security-compliance


Guides security professionals in implementing defense-in-depth security architectures, achieving compliance with industry frameworks (SOC2, ISO27001, GDPR, HIPAA), conducting threat modeling and risk assessments, managing security operations and incident response, and embedding security throughout the SDLC.

Install

mkdir -p .claude/skills/security-compliance && curl -L -o skill.zip "https://mcp.directory/api/skills/download/567" && unzip -o skill.zip -d .claude/skills/security-compliance && rm skill.zip

Installs to .claude/skills/security-compliance

About this skill

Security & Compliance Expert

Core Principles

1. Defense in Depth

Apply multiple layers of security controls so that if one fails, others provide protection. Never rely on a single security mechanism.

2. Zero Trust Architecture

Never trust, always verify. Assume breach and verify every access request regardless of location or network.

3. Least Privilege

Grant the minimum access necessary for users and systems to perform their functions. Regularly review and revoke unused permissions.

4. Security by Design

Integrate security requirements from the earliest stages of system design, not as an afterthought.

5. Continuous Monitoring

Implement ongoing monitoring and alerting to detect anomalies and security events in real time.

6. Risk-Based Approach

Prioritize security efforts based on risk assessment, focusing resources on the most critical assets and likely threats.

7. Compliance as Foundation

Use compliance frameworks as a baseline, but go beyond minimum requirements to achieve actual security.

8. Incident Readiness

Prepare for security incidents through planning, testing, and regular tabletop exercises. Assume compromise will occur.


Security & Compliance Lifecycle

Phase 1: Assess & Plan

Objective: Understand current security posture and compliance requirements

Activities:

  • Conduct security assessments and gap analysis
  • Identify compliance requirements (SOC2, ISO27001, GDPR, HIPAA, PCI-DSS)
  • Perform risk assessments and threat modeling
  • Define security policies and standards
  • Establish security governance structure
  • Create security roadmap with prioritized initiatives

Deliverables:

  • Risk register with prioritized risks
  • Compliance gap analysis report
  • Security architecture documentation
  • Security policies and procedures
  • Security roadmap and budget

Phase 2: Design & Architect

Objective: Design secure systems and architectures

Activities:

  • Design defense-in-depth architectures
  • Implement Zero Trust network architecture
  • Design identity and access management (IAM) systems
  • Architect data protection and encryption solutions
  • Design secure CI/CD pipelines
  • Create threat models for applications and systems
  • Define security controls and compensating controls

Deliverables:

  • Security architecture diagrams
  • Threat models (STRIDE, PASTA, or attack trees)
  • Data flow diagrams with security boundaries
  • Encryption and key management design
  • IAM design with RBAC/ABAC models
  • Security control matrix

Phase 3: Implement & Harden

Objective: Deploy security controls and harden systems

Activities:

  • Implement security controls (preventive, detective, corrective)
  • Configure security tools (SIEM, EDR, CASB, WAF, IDS/IPS)
  • Harden operating systems and applications
  • Implement encryption at rest and in transit
  • Deploy multi-factor authentication (MFA)
  • Configure logging and monitoring
  • Implement data loss prevention (DLP)
  • Set up a vulnerability management program

Deliverables:

  • Hardening baselines and configuration standards
  • Deployed security tools and controls
  • Encryption implementation
  • MFA deployment
  • Security monitoring dashboards
  • Vulnerability management procedures

Phase 4: Monitor & Detect

Objective: Continuously monitor for threats and anomalies

Activities:

  • Monitor security logs and events (SIEM)
  • Analyze security alerts and anomalies
  • Conduct threat hunting
  • Perform vulnerability scanning and penetration testing
  • Monitor compliance controls
  • Track security metrics and KPIs
  • Review access logs and privileged account activity
  • Analyze threat intelligence feeds

Deliverables:

  • Security operations center (SOC) runbooks
  • Alert triage and escalation procedures
  • Threat hunting playbooks
  • Vulnerability scan reports
  • Penetration test reports
  • Security metrics dashboard
  • Compliance monitoring reports

Phase 5: Respond & Recover

Objective: Respond to security incidents and recover operations

Activities:

  • Execute incident response plan
  • Contain and eradicate threats
  • Perform forensic analysis
  • Recover affected systems
  • Conduct post-incident reviews
  • Update security controls based on lessons learned
  • Report incidents to stakeholders and regulators
  • Improve detection rules and response procedures

Deliverables:

  • Incident response reports
  • Forensic analysis findings
  • Root cause analysis
  • Remediation plans
  • Updated incident response playbooks
  • Regulatory breach notifications (if required)
  • Post-incident review and recommendations

Phase 6: Audit & Improve

Objective: Validate compliance and continuously improve security

Activities:

  • Conduct internal audits
  • Prepare for external audits (SOC2, ISO27001)
  • Perform compliance assessments
  • Review and update security policies
  • Conduct security training and awareness programs
  • Perform tabletop exercises and disaster recovery drills
  • Update risk assessments
  • Implement security improvements

Deliverables:

  • Audit reports (internal and external)
  • SOC2 Type II report
  • ISO27001 certification
  • Compliance attestations
  • Updated policies and procedures
  • Training completion metrics
  • Tabletop exercise results
  • Continuous improvement plan

Decision Frameworks

1. Risk Assessment Framework

When to use: Evaluating security risks and prioritizing mitigation efforts

Process:

1. Identify Assets
   - What systems, data, and services need protection?
   - What is the business value of each asset?
   - Who are the asset owners?

2. Identify Threats
   - What threat actors might target these assets? (nation-state, cybercriminals, insiders)
   - What are their motivations? (financial gain, espionage, disruption)
   - What are current threat trends?

3. Identify Vulnerabilities
   - What weaknesses exist in systems or processes?
   - What security controls are missing or ineffective?
   - What are known CVEs affecting your systems?

4. Calculate Risk
   Risk = Likelihood × Impact

   Likelihood scale (1-5):
   1 = Rare (< 5% chance in 1 year)
   2 = Unlikely (5-25%)
   3 = Possible (25-50%)
   4 = Likely (50-75%)
   5 = Almost Certain (> 75%)

   Impact scale (1-5):
   1 = Minimal (< $10K loss, no data breach)
   2 = Minor ($10K-$100K, limited data exposure)
   3 = Moderate ($100K-$1M, significant data breach)
   4 = Major ($1M-$10M, extensive data breach, regulatory fines)
   5 = Catastrophic (> $10M, business-threatening)

   Risk Score = Likelihood × Impact (max 25)

5. Prioritize Risks
   - Critical: Risk score 15-25 (immediate action)
   - High: Risk score 10-14 (action within 30 days)
   - Medium: Risk score 5-9 (action within 90 days)
   - Low: Risk score 1-4 (monitor and accept)

6. Determine Risk Response
   - Mitigate: Implement controls to reduce risk
   - Accept: Document acceptance if risk is within tolerance
   - Transfer: Use insurance or third-party services
   - Avoid: Eliminate the activity that creates risk

Output: Risk register with prioritized risks and mitigation plans
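
An added example (not part of the skill's own content) that applies steps 4 and 5 above: it maps raw estimates onto the two 1-5 scales, multiplies them, and sorts the register by score. The function names and sample risks are constructed here, and where two bands share an edge (25%, 50%, $100K, $1M) the higher band is assumed.

```python
# Band edges from the page's scales. Where two bands share an edge (25%, 50%,
# $100K, $1M) the higher band is used; that tie rule is an assumption.
LIKELIHOOD_EDGES = (0.05, 0.25, 0.50)        # annual probability
IMPACT_EDGES = (10_000, 100_000, 1_000_000)  # USD loss

# Step 5 bands: (minimum score, label, days allowed before action).
# 0 days = immediate action; None = monitor and accept.
PRIORITY = ((15, "Critical", 0), (10, "High", 30), (5, "Medium", 90), (1, "Low", None))

def _band(value, edges, top_edge):
    """Map a raw estimate onto the 1-5 scale; above top_edge is level 5."""
    if value < 0:
        raise ValueError("estimate must be non-negative")
    for level, edge in enumerate(edges, start=1):
        if value < edge:
            return level
    return 4 if value <= top_edge else 5

def likelihood_level(annual_probability):
    if annual_probability > 1:
        raise ValueError("probability must be between 0 and 1")
    return _band(annual_probability, LIKELIHOOD_EDGES, 0.75)

def impact_level(loss_usd):
    return _band(loss_usd, IMPACT_EDGES, 10_000_000)

def priority(score):
    """Return (label, days) for a risk score between 1 and 25."""
    return next((label, days) for floor, label, days in PRIORITY if score >= floor)

def build_register(risks):
    """risks: (name, annual probability, loss in USD); rows sorted by score."""
    rows = []
    for name, prob, loss in risks:
        lik, imp = likelihood_level(prob), impact_level(loss)
        rows.append((name, lik, imp, lik * imp, *priority(lik * imp)))
    return sorted(rows, key=lambda row: row[3], reverse=True)

# Constructed sample entries, not from the page.
SAMPLE = [
    ("Unpatched VPN appliance", 0.60, 2_500_000),
    ("Laptop theft, disk encrypted", 0.30, 8_000),
    ("Insider exports customer DB", 0.10, 15_000_000),
    ("Expired TLS certificate", 0.80, 50_000),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(row)
```

In the constructed sample a catastrophic but unlikely risk and a minor but near-certain one both score 10, which is why the register keeps likelihood and impact as separate columns.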

2. Security Control Selection

When to use: Choosing appropriate security controls for identified risks

Framework: Use NIST CSF categories or CIS Controls

NIST CSF Functions:
1. Identify (ID)
   - Asset Management
   - Risk Assessment
   - Governance

2. Protect (PR)
   - Access Control
   - Data Security
   - Protective Technology

3. Detect (DE)
   - Anomalies and Events
   - Security Monitoring
   - Detection Processes

4. Respond (RS)
   - Response Planning
   - Communications
   - Analysis and Mitigation

5. Recover (RC)
   - Recovery Planning
   - Improvements
   - Communications

Control Types:
- Preventive: Stop incidents before they occur (MFA, firewalls, encryption)
- Detective: Identify incidents when they occur (SIEM, IDS, log monitoring)
- Corrective: Fix issues after detection (patching, incident response)
- Deterrent: Discourage attackers (security policies, warnings)
- Compensating: Alternative controls when primary controls aren't feasible

Selection Criteria:
1. Does it address the identified risk?
2. Is it cost-effective? (Control cost < Risk value)
3. Is it technically feasible?
4. Does it meet compliance requirements?
5. Can we maintain and monitor it?

3. Compliance Framework Selection

When to use: Determining which compliance frameworks to implement

Decision Tree:

What type of organization are you?

├─ SaaS/Cloud Service Provider
│  ├─ Selling to enterprises? → SOC2 Type II (required)
│  ├─ International customers? → ISO27001 (strongly recommended)
│  ├─ Handling health data? → HIPAA + HITRUST
│  └─ Handling payment cards? → PCI-DSS

├─ Healthcare Provider/Payer
│  ├─ U.S.-based → HIPAA (required)
│  ├─ International → HIPAA + GDPR
│  └─ Plus: HITRUST for comprehensive framework

├─ Financial Services
│  ├─ U.S. banks → GLBA, SOX (if public)
│  ├─ Payment processing → PCI-DSS (required)
│  ├─ International → ISO27001, local regulations
│  └─ Plus: NIST CSF for framework

├─ E-commerce/Retail
│  ├─ Accept credit cards → PCI-DSS (required)
│  ├─ EU customers → GDPR (required)
│  ├─ California customers → CCPA
│  └─ B2B sales → SOC2 Type II

└─ General Enterprise
   ├─ Selling to enterprises → SOC2 Type II
   ├─ Want broad recognition → ISO27001
   ├─ Government contracts → FedRAMP, NIST 800-53
   └─ Industry-specific → Check sector regulations

Multi-Framework Strategy:
- Start with: SOC2 or ISO27001 (choose one as foundation)
- Add: Data privacy regulations (GDPR, CCPA) as needed
- Layer on: Industry-specific requirements

4. Incident Severity Classification

When to use: Triaging and responding to security incidents

Severity Levels:

P0 - Critical (Immediate Response)
- Active breach with data exfiltration occurring
- Ransomware encryption in progress
- Complete system outage of critical services
- Unauthorized access to production databases
- Response: Engage CIRT immediately, 

---

*Content truncated.*
