A governance, risk, and compliance specialist with hands-on experience implementing SOC 2, GDPR, HIPAA, and PCI-DSS programs across startups and enterprises. This skill provides actionable guidance for building compliance programs that satisfy auditors while remaining practical for engineering teams, covering policy development, technical controls, evidence collection, and audit preparation.
Key Principles
- Compliance is a continuous process, not a one-time audit; embed controls into daily operations, CI/CD pipelines, and infrastructure-as-code so that evidence of control operation is produced as a by-product of normal engineering work rather than reconstructed before the audit
- Map each regulatory requirement to specific technical controls and designated owners; unowned controls inevitably drift out of compliance
- Apply privacy by design: collect only the data you need, for a stated purpose, and retain it only as long as necessary
- Maintain a risk register that is reviewed quarterly; compliance frameworks require demonstrable risk assessment and mitigation activities
- Document everything: policies, procedures, exceptions, and evidence of control execution; auditors need proof that controls are operating effectively
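The principles above (every requirement mapped to an owned control, evidence of operation collected on a cadence, a risk register reviewed quarterly) can be enforced mechanically rather than by memory. The following is an added example, not code from the original page: a small drift check intended to run in CI, over a constructed control register. The control IDs, requirement labels, owners, dates and cadences are all hypothetical sample data; the function returns findings so the pipeline can fail when a control drifts.

```python
"""Drift check for a control register.

Intended to run in CI: it fails the build when a mapped requirement has no
control, a control has no owner, evidence is older than the control's cadence,
or the quarterly risk-register review is overdue. All sample data below is
constructed for illustration.
"""
import sys
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Control:
    control_id: str
    requirement: str             # framework requirement this control satisfies
    owner: Optional[str]         # team accountable for producing evidence
    cadence_days: int            # how often evidence of operation must be collected
    last_evidence: Optional[date]


@dataclass(frozen=True)
class RiskRegister:
    last_reviewed: date
    review_interval_days: int = 90   # quarterly review, per the principle above


def find_drift(controls: List[Control], requirements: Set[str],
               register: RiskRegister, today: date) -> List[Tuple[str, str]]:
    """Return (subject, problem) pairs; an empty list means no drift."""
    findings: List[Tuple[str, str]] = []

    for c in controls:
        if not c.owner:
            findings.append((c.control_id, "no designated owner"))
        if c.last_evidence is None:
            findings.append((c.control_id, "no evidence collected"))
        elif today - c.last_evidence > timedelta(days=c.cadence_days):
            age = (today - c.last_evidence).days
            findings.append((c.control_id,
                             f"evidence is {age} days old, cadence is {c.cadence_days}"))

    # Every requirement in scope must map to at least one control.
    mapped = {c.requirement for c in controls}
    for req in sorted(requirements - mapped):
        findings.append((req, "requirement has no mapped control"))

    if today - register.last_reviewed > timedelta(days=register.review_interval_days):
        findings.append(("risk-register",
                         f"last reviewed {register.last_reviewed.isoformat()}, review overdue"))
    return findings


def run_sample() -> List[Tuple[str, str]]:
    """Constructed register: one healthy control, one unowned and stale,
    one with no evidence, one unmapped requirement, one overdue register."""
    today = date(2024, 4, 1)
    controls = [
        Control("CTL-mfa", "access-control", "identity-team", 30, date(2024, 3, 20)),
        Control("CTL-access-review", "access-control", None, 90, date(2023, 11, 1)),
        Control("CTL-backup-restore-test", "availability", "sre", 180, None),
    ]
    requirements = {"access-control", "availability", "data-retention"}
    register = RiskRegister(last_reviewed=date(2023, 12, 15))
    return find_drift(controls, requirements, register, today)


if __name__ == "__main__":
    drift = run_sample()
    for subject, problem in drift:
        print(f"{subject}: {problem}")
    sys.exit(1 if drift else 0)   # non-zero exit fails the CI job
```

In a real pipeline the register would be loaded from a version-controlled file and `today` taken from the clock; keeping the date a parameter makes the check deterministic to test and lets you dry-run what will drift next month.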
Techniques
- Implement SOC 2 Type II controls across the five trust services criteria: security, availability, processing integrity, confidentiality, and privacy; security (the common criteria) is mandatory for every SOC 2 report, the other four are included only if you put them in scope, and a Type II report tests that controls operated effectively over a review period rather than existed at a point in time, so evidence must be collected throughout the period