nexus/wiki/sources/compliance-auditor.md
2026-04-21 00:02:55 +08:00

---
title: "Compliance Auditor Agent"
type: source
tags: [agent, compliance, audit, the-agency, specialized]
date: 2026-04-20
---
## Source File
- [[raw/Agent/agency-agents/specialized/compliance-auditor.md]]
## Summary
- Core topic: a technical compliance audit specialist agent focused on SOC 2, ISO 27001, HIPAA and PCI-DSS certification processes
- Problem domain: security and privacy certification, controls implementation, evidence collection, gap assessment
- Method/mechanism: five-phase workflow (Scoping → Gap Assessment → Remediation Support → Audit Support → Continuous Compliance), automated evidence collection, audit readiness assessment
- Conclusion/value: end-to-end technical compliance guidance from readiness assessment through certification, emphasising substance over checklists and evidence that proves controls are effective
## Key Claims
- Controls must be tested, not merely documented
- Evidence must prove that a control operated effectively throughout the audit period, not merely that it exists today
- A policy nobody follows is worse than no policy: it creates false confidence and audit risk
- Automate evidence collection from day one: manual processes do not scale
## Key Quotes
> "A policy nobody follows is worse than no policy — it creates false confidence and audit risk." — Compliance Auditor core principle
> "Think like the auditor: what would you test? what evidence would you request?" — auditor mindset
> "Exceptions need documentation: who approved it, why, when does it expire, what compensating control exists." — exception handling rule
## Key Concepts
- [[Audit Readiness]]: assess whether the current security posture meets the target framework's requirements
- [[Gap Assessment]]: identify control gaps and build a prioritised remediation plan based on risk and the audit timeline
- [[Controls Implementation]]: design controls that satisfy compliance requirements while fitting existing engineering workflows
- [[Evidence Collection]]: automate the evidence collection process to ensure scalability and reliability
- [[Continuous Compliance]]: establish automated evidence collection pipelines, quarterly control testing and regulatory change tracking
## Key Entities
- [[SOC-2]]: Service Organization Control 2, a security and privacy compliance framework
- [[ISO-27001]]: international information security management standard
- [[HIPAA]]: U.S. Health Insurance Portability and Accountability Act
- [[PCI-DSS]]: Payment Card Industry Data Security Standard
- [[The Agency]]: open-source collection of AI agents; the framework this agent belongs to
## Connections
- [[The Agency]] ← contains ← [[Compliance Auditor]]
- [[SOC-2]] ← certification target ← [[Compliance Auditor]]
- [[ISO-27001]] ← certification target ← [[Compliance Auditor]]
- [[HIPAA]] ← certification target ← [[Compliance Auditor]]
- [[PCI-DSS]] ← certification target ← [[Compliance Auditor]]
## Compliance Deliverables
### Gap Assessment Report
Structured findings report covering control domain, current state, target state, remediation steps and estimated effort
### Evidence Collection Matrix
Control evidence matrix covering control ID, evidence type, source, collection method and frequency
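A worked check for the Key Claim above that evidence must cover the whole audit period, built on this matrix's fields (control ID, evidence type, source, collection method, frequency). This is an added example, not code from The Agency or the Compliance Auditor agent; the control IDs, matrix rows, evidence dates and audit period are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class MatrixRow:
    control_id: str      # placeholder ID, not any framework's numbering
    evidence_type: str
    source: str
    method: str
    frequency_days: int  # how often evidence must be collected

# Constructed sample Evidence Collection Matrix.
MATRIX = [
    MatrixRow("CTRL-01", "access review export", "identity provider", "scheduled API export", 90),
    MatrixRow("CTRL-02", "scanner report", "vulnerability scanner", "weekly job", 7),
    MatrixRow("CTRL-03", "PR approval log", "git hosting", "webhook archive", 30),
]

# Constructed evidence records: (control_id, date the evidence was collected).
RECORDS = [
    ("CTRL-01", date(2026, 1, 10)),
    ("CTRL-01", date(2026, 4, 5)),
    ("CTRL-02", date(2026, 1, 3)),
    ("CTRL-02", date(2026, 1, 10)),
    ("CTRL-02", date(2026, 3, 20)),   # scans silently stopped for ten weeks before this one
]

def evidence_gaps(matrix, records, period_start, period_end):
    """Map control_id -> [(gap_start, gap_end), ...]: every stretch of the audit period
    longer than the control's collection frequency with no evidence. A control with
    no records at all reports the whole period as a single gap."""
    gaps = {}
    for row in matrix:
        dates = sorted(d for cid, d in records
                       if cid == row.control_id and period_start <= d <= period_end)
        # Check each interval between consecutive checkpoints: period start, every
        # collection date, period end. Evidence that only "exists today" never passes.
        checkpoints = [period_start] + dates + [period_end]
        allowed = timedelta(days=row.frequency_days)
        found = [(a, b) for a, b in zip(checkpoints, checkpoints[1:]) if b - a > allowed]
        if found:
            gaps[row.control_id] = found
    return gaps

def sample_gaps():
    """Run the check for a constructed 2026-01-01..2026-04-20 audit period; ISO strings for readability."""
    gaps = evidence_gaps(MATRIX, RECORDS, date(2026, 1, 1), date(2026, 4, 20))
    return {cid: [(a.isoformat(), b.isoformat()) for a, b in g] for cid, g in gaps.items()}
```

CTRL-01 passes because every interval stays within its 90-day frequency; CTRL-02 fails twice despite having recent evidence, and CTRL-03 fails for the entire period because nothing was ever collected.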
### Policy Template
Policy template covering purpose, scope, policy statement, exception handling, enforcement and mapping to related controls
## Workflow
1. **Scoping**: define the trust services criteria or control objectives; identify the systems, data flows and teams inside the audit boundary
2. **Gap Assessment**: evaluate each control objective against the current state; rate findings by severity and remediation complexity
3. **Remediation Support**: help teams implement controls that fit their workflows; review evidence for completeness
4. **Audit Support**: organise the evidence repository, prepare walkthrough scripts, manage audit findings
5. **Continuous Compliance**: set up automated evidence collection, quarterly control testing and regulatory change tracking