home / skills / aj-geddes / useful-ai-prompts / security-compliance-audit
This skill conducts comprehensive security compliance audits across SOC 2, GDPR, HIPAA, PCI-DSS, and ISO 27001 to prep for certification.
npx playbooks add skill aj-geddes/useful-ai-prompts --skill security-compliance-auditReview the files below or copy the command above to add this skill to your agents.
---
name: security-compliance-audit
description: Conduct comprehensive security compliance audits for SOC 2, GDPR, HIPAA, PCI-DSS, and ISO 27001. Use when preparing for certification, annual audits, or compliance validation.
---
# Security Compliance Audit
## Overview
Systematic evaluation of security controls, policies, and procedures to ensure compliance with industry standards and regulatory requirements.
## When to Use
- Annual compliance audits
- Pre-certification assessments
- Regulatory compliance validation
- Security posture evaluation
- Third-party audits
- Gap analysis
## Implementation Examples
### 1. **Automated Compliance Checker**
```python
# compliance_auditor.py
from dataclasses import dataclass, field
from typing import List, Dict
from enum import Enum
import json
from datetime import datetime
class ComplianceFramework(Enum):
SOC2 = "SOC 2"
GDPR = "GDPR"
HIPAA = "HIPAA"
PCI_DSS = "PCI-DSS"
ISO_27001 = "ISO 27001"
class ControlStatus(Enum):
COMPLIANT = "compliant"
NON_COMPLIANT = "non_compliant"
PARTIALLY_COMPLIANT = "partially_compliant"
NOT_APPLICABLE = "not_applicable"
@dataclass
class Control:
control_id: str
framework: ComplianceFramework
category: str
description: str
requirement: str
status: ControlStatus
evidence: List[str] = field(default_factory=list)
findings: List[str] = field(default_factory=list)
remediation: str = ""
owner: str = ""
due_date: str = ""
class ComplianceAuditor:
def __init__(self, framework: ComplianceFramework):
self.framework = framework
self.controls: List[Control] = []
self.load_controls()
def load_controls(self):
"""Load compliance controls for the framework"""
if self.framework == ComplianceFramework.SOC2:
self.load_soc2_controls()
elif self.framework == ComplianceFramework.GDPR:
self.load_gdpr_controls()
elif self.framework == ComplianceFramework.HIPAA:
self.load_hipaa_controls()
elif self.framework == ComplianceFramework.PCI_DSS:
self.load_pci_dss_controls()
def load_soc2_controls(self):
"""Load SOC 2 Trust Service Criteria"""
soc2_controls = [
{
'control_id': 'CC6.1',
'category': 'Logical and Physical Access Controls',
'description': 'Restrict logical access',
'requirement': 'Implement authentication and authorization mechanisms'
},
{
'control_id': 'CC6.2',
'category': 'Logical and Physical Access Controls',
'description': 'Use encryption',
'requirement': 'Encrypt data in transit and at rest'
},
{
'control_id': 'CC6.6',
'category': 'Logical and Physical Access Controls',
'description': 'Restrict physical access',
'requirement': 'Implement physical access controls'
},
{
'control_id': 'CC7.2',
'category': 'System Monitoring',
'description': 'Detect security incidents',
'requirement': 'Implement monitoring and alerting'
},
{
'control_id': 'CC7.3',
'category': 'System Monitoring',
'description': 'Evaluate security events',
'requirement': 'Review and analyze security logs'
}
]
for ctrl in soc2_controls:
self.controls.append(Control(
control_id=ctrl['control_id'],
framework=self.framework,
category=ctrl['category'],
description=ctrl['description'],
requirement=ctrl['requirement'],
status=ControlStatus.NOT_APPLICABLE
))
def load_gdpr_controls(self):
"""Load GDPR requirements"""
gdpr_controls = [
{
'control_id': 'Art.5',
'category': 'Data Processing Principles',
'description': 'Lawfulness, fairness, and transparency',
'requirement': 'Process data lawfully, fairly, and transparently'
},
{
'control_id': 'Art.15',
'category': 'Data Subject Rights',
'description': 'Right of access',
'requirement': 'Provide data subject access to their data'
},
{
'control_id': 'Art.17',
'category': 'Data Subject Rights',
'description': 'Right to erasure',
'requirement': 'Implement data deletion capabilities'
},
{
'control_id': 'Art.25',
'category': 'Data Protection by Design',
'description': 'Privacy by design and default',
'requirement': 'Implement privacy from the start'
},
{
'control_id': 'Art.32',
'category': 'Security of Processing',
'description': 'Security measures',
'requirement': 'Implement appropriate technical and organizational measures'
},
{
'control_id': 'Art.33',
'category': 'Data Breach',
'description': 'Breach notification',
'requirement': 'Notify breaches within 72 hours'
}
]
for ctrl in gdpr_controls:
self.controls.append(Control(
control_id=ctrl['control_id'],
framework=self.framework,
category=ctrl['category'],
description=ctrl['description'],
requirement=ctrl['requirement'],
status=ControlStatus.NOT_APPLICABLE
))
def load_pci_dss_controls(self):
"""Load PCI-DSS requirements"""
pci_controls = [
{
'control_id': '1.1',
'category': 'Build and Maintain Secure Network',
'description': 'Firewall configuration standards',
'requirement': 'Install and maintain firewall configuration'
},
{
'control_id': '3.4',
'category': 'Protect Cardholder Data',
'description': 'Render PAN unreadable',
'requirement': 'Encrypt cardholder data'
},
{
'control_id': '6.5',
'category': 'Maintain Vulnerability Management',
'description': 'Address common vulnerabilities',
'requirement': 'Protect against OWASP Top 10'
},
{
'control_id': '8.2',
'category': 'Implement Strong Access Control',
'description': 'Multi-factor authentication',
'requirement': 'Implement MFA for all users'
},
{
'control_id': '10.2',
'category': 'Regularly Monitor and Test Networks',
'description': 'Audit trails',
'requirement': 'Implement audit logging for all access'
}
]
for ctrl in pci_controls:
self.controls.append(Control(
control_id=ctrl['control_id'],
framework=self.framework,
category=ctrl['category'],
description=ctrl['description'],
requirement=ctrl['requirement'],
status=ControlStatus.NOT_APPLICABLE
))
def load_hipaa_controls(self):
"""Load HIPAA requirements"""
hipaa_controls = [
{
'control_id': '164.308(a)(1)',
'category': 'Administrative Safeguards',
'description': 'Security management process',
'requirement': 'Implement security management procedures'
},
{
'control_id': '164.312(a)(1)',
'category': 'Technical Safeguards',
'description': 'Access control',
'requirement': 'Implement unique user identification'
},
{
'control_id': '164.312(a)(2)(iv)',
'category': 'Technical Safeguards',
'description': 'Encryption',
'requirement': 'Encrypt ePHI at rest and in transit'
},
{
'control_id': '164.312(b)',
'category': 'Technical Safeguards',
'description': 'Audit controls',
'requirement': 'Implement audit logging mechanisms'
},
{
'control_id': '164.308(a)(6)',
'category': 'Administrative Safeguards',
'description': 'Incident response',
'requirement': 'Implement security incident procedures'
}
]
for ctrl in hipaa_controls:
self.controls.append(Control(
control_id=ctrl['control_id'],
framework=self.framework,
category=ctrl['category'],
description=ctrl['description'],
requirement=ctrl['requirement'],
status=ControlStatus.NOT_APPLICABLE
))
def assess_control(self, control_id: str, status: ControlStatus,
evidence: List[str] = None, findings: List[str] = None,
remediation: str = "", owner: str = "", due_date: str = ""):
"""Assess a specific control"""
for control in self.controls:
if control.control_id == control_id:
control.status = status
control.evidence = evidence or []
control.findings = findings or []
control.remediation = remediation
control.owner = owner
control.due_date = due_date
break
def generate_report(self) -> Dict:
"""Generate compliance audit report"""
summary = {
'compliant': 0,
'non_compliant': 0,
'partially_compliant': 0,
'not_applicable': 0
}
categories = {}
for control in self.controls:
# Update summary
summary[control.status.value] += 1
# Group by category
if control.category not in categories:
categories[control.category] = {
'controls': [],
'compliant': 0,
'non_compliant': 0
}
categories[control.category]['controls'].append({
'control_id': control.control_id,
'description': control.description,
'status': control.status.value,
'findings': control.findings,
'remediation': control.remediation
})
if control.status == ControlStatus.COMPLIANT:
categories[control.category]['compliant'] += 1
elif control.status == ControlStatus.NON_COMPLIANT:
categories[control.category]['non_compliant'] += 1
total_assessed = len([c for c in self.controls if c.status != ControlStatus.NOT_APPLICABLE])
compliance_rate = (summary['compliant'] / total_assessed * 100) if total_assessed > 0 else 0
return {
'framework': self.framework.value,
'timestamp': datetime.now().isoformat(),
'summary': summary,
'compliance_rate': f"{compliance_rate:.2f}%",
'categories': categories,
'action_items': self.get_action_items()
}
def get_action_items(self) -> List[Dict]:
"""Get prioritized action items"""
action_items = []
for control in self.controls:
if control.status in [ControlStatus.NON_COMPLIANT, ControlStatus.PARTIALLY_COMPLIANT]:
action_items.append({
'control_id': control.control_id,
'category': control.category,
'description': control.description,
'status': control.status.value,
'findings': control.findings,
'remediation': control.remediation,
'owner': control.owner,
'due_date': control.due_date
})
return sorted(action_items, key=lambda x: x['status'] == 'non_compliant', reverse=True)
def export_report(self, filename: str):
"""Export report to JSON"""
report = self.generate_report()
with open(filename, 'w') as f:
json.dump(report, f, indent=2)
print(f"Report exported to {filename}")
# Usage
if __name__ == '__main__':
# SOC 2 Audit
auditor = ComplianceAuditor(ComplianceFramework.SOC2)
# Assess controls
auditor.assess_control(
'CC6.1',
ControlStatus.COMPLIANT,
evidence=['MFA enabled', 'RBAC implemented'],
findings=[]
)
auditor.assess_control(
'CC6.2',
ControlStatus.PARTIALLY_COMPLIANT,
evidence=['TLS enabled'],
findings=['Data at rest not encrypted'],
remediation='Implement database encryption',
owner='Security Team',
due_date='2024-03-31'
)
auditor.assess_control(
'CC7.2',
ControlStatus.NON_COMPLIANT,
findings=['No security monitoring in place'],
remediation='Implement SIEM solution',
owner='Infrastructure Team',
due_date='2024-02-28'
)
# Generate report
report = auditor.generate_report()
print(f"\n=== {report['framework']} Compliance Audit ===")
print(f"Compliance Rate: {report['compliance_rate']}")
print(f"\nSummary:")
print(f" Compliant: {report['summary']['compliant']}")
print(f" Non-Compliant: {report['summary']['non_compliant']}")
print(f" Partially Compliant: {report['summary']['partially_compliant']}")
print(f"\nAction Items: {len(report['action_items'])}")
for item in report['action_items'][:5]:
print(f" - {item['control_id']}: {item['description']}")
# Export
auditor.export_report('compliance-audit-report.json')
```
### 2. **Node.js Compliance Automation**
```javascript
// compliance-automation.js
const axios = require('axios');
const fs = require('fs').promises;
class ComplianceAutomation {
constructor() {
this.checks = [];
}
// Check encryption at rest
async checkEncryptionAtRest() {
console.log('Checking encryption at rest...');
const findings = [];
// Check database encryption
// Implementation would connect to actual database
const dbEncrypted = false;
if (!dbEncrypted) {
findings.push('Database encryption not enabled');
}
return {
control: 'Encryption at Rest',
compliant: findings.length === 0,
findings
};
}
// Check encryption in transit
async checkEncryptionInTransit() {
console.log('Checking encryption in transit...');
const findings = [];
const endpoints = ['https://api.example.com'];
for (const endpoint of endpoints) {
try {
const response = await axios.get(endpoint, {
httpsAgent: new (require('https')).Agent({
rejectUnauthorized: true,
minVersion: 'TLSv1.2'
})
});
// Check TLS version and cipher
const tls = response.request.socket.getProtocol();
const cipher = response.request.socket.getCipher();
if (!tls.includes('TLSv1.2') && !tls.includes('TLSv1.3')) {
findings.push(`Weak TLS version: ${tls}`);
}
if (cipher.name.includes('DES') || cipher.name.includes('RC4')) {
findings.push(`Weak cipher: ${cipher.name}`);
}
} catch (error) {
findings.push(`TLS check failed: ${error.message}`);
}
}
return {
control: 'Encryption in Transit',
compliant: findings.length === 0,
findings
};
}
// Check access controls
async checkAccessControls() {
console.log('Checking access controls...');
const findings = [];
// Check MFA
const mfaEnabled = true; // Check actual MFA status
if (!mfaEnabled) {
findings.push('MFA not enabled for all users');
}
// Check password policy
const passwordPolicy = {
minLength: 12,
requireUppercase: true,
requireNumbers: true,
requireSpecial: true
};
if (passwordPolicy.minLength < 12) {
findings.push('Password minimum length less than 12');
}
return {
control: 'Access Controls',
compliant: findings.length === 0,
findings
};
}
// Check audit logging
async checkAuditLogging() {
console.log('Checking audit logging...');
const findings = [];
// Check log retention
const logRetentionDays = 90;
if (logRetentionDays < 90) {
findings.push('Log retention less than 90 days');
}
// Check log events
const requiredEvents = [
'authentication',
'authorization',
'data_access',
'configuration_changes'
];
const loggedEvents = ['authentication', 'authorization'];
const missingEvents = requiredEvents.filter(e => !loggedEvents.includes(e));
if (missingEvents.length > 0) {
findings.push(`Missing log events: ${missingEvents.join(', ')}`);
}
return {
control: 'Audit Logging',
compliant: findings.length === 0,
findings
};
}
async runAllChecks() {
this.checks = [
await this.checkEncryptionAtRest(),
await this.checkEncryptionInTransit(),
await this.checkAccessControls(),
await this.checkAuditLogging()
];
return this.generateReport();
}
generateReport() {
const compliant = this.checks.filter(c => c.compliant).length;
const nonCompliant = this.checks.length - compliant;
const complianceRate = (compliant / this.checks.length) * 100;
return {
timestamp: new Date().toISOString(),
summary: {
total: this.checks.length,
compliant,
nonCompliant,
complianceRate: `${complianceRate.toFixed(2)}%`
},
checks: this.checks
};
}
}
// Usage
async function main() {
const automation = new ComplianceAutomation();
const report = await automation.runAllChecks();
console.log('\n=== Compliance Report ===');
console.log(`Compliance Rate: ${report.summary.complianceRate}`);
console.log(`Compliant: ${report.summary.compliant}/${report.summary.total}`);
await fs.writeFile('compliance-report.json', JSON.stringify(report, null, 2));
}
main().catch(console.error);
```
## Best Practices
### ✅ DO
- Automate compliance checks
- Document all controls
- Maintain evidence repository
- Conduct regular audits
- Track remediation progress
- Involve stakeholders
- Keep policies updated
### ❌ DON'T
- Skip documentation
- Ignore findings
- Delay remediation
- Cherry-pick controls
- Forget evidence collection
## Compliance Frameworks
- **SOC 2**: Trust Service Criteria
- **GDPR**: Data protection
- **HIPAA**: Healthcare data
- **PCI-DSS**: Payment card data
- **ISO 27001**: Information security
- **NIST**: Cybersecurity framework
## Resources
- [SOC 2 Compliance Guide](https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html)
- [GDPR Official Text](https://gdpr-info.eu/)
- [PCI-DSS Requirements](https://www.pcisecuritystandards.org/)
- [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework)
This skill performs comprehensive security compliance audits across SOC 2, GDPR, HIPAA, PCI-DSS, and ISO 27001. It helps teams prepare for certification, validate regulatory posture, and produce prioritized remediation action items and exportable audit reports. The workflow is lightweight and automatable for repeatable annual or pre-certification assessments.
The auditor loads framework-specific control sets and tracks each control's status (compliant, non-compliant, partially compliant, or not applicable). Assessments capture evidence, findings, remediation, owner, and due date. The skill generates a summary, compliance rate, categorized control details, prioritized action items, and can export a JSON report for stakeholders.
Can I customize control sets for my organization?
Yes. Controls can be extended or modified to match organizational scope, custom processes, or additional regulatory requirements.
How are action items prioritized?
Action items are prioritized by status, with non-compliant controls surfaced first, and include owner and due date to drive remediation.