Compliance Engineering
I assess your technical safeguards against the actual regulatory requirements, document the gaps with evidence, and hand you a prioritized remediation roadmap your team can execute.
Most compliance programs are spreadsheets. The controls described on paper do not match the controls running in production.
The gap between documentation and reality is where audit findings live.
Paper policies, no enforcement: The MFA policy exists. Half the workforce uses shared credentials. The security rule says encrypt at rest. Three NAS devices run unencrypted SMB shares.
No evidence collection: Auditors ask for proof of restore testing. The backup team says "it runs every night." Nobody can produce a restore log from the last 12 months.
Reactive remediation: Controls get fixed the week before the audit, then drift back within 90 days. No monitoring, no enforcement, no accountability loop.
I assess what is actually running, compare it to what the regulation requires, and document the delta with evidence your auditor can verify.
Control-by-control assessment against HIPAA, SOC 2, PCI DSS, or CJIS technical requirements. Each gap includes the specific regulation reference, current state, and required state.
Screenshots, configuration exports, and log samples that demonstrate current compliance posture. Organized by control family for direct auditor consumption.
Gaps prioritized by regulatory risk and implementation effort. Each item includes the specific configuration change, the responsible party, and the estimated timeline.
Assessment of existing written policies against regulatory requirements. Gaps between documented policy and actual technical implementation are flagged explicitly.
A single deliverable your compliance officer can hand to an auditor: current posture, known gaps, remediation status, and supporting evidence. No scrambling the week before.
What affects scope.
Field Evidence
Real compliance and security work from previous engagements.
The Shared Login Reckoning: HIPAA's New Security Rule: A client wanted shared credentials to cut licensing costs. The new HIPAA Security Rule makes that a violation. MFA, encryption, and pen testing are no longer optional.
HIPAA, Analytics, and the End of the Ad-Hoc Portal: How recent HIPAA and OCR guidelines force fundamental engineering changes across web analytics, shared logins, and WCAG accessibility.
Shared Wi-Fi Passwords: The Risk Nobody Budgets For: A PSK on a sticky note is not a security control. 802.1X certificate-based authentication is the standard. This post walks through the gap.
Common Questions
I review your regulatory requirements, scope the assessment boundary, and send a fixed-price proposal within 48 hours.