feat(admin-v2): Major SDK/Compliance overhaul and new modules

SDK modules added/enhanced:
- compliance-hub, compliance-scope, consent-management, notfallplan
- audit-report, workflow, source-policy, dsms
- advisory-board documentation section
- TOM dashboard components, TOM generator SDM mapping
- DSFA: mitigation library, risk catalog, threshold analysis, source attribution
- VVT: baseline catalog, profiling engine, types
- Loeschfristen: baseline catalog, compliance engine, export, profiling, types
- Compliance scope: engine, profiling, golden tests, types

Existing SDK pages updated:
- dsfa/[id], tom, vvt, loeschfristen, advisory-board — expanded functionality
- SDKSidebar, StepHeader — new navigation items and layout
- SDK layout, context, types — expanded type system

Other admin-v2 changes:
- AI agents page, RAG pipeline DSFA integration
- GridOverlay component updates
- Companion feature (development + education)
- Compliance advisor SOUL definition

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
BreakPilot Dev
2026-02-10 00:01:04 +01:00
parent 53219e3eaf
commit dff2ef796b
94 changed files with 29706 additions and 1039 deletions


@@ -2072,6 +2072,287 @@ const CONTROL_LIBRARY_DATA: ControlLibrary = {
complexity: 'HIGH',
tags: ['dpia', 'dsfa', 'risk-assessment'],
},
// =========================================================================
// DELETION / VERNICHTUNG — Sichere Datenloeschung & Datentraegervernichtung
// =========================================================================
{
id: 'TOM-DL-01',
code: 'TOM-DL-01',
category: 'SEPARATION',
type: 'TECHNICAL',
name: {
de: 'Sichere Datenloeschung',
en: 'Secure Data Deletion',
},
description: {
de: 'Implementierung sicherer Loeschverfahren, die personenbezogene Daten unwiederbringlich entfernen (z.B. nach DIN 66399).',
en: 'Implementation of secure deletion procedures that irrecoverably remove personal data (e.g. per DIN 66399).',
},
mappings: [
{ framework: 'GDPR_ART17', reference: 'Art. 17' },
{ framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 1 lit. e' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.8.10' },
{ framework: 'BSI_C5', reference: 'SY-09' },
],
applicabilityConditions: [
{
field: 'dataProfile.dataVolume',
operator: 'NOT_EQUALS',
value: 'NONE',
result: 'REQUIRED',
priority: 30,
},
],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Loeschkonzept / Loeschrichtlinie',
'Loeschprotokolle mit Zeitstempeln',
'DIN 66399 Konformitaetsnachweis',
],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['deletion', 'loeschung', 'data-lifecycle', 'din-66399'],
},
{
id: 'TOM-DL-02',
code: 'TOM-DL-02',
category: 'SEPARATION',
type: 'TECHNICAL',
name: {
de: 'Datentraegervernichtung',
en: 'Media Destruction',
},
description: {
de: 'Physische Vernichtung von Datentraegern (Festplatten, SSDs, USB-Sticks, Papier) gemaess DIN 66399 Schutzklassen.',
en: 'Physical destruction of storage media (hard drives, SSDs, USB sticks, paper) per DIN 66399 protection classes.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.7.14' },
{ framework: 'BSI_C5', reference: 'AM-08' },
],
applicabilityConditions: [
{
field: 'dataProfile.dataVolume',
operator: 'NOT_EQUALS',
value: 'NONE',
result: 'RECOMMENDED',
priority: 20,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: [
'Vernichtungsprotokoll mit Seriennummern',
'Zertifikat des Vernichtungsdienstleisters',
'DIN 66399 Sicherheitsstufe-Nachweis',
],
reviewFrequency: 'ANNUAL',
priority: 'MEDIUM',
complexity: 'LOW',
tags: ['deletion', 'media-destruction', 'physical-security', 'din-66399'],
},
{
id: 'TOM-DL-03',
code: 'TOM-DL-03',
category: 'SEPARATION',
type: 'ORGANIZATIONAL',
name: {
de: 'Loeschprotokollierung',
en: 'Deletion Logging',
},
description: {
de: 'Systematische Protokollierung aller Loeschvorgaenge mit Zeitstempel, Verantwortlichem, Datenobjekt und Loeschmethode.',
en: 'Systematic logging of all deletion operations with timestamp, responsible person, data object, and deletion method.',
},
mappings: [
{ framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 2 (Rechenschaftspflicht)' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.8.10' },
],
applicabilityConditions: [
{
field: 'dataProfile.dataVolume',
operator: 'NOT_EQUALS',
value: 'NONE',
result: 'REQUIRED',
priority: 25,
},
],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Loeschprotokoll-Template',
'Archivierte Loeschprotokolle (Stichprobe)',
'Automatisierungsnachweis (bei automatischen Loeschungen)',
],
reviewFrequency: 'SEMI_ANNUAL',
priority: 'HIGH',
complexity: 'LOW',
tags: ['deletion', 'logging', 'accountability', 'documentation'],
},
{
id: 'TOM-DL-04',
code: 'TOM-DL-04',
category: 'SEPARATION',
type: 'TECHNICAL',
name: {
de: 'Backup-Bereinigung',
en: 'Backup Sanitization',
},
description: {
de: 'Sicherstellung, dass personenbezogene Daten auch in Backup-Systemen nach Ablauf der Loeschfrist entfernt werden.',
en: 'Ensuring that personal data is also removed from backup systems after the retention period expires.',
},
mappings: [
{ framework: 'GDPR_ART17', reference: 'Art. 17 Abs. 2' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.8.13' },
],
applicabilityConditions: [
{
field: 'techProfile.hasBackups',
operator: 'EQUALS',
value: true,
result: 'REQUIRED',
priority: 25,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: [
'Backup-Loeschkonzept',
'Backup-Rotationsplan',
'Nachweis der Backup-Bereinigung',
],
reviewFrequency: 'SEMI_ANNUAL',
priority: 'MEDIUM',
complexity: 'HIGH',
tags: ['deletion', 'backup', 'data-lifecycle', 'retention'],
},
// =========================================================================
// SCHULUNG / VERTRAULICHKEIT — Training & Awareness
// =========================================================================
{
id: 'TOM-TR-01',
code: 'TOM-TR-01',
category: 'REVIEW',
type: 'ORGANIZATIONAL',
name: {
de: 'Datenschutzschulung',
en: 'Data Protection Training',
},
description: {
de: 'Regelmaessige Schulung aller Mitarbeiter zu Datenschutzgrundlagen, DSGVO-Anforderungen und betrieblichen Datenschutzrichtlinien.',
en: 'Regular training of all employees on data protection fundamentals, GDPR requirements, and organizational data protection policies.',
},
mappings: [
{ framework: 'GDPR_ART39', reference: 'Art. 39 Abs. 1 lit. b' },
{ framework: 'GDPR_ART47', reference: 'Art. 47 Abs. 2 lit. n' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.6.3' },
],
applicabilityConditions: [
{
field: 'orgProfile.employeeCount',
operator: 'GREATER_THAN',
value: 0,
result: 'REQUIRED',
priority: 30,
},
],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Schulungsplan (jaehrlich)',
'Teilnahmelisten / Schulungsnachweise',
'Schulungsmaterialien / Praesentation',
'Wissenstest-Ergebnisse (optional)',
],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'LOW',
tags: ['training', 'schulung', 'awareness', 'organizational'],
},
{
id: 'TOM-TR-02',
code: 'TOM-TR-02',
category: 'REVIEW',
type: 'ORGANIZATIONAL',
name: {
de: 'Verpflichtung auf Datengeheimnis',
en: 'Confidentiality Obligation',
},
description: {
de: 'Schriftliche Verpflichtung aller Mitarbeiter und externen Dienstleister auf die Vertraulichkeit personenbezogener Daten.',
en: 'Written obligation of all employees and external service providers to maintain confidentiality of personal data.',
},
mappings: [
{ framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3 lit. b' },
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 4' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.6.6' },
],
applicabilityConditions: [
{
field: 'orgProfile.employeeCount',
operator: 'GREATER_THAN',
value: 0,
result: 'REQUIRED',
priority: 30,
},
],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Muster-Verpflichtungserklaerung',
'Unterschriebene Verpflichtungserklaerungen',
'Register der verpflichteten Personen',
],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'LOW',
tags: ['training', 'confidentiality', 'vertraulichkeit', 'obligation'],
},
{
id: 'TOM-TR-03',
code: 'TOM-TR-03',
category: 'REVIEW',
type: 'ORGANIZATIONAL',
name: {
de: 'Security Awareness Programm',
en: 'Security Awareness Program',
},
description: {
de: 'Fortlaufendes Awareness-Programm zu IT-Sicherheit, Phishing-Erkennung, Social Engineering und sicherem Umgang mit Daten.',
en: 'Ongoing awareness program on IT security, phishing detection, social engineering, and safe data handling.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.6.3' },
{ framework: 'BSI_C5', reference: 'ORP.3' },
],
applicabilityConditions: [
{
field: 'orgProfile.employeeCount',
operator: 'GREATER_THAN',
value: 10,
result: 'REQUIRED',
priority: 20,
},
{
field: 'orgProfile.employeeCount',
operator: 'GREATER_THAN',
value: 0,
result: 'RECOMMENDED',
priority: 15,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: [
'Awareness-Programm-Dokumentation',
'Phishing-Simulationsergebnisse',
'Teilnahmenachweise',
],
reviewFrequency: 'SEMI_ANNUAL',
priority: 'MEDIUM',
complexity: 'MEDIUM',
tags: ['training', 'security-awareness', 'phishing', 'social-engineering'],
},
],
}
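Review bot: The BSI_C5 mapping on TOM-TR-03, `{ framework: 'BSI_C5', reference: 'ORP.3' }`, points at an IT-Grundschutz-Kompendium module rather than a C5 criterion; C5:2020 keeps its training/awareness requirement in the HR domain (HR-03, to be verified against the current catalogue), so the entry should read `{ framework: 'BSI_C5', reference: 'HR-03' }` or be moved to whatever IT-Grundschutz framework key the `mappings` union offers. The `SY-09` reference on TOM-DL-01 also does not match any C5:2020 domain prefix as far as I can tell and is worth checking at the same time, since any consumer that scores framework coverage from these mappings will otherwise report C5 coverage the referenced criterion does not provide. Separately, the four deletion controls carry `category: 'SEPARATION'` and the three training controls `category: 'REVIEW'` while the section comments say DELETION and SCHULUNG; if the category union has no closer value, a comment such as `// NOTE: no DELETION category yet — classified via 'deletion' tag` on the first entry of each section would stop a reader from taking the category at face value. The hunk appears to continue past the last line shown here.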