n    /CC9-vendors/\n      vendor-inventory.xlsx\n      vendor-assessments/\n      dpas-and-baas/\n\nAuditor Interview Prep\n\nCommon questions and who should answer:\n\nQuestion\tBest Respondent\tKey Points\n\"Walk me through your risk assessment process\"\tCISO/Security Lead\tMethodology, frequency, treatment\n\"How do you manage access to production?\"\tEngineering Lead\tRBAC, approval flow, reviews\n\"Describe your change management process\"\tEngineering Lead\tPR review, testing, deployment\n\"How do you handle security incidents?\"\tSecurity Lead\tDetection, response, communication\n\"How do you evaluate vendors?\"\tSecurity/Procurement\tAssessment, monitoring, contracts\n\"Describe your backup and recovery process\"\tInfrastructure Lead\tSchedule, testing, RTO/RPO\n\"How do you track and remediate vulnerabilities?\"\tSecurity Lead\tScanning, SLAs, patching\n\"Walk me through employee onboarding/offboarding\"\tHR + IT\tChecklist, timing, verification\nPhase 9 — Continuous Compliance\nMonthly Compliance Dashboard\ncompliance_dashboard:\n  month: \"\"\n  \n  control_health:\n    total_controls: 0\n    controls_passing: 0\n    controls_failing: 0\n    controls_not_tested: 0\n    health_percentage: 0\n    \n  action_items:\n    open: 0\n    overdue: 0\n    closed_this_month: 0\n    \n  
key_metrics:\n    mean_time_to_patch_critical: \"\"\n    access_reviews_completed: \"X/X\"\n    security_training_completion: \"\"\n    incidents_this_month: 0\n    vendor_reviews_due: 0\n    policies_due_for_review: 0\n    \n  risk_register:\n    high_risks: 0\n    risks_without_treatment: 0\n    new_risks_identified: 0\n    \n  upcoming:\n    next_pen_test: \"\"\n    next_dr_test: \"\"\n    next_audit: \"\"\n    next_access_review: \"\"\n\nCompliance Calendar\nFrequency\tActivity\nWeekly\tReview security alerts, patch critical vulns\nMonthly\tControl testing sample, metrics dashboard, policy exception review\nQuarterly\tAccess reviews, vendor risk check, risk register update, tabletop exercise\nSemi-annual\tVulnerability scan (external), BCP/DR test, security training refresh\nAnnual\tFull risk assessment, penetration test, policy review cycle, SOC 2/ISO audit, security awareness training, management review\nCompliance Debt Tracker\ncompliance_debt:\n  - id: \"CD-001\"\n    framework: \"SOC 2\"\n    control: \"CC6.1\"\n    finding: \"MFA not enforced on staging environment\"\n    severity: \"High\"\n    identified: \"2026-01-15\"\n    owner: \"\"\n    target_remediation: \"2026-02-15\"\n    status: \"In Progress\"\n    compensating_control: \"VPN + IP allowlisting\"\n\nWhen Controls Fail\n\nSeverity-based response:\n\nSeverity\tResponse Time\tActions\nCritical\t24 hours\tImmediate remediation, notify management, consider if breach occurred\nHigh\t7 days\tRemediation plan, compensating control if needed, risk acceptance by CISO\nMedium\t30 days\tAdd to sprint, track in compliance debt\nLow\t90 days\tBatch with next review cycle\nPhase 10 — Multi-Framework Management\nCommon Control Framework (CCF)\n\nBuild controls ONCE, map to MULTIPLE frameworks:\n\ncontrol:\n  id: \"CCF-AC-001\"\n  title: \"Multi-Factor Authentication\"\n  description: \"MFA required for all access to production systems and sensitive data\"\n  owner: \"Security Team\"\n  \n  
framework_mapping:\n    soc2: [\"CC6.1\", \"CC6.6\"]\n    iso27001: [\"A.8.5\"]\n    gdpr: [\"Article 32\"]\n    hipaa: [\"§164.312(d)\"]\n    pci_dss: [\"Req 8.4\"]\n    \n  evidence:\n    - type: \"Configuration screenshot\"\n      source: \"Okta MFA policy\"\n      frequency: \"Quarterly\"\n    - type: \"Access review\"\n      source: \"Okta user report\"\n      frequency: \"Quarterly\"\n      \n  test_procedure: \"Verify MFA policy is enforced, test with non-MFA login attempt\"\n  last_tested: \"\"\n  result: \"\"\n  next_test: \"\"\n\nFramework Expansion Strategy\n\nYear 1: SOC 2 Type I → establishes baseline\nYear 1-2: SOC 2 Type II → proves sustained operation\nYear 2: + GDPR → covers EU expansion\nYear 2-3: + ISO 27001 → international credibility\nAs needed: + HIPAA / PCI DSS → industry-specific\n\nAudit Fatigue Prevention\nSingle evidence repository — collect once, map to all frameworks\nContinuous monitoring — evidence auto-collected, not scrambled at audit time\nControl owner accountability — each control has ONE owner, not \"security team\"\nCompliance sprints — 2-week sprints dedicated to compliance work, not crammed before audit\nAuditor relationship — same firm for multiple frameworks if possible (they know your environment)\nPhase 11 — Scoring & Quality\nCompliance Readiness Score (0-100)\nDimension\tWeight\tScore 0-10\nPolicy Coverage — All required policies exist, reviewed, approved\t15%\t\nTechnical Controls — Security tools deployed and configured\t20%\t\nProcess Maturity — Operational processes followed consistently\t20%\t\nEvidence Quality — Complete, organized, recent evidence\t15%\t\nTraining & Awareness — All employees trained, records maintained\t10%\t\nVendor Management — All critical vendors assessed and contracted\t10%\t\nRisk Management — Current assessment, treatment plans, monitoring\t10%\t\n\nScoring guide:\n\n0-2: Not started / major gaps\n3-4: In progress / significant gaps\n5-6: Partially implemented / some gaps\n7-8: Implemented / 
minor improvements needed\n9-10: Mature / audit-ready\n\nInterpretation:\n\n< 40: Not ready — significant work needed (3-6 months)\n40-60: Getting there — focus on gaps (1-3 months)\n60-80: Nearly ready — polish and evidence gathering (2-6 weeks)\n80+: Audit-ready — schedule the audit\nEdge Cases & Special Situations\nStartup with Zero Compliance\nStart with security basics (MFA, encryption, access control, backups) before any framework\nUse a GRC platform from Day 1 (Vanta/Drata cost $10-15K/yr but save 100+ hours)\nDon't wait for perfect — \"documented and improving\" beats \"undocumented and perfect\"\nBudget $20-40K for first SOC 2 Type I (auditor + tools + time)\nMulti-Cloud / Hybrid Infrastructure\nMap shared responsibility model for each provider\nEnsure consistent controls across environments\nConsider cloud-specific compliance tools (AWS Audit Manager, Azure Compliance Manager)\nNetwork segmentation especially important\nAcquired Company Integration\nConduct compliance gap assessment within 30 days of close\nIdentify highest-risk gaps (access control, data handling)\n90-day integration plan to bring to baseline\nDon't assume their compliance posture matches claims\nInternational (Multi-Jurisdiction)\nMap all jurisdictions where you operate or store data\nGDPR applies if you have EU users — not just EU office\nData residency requirements (Russia, China, India, Brazil)\nConsider local DPA registrations\nRegulated Industries (FinTech, HealthTech)\nLayer industry regulations ON TOP of SOC 2/ISO\nFinTech: SOC 2 + PCI DSS + potentially banking regs (state MTLs, FinCEN)\nHealthTech: SOC 2 + HIPAA + potentially FDA (SaMD)\nEdTech: SOC 2 + FERPA + COPPA (if under 13)\nNatural Language Commands\nCommand\tWhat It Does\n\"Assess our compliance readiness\"\tRun readiness assessment, score, identify gaps\n\"Create SOC 2 project plan\"\tGenerate 16-week implementation timeline\n\"Write [policy name] policy\"\tGenerate policy from template with your context\n\"Map 
controls across frameworks\"\tBuild common control framework mapping\n\"Prepare for audit\"\tGenerate 90-day audit prep checklist with evidence needs\n\"Review our GDPR compliance\"\tCheck all 12 GDPR requirements against current state\n\"Score our compliance posture\"\tRun 7-dimension scoring rubric\n\"Generate evidence checklist\"\tList all evidence needed for specific framework\n\"Build vendor assessment\"\tCreate vendor risk assessment for a specific vendor\n\"Plan framework expansion\"\tRecommend next framework based on business needs\n\"Track compliance debt\"\tReview and prioritize open compliance items\n\"Run monthly compliance review\"\tUpdate dashboard, check deadlines, identify actions"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/1kalin/afrexai-compliance-engine",
    "publisherUrl": "https://clawhub.ai/1kalin/afrexai-compliance-engine",
    "owner": "1kalin",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/afrexai-compliance-engine",
    "downloadUrl": "https://openagent3.xyz/downloads/afrexai-compliance-engine",
    "agentUrl": "https://openagent3.xyz/skills/afrexai-compliance-engine/agent",
    "manifestUrl": "https://openagent3.xyz/skills/afrexai-compliance-engine/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/afrexai-compliance-engine/agent.md"
  }
}