# Compliance

## Common Frameworks
### GDPR (General Data Protection Regulation)
EU data protection regulation. It applies to any organization that processes personal data of people in the EU, regardless of where the organization is based.
Key Requirements:
- Lawful basis for processing (Art. 6)
- Data minimization (Art. 5)
- Right to erasure (Art. 17)
- Data portability (Art. 20)
- Breach notification to the supervisory authority within 72 hours of becoming aware (Art. 33); affected individuals must also be notified when the breach is likely to result in a high risk to them (Art. 34)
- Data protection by design and by default (Art. 25)
### HIPAA (Health Insurance Portability and Accountability Act)
US regulation protecting protected health information (PHI) held by covered entities (providers, health plans, clearinghouses) and their business associates.
Key Requirements (Security Rule technical safeguards):
- Access controls
- Audit controls
- Integrity controls
- Person or entity authentication
- Transmission security
- Business Associate Agreements (BAAs) with any vendor that handles PHI on your behalf

Note that encryption is an "addressable" specification under the Security Rule: you must either implement it or document why an alternative measure is equivalent. In practice, unencrypted PHI lost on a device is treated as a reportable breach, so encrypt.
### PCI DSS (Payment Card Industry Data Security Standard)
Payment card data protection standard maintained by the PCI Security Standards Council. It is a contractual requirement imposed by the card brands on any organization that stores, processes, or transmits cardholder data.
Key Requirements:
- Network segmentation to isolate the cardholder data environment (CDE) and reduce assessment scope
- Protection of stored account data (render the PAN unreadable) and encryption of cardholder data in transit over open or public networks
- Access restrictions on a need-to-know basis, with unique IDs per user
- Regular testing: vulnerability scans and penetration tests
- Security policies covering all personnel
### SOC 2 (System and Organization Controls 2)
An AICPA attestation report (formerly "Service Organization Control 2") against the Trust Services Criteria. A Type I report covers control design at a point in time; a Type II report covers operating effectiveness over a review period, typically 6 to 12 months.
Trust Services Criteria (Security is mandatory; the other four are included only if you put them in scope):
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
## Common Controls

### Access Control
- [ ] Unique user IDs (no shared accounts)
- [ ] Strong authentication (MFA for privileged and remote access)
- [ ] Role-based access with least privilege
- [ ] Regular access reviews
- [ ] Termination procedures that revoke access promptly

### Data Protection
- [ ] Encryption at rest
- [ ] Encryption in transit
- [ ] Key management (rotation, separation of duties, restricted access to keys)
- [ ] Data classification
- [ ] Retention policies

### Audit & Monitoring
- [ ] Audit logging enabled
- [ ] Log retention (1+ year; PCI DSS requires 12 months, with 3 months immediately available)
- [ ] Regular log review
- [ ] Alerting on anomalies
- [ ] Incident response plan

### Documentation
- [ ] Security policies
- [ ] Procedures documented
- [ ] Evidence collection (dated artifacts such as config exports, tickets, and review records)
- [ ] Regular reviews
- [ ] Training records
## Compliance Checklist

The frameworks overlap heavily, but they do not all mandate each control in the same way:

| Control | GDPR | HIPAA | PCI DSS | SOC 2 |
|---|---|---|---|---|
| Encryption | Expected as an "appropriate measure" (Art. 32) | Addressable (implement or document why not) | Required for stored PAN and for transit over public networks | Expected under the Security criteria (CC6) |
| Access Control | Yes | Yes | Yes | Yes |
| Audit Logging | Yes (accountability, Art. 5(2)) | Yes (audit controls) | Yes (Req. 10) | Yes (CC7) |
| Breach Notification | Yes (72 hours to authority, Art. 33/34) | Yes (Breach Notification Rule, no later than 60 days after discovery) | Incident response plan must cover notifying card brands and the acquirer (Req. 12.10) | Indirect (incident response and communication criteria) |
| Risk Assessment | Yes (DPIA for high-risk processing, Art. 35) | Yes (required by the Security Rule) | Yes (Req. 12.3) | Yes (CC3) |