
Senior Secops
Map SOC 2, PCI-DSS, HIPAA, and GDPR controls and audit prep when a solo builder needs enterprise-ready compliance documentation.
Overview
Senior SecOps is an agent skill most often used in Ship (also Operate) that guides SOC 2, PCI-DSS, HIPAA, and GDPR compliance requirements, checklists, and audit preparation for solo builders.
Install
npx skills add https://github.com/alirezarezvani/claude-skills --skill senior-secops
What is this skill?
- Covers SOC 2 Type II trust service criteria with security control checklists (CC1–CC3 and beyond)
- Reference sections for PCI-DSS, HIPAA, and GDPR requirements
- Compliance automation and audit-preparation guidance
- Markdown-ready control checklists for policies, training, and incident tracking
- SOC 2 Type II maps to five trust service criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy)
- Security controls checklist spans CC1 (Control Environment), CC2 (Communication), CC3 (Risk Assessment) and related CC d
Adoption & trust: 768 installs on skills.sh; 17.5k GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are shipping B2B SaaS but lack a structured map of which compliance controls and audit evidence you still need.
Who is it for?
Indie SaaS founders pursuing SOC 2 or handling payment, health, or EU personal data who want agent-assisted control documentation.
Skip if: Teams that only need generic OWASP app hardening with no compliance framework—not a replacement for lawyers, auditors, or certified GRC tooling.
When should I use this skill?
You need SOC 2, PCI-DSS, HIPAA, or GDPR requirements, control checklists, compliance automation, or audit preparation guidance.
What do I get? / Deliverables
You get framework-specific control checklists and audit-prep framing your agent can turn into documented policies, gap lists, and remediation plans.
- Framework-aligned control checklists in markdown
- Gap-oriented audit preparation notes and automation pointers
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Security and compliance gates belong on the shelf before launch and customer contracts, even though controls are maintained in production. Subphase security is where access controls, encryption, monitoring, and trust-criteria checklists are applied before shipping to regulated or B2B buyers.
Where it fits
Shape enterprise tier copy and security appendix before quoting regulated customers.
Walk CC1–CC3 style control checklists before enabling production access and monitoring.
Align incident reporting and SLA language with trust criteria before go-live.
Maintain annual training and incident-tracking evidence for ongoing SOC 2 operations.
How it compares
Use as a procedural compliance playbook rather than a one-off security linter or generic code review skill.
Common Questions / FAQ
Who is senior-secops for?
Solo builders and small teams shipping SaaS or APIs who must answer enterprise security reviews or prepare for SOC 2, PCI, HIPAA, or GDPR without a full-time compliance officer.
When should I use senior-secops?
During Ship security work when scoping launch controls; during Validate pricing when enterprise deals require trust criteria; and during Operate when maintaining policies, training evidence, and audit readiness.
Is senior-secops safe to install?
Treat it like any third-party skill: review the Security Audits panel on this Prism page and skim SKILL.md before granting broad agent permissions.
SKILL.md
SKILL.md - Senior Secops
# Compliance Requirements Reference

Comprehensive guide for SOC 2, PCI-DSS, HIPAA, and GDPR compliance requirements.

---

## Table of Contents

- [SOC 2 Type II](#soc-2-type-ii)
- [PCI-DSS](#pci-dss)
- [HIPAA](#hipaa)
- [GDPR](#gdpr)
- [Compliance Automation](#compliance-automation)
- [Audit Preparation](#audit-preparation)

---

## SOC 2 Type II

### Trust Service Criteria

| Criteria | Description | Key Controls |
|----------|-------------|--------------|
| Security | Protection against unauthorized access | Access controls, encryption, monitoring |
| Availability | System uptime and performance | SLAs, redundancy, disaster recovery |
| Processing Integrity | Accurate and complete processing | Data validation, error handling |
| Confidentiality | Protection of confidential information | Encryption, access controls |
| Privacy | Personal information handling | Consent, data minimization |

### Security Controls Checklist

```markdown
## SOC 2 Security Controls

### CC1: Control Environment
- [ ] Security policies documented and approved
- [ ] Organizational structure defined
- [ ] Security roles and responsibilities assigned
- [ ] Background checks performed on employees
- [ ] Security awareness training completed annually

### CC2: Communication and Information
- [ ] Security policies communicated to employees
- [ ] Security incidents reported and tracked
- [ ] External communications about security controls
- [ ] Service level agreements documented

### CC3: Risk Assessment
- [ ] Annual risk assessment performed
- [ ] Risk register maintained
- [ ] Risk treatment plans documented
- [ ] Vendor risk assessments completed
- [ ] Business impact analysis current

### CC4: Monitoring Activities
- [ ] Security monitoring implemented
- [ ] Log aggregation and analysis
- [ ] Vulnerability scanning (weekly)
- [ ] Penetration testing (annual)
- [ ] Security metrics reviewed monthly

### CC5: Control Activities
- [ ] Access control policies enforced
- [ ] MFA enabled for all users
- [ ] Password policy enforced (12+ chars)
- [ ] Access reviews (quarterly)
- [ ] Least privilege principle applied

### CC6: Logical and Physical Access
- [ ] Identity management system
- [ ] Role-based access control
- [ ] Physical access controls
- [ ] Network segmentation
- [ ] Data center security

### CC7: System Operations
- [ ] Change management process
- [ ] Incident management process
- [ ] Problem management process
- [ ] Capacity management
- [ ] Backup and recovery tested

### CC8: Change Management
- [ ] Change control board
- [ ] Change approval workflow
- [ ] Testing requirements documented
- [ ] Rollback procedures
- [ ] Emergency change process

### CC9: Risk Mitigation
- [ ] Insurance coverage
- [ ] Business continuity plan
- [ ] Disaster recovery plan tested
- [ ] Vendor management program
```

### Evidence Collection

```python
def collect_soc2_evidence(period_start: str, period_end: str) -> dict:
    """
    Collect evidence for SOC 2 audit period.
    Returns dictionary organized by Trust Service Criteria.
    """
    evidence = {
        'period': {'start': period_start, 'end': period_end},
        'security': {
            'access_reviews': get_access_reviews(period_start, period_end),
            'vulnerability_scans': get_vulnerability_reports(period_start, period_end),
            'penetration_tests': get_pentest_reports(period_start, period_end),
            'security_incidents': get_incident_reports(period_start, period_end),
            'training_records': get_training_completion(period_start, period_end),
        },
        'availability': {
            'uptime_reports': get_uptime_metrics(period_start, period_end),
            'incident_reports': get_availability_incidents(period_start, period_end),
            'dr_tests': get_dr_test_results(period_start, period_end),
            'backup_tests': get_backup_test_results(period_start, period_end),
        },
        'processing_integrity': {
            'data_validation_logs
```
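The evidence-collection function gathers items per criterion but does not tell you whether those items actually satisfy the cadences the checklist sets (weekly scans, quarterly access reviews, annual pentest and training). The block below is an added example, not code from the skill or its repository: it assumes evidence has already been fetched into a dict of control name to list of dates, finds every window of the audit period where the required cadence was missed (including a control that is never evidenced at all), and renders the result as the kind of markdown gap list the skill's deliverables describe. The cadence mapping and all sample dates are constructed for illustration.

```python
from datetime import date, timedelta

# Required cadence per control from the checklist above: max days between evidence items.
CADENCE_DAYS = {
    "vulnerability_scans": 7,    # CC4: vulnerability scanning (weekly)
    "access_reviews": 92,        # CC5: access reviews (quarterly)
    "penetration_tests": 366,    # CC4: penetration testing (annual)
    "training_records": 366,     # CC1: security awareness training (annual)
}

# Constructed sample audit period and evidence dates (hypothetical, for illustration).
PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 12, 31)
SAMPLE_EVIDENCE = {
    # weekly scans, with three consecutive weeks missing in March
    "vulnerability_scans": [PERIOD_START + timedelta(days=7 * i)
                            for i in range(53) if i not in (10, 11, 12)],
    "access_reviews": [date(2024, 1, 15), date(2024, 4, 15), date(2024, 7, 15)],  # Q4 missing
    "penetration_tests": [date(2024, 6, 1)],
    "training_records": [],  # no completion records at all
}


def find_cadence_gaps(evidence, period_start, period_end, cadence=CADENCE_DAYS):
    """Return {control: [(gap_start, gap_end), ...]} for each stretch of the audit
    period longer than the control's cadence with no evidence item in it. The edges
    of the period count too, so a never-evidenced control is one whole-period gap."""
    gaps = {}
    for control, max_gap in cadence.items():
        dates = sorted(d for d in evidence.get(control, []) if period_start <= d <= period_end)
        if not dates:
            gaps[control] = [(period_start, period_end)]
            continue
        checkpoints = [period_start] + dates + [period_end]
        found = [(prev, nxt) for prev, nxt in zip(checkpoints, checkpoints[1:])
                 if (nxt - prev).days > max_gap]
        if found:
            gaps[control] = found
    return gaps


def gap_list_markdown(gaps):
    """Render gaps as a markdown checklist in the style of the skill's checklists."""
    lines = ["## SOC 2 Evidence Gaps"]
    for control, spans in sorted(gaps.items()):
        for start, end in spans:
            lines.append(f"- [ ] {control}: no evidence {start} to {end} ({(end - start).days} days)")
    return "\n".join(lines)
```

Run `print(gap_list_markdown(find_cadence_gaps(SAMPLE_EVIDENCE, PERIOD_START, PERIOD_END)))` to get three open checklist items: the March scan gap, the missing Q4 access review, and the absent training records; the mid-year pentest passes because an annual control only needs one item inside the period.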