Chapter 10 — Compliance & Governance

SOC 2 Type II Controls

```yaml
SOC2_Controls:
  Security:
    - Access control management
    - Incident response procedures
    - Vulnerability management
    - Data encryption and protection
    - Network security monitoring
  Availability:
    - Business continuity planning
    - Disaster recovery testing
    - Performance monitoring
    - Redundancy and failover testing
    - Incident management
  Processing_Integrity:
    - Data input validation
    - Processing accuracy controls
    - Output verification
    - Error handling procedures
    - Audit trail maintenance
  Confidentiality:
    - Data classification procedures
    - Encryption implementation
    - Access restriction controls
    - Network security controls
    - Data lifecycle management
  Privacy:
    - Personal data inventory
    - Consent management
    - Data subject rights processes
    - Cross-border data transfer controls
    - Privacy notice management
```

ISO 27001 Annex A Controls

| Domain | Key Controls | Implementation |
| --- | --- | --- |
| A.5 Information Security Policies | Policy development, review, communication | Quarterly reviews, executive approval |
| A.6 Organization of Information Security | Roles and responsibilities, segregation of duties | RACI matrices, approval workflows |
| A.7 Human Resource Security | Screening, training, termination processes | Background checks, security awareness |
| A.8 Asset Management | Asset inventory, classification, acceptable use | CMDB, classification labels |
| A.9 Access Control | User access management, authentication, privilege management | IAM policies, MFA, access reviews |
| A.10 Cryptography | Key management, encryption usage | KMS, certificate management |
| A.11 Physical Security | Physical access control, environmental security | Data center access, equipment protection |
| A.12 Operations Security | Logging, monitoring, malware protection | SIEM, antivirus, patch management |
| A.13 Communications Security | Network security controls, information transfer | Firewalls, VPN, TLS |
| A.14 System Acquisition | Secure development, change management | CI/CD security, change control |
| A.15 Supplier Relationships | Supplier risk management, agreements | Vendor assessments, contracts |
| A.16 Incident Management | Incident detection, response, improvement | Incident response plan |
| A.17 Business Continuity | BCM planning, testing, redundancy | BCP, DR testing |
| A.18 Compliance | Regulatory compliance, IP protection | Legal reviews, IP protection |

10.2 Automated Compliance Evidence Collection

Automated Evidence Collection

```yaml
ComplianceAutomation:
  EvidenceCollection:
    Tools:
      - AWS Config Rules
      - Azure Policy
      - GCP Security Health Analytics
      - Custom compliance checks
    Frequency:
      - Real-time: Security configurations
      - Hourly: Access control reviews
      - Daily: Vulnerability assessments
      - Weekly: Policy compliance scans
      - Monthly: Full compliance reports
    EvidenceTypes:
      - Configuration snapshots
      - Access review logs
      - Vulnerability scan results
      - Change management records
      - Incident response documentation
```

Compliance as Code

```yaml
CompliancePolicies:
  SOC2_Security:
    - aws_config_rule: "s3-bucket-public-write-prohibited"
      description: "S3 buckets must not allow public write access"
    - aws_config_rule: "iam-user-no-policies-check"
      description: "IAM users should not have inline policies"
    - aws_config_rule: "cloudtrail-enabled"
      description: "CloudTrail must be enabled in all regions"
  ISO27001_AccessControl:
    - azure_policy: "audit-vm-manageddisk-encryption"
      description: "VM managed disks must be encrypted"
    - azure_policy: "audit-storage-account-encryption"
      description: "Storage accounts must have encryption enabled"
  PCI_DSS:
    - gcp_policy: "require-shielded-vm"
      description: "Compute instances must use shielded VM features"
    - gcp_policy: "enforce-public-ip-disabled"
      description: "VMs should not have public IP addresses"
```
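The evidence-collection and compliance-as-code blocks above describe a loop of "take a configuration snapshot, evaluate each mapped rule, keep a timestamped record". This added example (not code from the page or from any cloud provider's SDK) runs the three SOC2_Security rule ids against a constructed snapshot; the snapshot shape and the check functions are assumptions standing in for what AWS Config would evaluate, and a rule with no check is recorded as NOT_EVALUATED rather than passing by default.

```python
from datetime import datetime, timezone

# Constructed snapshot (not a real account); its shape is an assumption
# standing in for what AWS Config would record for these resource types.
SNAPSHOT = {
    "s3_buckets": [{"name": "logs-archive", "public_write": False},
                   {"name": "marketing-uploads", "public_write": True}],
    "iam_users": [{"name": "deploy-bot", "inline_policies": []},
                  {"name": "alice", "inline_policies": []}],
    "cloudtrail": {"enabled_regions": ["us-east-1", "eu-west-1"],
                   "all_regions": ["us-east-1", "eu-west-1", "ap-south-1"]},
}

# One check per rule id from the page's SOC2_Security block; each returns
# the names of non-compliant resources (an empty list means compliant).
CHECKS = {
    "s3-bucket-public-write-prohibited": lambda s: [
        b["name"] for b in s["s3_buckets"] if b["public_write"]],
    "iam-user-no-policies-check": lambda s: [
        u["name"] for u in s["iam_users"] if u["inline_policies"]],
    "cloudtrail-enabled": lambda s: sorted(
        set(s["cloudtrail"]["all_regions"]) - set(s["cloudtrail"]["enabled_regions"])),
}

# Rule-to-framework mapping, mirroring the CompliancePolicies block.
POLICIES = {"SOC2_Security": [
    ("s3-bucket-public-write-prohibited", "S3 buckets must not allow public write access"),
    ("iam-user-no-policies-check", "IAM users should not have inline policies"),
    ("cloudtrail-enabled", "CloudTrail must be enabled in all regions"),
]}

def collect_evidence(snapshot, policies=POLICIES, checks=CHECKS):
    """Run every mapped rule and return one timestamped evidence record each.
    A rule with no registered check is recorded as NOT_EVALUATED instead of
    silently passing, so gaps in coverage show up in the audit trail."""
    collected_at = datetime.now(timezone.utc).isoformat()
    records = []
    for framework, rules in policies.items():
        for rule_id, description in rules:
            check = checks.get(rule_id)
            findings = check(snapshot) if check else []
            status = ("NOT_EVALUATED" if check is None
                      else "NON_COMPLIANT" if findings else "COMPLIANT")
            records.append({"framework": framework, "rule": rule_id,
                            "description": description, "status": status,
                            "findings": findings, "collected_at": collected_at})
    return records
```

The records are what the monthly report aggregates; the findings list names the exact resource that failed, which is what an auditor asks for when sampling a control.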

Security Committee Charter

```yaml
SecurityGovernance:
  ExecutiveSteeringCommittee:
    Members:
      - CISO (Chair)
      - CTO
      - CFO
      - Chief Risk Officer
      - Legal Counsel
    Meetings: "Quarterly"
    Responsibilities:
      - Risk appetite approval
      - Security budget approval
      - Major incident oversight
      - Regulatory compliance oversight
  SecurityOperationsCommittee:
    Members:
      - Security Operations Manager
      - Infrastructure Lead
      - Application Security Lead
      - Compliance Officer
      - IT Audit Representative
    Meetings: "Monthly"
    Responsibilities:
      - Security metrics review
      - Incident response coordination
      - Security tooling evaluation
      - Policy development
  TechnicalWorkingGroup:
    Members:
      - Security Engineers
      - DevOps Engineers
      - Cloud Architects
      - Application Developers
    Meetings: "Bi-weekly"
    Responsibilities:
      - Security implementation
      - Tool configuration
      - Best practice development
      - Security automation
```

Risk Assessment Methodology

```yaml
RiskAssessment:
  Scoring:
    Likelihood:
      Very_Likely: 4-5
      Likely: 3-4
      Possible: 2-3
      Unlikely: 1-2
      Very_Unlikely: 0-1
    Impact:
      Critical: 4-5
      High: 3-4
      Medium: 2-3
      Low: 1-2
      Minimal: 0-1
  RiskCalculation: "Likelihood × Impact"
  RiskLevels:
    Critical: 16-25 (Immediate action required)
    High: 9-15 (Action within 30 days)
    Medium: 4-8 (Action within 90 days)
    Low: 1-3 (Monitor and accept)
  TreatmentOptions:
    Avoid: "Eliminate the risk"
    Mitigate: "Implement controls to reduce risk"
    Transfer: "Insurance or outsourcing"
    Accept: "Risk within appetite"
```
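As an added example (not part of the page), the methodology above applied to a constructed risk register: it assumes integer likelihood and impact scores from 0 to 5, computes Likelihood × Impact, assigns the band and its action deadline from RiskLevels, and handles the one case the bands leave out, a score of 0 when either factor is rated Very_Unlikely or Minimal.

```python
from datetime import date, timedelta

# Risk bands from the RiskLevels block: (low, high, level, action window in
# days); None means no deadline (monitor and accept).
RISK_LEVELS = [(16, 25, "Critical", 0), (9, 15, "High", 30),
               (4, 8, "Medium", 90), (1, 3, "Low", None)]

def risk_level(score):
    """Map a Likelihood x Impact product to its band and action window."""
    for lo, hi, level, days in RISK_LEVELS:
        if lo <= score <= hi:
            return level, days
    # A 0 on either scale (Very_Unlikely or Minimal) gives a product of 0,
    # which the bands above do not cover; keep it on the register as Low.
    if score == 0:
        return "Low", None
    raise ValueError(f"score {score} is outside 0-25")

def score_risk(likelihood, impact, assessed_on):
    """Score one risk; likelihood and impact are integer scores from 0 to 5."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 0 <= value <= 5:
            raise ValueError(f"{name} must be an integer 0-5, got {value!r}")
    score = likelihood * impact
    level, days = risk_level(score)
    due = assessed_on + timedelta(days=days) if days is not None else None
    return {"score": score, "level": level, "due": due}

def build_register(risks, assessed_on):
    """Score every entry and order the register highest risk first."""
    register = [{**r, **score_risk(r["likelihood"], r["impact"], assessed_on)}
                for r in risks]
    register.sort(key=lambda r: r["score"], reverse=True)
    return register

# Constructed entries for illustration, not from a real assessment.
ASSESSED_ON = date(2024, 1, 1)
SAMPLE_RISKS = [
    {"id": "R-1", "title": "Unpatched internet-facing service", "likelihood": 4, "impact": 5},
    {"id": "R-2", "title": "Stale contractor accounts", "likelihood": 3, "impact": 3},
    {"id": "R-3", "title": "Outdated printer firmware", "likelihood": 1, "impact": 1},
    {"id": "R-4", "title": "Decommissioned test system", "likelihood": 0, "impact": 2},
]
```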