moai-security-compliance
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
Chinesemoai-security-compliance: Regulatory Compliance & Audit Logging
moai-security-compliance:监管合规与审计日志
GDPR, HIPAA, SOC 2, ISO 27001, PCI DSS Compliance Framework
Trust Score: 9.9/10 | Version: 4.0.0 | Enterprise Mode | Last Updated: 2025-11-12
Trust Score: 9.9/10 | Version: 4.0.0 | Enterprise Mode | Last Updated: 2025-11-12
GDPR、HIPAA、SOC 2、ISO 27001、PCI DSS合规框架
信任评分:9.9/10 | 版本:4.0.0 | 企业模式 | 最后更新:2025-11-12
信任评分:9.9/10 | 版本:4.0.0 | 企业模式 | 最后更新:2025-11-12
Overview
概述
Comprehensive regulatory compliance framework for GDPR, HIPAA, SOC 2, ISO 27001, and PCI DSS. Covers audit logging, data classification, retention policies, and evidence collection for regulatory audits. 2025 trend: 83-85% of enterprises now require SOC 2 compliance from vendors.
When to use this Skill:
- Implementing GDPR compliance (EU data protection)
- HIPAA PHI protection (healthcare)
- SOC 2 audit preparation (security & availability)
- ISO 27001 information security
- PCI DSS payment card security
- Building audit trails for regulatory proof
- GDPR right-to-erasure implementation
适用于GDPR、HIPAA、SOC 2、ISO 27001和PCI DSS的全面监管合规框架,涵盖审计日志、数据分类、留存策略和监管审计的证据收集。2025年趋势:目前83-85%的企业要求供应商符合SOC 2合规标准。
何时使用该Skill:
- 实现GDPR合规(欧盟数据保护)
- HIPAA PHI保护(医疗行业)
- SOC 2审计筹备(安全与可用性)
- ISO 27001信息安全合规
- PCI DSS支付卡安全合规
- 搭建监管举证用的审计追踪链路
- 实现GDPR被遗忘权功能
Level 1: Foundations
第1级:基础
Regulatory Framework Overview
监管框架概述
GDPR (EU):
├─ Scope: Any organization processing EU citizen data
├─ Key: Right-to-erasure, data portability, consent
├─ Penalties: Up to EUR 20 million or 4% revenue
└─ Focus: Privacy & data protection
HIPAA (USA):
├─ Scope: Healthcare providers, insurers, PHI handlers
├─ Key: Confidentiality, integrity, availability (CIA triad)
├─ Penalties: Up to USD 1.5 million per violation
└─ Focus: Patient health information security
SOC 2 (USA):
├─ Scope: Service organizations (any industry)
├─ Key: Security, availability, processing integrity, confidentiality, privacy
├─ Type I: Design of controls at point in time
├─ Type II: Operating effectiveness over 6-12 months
└─ Note: Not legally required, but customer-demanded
ISO 27001 (International):
├─ Scope: Information security management
├─ Key: 114 controls across 4 domains
├─ Requires: Annual audit, continuous monitoring
└─ Focus: Systematic security approach
PCI DSS (Payment cards):
├─ Scope: Any organization handling payment card data
├─ Key: Cardholder data protection (CHD)
├─ Compliance: Annual assessment
└─ Levels: 1-4 based on transaction volumeGDPR (欧盟):
├─ 适用范围:任何处理欧盟公民数据的组织
├─ 核心要求:被遗忘权、数据可携权、用户同意
├─ 处罚力度:最高2000万欧元或年营收的4%
└─ 关注重点:隐私与数据保护
HIPAA (美国):
├─ 适用范围:医疗服务提供者、保险公司、PHI处理方
├─ 核心要求:保密性、完整性、可用性(CIA三元组)
├─ 处罚力度:单次违规最高罚款150万美元
└─ 关注重点:患者健康信息安全
SOC 2 (美国):
├─ 适用范围:服务类组织(全行业适用)
├─ 核心要求:安全、可用性、处理完整性、保密性、隐私
├─ Type I:特定时间点的控制措施设计有效性
├─ Type II:6-12个月周期内的控制措施运行有效性
└─ 备注:无法律强制要求,但属于客户普遍要求的资质
ISO 27001 (国际通用):
├─ 适用范围:信息安全管理体系
├─ 核心要求:覆盖4个领域的114项控制措施
├─ 要求:年度审计、持续监控
└─ 关注重点:体系化的安全管理方法
PCI DSS (支付卡行业):
├─ 适用范围:任何处理支付卡数据的组织
├─ 核心要求:持卡人数据(CHD)保护
├─ 合规要求:年度评估
└─ 等级:根据交易体量分为1-4级Data Classification
数据分类
javascript
class DataClassifier {
classify(data) {
// Classify data for compliance purposes
if (this.isPII(data)) return 'SENSITIVE';
if (this.isPHI(data)) return 'RESTRICTED';
if (this.isPaymentData(data)) return 'CONFIDENTIAL';
if (this.isPublicData(data)) return 'PUBLIC';
return 'INTERNAL';
}
isPII(data) {
// Personal Identifiable Information
return /(\d{3}-\d{2}-\d{4}|email|phone|address)/.test(JSON.stringify(data));
}
isPHI(data) {
// Protected Health Information (HIPAA)
return /(diagnosis|medication|patient|medical_record)/.test(JSON.stringify(data));
}
isPaymentData(data) {
// Credit card, bank account (PCI DSS)
return /(\d{16}|\d{9}|BIC|IBAN)/.test(JSON.stringify(data));
}
isPublicData(data) {
// Explicitly marked as public
return data.classification === 'PUBLIC';
}
}javascript
class DataClassifier {
classify(data) {
// Classify data for compliance purposes
if (this.isPII(data)) return 'SENSITIVE';
if (this.isPHI(data)) return 'RESTRICTED';
if (this.isPaymentData(data)) return 'CONFIDENTIAL';
if (this.isPublicData(data)) return 'PUBLIC';
return 'INTERNAL';
}
isPII(data) {
// Personal Identifiable Information
return /(\d{3}-\d{2}-\d{4}|email|phone|address)/.test(JSON.stringify(data));
}
isPHI(data) {
// Protected Health Information (HIPAA)
return /(diagnosis|medication|patient|medical_record)/.test(JSON.stringify(data));
}
isPaymentData(data) {
// Credit card, bank account (PCI DSS)
return /(\d{16}|\d{9}|BIC|IBAN)/.test(JSON.stringify(data));
}
isPublicData(data) {
// Explicitly marked as public
return data.classification === 'PUBLIC';
}
}Level 2: Core Patterns
第2级:核心模式
Pattern 1: Winston-Based Audit Logging
模式1:基于Winston的审计日志
javascript
const winston = require('winston');
const Transport = require('winston-transport');
class AuditLogger {
constructor(config) {
this.config = config;
this.logger = this.createLogger();
}
createLogger() {
return winston.createLogger({
level: 'info',
format: winston.format.combine(
winston.format.timestamp({ format: 'YYYY-MM-DD HH:mm:ss' }),
winston.format.json(),
// Custom format for audit logging
winston.format.printf(({ timestamp, level, message, ...meta }) => ({
timestamp,
level,
message,
...meta,
// Add compliance fields
compliance_tags: ['audit_trail'],
data_classification: 'SENSITIVE',
retention_days: 2555, // 7 years (GDPR default)
}))
),
transports: [
// File storage (tamper-proof)
new winston.transports.File({
filename: './logs/audit.log',
maxsize: 5242880, // 5MB
maxFiles: 5,
tailable: true,
options: { flags: 'a', mode: 0o640 }, // Read-only for security
}),
// Database storage (queryable)
new DatabaseTransport({
collection: 'audit_logs',
db: this.config.db,
}),
// Cloud storage (immutable)
new S3Transport({
bucket: 'audit-logs',
prefix: `${new Date().getFullYear()}`,
}),
],
});
}
logUserAccess(userId, action, resource, result) {
this.logger.info('User action', {
userId,
action,
resource,
result,
timestamp: new Date().toISOString(),
ip_address: this.getIpAddress(),
user_agent: this.getUserAgent(),
compliance: {
gdpr: true,
soc2: true,
hipaa: true,
},
});
}
logDataAccess(userId, dataType, action, timestamp) {
this.logger.info('Data access', {
userId,
dataType,
action,
timestamp,
classification: this.classifyData(dataType),
retention_until: this.calculateRetention(dataType),
});
}
logSecurityEvent(severity, eventType, details) {
this.logger.warn('Security event', {
severity,
eventType,
details,
timestamp: new Date().toISOString(),
action_required: severity >= 'HIGH',
});
}
classifyData(dataType) {
const classifications = {
'health_record': 'RESTRICTED', // HIPAA
'payment_card': 'CONFIDENTIAL', // PCI DSS
'social_security': 'SENSITIVE', // GDPR
'user_email': 'SENSITIVE', // GDPR
};
return classifications[dataType] || 'INTERNAL';
}
calculateRetention(dataType) {
const retentionDays = {
'audit_log': 2555, // 7 years (GDPR)
'payment_log': 2555, // 7 years (PCI DSS)
'access_log': 365, // 1 year (SOC 2)
};
const days = retentionDays[dataType] || 90;
const date = new Date();
date.setDate(date.getDate() + days);
return date.toISOString();
}
}
// Custom Winston transport for database
class DatabaseTransport extends Transport {
constructor(opts) {
super(opts);
this.db = opts.db;
this.collection = opts.collection;
}
log(info, callback) {
setImmediate(() => {
this.db.collection(this.collection).insertOne({
...info,
_id: new ObjectId(),
timestamp: new Date(),
});
});
if (callback) {
callback();
}
}
}javascript
const winston = require('winston');
const Transport = require('winston-transport');
class AuditLogger {
constructor(config) {
this.config = config;
this.logger = this.createLogger();
}
createLogger() {
return winston.createLogger({
level: 'info',
format: winston.format.combine(
winston.format.timestamp({ format: 'YYYY-MM-DD HH:mm:ss' }),
winston.format.json(),
// Custom format for audit logging
winston.format.printf(({ timestamp, level, message, ...meta }) => ({
timestamp,
level,
message,
...meta,
// Add compliance fields
compliance_tags: ['audit_trail'],
data_classification: 'SENSITIVE',
retention_days: 2555, // 7 years (GDPR default)
}))
),
transports: [
// File storage (tamper-proof)
new winston.transports.File({
filename: './logs/audit.log',
maxsize: 5242880, // 5MB
maxFiles: 5,
tailable: true,
options: { flags: 'a', mode: 0o640 }, // Read-only for security
}),
// Database storage (queryable)
new DatabaseTransport({
collection: 'audit_logs',
db: this.config.db,
}),
// Cloud storage (immutable)
new S3Transport({
bucket: 'audit-logs',
prefix: `${new Date().getFullYear()}`,
}),
],
});
}
logUserAccess(userId, action, resource, result) {
this.logger.info('User action', {
userId,
action,
resource,
result,
timestamp: new Date().toISOString(),
ip_address: this.getIpAddress(),
user_agent: this.getUserAgent(),
compliance: {
gdpr: true,
soc2: true,
hipaa: true,
},
});
}
logDataAccess(userId, dataType, action, timestamp) {
this.logger.info('Data access', {
userId,
dataType,
action,
timestamp,
classification: this.classifyData(dataType),
retention_until: this.calculateRetention(dataType),
});
}
logSecurityEvent(severity, eventType, details) {
this.logger.warn('Security event', {
severity,
eventType,
details,
timestamp: new Date().toISOString(),
action_required: severity >= 'HIGH',
});
}
classifyData(dataType) {
const classifications = {
'health_record': 'RESTRICTED', // HIPAA
'payment_card': 'CONFIDENTIAL', // PCI DSS
'social_security': 'SENSITIVE', // GDPR
'user_email': 'SENSITIVE', // GDPR
};
return classifications[dataType] || 'INTERNAL';
}
calculateRetention(dataType) {
const retentionDays = {
'audit_log': 2555, // 7 years (GDPR)
'payment_log': 2555, // 7 years (PCI DSS)
'access_log': 365, // 1 year (SOC 2)
};
const days = retentionDays[dataType] || 90;
const date = new Date();
date.setDate(date.getDate() + days);
return date.toISOString();
}
}
// Custom Winston transport for database
class DatabaseTransport extends Transport {
constructor(opts) {
super(opts);
this.db = opts.db;
this.collection = opts.collection;
}
log(info, callback) {
setImmediate(() => {
this.db.collection(this.collection).insertOne({
...info,
_id: new ObjectId(),
timestamp: new Date(),
});
});
if (callback) {
callback();
}
}
}Pattern 2: Data Retention & Erasure (GDPR Right-to-Erasure)
模式2:数据留存与删除(GDPR被遗忘权)
javascript
class DataRetentionManager {
constructor(db) {
this.db = db;
}
// Schedule automatic retention-based deletion
scheduleRetention() {
// Run daily
cron.schedule('0 2 * * *', async () => {
console.log('Running retention cleanup');
await this.deleteExpiredData();
await this.archiveOldLogs();
});
}
async deleteExpiredData() {
const now = new Date();
// GDPR: Delete personal data when retention expires
const expiredUsers = await this.db.users.find({
deletion_scheduled_at: { $lt: now },
deleted: false,
});
for (const user of expiredUsers) {
await this.eraseUserData(user.id);
}
}
async eraseUserData(userId) {
const user = await this.db.users.findById(userId);
// 1. Delete all personal data
await this.db.users.deleteOne({ _id: userId });
await this.db.user_profiles.deleteMany({ userId });
await this.db.user_preferences.deleteMany({ userId });
// 2. Anonymize audit logs (keep for compliance)
await this.db.audit_logs.updateMany(
{ userId },
{
$set: {
userId: null,
userName: '[REDACTED]',
anonymized: true,
anonymized_at: new Date(),
},
}
);
// 3. Log the erasure
await this.db.erasure_logs.insertOne({
userId,
erasedAt: new Date(),
reason: 'GDPR right-to-erasure',
dataErased: [
'user_profile',
'preferences',
'settings',
],
});
console.log(`User ${userId} data erased per GDPR request`);
}
async archiveOldLogs() {
// Archive logs older than 1 year to cold storage
const oneYearAgo = new Date();
oneYearAgo.setFullYear(oneYearAgo.getFullYear() - 1);
const oldLogs = await this.db.audit_logs.find({
timestamp: { $lt: oneYearAgo },
archived: false,
});
for (const log of oldLogs) {
// Compress and upload to S3 Glacier
await this.archiveToS3(log);
// Mark as archived in database
await this.db.audit_logs.updateOne(
{ _id: log._id },
{ $set: { archived: true } }
);
}
}
async requestErasure(userId) {
// User initiates GDPR right-to-erasure
await this.db.users.updateOne(
{ _id: userId },
{
$set: {
deletion_requested_at: new Date(),
deletion_scheduled_at: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000), // 30 days
},
}
);
// Send confirmation email
await sendEmail({
to: user.email,
subject: 'Data Erasure Request Confirmed',
body: 'Your data will be permanently deleted within 30 days.',
});
}
}javascript
class DataRetentionManager {
constructor(db) {
this.db = db;
}
// Schedule automatic retention-based deletion
scheduleRetention() {
// Run daily
cron.schedule('0 2 * * *', async () => {
console.log('Running retention cleanup');
await this.deleteExpiredData();
await this.archiveOldLogs();
});
}
async deleteExpiredData() {
const now = new Date();
// GDPR: Delete personal data when retention expires
const expiredUsers = await this.db.users.find({
deletion_scheduled_at: { $lt: now },
deleted: false,
});
for (const user of expiredUsers) {
await this.eraseUserData(user.id);
}
}
async eraseUserData(userId) {
const user = await this.db.users.findById(userId);
// 1. Delete all personal data
await this.db.users.deleteOne({ _id: userId });
await this.db.user_profiles.deleteMany({ userId });
await this.db.user_preferences.deleteMany({ userId });
// 2. Anonymize audit logs (keep for compliance)
await this.db.audit_logs.updateMany(
{ userId },
{
$set: {
userId: null,
userName: '[REDACTED]',
anonymized: true,
anonymized_at: new Date(),
},
}
);
// 3. Log the erasure
await this.db.erasure_logs.insertOne({
userId,
erasedAt: new Date(),
reason: 'GDPR right-to-erasure',
dataErased: [
'user_profile',
'preferences',
'settings',
],
});
console.log(`User ${userId} data erased per GDPR request`);
}
async archiveOldLogs() {
// Archive logs older than 1 year to cold storage
const oneYearAgo = new Date();
oneYearAgo.setFullYear(oneYearAgo.getFullYear() - 1);
const oldLogs = await this.db.audit_logs.find({
timestamp: { $lt: oneYearAgo },
archived: false,
});
for (const log of oldLogs) {
// Compress and upload to S3 Glacier
await this.archiveToS3(log);
// Mark as archived in database
await this.db.audit_logs.updateOne(
{ _id: log._id },
{ $set: { archived: true } }
);
}
}
async requestErasure(userId) {
// User initiates GDPR right-to-erasure
await this.db.users.updateOne(
{ _id: userId },
{
$set: {
deletion_requested_at: new Date(),
deletion_scheduled_at: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000), // 30 days
},
}
);
// Send confirmation email
await sendEmail({
to: user.email,
subject: 'Data Erasure Request Confirmed',
body: 'Your data will be permanently deleted within 30 days.',
});
}
}Pattern 3: SOC 2 Evidence Collection
模式3:SOC 2证据收集
javascript
class SOC2EvidenceCollector {
constructor() {
this.evidence = [];
}
// Collect evidence for SOC 2 Type II audit
async collectEvidence() {
// CC (Change Control)
await this.collectChangeControlEvidence();
// AC (Access Control)
await this.collectAccessControlEvidence();
// CA (Cryptography)
await this.collectCryptographyEvidence();
// IL (Incident & Logging)
await this.collectIncidentLoggingEvidence();
return this.generateAuditReport();
}
async collectAccessControlEvidence() {
const evidence = {
access_policies: await fs.readFile('./policies/access-control.md'),
mfa_enabled: await this.checkMFAStatus(),
privileged_access_logs: await this.queryAuditLogs({
action: 'privileged_access',
days: 90,
}),
access_reviews: await this.getMonthlyAccessReviews(),
user_provisioning_logs: await this.getProvisioningLogs(),
};
this.evidence.push({
domain: 'ACCESS_CONTROL',
timestamp: new Date(),
evidence,
});
}
async collectChangeControlEvidence() {
const evidence = {
code_deployment_logs: await this.getDeploymentLogs(),
approval_chain: await this.getChangeApprovals(),
testing_results: await this.getTestResults(),
rollback_procedures: await fs.readFile('./procedures/rollback.md'),
deployment_frequency: await this.calculateDeploymentFrequency(),
};
this.evidence.push({
domain: 'CHANGE_CONTROL',
timestamp: new Date(),
evidence,
});
}
generateAuditReport() {
return {
auditType: 'SOC 2 Type II',
period: {
start: this.auditStartDate,
end: this.auditEndDate,
},
evidence: this.evidence,
summary: this.generateSummary(),
};
}
}javascript
class SOC2EvidenceCollector {
constructor() {
this.evidence = [];
}
// Collect evidence for SOC 2 Type II audit
async collectEvidence() {
// CC (Change Control)
await this.collectChangeControlEvidence();
// AC (Access Control)
await this.collectAccessControlEvidence();
// CA (Cryptography)
await this.collectCryptographyEvidence();
// IL (Incident & Logging)
await this.collectIncidentLoggingEvidence();
return this.generateAuditReport();
}
async collectAccessControlEvidence() {
const evidence = {
access_policies: await fs.readFile('./policies/access-control.md'),
mfa_enabled: await this.checkMFAStatus(),
privileged_access_logs: await this.queryAuditLogs({
action: 'privileged_access',
days: 90,
}),
access_reviews: await this.getMonthlyAccessReviews(),
user_provisioning_logs: await this.getProvisioningLogs(),
};
this.evidence.push({
domain: 'ACCESS_CONTROL',
timestamp: new Date(),
evidence,
});
}
async collectChangeControlEvidence() {
const evidence = {
code_deployment_logs: await this.getDeploymentLogs(),
approval_chain: await this.getChangeApprovals(),
testing_results: await this.getTestResults(),
rollback_procedures: await fs.readFile('./procedures/rollback.md'),
deployment_frequency: await this.calculateDeploymentFrequency(),
};
this.evidence.push({
domain: 'CHANGE_CONTROL',
timestamp: new Date(),
evidence,
});
}
generateAuditReport() {
return {
auditType: 'SOC 2 Type II',
period: {
start: this.auditStartDate,
end: this.auditEndDate,
},
evidence: this.evidence,
summary: this.generateSummary(),
};
}
}Level 3: Advanced
第3级:进阶
Advanced: Drata Integration (Automated Compliance)
进阶:Drata集成(自动化合规)
javascript
const { DrataClient } = require('drata-api');
class AutomatedComplianceMonitoring {
constructor(apiKey) {
this.drata = new DrataClient(apiKey);
}
// Automatically collect evidence for Drata audits
async syncComplianceEvidence() {
const frameworks = ['SOC2', 'GDPR', 'HIPAA', 'ISO27001'];
for (const framework of frameworks) {
const evidence = await this.collectFrameworkEvidence(framework);
await this.drata.uploadEvidence(framework, evidence);
}
}
async collectFrameworkEvidence(framework) {
// Query system for framework-specific evidence
// Push to Drata for audit preparation
const controlsMapping = {
'SOC2': this.soC2Controls,
'GDPR': this.gdprControls,
'HIPAA': this.hipaaControls,
};
return controlsMapping[framework];
}
get soC2Controls() {
return {
'CC6.1': this.getSecurityIncidentLogs(),
'CC6.2': this.getIncidentResponseLogs(),
'CC7.2': this.getSystemMonitoringLogs(),
'A1.2': this.getAccessReviewLogs(),
};
}
}javascript
const { DrataClient } = require('drata-api');
class AutomatedComplianceMonitoring {
constructor(apiKey) {
this.drata = new DrataClient(apiKey);
}
// Automatically collect evidence for Drata audits
async syncComplianceEvidence() {
const frameworks = ['SOC2', 'GDPR', 'HIPAA', 'ISO27001'];
for (const framework of frameworks) {
const evidence = await this.collectFrameworkEvidence(framework);
await this.drata.uploadEvidence(framework, evidence);
}
}
async collectFrameworkEvidence(framework) {
// Query system for framework-specific evidence
// Push to Drata for audit preparation
const controlsMapping = {
'SOC2': this.soC2Controls,
'GDPR': this.gdprControls,
'HIPAA': this.hipaaControls,
};
return controlsMapping[framework];
}
get soC2Controls() {
return {
'CC6.1': this.getSecurityIncidentLogs(),
'CC6.2': this.getIncidentResponseLogs(),
'CC7.2': this.getSystemMonitoringLogs(),
'A1.2': this.getAccessReviewLogs(),
};
}
}Checklist
检查清单
- Data classification system implemented
- Audit logging to file, database, and cloud
- GDPR right-to-erasure process working
- Retention policies scheduled and tested
- Access logs collected and retained
- Change control logs for deployments
- SOC 2 evidence collection automated
- Drata integration for audit readiness
- HIPAA BAA signed if processing PHI
- PCI DSS self-assessment annual review
- 已实现数据分类系统
- 审计日志已同步到文件、数据库和云端
- GDPR被遗忘权流程可正常运行
- 留存策略已定时调度并完成测试
- 访问日志已收集并留存
- 已留存部署相关的变更控制日志
- SOC 2证据收集已自动化
- 已完成Drata集成支持审计就绪
- 若处理PHI已签署HIPAA BAA协议
- 每年完成PCI DSS自我评估复审
Quick Reference
快速参考
| Regulation | Key Focus | Retention |
|---|---|---|
| GDPR | Privacy | 7 years (after processing ends) |
| HIPAA | Health Info | 6 years |
| SOC 2 | Security | 6-12 months (audit period) |
| ISO 27001 | InfoSec | 3 years |
| PCI DSS | Payment Cards | 1 year minimum |
| 监管规定 | 核心重点 | 留存期限 |
|---|---|---|
| GDPR | 隐私保护 | 7年(数据处理结束后) |
| HIPAA | 健康信息安全 | 6年 |
| SOC 2 | 安全管控 | 6-12个月(审计周期内) |
| ISO 27001 | 信息安全 | 3年 |
| PCI DSS | 支付卡安全 | 最低1年 |