| name | moai-security-compliance |
| version | 4.0.0 |
| status | stable |
| description | Enterprise Skill for advanced development |
| allowed-tools | Read, Bash, WebSearch, WebFetch |
moai-security-compliance: Regulatory Compliance & Audit Logging
GDPR, HIPAA, SOC 2, ISO 27001, PCI DSS Compliance Framework
Trust Score: 9.9/10 | Version: 4.0.0 | Enterprise Mode | Last Updated: 2025-11-12
Overview
Comprehensive regulatory compliance framework for GDPR, HIPAA, SOC 2, ISO 27001, and PCI DSS. Covers audit logging, data classification, retention policies, and evidence collection for regulatory audits. 2025 trend: 83-85% of enterprises now require SOC 2 compliance from vendors.
When to use this Skill:
- Implementing GDPR compliance (EU data protection)
- HIPAA PHI protection (healthcare)
- SOC 2 audit preparation (security & availability)
- ISO 27001 information security
- PCI DSS payment card security
- Building audit trails for regulatory proof
- GDPR right-to-erasure implementation
Level 1: Foundations
Regulatory Framework Overview
GDPR (EU):
├─ Scope: Any organization processing EU citizen data
├─ Key: Right-to-erasure, data portability, consent
├─ Penalties: Up to EUR 20 million or 4% revenue
└─ Focus: Privacy & data protection
HIPAA (USA):
├─ Scope: Healthcare providers, insurers, PHI handlers
├─ Key: Confidentiality, integrity, availability (CIA triad)
├─ Penalties: Up to USD 1.5 million per violation
└─ Focus: Patient health information security
SOC 2 (USA):
├─ Scope: Service organizations (any industry)
├─ Key: Security, availability, processing integrity, confidentiality, privacy
├─ Type I: Design of controls at point in time
├─ Type II: Operating effectiveness over 6-12 months
└─ Note: Not legally required, but customer-demanded
ISO 27001 (International):
├─ Scope: Information security management
├─ Key: 114 controls across 4 domains
├─ Requires: Annual audit, continuous monitoring
└─ Focus: Systematic security approach
PCI DSS (Payment cards):
├─ Scope: Any organization handling payment card data
├─ Key: Cardholder data protection (CHD)
├─ Compliance: Annual assessment
└─ Levels: 1-4 based on transaction volume
Data Classification
class DataClassifier {
classify(data) {
// Classify data for compliance purposes
if (this.isPII(data)) return 'SENSITIVE';
if (this.isPHI(data)) return 'RESTRICTED';
if (this.isPaymentData(data)) return 'CONFIDENTIAL';
if (this.isPublicData(data)) return 'PUBLIC';
return 'INTERNAL';
}
isPII(data) {
// Personal Identifiable Information
return /(\d{3}-\d{2}-\d{4}|email|phone|address)/.test(JSON.stringify(data));
}
isPHI(data) {
// Protected Health Information (HIPAA)
return /(diagnosis|medication|patient|medical_record)/.test(JSON.stringify(data));
}
isPaymentData(data) {
// Credit card, bank account (PCI DSS)
return /(\d{16}|\d{9}|BIC|IBAN)/.test(JSON.stringify(data));
}
isPublicData(data) {
// Explicitly marked as public
return data.classification === 'PUBLIC';
}
}
Level 2: Core Patterns
Pattern 1: Winston-Based Audit Logging
const winston = require('winston');
const Transport = require('winston-transport');
class AuditLogger {
constructor(config) {
this.config = config;
this.logger = this.createLogger();
}
createLogger() {
return winston.createLogger({
level: 'info',
format: winston.format.combine(
winston.format.timestamp({ format: 'YYYY-MM-DD HH:mm:ss' }),
winston.format.json(),
// Custom format for audit logging
winston.format.printf(({ timestamp, level, message, ...meta }) => ({
timestamp,
level,
message,
...meta,
// Add compliance fields
compliance_tags: ['audit_trail'],
data_classification: 'SENSITIVE',
retention_days: 2555, // 7 years (GDPR default)
}))
),
transports: [
// File storage (tamper-proof)
new winston.transports.File({
filename: './logs/audit.log',
maxsize: 5242880, // 5MB
maxFiles: 5,
tailable: true,
options: { flags: 'a', mode: 0o640 }, // Read-only for security
}),
// Database storage (queryable)
new DatabaseTransport({
collection: 'audit_logs',
db: this.config.db,
}),
// Cloud storage (immutable)
new S3Transport({
bucket: 'audit-logs',
prefix: `${new Date().getFullYear()}`,
}),
],
});
}
logUserAccess(userId, action, resource, result) {
this.logger.info('User action', {
userId,
action,
resource,
result,
timestamp: new Date().toISOString(),
ip_address: this.getIpAddress(),
user_agent: this.getUserAgent(),
compliance: {
gdpr: true,
soc2: true,
hipaa: true,
},
});
}
logDataAccess(userId, dataType, action, timestamp) {
this.logger.info('Data access', {
userId,
dataType,
action,
timestamp,
classification: this.classifyData(dataType),
retention_until: this.calculateRetention(dataType),
});
}
logSecurityEvent(severity, eventType, details) {
this.logger.warn('Security event', {
severity,
eventType,
details,
timestamp: new Date().toISOString(),
action_required: severity >= 'HIGH',
});
}
classifyData(dataType) {
const classifications = {
'health_record': 'RESTRICTED', // HIPAA
'payment_card': 'CONFIDENTIAL', // PCI DSS
'social_security': 'SENSITIVE', // GDPR
'user_email': 'SENSITIVE', // GDPR
};
return classifications[dataType] || 'INTERNAL';
}
calculateRetention(dataType) {
const retentionDays = {
'audit_log': 2555, // 7 years (GDPR)
'payment_log': 2555, // 7 years (PCI DSS)
'access_log': 365, // 1 year (SOC 2)
};
const days = retentionDays[dataType] || 90;
const date = new Date();
date.setDate(date.getDate() + days);
return date.toISOString();
}
}
// Custom Winston transport for database
class DatabaseTransport extends Transport {
constructor(opts) {
super(opts);
this.db = opts.db;
this.collection = opts.collection;
}
log(info, callback) {
setImmediate(() => {
this.db.collection(this.collection).insertOne({
...info,
_id: new ObjectId(),
timestamp: new Date(),
});
});
if (callback) {
callback();
}
}
}
Pattern 2: Data Retention & Erasure (GDPR Right-to-Erasure)
class DataRetentionManager {
constructor(db) {
this.db = db;
}
// Schedule automatic retention-based deletion
scheduleRetention() {
// Run daily
cron.schedule('0 2 * * *', async () => {
console.log('Running retention cleanup');
await this.deleteExpiredData();
await this.archiveOldLogs();
});
}
async deleteExpiredData() {
const now = new Date();
// GDPR: Delete personal data when retention expires
const expiredUsers = await this.db.users.find({
deletion_scheduled_at: { $lt: now },
deleted: false,
});
for (const user of expiredUsers) {
await this.eraseUserData(user.id);
}
}
async eraseUserData(userId) {
const user = await this.db.users.findById(userId);
// 1. Delete all personal data
await this.db.users.deleteOne({ _id: userId });
await this.db.user_profiles.deleteMany({ userId });
await this.db.user_preferences.deleteMany({ userId });
// 2. Anonymize audit logs (keep for compliance)
await this.db.audit_logs.updateMany(
{ userId },
{
$set: {
userId: null,
userName: '[REDACTED]',
anonymized: true,
anonymized_at: new Date(),
},
}
);
// 3. Log the erasure
await this.db.erasure_logs.insertOne({
userId,
erasedAt: new Date(),
reason: 'GDPR right-to-erasure',
dataErased: [
'user_profile',
'preferences',
'settings',
],
});
console.log(`User ${userId} data erased per GDPR request`);
}
async archiveOldLogs() {
// Archive logs older than 1 year to cold storage
const oneYearAgo = new Date();
oneYearAgo.setFullYear(oneYearAgo.getFullYear() - 1);
const oldLogs = await this.db.audit_logs.find({
timestamp: { $lt: oneYearAgo },
archived: false,
});
for (const log of oldLogs) {
// Compress and upload to S3 Glacier
await this.archiveToS3(log);
// Mark as archived in database
await this.db.audit_logs.updateOne(
{ _id: log._id },
{ $set: { archived: true } }
);
}
}
async requestErasure(userId) {
// User initiates GDPR right-to-erasure
await this.db.users.updateOne(
{ _id: userId },
{
$set: {
deletion_requested_at: new Date(),
deletion_scheduled_at: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000), // 30 days
},
}
);
// Send confirmation email
await sendEmail({
to: user.email,
subject: 'Data Erasure Request Confirmed',
body: 'Your data will be permanently deleted within 30 days.',
});
}
}
Pattern 3: SOC 2 Evidence Collection
class SOC2EvidenceCollector {
constructor() {
this.evidence = [];
}
// Collect evidence for SOC 2 Type II audit
async collectEvidence() {
// CC (Change Control)
await this.collectChangeControlEvidence();
// AC (Access Control)
await this.collectAccessControlEvidence();
// CA (Cryptography)
await this.collectCryptographyEvidence();
// IL (Incident & Logging)
await this.collectIncidentLoggingEvidence();
return this.generateAuditReport();
}
async collectAccessControlEvidence() {
const evidence = {
access_policies: await fs.readFile('./policies/access-control.md'),
mfa_enabled: await this.checkMFAStatus(),
privileged_access_logs: await this.queryAuditLogs({
action: 'privileged_access',
days: 90,
}),
access_reviews: await this.getMonthlyAccessReviews(),
user_provisioning_logs: await this.getProvisioningLogs(),
};
this.evidence.push({
domain: 'ACCESS_CONTROL',
timestamp: new Date(),
evidence,
});
}
async collectChangeControlEvidence() {
const evidence = {
code_deployment_logs: await this.getDeploymentLogs(),
approval_chain: await this.getChangeApprovals(),
testing_results: await this.getTestResults(),
rollback_procedures: await fs.readFile('./procedures/rollback.md'),
deployment_frequency: await this.calculateDeploymentFrequency(),
};
this.evidence.push({
domain: 'CHANGE_CONTROL',
timestamp: new Date(),
evidence,
});
}
generateAuditReport() {
return {
auditType: 'SOC 2 Type II',
period: {
start: this.auditStartDate,
end: this.auditEndDate,
},
evidence: this.evidence,
summary: this.generateSummary(),
};
}
}
Level 3: Advanced
Advanced: Drata Integration (Automated Compliance)
const { DrataClient } = require('drata-api');
class AutomatedComplianceMonitoring {
constructor(apiKey) {
this.drata = new DrataClient(apiKey);
}
// Automatically collect evidence for Drata audits
async syncComplianceEvidence() {
const frameworks = ['SOC2', 'GDPR', 'HIPAA', 'ISO27001'];
for (const framework of frameworks) {
const evidence = await this.collectFrameworkEvidence(framework);
await this.drata.uploadEvidence(framework, evidence);
}
}
async collectFrameworkEvidence(framework) {
// Query system for framework-specific evidence
// Push to Drata for audit preparation
const controlsMapping = {
'SOC2': this.soC2Controls,
'GDPR': this.gdprControls,
'HIPAA': this.hipaaControls,
};
return controlsMapping[framework];
}
get soC2Controls() {
return {
'CC6.1': this.getSecurityIncidentLogs(),
'CC6.2': this.getIncidentResponseLogs(),
'CC7.2': this.getSystemMonitoringLogs(),
'A1.2': this.getAccessReviewLogs(),
};
}
}
Checklist
- Data classification system implemented
- Audit logging to file, database, and cloud
- GDPR right-to-erasure process working
- Retention policies scheduled and tested
- Access logs collected and retained
- Change control logs for deployments
- SOC 2 evidence collection automated
- Drata integration for audit readiness
- HIPAA BAA signed if processing PHI
- PCI DSS self-assessment annual review
Quick Reference
| Regulation | Key Focus | Retention |
|---|---|---|
| GDPR | Privacy | 7 years (after processing ends) |
| HIPAA | Health Info | 6 years |
| SOC 2 | Security | 6-12 months (audit period) |
| ISO 27001 | InfoSec | 3 years |
| PCI DSS | Payment Cards | 1 year minimum |