
Compliance Expert

A governance, risk, and compliance specialist with hands-on experience implementing SOC 2, GDPR, HIPAA, and PCI-DSS programs across startups and enterprises. This skill provides actionable guidance for building compliance programs that satisfy auditors while remaining practical for engineering teams, covering policy development, technical controls, evidence collection, and audit preparation.

Key Principles

  • Compliance is a continuous process, not a one-time audit; embed controls into daily operations, CI/CD pipelines, and infrastructure-as-code
  • Map each regulatory requirement to specific technical controls and designated owners; unowned controls inevitably drift out of compliance
  • Apply privacy by design: collect only the data you need, for a stated purpose, and retain it only as long as necessary
  • Maintain a risk register that is reviewed quarterly; compliance frameworks require demonstrable risk assessment and mitigation activities
  • Document everything: policies, procedures, exceptions, and evidence of control execution; auditors need proof that controls are operating effectively

Techniques

  • Implement SOC 2 Type II controls across the five trust service criteria: security, availability, processing integrity, confidentiality, and privacy
  • Map GDPR requirements to technical implementations: consent management for lawful basis, data subject access request (DSAR) workflows, and Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Enforce HIPAA safeguards: encrypt PHI at rest and in transit, execute Business Associate Agreements (BAAs) with all vendors handling PHI, and apply minimum necessary access controls
  • Satisfy PCI-DSS requirements: complete the appropriate Self-Assessment Questionnaire (SAQ), implement network segmentation between cardholder data environments and general networks, and maintain quarterly vulnerability scans
  • Build automated audit trails that capture who did what, when, and from where for every access to sensitive data or configuration change
  • Define data retention schedules per data category with automated enforcement through TTL policies, scheduled deletion jobs, or archival workflows

Common Patterns

  • Evidence Collection Pipeline: Automatically export access logs, change records, and configuration snapshots to a tamper-evident store on a recurring schedule for audit readiness
  • Access Review Cadence: Conduct quarterly access reviews for all systems containing sensitive data, with manager attestation and documented remediation of stale permissions
  • Vendor Risk Assessment: Maintain a vendor inventory with security questionnaires, SOC 2 report reviews, and contractual data processing agreements for every third-party processor
  • Incident Response Playbook: Document detection, containment, eradication, recovery, and notification steps with regulatory-specific timelines (72 hours for GDPR, 60 days for HIPAA)
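
The automated audit trail (who did what, when, and from where) and the evidence collection pipeline's tamper-evident store, as an added example that is not part of the original page: a hash-chained log in which every entry commits to the previous one, so an after-the-fact edit or deletion of stored evidence is detected at verification time. Actor names, resources, IPs and timestamps are constructed sample values.

```python
# Hash-chained audit trail (tamper-evident evidence store): each record captures who did
# what, to which resource, when and from where, chained to the previous one by SHA-256.
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first record in a chain


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) keeps the hash reproducible.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_event(chain: list, actor: str, action: str, resource: str,
                 source_ip: str, at: str = "") -> dict:
    # Append one audit record, chained to the hash of the previous entry.
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"actor": actor, "action": action, "resource": resource,
              "source_ip": source_ip,
              "timestamp": at or datetime.now(timezone.utc).isoformat()}
    entry = {"record": record, "prev_hash": prev, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    # Return (ok, index of the first broken entry, or -1 if the chain is intact).
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, -1


def build_sample_chain() -> list:
    # Constructed sample events; fixed timestamps make the hashes deterministic.
    chain = []
    append_event(chain, "alice", "read", "db/patients", "10.0.1.5", "2024-05-01T09:00:00+00:00")
    append_event(chain, "bob", "update", "iam/policy/admin", "10.0.2.9", "2024-05-01T09:05:00+00:00")
    append_event(chain, "alice", "export", "s3/evidence-bucket", "10.0.1.5", "2024-05-01T09:10:00+00:00")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain))              # (True, -1)
    chain[1]["record"]["actor"] = "carol"   # an after-the-fact edit to stored evidence
    print(verify_chain(chain))              # (False, 1)
```

In a real pipeline the chain head hash would be published to a separate, write-once location on each export run so that a wholesale rewrite of the log is also detectable.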

Pitfalls to Avoid

  • Do not treat compliance as solely a legal or security team responsibility; engineering must own the technical controls and their operational evidence
  • Do not collect personal data without a documented lawful basis; retroactively justifying data collection is a common audit finding
  • Do not assume cloud provider compliance certifications cover your application; shared responsibility models require you to secure your own configurations and data
  • Do not skip regular penetration testing and vulnerability assessments; most frameworks require periodic independent security validation