메뉴
Generate compliance checklists for SOC2, HIPAA, PCI-DSS, and GDPR with gap analysis and remediation priorities.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Identify at-risk customer accounts by analyzing usage patterns, engagement signals, and support history to generate churn risk scores and intervention recommendations.
Analyze NPS, CSAT, and qualitative customer feedback to extract themes, identify trends, and generate actionable insight reports.
Write clear, searchable help center articles and FAQ entries based on support data, product documentation, and common customer questions.
Design structured customer onboarding workflows with phased checklists, email templates, success milestones, and ownership assignments.
Classify, prioritize, and route incoming support tickets by extracting intent and entities, assigning severity, and generating initial responses.
Create and manage budgets with variance analysis and departmental allocation
| name | compliance-checklist-generation |
| description | Generate compliance checklists for SOC2, HIPAA, PCI-DSS, and GDPR with gap analysis and remediation priorities. |
| license | MIT |
| metadata | {"author":"community","version":"1.0"} |
Create structured, actionable compliance checklists for major regulatory frameworks including SOC2, HIPAA, PCI-DSS, and GDPR. This skill maps controls to requirements, assesses readiness against each control, identifies gaps, and produces prioritized remediation plans. Output includes status tracking, evidence requirements, and effort estimates for each control item.
Identify Applicable Frameworks — Determine which compliance frameworks apply based on the business type, data handled, customer requirements, and geographic reach. A healthcare SaaS needs HIPAA. A company processing credit cards needs PCI-DSS. Enterprise B2B SaaS customers almost universally request SOC2. Serving EU users triggers GDPR. Multiple frameworks often overlap — identify shared controls to reduce duplicate effort.
Map Controls to Requirements — Break each framework into its constituent control categories and individual requirements. For SOC2, map across the five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). For HIPAA, cover Administrative, Physical, and Technical Safeguards. For PCI-DSS, address all 12 requirement families. For GDPR, map to Articles 5-49 covering principles, rights, and obligations.
Assess Current State — For each control, evaluate the current implementation status: Implemented (evidence exists), Partially Implemented (control exists but has gaps), Not Implemented (no control in place), or Not Applicable (with documented justification). Where possible, reference existing documentation, tool configurations, or process artifacts as evidence.
Generate Checklist with Status and Gaps — Produce a structured checklist organized by control category, with each item showing: the requirement description, current status, evidence needed, gap description (if any), and remediation effort estimate (hours/days). Include a summary dashboard showing overall readiness percentage per category.
Prioritize Remediation — Rank gaps by a combination of risk severity, audit impact, implementation effort, and shared coverage across frameworks. Quick wins (high impact, low effort) should be prioritized first. Group related remediation items that can be addressed together, such as implementing a single logging solution that satisfies SOC2, HIPAA, and PCI-DSS log requirements simultaneously.
Specify which framework(s) you need, your business type, current security posture, and any upcoming audit deadlines. The more context about existing controls, the more accurate the gap analysis.
Example prompt:
Generate a SOC2 Type II readiness checklist for our Series A startup. We're a B2B SaaS running on AWS. We use GitHub for code, Datadog for monitoring, and have about 20 employees. We need to be audit-ready in 6 months.
Input: 20-person B2B SaaS startup on AWS. Uses GitHub, Datadog, Google Workspace, Slack. No formal security program yet. SOC2 audit in 6 months.
Output:
Readiness Summary: 34% ready (estimated)
| Category | Controls | Implemented | Partial | Missing | Readiness |
|---|---|---|---|---|---|
| Access Control | 12 | 3 | 4 | 5 | 28% |
| Change Management | 8 | 5 | 2 | 1 | 63% |
| Incident Response | 6 | 0 | 1 | 5 | 8% |
| Risk Assessment | 5 | 0 | 0 | 5 | 0% |
| Monitoring & Logging | 7 | 4 | 2 | 1 | 57% |
| Vendor Management | 4 | 0 | 1 | 3 | 13% |
| HR & Security Awareness | 6 | 1 | 2 | 3 | 17% |
Sample Controls (Access Control category):
| # | Requirement | Status | Evidence Needed | Gap / Action | Effort |
|---|---|---|---|---|---|
| AC-1 | MFA enforced for all production systems | Partial | AWS IAM policy screenshots, IdP config | MFA enabled for AWS console but not for SSH access to EC2 instances. Enable MFA for all access paths. | 2 days |
| AC-2 | Role-based access control with least privilege | Missing | IAM role definitions, access matrix | No formal RBAC model. Define roles, map to AWS IAM policies, GitHub teams, and Google Workspace groups. | 5 days |
| AC-3 | Quarterly access reviews | Missing | Access review records, approval logs | No process exists. Implement quarterly reviews of all system access with manager sign-off. Tool recommendation: Vanta or Drata for automated tracking. | 3 days |
| AC-4 | Offboarding removes access within 24 hours | Partial | Offboarding checklist, deprovisioning logs | Ad hoc process exists but not documented. Formalize checklist covering all systems, automate via identity provider where possible. | 2 days |
Priority Remediation (Month 1): Risk assessment (required foundation for all other controls), MFA enforcement across all systems, formal access control policy document, incident response plan draft.
Input: EU-based e-commerce site selling consumer electronics. Collects name, address, email, payment data, browsing behavior. Uses Google Analytics, Meta Pixel, Mailchimp for email marketing. Ships to all EU countries.
Output:
Readiness Summary: 42% ready (estimated)
| GDPR Area | Requirements | Met | Gaps | Readiness |
|---|---|---|---|---|
| Lawful Basis & Consent | 8 | 3 | 5 | 38% |
| Data Subject Rights | 7 | 2 | 5 | 29% |
| Data Processing Records | 4 | 1 | 3 | 25% |
| International Transfers | 3 | 1 | 2 | 33% |
| Security Measures | 6 | 4 | 2 | 67% |
| Breach Notification | 3 | 1 | 2 | 33% |
| DPO & Governance | 4 | 2 | 2 | 50% |
Sample Controls (Data Subject Rights):
| # | Requirement | Status | Gap / Action | Effort |
|---|---|---|---|---|
| DSR-1 | Right of access (Art. 15) — respond within 30 days | Missing | No automated process to compile all data held about a user. Implement data export from database, Google Analytics, Mailchimp. Build internal tool or use privacy management platform. | 5 days |
| DSR-2 | Right to erasure (Art. 17) — delete on request | Partial | Can delete from main database but not from analytics, backups, or Mailchimp. Map all data stores and implement deletion cascade across all systems. | 4 days |
| DSR-3 | Right to portability (Art. 20) — machine-readable export | Missing | No export functionality. Build JSON/CSV export endpoint for user data. | 3 days |
| DSR-4 | Cookie consent with granular opt-in | Partial | Cookie banner exists but uses pre-ticked boxes (non-compliant). Replace with compliant CMP (e.g., Cookiebot, OneTrust) with granular categories and reject-all option. | 2 days |