Compliance Frameworks
The Compliance page in PAM-Pro lets you select a compliance framework, auto-configure your default policy baseline to meet that framework's requirements, manage your WORM audit retention settings, export audit evidence packages, and review your Key Protection Level.
Available Frameworks
PAM-Pro supports four compliance frameworks, each mapping its technical controls to the relevant regulatory requirements:
- NIST 800-53 - National Institute of Standards and Technology Security and Privacy Controls for Information Systems. 5 controls mapped (AC-6, IA-2, AU-2, AU-12, SI-12).
- SOC 2 Type II - Service Organization Control 2 - Trust Services Criteria for Security, Availability, and Confidentiality. 4 controls mapped. This is the Active framework in the screenshot above.
- HIPAA - Health Insurance Portability and Accountability Act - Safeguards for Protected Health Information (PHI). 4 controls mapped.
- PCI-DSS v4.0 - Payment Card Industry Data Security Standard - Requirements for organizations that handle cardholder data. 4 controls mapped.
Enabling a Framework
Click a framework card to activate it. When a framework is activated:
- The card is highlighted with an Active badge.
- PAM-Pro automatically adjusts your Global Default Policy to match the framework's baseline requirements - including rotation frequency, access window restrictions, and approval requirements.
- The evidence export bundle will be labeled with the active framework for auditor submissions.
Note: Enabling a framework modifies your Global Default Policy settings. Review the updated policy in Governance › Policies after activation to confirm the baseline matches your environment's needs before going live.
Security and Data Retention
The left panel on the Compliance page controls your WORM audit retention settings.
- Compliance Governance - Shows whether immutability is active (UNLOCKED means the retention period can still be extended; once set, it cannot be shortened).
- WORM Retention Period - Adjustable slider from 1 day (default) to 365 days. Use the Standardize Policy button to apply the retention period recommended by your active framework.
Compliance Guardrail: Retention periods can only be extended. Reductions are prohibited by the Azure Management SDK to maintain audit integrity.
Evidence Export
The centre panel generates a compliance evidence package for third-party auditors (SOC2/ISO Auditor Briefs). The export includes:
- Standardized Audit Trail - Certified data from the audit-log container with tamper-evident hashing.
- System Configuration Snapshot - Proof of MFA, JIT, and WORM settings at the time of export.
Click Export SOC2 Security Brief to generate the evidence PDF. The export is timestamped and labeled as Evidence-Grade for auditor submission. The Security Scoreboard results are also included in the export package.
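As an added illustration (not PAM-Pro's own implementation; the page does not describe its hashing scheme), the Python below shows what tamper-evident hashing of an exported audit trail lets an auditor check: each record is linked to its predecessor by a hash, so an in-place edit or a truncated export is detected against the chain head recorded in the evidence bundle. The sample events, field names and chain format are constructed for this example.

```python
import hashlib
import json
from typing import Optional, Tuple

# Constructed sample audit events; these are not real PAM-Pro records.
SAMPLE_EVENTS = [
    {"seq": 1, "actor": "alice", "action": "checkout", "target": "svc-db-admin"},
    {"seq": 2, "actor": "alice", "action": "checkin", "target": "svc-db-admin"},
    {"seq": 3, "actor": "bob", "action": "approve", "target": "req-17"},
]
GENESIS = "0" * 64  # prev_hash of the first record in the chain


def canonical(event: dict) -> bytes:
    """Serialize deterministically so every verifier recomputes the same hash."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def build_chain(events: list) -> list:
    """Attach prev_hash/hash to each event so it is bound to its predecessor."""
    chain, prev = [], GENESIS
    for ev in events:
        record = dict(ev, prev_hash=prev)
        record["hash"] = hashlib.sha256(prev.encode() + canonical(ev)).hexdigest()
        chain.append(record)
        prev = record["hash"]
    return chain


def verify_chain(chain: list, expected_head: str) -> Tuple[bool, Optional[int]]:
    """Recompute every link. Returns (ok, index of first bad record);
    index -1 means all links hold but the head differs (e.g. truncation)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k not in ("prev_hash", "hash")}
        if rec["prev_hash"] != prev:
            return False, i
        if hashlib.sha256(prev.encode() + canonical(body)).hexdigest() != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return (True, None) if prev == expected_head else (False, -1)


def demo() -> dict:
    """Verify an intact export, then an edited one and a truncated one."""
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["hash"]            # the head an evidence bundle would record
    tampered = [dict(r) for r in chain]
    tampered[1]["actor"] = "mallory"    # edit a historical entry in place
    truncated = chain[:-1]              # drop the newest entry
    return {"intact": verify_chain(chain, head),
            "tampered": verify_chain(tampered, head),
            "truncated": verify_chain(truncated, head)}
```

The edit is caught at the record whose hash no longer matches; the truncation is caught only by comparing against the recorded head, which is why the head must travel with the bundle rather than be recomputed from it.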
Key Protection Level
The right panel shows your current cryptographic key backing tier:
- FIPS 140-2 Level 1 - Default. Software-protected keys in Azure Key Vault Standard. Suitable for most enterprise deployments.
- FIPS 140-3 Level 3 - Available via the HSM Add-on. Hardware-protected keys with full tamper-resistance. Required for federal, defense, and highest-assurance healthcare environments. Contact your administrator or visit the pricing page to enable HSM-backed key storage.
© 2026 Huntoso LLC. All rights reserved.