45-EFT.WP.Data.Pipeline v1.0 | 第14章 隐私、安全与合规

目录 ／ 文档-技术白皮书 ／ 45-EFT.WP.Data.Pipeline v1.0

第14章 隐私、安全与合规

I. 章节目的与范围

II. 术语与依赖

• 术语：PII、PHI、data_minimization、deidentification、k_anon、ε_dp、lawful_basis、data_residency、DLP、KMS、RBAC、ABAC、mTLS、SSE-KMS、BYOK、IRP（事件响应预案）。
• 依赖：契约与导出（《Core.DataSpec v1.0》）；单位/量纲与校核（《Core.Metrology v1.0》）；隐私/伦理与区域合规（《DatasetCards v1.0》第13章；《ModelCards v1.0》第14章）。
• 数学与符号：内联符号用反引号（如 k_anon、ε_dp、T_inf）；含除号/积分/复合算符必须加括号；公式/符号/定义禁用中文。

III. 字段与结构（规范性）

privacy:

policy: "no-PII|limited-PII|special-category"

lawful_basis: ["consent","contract","legitimate_interest","research"]

data_minimization: true

pii_inventory: ["<fieldA>","<fieldB>"] # PII 字段清单（若适用）

deidentification:

methods: ["hash-id","mask","truncate","generalize","noise"]

k_anon: 10

l_diversity: 2

ε_dp: null

retention:

policy: "min-necessary"

delete_after_days: 365

data_residency: ["EU","US"] # 数据驻留区域

dlp:

enabled: true

rules: ["creditcard","ssn","email"]

notes: "<non-normative>"

security:

encryption:

at_rest: "SSE-KMS|AES-256"

in_transit: "TLS1.2+"

kms: {provider:"cloud-kms|hsm", byok:true}

access_control:

model: "RBAC|ABAC"

roles: ["owner","maintainer","reader"]

enforcement: ["signed-url","token","ip-allowlist","mTLS"]

audit_log: true

network:

segmentation: ["private-subnet","sg-allowlist"]

egress_policy: "deny-by-default"

secrets:

manager: "vault|cloud-secrets"

rotation_days: 90

hardening:

container: ["non-root","readonly-rootfs","seccomp","no-new-privs"]

artifact_signing: true

compliance:

regions: ["EU-GDPR","US-CCPA","CN-DSL"] # 依据实际取舍

data_transfer:

mechanisms: ["SCCs","intra-region-only"]

third_parties:

processors: ["<vendorA>@v1.0"]

dpas_signed: true

incident_response:

contact: "security@org.example"

sla_hours: 72

runbook_ref: "security/irp.md"

audits:

schedule: "annual|quarterly"

artifacts: ["privacy/pii-scan.txt","security/pen-test.md","compliance/dpia.md"]

IV. 数据最小化与去标识化

• 最小化：仅采集/处理实现目的所必需字段；在 pii_inventory 中维护清单并与契约 schema_ref 对表。
• 去标识：采用 hash-id|mask|truncate|generalize|noise；若使用差分隐私，登记 ε_dp 与适用范围；k_anon≥k、l_diversity≥l 的参数与验证报告纳入导出物。
• 再识别风险：启用 DLP 与抽样攻击评估，形成证据报告。

V. 加密、密钥与访问控制

• 加密：静态 SSE-KMS|AES-256，传输 TLS1.2+；密钥由 KMS/HSM 管理，支持 BYOK；密钥轮换记录至审计。
• 访问：RBAC|ABAC 结合 signed-url|token|ip-allowlist|mTLS 强制；最小权限与按需授权；敏感操作必须审计。
• 网络：私网分段与安全组白名单；出口 deny-by-default 并基于域名/标签放行。

VI. 区域合规与数据驻留

• 驻留：data_residency 声明数据允许驻留与处理的区域；跨境传输使用 SCCs 或等效机制，并在导出清单引用。
• 第三方与委托处理：登记处理方与 DPAs 状态；对数据流向进行血缘标注并可追溯。

VII. 事件响应与漏洞管理

• 事件响应：incident_response.sla_hours 与联系人/Runbook 固化；分级（信息/一般/严重）与通报窗口明确；演练与结果归档。
• 漏洞管理：镜像与依赖的 SBOM、CVE 扫描与修补时限；高危缺陷阻断发布。

VIII. 日志、审计与留存

• 日志：结构化 jsonl，开启 pii_redaction；保留期 retention；安全事件进入独立审计流。
• 审计：访问日志、密钥操作、策略变更与异常处置均需可追溯；生成可验证的报告并在 export_manifest 登记 sha256。

IX. 计量与单位（SI）

1. 安全/隐私相关性能与成本度量（如加密开销、脱敏耗时、审计存储量）须以 SI 计量：T_inf(ms)、QPS(1/s)、size_bytes；metrology:{units:"SI", check_dim:true} 为强制。
2. 若合规模块涉及路径量（如 T_arr 相关处理），登记：delta_form、path="gamma(ell)"、measure="d ell"，并采用以下等价式之一通过 check_dim：
   • T_arr = ( 1 / c_ref ) * ( ∫ n_eff d ell )
   • T_arr = ( ∫ ( n_eff / c_ref ) d ell )。

X. 机器可读片段（可直接嵌入）

privacy:

policy: "limited-PII"

lawful_basis: ["consent","research"]

data_minimization: true

pii_inventory: ["user_id","email_hash"]

deidentification: {methods:["hash-id","mask"], k_anon:20, l_diversity:2, ε_dp:null}

retention: {policy:"min-necessary", delete_after_days:180}

data_residency: ["EU"]

dlp: {enabled:true, rules:["email","creditcard"]}

security:

encryption: {at_rest:"SSE-KMS", in_transit:"TLS1.2+", kms:{provider:"cloud-kms", byok:true}}

access_control: {model:"RBAC", roles:["owner","maintainer","reader"], enforcement:["token","ip-allowlist","mTLS"], audit_log:true}

network: {segmentation:["private-subnet"], egress_policy:"deny-by-default"}

secrets: {manager:"vault", rotation_days:90}

hardening: {container:["non-root","readonly-rootfs","seccomp","no-new-privs"], artifact_signing:true}

compliance:

regions: ["EU-GDPR"]

data_transfer: {mechanisms:["SCCs"]}

third_parties: {processors:["processorA@v1.0"], dpas_signed:true}

incident_response: {contact:"security@org.example", sla_hours:72, runbook_ref:"security/irp.md"}

audits: {schedule:"annual", artifacts:["privacy/pii-scan.txt","security/pen-test.md","compliance/dpia.md"]}

XI. Lint 规则（节选，规范性）

lint_rules:

- id: PRIV.POLICY_ALLOWED

when: "$.privacy.policy"

assert: "value in ['no-PII','limited-PII','special-category']"

level: error

- id: PRIV.MINIMIZATION_ON

when: "$.privacy.data_minimization"

assert: "value == true"

level: error

- id: PRIV.DPI_PARAMS

when: "$.privacy.deidentification"

assert: "has_key('methods') and (has_key('k_anon') or has_key('ε_dp'))"

level: error

- id: SEC.ENCRYPTION_REQUIRED

when: "$.security.encryption"

assert: "value.at_rest in ['SSE-KMS','AES-256'] and value.in_transit >= 'TLS1.2+'"

level: error

- id: SEC.CREDENTIALS_MANAGER

when: "$.security.secrets.manager"

assert: "value in ['vault','cloud-secrets']"

level: error

- id: COMP.REGIONS_ALLOWED

when: "$.compliance.regions[*]"

assert: "value in ['EU-GDPR','US-CCPA','CN-DSL']"

level: error

- id: IR.SLA_DEFINED

when: "$.compliance.incident_response.sla_hours"

assert: "is_number(value) and value > 0"

level: error

- id: METROLOGY.SI_AND_CHECKDIM

when: "$.metrology"

assert: "units == 'SI' and check_dim == true"

level: error

XII. 导出清单与审计

export_manifest:

version: "v1.0"

artifacts:

- {path:"privacy/pii-inventory.csv", sha256:"..."}

- {path:"privacy/deid_report.md", sha256:"..."}

- {path:"security/audit.log", sha256:"..."}

- {path:"security/sbom.json", sha256:"..."}

- {path:"compliance/dpia.md", sha256:"..."}

- {path:"compliance/data_transfer.md",sha256:"..."}

references:

- "EFT.WP.Core.DataSpec v1.0:EXPORT"

- "EFT.WP.Core.Metrology v1.0:check_dim"

- "EFT.WP.Data.DatasetCards v1.0:Ch.13"

- "EFT.WP.Data.ModelCards v1.0:Ch.14"

XIII. 本章合规自检

• 已启用数据最小化与去标识化；pii_inventory/k_anon/ε_dp 与验证证据齐备。
• 静态/传输加密生效；密钥由 KMS/HSM 管理并支持轮换；访问控制 RBAC|ABAC 与网络隔离到位，敏感操作可审计。
• 区域合规与驻留策略明确；跨境传输机制与第三方处理方登记完备并具 DPAs。
• 事件响应 SLA、联系人与 Runbook 固化；SBOM/CVE 扫描与修补流程生效。
• SI 计量与 check_dim=true 生效；涉及 T_arr 的处理已登记 delta_form/path/measure 并通过校核。
• 导出清单列出隐私/安全/合规工件与引用锚点并具 sha256，满足发布门槛。