🛡️ Methodology Checklist
- Identify applicable standards: PCI-DSS, HIPAA, NIST, ISO 27001, SOC 2
- Map findings to relevant control failures
- Note compensating controls where present
- Flag compliance-critical findings separately from general security findings
- Align remediation timelines with compliance deadlines
- Provide compliance-specific language in finding remediation sections
🎯 Operational Context
Think Dumber First: Compliance ≠ Security. A PCI-DSS compliant network can still be trivially compromised. Know which standard applies before scoping: card data → PCI-DSS; health records → HIPAA; cloud SaaS → SOC 2; federal systems → NIST 800-53. Map every finding to the relevant control number in your report.
When you land here: Compliance-driven assessment. Identify applicable standard from data types handled. Map scope to required control domains. Test against control requirements. Report: compliance gap = control number + finding description + risk + remediation. Separate compliance gaps from pure security findings.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| (No CLI commands — framework reference) | N/A |
🔬 Deep Dive & Workflow
Compliance Standards
| Standard | Focus | Scan Requirements |
|---|---|---|
| PCI DSS | Credit cards (banks, online stores) | Internal + external scanning required; CDE segmentation |
| HIPAA | Patient data (healthcare) | Risk assessment required; vuln scanning not explicitly mandated |
| FISMA | Government operations | Vulnerability management program required; CIA focus |
| ISO 27001 | General InfoSec management | Quarterly external + internal scans; ISMS focus |
Compliance = minimum requirement, not end goal. Drive the program by the organization’s risk appetite, not just the audit checkbox.
Penetration Testing Standards
| Standard | Scope | Phases |
|---|---|---|
| PTES | General-purpose | Pre-engagement → Recon → Threat Modeling → Vuln Analysis → Exploitation → Post-Exploitation → Reporting |
| OSSTMM | Operational security, 5 channels | Human, Physical, Wireless, Telecom, Data Networks |
| NIST | Federal engagements | Planning → Discovery → Attack → Reporting |
| OWASP WSTG | Web + mobile applications | "Gold Standard" for web app testing |
Rules of Engagement (RoE) Checklist
- Signed contract — legal authorization
- Defined scope — what is allowed vs. off-limits
- Minimal harm — no password changes, no service crashes
- Evidence collection — screenshots of folder names, NOT full file downloads (avoid PII/PHI exfil)
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Client doesn’t know which standard applies | Unclear regulatory environment | Ask about data types: payment cards → PCI-DSS; health info → HIPAA; cloud SaaS → SOC 2; recommend compliance officer involvement |
| Finding is valid but outside compliance scope | Out-of-scope for current audit | Document as advisory finding; note it doesn’t affect compliance attestation; client should address separately |
| Standard requirement interpretation ambiguous | Vague control language | Reference official guidance (PCI-DSS Information Supplements, NIST SP 800-53 control descriptions); err conservative when uncertain |
| Compliance passed but security posture remains poor | Compliance minimum doesn’t equal security | Clearly separate compliance attestation from security assessment conclusions; both need separate sections in report |
| Client requests specific compliance report format | Non-standard output needed | Download official templates from PCI Security Council, HHS, or NIST; avoid creating ad-hoc formats that may miss required elements |
📝 Reporting Trigger
Finding Title: (Compliance gaps reported as: Standard Reference [e.g., PCI-DSS Req 6.3.3], Gap Description, Risk Level, Remediation. Each non-compliant control = one finding. Include compliance pass/fail summary table at start of report. Separate compliance findings from pure security findings.)
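The finding structure above (control number + gap + risk + remediation, compliance gaps kept apart from pure security findings, pass/fail summary per in-scope control) as an added Python example, not code from the original page or from any standards body. The sample findings and the decision that a compensating control is only noted, never counted as a pass, are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    title: str
    risk: str
    remediation: str
    control: Optional[str] = None       # standard reference; None = pure security finding
    compensating: Optional[str] = None  # compensating control, if one is present

# Constructed sample findings; control references are illustrative and must be
# verified against the current standard text before reuse in a report.
SAMPLE_FINDINGS = [
    Finding("Critical patch missing on CDE web server for over 30 days", "High",
            "Apply vendor patch", control="PCI-DSS Req 6.3.3",
            compensating="Virtual patching via WAF rule"),
    Finding("No internal vulnerability scan in the last quarter", "Medium",
            "Schedule quarterly internal scans", control="PCI-DSS Req 11.3.1"),
    Finding("Weak password policy on dev wiki (outside CDE)", "Low",
            "Enforce MFA and minimum length"),
]

def split_findings(findings):
    """Compliance gaps (control-mapped) vs. advisory / pure security findings."""
    gaps = [f for f in findings if f.control]
    advisory = [f for f in findings if not f.control]
    return gaps, advisory

def pass_fail_summary(controls_in_scope, gaps):
    """One row per in-scope control: FAIL if any gap maps to it, else PASS.
    A compensating control is noted but never turns a FAIL into a PASS."""
    by_control = {}
    for g in gaps:
        by_control.setdefault(g.control, []).append(g)
    rows = {}
    for c in controls_in_scope:
        hits = by_control.get(c, [])
        if not hits:
            rows[c] = "PASS"
        elif all(h.compensating for h in hits):
            rows[c] = "FAIL (compensating control noted)"
        else:
            rows[c] = "FAIL"
    return rows

def format_gap(f):
    """One non-compliant control = one finding: reference, gap, risk, remediation."""
    line = f"{f.control} | {f.title} | {f.risk} | {f.remediation}"
    return line + (f" | Compensating: {f.compensating}" if f.compensating else "")
```

Advisory findings from `split_findings` go in the separate security section; only the rows from `pass_fail_summary` feed the compliance attestation table.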