What Compliance Actually Requires from Your IT Infrastructure
A medical billing company in Portland called us last month because their largest client asked them to complete a security questionnaire. The questionnaire had 140 questions. They could answer maybe thirty of them with confidence. The rest required documentation they did not have, controls they were not sure existed, or technical configurations nobody had checked in two years. They were not noncompliant in the sense that regulators were filing actions against them. They were noncompliant in the sense that they could not prove they were doing what their contracts and their regulatory environment required them to do. That is a different problem with the same consequences.
Most compliance frameworks in use right now — HIPAA, SOC 2, FTC Safeguards, PCI-DSS, state-level data protection statutes — do not ask whether you have good intentions. They ask whether you have implemented specific controls, whether those controls are documented, and whether you can prove they operated during the period under review. That proof is what most organizations do not have when they need it.
What Regulators and Auditors Accept as Evidence
An auditor does not accept your word that backups run nightly. They accept logs that show backup completion, retention policies that are enforced in the system, and restore tests with documented outcomes. They do not accept a policy that says "access will be reviewed quarterly." They accept dated access review reports that list who reviewed what, what was changed, and who approved the change. A firewall is a control. Saying you have a firewall is not.
I am not an auditor. I do not attest compliance. What I do is build the infrastructure posture and the evidence trail so that when an auditor shows up, there is something defensible to hand them. The difference matters because most organizations treat compliance as a documentation project when it is actually an operational discipline. You cannot document your way into a compliant posture. You have to build the posture, then document that it exists.
What Northwest Organizations Get Wrong
Pacific Northwest businesses — especially the ones outside Seattle and Portland proper — tend to operate in a regulatory gray area until a customer, a partner, or a state inquiry forces the issue. Then they discover that "we've always done it this way" does not satisfy a third-party audit or a formal inquiry. Here is what that looks like in practice.
A construction firm in Bend had network segmentation. Their payment processing ran on a separate VLAN, isolated from general office traffic. That is the right design. But they had no firewall rules documenting what traffic was allowed between segments, no monitoring to confirm the segmentation was holding, and no change log showing when the segmentation was implemented. When their payment processor asked for PCI attestation, the segmentation existed but could not be proven. That is not the same as not having segmentation, but it produces the same audit outcome.
A legal practice in Spokane had encrypted laptops. BitLocker was enabled on every device. But they had no key escrow, no documented recovery process, and no list of which devices were encrypted versus which had encryption disabled during a hardware issue six months prior. When they needed SOC 2 compliance for a client contract, the control existed but the evidence did not. The auditor cannot take "we think all laptops are encrypted" as sufficient.
What Actually Closes the Gap
Closing the gap between posture and evidence requires three things. First, technical controls that are implemented correctly and enforced by the system, not by user behavior. MFA that can be bypassed is not MFA. Second, logging and monitoring that captures what the controls actually did. An antivirus policy is not evidence that malware was blocked. A quarantine log is. Third, regular reviews that generate dated, signed documentation proving the control was tested and still works.
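To make the third requirement concrete against the Spokane laptop case above (no list of which devices were encrypted, no proof a recovery key existed to escrow), here is an added PowerShell example written for this article, not the firm's own tooling: it inventories BitLocker state on one Windows device and appends a dated record to a shared evidence file. It assumes it runs elevated on a Windows host with the BitLocker module, that the evidence share path is a placeholder you replace, and that key escrow to AD DS or Entra ID is handled by policy; the script only proves whether a recovery-password protector exists to be escrowed.

```powershell
# Added example, not the firm's tooling. Collects per-volume BitLocker evidence
# from this device and appends it to a dated, append-only CSV on an evidence share.
param(
    # Placeholder path: point this at your real evidence repository.
    [string]$EvidencePath = "\\EVIDENCE-SERVER\compliance\bitlocker-inventory.csv"
)

Import-Module BitLocker -ErrorAction Stop

# One UTC timestamp per run so every row from this device shares a collection date.
$collectedAt = (Get-Date).ToUniversalTime().ToString("o")

$records = foreach ($vol in Get-BitLockerVolume) {
    # A RecoveryPassword protector is what an escrow process backs up to AD DS / Entra ID.
    # Its absence means there is nothing to escrow, regardless of what policy says.
    $recoveryProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # Control test: the OS volume must be actively protected and must carry a
    # recovery-password protector. Anything else is recorded as a gap, not hidden.
    $finding = 'OK'
    if ($vol.VolumeType -eq 'OperatingSystem' -and
        ($vol.ProtectionStatus -ne 'On' -or $recoveryProtectors.Count -eq 0)) {
        $finding = 'GAP'
    }

    [pscustomobject]@{
        CollectedAtUtc         = $collectedAt
        ComputerName           = $env:COMPUTERNAME
        MountPoint             = $vol.MountPoint
        VolumeType             = $vol.VolumeType
        ProtectionStatus       = $vol.ProtectionStatus     # Off also covers "suspended for a hardware issue"
        VolumeStatus           = $vol.VolumeStatus         # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
        EncryptionPercentage   = $vol.EncryptionPercentage
        EncryptionMethod       = $vol.EncryptionMethod
        RecoveryProtectorCount = $recoveryProtectors.Count
        RecoveryProtectorIds   = ($recoveryProtectors.KeyProtectorId -join ';')  # IDs only, never the password itself
        Finding                = $finding
    }
}

# Append rather than overwrite so the file becomes the historical record an auditor
# asks for; restrict the share ACL to append/create so rows cannot be quietly edited.
$records | Export-Csv -Path $EvidencePath -NoTypeInformation -Append
$records | Format-Table ComputerName, MountPoint, ProtectionStatus, VolumeStatus, RecoveryProtectorCount, Finding -AutoSize
```

Scheduled across the fleet (a startup task or RMM job), the CSV answers "which devices are encrypted, as of when" with a date on every row, which is exactly the evidence the Spokane practice could not produce.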
That is table stakes. What most organizations also need and do not have: a designated person responsible for compliance infrastructure, a calendar of recurring tasks that correspond to control testing, and a secure location where evidence is stored and can be retrieved under time pressure. Compliance posture is not a project with an end date. It is an operational discipline that runs continuously, whether or not anyone is currently asking for proof.
What to Do If You Are Behind
If you are reading this because someone just asked you for documentation you do not have, you are not alone. Most organizations start compliance work in response to external pressure. That is fine. But you need to know what the actual timeline looks like to close documented gaps. Implementing MFA across an environment takes days. Implementing centralized logging takes weeks. Building an evidence repository with eighteen months of historical data takes months if that data was never captured to begin with.
Ryan Collier has worked in IT since around 1996. Our team's cumulative experience is over a hundred years. What I will tell you is this: the organizations that survive audits and regulatory inquiries without major findings are the ones that treated compliance as infrastructure work, not paperwork. Posture, not paper.
If you are operating in the Pacific Northwest and you need to build defensible compliance infrastructure, reach out to our team at craftworkgrp.com. We will tell you what you actually have, what an auditor would ask for, and what it takes to close the gap.