Compliance Remediation Tracker
Real-time progress across SOC 2, HIPAA, and ISO 27001 compliance programs.
Last Updated: March 9, 2026
Program Summary
SOC 2 Type II
In Progress. Drata: 98% of tests passed (114/116). WAF deployed, Inspector enabled, S3 lifecycle enforced. 2 remaining: formal code review process, S3 object-level logging.
HIPAA
In Progress. 48 controls assessed. Strong coverage with targeted remediation on remaining gaps.
ISO 27001
In Progress. 93 Annex A controls assessed. Governance documentation complete, operational controls in progress.
Gap Register
All 10 gaps identified during the cross-framework gap analysis. As of March 9, 2026, 8 are closed; 4 of those (status Verified Closed) were confirmed directly against live AWS infrastructure rather than by document review. The remaining 2 (#2 DR test, #8 CI/CD pipeline) are still open.
| # | Severity | Gap | Remediation | Status |
|---|---|---|---|---|
| 1 | Critical | SSH open to 0.0.0.0/0 | SG restricted to 6 admin /32 IPs | Verified Closed |
| 2 | Critical | DR plan untested | Execute 4-scenario DR test | Ready to Execute |
| 3 | High | No centralized logging | 5 H33 log groups + VPC flow logs + CloudTrail active | Verified Closed |
| 4 | High | Data retention not enforced | S3 lifecycle rules deployed (CloudTrail: 365d, access logs: 180d) | Closed |
| 5 | High | No WAF | H33-API-WAF deployed (CommonRuleSet, SQLi, rate limit 2000 req/5 min) | Closed |
| 6 | Medium | MFA status unknown | Root MFA enabled; Test user has no console access | Verified Closed |
| 7 | Medium | No CloudWatch alarms | 13 H33-specific alarms active (CPU, RDS, status, 5xx, latency) | Verified Closed |
| 8 | Medium | No CI/CD pipeline | GitLab CI/CD design | Planned |
| 9 | Medium | No formal change log | Change log template created | Done |
| 10 | Medium | No vuln scanning | AWS Inspector v2 enabled (EC2 + ECR scanning) | Closed |
Phase Progress
Remediation is organized into five sequential phases. Infrastructure and security gaps are addressed first, followed by framework-specific documentation and controls.
Phase 1: Reorganize & Track
Compliance hub restructured, remediation tracker created, gap register consolidated, document inventory completed.
Phase 2: Critical Security
SSH restricted to /32 IPs, WAF deployed (H33-API-WAF), MFA verified. DR test runbook ready for execution.
Phase 3: Operations & Monitoring
13 CloudWatch alarms active, S3 lifecycle rules enforced, Inspector v2 enabled. CI/CD pipeline planned for Q2.
Phase 4: HIPAA
BAA template, PHI data flow mapping, workforce training program, access review procedures, Security Officer designation.
Phase 5: ISO 27001
ISMS scope statement, Statement of Applicability, internal audit program, management review, PDCA cycle documentation.
Documents Created
All compliance documents created or updated during the remediation program, organized by phase.
Phase 1 — Reorganize & Track
Compliance Hub Index
Central navigation page for all compliance documents, organized by framework.
Remediation Tracker
This page. Dashboard tracking all gaps, phases, and document creation progress.
Gap Analysis Register
Cross-framework gap analysis identifying 10 remediation items across SOC 2, HIPAA, and ISO 27001.
Change Log Template
Standardized change management log for tracking infrastructure and application changes.
Phase 2 — Critical Security
SSH Hardening Runbook
Step-by-step security group lockdown to admin IP ranges and SSM Session Manager enablement.
WAF Deployment Guide
AWS WAF v2 configuration with managed rule groups, rate limiting, and geo-blocking.
DR Test Plan
Four-scenario disaster recovery test covering RDS failover, EC2 rebuild, S3 restore, and full-stack recovery.
Backup Verification Procedure
Automated backup validation with restore testing cadence and success criteria.
MFA Enforcement Policy
IAM credential audit procedure and mandatory MFA enrollment for all AWS and application accounts.
Phase 3 — Operations & Monitoring
CloudWatch Alarms Specification
Seven production alarms covering CPU, memory, disk, error rates, latency, and security events.
Data Retention Policy
Retention schedules for all data classes with pg_cron automation and S3 lifecycle rules.
Vulnerability Scanning SOP
AWS Inspector configuration, cargo-audit integration, and remediation SLA by severity.
CI/CD Pipeline Design
GitLab CI/CD pipeline architecture with security gates, automated testing, and deployment approvals.
Monitoring Activities
Continuous monitoring program covering infrastructure, application, and compliance metrics.
Security Event Reporting
Event classification, escalation procedures, and notification timelines.
Phase 4 — HIPAA
Minimum Necessary Standard
PHI access controls implementing the HIPAA minimum necessary requirement.
PHI Contingency Plan
Emergency operations, data backup, disaster recovery, and testing procedures for PHI systems.
Security Officer Designation
HIPAA Security Officer appointment, responsibilities, and authority documentation.
DPIA — Biometric Processing
Data Protection Impact Assessment for FHE-encrypted biometric authentication.
Data Subject Rights
Procedures for handling access, erasure, portability, and objection requests.
Phase 5 — ISO 27001
ISMS Scope Statement
ISO 27001 Clause 4.3 scope definition covering systems, boundaries, and interfaces.
Statement of Applicability
All 93 Annex A controls with applicability, implementation status, and justification.
Cloud Security Policy
AWS security architecture, shared responsibility model, and cloud-specific controls.
Secure Coding Standard
Rust and Node.js secure development guidelines, code review requirements, and dependency management.
Cardholder Data Flow
PCI DSS cardholder data environment scope, flow diagrams, and segmentation controls.
Scripts & Runbooks
Automated scripts and operational runbooks supporting the remediation program.
AWS Scripts
| Type | Script | Description |
|---|---|---|
| Script | ssh-lockdown.sh | Restricts SSH security group ingress to designated admin CIDR blocks and enables SSM Session Manager as the primary access method. |
| Script | deploy-waf.sh | Provisions AWS WAF v2 WebACL with AWS Managed Rules (Core, SQL injection, XSS, Bad Inputs), rate limiting at 2000 req/5min, and associates with ALB. |
| Script | cloudwatch-alarms.sh | Creates 7 CloudWatch alarms (CPU > 80%, memory > 85%, disk > 90%, 5xx > 10/min, latency p99 > 2s, failed logins > 50/hr, unauthorized API calls) with SNS email + Slack alerting. |
| Script | enable-cloudtrail.sh | Enables CloudTrail organization trail with S3 log delivery, log file validation, KMS encryption, and CloudWatch Logs integration. |
| Script | vuln-scan-setup.sh | Enables AWS Inspector for EC2 and ECR scanning, configures cargo-audit in GitLab CI, and sets up finding export to SecurityHub. |
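The "Verified Closed" status on gap #1 means someone checked the live security groups, not just the runbook. The following is an added example of that verification step, written for this tracker and not taken from ssh-lockdown.sh or any H33 script. It operates on the dict shape that `boto3.client("ec2").describe_security_groups()` returns; the two security groups below are constructed sample data so the check runs offline, and the `max_prefix_hosts` parameter is an assumption that encodes the register's target state (admin /32s only). It also flags `::/0` and protocol `-1` (all traffic) rules, which a check written literally against "0.0.0.0/0 on port 22" would miss.

```python
"""Verify gap #1 (SSH open to 0.0.0.0/0) against security-group data.

Added example, not the page's ssh-lockdown.sh. Input is the list under
describe_security_groups()["SecurityGroups"]; the sample below is constructed
so the check runs offline. For a live audit replace SAMPLE_SECURITY_GROUPS with
    boto3.client("ec2").describe_security_groups()["SecurityGroups"]
"""
import ipaddress

SSH_PORT = 22

# Constructed sample: one hardened group, one legacy group still open to the world.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0aaa",
        "GroupName": "h33-admin-ssh",
        "IpPermissions": [
            {
                "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "203.0.113.11/32"}],
                "Ipv6Ranges": [],
            }
        ],
    },
    {
        "GroupId": "sg-0bbb",
        "GroupName": "legacy-bastion",
        "IpPermissions": [
            {   # protocol -1 = all traffic, so it admits TCP/22 without naming a port
                "IpProtocol": "-1",
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
            },
            {   # port range that spans 22, from a private range wider than one host
                "IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
                "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
                "Ipv6Ranges": [],
            },
        ],
    },
]


def _covers_ssh(perm):
    """True if this permission entry admits TCP/22 (including -1 = all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def _cidrs(perm):
    """Yield every IPv4 and IPv6 source CIDR on a permission entry."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def find_ssh_findings(security_groups, max_prefix_hosts=1):
    """Return (group_id, cidr, reason) for each SSH source that violates the target state.

    reason "open"  = any-address source (0.0.0.0/0 or ::/0), the original Critical gap.
    reason "broad" = a range admitting more than max_prefix_hosts addresses; the
                     register's remediation allows single-host (/32) admin IPs only.
    """
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not _covers_ssh(perm):
                continue
            for cidr in _cidrs(perm):
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:
                    findings.append((sg["GroupId"], cidr, "open"))
                elif net.num_addresses > max_prefix_hosts:
                    findings.append((sg["GroupId"], cidr, "broad"))
    return findings


def gap1_closed(security_groups):
    """Gap #1 is closed only when no SSH ingress source is open or broad."""
    return not find_ssh_findings(security_groups)


if __name__ == "__main__":
    for gid, cidr, reason in find_ssh_findings(SAMPLE_SECURITY_GROUPS):
        print(f"{gid}: SSH reachable from {cidr} ({reason})")
    print("gap #1 closed:", gap1_closed(SAMPLE_SECURITY_GROUPS))
```

Against the constructed sample the hardened group passes and the legacy group produces three findings (the two any-address sources and the /8). Run it against every region the account uses; security groups are regional, and a group that is open but attached to nothing is still worth closing before an instance is launched into it.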
Operational Runbooks
| Type | Runbook | Description |
|---|---|---|
| Runbook | dr-test-runbook.md | Four-scenario DR test: (1) RDS Multi-AZ failover, (2) EC2 instance rebuild from AMI, (3) S3 point-in-time restore, (4) full-stack recovery with DNS cutover. Includes success criteria and sign-off checklist. |
| Runbook | mfa-audit-runbook.md | IAM credential report generation, identification of users without MFA, enforcement workflow, and exception handling for service accounts. |
| Runbook | data-retention-runbook.md | pg_cron job configuration for PostgreSQL data purging, S3 lifecycle policy application, retention schedule verification, and compliance reporting. |
| Runbook | incident-response-runbook.md | Step-by-step incident handling: detection, triage, containment, eradication, recovery, and post-incident review. Includes communication templates and escalation matrix. |
| Runbook | backup-verify-runbook.md | Weekly automated backup verification: RDS snapshot restore to test instance, data integrity checksum, application smoke test, and cleanup. Includes PagerDuty alert on failure. |
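The mfa-audit-runbook's middle steps (identify users without MFA, handle service-account exceptions) can be reduced to a classification over the IAM credential report. The block below is an added example written for this tracker; it is not the runbook itself or any H33 script. It parses the CSV that `aws iam get-credential-report` returns (after `aws iam generate-credential-report`; the `Content` field is base64-encoded CSV and must be decoded before it is passed in). The report rows are constructed sample data, and the `service_accounts` parameter is an assumption that models the runbook's documented-exception path. The logic mirrors gap #6's closure evidence: root MFA on, and a user with no console password (like the Test user) is an exception rather than a violation.

```python
"""MFA audit over an IAM credential report (mfa-audit-runbook.md steps 1-2, 4).

Added example; not the page's runbook or script. Input is the decoded CSV from
    aws iam get-credential-report --query Content --output text | base64 -d
The sample report below is constructed. Real reports carry more columns
(access_key_2_*, cert_*); csv.DictReader ignores the extras.
"""
import csv
import io

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2024-01-02T10:00:00+00:00,not_supported,2026-03-01T09:12:00+00:00,not_supported,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,2024-02-03T10:00:00+00:00,true,2026-03-08T17:40:00+00:00,2026-01-10T08:00:00+00:00,N/A,true,true
bob,arn:aws:iam::123456789012:user/bob,2024-05-06T10:00:00+00:00,true,2026-03-09T07:05:00+00:00,2025-12-01T08:00:00+00:00,N/A,false,false
test,arn:aws:iam::123456789012:user/test,2025-11-11T10:00:00+00:00,false,no_information,N/A,N/A,false,true
"""


def audit_mfa(report_csv, service_accounts=frozenset()):
    """Classify every principal in a credential report.

    Returns a dict of user-name lists:
      violations - console password enabled and MFA not active; root is a
                   violation whenever its MFA is off, since root has no
                   password_enabled flag (the report shows "not_supported").
      exceptions - no console password (programmatic/service accounts), or a
                   user explicitly listed in service_accounts. Console MFA does
                   not apply, so these are recorded for the exception register
                   instead of failing the audit.
      compliant  - console user with MFA active.
    """
    result = {"violations": [], "exceptions": [], "compliant": []}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        if user == "<root_account>":
            (result["compliant"] if mfa else result["violations"]).append(user)
            continue
        console = row["password_enabled"] == "true"
        if user in service_accounts or not console:
            result["exceptions"].append(user)
        elif mfa:
            result["compliant"].append(user)
        else:
            result["violations"].append(user)
    return result


def gap6_closed(report_csv, service_accounts=frozenset()):
    """Gap #6 target state: root MFA on and every console user enrolled."""
    return not audit_mfa(report_csv, service_accounts)["violations"]


if __name__ == "__main__":
    outcome = audit_mfa(SAMPLE_REPORT)
    for bucket, users in outcome.items():
        print(f"{bucket}: {', '.join(users) or '-'}")
    print("gap #6 closed:", gap6_closed(SAMPLE_REPORT))
```

In the constructed report `bob` is the only violation (console access, no MFA) and `test` lands in exceptions because it has no password, matching the register's "Test user has no console access" reasoning. Passing `service_accounts={"bob"}` documents him as an exception and the gap check flips to closed; that is the runbook's exception path, and it should be used only with a recorded justification, since the credential report itself cannot tell a service account from a human who simply has not enrolled. Users in the exceptions bucket still have active access keys in many cases, so the key-rotation columns of the same report are the natural next check.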
Questions about this tracker?
Contact our Security team at security@h33.ai