Compliance and Audit | Cybersecurity Policy

Slide 1 of 14  |  CSP-W3-01  |  Week 3
Compliance and Audit
PCI DSS  •  SOC 2  •  FedRAMP  •  HITRUST CSF  •  Audit Lifecycle
Your organization just closed a $40M government contract that requires FedRAMP Moderate authorization. Your payment processing system handles 6 million card transactions per year, mandating PCI DSS Level 1 compliance. Your SaaS customers are demanding SOC 2 Type II reports before renewing. Compliance is not optional -- it is the cost of doing business. But passing an audit and being secure are two different things. This deck examines the major compliance frameworks, what auditors actually look for, and how to build a culture where compliance is a byproduct of good security -- not a checkbox exercise.
14 slides  |  CSP-W3-01  |  Week 3  |  CIS2208 -- Cybersecurity Policy
Slide 2 of 14
Compliance vs Security
Compliance is the floor, not the ceiling. A compliant organization can still be breached. A secure organization may not yet be compliant.
Diagram: compliance sits at the baseline compliance threshold (meets minimum regulatory requirements); security is risk-driven protection beyond the minimums (defense in depth, threat intelligence, proactive hunting). Compliant does NOT mean secure -- Target was PCI compliant when breached in 2013.
What Compliance Gives You
A structured baseline of controls. Third-party validation. Legal liability reduction (due diligence defense). Customer trust signals. Regulatory permission to operate. Compliance frameworks encode decades of lessons learned into actionable control sets that apply broadly across industries.
Where Compliance Falls Short
Point-in-time assessments cannot capture continuous risk. Frameworks lag behind emerging threats by 2-4 years. Checkbox culture rewards documentation over effectiveness. Equifax was ISO 27001 certified. Target was PCI DSS compliant. Capital One passed multiple audits. All were breached.
The Core Distinction
Compliance asks: "Do you meet the minimum standard?" Security asks: "Can you withstand the actual threat?" Organizations that treat compliance as the goal rather than the floor will always be one audit cycle behind the adversary. The frameworks exist to establish a baseline -- what you build above that baseline determines your actual risk posture.
Slide 3 of 14
PCI DSS 4.0 -- Payment Card Security
The Payment Card Industry Data Security Standard applies to any entity that stores, processes, or transmits cardholder data.
PCI DSS 4.0 -- 12 Requirements
R1 Install and maintain network security controls
R2 Apply secure configurations to all components
R3 Protect stored account data
R4 Protect with strong cryptography during transmission
R5 Protect all systems from malicious software
R6 Develop and maintain secure systems and software
R7 Restrict access by business need-to-know
R8 Identify users and authenticate access
R9 Restrict physical access to cardholder data
R10 Log and monitor all access to system components
R11 Test security of systems and networks regularly
R12 Support information security with policies and programs for all personnel
Merchant Levels
Level 1: >6M transactions/yr -- ROC (Report on Compliance) requires an on-site QSA audit
Level 2: 1M -- 6M transactions/yr
Level 3: 20K -- 1M transactions/yr
Level 4: <20K transactions/yr
Levels 2-4 self-report compliance via SAQ (Self-Assessment Questionnaire)
SAQ vs ROC
Self-Assessment Questionnaires (SAQ) are for smaller merchants who self-validate. There are 9 SAQ types based on how you handle card data. Reports on Compliance (ROC) require an on-site assessment by a Qualified Security Assessor (QSA). Level 1 merchants and service providers must undergo annual ROC assessments.
QSA Role
Qualified Security Assessors are certified by the PCI SSC to conduct on-site assessments. They validate that controls are implemented, not just documented. QSAs test configurations, review logs, interview personnel, and observe processes. Their report goes to the acquiring bank and card brands.
What Changed in 4.0
PCI DSS 4.0 (March 2024 mandatory) introduced the Customized Approach, allowing organizations to meet control objectives through alternative methods. Added requirements for MFA everywhere, targeted risk analysis, and enhanced authentication. Shifts from prescriptive rules to outcome-based security.
Slide 4 of 14
SOC 2 -- Trust Service Criteria
SOC 2, developed by AICPA, evaluates service organizations against five Trust Service Criteria. It is the de facto standard for SaaS vendors.
SOC 2 Trust Service Criteria: Security (required), Availability, Processing Integrity, Confidentiality, Privacy
Type I vs Type II
Type I evaluates the design of controls at a specific point in time -- a snapshot. Type II evaluates both the design and operating effectiveness of controls over a period (typically 6-12 months). Type II is far more valuable because it demonstrates controls actually work consistently, not just that they exist on paper. Most enterprise customers require Type II.
The Five Criteria
Security (mandatory) -- protection against unauthorized access. Availability -- system is operational per SLAs. Processing Integrity -- processing is complete, valid, accurate, timely. Confidentiality -- information designated confidential is protected. Privacy -- personal information is collected, used, retained, and disclosed properly.
Market Reality
SOC 2 has become a de facto requirement for B2B SaaS. Enterprise procurement teams will not sign contracts without a current SOC 2 Type II report. The report is issued by a CPA firm, not a security firm -- this is an accounting standard (SSAE 18), which is why it carries trust in board rooms. A SOC 2 gap can stall a deal worth millions.
Slide 5 of 14
FedRAMP -- Federal Authorization
The Federal Risk and Authorization Management Program standardizes security assessment for cloud products used by U.S. federal agencies.
Phase 1 -- Readiness: FedRAMP Ready designation; gap analysis and SSP prep; select 3PAO assessor
Phase 2 -- Authorization: 3PAO assessment and SAR; JAB P-ATO or Agency ATO; POA&M for residual risk
Phase 3 -- Continuous Monitoring: monthly vulnerability scans; annual assessment; incident reporting (annual reauthorization cycle)
Impact Levels: Low (~125 controls) -- public, non-sensitive data; Moderate (~325 controls) -- CUI, PII, most agencies; High (~421 controls) -- law enforcement, health, finance
JAB vs Agency Path
The Joint Authorization Board (JAB) issues a Provisional ATO (P-ATO) that any agency can leverage. The Agency path means a single sponsoring agency issues the ATO. JAB P-ATO is harder to get but more reusable. Most CSPs now pursue the Agency path first for speed, then seek JAB P-ATO for broader market access.
3PAO Assessment
Third Party Assessment Organizations (3PAOs) are accredited by FedRAMP to perform independent security assessments. They test every control in the System Security Plan (SSP), produce a Security Assessment Report (SAR), and identify findings. 3PAO independence is critical -- they cannot also be the consultant who helped you prepare.
Cost and Timeline
FedRAMP authorization typically costs $1M-$3M and takes 12-18 months for initial authorization. Continuous monitoring adds $200K-$500K annually. The investment is justified by access to the federal market ($100B+ in cloud spending). Once authorized, the "do once, use many" model reduces redundant assessments across agencies.
Slide 6 of 14
HITRUST CSF -- Unified Framework
The HITRUST Common Security Framework harmonizes requirements from HIPAA, PCI DSS, ISO 27001, NIST, and more into a single certifiable framework.
Why HITRUST Exists
Healthcare organizations must comply with HIPAA, but HIPAA has no certification process -- you simply attest. HITRUST created a prescriptive, certifiable framework that maps HIPAA requirements to testable controls. It has since expanded beyond healthcare to include mappings to 50+ authoritative sources including PCI DSS, SOC 2, and NIST CSF.
Assessment Types
e1 Assessment -- essential, focused evaluation (~44 controls) for lower-risk organizations. 1-year validity. i1 Assessment -- implemented, broader coverage (~182 controls) for moderate assurance. 1-year validity. r2 Assessment -- the gold standard, risk-based (~400+ controls), 2-year validity with interim assessment.
Certification Process
An authorized HITRUST External Assessor conducts the evaluation. Evidence is submitted to HITRUST's Assurance Intelligence Engine for quality review. HITRUST (not the assessor) issues the certification. This centralized quality control differentiates HITRUST from frameworks where the assessor has final authority.
Cross-Framework Mapping
HITRUST's greatest value is control harmonization. A single HITRUST r2 assessment can satisfy requirements for HIPAA, PCI DSS, SOC 2, NIST 800-53, ISO 27001, GDPR, and state privacy laws simultaneously. This "assess once, report many" approach reduces audit fatigue for organizations with multiple compliance obligations.
Cost-Benefit Reality
HITRUST r2 certification costs $150K-$500K+ including assessor fees and HITRUST licensing. Timeline is 6-12 months. The investment pays off for organizations that face 3+ overlapping frameworks -- replacing multiple separate audits with one comprehensive assessment. For organizations with only one compliance obligation, it may be overkill.
Industry Adoption
HITRUST is dominant in healthcare (required by most major health plans and hospital systems for business associates), gaining traction in finance and government. Over 80% of U.S. hospitals and health plans require HITRUST certification from their vendors. If your organization handles protected health information, HITRUST r2 is effectively mandatory.
Slide 7 of 14
The Audit Lifecycle
Every compliance audit follows a structured lifecycle regardless of framework. Understanding the phases eliminates surprises.
Audit Lifecycle: Planning (scope, schedule, criteria) -> Fieldwork (testing, evidence, interviews) -> Reporting (findings, opinion, management letter) -> Remediation (fix, document, validate) -> Follow-Up (retest, close, lessons learned)
1. Planning
Define the audit scope, objectives, and criteria (which framework, which controls). Identify key contacts and schedule interviews. Request initial documentation (policies, network diagrams, asset inventories). Set the timeline. A well-scoped audit prevents scope creep and wasted effort on both sides.
2. Fieldwork
The auditor tests controls through evidence collection: reviewing configurations, examining logs, conducting interviews, observing processes, and sampling transactions. This is the most time-intensive phase. The organization must produce evidence that controls are designed correctly (Type I) and operating effectively (Type II).
3. Reporting
The auditor issues formal findings categorized by severity (critical, high, medium, low). A management response is required for each finding. The final report includes the auditor's opinion, detailed findings, and recommendations. For SOC 2, this becomes the official report shared with customers.
4. Remediation
The organization addresses each finding with corrective actions. Critical and high findings typically require remediation within 30-90 days. A Plan of Action and Milestones (POA&M) tracks remediation progress. Each fix must be documented with evidence showing the control is now effective.
5. Follow-Up
The auditor retests remediated findings to confirm they are resolved. Lessons learned are captured to improve processes for the next audit cycle. Unresolved findings carry forward. The cycle then restarts -- continuous compliance means the next audit's planning begins as follow-up concludes.
Slide 8 of 14
Audit Evidence: What Auditors Want
Auditors do not accept assertions. They require verifiable evidence across multiple categories to validate every control.
Evidence categories: Policies & Procedures (foundation); Configurations & Screenshots (technical proof); Logs & Audit Trails (operational proof); Interviews (human validation); Observation
Policies & Procedures
Written documentation that defines what the organization should do. Includes information security policies, acceptable use policies, incident response plans, change management procedures. Must be current (reviewed within 12 months), approved by management, and communicated to personnel. A policy that exists but is not followed is worse than no policy.
Configurations & Screenshots
Technical proof that controls are implemented: firewall rules, access control lists, encryption settings, MFA configurations, group policy objects. Auditors want to see the actual settings, not a description of them. Acceptable forms include screenshots with timestamps, configuration exports, or live demonstrations during fieldwork.
Logs & Audit Trails
Evidence that controls are operating over time: access logs, change management tickets, vulnerability scan reports, patch deployment records, incident tickets. Logs must be tamper-resistant, centrally collected, and retained per policy (typically 90 days minimum, 1 year for most frameworks). Gaps in logging are automatic findings.
Interviews
Auditors interview personnel at multiple levels to verify that people understand their responsibilities and that processes described in documentation match reality. They will interview system administrators about patch procedures, security analysts about incident response, and executives about risk management oversight. Inconsistent answers between documentation and interviews generate findings.
Observation
The auditor directly observes processes in action: watching an incident response drill, observing physical security controls (badge readers, locked server rooms), or watching a change management review meeting. Observation is the highest-quality evidence because it cannot be fabricated. It confirms that processes work in practice, not just on paper.
Slide 9 of 14
Common Findings and Remediation
The same findings appear in audit after audit, across industries and frameworks. These are the gaps that auditors find most frequently.
Access Control Gaps
Finding: Excessive privileges, orphaned accounts, shared credentials, missing MFA on privileged accounts, no periodic access reviews.
Remediation: Implement least-privilege access model. Quarterly access reviews. Automated deprovisioning tied to HR termination process. MFA for all admin and remote access. Eliminate shared accounts entirely.
Logging Failures
Finding: Incomplete log collection, logs not centralized, insufficient retention, no alerting on critical events, log tampering possible.
Remediation: Deploy centralized SIEM. Define required log sources (auth, admin, change, access). Set retention to framework minimum (90 days active, 1 year archive). Implement integrity monitoring. Alert on failed logins, privilege escalation, configuration changes.
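The three alert classes named in this remediation (failed logins, privilege escalation, configuration changes), as an added example rather than code from the deck or any SIEM product: a small Python rule set run over constructed, syslog-like log lines. The log format, field names, the five-failures-in-five-minutes threshold and the privileged-group list are all assumptions chosen for illustration; real sources need their own parsers and tuning.

```python
"""Alerting over constructed authentication/admin log lines.

Added example for this deck, not code from any SIEM vendor. The log format
(ISO timestamp, host, event name, key=value fields) is constructed for
illustration; real log sources need their own parsers and field mappings.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records covering the three alert classes named in the
# remediation text: failed logins, privilege escalation, configuration changes.
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z web01 auth_fail user=alice src=203.0.113.7
2024-05-01T09:00:03Z web01 auth_fail user=alice src=203.0.113.7
2024-05-01T09:00:05Z web01 auth_fail user=alice src=203.0.113.7
2024-05-01T09:00:07Z web01 auth_fail user=alice src=203.0.113.7
2024-05-01T09:00:09Z web01 auth_fail user=alice src=203.0.113.7
2024-05-01T09:01:00Z web01 auth_ok user=bob src=198.51.100.4
2024-05-01T09:02:10Z db01 group_add user=bob group=wheel by=root
2024-05-01T09:03:00Z fw01 config_change object=acl-ingress by=carol ticket=CHG-0042
2024-05-01T09:04:00Z fw01 config_change object=nat-rules by=dave ticket=-
2024-05-01T10:30:00Z web01 auth_fail user=erin src=192.0.2.9
"""

FAILED_LOGIN_THRESHOLD = 5                  # failures that trigger an alert (assumed)
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # sliding window for the count (assumed)
PRIVILEGED_GROUPS = {"wheel", "sudo", "Domain Admins"}  # constructed list


def parse_line(line):
    """Split one constructed log line into a dict with a datetime 'ts'."""
    ts_text, host, event, *pairs = line.split()
    record = dict(pair.split("=", 1) for pair in pairs)
    record.update(ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
                  host=host, event=event)
    return record


def detect_alerts(log_text):
    """Run the three alert rules over log_text; return alert dicts in time order."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    recent_failures = defaultdict(list)   # (user, src) -> failure timestamps in window
    already_fired = set()

    for e in events:
        if e["event"] == "auth_fail":
            key = (e["user"], e["src"])
            window = [t for t in recent_failures[key]
                      if e["ts"] - t <= FAILED_LOGIN_WINDOW] + [e["ts"]]
            recent_failures[key] = window
            if len(window) >= FAILED_LOGIN_THRESHOLD and key not in already_fired:
                already_fired.add(key)   # one alert per burst, not one per failure
                alerts.append({"rule": "brute_force", "severity": "high", "ts": e["ts"],
                               "detail": f"{len(window)} failed logins for {e['user']} "
                                         f"from {e['src']} within {FAILED_LOGIN_WINDOW}"})
        elif e["event"] == "group_add" and e["group"] in PRIVILEGED_GROUPS:
            alerts.append({"rule": "privilege_escalation", "severity": "high", "ts": e["ts"],
                           "detail": f"{e['user']} added to {e['group']} on {e['host']} by {e['by']}"})
        elif e["event"] == "config_change":
            # Every change is recorded; one without a change ticket is the finding.
            has_ticket = e.get("ticket", "-") != "-"
            alerts.append({"rule": "config_change",
                           "severity": "info" if has_ticket else "high", "ts": e["ts"],
                           "detail": f"{e['object']} changed on {e['host']} by {e['by']}"
                                     + ("" if has_ticket else " with no change ticket")})
    return alerts


if __name__ == "__main__":
    for a in detect_alerts(SAMPLE_LOGS):
        print(f"{a['ts']:%H:%M:%S} [{a['severity']:<4}] {a['rule']}: {a['detail']}")
```

On the sample input this yields four alerts: one brute-force burst for alice, one privilege escalation for bob, and two configuration changes, of which only the ticketless one is rated high. The single failure for erin stays below the threshold, which is the point of the sliding window: the rule counts bursts, not every failed login.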
Patch Management
Finding: Critical patches not applied within SLA (typically 30 days), no patching process documentation, no testing before deployment, and an incomplete asset inventory, which means unpatched systems exist unnoticed.
Remediation: Formal patch management policy with severity-based SLAs. Automated patch deployment with testing environment. Complete asset inventory with vulnerability scanning coverage validation.
Encryption Gaps
Finding: Data at rest not encrypted, deprecated TLS versions (1.0/1.1) in use, weak cipher suites, missing certificate management, encryption keys stored alongside encrypted data.
Remediation: Encrypt all sensitive data at rest (AES-256). Enforce TLS 1.2+ with strong cipher suites. Implement proper key management (HSM or KMS). Certificate lifecycle automation. Deprecate all weak protocols.
Pattern Recognition
These four finding categories appear in over 70% of audit reports regardless of framework. Organizations that proactively address access control, logging, patching, and encryption before an audit begins will eliminate the majority of potential findings. The remaining findings tend to be documentation gaps -- policies that do not exist, are outdated, or do not match operational reality.
Slide 10 of 14
Continuous Compliance
Point-in-time audits are snapshots. Continuous compliance means controls are monitored, tested, and validated in real time -- not just during audit season.
GRC dashboard (real-time compliance): control status 94% of controls passing; risk heat map (likelihood axis, low to high); open findings: 3 critical, 7 high, 12 medium; automation coverage 72% of controls auto-tested, target 85% by Q4.
GRC Platforms
Governance, Risk, and Compliance (GRC) tools like ServiceNow GRC, Archer, Drata, Vanta, and Anecdotes centralize control management, evidence collection, and risk tracking. They map controls to multiple frameworks simultaneously, eliminating redundant work. Modern GRC platforms integrate with cloud APIs to pull evidence automatically.
Automated Control Testing
Instead of manually screenshotting configurations during audit season, automated tools continuously verify controls: Is MFA enabled? Are logs flowing to SIEM? Are patches applied within SLA? Are access reviews completed? Automation transforms compliance from a periodic fire drill into a continuous state visible on a dashboard.
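To make the automated checks above concrete, and to cover the four finding categories of the previous slide (access control, logging, patching, encryption), here is an added example, not code from the deck or any GRC product. It evaluates a set of controls against a constructed evidence snapshot and produces the numbers a dashboard would show. The evidence structure, the control identifiers (AC-1, LG-1 and so on) and the field names are assumptions; a real implementation would pull them from identity, HR, SIEM, patch-management and TLS-scan APIs on a schedule rather than once.

```python
"""Automated control testing over a constructed evidence snapshot.

Added example for this deck, not any GRC product's code. EVIDENCE and the
control identifiers (AC-1, LG-1, ...) are constructed for illustration.
"""
from datetime import date

AS_OF = date(2024, 5, 1)                    # constructed snapshot date
CRITICAL_PATCH_SLA_DAYS = 30                # the deck's typical critical-patch SLA
ACTIVE_RETENTION_DAYS, ARCHIVE_RETENTION_DAYS = 90, 365  # deck's log retention minimums
MIN_TLS = (1, 2)                            # TLS 1.2+ per the encryption remediation

# Constructed evidence snapshot (not real data): HR terminations, identity
# provider export, per-system SIEM/TLS/patch facts, and log retention settings.
EVIDENCE = {
    "hr_terminated": {"tom"},
    "accounts": [
        {"user": "alice", "admin": True,  "mfa": True,  "enabled": True, "shared": False},
        {"user": "bob",   "admin": True,  "mfa": False, "enabled": True, "shared": False},
        {"user": "tom",   "admin": False, "mfa": True,  "enabled": True, "shared": False},
    ],
    "systems": [
        {"host": "web01", "siem_forwarding": True, "min_tls": "1.2",
         "critical_patches": [{"id": "PATCH-A", "released": date(2024, 3, 1),
                               "applied": date(2024, 3, 20)}]},
        {"host": "db01", "siem_forwarding": True, "min_tls": "1.3", "critical_patches": []},
        {"host": "legacy01", "siem_forwarding": True, "min_tls": "1.0",
         "critical_patches": [{"id": "PATCH-B", "released": date(2024, 3, 15),
                               "applied": None}]},
    ],
    "log_retention_days": {"active": 90, "archive": 365},
}

# Each check returns a list of finding strings; an empty list means the control passes.
def check_admin_mfa(ev, as_of):
    return [f"{a['user']}: enabled admin account without MFA"
            for a in ev["accounts"] if a["admin"] and a["enabled"] and not a["mfa"]]

def check_orphaned_accounts(ev, as_of):
    return [f"{a['user']}: still enabled after HR termination"
            for a in ev["accounts"] if a["enabled"] and a["user"] in ev["hr_terminated"]]

def check_shared_accounts(ev, as_of):
    return [f"{a['user']}: shared credential" for a in ev["accounts"] if a["shared"]]

def check_siem_forwarding(ev, as_of):
    return [f"{s['host']}: not forwarding logs to SIEM"
            for s in ev["systems"] if not s["siem_forwarding"]]

def check_log_retention(ev, as_of):
    r, findings = ev["log_retention_days"], []
    if r["active"] < ACTIVE_RETENTION_DAYS:
        findings.append(f"active log retention {r['active']}d < {ACTIVE_RETENTION_DAYS}d")
    if r["archive"] < ARCHIVE_RETENTION_DAYS:
        findings.append(f"archive log retention {r['archive']}d < {ARCHIVE_RETENTION_DAYS}d")
    return findings

def check_patch_sla(ev, as_of):
    findings = []
    for s in ev["systems"]:
        for p in s["critical_patches"]:
            # Late if applied after the SLA, or still missing once the SLA has
            # elapsed as of the snapshot date.
            age = ((p["applied"] or as_of) - p["released"]).days
            if age > CRITICAL_PATCH_SLA_DAYS:
                state = "applied" if p["applied"] else "still missing"
                findings.append(f"{s['host']}: {p['id']} {state} after {age}d "
                                f"(SLA {CRITICAL_PATCH_SLA_DAYS}d)")
    return findings

def check_min_tls(ev, as_of):
    return [f"{s['host']}: minimum TLS {s['min_tls']} below {'.'.join(map(str, MIN_TLS))}"
            for s in ev["systems"]
            if tuple(int(x) for x in s["min_tls"].split(".")) < MIN_TLS]

CONTROLS = [  # (constructed control id, title, test function)
    ("AC-1", "MFA on all admin accounts", check_admin_mfa),
    ("AC-2", "Terminated users deprovisioned", check_orphaned_accounts),
    ("AC-3", "No shared accounts", check_shared_accounts),
    ("LG-1", "All systems forward logs to SIEM", check_siem_forwarding),
    ("LG-2", "Log retention meets minimums", check_log_retention),
    ("PM-1", "Critical patches within SLA", check_patch_sla),
    ("EN-1", "TLS 1.2+ enforced", check_min_tls),
]

def run_controls(ev=EVIDENCE, as_of=AS_OF):
    """Evaluate every control once; a control passes when its check returns no findings."""
    results = []
    for cid, title, fn in CONTROLS:
        findings = fn(ev, as_of)
        results.append({"id": cid, "title": title, "findings": findings,
                        "passing": not findings})
    return results

def scorecard(results):
    """The dashboard numbers: controls passing, percentage, open findings."""
    passing = sum(r["passing"] for r in results)
    return {"total": len(results), "passing": passing,
            "percent_passing": round(100 * passing / len(results), 1),
            "open_findings": sum(len(r["findings"]) for r in results)}

if __name__ == "__main__":
    results = run_controls()
    for r in results:
        print(f"{'PASS' if r['passing'] else 'FAIL'} {r['id']} {r['title']}",
              *(f"\n      - {f}" for f in r["findings"]))
    print(scorecard(results))
```

Against this snapshot four controls fail (bob's admin account lacks MFA, tom is still enabled after termination, legacy01 has a critical patch 47 days overdue and still allows TLS 1.0), so the scorecard reports 3 of 7 controls passing with 4 open findings. Each finding string names the host or account, which is what turns a red dashboard tile into a remediation ticket; a scheduled run of the same checks is what the slide means by continuous rather than point-in-time evidence.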
Real-Time Dashboards
Executive-facing dashboards show compliance posture at any moment: percent of controls passing, open findings by severity, risk heat maps, and framework-specific readiness scores. When a control drifts out of compliance, the dashboard turns red immediately -- not 6 months later during the next audit. This visibility drives accountability.
Slide 11 of 14
The Cost of Non-Compliance
Non-compliance is not free. The financial, operational, and reputational consequences compound rapidly.
Cost of compliance (predictable investment): $100K -- $3M/year for audits, tools, staff. Cost of non-compliance (unpredictable catastrophe): $4.88M average breach, plus $10M -- $1B in fines, plus lost customers and lawsuits.
Regulatory Fines
GDPR: Up to 4% of global annual revenue or 20M EUR. HIPAA: $100 -- $50,000 per violation, up to $1.5M per year per category. PCI DSS: $5,000 -- $100,000 per month of non-compliance from card brands. SOX: $5M fine and up to 20 years imprisonment for officers who certify false financial statements. These are not theoretical -- Meta paid $1.3B (GDPR), Equifax paid $575M (multiple), Anthem paid $16M (HIPAA).
Business Impact
Lost contracts: Enterprise customers require compliance certifications before signing. No SOC 2 = no deal. Insurance: Cyber insurance premiums increase 200-300% after a breach; some carriers deny coverage entirely for non-compliant organizations. Market value: Stock prices drop an average of 7.5% after a disclosed breach, with sustained depression for 2+ years.
Reputational Damage
Customer trust erodes with each breach headline. 65% of consumers lose trust in a company after a data breach (IBM). Brand recovery takes 3-5 years on average. Some brands never recover -- TalkTalk lost 100,000 customers immediately after their 2015 breach and was eventually acquired at a fraction of its pre-breach valuation.
Legal Exposure
Class-action lawsuits follow every major breach. T-Mobile paid $350M to settle (2021 breach). Capital One paid $190M. Legal costs extend for years beyond the breach itself. Directors and officers face personal liability if they failed to exercise due care -- compliance frameworks provide a due diligence defense.
Operational Disruption
Post-breach incident response diverts the entire security team for months. Forensic investigations cost $100-$800 per hour. Mandatory breach notification requires notifying every affected individual. Regulatory investigations consume executive time. Some organizations face operational shutdown orders until compliance is demonstrated.
Slide 12 of 14
Building an Audit-Ready Culture
Audit readiness is not a project with an end date. It is an organizational discipline embedded in how work gets done every day.
Documentation Discipline
Every policy must be written, approved, versioned, and reviewed annually. Every procedure must be documented with enough detail that someone unfamiliar could follow it. Document retention policies define how long each evidence type is kept. If it is not documented, it did not happen -- this is the auditor's default assumption.
Change Management
All changes to production systems must go through a formal change management process: request, approval, testing, implementation, verification. Emergency changes get retroactive documentation within 24-48 hours. Change advisory boards (CABs) review significant changes. The change log becomes audit evidence that controls were followed.
Evidence Retention
Audit evidence must be systematically collected and retained before the auditor asks for it. Automate evidence collection where possible: scheduled configuration exports, automated access review workflows, ticket system retention policies. A centralized evidence repository (GRC tool or organized file structure) eliminates the frantic scramble during audit season.
Executive Sponsorship
Compliance programs that report to the CISO or CTO alone will fail. Effective programs have board-level visibility, dedicated budget, and executive champions who model compliance behavior. When the CEO skips security training, the message to every employee is that compliance is optional. Tone at the top determines culture at the bottom.
Continuous Improvement
After each audit cycle, conduct a retrospective: What findings were unexpected? What evidence took too long to produce? Which processes need automation? Track finding trends across audit cycles -- repeat findings indicate a systemic problem, not an isolated gap. Mature organizations close findings faster each cycle and reduce total findings year over year.
The Cultural Shift
Organizations that treat compliance as a separate activity from daily operations will always struggle with audits. The goal is to make compliance invisible -- baked into change management tickets, embedded in deployment pipelines, automated in configuration management. When compliance is how you work (not extra work), audits become a formality rather than a crisis.
Slide 13 of 14
Key Takeaways
Compliance and Audit -- the essential concepts from this presentation.
01 Compliance is the floor, not the ceiling. Frameworks provide a baseline of controls. Real security requires going beyond the minimum. Compliant organizations get breached regularly.
02 PCI DSS 4.0 governs payment card security with 12 requirements across 4 merchant levels. Level 1 requires a QSA-led ROC; smaller merchants self-assess via SAQ. Version 4.0 shifts toward outcome-based security.
03 SOC 2 evaluates service organizations against 5 Trust Service Criteria. Security is mandatory. Type II (operating effectiveness over time) is the market standard for SaaS vendor assurance.
04 FedRAMP is required for cloud services used by federal agencies. Three impact levels (Low/Moderate/High). Authorization costs $1M-$3M and takes 12-18 months. Continuous monitoring is mandatory post-authorization.
05 HITRUST CSF unifies 50+ frameworks into one certifiable assessment. Dominant in healthcare. The r2 assessment is the gold standard. "Assess once, report many" reduces audit fatigue.
06 Audits follow a lifecycle: Planning, Fieldwork, Reporting, Remediation, Follow-Up. Evidence comes in five forms: policies, configurations, logs, interviews, and observation.
07 The top four findings across all audits: access control gaps, logging failures, patch management deficiencies, and encryption weaknesses. Fixing these proactively eliminates 70%+ of audit findings.
08 Continuous compliance through GRC platforms, automated control testing, and real-time dashboards transforms compliance from a periodic fire drill into a sustained organizational state.
09 Non-compliance costs dwarf compliance costs. Regulatory fines, breach costs, lost business, legal exposure, and reputational damage make the ROI of compliance programs overwhelming.
10 Audit-ready culture requires documentation discipline, formal change management, evidence retention, executive sponsorship, and continuous improvement. Compliance must be how you work, not extra work.
Slide 14 of 14  |  CSP-W3-01  |  Week 3
Compliance and Audit
Compliance and Audit -- 14 slides
PCI DSS 4.0  •  SOC 2  •  FedRAMP  •  HITRUST CSF  •  Audit Lifecycle  •  Evidence Types  •  Common Findings  •  Continuous Compliance  •  Cost of Non-Compliance  •  Audit-Ready Culture
CIS2208 Cybersecurity Policy Week 3