陌讯skills聚合平台

compliance-auditor

📁 404kidwiz/claude-supercode-skills 📅 Jan 24, 2026
31
总安装量
31
周安装量
#6518
全站排名
安装命令
npx skills add https://github.com/404kidwiz/claude-supercode-skills --skill compliance-auditor

Agent 安装分布

claude-code 25
opencode 23
cursor 21
windsurf 19
codex 18

Skill 文档

Compliance Auditor Skill

Purpose

Provides regulatory compliance auditing expertise specializing in SOC2, HIPAA, GDPR, and industry-specific compliance frameworks. Conducts gap analysis, evidence collection, control assessments, and remediation guidance to ensure organizations meet regulatory requirements and security standards.

When to Use

  • Conducting SOC 2 Type I & II audits
  • Ensuring HIPAA compliance for healthcare systems
  • Implementing GDPR data privacy requirements
  • Preparing for PCI DSS assessments
  • Mapping compliance requirements to organizational controls
  • Performing gap analysis and remediation planning

Overview

Expert in regulatory compliance auditing, specializing in SOC2, HIPAA, GDPR, and industry-specific compliance frameworks with gap analysis and remediation guidance.

Compliance Frameworks

Financial & Business Compliance

  • SOC 2 Type I & II – Service Organization Control reporting
  • SOX – Sarbanes-Oxley Act compliance
  • PCI DSS – Payment Card Industry Data Security Standard
  • GLBA – Gramm-Leach-Bliley Act

Healthcare Compliance

  • HIPAA – Health Insurance Portability and Accountability Act
  • HITECH – Health Information Technology for Economic and Clinical Health
  • HITECH – Omnibus Rule provisions
  • 21 CFR Part 11 – Electronic signatures and records

Data Privacy & Protection

  • GDPR – General Data Protection Regulation (EU)
  • CCPA/CPRA – California Consumer Privacy Act/Privacy Rights Act
  • PIPEDA – Personal Information Protection and Electronic Documents Act
  • LGPD – Lei Geral de Proteção de Dados (Brazil)

Industry-Specific Standards

  • ISO 27001 – Information Security Management
  • ISO 27701 – Privacy Information Management
  • NIST Cybersecurity Framework – Critical infrastructure
  • CMMC – Cybersecurity Maturity Model Certification

Core Audit Competencies

Evidence Collection & Analysis

# Example patterns for compliance evidence
grep -r "audit" config/ --include="*.json" --include="*.yml" --include="*.properties"
grep -r "access" policies/ --include="*.md" --include="*.txt" --include="*.doc"
grep -r "retention" procedures/ --include="*.md" --include="*.pdf"

Control Assessment

  • Design effectiveness evaluation
  • Operating effectiveness testing
  • Control gap identification
  • Remediation timeline development
  • Continuous monitoring implementation

Documentation Review

  • Policy and procedure analysis
  • Evidence collection validation
  • Risk assessment methodology review
  • Incident response documentation
  • Third-party assessment reports

Audit Methodology

Planning & Scoping

  • Compliance requirement mapping
  • Risk-based approach development
  • Sampling methodology design
  • Stakeholder interviews
  • Documentation requests

Fieldwork Execution

  • Control testing procedures
  • Evidence collection protocols
  • Process walk-throughs
  • System configuration reviews
  • Staff competency validation

Reporting & Findings

  • Gap analysis documentation
  • Risk rating assignments
  • Remediation recommendations
  • Implementation roadmaps
  • Executive summary preparation

Specific Compliance Areas

SOC 2 Trust Services Criteria

  • Security – System protection against unauthorized access
  • Availability – System availability for operation and use
  • Processing Integrity – System processing completeness and accuracy
  • Confidentiality – Information protection from unauthorized disclosure
  • Privacy – Personal information collection and use controls

HIPAA Administrative Safeguards

  • Security officer designation
  • Workforce security procedures
  • Information access management
  • Security awareness and training
  • Security incident procedures

GDPR Data Protection Requirements

  • Lawfulness of processing
  • Purpose limitation principles
  • Data minimization practices
  • Accuracy maintenance procedures
  • Storage limitation implementations

Audit Scenarios

Cloud Service Provider Assessment

  • AWS/Azure/GCP security configurations
  • Multi-tenancy isolation controls
  • Data encryption verification
  • Service provider due diligence
  • Subprocessor management

Software Development Lifecycle

  • Secure coding practices
  • Change management procedures
  • Code review processes
  • Security testing integration
  • DevSecOps pipeline compliance

Third-Party Risk Management

  • Vendor assessment procedures
  • Contract compliance verification
  • Service level agreement monitoring
  • Data processing agreement review
  • Supply chain security validation

Deliverables

Compliance Reports

  • Comprehensive audit findings
  • Gap analysis with remediation plans
  • Control effectiveness ratings
  • Risk mitigation strategies
  • Compliance dashboard development

Skill-Specific Scripts and References

Available Compliance Auditor Scripts

Located in scripts/ directory:

  • check_gdpr.py – GDPR compliance checking (data minimization, consent, right to erasure)
  • validate_hipaa.py – HIPAA validation (PHI protection, audit controls)
  • collect_soc2_evidence.py – SOC 2 evidence collection (Security, Availability, Processing Integrity, Confidentiality, Privacy)
  • scan_pci_dss.py – PCI DSS scanning (cardholder data, encryption standards)
  • validate_nist.py – NIST controls validation (CSF, SP 800-53)
  • assess_iso27001.py – ISO 27001 assessment (ISMS controls)
  • generate_report.py – Compliance report generation

Available Compliance Auditor References

Located in references/ directory:

  • gdpr_requirements.md – GDPR requirements and compliance checks
  • hipaa_guidelines.md – HIPAA guidelines and controls
  • soc2_controls.md – SOC 2 Type 2 examination criteria and controls
  • pci_dss_standard.md – PCI DSS v4.0 requirements and compliance checklist
  • nist_controls.md – NIST Cybersecurity Framework and SP 800-53 controls
  • iso27001_mapping.md – ISO 27001 control mapping and implementation guidance

Script Usage Examples

# GDPR compliance check
python3 scripts/check_gdpr.py . --config config/compliance.yaml --output gdpr_report.json

# HIPAA validation
python3 scripts/validate_hipaa.py . --format text

# SOC 2 evidence collection
python3 scripts/collect_soc2_evidence.py . --framework SOC2_Type2 --output soc2_evidence/

# PCI DSS scanning
python3 scripts/scan_pci_dss.py . --scan_level full

# NIST controls validation
python3 scripts/validate_nist.py . --framework CSF

# ISO 27001 assessment
python3 scripts/assess_iso27001.py . --controls annex_a --output iso_report.md

# Generate compliance report
python3 scripts/generate_report.py --evidence evidence/ --compliance SOC2 --output compliance_report.md

Configuration Files

Create config/compliance.yaml for script configuration:

compliance_auditing:
  audit_scope: '.'
  frameworks: ['SOC2', 'GDPR', 'HIPAA', 'PCI_DSS', 'ISO27001', 'NIST']
  
  check_gdpr:
    data_minimization: true
    consent_management: true
    right_to_erasure: true
    data_portability: true
    
  validate_hipaa:
    phi_protection: true
    audit_controls: true
    administrative_safeguards: true
    physical_safeguards: true
    technical_safeguards: true
    
  collect_soc2_evidence:
    trust_services_criteria: ['security', 'availability', 'processing_integrity', 'confidentiality', 'privacy']
    common_criteria: true
    
  scan_pci_dss:
    scan_level: 'full'
    cardholder_data_scope: true
    encryption_standards: true
    
  validate_nist:
    framework: 'CSF'
    control_baselines: ['low', 'moderate', 'high']
    
  assess_iso27001:
    controls: 'annex_a'
    isms_controls: true
    
  generate_report:
    report_format: 'markdown'
    include_recommendations: true
    include_roadmap: true

Policy & Procedure Templates

  • Security policy frameworks
  • Incident response procedures
  • Data classification guidelines
  • Access management policies
  • Business continuity plans

Training Materials

  • Compliance awareness programs
  • Role-specific security training
  • Incident response tabletop exercises
  • Privacy best practices guides
  • Regulatory change management

Continuous Compliance

  • Automated compliance monitoring
  • Regulatory change tracking
  • Control effectiveness testing
  • Risk assessment updates
  • Compliance management systems integration

Industry Expertise

  • Healthcare providers and payers
  • Financial services institutions
  • SaaS and technology companies
  • Government contractors
  • Educational institutions

Examples

Example 1: SOC 2 Type II Preparation for SaaS Startup

Scenario: A growing SaaS company preparing for their first SOC 2 Type II audit needs to implement controls and collect evidence for the Security and Availability trust services criteria.

Audit Preparation Approach:

  1. Gap Analysis: Compared current practices against SOC 2 trust services criteria
  2. Control Implementation: Deployed access management, encryption, and monitoring controls
  3. Evidence Collection: Automated collection of logs, configurations, and access reviews
  4. Remediation: Addressed 23 gaps identified in initial assessment

Key Controls Implemented:

  • Multi-factor authentication for all system access
  • Automated log retention and security monitoring
  • Encrypted data at rest and in transit (TLS 1.3, AES-256)
  • Incident response procedures with documented evidence
  • Vendor management program with security assessments

Audit Result: Passed with 2 minor observations (no material findings)

Example 2: HIPAA Compliance for Healthcare Application

Scenario: A healthcare technology company needs to ensure their patient portal meets HIPAA requirements for PHI protection.

Compliance Assessment:

  1. PHI Inventory: Mapped all locations where PHI is stored, processed, or transmitted
  2. Technical Controls: Evaluated encryption, access controls, and audit logging
  3. Administrative Safeguards: Reviewed policies, procedures, and workforce training
  4. Business Associate Agreements: Audited all third-party relationships

Critical Findings and Remediation:

  • Unencrypted database backups → Implemented TDE and encrypted backup storage
  • Excessive user access → Deployed role-based access control (RBAC)
  • Missing audit logs → Integrated CloudTrail and database audit logging
  • Outdated BAA with vendor → Negotiated updated BAA with current requirements

Outcome: Achieved full HIPAA compliance within 90 days

Example 3: GDPR Data Privacy Implementation

Scenario: An e-commerce company expanding to EU markets needs to implement GDPR compliance for customer data processing.

Privacy Implementation:

  1. Data Mapping: Documented all personal data flows across the organization
  2. Consent Management: Implemented cookie consent and preference management
  3. Data Subject Rights: Built automated processes for access, deletion, and portability requests
  4. Data Retention: Defined and implemented retention schedules

Implementation Components:

  • Privacy-by-design architecture review
  • Consent management platform integration
  • Data subject request (DSR) automation workflow
  • International data transfer mechanisms (Standard Contractual Clauses)
  • Privacy impact assessment (PIA) process

Measurable Outcomes:

  • Consent capture rate: 98% (up from 45%)
  • DSR response time: 5 days average (regulatory requirement: 30 days)
  • Data breach notification process tested quarterly
  • Privacy training completion: 100% of employees

Best Practices

Audit Preparation

  • Start Early: Begin compliance efforts 6-12 months before audit
  • Gap Analysis First: Understand where you stand before planning remediation
  • Phased Approach: Address highest-risk gaps first
  • Evidence Automation: Collect evidence continuously, not just before audit
  • Management Buy-In: Ensure leadership understands compliance requirements

Control Framework

  • Risk-Based Controls: Implement controls based on risk assessment findings
  • Defense in Depth: Multiple layers of controls for critical areas
  • Least Privilege: Grant minimum access required for each role
  • Change Management: Document and review all control changes
  • Continuous Monitoring: Implement automated control effectiveness testing

Documentation Excellence

  • Clear Policies: Write policies that are understandable and actionable
  • Procedure Documentation: Detail how policies are implemented operationally
  • Evidence Artifacts: Maintain comprehensive evidence of control operation
  • Traceability: Link controls to requirements and risks
  • Version Control: Track policy changes over time

Third-Party Management

  • Due Diligence: Assess security posture before engagement
  • Contract Requirements: Include security requirements in contracts
  • Ongoing Monitoring: Reassess vendors periodically
  • Incident Coordination: Establish breach notification procedures
  • Exit Planning: Define data handling at relationship end

Regulatory Updates

  • Track Changes: Monitor regulatory developments in your industry
  • Impact Assessment: Evaluate how changes affect current compliance
  • Proactive Adaptation: Update controls before enforcement deadlines
  • Industry Collaboration: Participate in industry compliance groups
  • Expert Consultation: Engage specialists for complex requirements

Anti-Patterns

Audit Process Anti-Patterns

  • Checkbox Compliance: Treating compliance as a form-filling exercise – focus on actual security outcomes
  • Point-in-Time Snapshots: Assessing controls only at audit time – implement continuous compliance monitoring
  • Evidence Fabrication: Creating evidence rather than demonstrating real controls – build genuine compliance programs
  • Scope Shrinking: Minimizing audit scope to reduce findings – address root causes instead of hiding problems

Control Implementation Anti-Patterns

  • Paper Controls: Policies that exist only in documentation – implement technical enforcement mechanisms
  • Over-Complex Controls: Controls so complex they cannot be operationalized – balance security with operability
  • Control Redundancy: Implementing overlapping controls without coordination – map and rationalize control portfolio
  • Control Gaps: Leaving security domains uncovered – maintain comprehensive control coverage

Evidence Collection Anti-Patterns

  • Last Minute Rush: Collecting evidence only when auditors arrive – automate continuous evidence collection
  • Incomplete Evidence: Providing partial evidence that raises more questions – ensure comprehensive documentation
  • Outdated Evidence: Using evidence from outdated systems or processes – maintain current evidence artifacts
  • Inaccessible Evidence: Evidence that cannot be located or produced – organize and index evidence systematically

Remediation Anti-Patterns

  • Temporary Fixes: Applying bandages instead of solving root causes – implement permanent solutions
  • Finding Chasing: Prioritizing based on audit severity rather than risk – assess actual risk impact
  • Remediation Debt: Accumulating findings without resolution – maintain remediation backlog with timelines
  • Siloed Remediation: Fixing findings in isolation without systemic improvement – identify patterns and prevent recurrence
GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台
本页面由 陌讯 Skills 聚合平台 收录整理,数据定期更新。