The following questionnaire helps cloud customers assess the security posture of a public cloud provider.

CSA Consensus Assessments Initiative Questionnaire (CAIQ)

Each row below gives the control group, the CCM V3.0 control specification, the question ID (CID), the consensus assessment question, and a column for the provider's response.
| Control Group | CCM V3.0 Control Specification | CID | Consensus Assessment Question | Response |
|---|---|---|---|---|
| Application & Interface Security | | | | |
| Application Security | AIS-01: Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations. | | | |
| | | AIS-01.1 | Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)? | |
| | | AIS-01.2 | Do you use an automated source code analysis tool to detect security defects in code prior to production? | |
| | | AIS-01.3 | Do you use manual source-code analysis to detect security defects in code prior to production? | |
| | | AIS-01.4 | Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security? | |
| | | AIS-01.5 | (SaaS only) Do you review your applications for security vulnerabilities and address any issues prior to deployment to production? | |
| Customer Access Requirements | AIS-02: Prior to granting customers access to data, assets, and information systems, identified security, contractual, and regulatory requirements for customer access shall be addressed. | | | |
| | | AIS-02.1 | Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems? | |
| | | AIS-02.2 | Are all requirements and trust levels for customers' access defined and documented? | |
| Data Integrity | AIS-03: Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse. | | | |
| | | AIS-03.1 | Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data? | |
| Data Security / Integrity | AIS-04: Policies and procedures shall be established and maintained in support of data security, to include confidentiality, integrity, and availability across multiple system interfaces, jurisdictions, and business functions, to prevent improper disclosure, alteration, or destruction. | | | |
| | | AIS-04.1 | Is your Data Security Architecture designed using an industry standard (e.g., CDSA, MULITSAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS)? | |
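AIS-03 asks whether reconciliation and edit checks exist at application interfaces and databases, but the questionnaire does not show what those two routines are. The block below is an added example, not CAIQ text and not any provider's code, of both at an API boundary: per-record edit checks reject malformed or out-of-domain fields, and a batch-level reconciliation against the sender's control totals catches a record that is well-formed but dropped, duplicated or altered in transit, which no field check can see. The batch layout, the account-ID format, the currency reference table and the three sample batches are all constructed for this example.

```python
"""Edit checks and reconciliation at an API/database boundary (AIS-03).
Added illustration: not CAIQ text or any provider's code. The batch
format, field rules and sample batches below are constructed for it."""
from __future__ import annotations
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Optional
import re

ACCOUNT_RE = re.compile(r"^[A-Z]{2}\d{8}$")  # assumed account-id format
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}     # assumed reference table


@dataclass(frozen=True)
class Record:
    account: str
    amount: Decimal
    currency: str


def edit_check(raw: dict) -> tuple[Optional[Record], list[str]]:
    """Field-level edit checks on one inbound record: format, domain and
    range. Returns the typed record (or None) plus a list of errors."""
    errors: list[str] = []
    account = str(raw.get("account", ""))
    if not ACCOUNT_RE.match(account):
        errors.append(f"account {account!r}: bad format")
    try:
        amount = Decimal(str(raw.get("amount", "")))
    except InvalidOperation:
        amount = Decimal("NaN")
    if (not amount.is_finite() or amount <= 0
            or amount.as_tuple().exponent < -2):
        errors.append(f"amount {raw.get('amount')!r}: not a positive value with at most 2 decimals")
    currency = str(raw.get("currency", ""))
    if currency not in ALLOWED_CURRENCIES:
        errors.append(f"currency {currency!r}: not in reference table")
    if errors:
        return None, errors
    return Record(account, amount, currency), []


def reconcile(trailer: dict, accepted: list[Record]) -> list[str]:
    """Batch-level reconciliation: the sender's control totals must equal
    what was actually accepted, so a record dropped, duplicated or altered
    between sender and receiver is caught even if every field looks valid."""
    problems: list[str] = []
    if len(accepted) != int(trailer["record_count"]):
        problems.append(f"record count: trailer says {trailer['record_count']}, accepted {len(accepted)}")
    total = sum((r.amount for r in accepted), Decimal("0"))
    if total != Decimal(str(trailer["control_total"])):
        problems.append(f"control total: trailer says {trailer['control_total']}, accepted sum {total}")
    return problems


def process_batch(batch: dict) -> dict:
    """Edit-check every record, then reconcile; commit only if both pass."""
    accepted: list[Record] = []
    rejected: list[tuple[int, list[str]]] = []
    for index, raw in enumerate(batch["records"]):
        record, errors = edit_check(raw)
        if record is None:
            rejected.append((index, errors))
        else:
            accepted.append(record)
    problems = reconcile(batch["trailer"], accepted)
    if rejected:
        problems.append(f"{len(rejected)} record(s) failed edit checks")
    return {"committed": not problems, "accepted": len(accepted),
            "rejected": rejected, "problems": problems}


# Constructed sample batches (not real data).
GOOD_BATCH = {
    "records": [
        {"account": "GB12345678", "amount": "100.00", "currency": "USD"},
        {"account": "DE87654321", "amount": "250.50", "currency": "EUR"},
        {"account": "US00000001", "amount": "49.99", "currency": "GBP"},
    ],
    "trailer": {"record_count": 3, "control_total": "400.49"},
}
# Same batch with one amount altered in transit: every field is still
# well-formed, only the control total exposes the change.
TAMPERED_BATCH = {
    "records": [dict(GOOD_BATCH["records"][0]),
                {"account": "DE87654321", "amount": "2505.00", "currency": "EUR"},
                dict(GOOD_BATCH["records"][2])],
    "trailer": dict(GOOD_BATCH["trailer"]),
}
MALFORMED_BATCH = {
    "records": [{"account": "gb1234", "amount": "12.345", "currency": "XXX"}],
    "trailer": {"record_count": 1, "control_total": "12.345"},
}

if __name__ == "__main__":
    for name, batch in [("good", GOOD_BATCH), ("tampered", TAMPERED_BATCH),
                        ("malformed", MALFORMED_BATCH)]:
        print(name, process_batch(batch))
```

The same `reconcile()` run after commit, against the count and sum the database reports for the rows just written, covers the output side of the control: a mismatch there points to a systematic processing error in the write path rather than to bad input, which is the distinction AIS-03 draws between manual and systematic errors.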
| Control Group | CCM V3.0 Control Specification | CID | Consensus Assessment Question | Response |
|---|---|---|---|---|
| Audit Assurance & Compliance | | | | |
| Audit Planning | AAC-01: Audit plans shall be developed and maintained to address business process disruptions. Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations. All audit activities must be agreed upon prior to executing any audits. | | | |
| | | AAC-01.1 | Do you produce audit assertions using a structured, industry accepted format (e.g., CloudAudit/A6 URI Ontology, CloudTrust, SCAP/CYBEX, GRC XML, ISACA's Cloud Computing Management Audit/Assurance Program, etc.)? | |
| Independent Audits | AAC-02: Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations. | | | |
| | | AAC-02.1 | Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports? | |
| | | AAC-02.2 | Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance? | |
| | | AAC-02.3 | Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance? | |
| | | AAC-02.4 | Do you conduct internal audits regularly as prescribed by industry best practices and guidance? | |
| | | AAC-02.5 | Do you conduct external audits regularly as prescribed by industry best practices and guidance? | |
| | | AAC-02.6 | Are the results of the penetration tests available to tenants at their request? | |
| | | AAC-02.7 | Are the results of internal and external audits available to tenants at their request? | |
| | | AAC-02.8 | Do you have an internal audit program that allows for cross-functional audit of assessments? | |
| Information System Regulatory Mapping | AAC-03: Organizations shall create and maintain a control framework which captures standards, regulatory, legal, and statutory requirements relevant for their business needs. The control framework shall be reviewed at least annually to ensure changes that could affect the business processes are reflected. | | | |
| | | AAC-03.1 | Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data? | |
| | | AAC-03.2 | Do you have the capability to recover data for a specific customer in the case of a failure or data loss? | |
| | | AAC-03.3 | Do you have the capability to restrict the storage of customer data to specific countries or geographic locations? | |
| | | AAC-03.4 | Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements? | |
| Control Group | CCM V3.0 Control Specification | CID | Consensus Assessment Question | Response |
|---|---|---|---|---|
| Business Continuity Management & Operational Resilience | | | | |
| Business Continuity Planning | BCR-01: A consistent unified framework for business continuity planning and plan development shall be established, documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business continuity plans include the following: • Defined purpose and scope, aligned with relevant dependencies • Accessible to and understood by those who will use them • Owned by a named person(s) who is responsible for their review, update, and approval • Defined lines of communication, roles, and responsibilities • Detailed recovery procedures, manual work-around, and reference information • Method for plan invocation | | | |
| | | BCR-01.1 | Do you provide tenants with geographically resilient hosting options? | |
| | | BCR-01.2 | Do you provide tenants with infrastructure service failover capability to other providers? | |
| Business Continuity Testing | BCR-02: Business continuity and security incident response plans shall be subject to testing at planned intervals or upon significant organizational or environmental changes. Incident response plans shall involve impacted customers (tenants) and other business relationships that represent critical intra-supply chain business process dependencies. | | | |
| | | BCR-02.1 | Are business continuity plans subject to test at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness? | |
| Datacenter Utilities / Environmental Conditions | BCR-03: Datacenter utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions. | | | |
| | | BCR-03.1 | Do you provide tenants with documentation showing the transport route of their data between your systems? | |
| | | BCR-03.2 | Can tenants define how their data is transported and through which legal jurisdictions? | |
| Documentation | BCR-04: Information system documentation (e.g., administrator and user guides, and architecture diagrams) shall be made available to authorized personnel to ensure the following: • Configuring, installing, and operating the information system • Effectively using the system's security features | | | |
| | | BCR-04.1 | Are information system documents (e.g., administrator and user guides, architecture diagrams, etc.) made available to authorized personnel to ensure configuration, installation and operation of the information system? | |
| Environmental Risks | BCR-05: Physical protection against damage from natural causes and disasters, as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear accident, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed, and have countermeasures applied. | | | |
| | | BCR-05.1 | Is physical protection against damage (e.g., natural causes, natural disasters, deliberate attacks) anticipated and designed with countermeasures applied? | |
| Equipment Location | BCR-06: To reduce the risks from environmental threats, hazards, and opportunities for unauthorized access, equipment shall be kept away from locations subject to high probability environmental risks and supplemented by redundant equipment located at a reasonable distance. | | | |
| | | BCR-06.1 | Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)? | |
| Equipment Maintenance | BCR-07: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for equipment maintenance ensuring continuity and availability of operations and support personnel. | | | |
| | | BCR-07.1 | If using virtual infrastructure, does your cloud solution include independent hardware restore and recovery capabilities? | |
| | | BCR-07.2 | If using virtual infrastructure, do you provide tenants with a capability to restore a Virtual Machine to a previous state in time? | |
| | | BCR-07.3 | If using virtual infrastructure, do you allow virtual machine images to be downloaded and ported to a new cloud provider? | |
| | | BCR-07.4 | If using virtual infrastructure, are machine images made available to the customer in a way that would allow the customer to replicate those images in their own off-site storage location? | |
| | | BCR-07.5 | Does your cloud solution include software/provider independent restore and recovery capabilities? | |
| Equipment Power Failures | BCR-08: Protection measures shall be put into place to react to natural and man-made threats based upon a geographically-specific Business Impact Assessment. | | | |
| | | BCR-08.1 | Are security mechanisms and redundancies implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.)? | |
| Impact Analysis | BCR-09: There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following: • Identify critical products and services • Identify all dependencies, including processes, applications, business partners, and third party service providers • Understand threats to critical products and services • Determine impacts resulting from planned or unplanned disruptions and how these vary over time • Establish the maximum tolerable period for disruption • Establish priorities for recovery • Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption • Estimate the resources required for resumption | | | |
| | | BCR-09.1 | Do you provide tenants with ongoing visibility and reporting of your operational Service Level Agreement (SLA) performance? | |
| | | BCR-09.2 | Do you make standards-based information security metrics (CSA, CAMM, etc.) available to your tenants? | |
| | | BCR-09.3 | Do you provide customers with ongoing visibility and reporting of your SLA performance? | |
| Policy | BCR-10: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery and support of the organization's IT capabilities supporting business functions, workforce, and/or customers based on industry acceptable standards (i.e., ITIL v3 and COBIT 5). Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training. | | | |
| | | BCR-10.1 | Are policies and procedures established and made available for all personnel to adequately support services operations' roles? | |
| Retention Policy | BCR-11: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obligations. Backup and recovery measures shall be incorporated as part of business continuity planning and tested accordingly for effectiveness. | | | |
| | | BCR-11.1 | Do you have technical control capabilities to enforce tenant data retention policies? | |
| | | BCR-11.2 | Do you have a documented procedure for responding to requests for tenant data from governments or third parties? | |
| | | BCR-11.4 | Have you implemented backup or redundancy mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements? | |
| | | BCR-11.5 | Do you test your backup or redundancy mechanisms at least annually? | |
| Control Group | CCM V3.0 Control Specification | CID | Consensus Assessment Question | Response |
|---|---|---|---|---|
| Change Control & Configuration Management | | | | |
| New Development / Acquisition | CCC-01: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or datacenter facilities have been pre-authorized by the organization's business leadership or other accountable business role or function. | | | |
| | | CCC-01.1 | Are policies and procedures established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities? | |
| | | CCC-01.2 | Is documentation available that describes the installation, configuration and use of products/services/features? | |
| Outsourced Development | CCC-02: External business partners shall adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g., ITIL service management processes). | | | |
| | | CCC-02.1 | Do you have controls in place to ensure that standards of quality are being met for all software development? | |
| | | CCC-02.2 | Do you have controls in place to detect source code security defects for any outsourced software development activities? | |
| Quality Testing | CCC-03: Organizations shall follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards that focus on system availability, confidentiality, and integrity of systems and services. | | | |
| | | CCC-03.1 | Do you provide your tenants with documentation that describes your quality assurance process? | |
| | | CCC-03.2 | Is documentation describing known issues with certain products/services available? | |
| | | CCC-03.3 | Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings? | |
| | | CCC-03.4 | Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions? | |
| Unauthorized Software Installations | CCC-04: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components. | | | |
| | | CCC-04.1 | Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems? | |
| Production Changes | CCC-05: Policies and procedures shall be established for managing the risks associated with applying changes to: • business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations • infrastructure network and systems components. Technical measures shall be implemented to provide assurance that, prior to deployment, every change directly corresponds to a registered change request and that business-critical or customer (tenant)-impacting changes have been authorized by the customer (tenant) as per agreement (SLA). | | | |
| | | CCC-05.1 | Do you provide tenants with documentation that describes your production change management procedures and their roles / rights / responsibilities within it? | |
| Control Group | CCM V3.0 Control Specification | CID | Consensus Assessment Question | Response |
|---|---|---|---|---|
| Data Security & Information Lifecycle Management | | | | |
| Classification | DSI-01: Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization. | | | |
| | | DSI-01.1 | Do you provide a capability to identify virtual machines via policy tags/metadata (e.g., tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country)? | |
| | | DSI-01.2 | Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag, etc.)? | |
| | | DSI-01.3 | Do you have a capability to use system geographic location as an authentication factor? | |
| | | DSI-01.4 | Can you provide the physical location/geography of storage of a tenant's data upon request? | |
| | | DSI-01.5 | Can you provide the physical location/geography of storage of a tenant's data in advance? | |
| | | DSI-01.6 | Do you follow a structured data-labeling standard (e.g., ISO 15489, Oasis XML Catalog Specification, CSA data type guidance)? | |
| | | DSI-01.7 | Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation? | |
| Data Inventory / Flows | DSI-02: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service's geographically distributed (physical and virtual) applications and infrastructure network and systems components and/or shared with other third parties, to ascertain any regulatory, statutory, or supply chain agreement (SLA) compliance impact, and to address any other business risks associated with the data. Upon request, the provider shall inform the customer (tenant) of compliance impact and risk, especially if customer data is used as part of the services. | | | |
| | | DSI-02.1 | Do you inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the services' applications and infrastructure network and systems? | |
| | | DSI-02.2 | Can you ensure that data does not migrate beyond a defined geographical residency? | |
| eCommerce Transactions | DSI-03: Data related to electronic commerce (e-commerce) that traverses public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification in such a manner to prevent contract dispute and compromise of data. | | | |
| | | DSI-03.1 | Do you provide open encryption methodologies (3DES, AES, etc.) to tenants in order for them to protect their data if it is required to move through public networks (e.g., the Internet)? | |
| | | DSI-03.2 | Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)? | |
| Handling / Labeling / Security Policy | DSI-04: Policies and procedures shall be established for the labeling, handling, and security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data. | | | |
| | | DSI-04.1 | Are policies and procedures established for labeling, handling and the security of data and objects that contain data? | |
| | | DSI-04.2 | Are mechanisms for label inheritance implemented for objects that act as aggregate containers for data? | |
| Nonproduction Data | DSI-05: Production data shall not be replicated or used in non-production environments. Any use of customer data in non-production environments requires explicit, documented approval from all customers whose data is affected, and must comply with all legal and regulatory requirements for scrubbing of sensitive data elements. | | | |
| | | DSI-05.1 | Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments? | |
| Ownership / Stewardship | DSI-06: All data shall be designated with stewardship, with assigned responsibilities defined, documented, and communicated. | | | |
| | | DSI-06.1 | Are the responsibilities regarding data stewardship defined, assigned, documented and communicated? | |
| Secure Disposal | DSI-07: Policies and procedures shall be established, with supporting business processes and technical measures implemented, for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means. | | | |
| | | DSI-07.1 | Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data as determined by the tenant? | |
| | | DSI-07.2 | Can you provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of tenant data once a customer has exited your environment or has vacated a resource? | |
| Control Group | CCM V3.0 Control Specification | CID | Consensus Assessment Question | Response |
|---|---|---|---|---|
| Datacenter Security | | | | |
| Asset Management | DCS-01: Assets must be classified in terms of business criticality, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time shall be maintained and updated regularly, and assigned ownership by defined roles and responsibilities. | | | |
| | | DCS-01.1 | Do you maintain a complete inventory of all of your critical assets that includes ownership of the asset? | |
| | | DCS-01.2 | Do you maintain a complete inventory of all of your critical supplier relationships? | |
| Controlled Access Points | DCS-02: Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) shall be implemented to safeguard sensitive data and information systems. | | | |
| | | DCS-02.1 | Are physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) implemented? | |
| Equipment Identification | DCS-03: Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location. | | | |
| | | DCS-03.1 | Is automated equipment identification used as a method to validate connection authentication integrity based on known equipment location? | |
| Offsite Authorization | DCS-04: Authorization must be obtained prior to relocation or transfer of hardware, software, or data to an offsite premises. | | | |
| | | DCS-04.1 | Do you provide tenants with documentation that describes scenarios in which data may be moved from one physical location to another (e.g., offsite backups, business continuity failovers, replication)? | |
| Offsite Equipment | DCS-05: Policies and procedures shall be established for the secure disposal of equipment (by asset type) used outside the organization's premises. This shall include a wiping solution or destruction process that renders recovery of information impossible. The erasure shall consist of a full overwrite of the drive to ensure that the erased drive is released to inventory for reuse and deployment, or securely stored until it can be destroyed. | | | |
| | | DCS-05.1 | Can you provide tenants with evidence documenting your policies and procedures governing asset management and repurposing of equipment? | |
| Policy | DCS-06: Policies and procedures shall be established, and supporting business processes implemented, for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas storing sensitive information. | | | |
| | | DCS-06.1 | Can you provide evidence that policies, standards and procedures have been established for maintaining a safe and secure working environment in offices, rooms, facilities and secure areas? | |
| | | DCS-06.2 | Can you provide evidence that your personnel and involved third parties have been trained regarding your documented policies, standards and procedures? | |
| Secure Area Authorization | DCS-07: Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access. | | | |
| | | DCS-07.1 | Do you allow tenants to specify which of your geographic locations their data is allowed to move into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)? | |
| Unauthorized Persons Entry | DCS-08: Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise, and loss. | | | |
| | | DCS-08.1 | Are ingress and egress points, such as service areas and other points where unauthorized personnel may enter the premises, monitored, controlled and isolated from data storage and processing? | |
| User Access | DCS-09: Physical access to information assets and functions by users and support personnel shall be restricted. | | | |
| | | DCS-09.1 | Do you restrict physical access to information assets and functions by users and support personnel? | |
Encryption & Key Management 加密与密钥管理 | ||||
Entitlement 权利 |
Keys must have identifiable owners (binding keys to identities) and there shall be key management policies. 密钥必须具备可识别的所有者(将密钥与身份绑定),并建立密钥管理策略。 |
EKM-01.1 | Do you have key management policies binding keys to identifiable owners? 是否有key管理策略绑定key去识别拥有者? |
|
Key Generation 密钥生成 |
Policies and procedures shall be established for the management of cryptographic keys in the service's cryptosystem (e.g., lifecycle management from key generation to revocation and replacement, public key infrastructure, cryptographic protocol design and algorithms used, access controls in place for secure key generation, and exchange and storage including segregation of keys used for encrypted data or sessions). Upon request, provider shall inform the customer (tenant) of changes within the cryptosystem, especially if the customer (tenant) data is used as part of the service, and/or the customer (tenant) has some shared responsibility over implementation of the control. 应建立策略和规程,以管理服务加密系统中的密钥(如:从密钥生成到撤销和更换的全生命周期,公钥架构、加密协议设计和算法使用,安全密钥生成的访问控制,以及加密数据或会话的交换和隔离存储)。按要求,提供商应通知客户(租户)有关密码系统的变更,特别是当客户(租户)的数据作为服务的一部分,和/或客户(租户)共同承担控制措施实施责任时。 |
EKM-02.1 | Do you have a capability to allow creation of unique encryption keys per tenant? 您是否有能力为每个租户创建唯一的加密密钥? |
|
EKM-02.2 | Do you have a capability to manage encryption keys on behalf of tenants? 您是否有能力代表租户管理加密密钥? |
|||
EKM-02.3 | Do you maintain key management procedures? 您是否维护密钥管理程序? |
|||
EKM-02.4 | Do you have documented ownership for each stage of the lifecycle of encryption keys? 您是否为加密密钥生命周期的每个阶段记录了所有权归属? |
|||
EKM-02.5 | Do you utilize any third party/open source/proprietary frameworks to manage encryption keys? 您是否使用任何第三方/开源/专有框架来管理加密密钥? |
|||
Encryption 加密 |
Policies and procedures shall be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations. 使用加密协议时应建立策略和规程,并实施支持性业务流程和技术手段,按照适用的法律、法规和合规性义务,以保护敏感数据的存储(如文件服务器、数据库、终端用户工作站)、使用(内存中数据)、传输(如系统交互、跨越公共网络和电子消息)。 |
EKM-03.1 | Do you encrypt tenant data at rest (on disk/storage) within your environment? 您是否在您的环境中对静态的租户数据(存储在磁盘/存储介质上)进行加密? |
|
EKM-03.2 | Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances? 在网络和虚拟机管理程序实例之间进行传输时,您是否利用加密来保护数据和虚拟机映像? |
|||
EKM-03.3 | Do you support tenant-generated encryption keys or permit tenants to encrypt data to an identity without access to a public key certificate (e.g. identity-based encryption)? 您是否支持租户生成的加密密钥,或允许租户在无需访问公钥证书的情况下将数据加密至某个身份(例如基于身份的加密)? |
|||
EKM-03.4 | Do you have documentation establishing and defining your encryption management policies, procedures and guidelines? 您是否有文档建立并定义了您的加密管理策略、规程和指南? |
|||
Storage and Access 存储和访问 |
Platform and data-appropriate encryption (e.g., AES-256) in open/validated formats and standard algorithms shall be required. Keys shall not be stored in the cloud (i.e. at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider. Key management and key usage shall be separated duties. 应要求使用开放、经验证的格式和标准算法(例如,AES-256)对平台和数据进行适当加密。密钥不应存储在云端(即:所涉及的云服务提供商处),而应由云用户或可信的密钥管理服务商维护。密钥管理和密钥使用应做到职责分离。 |
EKM-04.1 | Do you have platform and data appropriate encryption that uses open/validated formats and standard algorithms? 您是否对平台和数据实施了使用开放/经验证格式和标准算法的适当加密? |
|
EKM-04.2 | Are your encryption keys maintained by the cloud consumer or a trusted key management provider? 您的加密密钥是由云用户还是由可信的密钥管理服务商维护的? |
|||
EKM-04.3 | Do you store encryption keys in the cloud? 您是否将加密密钥存储在云中? |
|||
EKM-04.4 | Do you have separate key management and key usage duties? 是否有单独的密钥管理和密钥使用职责? |
|||
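The following Go program is an added illustration, not part of the CAIQ or any provider's code, of the capabilities EKM-01.1, EKM-02.1 and EKM-04.4 ask about: one AES-256 key per tenant, each key record bound to an identifiable owner, a revocation state enforced on every use, and key material held by a custodian that callers on the data path never see. The tenant names and owner identities are constructed placeholders, and a production custodian would live in an HSM or external key-management service rather than in the application's own process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrUnknownTenant = errors.New("no key record for tenant")
	ErrKeyRevoked    = errors.New("key is revoked")
	ErrDuplicateKey  = errors.New("tenant already has a key")
)

// KeyRecord is the metadata EKM-01/EKM-02 ask for: a key bound to an owner, with lifecycle state.
type KeyRecord struct {
	Owner   string
	Revoked bool
	kek     []byte // 32-byte AES-256 key; never returned to callers
}

// Custodian carries the key-management duty (EKM-04.4); data-path callers only hold a tenant name.
type Custodian struct{ Records map[string]*KeyRecord }

// Generate creates a unique AES-256 key for the tenant (EKM-02.1) bound to an owner.
func (c *Custodian) Generate(tenant, owner string) error {
	if _, ok := c.Records[tenant]; ok {
		return ErrDuplicateKey
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	c.Records[tenant] = &KeyRecord{Owner: owner, kek: key}
	return nil
}

// Revoke ends the key's lifecycle; Seal and Open then refuse the tenant.
func (c *Custodian) Revoke(tenant string) error {
	r, ok := c.Records[tenant]
	if !ok {
		return ErrUnknownTenant
	}
	r.Revoked = true
	return nil
}

// aead builds AES-256-GCM over the tenant's key, only while the key is active.
func (c *Custodian) aead(tenant string) (cipher.AEAD, error) {
	r, ok := c.Records[tenant]
	if !ok {
		return nil, ErrUnknownTenant
	}
	if r.Revoked {
		return nil, ErrKeyRevoked
	}
	block, err := aes.NewCipher(r.kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts under the tenant's key and returns nonce || ciphertext || tag.
func (c *Custodian) Seal(tenant string, plaintext []byte) ([]byte, error) {
	aead, err := c.aead(tenant)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts under the named tenant's key; data sealed for another tenant
// fails GCM authentication, so a cross-tenant read yields an error, not plaintext.
func (c *Custodian) Open(tenant string, box []byte) ([]byte, error) {
	aead, err := c.aead(tenant)
	if err != nil {
		return nil, err
	}
	if len(box) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, box[:aead.NonceSize()], box[aead.NonceSize():], nil)
}

func main() {
	c := &Custodian{Records: map[string]*KeyRecord{}}
	_ = c.Generate("tenant-a", "alice@tenant-a.example") // constructed owner identity
	_ = c.Generate("tenant-b", "bob@tenant-b.example")
	box, _ := c.Seal("tenant-a", []byte("tenant A record"))
	_, err := c.Open("tenant-b", box) // wrong tenant's key: authentication fails
	fmt.Println("cross-tenant read:", err)
}
```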
Governance and Risk Management 治理与风险管理 | ||||
Baseline Requirements 基本要求 |
Baseline security requirements shall be established for developed or acquired, organizationally-owned or managed, physical or virtual, applications and infrastructure system and network components that comply with applicable legal, statutory and regulatory compliance obligations. Deviations from standard baseline configurations must be authorized following change management policies and procedures prior to deployment, provisioning, or use. Compliance with security baseline requirements must be reassessed at least annually unless an alternate frequency has been established and authorized based on business need. 应对应用软件、基础系统和网络组件建立安全基线要求,涵盖自主开发或采购的、组织拥有或管理的、物理或虚拟的应用、基础架构系统和网络组件,使其遵循适用的法律法规和合规性义务。标准基线配置的偏差必须在部署、配置或使用前按照变更管理策略和规程执行授权。安全基线要求应至少每年重新评估一次,除非已授权了另一个基于业务需求的评估频率。 |
GRM-01.1 | Do you have documented information security baselines for every component of your infrastructure (e.g., hypervisors, operating systems, routers, DNS servers, etc.)? 您是否为基础设施的每个组件(例如虚拟机管理程序、操作系统、路由器、DNS服务器等)建立了文档化的信息安全基线? |
|
GRM-01.2 | Do you have a capability to continuously monitor and report the compliance of your infrastructure against your information security baselines? 您是否有能力持续监视和报告您的基础架构是否符合您的信息安全基线? |
|||
GRM-01.3 | Do you allow your clients to provide their own trusted virtual machine image to ensure conformance to their own internal standards? 您是否允许客户提供自己的可信的虚拟机映像以确保符合其内部标准? |
|||
Risk Assessments 风险评估 |
Risk assessments associated with data governance requirements shall be conducted at planned intervals and shall consider the following: 应按计划的时间隔执行与数据治理要求相关的风险评估,并考虑以下方面: • Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure 意识到敏感数据会在应用程序、数据库、服务器和网络架构中被存储和传输到哪些地方; • Compliance with defined retention periods and end-of-life disposal requirements 符合定义的保留期和废弃处置的要求 • Data classification and protection from unauthorized use, access, loss, destruction, and falsification 为防止未授权使用、访问、丢失、损毁和伪造,而进行的数据分类和保护。 |
GRM-02.1 | Do you provide security control health data in order to allow tenants to implement industry standard Continuous Monitoring (which allows continual tenant validation of your physical and logical control status)? 您是否提供安全控制健康数据以允许租户实施行业标准连续监测(允许持续验证您的物理和逻辑控制状态)? |
|
GRM-02.2 | Do you conduct risk assessments associated with data governance requirements at least once a year? 您是否每年至少进行一次与数据治理要求相关的风险评估? |
|||
Management Oversight 管理监督 |
Managers are responsible for maintaining awareness of, and complying with, security policies, procedures, and standards that are relevant to their area of responsibility. 管理者负责保持其管辖范围相关的安全策略、规程和标准的意识知晓与合规遵从。 |
GRM-03.1 | Are your technical, business, and executive managers responsible for maintaining awareness of and compliance with security policies, procedures, and standards for both themselves and their employees as they pertain to the manager and employees' area of responsibility? 您的技术、业务和高层管理者是否负责就其自身及其员工职责范围相关的安全政策、规程和标准,保持自身和员工的知晓与遵从? |
|
Management Program 管理程序 |
An Information Security Management Program (ISMP) shall be developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program shall include, but not be limited to, the following areas insofar as they relate to the characteristics of the business: 应开发文件化的信息安全管理方案(ISMP)并得到批准和实施,该方案包括管理、技术和物理的安全保护,使资产和数据免受丢失、误用、非授权访问、泄露、修改和破坏。根据其与业务特性的相关程度,安全方案应包括但不限于以下内容: • Risk management 风险管理 • Security policy 安全策略 • Organization of information security 信息安全组织 • Asset management 资产管理 • Human resources security 人力资源安全 • Physical and environmental security 物理和环境安全 • Communications and operations management 通信和操作管理 • Access control 访问控制 • Information systems acquisition, development, and maintenance 信息系统获取、开发和维护。 |
GRM-04.1 | Do you provide tenants with documentation describing your Information Security Management Program (ISMP)? 您是否向租户提供描述您的信息安全管理计划(ISMP)的文档? |
|
GRM-04.2 | Do you review your Information Security Management Program (ISMP) at least once a year? 您是否每年至少评审一次您的信息安全管理计划(ISMP)? |
|||
Management Support / Involvement 管理支持/参与 |
Executive and line management shall take formal action to support information security through clearly-documented direction and commitment, and shall ensure the action has been assigned. 各级管理层应通过明确的、文档化的指引和承诺,采取正式的行动来支持信息安全,并确保行动已被分配。 |
GRM-05.1 | Do you ensure your providers adhere to your information security and privacy policies? 您是否确保您的供应商遵守您的信息安全和隐私政策? |
|
Policy 政策 |
Information security policies and procedures shall be established and made readily available for review by all impacted personnel and external business relationships. Information security policies must be authorized by the organization's business leadership (or other accountable business role or function) and supported by a strategic business plan and an information security management program inclusive of defined information security roles and responsibilities for business leadership. 应建立信息安全政策和程序,并使之可供所有受影响的人员和外部业务关系随时评审。信息安全政策必须由组织的业务领导(或其他负责的业务角色或部门)授权,获得业务战略计划和信息安全管理程序支持,包括为业务领导定义的信息安全角色和职责。 |
GRM-06.1 | Do your information security and privacy policies align with industry standards (ISO-27001, ISO-22307, CoBIT, etc.)? 您的信息安全和隐私政策是否与行业标准(ISO-27001,ISO-22307,CoBIT等)保持一致? |
|
GRM-06.2 | Do you have agreements to ensure your providers adhere to your information security and privacy policies? 您是否有协议来确保您的提供商遵守您的信息安全和隐私政策? |
|||
GRM-06.3 | Can you provide evidence of due diligence mapping of your controls, architecture and processes to regulations and/or standards? 您能否提供将您的控制措施、架构和流程与法规和/或标准进行尽职调查映射的证据? |
|||
GRM-06.4 | Do you disclose which controls, standards, certifications and/or regulations you comply with? 您是否公开您所遵守的控制措施、标准、认证和/或法规? |
|||
Policy Enforcement 政策执行 |
A formal disciplinary or sanction policy shall be established for employees who have violated security policies and procedures. Employees shall be made aware of what action might be taken in the event of a violation, and disciplinary measures must be stated in the policies and procedures. 应建立正式的纪律处分或处罚政策,以应对员工违反安全策略和规程的情况。应让员工知晓发生违规时可能采取的处分措施,并在策略和规程中明示惩戒措施。 |
GRM-07.1 | Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures? 是否为违反安全政策和程序的员工制定了正式的纪律或处罚政策? |
|
GRM-07.2 | Are employees made aware of what actions could be taken in the event of a violation via their policies and procedures? 员工是否通过其政策和规程知晓发生违规时可能采取的措施? |
|||
Business / Policy Change Impacts 业务/政策变化影响 |
Risk assessment results shall include updates to security policies, procedures, standards, and controls to ensure that they remain relevant and effective. 风险评估结果应包括对安全策略、规程、标准和控制措施的更新,以确保它们持续相关且有效。 |
GRM-08.1 | Do risk assessment results include updates to security policies, procedures, standards and controls to ensure they remain relevant and effective? 风险评估结果是否包括对安全政策、程序、标准和控制的更新,以确保它们保持相关性和有效性? |
|
Policy Reviews 政策检查 |
The organization's business leadership (or other accountable business role or function) shall review the information security policy at planned intervals or as a result of changes to the organization to ensure its continuing alignment with the security strategy, effectiveness, accuracy, relevance, and applicability to legal, statutory, or regulatory compliance obligations. 组织的业务领导(或其他负责的业务角色或部门)应按计划的时间间隔,或在组织发生变革时,评审其信息安全方针,以确保信息安全方针持续符合安全战略且有效、准确、适宜,并符合法律法规要求及合规性义务。 |
GRM-09.1 | Do you notify your tenants when you make material changes to your information security and/or privacy policies? 当您对您的信息安全和/或隐私政策进行重大更改时,您是否通知租户? |
|
GRM-09.2 | Do you perform, at minimum, annual reviews to your privacy and security policies? 您是否至少对您的隐私和安全策略进行年度评估? |
|||
Assessments 评估 |
Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually or at planned intervals, (and in conjunction with any changes to information systems) to determine the likelihood and impact of all identified risks using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk shall be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance). 应保持与企业层面框架的一致性,至少每年或按计划的时间间隔(并伴随信息系统的任何变更)开展正式的风险评估,使用定性和定量的方法来确定所有已识别风险的可能性和影响。应分别独立确定固有风险和残余风险的可能性和影响,并综合考虑所有风险类别(如:审计结果、威胁和脆弱性分析、合规性等)。 |
GRM-10.1 | Are formal risk assessments aligned with the enterprise-wide framework and performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods? 正式风险评估是否与企业范围框架一致,并且至少每年或按照计划的时间间隔进行,使用定性和定量方法确定所有已识别风险的可能性和影响? |
|
GRM-10.2 | Is the likelihood and impact associated with inherent and residual risk determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance)? 考虑到所有风险类别(例如审计结果,威胁和脆弱性分析以及法规遵从性),是否独立确定固有风险和剩余风险相关的可能性和影响? |
|||
Program 程序 |
Risks shall be mitigated to an acceptable level. Acceptance levels based on risk criteria shall be established and documented in accordance with reasonable resolution time frames and stakeholder approval. 风险应控制在一个可接受的水平。应建立基于风险准则的风险接受级别并将其文件化,使其符合合理的解决时间框架并得到利益相关方的批准。 |
GRM-11.1 | Do you have a documented, organization-wide program in place to manage risk? 您是否有一个文档化的、覆盖整个组织的风险管理计划? |
|
GRM-11.2 | Do you make available documentation of your organization-wide risk management program? 您是否提供组织范围风险管理计划的文档? |
|||
Human Resources Security 人力资源安全 | ||||
Asset Returns 资产归还 |
Upon termination of workforce personnel and/or expiration of external business relationships, all organizationally-owned assets shall be returned within an established period. 当员工离职和/或外部业务关系终止时,应保证所有组织资产在规定时间内归还。 |
HRS-01.1 | Are systems in place to monitor for privacy breaches and notify tenants expeditiously if a privacy event may have impacted their data? 如果隐私事件可能影响了他们的数据,是否有系统监控隐私泄露并迅速通知租户? |
|
HRS-01.2 | Is your Privacy Policy aligned with industry standards? 您的隐私政策是否符合行业标准? |
|||
Background Screening 背景调查 |
Pursuant to local laws, regulations, ethics, and contractual constraints, all employment candidates, contractors, and third parties shall be subject to background verification proportional to the data classification to be accessed, the business requirements, and acceptable risk. 应根据当地的法律、法规、道德和合同约束,针对所有候选员工、承包商和第三方,根据其可访问的数据类别、业务需求和可接受风险来开展背景调查。 |
HRS-02.1 | Pursuant to local laws, regulations, ethics and contractual constraints, are all employment candidates, contractors and involved third parties subject to background verification? 根据当地法律、法规、道德和合同约束,是否对所有候选员工、承包商和相关第三方进行背景核实? |
|
Employment Agreements 雇佣协议 |
Employment agreements shall incorporate provisions and/or terms for adherence to established information governance and security policies and must be signed by newly hired or on-boarded workforce personnel (e.g., full or part-time employee or contingent staff) prior to granting workforce personnel user access to corporate facilities, resources, and assets. 雇佣协议应包含遵守既定信息治理和安全政策的条款和/或条件,且必须由新聘或新入职的员工(例如:全职、兼职或临时员工)在被授予访问企业设施、资源和资产的权限之前签署。 |
HRS-03.1 | Do you specifically train your employees regarding their specific role and the information security controls they must fulfill? 您是否专门培训员工关于他们的特定角色以及他们必须履行的信息安全控制? |
|
HRS-03.2 | Do you document employee acknowledgment of training they have completed? 您是否记录员工对其已完成培训的确认? |
|||
HRS-03.3 | Are all personnel required to sign NDA or Confidentiality Agreements as a condition of employment to protect customer/tenant information? 是否要求所有人员签署NDA或保密协议作为雇佣条件,以保护客户/租户信息? |
|||
HRS-03.4 | Is successful and timed completion of the training program considered a prerequisite for acquiring and maintaining access to sensitive systems? 培训计划的成功且按时完成是否被视为获取和保持敏感系统访问权限的先决条件? |
|||
HRS-03.5 | Are personnel trained and provided with awareness programs at least once a year? 是否每年至少对人员进行一次培训并提供意识教育计划? |
|||
Employment Termination 雇佣终止 |
Roles and responsibilities for performing employment termination or change in employment procedures shall be assigned, documented, and communicated. 应在工作管理规程中分配执行离职或转岗的角色和职责,形成文件并传达。 |
HRS-04.1 | Are documented policies, procedures and guidelines in place to govern change in employment and/or termination? 是否有文档化的政策、规程和指南来管理雇佣变更和/或雇佣终止? |
|
HRS-04.2 | Do the above procedures and guidelines account for timely revocation of access and return of assets? 上述规程和指南是否涵盖及时撤销访问权限和归还资产? |
|||
Portable / Mobile Devices 便携/移动设备 |
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to manage business risks associated with permitting mobile device access to corporate resources and may require the implementation of higher assurance compensating controls and acceptable-use policies and procedures (e.g., mandated security training, stronger identity, entitlement and access controls, and device monitoring). 应建立策略和规程,并实施支持性业务流程和技术手段,管理允许移动设备访问企业资源引起的业务风险,可能需要采用强度更高的补偿控制措施和可接受的使用策略和规程(如:强制安全培训、强化的身份标识、授权和访问控制,以及设备监控)。 |
HRS-05.1 | Are policies and procedures established and measures implemented to strictly limit access to your sensitive data and tenant data from portable and mobile devices (e.g. laptops, cell phones and personal digital assistants (PDAs)), which are generally higher-risk than non-portable devices (e.g., desktop computers at the provider organization’s facilities)? 是否建立了政策和规程并采取了措施,严格限制便携式和移动设备(例如笔记本电脑、手机和个人数字助理(PDA))对您的敏感数据和租户数据的访问?这些设备通常比非便携式设备(例如,提供商组织设施内的台式计算机)具有更高风险。 |
|
Nondisclosure Agreements 保密协议 |
Requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details shall be identified, documented, and reviewed at planned intervals. 应识别、记录反映组织对数据和运营细节保护需求的不披露或保密协议要求,并按计划的时间间隔进行评审。 |
HRS-06.1 | Are requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details identified, documented and reviewed at planned intervals? 反映组织保护数据和运营细节需求的不披露或保密协议要求,是否已被识别、记录并按计划的时间间隔评审? |
|
Roles / Responsibilities 角色/职责 |
Roles and responsibilities of contractors, employees, and third-party users shall be documented as they relate to information assets and security. 当涉及信息资产与安全时,应对承包商、员工和第三方用户的角色和责任进行文件化。 |
HRS-07.1 | Do you provide tenants with a role definition document clarifying your administrative responsibilities versus those of the tenant? 您是否向租户提供了一份角色定义文件,阐明了您与租户的行政责任? |
|
Technology Acceptable Use 技术可接受使用 |
Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining allowances and conditions for permitting usage of organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components. Additionally, defining allowances and conditions to permit usage of personal mobile devices and associated applications with access to corporate resources (i.e., BYOD) shall be considered and incorporated as appropriate. 应建立策略和规程,并实施支持性业务流程和技术手段,明确组织拥有或管理的用户终端设备(如:下发的工作站、笔记本电脑和移动设备)及IT基础网络和系统组件的使用条件和场合。此外,应考虑允许个人移动设备和相关的应用程序(即BYOD)准入和访问企业资源的条件和场合。 |
HRS-08.1 | Do you provide documentation regarding how you may access tenant data and metadata? 您是否提供了有关您如何访问租户数据和元数据的文档? |
|
HRS-08.2 | Do you collect or create metadata about tenant data usage through inspection technologies (search engines, etc.)? 您是否通过检测技术(搜索引擎等)收集或创建有关租户数据使用情况的元数据? |
|||
HRS-08.3 | Do you allow tenants to opt out of having their data/metadata accessed via inspection technologies? 您是否允许租户选择不通过检测技术访问其数据/元数据? |
|||
Training / Awareness 培训/意识 |
A security awareness training program shall be established for all contractors, third-party users, and employees of the organization and mandated when appropriate. All individuals with access to organizational data shall receive appropriate awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization. 应针对所有承包商、第三方用户,以及组织的员工建立安全意识培训方案,并在合适时强制执行。所有访问组织数据的人员应根据他们的专业职能,接受适当的意识培训和定期更新的组织程序和过程的培训。 |
HRS-09.1 | Do you provide a formal, role-based, security awareness training program for cloud-related access and data management issues (e.g., multi-tenancy, nationality, cloud delivery model segregation of duties implications and conflicts of interest) for all persons with access to tenant data? 对于所有可访问租户数据的人员,您是否提供正式的、基于角色的安全意识培训计划,涵盖与云相关的访问和数据管理问题(例如,多租户、国籍、云交付模式对职责分离的影响以及利益冲突)? |
|
HRS-09.2 | Are administrators and data stewards properly educated on their legal responsibilities with regard to security and data integrity? 管理人员和数据管理人员是否就安全和数据完整性的法律责任进行了适当的教育? |
|||
User Responsibility 用户责任 |
All personnel shall be made aware of their roles and responsibilities for: 所有人员应认识到他们的角色和责任: • Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations. 保持对既定政策、规程以及适用的法律法规和合规性义务的知晓和遵从。 • Maintaining a safe and secure working environment 维护一个安全的工作环境。 |
HRS-10.1 | Are users made aware of their responsibilities for maintaining awareness and compliance with published security policies, procedures, standards and applicable regulatory requirements? 用户是否意识到他们有责任维护和遵守已发布的安全政策、程序、标准和适用的法规要求? |
|
HRS-10.2 | Are users made aware of their responsibilities for maintaining a safe and secure working environment? 用户是否意识到他们有责任维护安全可靠的工作环境? |
|||
HRS-10.3 | Are users made aware of their responsibilities for leaving unattended equipment in a secure manner? 用户是否意识到他们有责任在离开时以安全的方式处置无人看管的设备? |
|||
Workspace 工作区 |
Policies and procedures shall be established to require that unattended workspaces do not have openly visible (e.g., on a desktop) sensitive documents and user computing sessions are disabled after an established period of inactivity. 应建立策略和规程,要求无人值守的工作场所不存在公开可见的(如:桌面)敏感文件,要求用户计算会话在设定的不活动时间后关闭。 |
HRS-11.1 | Do your data management policies and procedures address tenant and service level conflicts of interests? 您的数据管理政策和规程是否处理租户和服务级别的利益冲突? |
|
HRS-11.2 | Do your data management policies and procedures include a tamper audit or software integrity function for unauthorized access to tenant data? 对于未经授权访问租户数据,您的数据管理政策和程序是否包含篡改审核或软件完整性功能? |
|||
HRS-11.3 | Does the virtual machine management infrastructure include a tamper audit or software integrity function to detect changes to the build/configuration of the virtual machine? 虚拟机管理基础架构是否包含篡改审核或软件完整性功能以检测虚拟机的构建/配置更改? |
|||
Identity & Access Management 身份与访问控制 | ||||
Audit Tools Access 审计工具访问 |
Access to, and use of, audit tools that interact with the organization's information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data. 针对与组织的信息系统具有交互功能的审计工具,应适当隔离和限制对其的访问和使用,以防止审计日志数据被破坏和误用。 |
IAM-01.1 | Do you restrict, log and monitor access to your information security management systems? (E.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.) 您是否限制、记录并监控对信息安全管理系统的访问?(例如,虚拟机管理程序、防火墙、漏洞扫描程序、网络嗅探器、API等) |
|
IAM-01.2 | Do you monitor and log privileged access (administrator level) to information security management systems? 您是否监视和记录信息安全管理系统的特权访问(管理员级别)? |
|||
User Access Policy 用户访问策略 |
User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organizationally-owned or managed (physical and virtual) application interfaces and infrastructure network and systems components. These policies, procedures, processes, and measures must incorporate the following: 应建立用户访问策略和规程,并实施支持性业务流程和技术手段,确保公司内部的和客户(租户)的用户访问数据、组织所有或管理的(物理和虚拟的)应用程序接口、基础设施网络和系统组件时,具有适当的身份、授权和访问管理。这些策略、规程、流程和措施必须包括以下内容: • Procedures and supporting roles and responsibilities for provisioning and de-provisioning user account entitlements following the rule of least privilege based on job function (e.g., internal employee and contingent staff personnel changes, customer-controlled access, suppliers' business relationships, or other third-party business relationships) 基于工作职能(如:内部员工和临时员工的变动、客户控制的访问、供应商业务关系或其他第三方业务关系),按照最小权限原则建立供给和撤销用户账号权限的规程,以及支持性角色和责任。 • Business case considerations for higher levels of assurance and multi-factor authentication secrets (e.g., management interfaces, key generation, remote access, segregation of duties, emergency access, large-scale provisioning or geographically-distributed deployments, and personnel redundancy for critical systems) 有关更高级别保证和多因素认证凭据(如:管理界面、密钥生成、远程访问、职责分离、紧急访问、大规模供给或地理分布式部署,以及关键系统的人员冗余)的业务论证。 • Access segmentation to sessions and data in multi-tenant architectures by any third party (e.g., provider and/or other customer (tenant)) 在多租户架构中,针对任何第三方(如:提供商和/或其他客户(租户))对会话与数据的访问隔离。 • Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and federation) 身份可信性验证、服务到服务的应用(API)和信息处理交互(如:SSO和联合身份验证)。 • Account credential lifecycle management from instantiation through revocation 账号凭证从实例化到回收的全生命周期管理。 • Account credential and/or identity store minimization or re-use when feasible 如可行,账号凭证和/或身份信息存储最小化或重用。 • Authentication, authorization, and accounting (AAA) rules for access to data and sessions (e.g., encryption and strong/multi-factor, expirable, non-shared authentication secrets) 访问数据和会话的认证、授权和审计(AAA)规则(如:加密和强/多因素、可过期的、非共享的认证凭据)。 • Permissions and supporting capabilities for customer (tenant) controls over authentication, authorization, and accounting (AAA) rules for access to data and sessions 支持客户(租户)控制访问数据和会话的认证、授权和审计(AAA)规则的权限和能力。 • Adherence to applicable legal, statutory, or regulatory compliance requirements 遵守适用的法律法规和监管合规要求。 |
IAM-02.1 | Do you have controls in place ensuring timely removal of systems access that is no longer required for business purposes? 您是否有控制措施,确保及时移除因业务目的不再需要的系统访问权限? |
|
IAM-02.2 | Do you provide metrics to track the speed with which you are able to remove systems access that is no longer required for business purposes? 您是否提供衡量指标,以跟踪您移除因业务目的不再需要的系统访问权限的速度? |
|||
Diagnostic / Configuration Ports Access 诊断/配置端口访问 |
User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications. 对诊断和配置端口的访问应仅限于授权的人员和应用程序。 |
IAM-03.1 | Do you use dedicated secure networks to provide management access to your cloud service infrastructure? 您是否使用专用安全网络为您的云服务基础架构提供管理访问权限? |
|
Policies and Procedures 政策与程序 |
Policies and procedures shall be established to store and manage identity information about every person who accesses IT infrastructure and to determine their level of access. Policies shall also be developed to control access to network resources based on user identity. 应建立策略和规程,以存储和管理每个可访问IT基础设施的人员的身份信息,并确定其访问级别。同时应基于用户身份建立策略以控制对网络资源访问。 |
IAM-04.1 | Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access? 您是否管理并存储了所有可以访问IT基础设施的人员的身份,包括他们的访问级别? |
|
IAM-04.2 | Do you manage and store the user identity of all personnel who have network access, including their level of access? 您是否管理和存储所有有网络访问权限的人员的用户身份,包括他们的访问级别? |
|||
Segregation of Duties 职责分离 |
User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for restricting user access as per defined segregation of duties to address business risks associated with a user-role conflict of interest. 应建立用户访问策略和规程,并实施支持性业务流程和技术手段,按照既定的职责分离原则限制用户访问,以处理因用户角色的利益冲突而引起的业务风险。 |
IAM-05.1 | Do you provide tenants with documentation on how you maintain segregation of duties within your cloud service offering? 您是否向租户提供了有关如何在您的云服务产品中维护职责分离的文档? |
|
Source Code Access Restriction 源代码访问限制 |
Access to the organization's own developed applications, program, or object source code, or any other form of intellectual property (IP), and use of proprietary software shall be appropriately restricted following the rule of least privilege based on job function as per established user access policies and procedures. 应按照既定的用户访问策略和规程,基于业务职能并遵循最小权限原则,适当限制对组织自主开发的应用、程序、目标代码或其他任何形式的知识产权(IP)的访问,以及对专有软件的使用。 |
IAM-06.1 | Are controls in place to prevent unauthorized access to your application, program or object source code, and assure it is restricted to authorized personnel only? 是否有控制措施来防止未经授权访问您的应用程序,程序或对象源代码,并确保仅限授权人员使用? |
|
IAM-06.2 | Are controls in place to prevent unauthorized access to tenant application, program or object source code, and assure it is restricted to authorized personnel only? 是否有适当的控制措施来防止未经授权访问租户应用程序,程序或对象源代码,并确保仅限授权人员使用? |
|||
Third Party Access 第三方访问 |
The identification, assessment, and prioritization of risks posed by business processes requiring third-party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access. 应识别、评估由于业务流程的需要,第三方访问组织信息系统和数据的风险,并排定风险的优先级。为管理这些风险,应协调应用资源,监控、测量未授权或不合适的访问的可能性和影响,并使其最小化。应在提供访问之前根据风险分析结果采取补偿措施控制风险。 |
IAM-07.1 | Do you provide multi-failure disaster recovery capability? 您是否提供多故障灾难恢复能力? |
|
IAM-07.2 | Do you monitor service continuity with upstream providers in the event of provider failure? 如果供应商出现故障,您是否监控上游提供商的服务连续性? |
|||
IAM-07.3 | Do you have more than one provider for each service you depend on? 您所依赖的每个服务都有一个以上的提供者吗? |
|||
IAM-07.4 | Do you provide access to operational redundancy and continuity summaries, including the services you depend on? 您是否提供运营冗余和连续性摘要,包括您所依赖的服务? |
|||
IAM-07.5 | Do you provide the tenant the ability to declare a disaster? 你是否向租户提供宣布灾难的能力? |
|||
IAM-07.6 | Do you provide a tenant-triggered failover option? 您是否提供由租户触发的故障转移选项? |
|||
IAM-07.7 | Do you share your business continuity and redundancy plans with your tenants? 您是否与租户分享您的业务连续性和冗余计划? |
|||
User Access Restriction / Authorization 用户访问限制/授权 |
Policies and procedures are established for permissible storage and access of identities used for authentication to ensure identities are only accessible based on rules of least privilege and replication limitation only to users explicitly defined as business necessary. 针对可允许存储和访问的用于认证的身份信息,应建立策略与规程确保对身份信息的访问是基于最小权限原则,且复制仅限于明确定义为业务所需的用户。 |
IAM-08.1 | Do you document how you grant and approve access to tenant data? 您是否记录了您如何授予和批准访问租户数据? |
|
IAM-08.2 | Do you have a method of aligning provider and tenant data classification methodologies for access control purposes? 您是否有一种方法来调整供应商和租户数据分类方法,以达到访问控制的目的? |
|||
User Access Authorization 用户访问授权 |
Provisioning user access (e.g., employees, contractors, customers (tenants), business partners and/or supplier relationships) to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components shall be authorized by the organization's management prior to access being granted and appropriately restricted as per established policies and procedures. Upon request, provider shall inform customer (tenant) of this user access, especially if customer (tenant) data is used as part of the service and/or customer (tenant) has some shared responsibility over implementation of control. 在提供用户(如:员工、承包商、客户(租户)、合作伙伴和/或供应商)访问数据和组织所有或管理的(物理和虚拟的)应用程序、基础设施系统和网络组件时,应在授予访问权限前由组织的管理层授权,并按照既定的策略和规程加以适当限制。根据要求,提供商应向客户(租户)通告这种用户访问情况,特别是当客户(租户)的数据被用作服务的一部分,和/或客户(租户)共同承担控制措施实施责任时。 |
IAM-09.1 | Does your management provision the authorization and restrictions for user access (e.g. employees, contractors, customers (tenants), business partners and/or suppliers) prior to their access to data and any owned or managed (physical and virtual) applications, infrastructure systems and network components? 您的管理层是否在用户(例如员工、承包商、客户(租户)、业务合作伙伴和/或供应商)访问数据以及任何拥有或管理的(物理和虚拟的)应用程序、基础设施系统和网络组件之前,对其访问进行授权并加以限制? |
|
IAM-09.2 | Do you provide upon request user access (e.g. employees, contractors, customers (tenants), business partners and/or suppliers) to data and any owned or managed (physical and virtual) applications, infrastructure systems and network components? 您是否根据请求提供用户(例如员工,承包商,客户(租户),商业伙伴和/或供应商)对数据和任何拥有或管理的(物理的和虚拟的)应用程序,基础架构系统和网络组件的访问权? |
|||
User Access Reviews 用户访问审查 |
User access shall be authorized and revalidated for entitlement appropriateness, at planned intervals, by the organization's business leadership or other accountable business role or function supported by evidence to demonstrate the organization is adhering to the rule of least privilege based on job function. For identified access violations, remediation must follow established user access policies and procedures. 应按计划的时间间隔,由组织的业务领导或其他负责的业务角色或职能对用户访问进行授权并重新验证其权限的适宜性,此过程需有证据证明组织遵守了基于工作职责的最小权限原则。对于已识别的访问违规情况,须按照既定的用户访问策略和规程采取补救措施。 |
IAM-10.1 | Do you require at least annual certification of entitlements for all system users and administrators (exclusive of users maintained by your tenants)? 您是否要求至少每年为所有系统用户和管理员颁发证书(不包括租户维护的用户)? |
|
IAM-10.2 | If users are found to have inappropriate entitlements, are all remediation and certification actions recorded? 如果发现用户拥有不适当的权利,是否记录了所有补救和认证行为? |
|||
IAM-10.3 | Will you share user entitlement remediation and certification reports with your tenants, if inappropriate access may have been allowed to tenant data? 如果租户的访问不适当,您会与租户共享用户权限补救和认证报告吗? |
|||
User Access Revocation | Timely de-provisioning (revocation or modification) of user access to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components shall be implemented as per established policies and procedures and based on the user's change in status (e.g., termination of employment or other business relationship, job change or transfer). Upon request, the provider shall inform the customer (tenant) of these changes, especially if customer (tenant) data is used as part of the service and/or the customer (tenant) has some shared responsibility over implementation of the control. | IAM-11.1 | Is timely de-provisioning, revocation or modification of user access to the organization's systems, information assets and data implemented upon any change in status of employees, contractors, customers, business partners or involved third parties? | |
| | IAM-11.2 | Is any change in user access status intended to include termination of employment, contract or agreement, change of employment or transfer within the organization? | |
User ID Credentials | Internal corporate or customer (tenant) user account credentials shall be restricted as per the following, ensuring appropriate identity, entitlement, and access management and in accordance with established policies and procedures: • Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and federation) • Account credential lifecycle management from instantiation through revocation • Account credential and/or identity store minimization or re-use when feasible • Adherence to industry-acceptable and/or regulatory-compliant authentication, authorization, and accounting (AAA) rules (e.g., strong/multi-factor, expirable, non-shared authentication secrets) | IAM-12.1 | Do you support use of, or integration with, existing customer-based Single Sign-On (SSO) solutions to your service? | |
| | IAM-12.2 | Do you use open standards to delegate authentication capabilities to your tenants? | |
| | IAM-12.3 | Do you support identity federation standards (SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users? | |
| | IAM-12.4 | Do you have a Policy Enforcement Point capability (e.g., XACML) to enforce regional legal and policy constraints on user access? | |
| | IAM-12.5 | Do you have an identity management system (enabling classification of data for a tenant) in place to enable both role-based and context-based entitlement to data? | |
| | IAM-12.6 | Do you provide tenants with strong (multi-factor) authentication options (digital certificates, tokens, biometrics, etc.) for user access? | |
| | IAM-12.7 | Do you allow tenants to use third-party identity assurance services? | |
| | IAM-12.8 | Do you support password (minimum length, age, history, complexity) and account lockout (lockout threshold, lockout duration) policy enforcement? | |
| | IAM-12.9 | Do you allow tenants/customers to define password and account lockout policies for their accounts? | |
| | IAM-12.10 | Do you support the ability to force password changes upon first logon? | |
| | IAM-12.11 | Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)? | |
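The password and lockout controls that IAM-12.8 through IAM-12.11 ask about, worked through as an added example (this is not part of the CAIQ and not any provider's code): minimum length, complexity classes, password history, maximum age, lockout threshold and duration, a forced change at first logon, and a manual unlock that only proceeds after the requester has been verified. The policy values, the account record and the hashing are constructed for illustration; a production credential store would use a salted slow hash such as bcrypt or Argon2 instead of plain SHA-256.

```python
"""Password and account-lockout policy enforcement (illustrating IAM-12.8 to IAM-12.11)."""
from dataclasses import dataclass, field
import hashlib
import re


@dataclass
class PasswordPolicy:               # constructed values; a tenant would set its own (IAM-12.9)
    min_length: int = 12
    max_age_days: int = 90          # "age": rotation required after this many days
    history: int = 5                # "history": reject reuse of the last N passwords
    require_classes: int = 3        # "complexity": character classes required (of 4)


@dataclass
class LockoutPolicy:
    threshold: int = 5              # failed attempts before the account locks
    duration_s: int = 900           # lockout duration in seconds


@dataclass
class Account:
    password_hashes: list = field(default_factory=list)  # oldest first, newest last
    password_set_at: float = 0.0    # epoch seconds of the last password change
    failed_attempts: int = 0
    locked_until: float = 0.0       # epoch seconds; 0 means not locked
    must_change: bool = True        # IAM-12.10: first logon forces a password change


def _h(pw: str) -> str:
    # Illustrative only: use a salted slow hash (bcrypt/Argon2) in a real credential store.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(policy: PasswordPolicy, account: Account, candidate: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too_short")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < policy.require_classes:
        problems.append("insufficient_complexity")
    if _h(candidate) in account.password_hashes[-policy.history:]:
        problems.append("reused")
    return problems


def set_password(policy: PasswordPolicy, account: Account, new_pw: str, now: float) -> list:
    """Apply a user-chosen password; returns the violations, or [] when it was accepted."""
    problems = check_password(policy, account, new_pw)
    if problems:
        return problems
    account.password_hashes.append(_h(new_pw))
    account.password_set_at = now
    account.must_change = False
    return []


def provision_account(initial_pw: str, now: float) -> Account:
    """Administrator-issued initial credential: usable once, then a change is forced."""
    account = Account(password_hashes=[_h(initial_pw)], password_set_at=now, must_change=True)
    return account


def password_expired(policy: PasswordPolicy, account: Account, now: float) -> bool:
    return now - account.password_set_at > policy.max_age_days * 86400


def attempt_login(lock: LockoutPolicy, policy: PasswordPolicy, account: Account,
                  password: str, now: float) -> str:
    """Return 'locked', 'denied', 'change_required' or 'ok'."""
    if now < account.locked_until:
        return "locked"                       # even a correct password is refused while locked
    if not account.password_hashes or _h(password) != account.password_hashes[-1]:
        account.failed_attempts += 1
        if account.failed_attempts >= lock.threshold:
            account.locked_until = now + lock.duration_s
            account.failed_attempts = 0       # counter restarts once the lockout window ends
        return "denied"
    account.failed_attempts = 0               # success clears the failure counter
    if account.must_change or password_expired(policy, account, now):
        return "change_required"
    return "ok"


def manual_unlock(account: Account, requester_verified: bool) -> bool:
    """Manual unlock path (IAM-12.11): only after the help desk has verified the requester."""
    if not requester_verified:
        return False
    account.locked_until = 0.0
    account.failed_attempts = 0
    return True
```

The lockout check comes before the credential comparison so that a correct password submitted during the lockout window is still refused, and the failure counter is reset when the lock is applied so that the next window starts from zero rather than re-locking on the first miss.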
Utility Programs Access | Utility programs capable of potentially overriding system, object, network, virtual machine, and application controls shall be restricted. | IAM-13.1 | Are utilities that can significantly manage virtualized partitions (e.g., shutdown, clone, etc.) appropriately restricted and monitored? | |
| | IAM-13.2 | Do you have a capability to detect attacks that target the virtual infrastructure directly (e.g., shimming, Blue Pill, hyperjumping, etc.)? | |
| | IAM-13.3 | Are attacks that target the virtual infrastructure prevented with technical controls? | |
Infrastructure & Virtualization Security | | | | |
Audit Logging / Intrusion Detection | Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory or regulatory compliance obligations and providing unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, and to support forensic investigative capabilities in the event of a security breach. | IVS-01.1 | Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents? | |
| | IVS-01.2 | Is physical and logical user access to audit logs restricted to authorized personnel? | |
| | IVS-01.3 | Can you provide evidence that due diligence mapping of regulations and standards to your controls/architecture/processes has been done? | |
| | IVS-01.4 | Are audit logs centrally stored and retained? | |
| | IVS-01.5 | Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)? | |
Change Detection | The provider shall ensure the integrity of all virtual machine images at all times. Any changes made to virtual machine images must be logged and an alert raised regardless of their running state (e.g., dormant, off, or running). The results of a change or move of an image and the subsequent validation of the image's integrity must be immediately available to customers through electronic methods (e.g., portals or alerts). | IVS-02.1 | Do you log and alert any changes made to virtual machine images regardless of their running state (e.g., dormant, off or running)? | |
| | IVS-02.2 | Are changes made to virtual machines, or moving of an image and subsequent validation of the image's integrity, made immediately available to customers through electronic methods (e.g., portals or alerts)? | |
Clock Synchronization | A reliable and mutually agreed upon external time source shall be used to synchronize the system clocks of all relevant information processing systems to facilitate tracing and reconstitution of activity timelines. | IVS-03.1 | Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference? | |
Capacity / Resource Planning | The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with legal, statutory, and regulatory compliance obligations. Projections of future capacity requirements shall be made to mitigate the risk of system overload. | IVS-04.1 | Do you provide documentation regarding what levels of system (network, storage, memory, I/O, etc.) oversubscription you maintain and under what circumstances/scenarios? | |
| | IVS-04.2 | Do you restrict use of the memory oversubscription capabilities present in the hypervisor? | |
| | IVS-04.3 | Do your system capacity requirements take into account current, projected and anticipated capacity needs for all systems used to provide services to the tenants? | |
| | IVS-04.4 | Is system performance monitored and tuned in order to continuously meet regulatory, contractual and business requirements for all the systems used to provide services to the tenants? | |
Management - Vulnerability Management | Implementers shall ensure that the security vulnerability assessment tools or services accommodate the virtualization technologies used (e.g., virtualization aware). | IVS-05.1 | Do security vulnerability assessment tools or services accommodate the virtualization technologies being used (e.g., virtualization aware)? | |
Network Security | Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections. These configurations shall be reviewed at least annually, and supported by a documented justification for use for all allowed services, protocols, and ports, and by compensating controls. | IVS-06.1 | For your IaaS offering, do you provide customers with guidance on how to create a layered security architecture equivalence using your virtualized solution? | |
| | IVS-06.2 | Do you regularly update network architecture diagrams that include data flows between security domains/zones? | |
| | IVS-06.3 | Do you regularly review for appropriateness the allowed access/connectivity (e.g., firewall rules) between security domains/zones within the network? | |
| | IVS-06.4 | Are all firewall access control lists documented with business justification? | |
OS Hardening and Base Controls | Each operating system shall be hardened to provide only the necessary ports, protocols, and services to meet business needs, and shall have in place supporting technical controls such as antivirus, file integrity monitoring, and logging as part of its baseline operating build standard or template. | IVS-07.1 | Are operating systems hardened to provide only the necessary ports, protocols and services to meet business needs, using technical controls (i.e., antivirus, file integrity monitoring and logging) as part of their baseline build standard or template? | |
Production / Non-production Environments | Production and non-production environments shall be separated to prevent unauthorized access or changes to information assets. Separation of the environments may include: stateful inspection firewalls, domain/realm authentication sources, and clear segregation of duties for personnel accessing these environments as part of their job duties. | IVS-08.1 | For your SaaS or PaaS offering, do you provide tenants with separate environments for production and test processes? | |
| | IVS-08.2 | For your IaaS offering, do you provide tenants with guidance on how to create suitable production and test environments? | |
| | IVS-08.3 | Do you logically and physically segregate production and non-production environments? | |
Segmentation | Multi-tenant organizationally-owned or managed (physical and virtual) applications, and infrastructure system and network components, shall be designed, developed, deployed and configured such that provider and customer (tenant) user access is appropriately segmented from other tenant users, based on the following considerations: • Established policies and procedures • Isolation of business-critical assets and/or sensitive user data, and sessions that mandate stronger internal controls and high levels of assurance • Compliance with legal, statutory and regulatory compliance obligations | IVS-09.1 | Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements? | |
| | IVS-09.2 | Are system and network environments protected by a firewall or virtual firewall to ensure compliance with legislative, regulatory and contractual requirements? | |
| | IVS-09.3 | Are system and network environments protected by a firewall or virtual firewall to ensure separation of production and non-production environments? | |
| | IVS-09.4 | Are system and network environments protected by a firewall or virtual firewall to ensure protection and isolation of sensitive data? | |
VM Security - vMotion Data Protection | Secured and encrypted communication channels shall be used when migrating physical servers, applications, or data to virtualized servers and, where possible, such migrations shall use a network segregated from production-level networks. | IVS-10.1 | Are secured and encrypted communication channels used when migrating physical servers, applications or data to virtual servers? | |
| | IVS-10.2 | Do you use a network segregated from production-level networks when migrating physical servers, applications or data to virtual servers? | |
VMM Security - Hypervisor Hardening | Access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems shall be restricted to personnel based upon the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls, and TLS-encapsulated communications to the administrative consoles). | IVS-11.1 | Do you restrict personnel access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems based on the principle of least privilege, supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls and TLS-encapsulated communications to the administrative consoles)? | |
Wireless Security | Policies and procedures shall be established, and supporting business processes and technical measures implemented, to protect wireless network environments, including the following: • Perimeter firewalls implemented and configured to restrict unauthorized traffic • Security settings enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, and SNMP community strings) • User access to wireless network devices restricted to authorized personnel • The capability to detect the presence of unauthorized (rogue) wireless network devices for a timely disconnect from the network | IVS-12.1 | Are policies and procedures established and mechanisms configured and implemented to protect the wireless network environment perimeter and to restrict unauthorized wireless traffic? | |
| | IVS-12.2 | Are policies and procedures established and mechanisms implemented to ensure wireless security settings are enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings)? | |
| | IVS-12.3 | Are policies and procedures established and mechanisms implemented to protect wireless network environments and detect the presence of unauthorized (rogue) network devices for a timely disconnect from the network? | |
Network Architecture | Network architecture diagrams shall clearly identify high-risk environments and data flows that may have legal compliance impacts. Technical measures shall be implemented and shall apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling, and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks. | IVS-13.1 | Do your network architecture diagrams clearly identify high-risk environments and data flows that may have legal compliance impacts? | |
| | IVS-13.2 | Do you implement technical measures and apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks? | |
Interoperability & Portability | | | | |
Interoperability & Portability APIs | The provider shall use open and published APIs to ensure support for interoperability between components and to facilitate migrating applications. | IPY-01 | Do you publish a list of all APIs available in the service and indicate which are standard and which are customized? | |
Interoperability & Portability Data Request | All structured and unstructured data shall be available to the customer and provided to them upon request in an industry-standard format (e.g., .doc, .xls, .pdf, logs, and flat files). | IPY-02 | Is unstructured customer data available on request in an industry-standard format (e.g., .doc, .xls, or .pdf)? | |
Interoperability & Portability Policy & Legal | Policies, procedures, and mutually agreed upon provisions and/or terms shall be established to satisfy customer (tenant) requirements for service-to-service application (API) and information processing interoperability, and portability for application development and information exchange, usage, and integrity persistence. | IPY-03.1 | Do you provide policies and procedures (i.e., service level agreements) governing the use of APIs for interoperability between your service and third-party applications? | |
| | IPY-03.2 | Do you provide policies and procedures (i.e., service level agreements) governing the migration of application data to and from your service? | |
Interoperability & Portability Standardized Network Protocols | The provider shall use secure (e.g., non-clear-text and authenticated) standardized network protocols for the import and export of data and to manage the service, and shall make available a document to consumers (tenants) detailing the relevant interoperability and portability standards that are involved. | IPY-04.1 | Can data import, data export and service management be conducted over secure (e.g., non-clear-text and authenticated), industry-accepted standardized network protocols? | |
| | IPY-04.2 | Do you provide consumers (tenants) with documentation detailing the relevant interoperability and portability network protocol standards that are involved? | |
Interoperability & Portability Virtualization | The provider shall use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability, and shall have documented custom changes made to any hypervisor in use and all solution-specific virtualization hooks available for customer review. | IPY-05.1 | Do you use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability? | |
| | IPY-05.2 | Do you have documented custom changes made to any hypervisor in use, and all solution-specific virtualization hooks available for customer review? | |
Mobile Security | | | | |
Mobile Security Anti-Malware | Anti-malware awareness training, specific to mobile devices, shall be included in the provider's information security awareness training. | MOS-01 | Do you provide anti-malware training specific to mobile devices as part of your information security awareness training? | |
Mobile Security Application Stores | A documented list of approved application stores shall be defined as acceptable for mobile devices accessing or storing provider-managed data. | MOS-02 | Do you document and make available lists of approved application stores for mobile devices accessing or storing company data and/or company systems? | |
Mobile Security Approved Applications | The company shall have a documented policy prohibiting the installation of non-approved applications or approved applications not obtained through a pre-identified application store. | MOS-03 | Do you have a policy enforcement capability (e.g., XACML) to ensure that only approved applications and those from approved application stores are loaded onto a mobile device? | |
Mobile Security Approved Software for BYOD | The BYOD policy and supporting awareness training shall clearly state the approved applications, application stores, and application extensions and plugins that may be used for BYOD usage. | MOS-04 | Do your BYOD policy and training clearly state which applications and application stores are approved for use on BYOD devices? | |
Mobile Security Awareness and Training | The provider shall have a documented mobile device policy that includes a documented definition of mobile devices and the acceptable usage and requirements for all mobile devices. The provider shall post and communicate the policy and requirements through the company's security awareness and training program. | MOS-05 | Do you have a documented mobile device policy in your employee training that clearly defines mobile devices and the accepted usage and requirements for mobile devices? | |
Mobile Security Cloud-Based Services | All cloud-based services used by the company's mobile devices or BYOD shall be pre-approved for usage and for the storage of company business data. | MOS-06 | Do you have a documented list of pre-approved cloud-based services that are allowed to be used for the use and storage of company business data via a mobile device? | |
Mobile Security Compatibility | The company shall have a documented application validation process to test for mobile device, operating system, and application compatibility issues. | MOS-07 | Do you have a documented application validation process for testing device, operating system and application compatibility issues? | |
Mobile Security Device Eligibility | The BYOD policy shall define the device and eligibility requirements to allow for BYOD usage. | MOS-08 | Do you have a BYOD policy that defines the device(s) and eligibility requirements allowed for BYOD usage? | |
Mobile Security Device Inventory | An inventory of all mobile devices used to store and access company data shall be kept and maintained. All changes to the status of these devices (i.e., operating system and patch levels, lost or decommissioned status, and to whom the device is assigned or approved for usage (BYOD)) shall be recorded for each device in the inventory. | MOS-09 | Do you maintain an inventory of all mobile devices storing and accessing company data which includes device status (OS and patch levels, lost or decommissioned, device assignee)? | |
Mobile Security Device Management | A centralized mobile device management solution shall be deployed to all mobile devices permitted to store, transmit, or process customer data. | MOS-10 | Do you have a centralized mobile device management solution deployed to all mobile devices that are permitted to store, transmit, or process company data? | |
Mobile Security Encryption | The mobile device policy shall require the use of encryption, either for the entire device or for data identified as sensitive, on all mobile devices, and this shall be enforced through technology controls. | MOS-11 | Does your mobile device policy require the use of encryption, either for the entire device or for data identified as sensitive, enforceable through technology controls for all mobile devices? | |
Mobile Security Jailbreaking and Rooting | The mobile device policy shall prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting) and shall enforce the prohibition through detective and preventative controls on the device or through a centralized device management system (e.g., mobile device management). | MOS-12.1 | Does your mobile device policy prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting)? | |
| | MOS-12.2 | Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls? | |
Mobile Security Legal | The BYOD policy shall include clarifying language for the expectation of privacy, requirements for litigation, e-discovery, and legal holds. The BYOD policy shall clearly state the expectations regarding the loss of non-company data in case a wipe of the device is required. | MOS-13.1 | Does your BYOD policy clearly define the expectation of privacy, requirements for litigation, e-discovery and legal holds? | |
| | MOS-13.2 | Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls? | |
Mobile Security Lockout Screen | BYOD and/or company-owned devices shall be configured to require an automatic lockout screen, and the requirement shall be enforced through technical controls. | MOS-14 | Do you require and enforce via technical controls an automatic lockout screen for BYOD and company-owned devices? | |
Mobile Security Operating Systems | Changes to mobile device operating systems, patch levels, and/or applications shall be managed through the company's change management processes. | MOS-15 | Do you manage all changes to mobile device operating systems, patch levels and applications via your company's change management processes? | |
Mobile Security Passwords | Password policies applicable to mobile devices shall be documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and shall prohibit the changing of password/PIN lengths and authentication requirements. | MOS-16.1 | Do you have password policies for enterprise-issued mobile devices and/or BYOD mobile devices? | |
| | MOS-16.2 | Are your password policies enforced through technical controls (i.e., MDM)? | |
| | MOS-16.3 | Do your password policies prohibit the changing of authentication requirements (i.e., password/PIN length) via a mobile device? | |
Mobile Security Policy | The mobile device policy shall require the BYOD user to perform backups of data, prohibit the usage of unapproved application stores, and require the use of anti-malware software (where supported). | MOS-17.1 | Do you have a policy that requires BYOD users to perform backups of specified corporate data? | |
| | MOS-17.2 | Do you have a policy that prohibits BYOD users from using unapproved application stores? | |
| | MOS-17.3 | Do you have a policy that requires BYOD users to use anti-malware software (where supported)? | |
Mobile Security Remote Wipe 移动设备安全 远程擦除 |
All mobile devices permitted for use through the company BYOD program or a company-assigned mobile device shall allow for remote wipe by the company's corporate IT or shall have all company-provided data wiped by the company's corporate IT. 公司BYOD方案允许使用的所有移动设备或是公司配发的移动设备,应允许公司的企业IT远程擦除设备或公司提供的数据。 |
MOS-18.1 | Does your IT provide remote wipe or corporate data wipe for all company-accepted BYOD devices? 您的 IT 为所有公司接受的 BYOD 设备提供远程擦除或企业数据擦除吗? |
|
MOS-18.2 | Does your IT provide remote wipe or corporate data wipe for all company-assigned mobile devices? 您的 IT 为所有公司指定的移动设备提供远程擦除或企业数据擦除吗? |
|||
Mobile Security Security Patches 移动设备安全 安全补丁 |
Mobile devices connecting to corporate networks, or storing and accessing company information, shall allow for remote software version/patch validation. All mobile devices shall have the latest available security-related patches installed upon general release by the device manufacturer or carrier and authorized IT personnel shall be able to perform these updates remotely. 对于可连接到企业网络,或存储和访问公司信息的移动设备,应允许对其进行远程软件版本/补丁验证。应保证所有移动设备能获取由设备制造商或运营商发布的最新的安全补丁,同时允许授权的IT人员执行更新远程。 |
MOS-19.1 | Do your mobile devices have the latest available security- related patches installed upon general release by the device manufacturer or carrier? 您的移动设备是否在设备制造商或承运人的一般发行版上安装了最新的与安全相关的修补程序? |
|
MOS-19.2 | Do your mobile devices allow for remote validation to download the latest security patches by company IT personnel? 您的移动设备是否允许远程验证通过公司 IT 人员下载最新的安全修补程序? |
|||
Mobile Security Users 移动设备安全 用户 |
The BYOD policy shall clarify the systems and servers allowed for use or access on a BYOD-enabled device. BYOD策略应明确在BYOD设备上可以访问和使用的系统和服务器。 |
MOS-20.1 | Does your BYOD policy clarify the systems and servers allowed for use or access on the BYOD- enabled device? 您的 BYOD 策略是否澄清了允许在启用 BYOD 的设备上使用或访问的系统和服务器? |
|
MOS-20.2 | Does your BYOD policy specify the user roles that are allowed access via a BYOD- enabled device? 您的 BYOD 策略是否指定允许通过 BYOD 启用的设备进行访问的用户角色? |
|||
Security Incident Management, E-Discovery & Cloud Forensics |
Security Incident Management, E-Discovery & Cloud Forensics Contact / Authority Maintenance |
Points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities shall be maintained and regularly updated (e.g., on a change in impacted scope and/or a change in any compliance obligation) to ensure direct compliance liaisons have been established and to be prepared for a forensic investigation requiring rapid engagement with law enforcement. |
SEF-01.1 | Do you maintain liaisons and points of contact with local authorities in accordance with contracts and appropriate regulations? |
Security Incident Management, E-Discovery & Cloud Forensics Incident Management |
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to triage security-related events and ensure timely and thorough incident management, as per established IT service management policies and procedures. |
SEF-02.1 | Do you have a documented security incident response plan? |
SEF-02.2 | Do you integrate customized tenant requirements into your security incident response plans? |
SEF-02.3 | Do you publish a roles and responsibilities document specifying what you vs. your tenants are responsible for during security incidents? |
SEF-02.4 | Have you tested your security incident response plans in the last year? |
Security Incident Management, E-Discovery & Cloud Forensics Incident Reporting |
Workforce personnel and external business relationships shall be informed of their responsibilities and, if required, shall consent and/or contractually agree to report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a timely manner, adhering to applicable legal, statutory, or regulatory compliance obligations. |
SEF-03.1 | Does your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting? |
SEF-03.2 | Does your logging and monitoring framework allow isolation of an incident to specific tenants? |
Security Incident Management, E-Discovery & Cloud Forensics Incident Response Legal Preparation |
Proper forensic procedures, including chain of custody, are required for the presentation of evidence to support potential legal action subject to the relevant jurisdiction after an information security incident. Upon notification, customers and/or other external business partners impacted by a security breach shall be given the opportunity to participate, as is legally permissible, in the forensic investigation. |
SEF-04.1 | Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls? |
SEF-04.2 | Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques? |
SEF-04.3 | Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data? |
SEF-04.4 | Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas? |
Security Incident Management, E-Discovery & Cloud Forensics Incident Response Metrics |
Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents. |
SEF-05.1 | Do you monitor and quantify the types, volumes and impacts of all information security incidents? |
SEF-05.2 | Will you share statistical information for security incident data with your tenants upon request? |
Supply Chain Management, Transparency and Accountability |
Supply Chain Management, Transparency and Accountability Data Quality and Integrity |
Providers shall inspect, account for, and work with their cloud supply-chain partners to correct data quality errors and associated risks. Providers shall design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain. |
STA-01.1 | Do you inspect and account for data quality errors and associated risks, and work with your cloud supply-chain partners to correct them? |
STA-01.2 | Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within your supply chain? |
Supply Chain Management, Transparency and Accountability Incident Reporting |
The provider shall make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals). |
STA-02.1 | Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals)? |
Supply Chain Management, Transparency and Accountability Network / Infrastructure Services |
Business-critical or customer (tenant) impacting (physical and virtual) application and system-to-system interface (API) designs and configurations, and infrastructure network and systems components, shall be designed, developed, and deployed in accordance with mutually agreed-upon service and capacity-level expectations, as well as IT governance and service management policies and procedures. |
STA-03.1 | Do you collect capacity and usage data for all relevant components of your cloud service offering? |
STA-03.2 | Do you provide tenants with capacity planning and usage reports? |
Supply Chain Management, Transparency and Accountability Provider Internal Assessments |
The provider shall perform annual internal assessments of conformance to, and effectiveness of, its policies, procedures, and supporting measures and metrics. |
STA-04.1 | Do you perform annual internal assessments of conformance to, and effectiveness of, your policies, procedures, and supporting measures and metrics? |
Supply Chain Management, Transparency and Accountability Third Party Agreements |
Supply chain agreements (e.g., SLAs) between providers and customers (tenants) shall incorporate at least the following mutually agreed-upon provisions and/or terms:
• Scope of business relationship and services offered (e.g., customer (tenant) data acquisition, exchange and usage; feature sets and functionality; personnel and infrastructure network and systems components for service delivery and support; roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships; physical geographical location of hosted services; and any known regulatory compliance considerations)
• Information security requirements, provider and customer (tenant) primary points of contact for the duration of the business relationship, and references to detailed supporting and relevant business processes and technical measures implemented to enable effective governance, risk management, assurance, and legal, statutory and regulatory compliance obligations by all impacted business relationships
• Notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts
• Timely notification of a security incident (or confirmed breach) to all customers (tenants) and other business relationships impacted (i.e., the up- and down-stream impacted supply chain)
• Assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed
• Expiration of the business relationship and treatment of customer (tenant) data impacted
• Customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence |
STA-05.1 | Do you select and monitor outsourced providers in compliance with laws in the country where the data is processed, stored and transmitted? |
STA-05.2 | Do you select and monitor outsourced providers in compliance with laws in the country where the data originates? |
STA-05.3 | Does legal counsel review all third-party agreements? |
STA-05.4 | Do third-party agreements include provision for the security and protection of information and assets? |
STA-05.5 | Do you provide the client with a list and copies of all sub-processing agreements and keep this updated? |
Supply Chain Management, Transparency and Accountability Supply Chain Governance Reviews |
Providers shall review the risk management and governance processes of their partners so that practices are consistent and aligned to account for risks inherited from other members of that partner's cloud supply chain. |
STA-06.1 | Do you review the risk management and governance processes of partners to account for risks inherited from other members of that partner's supply chain? |
Supply Chain Management, Transparency and Accountability Supply Chain Metrics |
Policies and procedures shall be implemented to ensure the consistent review of service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream). Reviews shall be performed at least annually and identify non-conformance to established agreements. The reviews should result in actions to address service-level conflicts or inconsistencies resulting from disparate supplier relationships. |
STA-07.1 | Are policies and procedures established, and supporting business processes and technical measures implemented, for maintaining complete, accurate and relevant agreements (e.g., SLAs) between providers and customers (tenants)? |
STA-07.2 | Do you have the ability to measure and address non-conformance of provisions and/or terms across the entire supply chain (upstream/downstream)? |
STA-07.3 | Can you manage service-level conflicts or inconsistencies resulting from disparate supplier relationships? |
STA-07.4 | Do you review all agreements, policies and processes at least annually? |
Supply Chain Management, Transparency and Accountability Third Party Assessment |
Providers shall assure reasonable information security across their information supply chain by performing an annual review. The review shall include all partners/third-party providers upon which their information supply chain depends. |
STA-08.1 | Do you assure reasonable information security across your information supply chain by performing an annual review? |
STA-8.2 | Does your annual review include all partners/third-party providers upon which your information supply chain depends? |
Supply Chain Management, Transparency and Accountability Third Party Audits |
Third-party service providers shall demonstrate compliance with information security and confidentiality, access control, service definitions, and delivery level agreements included in third-party contracts. Third-party reports, records, and services shall undergo audit and review at least annually to govern and maintain compliance with the service delivery agreements. |
STA-09.1 | Do you permit tenants to perform independent vulnerability assessments? |
STA-09.2 | Do you have external third-party services conduct vulnerability scans and periodic penetration tests on your applications and networks? |
Threat and Vulnerability Management |
Threat and Vulnerability Management Antivirus / Malicious Software |
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of malware on organizationally-owned or managed user end-point devices (i.e., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components. |
TVM-01.1 | Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your systems? |
TVM-01.2 | Do you ensure that security threat detection systems using signatures, lists or behavioral patterns are updated across all infrastructure components within industry-accepted time frames? |
Threat and Vulnerability Management Vulnerability / Patch Management |
Policies and procedures shall be established, and supporting processes and technical measures implemented, for timely detection of vulnerabilities within organizationally-owned or managed applications, infrastructure network and system components (e.g., network vulnerability assessment, penetration testing) to ensure the efficiency of implemented security controls. A risk-based model for prioritizing remediation of identified vulnerabilities shall be used. Changes shall be managed through a change management process for all vendor-supplied patches, configuration changes, or changes to the organization's internally developed software. Upon request, the provider informs the customer (tenant) of policies and procedures and identified weaknesses, especially if customer (tenant) data is used as part of the service and/or the customer (tenant) has some shared responsibility over implementation of the control. |
TVM-02.1 | Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices? |
TVM-02.2 | Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices? |
TVM-02.3 | Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices? |
TVM-02.4 | Will you make the results of vulnerability scans available to tenants at their request? |
TVM-02.5 | Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications and systems? |
TVM-02.6 | Will you provide your risk-based systems patching time frames to your tenants upon request? |
Threat and Vulnerability Management Mobile Code |
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of unauthorized mobile code, defined as software transferred between systems over a trusted or untrusted network and executed on a local system without explicit installation or execution by the recipient, on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components. |
TVM-03.1 | Is mobile code authorized before its installation and use, and the code configuration checked, to ensure that the authorized mobile code operates according to a clearly defined security policy? |
TVM-03.2 | Is all unauthorized mobile code prevented from executing? |