# **Chapter 17: Governance, Risk, and Compliance (GRC)**

## Introduction: From Technical Controls to Organizational Resilience

In Chapter 16, we implemented specialized security controls for industrial systems, mobile applications, IoT devices, and blockchain networks. We secured Modbus TCP protocols with application-layer firewalls, implemented certificate pinning for mobile apps, established secure boot chains for constrained devices, and architected multi-signature wallets for immutable smart contracts. Yet technical controls, no matter how sophisticated, cannot secure an organization without governance frameworks that ensure they are consistently applied, continuously monitored, and regularly improved.

**Governance, Risk, and Compliance (GRC)** represents the organizational layer of cybersecurity—the policies, procedures, and oversight mechanisms that transform technical capabilities into sustainable security postures. While a firewall rule blocks a packet in microseconds, governance determines which traffic should be blocked, who can modify the rule, how changes are tested, and what happens when the rule fails. Governance answers: *Who decides? Who is accountable? How do we know we're doing the right things?*

This chapter navigates the frameworks that govern modern security programs. **ISO/IEC 27001:2022** provides the international standard for Information Security Management Systems (ISMS), defining how organizations establish, implement, maintain, and continually improve information security. **PCI DSS** mandates specific controls for organizations handling payment card data, with strict network segmentation and encryption requirements. **HIPAA** governs healthcare data protection in the United States, requiring audit controls and access management for Protected Health Information (PHI). **SOC 2 Type II** provides assurance to customers that service organizations maintain effective controls over security, availability, processing integrity, confidentiality, and privacy.

By the end of this chapter, you will understand how to implement risk assessment methodologies that translate technical vulnerabilities into business impact, establish control frameworks that satisfy multiple compliance regimes simultaneously, prepare for external audits with evidence packages, and build security metrics that communicate effectively to boards and executives.

---

## 17.1 ISO/IEC 27001:2022 Deep Dive: Implementing an ISMS

ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). The 2022 revision updated the control structure from 14 domains to 4 themes (Organizational, People, Physical, Technological) with 93 controls.

### ISMS Implementation Roadmap

**Phase 1: Context and Leadership (Clauses 4-5)**

```python
# isms_context.py
class ISMSContext:
    """
    ISO 27001 Clause 4: Context of the Organization
    """
    
    def __init__(self, organization_name: str):
        self.organization = organization_name
        self.internal_issues = []
        self.external_issues = []
        self.interested_parties = {}
        self.scope = None
        
    def identify_internal_issues(self):
        """
        Internal issues affecting ISMS capability
        """
        self.internal_issues = [
            "Complex multi-cloud infrastructure",
            "Legacy systems without security patches",
            "Skills shortage in cloud security",
            "Rapid development cycles (CI/CD)",
            "Remote workforce expansion"
        ]
        
    def identify_external_issues(self):
        """
        External issues affecting ISMS
        """
        self.external_issues = [
            "Evolving ransomware threats",
            "GDPR and data protection regulations",
            "Supply chain vulnerabilities (Log4j, etc.)",
            "Geopolitical cyber threats",
            "Cloud provider shared responsibility model"
        ]
        
    def identify_interested_parties(self):
        """
        Clause 4.2: Interested parties and their requirements
        """
        self.interested_parties = {
            "Customers": ["Data confidentiality", "Service availability", "Privacy"],
            "Regulators": ["GDPR compliance", "ISO 27001 certification", "Audit rights"],
            "Shareholders": ["Risk management", "Incident disclosure", "Business continuity"],
            "Employees": ["Access to systems", "Security awareness training", "Clear policies"],
            "Partners": ["Secure data exchange", "Contractual security requirements"]
        }
        
    def define_scope(self):
        """
        Clause 4.3: ISMS Scope
        """
        self.scope = {
            "in_scope": [
                "Customer-facing web applications",
                "Mobile applications (iOS/Android)",
                "Cloud infrastructure (AWS, Azure)",
                "Corporate network and endpoints",
                "Third-party SaaS with customer data"
            ],
            "out_of_scope": [
                "Physical manufacturing facilities (covered by separate OT security)",
                "Public marketing website (no authentication)",
                "Employee personal devices (BYOD policy applies)"
            ],
            "interfaces": [
                "API gateway to payment processor",
                "SFTP to banking partner",
                "VPN to disaster recovery site"
            ]
        }
```

**Phase 2: Risk Assessment (Clause 6.1.2)**

```python
class ISMSRiskAssessment:
    """
    ISO 27001 Clause 6.1.2: Information Security Risk Assessment
    """
    
    def __init__(self):
        self.risk_register = []
        self.risk_matrix = self._create_risk_matrix()
        
    def _create_risk_matrix(self):
        """
        5x5 Risk Matrix: Likelihood x Impact
        """
        return {
            "likelihood": {
                1: "Rare (1 in 100 years)",
                2: "Unlikely (1 in 10 years)",
                3: "Possible (1 in 1 year)",
                4: "Likely (1 in 1 month)",
                5: "Almost Certain (1 in 1 week)"
            },
            "impact": {
                1: "Negligible (<$10k, no regulatory)",
                2: "Minor ($10k-$100k, internal)",
                3: "Moderate ($100k-$1M, customer impact)",
                4: "Major ($1M-$10M, regulatory fine)",
                5: "Catastrophic (>$10M, business failure)"
            }
        }
    
    def identify_risks(self):
        """
        Systematic identification of information security risks
        """
        # risk_score = likelihood x impact on the 5x5 matrix above
        risks = [
            {
                "id": "R-001",
                "category": "Confidentiality",
                "description": "Unauthorized access to customer database via compromised credentials",
                "asset": "Customer PII Database",
                "threat": "Credential stuffing attack",
                "vulnerability": "Lack of MFA on admin accounts",
                "current_controls": ["Password policy", "Audit logging"],
                "likelihood": 3,  # Possible
                "impact": 4,      # Major (GDPR fine)
                "risk_score": 12  # 3 x 4 = High
            },
            {
                "id": "R-002",
                "category": "Availability",
                "description": "Ransomware encryption of production servers",
                "asset": "Production Environment",
                "threat": "Ransomware deployment",
                "vulnerability": "Unpatched Windows servers, phishing susceptibility",
                "current_controls": ["Antivirus", "Backups"],
                "likelihood": 3,
                "impact": 5,      # Catastrophic
                "risk_score": 15  # 3 x 5 = Critical
            },
            {
                "id": "R-003",
                "category": "Integrity",
                "description": "Supply chain compromise of third-party library",
                "asset": "Application Code",
                "threat": "Malicious dependency injection",
                "vulnerability": "Unpinned dependencies, lack of SCA",
                "current_controls": ["Manual code review"],
                "likelihood": 2,
                "impact": 4,
                "risk_score": 8   # 2 x 4 = Medium
            }
        ]
        
        self.risk_register = risks
        return risks
    
    def evaluate_risk_treatment(self, risk_id: str, treatment_option: str) -> dict:
        """
        ISO 27001 requires documented risk treatment decisions
        """
        risk = next(r for r in self.risk_register if r['id'] == risk_id)
        
        treatments = {
            "mitigate": {
                "description": "Implement additional controls to reduce risk",
                "residual_risk": max(1, risk['risk_score'] - 6),  # Example reduction
                "actions": ["Implement MFA", "Deploy EDR", "Network segmentation"]
            },
            "transfer": {
                "description": "Transfer risk to third party (insurance)",
                "residual_risk": risk['risk_score'],  # Risk remains but financial impact covered
                "actions": ["Purchase cyber insurance", "Contractual liability transfer"]
            },
            "avoid": {
                "description": "Discontinue activity causing risk",
                "residual_risk": 0,
                "actions": ["Decommission legacy system", "Outsource to SaaS provider"]
            },
            "accept": {
                "description": "Accept risk with management approval",
                "residual_risk": risk['risk_score'],
                "actions": ["Document risk acceptance", "Annual review", "Monitor indicators"]
            }
        }
        
        return treatments.get(treatment_option)
```

### Annex A Controls (ISO 27001:2022)

The 2022 revision reorganized 93 controls into 4 themes:

```python
class ISO27001_2022_Controls:
    """
    ISO 27001:2022 Annex A Controls
    Organized by 4 themes: Organizational, People, Physical, Technological
    """
    
    def __init__(self):
        self.controls = {
            # Organizational Controls (37 controls)
            "A.5": {
                "title": "Organizational Controls",
                "controls": {
                    "A.5.1": {
                        "title": "Policies for information security",
                        "description": "Management should define policies and review them regularly",
                        "implementation": "Documented ISMS policy, approved by CISO, annual review"
                    },
                    "A.5.7": {
                        "title": "Threat intelligence",
                        "description": "Information relating to threats should be collected and analyzed",
                        "implementation": "Threat intel platform (MISP), weekly threat briefings, IOC feeds"
                    },
                    "A.5.24": {
                        "title": "Information security incident management planning and preparation",
                        "description": "Organization should plan and prepare for managing information security incidents",
                        "implementation": "Incident response plan, playbooks, tabletop exercises quarterly"
                    }
                }
            },
            
            # People Controls (8 controls)
            "A.6": {
                "title": "People Controls",
                "controls": {
                    "A.6.1": {
                        "title": "Screening",
                        "description": "Background verification checks on candidates",
                        "implementation": "Background checks for privileged access roles"
                    },
                    "A.6.3": {
                        "title": "Information security awareness, education and training",
                        "description": "Personnel should receive appropriate awareness training",
                        "implementation": "Annual security training, phishing simulations monthly"
                    }
                }
            },
            
            # Physical Controls (15 controls)
            "A.7": {
                "title": "Physical Controls",
                "controls": {
                    "A.7.1": {
                        "title": "Physical security perimeters",
                        "description": "Security perimeters should be defined and used",
                        "implementation": "Data center badge access, mantraps, CCTV"
                    },
                    "A.7.5": {
                        "title": "Working in secure areas",
                        "description": "Controls for working in secure areas",
                        "implementation": "Clean desk policy, no photography, visitor escorts"
                    }
                }
            },
            
            # Technological Controls (33 controls)
            "A.8": {
                "title": "Technological Controls",
                "controls": {
                    "A.8.1": {
                        "title": "User endpoint devices",
                        "description": "Information stored on, processed by or accessible through user endpoint devices should be protected",
                        "implementation": "MDM enrollment, disk encryption, remote wipe capability"
                    },
                    "A.8.5": {
                        "title": "Secure authentication",
                        "description": "Secure authentication technologies and procedures",
                        "implementation": "MFA, passwordless authentication, SSO"
                    },
                    "A.8.9": {
                        "title": "Configuration management",
                        "description": "Configurations should be established, documented, implemented, monitored and reviewed",
                        "implementation": "Infrastructure as Code, configuration baselines, drift detection"
                    },
                    "A.8.11": {
                        "title": "Data masking",
                        "description": "Data masking should be used in accordance with the organization's topic-specific policy on access control",
                        "implementation": "Dynamic data masking in databases, tokenization"
                    },
                    "A.8.15": {
                        "title": "Logging",
                        "description": "Activities should be logged",
                        "implementation": "Centralized logging, SIEM, tamper-proof logs"
                    },
                    "A.8.23": {
                        "title": "Web filtering",
                        "description": "Access to external websites should be managed",
                        "implementation": "Proxy with content filtering, DNS filtering"
                    },
                    "A.8.24": {
                        "title": "Use of cryptography",
                        "description": "Rules for the effective use of cryptography",
                        "implementation": "Cryptographic key management, algorithm standards"
                    },
                    "A.8.28": {
                        "title": "Secure coding",
                        "description": "Secure coding principles should be applied",
                        "implementation": "SAST/DAST in CI/CD, secure coding training"
                    }
                }
            }
        }
    
    def get_control(self, control_id: str):
        """Retrieve specific control details"""
        for theme in self.controls.values():
            if control_id in theme["controls"]:
                return theme["controls"][control_id]
        return None
    
    def generate_gap_analysis(self, current_implementations: dict):
        """
        Compare current state against ISO 27001 requirements
        """
        gaps = []
        for theme_id, theme in self.controls.items():
            for control_id, control in theme["controls"].items():
                current = current_implementations.get(control_id, "Not implemented")
                if current == "Not implemented":
                    gaps.append({
                        "control": control_id,
                        "title": control["title"],
                        "priority": "High" if theme_id in ["A.5", "A.8"] else "Medium",
                        "action": f"Implement: {control['implementation']}"
                    })
        return gaps
```

### Risk Assessment Methodology (ISO 27005)

```python
class ISMSRiskAssessment:
    """
    ISO 27005 compliant risk assessment
    """
    
    def __init__(self):
        self.risk_scenarios = []
        self.treatment_plan = []
        
    def identify_risks(self, asset_inventory: list) -> list:
        """
        Identify risks based on assets, threats, and vulnerabilities.

        Each inventory entry carries the threat and vulnerability data gathered
        for that asset during the assessment, for example:
        {"id": "DB01", "value": 4, "controls": ["Audit logging"],
         "threats": [{"id": "T1", "name": "Credential stuffing", "likelihood": 3,
                      "vulnerabilities": [{"id": "V1", "name": "No MFA", "exposure": 4}]}]}
        """
        for asset in asset_inventory:
            # Identify threats to this asset
            threats = self.identify_threats(asset)
            
            for threat in threats:
                # Identify vulnerabilities that threat could exploit
                vulns = self.identify_vulnerabilities(asset, threat)
                
                for vuln in vulns:
                    risk = {
                        # The vulnerability id is part of the key so two weaknesses
                        # exploited by the same threat do not collapse into one risk
                        "risk_id": f"R-{asset['id']}-{threat['id']}-{vuln['id']}",
                        "asset": asset,
                        "threat": threat,
                        "vulnerability": vuln,
                        "likelihood": self.calculate_likelihood(threat, vuln),
                        "impact": self.calculate_impact(asset, threat),
                        "current_controls": self.identify_controls(asset, threat)
                    }
                    risk["risk_score"] = risk["likelihood"] * risk["impact"]
                    risk["risk_level"] = self.calculate_risk_level(
                        risk["likelihood"], 
                        risk["impact"]
                    )
                    self.risk_scenarios.append(risk)
        return self.risk_scenarios

    def identify_threats(self, asset: dict) -> list:
        """Threats catalogued against the asset (ISO 27005 threat catalogue)"""
        return asset.get("threats", [])

    def identify_vulnerabilities(self, asset: dict, threat: dict) -> list:
        """Weaknesses the given threat could exploit on this asset"""
        return threat.get("vulnerabilities", [])

    def calculate_likelihood(self, threat: dict, vuln: dict) -> int:
        """
        Likelihood (1-5): a threat cannot materialize more often than the
        weakness it needs is exposed, so take the lower of the two ratings
        """
        return min(threat["likelihood"], vuln.get("exposure", 5))

    def calculate_impact(self, asset: dict, threat: dict) -> int:
        """Impact (1-5) follows the business value assigned to the asset"""
        return asset.get("value", 3)

    def identify_controls(self, asset: dict, threat: dict) -> list:
        """Controls already in place for the asset"""
        return asset.get("controls", [])
    
    def calculate_risk_level(self, likelihood: int, impact: int) -> str:
        """
        Risk matrix: 5x5 grid
        """
        risk_score = likelihood * impact
        
        if risk_score >= 20:
            return "Critical"
        elif risk_score >= 15:
            return "High"
        elif risk_score >= 8:
            return "Medium"
        else:
            return "Low"
    
    def plan_risk_treatment(self, risk_id: str, option: str) -> dict:
        """
        ISO 27001 requires documented risk treatment
        """
        risk = next(r for r in self.risk_scenarios if r['risk_id'] == risk_id)
        
        treatments = {
            "mitigate": {
                "description": "Reduce likelihood or impact",
                "actions": [
                    "Implement additional controls",
                    "Increase monitoring",
                    "Redesign process"
                ],
                # Illustrative: additional controls cut likelihood by two levels
                "residual_risk": max(1, risk['likelihood'] - 2) * risk['impact']
            },
            "transfer": {
                "description": "Transfer to third party",
                "actions": [
                    "Cyber insurance",
                    "Outsourcing to cloud provider",
                    "Contractual liability clauses"
                ],
                "residual_risk": risk['risk_score']  # Risk remains operationally
            },
            "avoid": {
                "description": "Discontinue activity",
                "actions": [
                    "Decommission legacy system",
                    "Stop processing sensitive data",
                    "Change business process"
                ],
                "residual_risk": 0
            },
            "accept": {
                "description": "Accept with management approval",
                "actions": [
                    "Document risk acceptance",
                    "Annual review",
                    "Monitor risk indicators"
                ],
                "residual_risk": risk['risk_score']
            }
        }
        
        treatment = treatments.get(option)
        if treatment is None:
            raise ValueError(f"Unknown treatment option: {option}")
        
        # Record the decision so the treatment plan is auditable
        self.treatment_plan.append({"risk_id": risk_id, "option": option, **treatment})
        return treatment
```

---

## 17.2 PCI DSS: Securing Cardholder Data Environments

The Payment Card Industry Data Security Standard (PCI DSS) v4.0 applies to all entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD).

### PCI DSS v4.0 Requirements Overview

| Requirement | Title | Key Controls |
|-------------|-------|--------------|
| **1** | Install and Maintain Network Security Controls | Firewalls, network segmentation, deny-by-default |
| **2** | Apply Secure Configurations | Hardening standards, vendor defaults changed, inventory |
| **3** | Protect Stored Account Data | Encryption, truncation, tokenization, key management |
| **4** | Protect Cardholder Data with Strong Cryptography | TLS 1.2+, cipher suites, certificate validation |
| **5** | Protect All Networks and Systems from Malicious Software | Anti-malware, whitelisting, continuous monitoring |
| **6** | Develop and Maintain Secure Systems and Software | SDLC, vulnerability management, software security patches |
| **7** | Restrict Access by Need to Know | Least privilege, role-based access, access reviews |
| **8** | Identify Users and Authenticate Access to System Components | MFA, unique IDs, password policies, session management |
| **9** | Restrict Physical Access to Cardholder Data | Facility controls, media destruction, visitor management |
| **10** | Log and Monitor All Access to System Components | Audit trails, time synchronization, log protection |
| **11** | Test Security of Systems and Networks Regularly | Vulnerability scans, penetration testing, intrusion detection |
| **12** | Support Information Security with Organizational Policies | Security policies, risk assessment, incident response |

### Network Segmentation for CDE

PCI DSS requires isolating the Cardholder Data Environment (CDE) from non-payment networks.

```hcl
# Terraform configuration for PCI DSS compliant network
# Requirement 1: Install and maintain network security controls

resource "aws_vpc" "cde_vpc" {
  cidr_block = "10.0.0.0/16"
  
  tags = {
    Name = "CDE-VPC"
    Compliance = "PCI-DSS"
    Scope = "Cardholder-Data-Environment"
  }
}

# Public subnet for web tier (DMZ) - No CHD storage
resource "aws_subnet" "web_tier" {
  vpc_id     = aws_vpc.cde_vpc.id
  cidr_block = "10.0.1.0/24"
  
  tags = {
    Name = "Web-Tier"
    Tier = "Public"
  }
}

# Private subnet for application tier - No direct internet
resource "aws_subnet" "app_tier" {
  vpc_id     = aws_vpc.cde_vpc.id
  cidr_block = "10.0.2.0/24"
  
  tags = {
    Name = "App-Tier"
    Tier = "Private"
  }
}

# Isolated subnet for database tier - CHD storage
resource "aws_subnet" "data_tier" {
  vpc_id     = aws_vpc.cde_vpc.id
  cidr_block = "10.0.3.0/24"
  
  tags = {
    Name = "Data-Tier"
    Tier = "Isolated"
    ContainsCHD = "true"
  }
}

# Security Groups - Stateful firewalls (Requirement 1.3)
resource "aws_security_group" "web_to_app" {
  name_prefix = "web-to-app-"
  vpc_id      = aws_vpc.cde_vpc.id
  
  # Only allow HTTPS from web tier to app tier
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_subnet.web_tier.cidr_block]
    description = "HTTPS from Web Tier"
  }
  
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  
  tags = {
    Compliance = "PCI-DSS-Req-1.3"
  }
}

resource "aws_security_group" "app_to_db" {
  name_prefix = "app-to-db-"
  vpc_id      = aws_vpc.cde_vpc.id
  
  # Database access only from app tier, specific port
  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = [aws_subnet.app_tier.cidr_block]
    description = "PostgreSQL from App Tier only"
  }
  
  tags = {
    Compliance = "PCI-DSS-Req-1.3"
    ContainsCHD = "true"
  }
}

# Network ACLs - Stateless (additional layer)
resource "aws_network_acl" "database_acl" {
  vpc_id = aws_vpc.cde_vpc.id
  
  subnet_ids = [aws_subnet.data_tier.id]
  
  # Allow inbound only from the app subnet on the DB port
  ingress {
    protocol   = "tcp"
    rule_no    = 100
    action     = "allow"
    cidr_block = aws_subnet.app_tier.cidr_block
    from_port  = 5432
    to_port    = 5432
  }
  
  # Deny all other inbound
  ingress {
    protocol   = "-1"
    rule_no    = 32766
    action     = "deny"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }
  
  # NACLs are stateless: return traffic to the app tier's ephemeral ports
  # must be allowed explicitly or database responses are dropped
  egress {
    protocol   = "tcp"
    rule_no    = 100
    action     = "allow"
    cidr_block = aws_subnet.app_tier.cidr_block
    from_port  = 1024
    to_port    = 65535
  }
  
  # Deny all other outbound (no internet egress from the CHD subnet)
  egress {
    protocol   = "-1"
    rule_no    = 32766
    action     = "deny"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }
  
  tags = {
    Name = "Database-ACL"
  }
}
```
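Segmentation only holds while the rules above stay as written, so a recurring check for drift is part of maintaining Requirement 1. The following is an added example, not code from the chapter: it evaluates security-group rules against the allow-list implied by the Terraform (only the app tier, only PostgreSQL, into anything tagged `ContainsCHD`). The export format and the sample rules, including the two drifted ones, are constructed for this example.

```python
import ipaddress

# Constructed sample: security-group rules as a hypothetical audit export would
# list them, each rule annotated with the tags of the group it belongs to
SAMPLE_RULES = [
    {"group": "web-to-app", "tags": {"Compliance": "PCI-DSS-Req-1.3"},
     "direction": "ingress", "protocol": "tcp", "from_port": 443, "to_port": 443,
     "cidr": "10.0.1.0/24"},
    {"group": "app-to-db", "tags": {"ContainsCHD": "true"},
     "direction": "ingress", "protocol": "tcp", "from_port": 5432, "to_port": 5432,
     "cidr": "10.0.2.0/24"},
    # Drift: a "temporary" rule added outside change control
    {"group": "app-to-db", "tags": {"ContainsCHD": "true"},
     "direction": "ingress", "protocol": "tcp", "from_port": 5432, "to_port": 5432,
     "cidr": "0.0.0.0/0"},
    # Drift: SSH opened from the web tier straight into the CHD subnet
    {"group": "app-to-db", "tags": {"ContainsCHD": "true"},
     "direction": "ingress", "protocol": "tcp", "from_port": 22, "to_port": 22,
     "cidr": "10.0.1.0/24"},
]

# Allow-list derived from the Terraform above: only the app tier, only PostgreSQL
APP_TIER = ipaddress.ip_network("10.0.2.0/24")
ALLOWED_SOURCES = (APP_TIER,)
ALLOWED_PORTS = frozenset({5432})


def find_segmentation_violations(rules, allowed_sources=ALLOWED_SOURCES,
                                 allowed_ports=ALLOWED_PORTS):
    """
    Return ingress rules that let traffic reach a ContainsCHD-tagged group from
    outside the allow-listed sources or on ports other than the allow-listed ones.
    """
    violations = []
    for rule in rules:
        if rule["direction"] != "ingress":
            continue
        if rule["tags"].get("ContainsCHD", "").lower() != "true":
            continue

        source = ipaddress.ip_network(rule["cidr"])
        # A source is acceptable only if it lies entirely inside an allowed
        # network; 0.0.0.0/0 or any broader supernet fails this test
        source_ok = any(source.version == net.version and source.subnet_of(net)
                        for net in allowed_sources)
        # Protocol "-1" (all) or a range wider than one allowed port is a violation
        ports_ok = (rule["protocol"] == "tcp"
                    and rule["from_port"] == rule["to_port"]
                    and rule["from_port"] in allowed_ports)

        if source_ok and ports_ok:
            continue
        reasons = []
        if not source_ok:
            reasons.append(f"source {source} is outside the app tier")
        if not ports_ok:
            reasons.append(f"ports {rule['from_port']}-{rule['to_port']}/"
                           f"{rule['protocol']} not on allow-list")
        violations.append({"group": rule["group"], "rule": rule,
                           "reason": "; ".join(reasons)})
    return violations


if __name__ == "__main__":
    for v in find_segmentation_violations(SAMPLE_RULES):
        print(f"[{v['group']}] {v['reason']}")
```

Run against a real export, the same function is a cheap pre-check before the segmentation penetration test that Requirement 11 calls for.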

### Data Protection (Requirements 3 & 4)

```python
import os
import secrets
import ssl
import urllib.request
from datetime import datetime, timedelta, timezone

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


class PCIDSSDataProtection:
    """
    PCI DSS Requirements 3 & 4: Protect stored cardholder data and 
    encrypt transmission
    """
    
    def __init__(self, hsm, token_lifetime_days: int = 365):
        # hsm: client for the organization's HSM/KMS-backed token vault; it must provide
        #   generate_data_key(key_spec) -> {"plaintext": bytes}
        #   encrypt_with_master_key(plaintext: bytes) -> bytes
        #   store_token_mapping(token, pan, expiration)
        # The plaintext DEK and PAN are never persisted by this class
        self.hsm = hsm
        self.token_lifetime = timedelta(days=token_lifetime_days)
        
    def tokenize_pan(self, pan: str) -> str:
        """
        Requirement 3.4: Render PAN unreadable anywhere it is stored
        Using tokenization instead of encryption: the token is random and has
        no mathematical relationship to the PAN, so it cannot be reversed
        without access to the vault
        """
        # Validate PAN format
        if not self.validate_luhn(pan):
            raise ValueError("Invalid PAN")
        
        # Generate random token
        token = secrets.token_hex(16)
        
        # Store mapping in secure vault (HSM-backed)
        self.hsm.store_token_mapping(
            token=token,
            pan=self.encrypt_pan_for_storage(pan),
            expiration=self.calculate_token_expiration()
        )
        
        return token
    
    def calculate_token_expiration(self) -> datetime:
        """Tokens expire so stale PAN mappings are purged from the vault"""
        return datetime.now(timezone.utc) + self.token_lifetime
    
    def encrypt_pan_for_storage(self, pan: str) -> dict:
        """
        Requirement 3.4.1: Strong cryptography for PAN storage
        AES-256-GCM with HSM key management
        """
        # Generate a fresh data encryption key (DEK) from the HSM for this record
        dek = self.hsm.generate_data_key(key_spec="AES_256")
        
        # 96-bit GCM nonce; it must never repeat under the same key, which the
        # one-DEK-per-record design guarantees
        nonce = os.urandom(12)
        
        # Encrypt PAN
        cipher = Cipher(algorithms.AES(dek['plaintext']), modes.GCM(nonce))
        encryptor = cipher.encryptor()
        ciphertext = encryptor.update(pan.encode()) + encryptor.finalize()
        
        # Store encrypted DEK alongside ciphertext (envelope encryption)
        encrypted_dek = self.hsm.encrypt_with_master_key(dek['plaintext'])
        
        return {
            'ciphertext': ciphertext,
            'encrypted_dek': encrypted_dek,
            'tag': encryptor.tag,
            'nonce': nonce
        }
    
    def secure_transmission(self, data: bytes, endpoint: str) -> bytes:
        """
        Requirement 4.1: Strong cryptography for transmission over open networks
        TLS 1.2+ with strong cipher suites
        """
        # Enforce TLS 1.2+ only
        context = ssl.create_default_context()
        context.minimum_version = ssl.TLSVersion.TLSv1_2
        
        # Restrict to strong cipher suites (PCI DSS compliant)
        context.set_ciphers(
            'ECDHE-ECDSA-AES256-GCM-SHA384:'
            'ECDHE-RSA-AES256-GCM-SHA384:'
            'ECDHE-ECDSA-AES128-GCM-SHA256:'
            'ECDHE-RSA-AES128-GCM-SHA256'
        )
        
        # Pin trust to the payment gateway's own certificate rather than
        # the system CA bundle
        context.load_verify_locations(cafile="gateway-cert.pem")
        
        request = urllib.request.Request(
            endpoint,
            data=data,
            headers={'Content-Type': 'application/json'},
            method='POST'
        )
        
        with urllib.request.urlopen(request, context=context) as response:
            return response.read()
    
    def validate_luhn(self, pan: str) -> bool:
        """Validate PAN using Luhn algorithm (PANs are 13 to 19 digits)"""
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            return False
        
        digits = [int(d) for d in pan]
        odd_digits = digits[-1::-2]   # check digit and every second digit from the right
        even_digits = digits[-2::-2]  # the digits that get doubled
        
        checksum = sum(odd_digits)
        for d in even_digits:
            checksum += sum(divmod(d * 2, 10))
        
        return checksum % 10 == 0
```
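Requirement 3 also covers truncation, the display form of a PAN, and a control that is easy to get wrong in practice is PAN leaking into application logs. The following is an added example, not the chapter's own code: it masks a PAN for display and scans log lines for cleartext PANs, using a Luhn check so that order numbers and other long digit strings are not reported. The log lines are constructed; the card numbers are the industry test numbers and the order id is a non-card number.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by single spaces
# or hyphens, not embedded in a longer run of digits
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines; the order id is 16 digits but not Luhn-valid
SAMPLE_LOG_LINES = [
    "2024-03-01T10:00:00Z INFO checkout order=1234567890123456 status=ok",
    "2024-03-01T10:00:05Z DEBUG gateway request pan=4111111111111111 amount=19.99",
    "2024-03-01T10:00:07Z INFO payment token=3f9c2b7e masked=411111******1111",
    "2024-03-01T10:01:00Z ERROR retry card 5555 5555 5555 4444 declined",
]


def luhn_valid(digits: str) -> bool:
    """Luhn check; separates real PANs from other long numbers"""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits at most, the rest masked"""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_unmasked_pans(lines):
    """
    Scan log lines for cleartext PANs. Findings carry the masked form only, so
    the report itself does not become another place the PAN is stored.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append({"line": line_no, "column": match.start(),
                                 "masked": mask_pan(digits)})
    return findings


if __name__ == "__main__":
    for f in find_unmasked_pans(SAMPLE_LOG_LINES):
        print(f"line {f['line']} col {f['column']}: cleartext PAN {f['masked']}")
```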

---

## 17.3 HIPAA & Healthcare Data Security

The Health Insurance Portability and Accountability Act (HIPAA) establishes standards for protecting Protected Health Information (PHI) in the United States. The Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) specifically addresses electronic PHI (ePHI).

### HIPAA Security Rule Requirements

HIPAA requires three types of safeguards:

**Administrative Safeguards** (9 standards):
- Security Management Process (Risk Analysis, Risk Management)
- Assigned Security Responsibilities
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts

**Physical Safeguards** (4 standards):
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls

**Technical Safeguards** (5 standards):
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security

### Technical Implementation

```python
class HIPAACompliance:
    """
    HIPAA Security Rule technical implementation
    """
    
    def __init__(self):
        self.phi_access_log = []
        self.encryption_key = None
        
    def access_control_unique_user(self, user_id: str, role: str):
        """
        §164.312(a)(1): Access Control - Unique User Identification
        """
        # Assign unique ID to each user (no shared accounts)
        user = {
            "user_id": user_id,
            "role": role,
            "created": datetime.utcnow(),
            "last_access": None,
            "active": True
        }
        
        # Emergency access procedure (break-glass)
        if role == "emergency":
            user["requires_approval"] = True
            user["time_limited"] = True
            user["expiration"] = datetime.utcnow() + timedelta(hours=4)
        
        return user
    
    def audit_controls(self, action: str, user_id: str, 
                      phi_accessed: str, success: bool):
        """
        §164.312(b): Audit Controls
        Record who accessed what PHI and when
        """
        audit_entry = {
            "timestamp": datetime.utcnow().isoformat(),
            "user_id": user_id,
            "action": action,  # VIEW, MODIFY, DELETE, EXPORT
            "phi_identifier": self.hash_phi_identifier(phi_accessed),  # Hashed, not raw
            "success": success,
            "source_ip": self.get_client_ip(),
            "session_id": self.get_session_id()
        }
        
        # Tamper-evident logging (append-only)
        self.append_to_audit_chain(audit_entry)
        
        # Real-time alerting for suspicious patterns
        self.detect_anomalies(audit_entry)
        
        return audit_entry
    
    def hash_phi_identifier(self, phi: str) -> str:
        """
        Store only hashed reference to PHI in logs (not actual PHI)
        """
        return hashlib.sha256(f"HIPAA_SALT_{phi}".encode()).hexdigest()[:16]
    
    def integrity_controls(self, data: bytes) -> bytes:
        """
        §164.312(c)(1): Integrity
        Mechanism to authenticate ePHI (detect tampering)
        """
        # Digital signature or MAC
        mac = hmac.new(self.integrity_key, data, hashlib.sha256).digest()
        return data + mac
    
    def verify_integrity(self, data_with_mac: bytes) -> bytes:
        data = data_with_mac[:-32]
        provided_mac = data_with_mac[-32:]
        
        expected_mac = hmac.new(self.integrity_key, data, hashlib.sha256).digest()
        
        if not hmac.compare_digest(provided_mac, expected_mac):
            raise IntegrityError("ePHI has been tampered with")
        
        return data
    
    def person_authentication(self, user_id: str, credentials: dict):
        """
        §164.312(d): Person or Entity Authentication
        Verify that a person or entity seeking access is the one claimed
        """
        # Multi-factor authentication required
        factors_verified = 0
        
        # Factor 1: Something you know (password)
        if self.verify_password(user_id, credentials.get('password', '')):
            factors_verified += 1
        
        # Factor 2: Something you have (hardware token/phone); a missing code
        # counts as a failed factor rather than raising KeyError
        if credentials.get('totp') and self.verify_totp(user_id, credentials['totp']):
            factors_verified += 1
        
        # Factor 3: Something you are (biometric) - for high-risk access
        if credentials.get('biometric'):
            if self.verify_biometric(user_id, credentials['biometric']):
                factors_verified += 1
        
        if factors_verified < 2:
            self.log_failed_auth(user_id, factors_verified)
            raise AuthenticationError("Multi-factor authentication failed")
        
        return self.create_session(user_id)
    
    def transmission_security(self, data: bytes, destination: str):
        """
        §164.312(e): Transmission Security
        Integrity controls and encryption
        """
        # TLS 1.3 for transmission
        context = ssl.create_default_context()
        context.minimum_version = ssl.TLSVersion.TLSv1_3
        context.load_cert_chain(certfile="client.crt", keyfile="client.key")
        context.load_verify_locations(cafile="ca.crt")
        
        # Mutual TLS (mTLS) - both sides authenticate
        context.verify_mode = ssl.CERT_REQUIRED
        
        with socket.create_connection((destination, 443)) as sock:
            with context.wrap_socket(sock, server_hostname=destination) as ssock:
                # Verify certificate pinning
                cert = ssock.getpeercert(binary_form=True)
                if not self.verify_cert_pin(cert):
                    raise ssl.SSLError("Certificate pinning failed")
                
                ssock.sendall(data)
```

### Business Associate Agreements (BAA)

HIPAA requires contracts with Business Associates (vendors handling PHI):

```python
class BAAManagement:
    """
    Manage Business Associate Agreements
    """
    
    def generate_baa(self, business_associate: str, services: list):
        """
        Generate Business Associate Agreement per 45 CFR § 164.504(e)
        """
        baa = {
            "parties": {
                "covered_entity": "Healthcare Provider",
                "business_associate": business_associate
            },
            "permitted_uses": [
                "Perform services specified in agreement",
                "Management and administration",
                "Legal responsibilities of BA"
            ],
            "prohibited_uses": [
                "Use PHI for independent purposes",
                "Disclosure to unauthorized persons",
                "Sale of PHI"
            ],
            "safeguards_required": [
                "Implement administrative safeguards",
                "Implement physical safeguards", 
                "Implement technical safeguards",
                "Report breaches within 24 hours",
                "Ensure subcontractors agree to same restrictions"
            ],
            "termination": {
                "return_or_destroy_phi": True,
                "survival_of_provisions": ["Indemnification", "Liability"]
            }
        }
        
        return baa
    
    def assess_ba_risk(self, business_associate: str):
        """
        Due diligence before engaging Business Associate
        """
        assessment = {
            "entity": business_associate,
            "soc2_type2": self.verify_soc2(business_associate),
            "iso27001_certified": self.verify_iso27001(business_associate),
            "hipaa_compliant": self.verify_hipaa_compliance(business_associate),
            "breach_history": self.check_breach_history(business_associate),
            "subcontractors": self.list_subcontractors(business_associate),
            "data_residency": self.verify_data_locations(business_associate)
        }
        
        if not assessment["soc2_type2"] and not assessment["iso27001_certified"]:
            return {"approved": False, "reason": "Insufficient security certifications"}
        
        if assessment["breach_history"]:
            return {"approved": False, "reason": "Recent breach history"}
        
        return {"approved": True, "assessment": assessment}
```

---

## 17.4 SOC 2 Type II: Demonstrating Trust through Audits

SOC 2 (Service Organization Control 2) is an auditing standard developed by the AICPA that evaluates service organizations based on the Trust Services Criteria (TSC). Unlike ISO 27001's prescriptive controls, SOC 2 focuses on attesting that controls are designed and operating effectively.

### Trust Services Criteria Categories

1. **Security (Common Criteria)** - Protection against unauthorized access
2. **Availability** - System availability for operation and use
3. **Processing Integrity** - Complete, valid, accurate, timely processing
4. **Confidentiality** - Designated confidential information is protected
5. **Privacy** - Personal information is collected, used, retained, disclosed, and destroyed according to commitments

### SOC 2 Type II vs Type I

- **Type I**: Audit at a point in time; "Are controls designed properly?"
- **Type II**: Audit over a period (usually 6-12 months); "Are controls operating effectively?"

### Implementing SOC 2 Controls

```python
class SOC2Compliance:
    """
    SOC 2 Trust Services Criteria implementation
    """
    
    def __init__(self):
        self.evidence_repository = []
        self.control_tests = []
        
    def security_cc6_1(self):
        """
        CC6.1: Logical access security measures are implemented 
        to protect against threats from sources outside the entity
        """
        controls = {
            "firewall_rules": self.document_firewall_rules(),
            "intrusion_detection": self.configure_ids_ips(),
            "access_approval": self.implement_access_approval_workflow(),
            "authentication": self.enforce_mfa_external_access()
        }
        
        # Evidence for auditors
        self.collect_evidence("CC6.1", {
            "firewall_config": controls["firewall_rules"],
            "ids_logs": controls["intrusion_detection"],
            "access_approval_records": controls["access_approval"],
            "mfa_enrollment_stats": controls["authentication"]
        })
        
        return controls
    
    def availability_a1_2(self):
        """
        A1.2: The entity maintains a system to provide for the 
        availability of information and systems
        """
        availability_controls = {
            "monitoring": self.implement_uptime_monitoring(),
            "backups": self.configure_automated_backups(),
            "recovery_testing": self.schedule_disaster_recovery_tests(),
            "capacity_planning": self.implement_capacity_monitoring()
        }
        
        # Type II requires evidence over time
        self.collect_evidence("A1.2", {
            "uptime_metrics": availability_controls["monitoring"],
            "backup_logs": availability_controls["backups"],
            "dr_test_results": availability_controls["recovery_testing"],
            "capacity_reports": availability_controls["capacity_planning"]
        })
        
        return availability_controls
    
    def confidentiality_c1_1(self):
        """
        C1.1: The entity identifies and maintains confidential 
        information to meet the entity's objectives
        """
        confidentiality_controls = {
            "data_classification": self.implement_data_classification(),
            "encryption_at_rest": self.enforce_encryption_standards(),
            "encryption_in_transit": self.enforce_tls_requirements(),
            "access_controls": self.implement_need_to_know_access()
        }
        
        self.collect_evidence("C1.1", {
            "classification_policy": confidentiality_controls["data_classification"],
            "encryption_config": confidentiality_controls["encryption_at_rest"],
            "tls_scan_results": confidentiality_controls["encryption_in_transit"],
            "access_reviews": confidentiality_controls["access_controls"]
        })
        
        return confidentiality_controls
    
    def collect_evidence(self, control_id: str, evidence: dict):
        """
        SOC 2 Type II requires evidence that controls operated 
        effectively over the audit period
        """
        evidence_package = {
            "control_id": control_id,
            "timestamp": datetime.utcnow().isoformat(),
            "evidence_type": "Automated" if isinstance(evidence, dict) else "Manual",
            "data": evidence,
            "integrity_hash": hashlib.sha256(
                json.dumps(evidence, sort_keys=True).encode()
            ).hexdigest()
        }
        
        self.evidence_repository.append(evidence_package)
        
        # Store in tamper-evident storage (WORM - Write Once Read Many)
        self.store_worm(evidence_package)
    
    def generate_soc2_report(self, period_start: date, period_end: date):
        """
        Generate Type II report evidence package
        """
        report = {
            "period": f"{period_start} to {period_end}",
            "scope": "Security, Availability, Confidentiality",
            "controls_tested": [],
            "exceptions": []
        }
        
        for control in self.control_tests:
            control_evidence = [
                e for e in self.evidence_repository 
                if e['control_id'] == control['id'] 
                and period_start <= datetime.fromisoformat(e['timestamp']).date() <= period_end
            ]
            
            report["controls_tested"].append({
                "control_id": control['id'],
                "description": control['description'],
                "evidence_count": len(control_evidence),
                "operating_effectiveness": len(control_evidence) > 0,
                "samples": control_evidence[:3]  # Sample evidence
            })
        
        return report
```
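Both the HIPAA `append_to_audit_chain` call above and the SOC 2 `collect_evidence`/`store_worm` step rely on tamper-evident, append-only storage, and `generate_soc2_report` must then show that evidence spans the audit period. The following is an added, self-contained example (not code from the chapter) of a hash-chained log plus a Type II coverage check; the class names, the sample control ids and all dates are constructed for illustration.

```python
import hashlib
import json
from datetime import date

GENESIS_HASH = "0" * 64  # "previous hash" committed to by the very first entry

def _entry_hash(seq: int, prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same record always hashes identically
    body = json.dumps({"seq": seq, "prev_hash": prev_hash, "record": record},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

class TamperEvidentLog:
    """Append-only log: every entry commits to the hash of the entry before it. Editing,
    reordering or deleting an interior entry breaks the chain; deleting the *last* entry does
    not, so head() must be anchored where the log writer cannot alter it (WORM, signed timestamp)."""

    def __init__(self):
        self._entries = []

    def append(self, record: dict) -> dict:
        seq = len(self._entries)
        prev_hash = self._entries[-1]["entry_hash"] if self._entries else GENESIS_HASH
        entry = {"seq": seq, "prev_hash": prev_hash, "record": record,
                 "entry_hash": _entry_hash(seq, prev_hash, record)}
        self._entries.append(entry)
        return entry

    def head(self) -> str:
        return self._entries[-1]["entry_hash"] if self._entries else GENESIS_HASH

    def entries(self) -> list:
        return self._entries  # by reference, so the checks below can simulate tampering

    def verify(self):
        """Walk the chain: (True, None) if intact, else (False, seq of the first bad entry)."""
        prev_hash = GENESIS_HASH
        for expected_seq, e in enumerate(self._entries):
            if (e["seq"] != expected_seq or e["prev_hash"] != prev_hash
                    or _entry_hash(e["seq"], e["prev_hash"], e["record"]) != e["entry_hash"]):
                return False, e["seq"]
            prev_hash = e["entry_hash"]
        return True, None

def _as_date(d) -> date:
    # Accept date objects or ISO-8601 strings/timestamps (as stored in the evidence records)
    return d if isinstance(d, date) else date.fromisoformat(str(d)[:10])

def months_in_period(start, end) -> list:
    """Calendar months ('YYYY-MM') covered by the audit period, inclusive."""
    start, end = _as_date(start), _as_date(end)
    months, year, month = [], start.year, start.month
    while (year, month) <= (end.year, end.month):
        months.append(f"{year:04d}-{month:02d}")
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return months

def type2_coverage(log: TamperEvidentLog, control_id: str, start, end) -> dict:
    """Type II question: did the control operate throughout the period? For a control with
    a monthly cadence every month needs evidence; a non-zero total alone is not enough."""
    start, end = _as_date(start), _as_date(end)
    count, months_seen = 0, set()
    for e in log.entries():
        record = e["record"]
        if record["control_id"] != control_id:
            continue
        day = _as_date(record["timestamp"])
        if start <= day <= end:
            count += 1
            months_seen.add(day.strftime("%Y-%m"))
    missing = [m for m in months_in_period(start, end) if m not in months_seen]
    return {"control_id": control_id, "evidence_count": count,
            "months_missing": missing, "operating_effectively": not missing}

def build_demo_log():
    """Constructed sample evidence (illustrative only): monthly CC6.1 access reviews with
    March missing, plus one A1.2 backup-restore test."""
    log = TamperEvidentLog()
    for day in ["2024-01-15", "2024-02-14", "2024-04-16", "2024-05-15", "2024-06-17"]:
        log.append({"control_id": "CC6.1", "timestamp": f"{day}T09:00:00+00:00",
                    "evidence": "monthly access review signed off"})
    log.append({"control_id": "A1.2", "timestamp": "2024-03-01T02:00:00+00:00",
                "evidence": "backup restore test passed"})
    return log
```

Because the chain cannot detect removal of its newest entries, record `head()` in a place the log writer cannot modify and compare it at audit time.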

### PCI DSS Network Segmentation Validation

```python
class PCIDSSSegmentationValidator:
    """
    Validate network segmentation for PCI DSS Requirement 1.3
    """
    
    def validate_segmentation(self, cde_subnets: list, 
                             non_cde_subnets: list) -> dict:
        """
        Verify CDE is isolated from non-CDE networks
        """
        violations = []
        
        # Test 1: No direct routes from non-CDE to CDE
        for non_cde in non_cde_subnets:
            routes = self.get_routes_from(non_cde)
            for route in routes:
                if route['destination'] in cde_subnets:
                    if not route.get('via_proxy') or not route.get('inspected'):
                        violations.append({
                            "type": "Direct route to CDE",
                            "source": non_cde,
                            "destination": route['destination'],
                            "severity": "Critical"
                        })
        
        # Test 2: CDE outbound restrictions (Req 1.3.4)
        for cde in cde_subnets:
            outbound = self.get_outbound_rules(cde)
            for rule in outbound:
                if rule['destination'] == "0.0.0.0/0" and rule['port'] == "any":
                    violations.append({
                        "type": "Unrestricted outbound from CDE",
                        "source": cde,
                        "severity": "High"
                    })
        
        # Test 3: DMZ validation (Req 1.3.6)
        dmz_hosts = self.get_dmz_hosts()
        for host in dmz_hosts:
            if self.has_direct_cde_access(host):
                violations.append({
                    "type": "DMZ host with direct CDE access",
                    "host": host,
                    "severity": "Critical"
                })
        
        return {
            "compliant": len(violations) == 0,
            "violations": violations,
            "segmentation_valid": self.verify_segmentation_effective()
        }
    
    def verify_segmentation_effective(self):
        """
        Requirement 1.3.2: Verify segmentation is working (not just configured)
        """
        # Attempt a TCP connection from a non-CDE host to the CDE database (should be blocked)
        test_result = self.network_test(
            source="non-cde-workstation",
            destination="cde-database",
            protocol="tcp",
            port=5432
        )
        
        return not test_result.success  # Should be blocked
    
    def generate_segmentation_evidence(self):
        """
        Generate evidence for QSA (Qualified Security Assessor)
        """
        return {
            "network_diagrams": self.get_current_network_diagrams(),
            "firewall_rules": self.export_firewall_configs(),
            "segmentation_tests": self.run_segmentation_tests(),
            "data_flow_diagrams": self.get_cde_data_flows(),
            "timestamp": datetime.utcnow().isoformat()
        }
```
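The validator above compares route destinations to CDE subnets by string equality, which misses a rule whose destination is a supernet or a sub-range of the CDE. This added example (not the chapter's code) does the same three checks with `ipaddress` overlap logic and then simulates the behavioural segmentation test against the same rule set; the subnets, rule ids, rule semantics (first match, implicit deny) and probe hosts are all constructed for illustration.

```python
import ipaddress

# Constructed sample environment (illustrative, not from the page)
CDE_SUBNETS = ["10.10.0.0/16"]
NON_CDE_SUBNETS = ["10.20.0.0/16", "192.168.1.0/24"]

# Constructed firewall policy, evaluated first-match with an implicit deny at the end.
# "inspected": True marks traffic forced through an inspecting proxy / jump host.
SAMPLE_RULES = [
    {"id": "R1", "src": "10.20.5.0/24", "dst": "10.10.3.10/32", "ports": "5432", "action": "allow"},
    {"id": "R2", "src": "192.168.1.0/24", "dst": "10.0.0.0/8", "ports": "443", "action": "allow"},
    {"id": "R3", "src": "10.20.0.0/16", "dst": "10.10.200.5/32", "ports": "443", "action": "allow",
     "inspected": True},
    {"id": "R4", "src": "10.10.0.0/16", "dst": "0.0.0.0/0", "ports": "any", "action": "allow"},
    {"id": "R5", "src": "10.10.0.0/16", "dst": "10.10.0.0/16", "ports": "any", "action": "allow"},
    {"id": "R6", "src": "10.20.0.0/16", "dst": "10.10.0.0/16", "ports": "any", "action": "deny"},
]

def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)

def overlaps_any(cidr: str, subnets: list) -> bool:
    """True if cidr overlaps any subnet; catches supernets and sub-ranges that string equality misses."""
    net = _net(cidr)
    return any(net.overlaps(_net(s)) for s in subnets)

def _port_match(spec: str, port: int) -> bool:
    return spec == "any" or port in {int(p) for p in spec.split(",")}

def audit_rules(rules: list, cde_subnets: list, non_cde_subnets: list) -> list:
    """Static review of the policy: flag allow rules that breach CDE isolation."""
    violations = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src_cde = overlaps_any(rule["src"], cde_subnets)
        dst_cde = overlaps_any(rule["dst"], cde_subnets)
        # Test 1: a non-CDE source reaching into the CDE must go through an inspected path
        if overlaps_any(rule["src"], non_cde_subnets) and dst_cde and not src_cde \
                and not rule.get("inspected", False):
            violations.append({"rule": rule["id"], "type": "Non-CDE source permitted into CDE",
                               "severity": "Critical"})
        # Test 2: the CDE must not have an unrestricted route to anywhere
        if src_cde and _net(rule["dst"]).prefixlen == 0 and rule["ports"] == "any":
            violations.append({"rule": rule["id"], "type": "Unrestricted outbound from CDE",
                               "severity": "High"})
    return violations

def is_allowed(rules: list, src_ip: str, dst_ip: str, port: int) -> bool:
    """First-match evaluation; anything no rule matches is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in _net(rule["src"]) and dst in _net(rule["dst"]) and _port_match(rule["ports"], port):
            return rule["action"] == "allow"
    return False

def segmentation_test(rules: list, probes: list) -> list:
    """Behavioural check: each probe is (src, dst, port, expected_allowed). Returns the probes
    whose observed result differs from what the segmentation design requires."""
    failures = []
    for src, dst, port, expected in probes:
        observed = is_allowed(rules, src, dst, port)
        if observed != expected:
            failures.append({"src": src, "dst": dst, "port": port,
                             "expected": expected, "observed": observed})
    return failures

# Constructed probes: a non-CDE workstation must not reach the CDE database directly,
# while an application server inside the CDE must still reach it.
SAMPLE_PROBES = [
    ("10.20.5.7", "10.10.3.10", 5432, False),
    ("10.20.9.9", "10.10.3.10", 5432, False),
    ("10.10.4.20", "10.10.3.10", 5432, True),
]
```

Against a real environment the static review reads exported firewall configurations and the behavioural test is run from actual hosts, but the two must agree: a policy that passes review while a probe still connects is the case a QSA will ask about.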

### SOC 2 Type II Evidence Collection

SOC 2 Type II reports provide assurance over a period of time (typically 6-12 months) that controls are designed and operating effectively. The Trust Services Criteria (TSC) form the evaluation framework.

### Trust Services Criteria Implementation

```python
class SOC2TrustServicesCriteria:
    """
    Implement controls for SOC 2 Trust Services Criteria
    """
    
    def __init__(self):
        self.criteria = {
            "CC": "Common Criteria (Security)",
            "A": "Availability",
            "C": "Confidentiality",
            "PI": "Processing Integrity",
            "P": "Privacy"
        }
        
    def common_criteria_cc6_1(self):
        """
        CC6.1: Logical access security measures are implemented 
        to protect against threats from sources outside the entity
        """
        controls = {
            "firewalls": {
                "description": "Network firewalls restrict inbound/outbound traffic",
                "implementation": "Palo Alto NGFW with deny-by-default",
                "testing": "Quarterly rule review, annual penetration test"
            },
            "intrusion_detection": {
                "description": "IDS/IPS monitors for malicious activity",
                "implementation": "Suricata with ET Pro rules",
                "testing": "Daily log review, weekly tuning"
            },
            "access_approval": {
                "description": "Logical access requires management approval",
                "implementation": "ServiceNow workflow with manager approval",
                "testing": "Monthly access review"
            }
        }
        
        return controls
    
    def availability_a1_2(self):
        """
        A1.2: The entity maintains a system to provide for the 
        availability of information and systems
        """
        return {
            "monitoring": {
                "uptime_sla": "99.99%",
                "tools": ["Datadog", "PagerDuty"],
                "metrics": ["Latency", "Error rate", "Throughput"]
            },
            "incident_response": {
                "rto": "4 hours",  # Recovery Time Objective
                "rpo": "1 hour",   # Recovery Point Objective
                "playbooks": ["Database failover", "DNS failover"]
            },
            "change_management": {
                "maintenance_windows": "Scheduled",
                "rollback_procedures": "Automated",
                "testing": "Staging environment validation"
            }
        }
    
    def generate_soc2_evidence(self, period_start: date, period_end: date):
        """
        Collect evidence for SOC 2 Type II audit
        """
        evidence = {
            "period": f"{period_start} to {period_end}",
            "control_testing": []
        }
        
        # For each control, collect samples throughout the period
        for month in self.months_in_period(period_start, period_end):
            evidence["control_testing"].append({
                "month": month,
                "access_reviews": self.get_access_review_records(month),
                "vulnerability_scans": self.get_vulnerability_scan_results(month),
                "incident_logs": self.get_incident_records(month),
                "change_tickets": self.get_change_management_records(month),
                "backup_tests": self.get_backup_verification_records(month)
            })
        
        return evidence
```

---

## 17.5 Preparing for and Managing External Audits

External audits validate compliance with frameworks like ISO 27001, PCI DSS, and SOC 2. Preparation requires systematic evidence collection and control testing.

### Audit Preparation Framework

```python
class AuditPreparation:
    """
    Prepare for external audits (ISO 27001, PCI DSS, SOC 2)
    """
    
    def __init__(self, audit_type: str, scope: list):
        self.audit_type = audit_type
        self.scope = scope
        self.evidence_locker = {}
        self.findings = []
        
    def prepare_iso27001_stage2(self):
        """
        Stage 2 audit: Effectiveness of ISMS implementation
        """
        preparation = {
            "management_review": {
                "minutes": "Q1-Q4 management review meeting minutes",
                "actions": "Closure of previous audit findings",
                "kpis": "Security metrics dashboard"
            },
            "internal_audit": {
                "program": "Annual internal audit schedule",
                "reports": "Internal audit findings and corrective actions",
                "competence": "Internal auditor qualifications"
            },
            "risk_assessment": {
                "methodology": "Risk assessment procedure",
                "register": "Current risk register with treatment plans",
                "review": "Evidence of risk review cycles"
            },
            "controls": {
                "soa": "Statement of Applicability with justifications",
                "implementation": "Evidence for all Annex A controls marked 'Yes'",
                "testing": "Control testing records"
            }
        }
        
        return preparation
    
    def prepare_pci_dss_assessment(self):
        """
        Prepare for QSA (Qualified Security Assessor) assessment
        """
        evidence_requirements = {
            "req_1": {
                "firewall_configs": "Current firewall rulesets",
                "network_diagrams": "Current CDE network diagrams with data flows",
                "segmentation_testing": "Quarterly segmentation penetration test results"
            },
            "req_2": {
                "system_configs": "Hardening standards applied to all systems",
                "change_logs": "Evidence of vendor default password changes",
                "patch_management": "30/60/90 day patch compliance reports"
            },
            "req_3": {
                "encryption_keys": "Key management procedures and custodian forms",
                "tokenization": "Tokenization architecture documentation",
                "pan_scanning": "Quarterly PAN scanning results (no unencrypted PAN)"
            },
            "req_10": {
                "audit_logs": "12 months of audit logs for all CDE systems",
                "log_review": "Daily log review evidence and procedures",
                "time_sync": "NTP configuration and time synchronization logs"
            },
            "req_11": {
                "vulnerability_scans": "Quarterly ASV scans (external)",
                "penetration_tests": "Annual penetration test (internal and external)",
                "intrusion_detection": "IDS/IPS alert review and tuning records"
            }
        }
        
        return evidence_requirements
    
    def manage_audit_evidence(self, control_id: str, evidence: dict):
        """
        Secure evidence storage with chain of custody
        """
        evidence_package = {
            "control_id": control_id,
            "uploaded": datetime.utcnow().isoformat(),
            "uploader": get_current_user(),
            # Canonical serialization so the same evidence always produces the same hash
            "hash": hashlib.sha256(json.dumps(evidence, sort_keys=True).encode()).hexdigest(),
            "data": evidence,
            "retention": "7_years"  # Audit evidence retention
        }
        
        # Store in WORM storage (Write Once Read Many)
        self.store_in_worm(evidence_package)
        
        # Index for retrieval
        self.evidence_locker[control_id] = evidence_package
        
        return evidence_package
    
    def handle_audit_finding(self, finding: dict):
        """
        Manage audit findings and corrective action plans
        """
        finding_record = {
            "finding_id": f"AF-{datetime.now().year}-{len(self.findings)+1:03d}",
            "standard": finding['standard'],  # ISO 27001, PCI DSS, SOC 2
            "control": finding['control_id'],
            "description": finding['description'],
            "severity": finding['severity'],  # Critical, High, Medium, Low
            "status": "Open",
            "raised_by": finding['auditor'],
            "date_raised": datetime.utcnow().isoformat(),
            "corrective_action_plan": {
                "root_cause": finding.get('root_cause', 'TBD'),
                "corrective_action": finding.get('proposed_fix', 'TBD'),
                "responsible_party": finding.get('owner', 'TBD'),
                "target_date": finding.get('target_date', 'TBD'),
                "evidence_required": finding.get('evidence', 'TBD')
            }
        }
        
        self.findings.append(finding_record)
        
        # Critical findings require immediate escalation
        if finding['severity'] == 'Critical':
            self.escalate_to_management(finding_record)
            self.trigger_emergency_response(finding_record)
        
        return finding_record
    
    def generate_management_report(self):
        """
        Executive summary of compliance posture
        """
        report = {
            "generated": datetime.utcnow().isoformat(),
            "overall_compliance": self.calculate_compliance_percentage(),
            "findings_summary": {
                "total": len(self.findings),
                "critical": len([f for f in self.findings if f['severity'] == 'Critical']),
                "high": len([f for f in self.findings if f['severity'] == 'High']),
                "open": len([f for f in self.findings if f['status'] == 'Open']),
                "overdue": len([f for f in self.findings if self.is_overdue(f)])
            },
            "key_metrics": {
                "mean_time_to_remediate": self.calculate_mttr(),
                "control_effectiveness": self.assess_control_effectiveness(),
                "training_completion": self.get_training_stats()
            },
            "recommendations": self.generate_recommendations()
        }
        
        return report
```

---

## Summary and Transition to Chapter 18

In this chapter, we ascended from technical implementation to organizational governance, recognizing that sustainable security requires systematic management frameworks rather than ad-hoc technical controls. Through **ISO/IEC 27001:2022**, you learned to implement an Information Security Management System (ISMS) with the Plan-Do-Check-Act cycle, conducting risk assessments that evaluate threats against business assets and applying the 93 Annex A controls organized across organizational, people, physical, and technological themes.

**PCI DSS** demanded a specialized focus on cardholder data protection, implementing network segmentation that isolates the CDE from corporate networks, encrypting PANs with AES-256, tokenizing data where possible, and maintaining rigorous audit trails of all access to payment data. You learned that compliance is not a checkbox but a continuous process of quarterly vulnerability scans, annual penetration tests, and daily log reviews.

**HIPAA** introduced the administrative, physical, and technical safeguards required for healthcare data, emphasizing that PHI must be protected not just from external attackers but from unauthorized internal access. You implemented audit controls that track every access to patient records, transmission security for ePHI, and business associate agreements that extend compliance obligations to the entire supply chain.

**SOC 2 Type II** provided the framework for demonstrating trust to customers, requiring evidence that controls operated effectively over time rather than merely existing at a point in time. You learned to collect continuous evidence of access reviews, vulnerability management, and incident response, organizing it for auditor inspection while managing findings through corrective action plans.

However, governance frameworks and compliance audits are only effective when supported by robust security architecture. Policies requiring "defense in depth" and "zero trust" must be translated into concrete network designs, application architectures, and engineering standards. Without architectural patterns that enforce security by design, compliance becomes a paperwork exercise that fails to prevent breaches.

In **Chapter 18: Security Architecture & Engineering**, we will translate governance requirements into technical architecture. You will learn to design **Zero Trust Architecture** implementations that verify every access request regardless of network location, architect **secure network designs** with proper segmentation and DMZs, and establish **application security architectures** incorporating WAFs, RASP, and microservices security patterns. We will explore **resilience engineering** through redundancy, failover mechanisms, and chaos engineering, and establish a **security pattern library** of reusable architectural solutions. This chapter bridges the gap between the policies we established in Chapter 17 and the concrete technical implementations required to enforce them at scale.