IT compliance posture Pacific Northwest
Your compliance posture is not your policy binder. It is the operating reality those policies are supposed to describe, and the evidence trail that proves it. For organizations in the Pacific Northwest navigating layered frameworks, that distinction is the one that matters under scrutiny.
I am not a compliance officer. I am not a lawyer. I am not an auditor. What I am is a specialist who works with organizations that have compliance obligations and need their IT infrastructure to support those obligations with evidence, not aspiration. I have been doing this work since the late 1990s, and the pattern I keep seeing has not changed much: organizations address compliance by acquiring documents, and then are surprised when documents are not enough.
What compliance frameworks actually require is a documented control environment with evidence that controls operate as described. Here is what that looks like in practice:
Policy documents describe these controls. They are not evidence that the controls run.
The Pacific Northwest has a layered compliance landscape. Washington's My Health My Data Act took effect in March 2024. Oregon passed its own consumer privacy law in 2023. If you handle protected health information as a covered entity or a business associate, HIPAA applies regardless of your location. Financial services firms face the FTC Safeguards Rule. Card processors face PCI DSS. If you hold California resident data, and most businesses operating in this region do, CCPA applies on top of all of that once you meet its business thresholds. These frameworks do not replace each other. They layer.
Most organizations I see have addressed this by acquiring policy documents. A HIPAA policy from several years back. A Safeguards policy written by a vendor who no longer answers their calls. A PCI self-assessment questionnaire completed once and filed. That is documentation of intent. It is not evidence of control implementation.
The distinction is precise and it matters. A written policy that says "we encrypt data in transit" is a statement. A TLS configuration with a valid certificate chain, an enforced minimum protocol version, and a restricted cipher suite list is a control. A dated scan output or server log showing connection attempts with TLS 1.0 or 1.1 being rejected is evidence. An auditor or regulator wants to see the control and the evidence. The policy is what you reference to explain why the control exists.
I keep seeing organizations that believe they are compliant because they run Microsoft 365 or Google Workspace. Those platforms provide controls. They do not provide compliance. MFA is available in both. That does not mean it is enforced for all users. Conditional Access policies are available. That does not mean any are configured to require MFA or block risky sign-ins. Audit logs are generated. That does not mean anyone reviews them or would recognize abnormal activity. Platform capability is not the same as implemented posture.
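The difference between "MFA is available" and "MFA is enforced for every user" shows up in the sign-in logs, and the review that turns those logs into evidence is mechanical. The following is an added example, not code from this page or from Microsoft: it reads a constructed batch of sign-in records whose field names loosely follow a Microsoft Entra sign-in export (the export shape is an assumption, and the error codes are illustrative values, not the basis of the classification), then separates successful sign-ins that satisfied MFA, successful sign-ins that did not (the gap an auditor will ask about), and attempts that a policy actively blocked (evidence the control operates).

```python
"""Added example: review exported sign-in records for MFA enforcement evidence.

The records below are constructed for illustration and only loosely follow
the field names of a Microsoft Entra sign-in log export (an assumption);
real exports carry many more fields.
"""
import json
from collections import Counter

# Constructed sample data; every value is invented.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2024-06-03T14:02:11Z", "userPrincipalName": "alice@example.com",
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success"},
    {"createdDateTime": "2024-06-03T14:05:40Z", "userPrincipalName": "bob@example.com",
     "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2024-06-03T14:07:02Z", "userPrincipalName": "carol@example.com",
     "status": {"errorCode": 53003}, "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "failure"},
    {"createdDateTime": "2024-06-03T14:09:15Z", "userPrincipalName": "dave@example.com",
     "status": {"errorCode": 50126}, "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2024-06-03T14:11:58Z", "userPrincipalName": "erin@example.com",
     "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "success"},
])


def classify(rec):
    """Bucket one sign-in record by what it proves about MFA enforcement.

    The decision uses the success flag, the authentication requirement and the
    Conditional Access outcome only; the numeric error codes are not consulted.
    """
    succeeded = rec["status"]["errorCode"] == 0
    mfa = rec["authenticationRequirement"] == "multiFactorAuthentication"
    if succeeded and mfa:
        return "success_with_mfa"      # the control operated for this sign-in
    if succeeded and not mfa:
        # A successful single-factor sign-in is the gap: either no policy was
        # applied to this user, or the applied policy did not require MFA.
        return "success_without_mfa"
    if rec["conditionalAccessStatus"] == "failure":
        return "blocked_by_policy"     # evidence that the control denies access
    return "failed_other"              # bad password etc.; says nothing about MFA


def review_mfa_enforcement(raw_json):
    """Return bucket counts, the users whose sign-ins bypassed MFA, and a verdict."""
    counts = Counter()
    gap_users = set()
    for rec in json.loads(raw_json):
        bucket = classify(rec)
        counts[bucket] += 1
        if bucket == "success_without_mfa":
            gap_users.add(rec["userPrincipalName"])
    return {
        "counts": dict(counts),
        "gap_users": sorted(gap_users),
        "enforced_for_all": counts["success_without_mfa"] == 0,
    }


if __name__ == "__main__":
    print(json.dumps(review_mfa_enforcement(SAMPLE_SIGNINS), indent=2))
```

On the constructed sample the review finds two users who signed in successfully with a single factor, one because no policy applied to them and one because the applied policy did not require MFA, and one attempt that a policy blocked. Run against a real export on a schedule and kept with its date, the output is the review record the paragraph says is usually missing.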
Imagine a firm that has a business associate agreement with a billing vendor. The agreement states the vendor will encrypt data at rest. The vendor does not. A device is stolen. During the breach review, encryption is discovered to have never been enabled. The agreement described a control that was not implemented. That is the pattern I keep seeing: a gap that is invisible until something stresses it, and by then the cost of finding it has already multiplied.
Most gaps I see are not about missing technology. The firewall exists but there is no change log. Backups run but there is no test log. Access is provisioned but there is no review log. Those are fixable problems. What cannot be undone is discovering the gap during an audit or after an incident.
What I do is build the evidence trail so an organization can defend its posture when questioned. That means configuring controls, documenting their operation, creating processes to review and test them, and maintaining records of those activities. It means implementing endpoint protection and then demonstrating that it detects threats. It means enforcing MFA and then showing that authentication attempts without it are blocked. It means running vulnerability scans and then showing that identified findings are remediated within policy windows. The work is operational, not theoretical.
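"Findings are remediated within policy windows" is a claim that only holds up if the window, the detection date and the closure date are recorded together and compared. The following is an added example, not code from this page: it takes a constructed list of scanner findings and an assumed set of remediation windows by severity (the day counts are illustrative, not any framework's requirement) and produces, as of a reporting date, which findings closed on time, which closed late, and which are still open past their window.

```python
"""Added example: check vulnerability findings against remediation windows.

The findings, the reporting date and the policy windows are all constructed
for illustration; the windows (days by severity) are an assumption.
"""
from datetime import date

# Assumed policy: maximum days from first detection to verified remediation.
REMEDIATION_WINDOWS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed reporting date for the evidence run.
AS_OF = date(2024, 6, 30)

# Constructed scanner output, reduced to the fields the evidence needs.
FINDINGS = [
    {"id": "F-1", "host": "web-01", "severity": "critical",
     "first_seen": date(2024, 5, 1), "resolved": date(2024, 5, 5)},
    {"id": "F-2", "host": "web-01", "severity": "critical",
     "first_seen": date(2024, 5, 1), "resolved": date(2024, 5, 12)},
    {"id": "F-3", "host": "db-01", "severity": "high",
     "first_seen": date(2024, 5, 20), "resolved": None},
    {"id": "F-4", "host": "file-02", "severity": "medium",
     "first_seen": date(2024, 6, 10), "resolved": None},
    {"id": "F-5", "host": "file-02", "severity": "low",
     "first_seen": date(2024, 1, 15), "resolved": date(2024, 6, 1)},
]


def assess_finding(finding, as_of, windows=REMEDIATION_WINDOWS):
    """Return (status, days_open) for one finding.

    status is one of closed_on_time, closed_late, open_in_window, open_overdue.
    An open finding is measured up to the reporting date, so it can be overdue
    before anyone closes it, which is the case an audit will pick out.
    """
    window = windows[finding["severity"]]
    end = finding["resolved"] or as_of
    days_open = (end - finding["first_seen"]).days
    if finding["resolved"] is not None:
        return ("closed_on_time" if days_open <= window else "closed_late"), days_open
    return ("open_in_window" if days_open <= window else "open_overdue"), days_open


def remediation_report(findings, as_of, windows=REMEDIATION_WINDOWS):
    """Build the evidence record: one row per finding plus the exceptions list."""
    rows = []
    for f in findings:
        status, days_open = assess_finding(f, as_of, windows)
        rows.append({"id": f["id"], "host": f["host"], "severity": f["severity"],
                     "days_open": days_open, "window": windows[f["severity"]],
                     "status": status})
    closed = [r for r in rows if r["status"].startswith("closed")]
    on_time = [r for r in closed if r["status"] == "closed_on_time"]
    return {
        "as_of": as_of.isoformat(),
        "rows": rows,
        "overdue": [r["id"] for r in rows if r["status"] == "open_overdue"],
        "closed_late": [r["id"] for r in rows if r["status"] == "closed_late"],
        # Share of closed findings that met their window; None if nothing closed yet.
        "on_time_rate": (len(on_time) / len(closed)) if closed else None,
    }


if __name__ == "__main__":
    report = remediation_report(FINDINGS, AS_OF)
    for row in report["rows"]:
        print(f"{row['id']:5} {row['severity']:8} {row['days_open']:4}d "
              f"(window {row['window']}d) {row['status']}")
    print("overdue:", report["overdue"], "closed late:", report["closed_late"])
```

The rows are the record you keep from each run; the `overdue` and `closed_late` lists are the exceptions to explain. A finding in the sample that was fixed four days after the window passed still counts as closed late, because the question an auditor asks is whether the policy window was met, not whether the finding was eventually fixed.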
You can learn more about how we approach this at our services page.
The question is not whether you have policies. The question is whether you can demonstrate control operation with evidence that would survive scrutiny. If you cannot answer that with confidence, you have a gap. The decision is whether to close it before the next inquiry or after.
If you want to know what your evidence trail looks like right now, reach out at /#contact and we will walk through it with you.