1e84df9769
All checks were successful
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / test-go-ai-compliance (push) Successful in 32s
CI / test-python-backend-compliance (push) Successful in 30s
CI / test-python-document-crawler (push) Successful in 21s
CI / test-python-dsms-gateway (push) Successful in 18s
6-Phasen-Implementation fuer cloud-faehiges, mandantenfaehiges Compliance SDK:
Phase 1: Multi-Tenancy Fix
- Shared tenant_utils.py Dependency (UUID-Validierung, kein "default" mehr)
- VVT tenant_id Column + tenant-scoped Queries
- DSFA/Vendor DEFAULT_TENANT_ID von "default" auf UUID migriert
- Migration 035
Phase 2: Stammdaten-Erweiterung
- Company Profile um JSONB-Felder erweitert (processing_systems, ai_systems, technical_contacts)
- Regulierungs-Flags (NIS2, AI Act, ISO 27001)
- GET /template-context Endpoint
- Migration 036
Phase 3: Dokument-Versionierung
- 5 Versions-Tabellen (DSFA, VVT, TOM, Loeschfristen, Obligations)
- Shared versioning_utils.py Helper
- /{id}/versions Endpoints auf allen 5 Dokumenttypen
- Migration 037
Phase 4: Change-Request System
- Zentrale CR-Inbox mit CRUD + Accept/Reject/Edit Workflow
- Regelbasierte CR-Engine (VVT DPIA → DSFA CR, Datenkategorien → Loeschfristen CR)
- Audit-Trail
- Migration 038
Phase 5: Dokumentengenerierung
- 5 Template-Generatoren (DSFA, VVT, TOM, Loeschfristen, Obligations)
- Preview + Apply Endpoints (erzeugt CRs, keine direkten Dokumente)
Phase 6: Frontend-Integration
- Change-Request Inbox Page mit Stats, Filtern, Modals
- VersionHistory Timeline-Komponente
- SDKSidebar CR-Badge (60s Polling)
- Company Profile: 2 neue Wizard-Steps + "Dokumente generieren" CTA
Docs: 5 neue MkDocs-Seiten, CLAUDE.md aktualisiert
Tests: 97 neue Tests (alle bestanden)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
70 lines
3.7 KiB
Python
70 lines
3.7 KiB
Python
"""TOM template generator — creates TOM checklist based on regulatory flags."""
|
|
|
|
_BASE_TOMS = [
|
|
{"category": "Zutrittskontrolle", "name": "Physische Zugangskontrollen", "description": "Schlüssel, Kartenleser, Videoüberwachung"},
|
|
{"category": "Zugangskontrolle", "name": "Authentifizierung", "description": "Passwortrichtlinien, MFA, SSO"},
|
|
{"category": "Zugriffskontrolle", "name": "Berechtigungskonzept", "description": "RBAC, Least Privilege, regelmäßige Reviews"},
|
|
{"category": "Weitergabekontrolle", "name": "Verschlüsselung im Transit", "description": "TLS 1.3 für alle Verbindungen"},
|
|
{"category": "Eingabekontrolle", "name": "Audit-Logging", "description": "Protokollierung aller Datenänderungen"},
|
|
{"category": "Auftragskontrolle", "name": "AV-Verträge", "description": "Art. 28 DSGVO Auftragsverarbeitungsverträge"},
|
|
{"category": "Verfügbarkeitskontrolle", "name": "Backup & Recovery", "description": "Regelmäßige Backups, Disaster Recovery Plan"},
|
|
{"category": "Trennungsgebot", "name": "Mandantentrennung", "description": "Logische Datentrennung nach Mandanten"},
|
|
]
|
|
|
|
_NIS2_TOMS = [
|
|
{"category": "Cybersicherheit", "name": "Incident Response Plan", "description": "NIS2-konformer Vorfallreaktionsplan (72h Meldepflicht)"},
|
|
{"category": "Cybersicherheit", "name": "Supply Chain Security", "description": "Bewertung der Lieferkettensicherheit"},
|
|
{"category": "Cybersicherheit", "name": "Vulnerability Management", "description": "Regelmäßige Schwachstellenscans und Patch-Management"},
|
|
]
|
|
|
|
_ISO27001_TOMS = [
|
|
{"category": "ISMS", "name": "Risikomanagement", "description": "ISO 27001 Anhang A — Informationssicherheits-Risikobewertung"},
|
|
{"category": "ISMS", "name": "Dokumentenlenkung", "description": "Versionierte Sicherheitsrichtlinien und -verfahren"},
|
|
{"category": "ISMS", "name": "Management Review", "description": "Jährliche Überprüfung des ISMS durch die Geschäftsleitung"},
|
|
]
|
|
|
|
_AI_ACT_TOMS = [
|
|
{"category": "KI-Compliance", "name": "KI-Risikoklassifizierung", "description": "Bewertung aller KI-Systeme nach EU AI Act Risikokategorien"},
|
|
{"category": "KI-Compliance", "name": "Human Oversight", "description": "Menschliche Aufsicht für Hochrisiko-KI-Systeme sicherstellen"},
|
|
{"category": "KI-Compliance", "name": "KI-Transparenz", "description": "Transparenzpflichten bei KI-Einsatz gegenüber Betroffenen"},
|
|
]
|
|
|
|
|
|
def generate_tom_drafts(ctx: dict) -> list[dict]:
|
|
"""Generate TOM measure drafts based on regulatory flags.
|
|
|
|
Args:
|
|
ctx: Flat dict from company-profile/template-context
|
|
|
|
Returns:
|
|
List of TOM measure dicts ready for creation
|
|
"""
|
|
measures = list(_BASE_TOMS)
|
|
|
|
if ctx.get("subject_to_nis2"):
|
|
measures.extend(_NIS2_TOMS)
|
|
|
|
if ctx.get("subject_to_iso27001"):
|
|
measures.extend(_ISO27001_TOMS)
|
|
|
|
if ctx.get("subject_to_ai_act") or ctx.get("has_ai_systems"):
|
|
measures.extend(_AI_ACT_TOMS)
|
|
|
|
# Enrich with metadata
|
|
company = ctx.get("company_name", "")
|
|
result = []
|
|
for i, m in enumerate(measures, 1):
|
|
result.append({
|
|
"control_id": f"TOM-AUTO-{i:03d}",
|
|
"name": m["name"],
|
|
"description": m["description"],
|
|
"category": m["category"],
|
|
"type": "technical" if m["category"] in ("Zugangskontrolle", "Zugriffskontrolle", "Weitergabekontrolle", "Cybersicherheit") else "organizational",
|
|
"implementation_status": "planned",
|
|
"responsible_department": "IT-Sicherheit",
|
|
"priority": "high" if "KI" in m.get("category", "") or "Cyber" in m.get("category", "") else "medium",
|
|
"review_frequency": f"{ctx.get('review_cycle_months', 12)} Monate",
|
|
})
|
|
|
|
return result
|