IT Guidance for Compliance Clients in the Pacific Northwest
I spend most of my time working with organizations that have compliance requirements they did not choose. A law firm that handles trust accounts. A medical billing company processing PHI. An auto dealership subject to FTC Safeguards. A financial services firm under state examination authority. These businesses did not wake up one morning and decide to become compliant. They woke up to a notice, a customer requirement, or a contract clause that made compliance mandatory.
The question they ask us is not whether they need to comply. They already know they do. The question is: what does that actually mean for their IT environment, and how do they prove it when someone asks?
What Compliance Actually Requires
Compliance frameworks are not about buying tools. They are about operating controls and documenting that operation. A framework like SOC 2, HIPAA, FTC Safeguards, or PCI-DSS describes outcomes: that access is restricted, that data is encrypted, that incidents are logged and reviewed. The requirement is evidence that these outcomes happen consistently, not evidence that you purchased software capable of making them happen.
I see this gap constantly. An organization buys an EDR platform and considers endpoint protection handled. But the EDR is not self-configuring. Someone has to define what gets flagged, who gets alerted, how fast incidents are reviewed. Someone has to document when those settings were applied and what exceptions exist. When an auditor asks for evidence of endpoint monitoring, they are asking for logs, policies, and records that show the control firing. A screenshot of the dashboard is a start. A thirteen-month gap between configuration and documentation is not.
Compliance posture is the distance between what your environment does and what you can prove it does. That distance is where organizations fail audits even when their actual security hygiene is decent.
What Pacific Northwest Businesses Actually Face
Washington State has exam authority over certain financial services firms. Oregon has data breach notification laws with specific timelines. Healthcare practices here operate under federal HIPAA rules but also state-level privacy standards. Auto dealerships must meet FTC Safeguards. Law firms holding client funds have bar association requirements. These are not abstract. They carry financial penalties, license risks, and reputational damage when mishandled.
The Northwest is also full of small businesses that handle sensitive data without dedicated compliance staff. A thirty-person law firm does not have a Chief Compliance Officer. A medical billing company with twelve employees does not have an internal audit team. What they have is someone in operations who also handles compliance, usually without formal training, and that person is expected to answer examiner questions when they arrive.
When we work with these organizations, the first conversation is about what currently exists versus what an examiner would accept. Exists means: implemented, monitored, and documented with dates and responsible parties. Accept means: evidence that would survive scrutiny from someone trained to find gaps.
The Work That Fills the Gap
We start with an inventory of controls. Not what should exist. What does exist, how it operates, who owns it, and where the documentation lives. MFA status across all systems. Backup schedules and the last documented restore test. Access review records. Logging configuration and retention. Patch management cadence. Incident response contact lists.
Then we map those controls to the framework the organization is subject to. If it is HIPAA, we map to the Security Rule's administrative, physical, and technical safeguards. If it is FTC Safeguards, we map to the nine required elements of the rule. The map shows where controls are present, where they are partial, and where they are absent.
Partial is common. MFA exists but is not enforced universally. Backups run nightly but have not been tested in fourteen months. Access reviews are supposed to be quarterly but the last review was nine months ago. Partial controls do not survive audits. They survive until someone asks for proof of operation, and then they collapse.
The work is making partial controls complete and documenting them as such. Enforcing MFA everywhere. Testing a restore and recording the results. Running the overdue access review and noting who was removed. Updating policies to match what actually happens rather than what was intended two years ago.
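The present / partial / absent split above is mechanical once the inventory records three things per control: when it was last evidenced, how often the framework expects it to operate, and how much of the scope it actually covers. The script below is an added illustration of that classification, not TCG's own tooling or any framework's published test. The inventory, the framework mapping labels, and the cadence windows (90 days for MFA and access reviews, 365 for restore tests, 30 for log retention) are constructed assumptions chosen to reproduce the examples in the text; substitute the cadence your framework or policy actually requires.

```python
# Added example: turns a control inventory into a gap map of
# present / partial / absent controls, based on evidence age and coverage.
# The inventory, framework references and cadence windows below are
# constructed assumptions for illustration, not values from any framework.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Control:
    name: str
    framework_ref: str              # illustrative mapping target in the framework
    owner: Optional[str]            # responsible party; None means nobody is on record
    last_evidenced: Optional[date]  # date of the newest evidence record, None if none exists
    cadence_days: int               # assumed maximum acceptable age of that evidence
    coverage: float = 1.0           # fraction of in-scope systems or users actually enforced


def assess(control: Control, as_of: date) -> tuple[str, list[str]]:
    """Classify one control as 'present', 'partial' or 'absent' with reasons.

    absent:  no evidence that the control ever operated.
    partial: evidence exists but is stale, covers only part of the scope, or has no owner.
    present: evidence is within cadence, coverage is complete, and an owner is named.
    """
    if control.last_evidenced is None:
        return "absent", ["no evidence of operation on record"]
    reasons: list[str] = []
    age_days = (as_of - control.last_evidenced).days
    if age_days > control.cadence_days:
        reasons.append(f"last evidence is {age_days} days old; cadence is {control.cadence_days} days")
    if control.coverage < 1.0:
        reasons.append(f"enforced on {control.coverage:.0%} of in-scope systems")
    if control.owner is None:
        reasons.append("no responsible party recorded")
    return ("partial" if reasons else "present"), reasons


def gap_map(controls: list[Control], as_of: date) -> dict[str, dict[str, tuple[str, list[str]]]]:
    """Group assessments by framework reference: {ref: {control name: (status, reasons)}}."""
    result: dict[str, dict[str, tuple[str, list[str]]]] = {}
    for c in controls:
        result.setdefault(c.framework_ref, {})[c.name] = assess(c, as_of)
    return result


def statuses(controls: list[Control], as_of: date) -> dict[str, str]:
    """Flat {control name: status} view, convenient for a summary table."""
    return {c.name: assess(c, as_of)[0] for c in controls}


# Constructed inventory for a small firm, reviewed on an assumed date.
AS_OF = date(2024, 6, 1)
INVENTORY = [
    # MFA is on for email but not for the VPN: evidence is fresh, coverage is not.
    Control("MFA", "access control", "IT lead", date(2024, 5, 20), 90, coverage=0.8),
    # Nightly backups run, but the last documented restore test is 14 months old.
    Control("Backup restore test", "data recovery", "IT lead", date(2023, 4, 1), 365),
    # Quarterly access review policy, last review 9 months ago.
    Control("Access review", "access control", "Office manager", date(2023, 9, 1), 90),
    # Log retention verified last month, fully configured, owned.
    Control("Log retention", "monitoring", "IT lead", date(2024, 5, 15), 30),
    # Incident response contact list was never documented.
    Control("IR contact list", "incident response", None, None, 365),
]

if __name__ == "__main__":
    for ref, items in gap_map(INVENTORY, AS_OF).items():
        print(ref)
        for name, (status, reasons) in items.items():
            print(f"  {name:<22} {status:<8} {'; '.join(reasons)}")
```

Run as-is it reports every control in the constructed inventory except log retention as partial or absent, which is the point: three of the five would look fine on a tool dashboard. The reasons list is what an examiner actually asks for, and it doubles as the remediation list for the work described above.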
This is not consulting theater. It is operational work. It requires someone with access to the environment and authority to make changes. That is where TCG (The Craftwork Group) sits. We are in the systems. We implement the controls. We generate the evidence. We hand the organization a posture they can defend when the inquiry letter arrives.
What You Decide Now
If you are subject to a compliance framework, the question is not whether you will be examined. The question is whether you will have defensible evidence when that examination happens. The gap between good intentions and documented operation is where failures occur.
We work with Pacific Northwest businesses to close that gap before the examiner shows up. If you want an assessment of where your current posture sits and what it would take to make it defensible, contact The Craftwork Group at craftworkgrp.com. We will tell you what you have, what you need, and what the work actually involves.