Security & Compliance Expert
A comprehensive skill pack for security professionals implementing defense-in-depth security architectures, achieving compliance with industry frameworks, conducting threat modeling and risk assessments, managing security operations and incident response, and embedding security throughout the SDLC.
Overview
This skill pack provides frameworks, methodologies, tools, and best practices for:
- Security Architecture: Zero Trust, defense in depth, network segmentation, cloud security
- Compliance: SOC 2, ISO 27001, GDPR, HIPAA, PCI-DSS, FedRAMP
- Threat Modeling & Risk Assessment: STRIDE, PASTA, attack trees, quantitative/qualitative risk analysis
- Security Operations: SOC operations, SIEM, incident response, threat hunting
- Application Security: OWASP Top 10, secure SDLC, DevSecOps, API security
Quick Start
For New Security Professionals
Getting Started Checklist:
- Read SKILL.md for core principles and lifecycle
- Review security-architecture.md for foundational concepts
- Study compliance-frameworks.md for your industry
- Practice with risk calculator:
python scripts/risk_calculator.py --interactive
First 30 Days:
- Week 1: Learn security fundamentals and core principles
- Week 2: Understand your organization's compliance requirements
- Week 3: Shadow SOC operations and incident response
- Week 4: Conduct first risk assessment using provided tools
For Experienced Security Professionals
Quick Reference:
- Security Operations: SOC playbooks, SIEM use cases, IR procedures
- Threat Modeling: STRIDE methodology, attack trees, vulnerability scoring
- Application Security: Secure coding, OWASP Top 10, DevSecOps pipeline
Common Tasks:
- Risk assessment:
python scripts/risk_calculator.py risks.csv - Vulnerability prioritization:
python scripts/vuln_prioritizer.py vulnerabilities.csv - Incident response: Use incident-response-template.md
File Structure
security-compliance/
├── SKILL.md # Core security frameworks and workflows
├── README.md # This file
├── reference/
│ ├── security-architecture.md # Zero Trust, defense in depth, cloud security
│ ├── compliance-frameworks.md # SOC2, ISO27001, GDPR, HIPAA, PCI-DSS
│ ├── threat-modeling-risk.md # Threat modeling, risk assessment, vulnerability management
│ ├── security-operations.md # SOC operations, SIEM, incident response
│ └── application-security.md # Secure SDLC, OWASP Top 10, DevSecOps
├── scripts/
│ ├── risk_calculator.py # Risk assessment calculator (quantitative & qualitative)
│ └── vuln_prioritizer.py # Vulnerability prioritization tool
└── examples/
├── risks.csv # Sample risk data
├── vulnerabilities.csv # Sample vulnerability data
├── incident-response-template.md # Complete incident response report template
└── soc2-control-example.md # SOC 2 control documentation example
Common Scenarios
Scenario 1: Conducting a Risk Assessment
Situation: You need to assess cybersecurity risks for your organization and create a risk register.
Steps:
- Review risk assessment methodology in threat-modeling-risk.md
- Create CSV file with your risks (use risks.csv as template)
- Run risk calculator:
python scripts/risk_calculator.py risks.csv --output risk_report.csv - Review report and prioritize high-risk items
- Create risk mitigation plans for Critical and High risks
- Present findings to leadership using summary statistics
Expected Outcome: Comprehensive risk register with quantitative ALE calculations and qualitative risk levels, enabling data-driven prioritization of security investments.
Scenario 2: Achieving SOC 2 Type II Compliance
Situation: Your SaaS company needs SOC 2 Type II certification to close enterprise deals.
Steps:
- Read SOC 2 section in compliance-frameworks.md
- Follow 6-month readiness roadmap:
- Months 6-4: Scoping, gap assessment, policy development
- Months 4-2: Control implementation, evidence preparation
- Months 2-0: Observation period, audit execution
- Use soc2-control-example.md as template for documenting controls
- Implement automated evidence collection (Python scripts provided in examples)
- Conduct mock audit 1 month before real audit
- Work with auditor during field work
Expected Outcome: SOC 2 Type II report within 6-8 months, enabling enterprise sales.
Scenario 3: Responding to a Security Incident
Situation: Your SOC detected ransomware on multiple systems.
Steps:
- Follow incident response lifecycle in security-operations.md
- Use IR playbook for ransomware (included in security-operations.md)
- Document everything using incident-response-template.md
- Execute response:
- Preparation: Activate CIRT, establish communication channels
- Detection: Determine scope (number of systems infected)
- Containment: Isolate affected systems, disable VPN
- Eradication: Remove malware, close vulnerability
- Recovery: Restore from offline backups, verify integrity
- Post-Incident: Conduct review, implement improvements
- Assess breach notification requirements (GDPR, state laws)
- Conduct post-incident review within 5 days
Expected Outcome: Contained incident with minimal data loss, documented response for audit trail, actionable improvements to prevent recurrence.
Scenario 4: Prioritizing Vulnerability Remediation
Situation: Vulnerability scan identified 500+ vulnerabilities across your infrastructure. You need to prioritize patching.
Steps:
- Export vulnerabilities to CSV (use vulnerabilities.csv as template)
- Add business context:
- Asset criticality (1-5)
- Exposure (internet_facing, internal, isolated)
- Data sensitivity (highly_confidential, confidential, public)
- Exploit availability and active exploitation
- Compensating controls
- Run vulnerability prioritizer:
python scripts/vuln_prioritizer.py vulnerabilities.csv --output prioritized.csv - Review prioritized list (P0 = Critical, P1 = High, P2 = Medium, P3 = Low)
- Create remediation tickets with SLA:
- P0: Patch within 24-48 hours
- P1: Patch within 7 days
- P2: Patch within 30 days
- P3: Patch within 90 days
- Track remediation progress
Expected Outcome: Focused remediation efforts on highest-risk vulnerabilities, reducing critical exposures within days instead of months.
Scenario 5: Implementing Zero Trust Architecture
Situation: Your organization is moving to cloud and wants to implement Zero Trust.
Steps:
- Read Zero Trust section in security-architecture.md
- Follow Zero Trust implementation roadmap:
- Phase 1 (Months 1-3): Foundation - Strong IAM, MFA everywhere, asset inventory, logging
- Phase 2 (Months 4-6): Visibility - Map data flows, deploy EDR, implement UEBA
- Phase 3 (Months 7-9): Segmentation - Micro-segmentation, security zones, application-layer controls
- Phase 4 (Months 10-12): Automation - Automated policy enforcement, SOAR, threat intelligence
- Phase 5 (Ongoing): Optimization - Continuous policy refinement, threat hunting
- Implement three tenets:
- Verify explicitly (MFA, device posture, context)
- Use least privilege (JIT access, RBAC)
- Assume breach (monitor continuously, segment)
- Deploy technology stack:
- Identity: Okta, Azure AD
- Network: Micro-segmentation, ZTNA
- Endpoint: EDR, device compliance
- Data: Encryption, DLP
Expected Outcome: Zero Trust architecture reducing blast radius of breaches, enabling secure remote work, improving compliance posture.
Python Scripts
Risk Calculator
Calculate risk scores using both qualitative (risk matrix) and quantitative (ALE) methodologies.
Features:
- Quantitative: Single Loss Expectancy (SLE), Annualized Loss Expectancy (ALE)
- Qualitative: Risk matrix (Likelihood × Impact), risk levels (Critical/High/Medium/Low)
- Cost-benefit analysis for security controls
- Interactive mode for one-off assessments
- CSV batch processing
Usage:
# Interactive mode
python scripts/risk_calculator.py --interactive
# Process CSV file
python scripts/risk_calculator.py examples/risks.csv
# Generate report
python scripts/risk_calculator.py risks.csv --output risk_report.csv
Sample Output:
Risk Assessment Summary
============================================================
Total Risks: 15
Total ALE: $3,250,000
Risk Level Distribution:
Critical: 3
High: 5
Medium: 4
Low: 3
Top 5 Risks by ALE:
Ransomware Attack on Production Infrastructure: $900,000
Data Breach - Customer PII Exposure: $800,000
Cloud Misconfiguration Exposure: $700,000
...
Vulnerability Prioritizer
Prioritize vulnerabilities based on CVSS score combined with business context.
Features:
- Enhanced CVSS scoring with business context
- Factors: Asset criticality, exposure, data sensitivity, exploitability, compensating controls
- Priority levels (P0-P3) with SLA recommendations
- Rationale generation for prioritization decisions
- Filter by priority level
Usage:
# Interactive mode
python scripts/vuln_prioritizer.py --interactive
# Process CSV file
python scripts/vuln_prioritizer.py examples/vulnerabilities.csv
# Generate report
python scripts/vuln_prioritizer.py vulnerabilities.csv --output prioritized.csv
# Filter critical only
python scripts/vuln_prioritizer.py vulnerabilities.csv --filter-level P0
Sample Output:
Vulnerability Summary
============================================================
Total Vulnerabilities: 15
Priority Distribution:
P0: 2
P1: 5
P2: 5
P3: 3
Exploitability:
Public exploits available: 11
Active exploitation: 4
Top Prioritized Vulnerabilities
CVE ID System CVSS Priority Level Due Date
------------------------------------------------------------------------------------------
CVE-2021-44228 prod-web-01.company.com 10.0 30.00 P0 2025-01-11
CVE-2024-66666 vcenter.company.com 9.8 29.40 P0 2025-01-10
...
Best Practices
Security Architecture
- Design with security from the start (shift-left)
- Apply defense in depth - multiple security layers
- Implement Zero Trust: verify explicitly, use least privilege, assume breach
- Segment networks to limit lateral movement
- Encrypt data at rest and in transit with strong algorithms
Compliance
- Treat compliance as continuous, not one-time certification
- Map controls across frameworks to maximize efficiency
- Automate evidence collection where possible
- Maintain compliance calendar for deadlines
- Document everything - if it's not documented, it doesn't exist
Risk Management
- Conduct risk assessments at least annually
- Use both qualitative (risk matrix) and quantitative (ALE) methods
- Focus on business impact, not just technical severity
- Accept risk explicitly when mitigation isn't cost-effective
- Track risk remediation with clear ownership and deadlines
Security Operations
- Centralize logging with SIEM for correlation
- Tune alerts to reduce false positives (<20% target)
- Maintain incident response plan and test it (tabletop exercises)
- Measure metrics: MTTD, MTTR, MTTC, MTTR
- Conduct proactive threat hunting regularly
Application Security
- Integrate security into CI/CD pipeline (DevSecOps)
- Use SAST, DAST, and SCA scanning
- Follow OWASP Top 10 guidelines
- Conduct security code reviews for critical changes
- Never store secrets in code - use secrets manager
Integration with Other Skills
With DevOps/Platform Engineering
- Embed security in CI/CD pipelines (SAST, DAST, SCA, container scanning)
- Implement Infrastructure as Code (IaC) security scanning
- Automate security testing and compliance checks
- Coordinate on incident response for production issues
- Share responsibility for cloud security
With Enterprise Architecture
- Align security architecture with enterprise architecture
- Participate in architecture review boards
- Define security reference architectures and patterns
- Ensure security requirements in architecture standards
- Design secure integration patterns for systems
With IT Operations
- Coordinate on patch management and change control
- Collaborate on monitoring, logging, and alerting
- Joint incident response (security + operational)
- Align on backup/disaster recovery procedures
- Manage privileged access together
With Product Management
- Provide security requirements for new features
- Participate in threat modeling for new products
- Balance security with user experience
- Advise on privacy and compliance implications
- Support security as product differentiator
With Legal/Privacy
- Coordinate on data privacy regulations (GDPR, CCPA)
- Collaborate on breach notification requirements
- Review vendor contracts for security terms
- Support privacy impact assessments (DPIA)
- Align on data retention and deletion policies
Key Frameworks Reference
NIST Cybersecurity Framework (CSF)
Functions: Identify → Protect → Detect → Respond → Recover Best for: General organizations, government contractors Maturity: Tier 1 (Partial) to Tier 4 (Adaptive)
CIS Critical Security Controls
Structure: 18 controls, 3 Implementation Groups Best for: Practical, prioritized implementation Focus: Defend against common attack patterns
ISO/IEC 27001
Structure: ISMS with 14 domains, 93 controls (2022 version) Best for: International recognition, formal certification Process: Plan → Do → Check → Act
SOC 2 Type II
Criteria: Security (required) + Availability, Confidentiality, Processing Integrity, Privacy (optional) Best for: SaaS companies, cloud service providers Audit: 3-12 month observation period
OWASP Top 10 (2021)
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery (SSRF)
Metrics & KPIs
Risk Management
- Number of critical/high risks open
- Risk remediation time (mean)
- Compliance control effectiveness rate
Vulnerability Management
- Mean time to patch (MTTP) by severity
- Vulnerability backlog (by severity)
- Patch compliance rate
Security Operations
- Mean time to detect (MTTD)
- Mean time to respond (MTTR)
- Mean time to contain (MTTC)
- False positive rate (target <20%)
Incident Response
- Number of incidents by severity
- Incident recurrence rate
- SLA compliance rate
Application Security
- Vulnerabilities found per 1000 lines of code
- Security defects escaping to production
- SAST/DAST scan coverage
Additional Resources
Training & Certifications
- CISSP (Certified Information Systems Security Professional)
- CISM (Certified Information Security Manager)
- CEH (Certified Ethical Hacker)
- OSCP (Offensive Security Certified Professional)
- CCSP (Certified Cloud Security Professional)
- Security+ (CompTIA)
Communities
- OWASP (Open Web Application Security Project)
- SANS Reading Room
- r/netsec, r/AskNetsec (Reddit)
- Information Security Stack Exchange
- Local ISACA and ISC² chapters
Tools
- SIEM: Splunk, Elastic Security, Microsoft Sentinel
- EDR: CrowdStrike, SentinelOne, Microsoft Defender
- Vulnerability Scanning: Tenable, Qualys, Rapid7
- SAST/DAST: Snyk, Veracode, Checkmarx, SonarQube
- Cloud Security: Wiz, Prisma Cloud, Orca Security
Contributing
This skill pack is continuously updated based on evolving threats, new regulations, and industry best practices. Contributions and feedback are welcome.
License
This skill pack is provided for educational and professional development purposes.