Engineering for security compliance: How to prepare before the audit

Matthew Connerton
Security and privacy compliance certifications—like SOC 2 (a leading audit standard for security, availability, and confidentiality) and HITRUST (a healthcare-focused security framework)—are becoming requirements for healthcare, finance, and other high-trust industries. Waiting until audit season to start preparing can be overwhelming.
This session shares engineering-side lessons from Encore Healthcare’s journey to SOC 2 and HITRUST readiness. Instead of a checklist of requirements, we’ll focus on designing systems, processes, and documentation so you’re always ready to provide evidence to an auditor. We’ll walk through how we integrated compliance into our SDLC, infrastructure, access control, logging, and team processes—what worked, what didn’t, and the pitfalls we wish we’d avoided.
You’ll leave with a blueprint for making security compliance part of your natural engineering workflow, not a stressful scramble.
Learning Objectives
By the end of this session, attendees will be able to:
- Apply engineering practices (SDLC, logging, IaC, access control) that generate audit-ready evidence automatically.
- Perform internal reviews (onboarding checklists, policy adherence, vendor management) that reduce last-minute compliance gaps.
- Develop a practical plan for working with consultants, clarifying ambiguous audit requests, and avoiding common pitfalls in SOC 2/HITRUST readiness.
Target Audience
- Engineering leaders and senior developers responsible for compliance-sensitive Drupal applications
- DevOps and infrastructure teams preparing for SOC 2 or HITRUST
- Technical managers balancing product delivery with compliance requirements
Prerequisites
- Familiarity with modern software development practices (version control, CI/CD, IaC)
- Experience operating Drupal or other SaaS/web applications in production
- No prior compliance experience required — this is about engineering preparation, not legal fine print
Additional Details
- Audience level: All Attendees
- Topic: DevOps
- Room: Gaige Hall 202