# Compliance Testing
<default_to_action>
When validating regulatory compliance:

- IDENTIFY applicable regulations (GDPR, HIPAA, PCI-DSS, etc.)
- MAP requirements to testable controls
- TEST data rights (access, erasure, portability)
- VERIFY encryption and access logging
- GENERATE audit-ready reports with evidence

Quick Compliance Checklist:

- Data subject rights work (access, delete, export)
- PII is encrypted at rest and in transit
- Access to sensitive data is logged
- Consent is tracked with timestamps
- Payment card data is not stored (only tokenized)

Critical Success Factors:

- Non-compliance: fines of up to €20M or 4% of revenue (GDPR)
- Audit trail everything
- Test continuously, not just before audits
</default_to_action>
## Quick Reference Card

### When to Use

- Legal compliance requirements
- Before security audits
- Handling PII/PHI/PCI data
- Entering new markets (EU, CA, healthcare)

### Major Regulations

| Regulation | Scope | Key Focus |
|---|---|---|
| GDPR | EU data | Privacy rights, consent |
| CCPA | California | Consumer data rights |
| HIPAA | Healthcare | PHI protection |
| PCI-DSS | Payments | Card data security |
| SOC2 | SaaS | Security controls |

### Penalties

| Regulation | Maximum Fine |
|---|---|
| GDPR | €20M or 4% revenue |
| HIPAA | $1.5M per violation |
| PCI-DSS | $100k/month |
| CCPA | $7,500 per violation |

## GDPR Compliance Testing

```javascript
// Test data subject rights
test('user can request their data', async () => {
  const response = await api.post('/data-export', { userId });
  expect(response.status).toBe(200);
  expect(response.data.downloadUrl).toBeDefined();
  const data = await downloadFile(response.data.downloadUrl);
  expect(data).toHaveProperty('profile');
  expect(data).toHaveProperty('orders');
});

test('user can delete their account', async () => {
  await api.delete(`/users/${userId}`);
  // All personal data deleted
  expect(await db.users.findOne({ id: userId })).toBeNull();
  expect(await db.orders.find({ userId })).toHaveLength(0);
  // Audit log retained (legal requirement). find() returns an array, which is
  // always defined, so assert that it is non-empty rather than merely defined.
  expect(await db.auditLogs.find({ userId })).not.toHaveLength(0);
});

test('consent is tracked', async () => {
  await api.post('/consent', {
    userId, type: 'marketing', granted: true,
    timestamp: new Date(), ipAddress: '192.168.1.1'
  });
  // The stored record, not the request payload, is what an auditor will inspect
  const consent = await db.consents.findOne({ userId, type: 'marketing' });
  expect(consent.timestamp).toBeDefined();
  expect(consent.ipAddress).toBeDefined();
});
```

## HIPAA Compliance Testing

```javascript
// Test PHI security
test('PHI is encrypted at rest', async () => {
  const patient = await db.patients.create({
    ssn: '123-45-6789',
    medicalHistory: 'Diabetes'
  });
  // Read the stored row directly, bypassing any ORM-level decryption.
  // db.raw() returns an array of rows (as in the PCI-DSS test), so take the first;
  // without this, raw.ssn would be undefined and the assertion would pass trivially.
  const [raw] = await db.raw('SELECT * FROM patients WHERE id = ?', patient.id);
  expect(raw).toBeDefined();
  expect(raw.ssn).not.toBe('123-45-6789'); // Should be encrypted
});

test('access to PHI is logged', async () => {
  await api.get('/patients/123', {
    headers: { 'User-Id': 'doctor456' }
  });
  const auditLog = await db.auditLogs.findOne({
    resourceType: 'patient',
    resourceId: '123',
    userId: 'doctor456'
  });
  expect(auditLog).toBeDefined();
  expect(auditLog.action).toBe('read');
  expect(auditLog.timestamp).toBeDefined();
});
```
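Checking that every PHI read actually produced a complete audit entry, as an added example that is not part of the original skill: it reconciles request-log lines against audit-log rows. The log line format, the `parseRequestLog` and `findUnauditedAccess` helpers and both sample inputs are constructed assumptions.

```javascript
// Added example (not from the skill): reconcile PHI request-log lines against
// audit-log rows to find reads that were never logged, or were logged without
// a usable timestamp. Log line format and both inputs are constructed.

// Constructed format: "<iso-time> user=<id> GET /patients/<patientId>"
const REQUEST_LINE = /^(\S+) user=(\S+) GET \/patients\/(\d+)$/;

// Parse request-log lines into PHI access events; non-matching lines are skipped.
function parseRequestLog(lines) {
  const events = [];
  for (const line of lines) {
    const m = line.match(REQUEST_LINE);
    if (m) events.push({ timestamp: m[1], userId: m[2], resourceId: m[3] });
  }
  return events;
}

// For each access, require an audit row with the same who/what/action and a
// timestamp within windowMs of the request; report anything that fails.
function findUnauditedAccess(events, auditRows, windowMs = 5000) {
  const gaps = [];
  for (const e of events) {
    const t = Date.parse(e.timestamp);
    const same = auditRows.filter(a =>
      a.resourceType === 'patient' && a.resourceId === e.resourceId &&
      a.userId === e.userId && a.action === 'read');
    if (same.length === 0) {
      gaps.push({ ...e, reason: 'no audit entry' });
    } else if (!same.some(a => a.timestamp && Math.abs(Date.parse(a.timestamp) - t) <= windowMs)) {
      gaps.push({ ...e, reason: 'audit entry lacks a matching timestamp' });
    }
  }
  return gaps;
}

// Constructed sample data: three PHI reads plus a non-PHI line, and two audit
// rows, one of which has no timestamp.
const REQUEST_LOG = [
  '2025-12-02T10:00:00Z user=doctor456 GET /patients/123',
  '2025-12-02T10:00:05Z user=nurse789 GET /patients/123',
  '2025-12-02T10:01:00Z user=doctor456 GET /patients/777',
  'health check GET /status',
];
const AUDIT_ROWS = [
  { resourceType: 'patient', resourceId: '123', userId: 'doctor456', action: 'read', timestamp: '2025-12-02T10:00:01Z' },
  { resourceType: 'patient', resourceId: '123', userId: 'nurse789', action: 'read', timestamp: null },
];
```

Running `findUnauditedAccess(parseRequestLog(REQUEST_LOG), AUDIT_ROWS)` flags the nurse's read (entry without a timestamp) and the read of patient 777 (no entry at all).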

## PCI-DSS Compliance Testing

```javascript
// Test payment card handling
test('credit card numbers not stored', async () => {
  await api.post('/payment', {
    cardNumber: '4242424242424242',
    expiry: '12/25', cvv: '123'
  });
  const payment = await db.payments.findOne({ /* ... */ });
  expect(payment.cardNumber).toBeUndefined();
  expect(payment.last4).toBe('4242'); // Only last 4
  expect(payment.tokenId).toBeDefined(); // Token from gateway
});

test('CVV never stored', async () => {
  const payments = await db.raw('SELECT * FROM payments');
  // Checks the serialized rows for a field named cvv; a column under another
  // name (e.g. securityCode) would not be caught by this string search
  const hasCVV = payments.some(p =>
    JSON.stringify(p).toLowerCase().includes('cvv')
  );
  expect(hasCVV).toBe(false);
});
```
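A value-based scan of stored payment rows, as an added example that is not the skill's own code: it complements the `CVV never stored` test above, which only searches serialized rows for the string `cvv`, by checking values (Luhn-valid PAN runs) and any field named like a security code. `luhnValid`, `findCardDataLeaks` and `SAMPLE_ROWS` are constructed assumptions.

```javascript
// Added example (not from the skill): scan stored payment rows for card data
// that PCI-DSS says must never be at rest. Values are checked, not just column
// names: a Luhn-valid 13-19 digit run in any value is treated as a PAN, and a
// field whose name looks like a security code must be empty.

// Luhn (mod-10) check used for primary account numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

const PAN_RUN = /\d(?:[ -]?\d){12,18}/g;           // 13-19 digits, spaces/dashes allowed
const CVV_FIELD = /^(cvv|cvc|cvv2|cid|security_?code)$/i;

// Returns findings as { rowIndex, field, kind } with kind 'cvv-stored' or 'pan-stored'.
function findCardDataLeaks(rows) {
  const findings = [];
  rows.forEach((row, rowIndex) => {
    for (const [field, value] of Object.entries(row)) {
      if (CVV_FIELD.test(field) && value !== null && value !== undefined && value !== '') {
        findings.push({ rowIndex, field, kind: 'cvv-stored' });
      }
      if (typeof value !== 'string' && typeof value !== 'number') continue;
      for (const run of String(value).match(PAN_RUN) || []) {
        if (luhnValid(run.replace(/[ -]/g, ''))) {
          findings.push({ rowIndex, field, kind: 'pan-stored' });
        }
      }
    }
  });
  return findings;
}

// Constructed sample rows: one compliant (token + last4 only), two violating.
const SAMPLE_ROWS = [
  { id: 1, tokenId: 'tok_9f8e7d', last4: '4242', cvv: null, memo: 'order #1' },
  { id: 2, tokenId: 'tok_1a2b3c', last4: '4242', cvv: '123', memo: '' },
  { id: 3, tokenId: null, last4: '4242', securityCode: '', memo: 'card 4242 4242 4242 4242' },
];
```

The `last4` column is left alone (four digits never form a PAN run), so a tokenized row produces no finding, while a full card number hidden in a free-text memo column is caught.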

## Agent-Driven Compliance

```typescript
// Comprehensive compliance validation
await Task("Compliance Validation", {
  regulations: ['GDPR', 'PCI-DSS'],
  scope: 'full-application',
  generateAuditReport: true
}, "qe-security-scanner");

// Returns:
// {
//   gdpr: { compliant: true, controls: 12, passed: 12 },
//   pciDss: { compliant: false, controls: 8, passed: 7 },
//   violations: [{ control: 'card-storage', severity: 'critical' }],
//   auditReport: 'compliance-audit-2025-12-02.pdf'
// }
```
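The five-step procedure at the top of this page (identify, map, test, verify, generate) and the per-regulation report shape returned by the agent above, as one added example that is neither the skill's nor the agent's own code: requirements are mapped to control checks, run against a constructed `SNAPSHOT` of what a compliance run observed, and folded into a report with evidence per control. `SNAPSHOT`, `CONTROLS` and `runCompliance` are constructed assumptions.

```javascript
// Added example (not the skill's or the agent's own code): map requirements to
// testable controls, run them, and fold results into the report shape above.

// Constructed observations (a real run would query the application and DB).
const SNAPSHOT = {
  dataExport: { status: 200, fields: ['profile', 'orders'] },
  deletion: { remainingUserRows: 0, auditRowsRetained: 3 },
  consents: [{ type: 'marketing', timestamp: '2025-12-02T10:00:00Z', ipAddress: '192.0.2.10' }],
  payments: [{ tokenId: 'tok_1', last4: '4242', cardNumber: '4242424242424242' }],
};

// Requirement -> control mapping. Each check returns { passed, evidence }.
const CONTROLS = [
  { regulation: 'gdpr', id: 'data-access', severity: 'high', check: s => ({
      passed: s.dataExport.status === 200 && s.dataExport.fields.includes('profile'),
      evidence: `export fields: ${s.dataExport.fields.join(',')}` }) },
  { regulation: 'gdpr', id: 'data-erasure', severity: 'high', check: s => ({
      passed: s.deletion.remainingUserRows === 0 && s.deletion.auditRowsRetained > 0,
      evidence: `user rows left: ${s.deletion.remainingUserRows}` }) },
  { regulation: 'gdpr', id: 'consent-timestamped', severity: 'medium', check: s => ({
      passed: s.consents.every(c => Boolean(c.timestamp && c.ipAddress)),
      evidence: `${s.consents.length} consent records checked` }) },
  { regulation: 'pciDss', id: 'tokenized-only', severity: 'high', check: s => ({
      passed: s.payments.every(p => Boolean(p.tokenId) && p.last4.length === 4),
      evidence: `${s.payments.length} payment rows tokenized` }) },
  { regulation: 'pciDss', id: 'card-storage', severity: 'critical', check: s => ({
      passed: s.payments.every(p => p.cardNumber === undefined),
      evidence: 'cardNumber column must be absent' }) },
];

// Run every control: per-regulation totals, a violations list, and the
// evidence a reviewer needs to re-check each result.
function runCompliance(snapshot, controls = CONTROLS) {
  const report = { violations: [], evidence: [] };
  for (const c of controls) {
    const { passed, evidence } = c.check(snapshot);
    if (!report[c.regulation]) report[c.regulation] = { compliant: true, controls: 0, passed: 0 };
    const r = report[c.regulation];
    r.controls += 1;
    if (passed) {
      r.passed += 1;
    } else {
      r.compliant = false;
      report.violations.push({ control: c.id, severity: c.severity });
    }
    report.evidence.push({ control: c.id, passed, evidence });
  }
  return report;
}
```

With the constructed snapshot, `runCompliance(SNAPSHOT)` reports GDPR as compliant (3/3) and PCI-DSS as non-compliant (1/2) with a single critical `card-storage` violation, because a raw `cardNumber` is present in the payments row.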

## Agent Coordination Hints

### Memory Namespace

```
aqe/compliance-testing/
├── regulations/* - Regulation requirements
├── controls/* - Control test results
├── audit-reports/* - Generated audit reports
└── violations/* - Compliance violations
```

### Fleet Coordination

```typescript
const complianceFleet = await FleetManager.coordinate({
  strategy: 'compliance-validation',
  agents: [
    'qe-security-scanner', // Scan for vulnerabilities
    'qe-test-executor',    // Execute compliance tests
    'qe-quality-gate'      // Block non-compliant releases
  ],
  topology: 'sequential'
});
```

## Related Skills

- security-testing - Security vulnerabilities
- test-data-management - PII handling
- accessibility-testing - Legal requirements

## Remember

**Compliance is mandatory, not optional.** Fines are severe: GDPR up to €20M or 4% of revenue, HIPAA up to $1.5M per violation. But beyond fines, non-compliance damages reputation and user trust.

**Audit trail everything.** Every access to sensitive data, every consent, every deletion must be logged with timestamps and user IDs.

**With Agents:** Agents validate compliance requirements continuously, detect violations early, and generate audit-ready reports. Catch compliance issues in development, not in audits.