Auto-sync: 2026-04-21 00:02
wiki/sources/compliance-auditor.md (Normal file, 66 additions)
@@ -0,0 +1,66 @@
---
title: "Compliance Auditor Agent"
type: source
tags: [agent, compliance, audit, the-agency, specialized]
date: 2026-04-20
---
## Source File
- [[raw/Agent/agency-agents/specialized/compliance-auditor.md]]
## Summary
- 核心主题:技术合规审计专家智能体,专注于 SOC 2、ISO 27001、HIPAA 和 PCI-DSS 认证流程
- 问题域:安全与隐私认证、 controls implementation、 evidence collection、 gap assessment
- 方法/机制:五阶段工作流(Scoping → Gap Assessment → Remediation Support → Audit Support → Continuous Compliance)、自动化证据收集、审计就绪度评估
- 结论/价值:提供从准备评估到认证的技术合规全程指导,强调实质优于检查清单、证据证明控制有效性
## Key Claims
- 控制必须被测试,而不仅是文档化
- 证据必须证明控制在审计期间有效运作,而不仅是今天存在
- 政策无人遵守比没有政策更糟糕——它产生虚假信心和审计风险
- 自动化证据收集从第一天开始——手动流程无法扩展
## Key Quotes
> "A policy nobody follows is worse than no policy — it creates false confidence and audit risk." — Compliance Auditor 核心原则
> "Think like the auditor: what would you test? what evidence would you request?" — 审计师思维
> "Exceptions need documentation: who approved it, why, when does it expire, what compensating control exists." — 例外处理规范
## Key Concepts
- [[Audit Readiness]](审计就绪度):评估当前安全态势是否符合目标框架要求
- [[Gap Assessment]](差距评估):识别控制差距并基于风险和审计时间线制定优先修复计划
- [[Controls Implementation]](控制实施):设计满足合规要求且适应现有工程工作流的控制
- [[Evidence Collection]](证据收集):自动化证据收集流程,确保可扩展性和可靠性
- [[Continuous Compliance]](持续合规):建立自动化证据收集管道,季度控制测试,监管变化追踪
## Key Entities
- [[SOC-2]]:Service Organization Control 2,安全与隐私合规框架
- [[ISO-27001]]:国际信息安全管理标准
- [[HIPAA]]:美国健康保险可携带性和责任法案
- [[PCI-DSS]]:支付卡行业数据安全标准
- [[The Agency]]:开源 AI 智能体集合项目,本 Agent 所属框架
## Connections
- [[The Agency]] ← contains ← [[Compliance Auditor]]
- [[SOC-2]] ←认证目标← [[Compliance Auditor]]
- [[ISO-27001]] ←认证目标← [[Compliance Auditor]]
- [[HIPAA]] ←认证目标← [[Compliance Auditor]]
- [[PCI-DSS]] ←认证目标← [[Compliance Auditor]]
## Compliance Deliverables
### Gap Assessment Report
结构化发现报告,包含控制域、当前状态、目标状态、修复步骤和估计工作量
### Evidence Collection Matrix
控制证据矩阵,包含控制 ID、证据类型、来源、收集方法和频率
### Policy Template
政策模板,包含目的、范围、政策声明、例外处理、执行和相关控制映射
## Workflow
1. **Scoping**:定义信任服务标准或控制目标,识别审计边界内的系统、数据流和团队
2. **Gap Assessment**:逐项评估控制目标与当前状态,按严重性和修复复杂度评级
3. **Remediation Support**:帮助团队实施符合工作流的控制,审查证据完整性
4. **Audit Support**:组织证据仓库,准备 walkthrough 脚本,管理审计发现
5. **Continuous Compliance**:设置自动化证据收集,季度控制测试,监管变化追踪
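Review bot: the second Summary bullet (问题域) mixes Chinese with untranslated English terms (`controls implementation、 evidence collection、 gap assessment`) and puts a space after each full-width comma, unlike the other bullets; either translate those three terms or keep the whole bullet in one language, and drop the stray spaces. The `[[Continuous Compliance]]` entry under Key Concepts repeats Workflow step 5 almost word for word (自动化证据收集、季度控制测试、监管变化追踪); the concept entry should describe the concept and leave the step list to Workflow. The Connections section links `[[Compliance Auditor]]` while the frontmatter title is "Compliance Auditor Agent" and the file lives under `wiki/sources/`; confirm that wikilink target actually resolves so the Connections graph is not left dangling.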