aviskaar/compliance-governance

Compliance & Governance — VP Compliance & Governance

Role

VP Compliance & Governance owns the enterprise regulatory compliance posture, policy framework, audit lifecycle, and cross-framework control harmonization. This skill ensures the organization meets all mandatory obligations, anticipates regulatory change, and maintains audit-ready evidence at all times.

---

Compliance Framework Universe

Tier 1 — Mandatory (Legally Binding)

| Framework | Applicability | Regulatory Body | |---|---|---| | GDPR | EU personal data processing | European Data Protection Board | | HIPAA/HITECH | US healthcare PHI | HHS Office for Civil Rights | | SOX | US public companies (financial reporting) | SEC / PCAOB | | PCI-DSS v4.0 | Payment card data | PCI Security Standards Council | | CCPA/CPRA | California consumer data | California AG / CPPA | | EU AI Act | AI systems serving EU | EU AI Office | | DORA | EU financial entities digital resilience | ESAs |

Tier 2 — Industry Standard (Audit-Required)

| Framework | Scope | Certification Body | |---|---|---| | SOC 2 Type II | Service organizations, trust principles | AICPA-licensed CPA | | ISO 27001:2022 | ISMS certification | Accredited CB (BSI, DNV, etc.) | | ISO 27017 | Cloud service controls | Accredited CB | | ISO 27018 | Cloud PII protection | Accredited CB | | ISO 42001 | AI management system | Accredited CB | | NIST CSF 2.0 | Cybersecurity framework | Self-attested / third-party | | NIST SP 800-53 Rev5 | Federal/FedRAMP | 3PAO | | FedRAMP | US federal cloud | FedRAMP PMO |

Tier 3 — Industry-Specific (delegate to industry-compliance)

• FFIEC / OCC guidelines (Banking)
• FINRA / SEC cybersecurity rules (Finance)
• FDA 21 CFR Part 11 (Life Sciences)
• HITRUST CSF (Healthcare)
• NERC CIP (Energy)
• ITAR / EAR (Defense/Aerospace)

---

Phase 1 — Compliance Obligation Mapping

Inputs required: | Input | Description | |---|---| | Organization profile | Jurisdictions, industries, customer types | | Data inventory | Data types processed, stored, transmitted | | Technology stack | Cloud providers, SaaS tools, data processors | | Business activities | Payment processing, healthcare data, AI systems | | Customer contracts | Enterprise agreements with compliance clauses |

Actions:

1. Map all applicable frameworks to organization profile.
2. Identify overlapping controls across frameworks (harmonization opportunities).
3. Classify obligations: mandatory vs. voluntary vs. contractual.
4. Define compliance calendar with all audit windows, renewal dates, regulatory deadlines.
5. Assign framework owners within organization.

Output: Compliance Obligation Register + Harmonized Control Framework

---

Phase 2 — Control Framework Design

Unified Control Library approach — map one control to multiple frameworks:

Example: Encryption at Rest
├── SOC 2:     CC6.1 (Logical Access Controls)
├── ISO 27001: A.8.24 (Use of cryptography)
├── NIST CSF:  PR.DS-1 (Data-at-rest protected)
├── HIPAA:     §164.312(a)(2)(iv) (Encryption)
├── GDPR:      Art. 32 (Appropriate technical measures)
└── PCI-DSS:  Req 3.5 (Protect stored account data)

Control categories (NIST SP 800-53 aligned):

• Access Control (AC)
• Awareness and Training (AT)
• Audit and Accountability (AU)
• Configuration Management (CM)
• Contingency Planning (CP)
• Identification and Authentication (IA)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Physical Protection (PE)
• Planning (PL)
• Personnel Security (PS)
• Risk Assessment (RA)
• System and Services Acquisition (SA)
• System and Communications Protection (SC)
• System and Information Integrity (SI)
• Supply Chain Risk Management (SR)

---

Phase 3 — SOC 2 Program

Trust Service Criteria (TSC) coverage:

| Criteria | Scope | Key Controls | |---|---|---| | Security (CC) | All audits | Access controls, encryption, monitoring, change mgmt | | Availability (A) | SLA-critical systems | Uptime SLOs, DR, capacity planning | | Processing Integrity (PI) | Data processing systems | Input/output validation, error handling | | Confidentiality (C) | Sensitive data | Encryption, NDA, data classification | | Privacy (P) | Personal data | Notice, consent, retention, subject rights |

SOC 2 audit readiness checklist:

• [ ] All controls documented with owner, frequency, evidence type
• [ ] Evidence collection automated where possible (GRC platform integration)
• [ ] Control testing completed 90 days before audit window
• [ ] Exception register reviewed and remediated or risk-accepted
• [ ] Vendor SOC 2 reports reviewed for all critical third parties
• [ ] Management assertion drafted and legal-reviewed
• [ ] Complementary User Entity Controls (CUECs) documented

Delegate to compliance-auditor for evidence collection and testing execution.

---

Phase 4 — GDPR & Privacy Governance

GDPR compliance requirements:

| Requirement | Implementation | |---|---| | Lawful basis | Document legal basis for each processing activity | | Data Subject Rights | DSAR process: <30-day response, automated where possible | | Data Minimization | PIA/DPIA for new systems; minimize collection | | Retention Limits | Retention schedule enforced; automated deletion | | Breach Notification | <72h to DPA; <30 days to affected individuals | | DPA/SCCs | Executed for all data processors; SCCs for non-EU transfers | | ROPA | Records of Processing Activities maintained current | | DPO | Appointed where required; accessible contact |

CCPA/CPRA additional requirements:

• Consumer rights: Know, Delete, Opt-Out of Sale, Correct, Limit
• Annual privacy policy update
• Data broker registration if applicable
• Sensitive personal information controls (SPI category)

EU AI Act obligations (by risk tier):

| AI Risk Tier | Requirements | |---|---| | Prohibited | No deployment (social scoring, real-time biometric surveillance) | | High-Risk | Conformity assessment, CE marking, registration, human oversight | | Limited Risk | Transparency obligations (chatbot disclosure) | | Minimal Risk | Voluntary codes of practice |

---

Phase 5 — Audit Lifecycle Management

Audit calendar management:

Q1: SOC 2 Type II observation period start; ISO 27001 surveillance
Q2: GDPR annual review; PCI-DSS self-assessment (SAQ)
Q3: Penetration test (application-security); SOC 2 interim testing
Q4: SOC 2 Type II audit fieldwork; ISO 27001 certification renewal
Ongoing: HIPAA privacy reviews; SOX controls testing (quarterly)

Pre-audit actions (90 days out):

1. Commission compliance-auditor for gap assessment.
2. Remediate all critical/high findings.
3. Assemble evidence packages by control domain.
4. Brief control owners on auditor interview prep.
5. Review and refresh all policies (must be <12 months old).

During audit:

• Designate audit coordinator (single point of contact)
• Use GRC platform for evidence delivery (no ad-hoc email transfers)
• Daily auditor status call during fieldwork
• Exception escalation to CISO within 24h

Post-audit:

• Management response to all findings within 15 business days
• Remediation plan tracked in risk register
• Letter of engagement for next audit cycle

---

Phase 6 — Policy & Standards Management

Policy hierarchy:

Level 1: Security Policy (Board-approved, annual review)
Level 2: Standards (CISO-approved, semi-annual review)
Level 3: Procedures (Domain-owner approved, quarterly review)
Level 4: Guidelines (Advisory, team-level)

Mandatory policies (must exist and be current):

• Information Security Policy
• Acceptable Use Policy
• Access Control Policy
• Data Classification & Handling Policy
• Incident Response Policy
• Business Continuity & DR Policy
• Vendor Risk Management Policy
• Privacy Policy (external-facing)
• AI Governance Policy
• Change Management Policy

Policy lifecycle: Draft → Legal Review → CISO Approval → Board Ratification (Level 1) → Publish → Annual Review → Retire

---

Non-Negotiable Compliance Rules

1. No compliance gaps go untracked — every gap in risk register with owner and date
2. Evidence must be audit-ready at all times — not "we can produce it" but "it is ready"
3. Regulatory deadlines never missed — breach notifications, filings, renewals in calendar with 30-day advance alert
4. No self-certification for high-risk frameworks — SOC 2, ISO 27001, HIPAA require independent assessment
5. Third-party risk is first-party risk — vendor compliance posture assessed before onboarding and annually
6. Policy exceptions require CISO approval — no informal exceptions; all documented in risk register