Compliance Frameworks

Navigate SOC 2, ISO 27001, and NIST compliance frameworks. Learn evidence collection, audit preparation, and continuous compliance automation.

⏱️ 55 minutes 📊 Advanced 📝 6 steps 🏷️ System Administration

Prerequisites

  • Understanding of information security concepts
  • Basic knowledge of IT governance
  • Access to organizational documentation
  • Admin access to relevant systems

Learning Objectives

  • Understand major compliance frameworks (SOC 2, ISO 27001, NIST)
  • Map controls across frameworks
  • Implement automated evidence collection
  • Prepare for compliance audits
  • Maintain continuous compliance

Step-by-Step Guide

1. Understand Compliance Frameworks

Learn the key differences and requirements of major frameworks.

| Framework | Focus | Key Areas | Typical Audience |
|-----------|-------|-----------|------------------|
| SOC 2 | Service organizations (an attestation report issued by a CPA firm, not a certification) | Trust Services Criteria: Security (mandatory), Availability, Processing Integrity, Confidentiality, Privacy | B2B SaaS, cloud providers |
| ISO/IEC 27001:2022 | Information Security Management System (certifiable standard) | Risk assessment and treatment, ISMS clauses 4 to 10, 93 Annex A controls in four themes | International, all industries |
| NIST CSF | Cybersecurity framework (voluntary) | Functions Identify, Protect, Detect, Respond, Recover; CSF 2.0 (2024) adds Govern | US critical infrastructure, widely used as a baseline |
| GDPR | Data protection regulation (a law, not a framework) | Data subject rights, 72-hour breach notification, DPO | Any organization processing EU residents' personal data |

2. SOC 2 Implementation

Implement SOC 2 Type II compliance, the report most SaaS customers ask for. A Type I report covers control design at a point in time; a Type II report covers operating effectiveness over an observation period (typically 6 to 12 months), so the evidence has to be generated continuously throughout that window rather than assembled at the end. The control references below use the 2017 Trust Services Criteria numbering.

# SOC 2 Trust Services Criteria (TSC) - Common Criteria references:
# CC6.x = logical and physical access, CC7.x = system operations,
# CC8.1 = change management, A1.x = availability

# CC6.1 / CC6.3 - Logical access controls and least privilege
# Evidence: access control policy, MFA enforcement configuration, access review records
sudo mkdir -p /policies
cat > /policies/access-control.md << 'EOF'
# Access Control Policy

## Principle of Least Privilege
All users are granted the minimum permissions necessary for their role.

## MFA Requirements
- All remote access requires MFA
- Administrative access requires hardware tokens (FIDO2/U2F)
- Service accounts use certificate-based auth, never shared passwords

## Access Reviews
- Quarterly access reviews for all users
- Monthly reviews for privileged accounts
- Revocation within 24 hours of termination (same day for privileged accounts)
EOF

# CC7.2 / CC7.3 - Security event monitoring and evaluation
# Evidence: log forwarding configuration, SIEM retention settings, alert history
# Configure centralized logging. Use TCP (@@) rather than UDP (@) so dropped
# events are detectable; in production add TLS (omfwd with the gtls driver) so
# integrity and confidentiality of logs in transit are also evidenced (CC6.7).
sudo apt install -y rsyslog
cat > /etc/rsyslog.d/50-compliance.conf << 'EOF'
# Forward all logs to the SIEM over TCP and keep the local copy as well.
# Do not add "& stop" after this line: it would discard the local log
# files that the auditor samples.
*.* @@siem.internal:514
EOF
sudo systemctl restart rsyslog

# CC7.2 - Anomaly and intrusion detection
# Evidence: Wazuh manager configuration (ossec.conf), rule set version, alert logs
# Install the Wazuh manager (the indexer and dashboard are separate packages)
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --dearmor -o /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt update && sudo apt install -y wazuh-manager

# CC7.1 / A1.2 - Vulnerability detection and backup monitoring
# Evidence: alert rules, alert history, tickets opened from alerts
# The metric names are whatever your exporters publish; adjust to match.
# PromQL has no now(); time() returns the current Unix timestamp.
sudo mkdir -p /etc/prometheus/rules
cat > /etc/prometheus/rules/compliance.yml << 'EOF'
groups:
- name: compliance
  rules:
  - alert: BackupFailed
    expr: time() - backup_last_success_timestamp > 86400
    for: 15m
    labels:
      severity: critical
    annotations:
      summary: "Backup not completed in 24 hours on {{ $labels.instance }}"
      compliance: "A1.2 - Backup and recovery infrastructure (also CC7.5)"
  - alert: UnpatchedCritical
    expr: package_vulnerability_critical > 0
    for: 7d
    labels:
      severity: high
    annotations:
      summary: "Critical vulnerabilities open longer than the 7-day SLA on {{ $labels.instance }}"
      compliance: "CC7.1 - Vulnerability detection and remediation"
EOF
# Reference the file from prometheus.yml (rule_files: [/etc/prometheus/rules/*.yml])
# and validate it before reloading Prometheus:
promtool check rules /etc/prometheus/rules/compliance.yml

3. ISO 27001 ISMS Setup

Implement an Information Security Management System (ISMS) per ISO/IEC 27001:2022. A certification audit checks the management system clauses 4 to 10 (scope, leadership, risk assessment and treatment, Statement of Applicability, internal audit, management review) as well as the Annex A controls you select, so the documents below are the core of the evidence, not an afterthought.

# ISO 27001 Implementation Steps

# Step 1: Define Scope
cat > /policies/iso27001-scope.md << 'EOF'
# ISMS Scope Statement

## In Scope
- All production IT systems
- Development and staging environments
- Cloud infrastructure (AWS)
- Employee devices accessing company data
- Third-party service providers with data access

## Out of Scope
- Personal devices not accessing company data
- Marketing website (static content only)
- HR systems (separate certification)

## Business Justification
This scope covers all systems processing customer data
and supporting core business operations.
EOF

# Step 2: Risk Assessment (clause 6.1.2)
# The script collects the *inputs* to a risk assessment: the asset inventory,
# open vulnerabilities, configuration state, and who has access. The assessment
# itself (threats per asset, likelihood and impact scoring, comparison against
# the risk acceptance criteria, treatment decisions) lives in the risk register,
# which the auditor reviews together with these outputs.
sudo mkdir -p /scripts /compliance/{assets,vulns,config,access}
cat > /scripts/risk-assessment.sh << 'EOF'
#!/bin/bash
# Collect risk assessment inputs. Run as a user that can invoke docker, aws and lynis.
set -euo pipefail
OUT=/compliance
DATE=$(date +%Y-%m-%d)

echo "=== Asset Inventory ==="
find /var/www -maxdepth 2 -type d > "$OUT/assets/webserver-$DATE.txt"
docker ps -a --format '{{.ID}} {{.Image}} {{.Status}}' > "$OUT/assets/containers-$DATE.txt"
aws ec2 describe-instances --output json > "$OUT/assets/ec2-$DATE.json"

echo "=== Vulnerability Scan ==="
# Scan only ranges you are authorized to test; the ISMS scope statement is that record.
nmap -sV -sC --script vuln 10.0.0.0/24 -oN "$OUT/vulns/network-scan-$DATE.txt"
trivy image --severity HIGH,CRITICAL --format json -o "$OUT/vulns/container-scan-$DATE.json" myapp:latest

echo "=== Configuration Review ==="
sudo lynis audit system --quiet --report-file "$OUT/config/lynis-report-$DATE.dat"
# CIS-CAT Pro (Assessor-CLI.sh, licensed) can be added here for CIS Benchmark scoring.

echo "=== Access Review ==="
# Human accounts only (UID >= 1000 with a login shell); sudo rules for every user,
# not just the caller ("sudo -l" shows only the invoking user's rights)
awk -F: '$3 >= 1000 && $7 !~ /nologin|false/' /etc/passwd > "$OUT/access/users-$DATE.txt"
sudo sh -c 'cat /etc/sudoers /etc/sudoers.d/*' > "$OUT/access/sudo-rights-$DATE.txt"
# Whole-account IAM snapshot: users, groups, roles and their policies in one call
# (list-attached-user-policies needs --user-name and covers one user at a time)
aws iam get-account-authorization-details --output json > "$OUT/access/iam-$DATE.json"

echo "Inputs collected under $OUT/ - update the risk register and treatment plan from them."
EOF
chmod +x /scripts/risk-assessment.sh
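The script above gathers inputs; the assessment itself needs a scoring method and a treatment decision for each risk, and the Statement of Applicability in the next step has to trace its "why applicable" column back to those decisions. The following added example (not code from the original page) shows one way to keep that register in code: inherent and residual scores on 1 to 5 likelihood and impact scales, a treatment decision against an acceptance criterion, and the Annex A controls each treatment justifies. The scales, the acceptance threshold of 8, the control effectiveness numbers and the four risk scenarios are constructed assumptions standing in for your own methodology.

```python
#!/usr/bin/env python3
"""
Risk register and treatment plan (ISO/IEC 27001:2022 clauses 6.1.2 and 6.1.3).

Added example, not part of the original tutorial. Scales, the acceptance
criterion, control effectiveness values and the sample risks are assumptions.
"""
import json
from dataclasses import dataclass, field

# Ordinal scales; the method must be fixed and reused so results are comparable (6.1.2 a)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_ACCEPTANCE = 8   # assumed criterion: a score of 8 or less may be retained


@dataclass
class Control:
    annex_a: str                  # ISO/IEC 27001:2022 Annex A reference
    name: str
    likelihood_reduction: int = 0 # likelihood steps the control removes (assumed)
    impact_reduction: int = 0     # impact steps the control removes (assumed)


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: str
    impact: str
    planned_controls: list = field(default_factory=list)


def inherent_score(r: Risk) -> int:
    """Risk level before treatment: likelihood x impact."""
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]


def residual_score(r: Risk) -> int:
    """Risk level after the planned controls, never below 1 x 1."""
    lik, imp = LIKELIHOOD[r.likelihood], IMPACT[r.impact]
    for c in r.planned_controls:
        lik = max(1, lik - c.likelihood_reduction)
        imp = max(1, imp - c.impact_reduction)
    return lik * imp


def treatment(r: Risk) -> str:
    """Clause 6.1.3 decision. A 'modify' that still leaves the residual above the
    acceptance criterion is flagged so it is not silently accepted."""
    if inherent_score(r) <= RISK_ACCEPTANCE:
        return "retain"
    if residual_score(r) <= RISK_ACCEPTANCE:
        return "modify"
    return "modify - residual above acceptance, needs more controls or management sign-off"


def risk_register(risks: list) -> list:
    """Register rows prioritized by inherent score (clause 6.1.2 e)."""
    return [{"id": r.rid, "asset": r.asset, "threat": r.threat,
             "inherent": inherent_score(r), "residual": residual_score(r),
             "treatment": treatment(r),
             "controls": [c.annex_a for c in r.planned_controls]}
            for r in sorted(risks, key=inherent_score, reverse=True)]


def soa_entries(risks: list) -> dict:
    """Annex A controls justified by risk treatment: the SoA's justification column.
    Retained risks justify no new controls."""
    out = {}
    for r in risks:
        if treatment(r) == "retain":
            continue
        for c in r.planned_controls:
            out.setdefault(c.annex_a, {"name": c.name, "justified_by": []})
            out[c.annex_a]["justified_by"].append(r.rid)
    return out


# Constructed controls and risk scenarios (assumed values)
MFA = Control("A.8.5", "Secure authentication (MFA)", likelihood_reduction=2)
PATCHING = Control("A.8.8", "Management of technical vulnerabilities", likelihood_reduction=1)
BACKUP = Control("A.8.13", "Information backup", impact_reduction=2)
LOGGING = Control("A.8.15", "Logging", impact_reduction=1)

SAMPLE_RISKS = [
    Risk("R1", "Customer database", "Credential theft via phishing", "likely", "severe", [MFA, LOGGING]),
    Risk("R2", "Web application", "Exploitation of unpatched CVE", "possible", "major", [PATCHING]),
    Risk("R3", "Build server", "Ransomware", "possible", "severe", [BACKUP]),
    Risk("R4", "Marketing website", "Defacement", "possible", "minor", []),
]

if __name__ == "__main__":
    print(json.dumps(risk_register(SAMPLE_RISKS), indent=2))
    print(json.dumps(soa_entries(SAMPLE_RISKS), indent=2))
```

R3 is the interesting row: backups cut the impact of ransomware but leave the residual at 9, above the threshold, so the register shows it as not yet treated instead of quietly marking it done. That is the row an auditor asks about, and the one that justifies adding controls (or recording a documented acceptance by management) before the SoA is finalized.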

# Step 3: Statement of Applicability (SoA, clause 6.1.3 d)
# The SoA lists every Annex A control (93 in the 2022 edition), whether it is
# applied, the justification, and implementation status. The excerpt below uses
# ISO/IEC 27001:2022 numbering; a complete SoA covers all 93 controls.
cat > /policies/iso27001-soa.md << 'EOF'
# Statement of Applicability (excerpt)

## Annex A Controls (ISO/IEC 27001:2022)

### A.5 Organizational Controls
- [x] A.5.1 Policies for information security (Implemented)
- [x] A.5.7 Threat intelligence (Implemented)
- [x] A.5.19 Information security in supplier relationships (Implemented - AWS and third-party providers with data access are inside the ISMS scope, so the control applies)

### A.6 People Controls
- [x] A.6.1 Screening (Implemented - background checks)
- [x] A.6.3 Information security awareness, education and training (Implemented - quarterly)
- [x] A.6.4 Disciplinary process (Implemented - HR policy)

### A.7 Physical Controls
- [x] A.7.1 Physical security perimeters (Implemented - datacenter)
- [x] A.7.8 Equipment siting and protection (Implemented - asset inventory maintained under A.5.9)
- [ ] A.7.7 Clear desk and clear screen (Partial - remote work exception documented)

### A.8 Technological Controls
- [x] A.8.1 User endpoint devices (Implemented)
- [x] A.8.8 Management of technical vulnerabilities (Implemented)
- [x] A.8.20 Networks security (Implemented)
- [x] A.8.10 Information deletion (Implemented)
EOF

4. Automated Evidence Collection

Build automated evidence collection for continuous compliance.

#!/usr/bin/env python3
"""
Automated Evidence Collection for Compliance Audits
Collects, validates, and stores evidence for SOC 2, ISO 27001, NIST.

Every record carries a SHA-256 digest and is written to a bucket with
S3 Object Lock enabled, so an auditor can verify it was not altered after
collection. Evidence is *queried* from the systems, never typed in: a
hard-coded "enabled" or a literal date is not evidence.
"""

import hashlib
import json
import subprocess
from datetime import datetime, timedelta, timezone

import boto3


class ComplianceEvidence:
    def __init__(self, bucket='company-compliance-evidence', retention_days=400):
        self.s3 = boto3.client('s3')
        self.ec2 = boto3.client('ec2')
        self.rds = boto3.client('rds')
        self.bucket = bucket                  # must have Object Lock enabled at creation
        self.retention = timedelta(days=retention_days)
        self.date = datetime.now(timezone.utc).strftime('%Y-%m-%d')

    def _record(self, control, framework):
        """Common envelope for one evidence record."""
        return {
            'control': control,
            'framework': framework,
            'collected_at': datetime.now(timezone.utc).isoformat(),
            'evidence': {},
        }

    def collect_access_controls(self):
        """SOC 2 CC6.1 / CC6.3 - logical access and least privilege"""
        evidence = self._record('CC6.1', 'SOC 2')

        # MFA status per user: query your IdP (Okta, Entra ID, AWS IAM, ...) here.
        # For AWS IAM users: iam.get_credential_report() lists mfa_active per user.
        evidence['evidence']['mfa_status'] = []

        # Active sessions and recent logins on this host (argument lists, not shell strings)
        evidence['evidence']['active_sessions'] = subprocess.check_output(['who'], text=True)
        evidence['evidence']['recent_logins'] = subprocess.check_output(['last', '-20'], text=True)

        return self._store_evidence('access-controls', evidence)

    def collect_backup_evidence(self, backup_bucket='company-backups'):
        """SOC 2 A1.2 / CC7.5 - backup and recovery infrastructure"""
        evidence = self._record('A1.2', 'SOC 2')

        # Backups live in their own bucket; today's objects prove the job ran
        response = self.s3.list_objects_v2(Bucket=backup_bucket, Prefix=f'backups/{self.date}')
        evidence['evidence']['recent_backups'] = [
            {'key': obj['Key'], 'size': obj['Size'], 'modified': obj['LastModified'].isoformat()}
            for obj in response.get('Contents', [])
        ]

        # Restore-test result comes from the restore job's own log, not a literal date
        try:
            with open('/var/log/backup/last-restore-test.json') as f:
                evidence['evidence']['last_restore_test'] = json.load(f)
        except FileNotFoundError:
            evidence['evidence']['last_restore_test'] = None  # a gap the auditor will see

        return self._store_evidence('backups', evidence)

    def collect_patch_evidence(self):
        """SOC 2 CC7.1 - vulnerability detection and remediation"""
        evidence = self._record('CC7.1', 'SOC 2')

        # Full installed package list (not a 50-line sample) and pending updates
        evidence['evidence']['packages'] = subprocess.check_output(
            ['dpkg-query', '-W', '-f=${Package} ${Version}\n'], text=True)
        upgradable = subprocess.run(['apt', 'list', '--upgradable'],
                                    capture_output=True, text=True).stdout
        evidence['evidence']['updates_available'] = [
            line for line in upgradable.splitlines() if '/' in line]

        return self._store_evidence('patching', evidence)

    def collect_encryption_evidence(self):
        """ISO 27001:2022 A.8.24 - use of cryptography (A.10.1 in the 2013 edition)"""
        evidence = self._record('A.8.24', 'ISO 27001')

        # Query the actual state; these API responses are the evidence
        evidence['evidence']['ebs_encryption_by_default'] = \
            self.ec2.get_ebs_encryption_by_default()['EbsEncryptionByDefault']

        evidence['evidence']['rds_instances'] = [
            {'id': db['DBInstanceIdentifier'], 'encrypted': db['StorageEncrypted']}
            for db in self.rds.describe_db_instances()['DBInstances']
        ]

        enc = self.s3.get_bucket_encryption(Bucket=self.bucket)
        evidence['evidence']['evidence_bucket_encryption'] = \
            enc['ServerSideEncryptionConfiguration']['Rules']

        # TLS policy belongs to the TLS terminator: read it from there (for an ALB,
        # elbv2 describe_listeners -> SslPolicy) instead of asserting a version list.
        evidence['evidence']['tls_policy'] = None

        return self._store_evidence('encryption', evidence)

    def _store_evidence(self, category, evidence):
        """Store evidence as a WORM object: Object Lock COMPLIANCE mode plus a digest."""
        body = json.dumps(evidence, indent=2, default=str).encode()
        digest = hashlib.sha256(body).hexdigest()
        key = f'{self.date}/{category}.json'
        self.s3.put_object(
            Bucket=self.bucket,
            Key=key,
            Body=body,
            ServerSideEncryption='AES256',          # 'aws:kms' with a CMK adds a key-usage audit trail
            ObjectLockMode='COMPLIANCE',            # cannot be shortened or deleted, even by root
            ObjectLockRetainUntilDate=datetime.now(timezone.utc) + self.retention,
            Metadata={'sha256': digest, 'control': evidence['control']},
        )
        return f's3://{self.bucket}/{key} sha256={digest}'


# Run evidence collection
if __name__ == '__main__':
    collector = ComplianceEvidence()

    print("Collecting compliance evidence...")
    print(f"Access controls: {collector.collect_access_controls()}")
    print(f"Backup evidence: {collector.collect_backup_evidence()}")
    print(f"Patch evidence: {collector.collect_patch_evidence()}")
    print(f"Encryption evidence: {collector.collect_encryption_evidence()}")
    print("Evidence collection complete!")
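The collector above stores a SHA-256 digest with each object, but a digest kept next to the object it protects only proves that the two still match each other; whoever can rewrite the object can rewrite the digest. The following added example (not part of the original page's collector) builds a chained manifest over a whole evidence package and HMAC-signs the chain head with a key the collector holds and the bucket does not, so the "final evidence review" before an audit can prove that no record was altered, removed or reordered after collection. The signing key, record names and evidence contents are constructed assumptions.

```python
#!/usr/bin/env python3
"""
Tamper-evident evidence manifest.

Added example, not the original page's code. Each manifest entry's digest covers
the record *and* the previous entry's digest, so removing or reordering a record
breaks the chain; the chain head is HMAC-signed with a key the evidence bucket
never sees. Key, names and records below are constructed for illustration.
"""
import hashlib
import hmac
import json

# Assumed: in practice fetched from a secrets manager by the collector only
SIGNING_KEY = b"collector-signing-key-not-stored-in-the-bucket"


def canonical(record: dict) -> bytes:
    """Deterministic serialization so key order and whitespace cannot change the digest."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"), default=str).encode()


def build_manifest(records: dict, signing_key: bytes) -> dict:
    """records: {name: evidence_dict}. Returns the chained, signed manifest."""
    entries, prev = [], "0" * 64
    for name in sorted(records):
        digest = hashlib.sha256(prev.encode() + canonical(records[name])).hexdigest()
        entries.append({"name": name, "sha256": digest, "prev": prev})
        prev = digest
    tag = hmac.new(signing_key, prev.encode(), hashlib.sha256).hexdigest()
    return {"entries": entries, "head": prev, "hmac_sha256": tag}


def verify_manifest(records: dict, manifest: dict, signing_key: bytes) -> list:
    """Returns a list of problems; an empty list means the package is intact."""
    problems, prev = [], "0" * 64
    listed = {e["name"] for e in manifest["entries"]}
    for extra in sorted(set(records) - listed):
        problems.append(f"{extra}: not in manifest")
    for e in manifest["entries"]:
        rec = records.get(e["name"])
        if rec is None:
            problems.append(f"{e['name']}: missing from package")
            prev = e["sha256"]
            continue
        if e["prev"] != prev:
            problems.append(f"{e['name']}: chain broken")
        expected = hashlib.sha256(prev.encode() + canonical(rec)).hexdigest()
        if expected != e["sha256"]:
            problems.append(f"{e['name']}: content changed")
        prev = e["sha256"]  # continue along the manifest's chain to isolate the bad entry
    tag = hmac.new(signing_key, manifest["head"].encode(), hashlib.sha256).hexdigest()
    if prev != manifest["head"] or not hmac.compare_digest(tag, manifest["hmac_sha256"]):
        problems.append("manifest signature invalid")
    return problems


# Constructed evidence records, shaped like the collector's output
SAMPLE_RECORDS = {
    "access-controls": {"control": "CC6.1", "framework": "SOC 2",
                        "evidence": {"mfa_enforced_users": 42, "users_without_mfa": 0}},
    "patching": {"control": "CC7.1", "framework": "SOC 2",
                 "evidence": {"critical_open": 0, "updates_available": []}},
    "backups": {"control": "A1.2", "framework": "SOC 2",
                "evidence": {"recent_backups": ["backups/2026-03-28/db.tar.gz"]}},
}

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_RECORDS, SIGNING_KEY)
    print(json.dumps(manifest, indent=2))
    print("intact:", verify_manifest(SAMPLE_RECORDS, manifest, SIGNING_KEY))
    tampered = dict(SAMPLE_RECORDS)
    tampered["patching"] = {**SAMPLE_RECORDS["patching"], "evidence": {"critical_open": 3}}
    print("after edit:", verify_manifest(tampered, manifest, SIGNING_KEY))
```

Store the manifest alongside the evidence objects and the signing key with the collector only. A reviewer then needs just the package, the manifest and the key to reproduce the check, and an attacker who can write to the bucket can replace records but cannot produce a manifest that verifies.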

5. Audit Preparation

Prepare for compliance audits with proper documentation.

# Audit Preparation Checklist

cat > /compliance/audit-preparation.md << 'EOF'
# Audit Preparation Checklist

## 30 Days Before Audit
- [ ] Complete self-assessment against all controls
- [ ] Gather evidence for all controls
- [ ] Review and update all policies
- [ ] Conduct access review for all systems
- [ ] Verify all backups are current
- [ ] Test disaster recovery procedures
- [ ] Review third-party vendor assessments
- [ ] Schedule pre-audit meeting with auditor

## 14 Days Before Audit
- [ ] Finalize evidence package
- [ ] Create evidence index/mapping document
- [ ] Prepare system demonstrations
- [ ] Brief all staff on audit process
- [ ] Verify all documentation is signed/dated
- [ ] Review open findings from previous audits
- [ ] Prepare remediation evidence for prior findings

## 7 Days Before Audit
- [ ] Final evidence review
- [ ] Confirm auditor access to systems
- [ ] Prepare conference room for audit meetings
- [ ] Create audit contact list
- [ ] Test all evidence links/access
- [ ] Prepare executive summary

## Audit Week
- [ ] Daily standup with audit team
- [ ] Designated single point of contact
- [ ] Real-time evidence requests handling
- [ ] Daily progress tracking
- [ ] Issue log maintenance
EOF

# Evidence Index Template
# Control numbers follow the 2017 Trust Services Criteria; keep the description
# column close to the criterion's wording so the auditor can map it without asking.
cat > /compliance/evidence-index.md << 'EOF'
# Evidence Index

## Risk Assessment (CC3)

| Control | Description | Evidence Location | Status |
|---------|-------------|-------------------|--------|
| CC3.2 | Risk identification and analysis | Risk register + assessment reports | ✓ |
| CC3.3 | Fraud risk considered in the assessment | Internal controls + audit logs | ✓ |

## Logical and Physical Access Controls (CC6)

| Control | Description | Evidence Location | Status |
|---------|-------------|-------------------|--------|
| CC6.1 | Logical access security (authentication, MFA, least privilege) | s3://company-compliance-evidence/2026-03/access-controls.json | ✓ |
| CC6.2 | New user registration and authorization | /policies/onboarding.md + HR records | ✓ |
| CC6.3 | Access modification and removal, privileged access | /scripts/offboarding.md + termination log + /compliance/access/sudo-rights.txt | ✓ |
| CC6.4 | Physical access to facilities | Datacenter access logs + visitor register | ✓ |
| CC6.5 | Disposal of physical assets and the data on them | Asset disposal certificates | ✓ |
| CC6.6 | Boundary protection against external threats | Firewall / security group configuration | ✓ |
| CC6.7 | Protection of data in transit and on removable media | TLS policy + rsyslog TLS config + removable media policy | ✓ |
| CC6.8 | Prevention and detection of unauthorized or malicious software | Wazuh alerts + endpoint protection reports | ✓ |

## System Operations (CC7), Change Management (CC8) and Vendors (CC9)

| Control | Description | Evidence Location | Status |
|---------|-------------|-------------------|--------|
| CC7.1 | Vulnerability and configuration change detection | Trivy reports + patch logs + UnpatchedCritical alert history | ✓ |
| CC7.2 | Monitoring for anomalies and security events | Wazuh dashboard + Prometheus/Grafana dashboards | ✓ |
| CC7.3 | Evaluation of security events | SIEM triage records | ✓ |
| CC7.4 | Incident response | Incident tickets + post-incident reviews | ✓ |
| CC7.5 | Recovery from incidents | DR test results + restore test log | ✓ |
| CC8.1 | Change management (authorization, testing, approval) | Git commit history + PR approvals + deployment logs | ✓ |
| CC9.2 | Vendor and business partner risk | /vendors/access-requests/ + vendor assessments | ✓ |
EOF

6. Continuous Compliance

Implement continuous compliance monitoring and automation.

# Continuous Compliance Checks

# Encode the control requirements as policy with Open Policy Agent (OPA).
# The policy reads one input document: {"users": [...], "packages": [...], "changes": [...]}
# exported from the IdP, the vulnerability scanner and the CI/CD system.
# "import rego.v1" makes the syntax valid on both OPA 0.59+ and OPA 1.x.
sudo mkdir -p /policies /data /compliance/reports
cat > /policies/compliance.rego << 'EOF'
package compliance

import rego.v1

# SOC 2 CC6.1 - MFA required for every human account
# (a missing mfa_enabled field counts as a violation: fail closed)
mfa_violation contains user.name if {
  some user in input.users
  user.role != "service-account"
  not user.mfa_enabled
}

# CC7.1 - critical vulnerabilities remediated within 7 days of being open
patch_violation contains pkg.name if {
  some pkg in input.packages
  pkg.vulnerability_severity == "critical"
  pkg.open_days > 7
}

# CC8.1 - production changes need two approvers (approved_by is a list of identities)
change_violation contains change.id if {
  some change in input.changes
  change.environment == "production"
  count(change.approved_by) < 2
}

violation_count := count(mfa_violation) + count(patch_violation) + count(change_violation)

default compliant := false

compliant if violation_count == 0

# One document the check script consumes directly
summary := {
  "mfa": count(mfa_violation),
  "patches": count(patch_violation),
  "changes": count(change_violation),
  "compliant": compliant
}
EOF

# Automated compliance check script
cat > /scripts/compliance-check.sh << 'EOF'
#!/bin/bash
# Daily compliance check: evaluate the policy against exported state and report.
set -euo pipefail

DATE=$(date +%Y-%m-%d)
INPUT=/data/compliance-input.json
REPORT="/compliance/reports/daily-${DATE}.json"

echo "Starting compliance check..."

# -d loads the policy, -i the input; queries need the "data." prefix and
# -f raw prints the bare value instead of OPA's result envelope
SUMMARY=$(opa eval -f raw -d /policies/compliance.rego -i "$INPUT" 'data.compliance.summary')

MFA_STATUS=$(jq -r '.mfa' <<< "$SUMMARY")
PATCH_STATUS=$(jq -r '.patches' <<< "$SUMMARY")
CHANGE_STATUS=$(jq -r '.changes' <<< "$SUMMARY")
COMPLIANT=$(jq -r '.compliant' <<< "$SUMMARY")

# Generate report (jq builds valid JSON; no hand-assembled braces)
jq -n --arg date "$DATE" --argjson summary "$SUMMARY" \
  '{date: $date, violations: ($summary | del(.compliant)), compliant: ($summary | .compliant)}' \
  > "$REPORT"

# Alert if violations found
if [ "$COMPLIANT" != "true" ]; then
  : "${SLACK_WEBHOOK_URL:?set SLACK_WEBHOOK_URL in the cron environment}"
  curl -fsS -X POST -H "Content-Type: application/json" \
    -d "{\"text\":\"🚨 Compliance violations detected! MFA: $MFA_STATUS, Patches: $PATCH_STATUS, Changes: $CHANGE_STATUS\"}" \
    "$SLACK_WEBHOOK_URL"
fi

echo "Compliance check complete. Report: $REPORT"
EOF
chmod +x /scripts/compliance-check.sh

# Add to cron for daily execution. Append to the existing crontab:
# "echo ... | crontab -" on its own would replace every existing entry.
(crontab -l 2>/dev/null; echo "0 6 * * * /scripts/compliance-check.sh") | crontab -

# Compliance dashboard with Grafana. The metric names below (compliance_control_status,
# evidence_collected, evidence_required, compliance_violations_by_control) are placeholders:
# something, for example a small exporter that reads the daily reports, has to publish them to Prometheus.
cat > /grafana/compliance-dashboard.json << 'EOF'
{
  "dashboard": {
    "title": "Compliance Monitoring",
    "panels": [
      {
        "title": "SOC 2 Control Status",
        "type": "stat",
        "targets": [{
          "expr": "sum(compliance_control_status{framework=\"SOC2\"})"
        }]
      },
      {
        "title": "Evidence Collection Status",
        "type": "gauge",
        "targets": [{
          "expr": "sum(evidence_collected) / sum(evidence_required) * 100"
        }]
      },
      {
        "title": "Open Violations by Control",
        "type": "bargauge",
        "targets": [{
          "expr": "compliance_violations_by_control"
        }]
      }
    ]
  }
}
EOF

Best Practices

Compliance Success Principles:
  • Start Early: Begin compliance work months before audit
  • Automate Evidence: Manual evidence collection doesn't scale
  • Continuous Compliance: Don't wait for audit season
  • Document Everything: If it's not documented, it didn't happen
  • Train Your Team: Compliance is everyone's responsibility

Assessment

1. What does SOC 2 stand for?

2. Which ISO standard covers Information Security Management?

3. What are the five functions of NIST CSF?


Resources