AgentSkillsCN

compliance-frameworks

Security and privacy compliance best practices for B2B SaaS applications, covering SOC 2 certification and GDPR requirements. Use for audit preparation, control design, compliance gap analysis, or building compliance considerations into product features.

SKILL.md
---
name: compliance-frameworks
description: Security and privacy compliance patterns for B2B SaaS (SOC 2, GDPR). Use for audit preparation, control design, compliance gap analysis, or building compliance into features.
---

Compliance Frameworks Skill

Security and privacy compliance patterns for B2B SaaS products.

When to Use

  • Preparing for SOC 2 Type II audit
  • Implementing GDPR data handling requirements
  • Conducting compliance gap analysis
  • Designing controls for audit evidence
  • Building compliance into new features

Quick Reference

SOC 2 Trust Principles

| Principle | Key Controls | Priority |
|---|---|---|
| Security | Access control, encryption, monitoring | Required |
| Availability | Uptime SLAs, redundancy, backups | Required |
| Processing Integrity | Input validation, error handling | Conditional |
| Confidentiality | Data classification, encryption | Common |
| Privacy | Consent, access requests, retention | If PII handled |

GDPR Rights (Data Subject)

| Right | Implementation | Response Time |
|---|---|---|
| Access | Data export endpoint | 30 days |
| Erasure | Deletion workflow | 30 days |
| Rectification | Edit profile | Reasonable |
| Portability | Machine-readable export | 30 days |
| Objection | Opt-out mechanisms | Immediate |

Common Control Categories

| Category | Examples |
|---|---|
| Preventive | Access controls, input validation, encryption |
| Detective | Audit logging, anomaly detection, SIEM |
| Corrective | Incident response, patching, rollback |

Key Patterns

Control Design

    Risk Identification → Control Selection → Implementation → Evidence Collection → Audit

Evidence Types

| Type | Examples |
|---|---|
| Documentation | Policies, procedures, diagrams |
| Configuration | Terraform, IAM policies, firewall rules |
| Logs | Audit trails, access logs, change records |
| Screenshots | Dashboard configs, settings, approvals |

Integration with Development

PR Checklist (Security-Sensitive Changes)

  • No hardcoded secrets
  • Access controls implemented
  • Audit logging added
  • Input validation present
  • Error messages sanitized

Compliance by Design

Build compliance into features from the start:

  1. Data Classification - What data is being handled?
  2. Access Control - Who can access it?
  3. Audit Trail - What operations are logged?
  4. Retention - How long is data kept?
  5. Deletion - How is data removed?
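As an added illustration (not code from this skill's reference.md or examples.md), the five questions above carried into one small Python data store, with the GDPR erasure right from the table above as its deletion path. The role names, retention periods and record layout are assumptions; the audit log records outcomes (including denials) but never payloads, so it can be handed over as evidence.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

class Classification(Enum):
    PUBLIC = "public"
    INTERNAL = "internal"
    PII = "pii"  # personal data: GDPR rights and the SOC 2 Privacy principle apply
Record = namedtuple("Record", "subject_id classification payload created_at")  # 1. classified at write time
READ_POLICY = {Classification.PUBLIC: {"viewer", "support", "admin"},  # 2. access control (hypothetical roles)
               Classification.INTERNAL: {"support", "admin"},
               Classification.PII: {"admin"}}
RETENTION = {Classification.PUBLIC: timedelta(days=3650),  # 4. retention periods (hypothetical)
             Classification.INTERNAL: timedelta(days=730),
             Classification.PII: timedelta(days=365)}

@dataclass
class Store:
    records: dict[str, Record] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)  # 3. audit trail; never holds payloads

    def _audit(self, actor: str, action: str, key: str, outcome: str) -> None:
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                               "action": action, "record": key, "outcome": outcome})

    def read(self, actor: str, role: str, key: str) -> dict:
        rec = self.records[key]
        allowed = role in READ_POLICY[rec.classification]
        self._audit(actor, "read", key, "allowed" if allowed else "denied")  # denials are evidence too
        if not allowed:
            raise PermissionError(f"role {role!r} may not read {rec.classification.value} data")
        return rec.payload

    def purge_expired(self, now: datetime) -> list[str]:
        # Retention enforcement: delete records older than their class's retention period.
        expired = [k for k, r in self.records.items() if now - r.created_at > RETENTION[r.classification]]
        for k in expired:
            del self.records[k]
            self._audit("retention-job", "purge", k, "deleted")
        return expired

    def erase_subject(self, actor: str, subject_id: str) -> int:
        # 5. Deletion (GDPR erasure): drop a subject's PII; audit entries stay as evidence of fulfilment.
        keys = [k for k, r in self.records.items()
                if r.subject_id == subject_id and r.classification is Classification.PII]
        for k in keys:
            del self.records[k]
            self._audit(actor, "erase", k, "deleted")
        return len(keys)
```

The erasure path deliberately leaves INTERNAL records of the subject in place; whether non-PII business records must also go is a decision the data classification step has to make explicit.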

Files

  • reference.md - Detailed checklists, control mappings
  • examples.md - Implementation patterns, evidence templates