Technical Compliance, Privacy & Security
1. Overview & Mandate
Business Unit Purpose
Technical Compliance, Privacy & Security is responsible for defining, maintaining, and governing MorgueBoard®’s technical security posture and compliance readiness. This business unit ensures that the platform meets enterprise healthcare expectations for data protection, risk management, and auditability while enabling, not blocking, product development and delivery.
Mandate Statement
Technical Compliance, Privacy & Security exists to protect customer data, reduce organizational risk, and maintain regulatory and contractual trust through clear standards, proactive risk management, and continuous compliance readiness.
Primary Accountability Owner
- Primary: Technical Compliance & Security Owner (Nic Bavetta)
- Supporting: Engineering, Operations, Legal
- Fractional / External: Security & Compliance Advisory Partners (e.g., SOC 2 / audit support)
2. Core Functions & Responsibilities
Core Functions
- Security architecture and control definition
- HIPAA technical safeguards governance
- SOC 2 readiness, maintenance, and evidence oversight
- Vulnerability management and penetration testing coordination
- Incident response planning and coordination
- Technical vendor risk assessment
- Security policy and standards management
Explicit Responsibilities
- Define technical security and privacy standards for the platform
- Own scope, posture, and readiness for SOC 2 and similar audits
- Establish vulnerability management and remediation expectations
- Coordinate and document penetration testing and security assessments
- Oversee incident response processes and post-incident reviews
- Partner with Engineering to embed security-by-design practices
- Maintain security documentation and audit evidence
Explicit Non-Responsibilities
- Engineering implementation or delivery execution
- Product roadmap ownership or prioritization
- Clinical or operational compliance interpretation
- Contract negotiation or legal interpretation
3. Fractional & Embedded Capability Partners
This section documents ongoing fractional or embedded partners that function as extensions of this business unit. These partners provide execution capability for defined scopes, while internal ownership and accountability remain with MorgueBoard LLC.
| Partner | Capability Provided | Engagement Type | Accountability Boundary | Primary Engagement Contact | Notes |
|---|---|---|---|---|---|
| Genius GRC | SOC 2 program execution, audit readiness support, evidence management, and compliance advisory | Fractional / Embedded | Execution support only; compliance accountability retained internally | Eric Shoemaker, CISSP — Advisory CISO / Owner | Ongoing, annual engagement required to maintain SOC 2 posture |
| Advantage Partners | Independent SOC 2 audit execution and attestation | Independent Audit Partner | Independent assurance only; no execution or advisory authority | SOC 2 Engagement Lead (per audit engagement) | Annual SOC 2 Type II audits; recurring audit partner |
4. Decision Rights & Authority Boundaries
Important Context
The decision rights outlined in this section are intentionally high-level and directional. Formal, binding authority, escalation paths, and governance mechanisms are defined in the company’s Decision Rights & Governance Policy and supporting compliance documentation. In the event of conflict, formal policy prevails.
Technical Compliance, Privacy & Security Owns Decisions Regarding:
- Security and privacy standards applicable to the platform
- Compliance scope, audit posture, and risk acceptance (technical)
- Required remediation for identified security risks
- Incident classification and response requirements
Does Not Own:
- Technical implementation approaches (Engineering)
- Feature scope or prioritization (Product Management)
- Customer deployment timelines (Implementation)
- Budget approval authority (Executive Leadership / Finance)
Escalation Triggers:
- Security risks that materially impact customer trust or contractual obligations
- Conflicts between delivery timelines and security requirements
- Material audit findings or unresolved control gaps
5. Key Interfaces & Dependencies
| Interface | Nature of Interaction |
|---|---|
| Engineering / R&D | Security controls, remediation guidance, secure design alignment |
| Product Management | Early identification of compliance-impacting features |
| Operations | Policy management, tooling, and internal process alignment |
| Legal & Contract Management | Contractual security obligations and risk interpretation |
| Customer Success / Sales | Security questionnaires, trust enablement, escalations |
6. Budget Ownership & Cost Structure
Compliance & Security Budget Scope
- Security and compliance tooling
- Audit and assessment costs (e.g., SOC 2)
- Penetration testing and vulnerability scanning
- Fractional or advisory security resources
- Training related to security and compliance
Budget Ownership Model
- Technical Compliance manages spend within an approved budget
- Executive Leadership and Finance approve annual budgets and material increases
- Spend must be justified by risk reduction, audit readiness, or contractual necessity
7. General KPIs & Performance Metrics
Security Posture
- Number of open vs. remediated vulnerabilities
- Time to remediate critical findings
- Frequency and severity of security incidents
Compliance Readiness
- Audit findings by severity
- Time to close audit remediation items
- Completeness and freshness of audit evidence
Operational Enablement
- Responsiveness to security questionnaires
- Reduction in security-related delivery blockers
8. Initiatives & Goals Tracking
| Initiative / Goal | Description | Owner | Success Criteria | KPI(s) | Target Date | Status | Notes |
|---|---|---|---|---|---|---|---|
| Maintain SOC 2 Readiness | Ensure ongoing SOC 2 readiness through evidence maintenance and control validation. | Compliance | Audit-ready posture maintained without fire drills | Audit findings, evidence freshness | Ongoing | Planned | Fractional audit support expected |
| Expand SOC 2 Trust Services Criteria Coverage | Assess, plan, and implement support for additional SOC 2 Trust Services Criteria beyond Security, based on advisory guidance from Genius GRC. | Compliance | At least one additional Trust Services Criterion successfully included in SOC 2 scope, with ability to include more if feasible | Number of additional criteria added, audit outcomes | Q4 2026 | Planned | Scope and sequencing to be advised by Genius GRC; goal is a minimum, not a cap |
| Implement Geo-Redundant Failover | Design and implement geographic redundancy to support failover in the event of a regional Azure outage, addressing gaps identified in the 2025 disaster recovery tabletop exercise. | Compliance / Engineering | Geo-redundant architecture documented, tested, and approved | RTO/RPO targets met, failover test results | Q4 2026 | Planned | Requires coordination with Engineering and Azure infrastructure changes |
| Establish Azure Function App Recovery Procedures | Design and document supported recovery procedures for Azure Function Apps (Integration API, Audit API, Tenant Discovery API) running on Consumption or Elastic Premium plans. | Compliance / Engineering | Documented and tested recovery procedures for all listed services | Recovery test success rate, documented RTO | Q4 2026 | Planned | Addresses platform limitations in Azure restore capabilities |
9. Maturity Roadmap
Current State
Founder-led security and compliance oversight with reliance on periodic assessments and limited continuous monitoring.
Next State
Defined security standards, continuous vulnerability management, and predictable audit readiness supported by fractional expertise.
Future State
Proactive, continuously monitored security and compliance program with minimal founder dependency and strong enterprise credibility.
10. Document Revision History
| Version | Date | Description of Change | Author | Approved By | Approval Date |
|---|---|---|---|---|---|
| 1.0 | 2026-01-04 | Document Creation | Nic Bavetta | | |