Compliance Assessment
Conduct regulatory compliance assessments — mapping controls to frameworks (SOC 2, GDPR, HIPAA, ISO 27001), identifying gaps, and producing remediation roadmaps with evidence requirements.
$ npx skills add The-AI-Directory-Company/(…) --skill compliance-assessment

compliance-assessment/soc2-type2-readiness.md
# SOC 2 Type II Readiness Assessment: Vantage Analytics Platform

- **Assessment date**: 2025-09-15
- **Framework**: SOC 2 Type II (Trust Services Criteria — Security, Availability, Confidentiality)
- **Scope**: Vantage Analytics SaaS platform, AWS production environment, CI/CD pipeline
- **Audit window target**: March 1 – August 31, 2026 (6-month observation period)
- **Driver**: Enterprise customer requirement (Meridian Financial, $840K ARR deal blocked pending SOC 2 report)
- **Stakeholders**: @elena (CISO), @raj (Engineering VP), @nina (Legal), @tom (CEO — exec sponsor)

---

## Scope Boundary

**In Scope:**
- Systems: Vantage API (ECS), PostgreSQL (RDS), Redis (ElastiCache), S3 data lake, CloudFront CDN
- Data types: Customer PII (names, emails), analytics data, API credentials, audit logs
- Teams: Engineering (12), DevOps (3), Support (4), HR (2)
- Environments: Production, staging, CI/CD (GitHub Actions)
- Third parties: AWS, Datadog, PagerDuty, GitHub, Slack, Google Workspace, Stripe

**Out of Scope:**
- Marketing website (static site, no customer data)
- Internal Notion workspace (no customer data after policy enforcement)
- Development local environments (no production data access)

---

## Control Mapping

| Requirement | SOC 2 Ref | Current Control | Status | Gap |
|-------------|-----------|-----------------|--------|-----|
| Unique user identification | CC6.1 | Google Workspace SSO via SAML | Compliant | None |
| MFA for all access | CC6.1 | Google Workspace enforces MFA | Compliant | None |
| Quarterly access reviews | CC6.2 | None | Gap | No review process |
| Terminated user deprovisioning | CC6.3 | Manual, ad-hoc | Partial | No SLA, no audit trail |
| Encryption at rest | CC6.7 | RDS/S3 AES-256 encryption enabled | Compliant | None |
| Encryption in transit | CC6.7 | TLS 1.2+ enforced on all endpoints | Compliant | None |
| Audit logging | CC7.2 | Application logs in Datadog (30-day retention) | Partial | Retention too short; no tamper protection |
| Intrusion detection | CC7.2 | AWS GuardDuty enabled | Compliant | None |
| Incident response plan | CC7.3 | Informal PagerDuty escalation | Partial | No documented plan or post-incident process |
| Change management | CC8.1 | PR reviews required; no deploy approval | Partial | No segregation of duties for deploys |
| System monitoring | CC7.2 | Datadog APM + alerts | Compliant | None |
| Backup and recovery | A1.2 | Nightly RDS snapshots, 7-day retention | Partial | No tested restore procedure |
| Vendor risk management | CC9.2 | None | Gap | No vendor inventory or assessments |
| Security awareness training | CC1.4 | None | Gap | No training program |
| Data retention policy | C1.2 | None | Gap | No documented retention schedule |

---

## Gap Analysis

```
Gap ID: GAP-001
Control Area: Access Control
Requirement: Quarterly access reviews (CC6.2)
Current State: No periodic review of user access; stale accounts discovered ad-hoc
Risk Level: High
Remediation: Implement quarterly access review using Google Workspace admin reports
Evidence Needed: Review completion records, revocation tickets, manager sign-offs
Estimated Effort: 2 weeks to implement tooling, 4 hours/quarter ongoing
```

```
Gap ID: GAP-002
Control Area: Access Control
Requirement: Timely offboarding with audit trail (CC6.3)
Current State: Manual Slack-based offboarding, no SLA, no evidence
Risk Level: High
Remediation: Create offboarding checklist; deprovision within 24 hours; log to ticketing system
Evidence Needed: Offboarding tickets with timestamps, access removal confirmations
Estimated Effort: 1 week to document process, ongoing per departure
```

```
Gap ID: GAP-003
Control Area: Logging and Monitoring
Requirement: Tamper-proof audit logs with 1-year retention (CC7.2)
Current State: Datadog logs at 30-day retention, mutable
Risk Level: High
Remediation: Ship audit logs to S3 with Object Lock (WORM); extend retention to 13 months
Evidence Needed: S3 bucket policy, Object Lock configuration, log completeness checks
Estimated Effort: 3 weeks
```
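
An evidence check for GAP-003, added here as an example and not part of the assessment or the skill's own files: it grades the dict returned by boto3's `s3.get_object_lock_configuration()` against the 13-month target (assumed to be 395 days), flags GOVERNANCE mode as bypassable, and runs the "log completeness" check over a listing of daily log object keys. The sample bucket response, the key listing and the `audit/YYYY/MM/DD/` layout are constructed assumptions so the script runs offline.

```python
"""Evidence checks for GAP-003 (CC7.2): S3 Object Lock retention and log completeness."""
from datetime import date, timedelta

# Assumption: the 13-month retention target in the remediation is treated as 395 days.
MIN_RETENTION_DAYS = 395


def assess_object_lock(lock_config: dict, min_days: int = MIN_RETENTION_DAYS) -> dict:
    """Grade one bucket's get_object_lock_configuration() response as Compliant/Partial/Gap."""
    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return {"status": "Gap", "findings": ["Object Lock is not enabled on the bucket"]}
    ret = cfg.get("Rule", {}).get("DefaultRetention", {})
    days = ret.get("Days", 0) + 365 * ret.get("Years", 0)
    findings = []
    if days < min_days:
        findings.append(f"default retention {days}d is below the {min_days}d target")
    if ret.get("Mode") != "COMPLIANCE":
        # GOVERNANCE retention can be lifted by principals holding
        # s3:BypassGovernanceRetention, so it does not count as tamper-proof.
        findings.append(f"retention mode {ret.get('Mode')} is bypassable; require COMPLIANCE")
    return {"status": "Compliant" if not findings else "Partial", "findings": findings}


def missing_log_days(keys, start: str, end: str, prefix: str = "audit/") -> list:
    """Return ISO dates in [start, end] with no object under prefix/YYYY/MM/DD/ (completeness)."""
    seen = {k[len(prefix):len(prefix) + 10] for k in keys if k.startswith(prefix)}
    day, last, missing = date.fromisoformat(start), date.fromisoformat(end), []
    while day <= last:
        if day.strftime("%Y/%m/%d") not in seen:
            missing.append(day.isoformat())
        day += timedelta(days=1)
    return missing


# Constructed samples standing in for live AWS calls: a bucket locked in
# GOVERNANCE mode for one year, and a log listing with one day absent.
SAMPLE_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Years": 1}}}}
SAMPLE_KEYS = ["audit/2025/10/01/app.json.gz", "audit/2025/10/02/app.json.gz",
               "audit/2025/10/04/app.json.gz"]

if __name__ == "__main__":
    print(assess_object_lock(SAMPLE_LOCK))          # Partial, two findings
    print(missing_log_days(SAMPLE_KEYS, "2025-10-01", "2025-10-04"))  # ['2025-10-03']
```

Against a live account, replace the samples with the responses of `get_object_lock_configuration` and a paginated `list_objects_v2` over the audit prefix; the grade and the missing-day list are the artefacts to file as evidence.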

```
Gap ID: GAP-004
Control Area: Incident Response
Requirement: Documented incident response plan (CC7.3)
Current State: PagerDuty routing exists but no written plan, roles, or post-incident process
Risk Level: Medium
Remediation: Write IR plan covering detection, triage, escalation, communication, post-incident review
Evidence Needed: IR plan document, incident records, postmortem reports
Estimated Effort: 2 weeks to draft and approve
```

```
Gap ID: GAP-005
Control Area: Change Management
Requirement: Segregation of duties for production deploys (CC8.1)
Current State: Any engineer with repo access can merge and deploy
Risk Level: Medium
Remediation: Require PR approval from non-author; restrict deploy pipeline to lead/devops approval
Evidence Needed: Branch protection rules, deploy approval logs
Estimated Effort: 1 week
```

```
Gap ID: GAP-006
Control Area: Vendor Management
Requirement: Vendor risk assessments (CC9.2)
Current State: No vendor inventory; no review of subprocessor security posture
Risk Level: High
Remediation: Build vendor inventory; collect SOC 2 reports from critical vendors; review annually
Evidence Needed: Vendor register, SOC 2 reports or security questionnaires, review records
Estimated Effort: 4 weeks for initial inventory and collection
```

```
Gap ID: GAP-007
Control Area: HR Security
Requirement: Security awareness training (CC1.4)
Current State: No training program exists
Risk Level: Medium
Remediation: Implement annual security training with phishing simulation; track completion
Evidence Needed: Training completion records, quiz scores, phishing simulation results
Estimated Effort: 2 weeks to select vendor and deploy; annual renewal
```

```
Gap ID: GAP-008
Control Area: Data Protection
Requirement: Data retention and disposal policy (C1.2)
Current State: No documented retention schedule; customer data retained indefinitely
Risk Level: Medium
Remediation: Define retention periods per data type; implement automated deletion for expired data
Evidence Needed: Retention policy document, deletion job logs, audit of data stores
Estimated Effort: 3 weeks
```

---

## Remediation Roadmap

### Phase 1: Critical and High Gaps (0-30 days) — Deadline: October 15, 2025

| Gap | Action | Owner | Deliverable |
|-----|--------|-------|-------------|
| GAP-001 | Implement quarterly access review process | @raj | First review completed with records |
| GAP-002 | Create offboarding SLA and checklist | @nina | Offboarding policy + 2 completed examples |
| GAP-003 | Ship audit logs to S3 with Object Lock | @devops-lead | S3 bucket with WORM, log pipeline verified |
| GAP-006 | Build vendor inventory and collect SOC 2 reports | @elena | Vendor register with risk tiers |

### Phase 2: Medium Gaps (30-90 days) — Deadline: December 15, 2025

| Gap | Action | Owner | Deliverable |
|-----|--------|-------|-------------|
| GAP-004 | Write and approve incident response plan | @elena | IR plan document, tabletop exercise completed |
| GAP-005 | Enforce deploy approval gates | @devops-lead | Branch protection + deploy pipeline configs |
| GAP-007 | Launch security awareness training | @nina | Training vendor selected, first session completed |
| GAP-008 | Define data retention policy and automate deletion | @raj | Policy document, deletion job in production |

### Phase 3: Evidence Accumulation (December 2025 – February 2026)

All controls must be operational by December 2025 to accumulate 3+ months of evidence before the March 2026 audit window opens. During this phase: run the first two quarterly access reviews, collect incident response records, gather deploy approval logs, and verify log retention integrity.

### Audit Window: March 1 – August 31, 2026

Controls must remain consistently operational throughout. Any control failure during the observation period will appear as an exception in the Type II report.
| 160 | | GAP-008 | Define data retention policy and automate deletion | @raj | Policy document, deletion job in production | |
| 161 | |
| 162 | ### Phase 3: Evidence Accumulation (December 2025 – February 2026) |
| 163 | |
| 164 | All controls must be operational by December 2025 to accumulate 3+ months of evidence before the March 2026 audit window opens. During this phase: run the first two quarterly access reviews, collect incident response records, gather deploy approval logs, and verify log retention integrity. |
| 165 | |
| 166 | ### Audit Window: March 1 – August 31, 2026 |
| 167 | |
| 168 | Controls must remain consistently operational throughout. Any control failure during the observation period will appear as an exception in the Type II report. |
| 169 |