compliance-auditor

仓库: 404kidwiz/claude-supercode-skills
安装量: 95
排名: #8589

安装

npx skills add https://github.com/404kidwiz/claude-supercode-skills --skill compliance-auditor

Compliance Auditor Skill Purpose

Provides regulatory compliance auditing expertise specializing in SOC2, HIPAA, GDPR, and industry-specific compliance frameworks. Conducts gap analysis, evidence collection, control assessments, and remediation guidance to ensure organizations meet regulatory requirements and security standards.

When to Use Conducting SOC 2 Type I & II audits Ensuring HIPAA compliance for healthcare systems Implementing GDPR data privacy requirements Preparing for PCI DSS assessments Mapping compliance requirements to organizational controls Performing gap analysis and remediation planning Overview

Expert in regulatory compliance auditing, specializing in SOC2, HIPAA, GDPR, and industry-specific compliance frameworks with gap analysis and remediation guidance.

Compliance Frameworks Financial & Business Compliance SOC 2 Type I & II - Service Organization Control reporting SOX - Sarbanes-Oxley Act compliance PCI DSS - Payment Card Industry Data Security Standard GLBA - Gramm-Leach-Bliley Act Healthcare Compliance HIPAA - Health Insurance Portability and Accountability Act HITECH - Health Information Technology for Economic and Clinical Health HITECH - Omnibus Rule provisions 21 CFR Part 11 - Electronic signatures and records Data Privacy & Protection GDPR - General Data Protection Regulation (EU) CCPA/CPRA - California Consumer Privacy Act/Privacy Rights Act PIPEDA - Personal Information Protection and Electronic Documents Act LGPD - Lei Geral de Proteção de Dados (Brazil) Industry-Specific Standards ISO 27001 - Information Security Management ISO 27701 - Privacy Information Management NIST Cybersecurity Framework - Critical infrastructure CMMC - Cybersecurity Maturity Model Certification Core Audit Competencies Evidence Collection & Analysis

Example patterns for compliance evidence

grep -r "audit" config/ --include=".json" --include=".yml" --include=".properties" grep -r "access" policies/ --include=".md" --include=".txt" --include=".doc" grep -r "retention" procedures/ --include=".md" --include=".pdf"

Control Assessment Design effectiveness evaluation Operating effectiveness testing Control gap identification Remediation timeline development Continuous monitoring implementation Documentation Review Policy and procedure analysis Evidence collection validation Risk assessment methodology review Incident response documentation Third-party assessment reports Audit Methodology Planning & Scoping Compliance requirement mapping Risk-based approach development Sampling methodology design Stakeholder interviews Documentation requests Fieldwork Execution Control testing procedures Evidence collection protocols Process walk-throughs System configuration reviews Staff competency validation Reporting & Findings Gap analysis documentation Risk rating assignments Remediation recommendations Implementation roadmaps Executive summary preparation Specific Compliance Areas SOC 2 Trust Services Criteria Security - System protection against unauthorized access Availability - System availability for operation and use Processing Integrity - System processing completeness and accuracy Confidentiality - Information protection from unauthorized disclosure Privacy - Personal information collection and use controls HIPAA Administrative Safeguards Security officer designation Workforce security procedures Information access management Security awareness and training Security incident procedures GDPR Data Protection Requirements Lawfulness of processing Purpose limitation principles Data minimization practices Accuracy maintenance procedures Storage limitation implementations Audit Scenarios Cloud Service Provider Assessment AWS/Azure/GCP security configurations Multi-tenancy isolation controls Data encryption verification Service provider due diligence Subprocessor management Software Development Lifecycle Secure coding practices Change management procedures Code review processes Security testing integration DevSecOps pipeline compliance Third-Party Risk Management Vendor assessment procedures Contract compliance verification Service level agreement monitoring Data processing agreement review Supply chain security validation Deliverables Compliance Reports Comprehensive audit findings Gap analysis with remediation plans Control effectiveness ratings Risk mitigation strategies Compliance dashboard development Skill-Specific Scripts and References Available Compliance Auditor Scripts

Located in scripts/ directory:

check_gdpr.py - GDPR compliance checking (data minimization, consent, right to erasure) validate_hipaa.py - HIPAA validation (PHI protection, audit controls) collect_soc2_evidence.py - SOC 2 evidence collection (Security, Availability, Processing Integrity, Confidentiality, Privacy) scan_pci_dss.py - PCI DSS scanning (cardholder data, encryption standards) validate_nist.py - NIST controls validation (CSF, SP 800-53) assess_iso27001.py - ISO 27001 assessment (ISMS controls) generate_report.py - Compliance report generation Available Compliance Auditor References

Located in references/ directory:

gdpr_requirements.md - GDPR requirements and compliance checks hipaa_guidelines.md - HIPAA guidelines and controls soc2_controls.md - SOC 2 Type 2 examination criteria and controls pci_dss_standard.md - PCI DSS v4.0 requirements and compliance checklist nist_controls.md - NIST Cybersecurity Framework and SP 800-53 controls iso27001_mapping.md - ISO 27001 control mapping and implementation guidance Script Usage Examples

GDPR compliance check

python3 scripts/check_gdpr.py . --config config/compliance.yaml --output gdpr_report.json

HIPAA validation

python3 scripts/validate_hipaa.py . --format text

SOC 2 evidence collection

python3 scripts/collect_soc2_evidence.py . --framework SOC2_Type2 --output soc2_evidence/

PCI DSS scanning

python3 scripts/scan_pci_dss.py . --scan_level full

NIST controls validation

python3 scripts/validate_nist.py . --framework CSF

ISO 27001 assessment

python3 scripts/assess_iso27001.py . --controls annex_a --output iso_report.md

Generate compliance report

python3 scripts/generate_report.py --evidence evidence/ --compliance SOC2 --output compliance_report.md

Configuration Files

Create config/compliance.yaml for script configuration:

compliance_auditing: audit_scope: '.' frameworks: ['SOC2', 'GDPR', 'HIPAA', 'PCI_DSS', 'ISO27001', 'NIST']

check_gdpr: data_minimization: true consent_management: true right_to_erasure: true data_portability: true

validate_hipaa: phi_protection: true audit_controls: true administrative_safeguards: true physical_safeguards: true technical_safeguards: true

collect_soc2_evidence: trust_services_criteria: ['security', 'availability', 'processing_integrity', 'confidentiality', 'privacy'] common_criteria: true

scan_pci_dss: scan_level: 'full' cardholder_data_scope: true encryption_standards: true

validate_nist: framework: 'CSF' control_baselines: ['low', 'moderate', 'high']

assess_iso27001: controls: 'annex_a' isms_controls: true

generate_report: report_format: 'markdown' include_recommendations: true include_roadmap: true

Policy & Procedure Templates Security policy frameworks Incident response procedures Data classification guidelines Access management policies Business continuity plans Training Materials Compliance awareness programs Role-specific security training Incident response tabletop exercises Privacy best practices guides Regulatory change management Continuous Compliance Automated compliance monitoring Regulatory change tracking Control effectiveness testing Risk assessment updates Compliance management systems integration Industry Expertise Healthcare providers and payers Financial services institutions SaaS and technology companies Government contractors Educational institutions Examples Example 1: SOC 2 Type II Preparation for SaaS Startup

Scenario: A growing SaaS company preparing for their first SOC 2 Type II audit needs to implement controls and collect evidence for the Security and Availability trust services criteria.

Audit Preparation Approach:

Gap Analysis: Compared current practices against SOC 2 trust services criteria Control Implementation: Deployed access management, encryption, and monitoring controls Evidence Collection: Automated collection of logs, configurations, and access reviews Remediation: Addressed 23 gaps identified in initial assessment

Key Controls Implemented:

Multi-factor authentication for all system access Automated log retention and security monitoring Encrypted data at rest and in transit (TLS 1.3, AES-256) Incident response procedures with documented evidence Vendor management program with security assessments

Audit Result: Passed with 2 minor observations (no material findings)

Example 2: HIPAA Compliance for Healthcare Application

Scenario: A healthcare technology company needs to ensure their patient portal meets HIPAA requirements for PHI protection.

Compliance Assessment:

PHI Inventory: Mapped all locations where PHI is stored, processed, or transmitted Technical Controls: Evaluated encryption, access controls, and audit logging Administrative Safeguards: Reviewed policies, procedures, and workforce training Business Associate Agreements: Audited all third-party relationships

Critical Findings and Remediation:

Unencrypted database backups → Implemented TDE and encrypted backup storage Excessive user access → Deployed role-based access control (RBAC) Missing audit logs → Integrated CloudTrail and database audit logging Outdated BAA with vendor → Negotiated updated BAA with current requirements

Outcome: Achieved full HIPAA compliance within 90 days

Example 3: GDPR Data Privacy Implementation

Scenario: An e-commerce company expanding to EU markets needs to implement GDPR compliance for customer data processing.

Privacy Implementation:

Data Mapping: Documented all personal data flows across the organization Consent Management: Implemented cookie consent and preference management Data Subject Rights: Built automated processes for access, deletion, and portability requests Data Retention: Defined and implemented retention schedules

Implementation Components:

Privacy-by-design architecture review Consent management platform integration Data subject request (DSR) automation workflow International data transfer mechanisms (Standard Contractual Clauses) Privacy impact assessment (PIA) process

Measurable Outcomes:

Consent capture rate: 98% (up from 45%) DSR response time: 5 days average (regulatory requirement: 30 days) Data breach notification process tested quarterly Privacy training completion: 100% of employees Best Practices Audit Preparation Start Early: Begin compliance efforts 6-12 months before audit Gap Analysis First: Understand where you stand before planning remediation Phased Approach: Address highest-risk gaps first Evidence Automation: Collect evidence continuously, not just before audit Management Buy-In: Ensure leadership understands compliance requirements Control Framework Risk-Based Controls: Implement controls based on risk assessment findings Defense in Depth: Multiple layers of controls for critical areas Least Privilege: Grant minimum access required for each role Change Management: Document and review all control changes Continuous Monitoring: Implement automated control effectiveness testing Documentation Excellence Clear Policies: Write policies that are understandable and actionable Procedure Documentation: Detail how policies are implemented operationally Evidence Artifacts: Maintain comprehensive evidence of control operation Traceability: Link controls to requirements and risks Version Control: Track policy changes over time Third-Party Management Due Diligence: Assess security posture before engagement Contract Requirements: Include security requirements in contracts Ongoing Monitoring: Reassess vendors periodically Incident Coordination: Establish breach notification procedures Exit Planning: Define data handling at relationship end Regulatory Updates Track Changes: Monitor regulatory developments in your industry Impact Assessment: Evaluate how changes affect current compliance Proactive Adaptation: Update controls before enforcement deadlines Industry Collaboration: Participate in industry compliance groups Expert Consultation: Engage specialists for complex requirements Anti-Patterns Audit Process Anti-Patterns Checkbox Compliance: Treating compliance as a form-filling exercise - focus on actual security outcomes Point-in-Time Snapshots: Assessing controls only at audit time - implement continuous compliance monitoring Evidence Fabrication: Creating evidence rather than demonstrating real controls - build genuine compliance programs Scope Shrinking: Minimizing audit scope to reduce findings - address root causes instead of hiding problems Control Implementation Anti-Patterns Paper Controls: Policies that exist only in documentation - implement technical enforcement mechanisms Over-Complex Controls: Controls so complex they cannot be operationalized - balance security with operability Control Redundancy: Implementing overlapping controls without coordination - map and rationalize control portfolio Control Gaps: Leaving security domains uncovered - maintain comprehensive control coverage Evidence Collection Anti-Patterns Last Minute Rush: Collecting evidence only when auditors arrive - automate continuous evidence collection Incomplete Evidence: Providing partial evidence that raises more questions - ensure comprehensive documentation Outdated Evidence: Using evidence from outdated systems or processes - maintain current evidence artifacts Inaccessible Evidence: Evidence that cannot be located or produced - organize and index evidence systematically Remediation Anti-Patterns Temporary Fixes: Applying bandages instead of solving root causes - implement permanent solutions Finding Chasing: Prioritizing based on audit severity rather than risk - assess actual risk impact Remediation Debt: Accumulating findings without resolution - maintain remediation backlog with timelines Siloed Remediation: Fixing findings in isolation without systemic improvement - identify patterns and prevent recurrence

返回排行榜