云控制矩陣4.0（中英版）本文由云安全聯(lián)盟大中華區(qū)（CSAGCR）CCM4.0翻譯專家組對《CloudControlsMatrixv4》進(jìn)行翻譯審校。翻譯審校工作專家（以下排名按字母先后排序）?2021云安全聯(lián)盟大中華區(qū)-保留所有權(quán)利。你可以在你的電腦上下載、儲存、展示、查看及打印，或者訪問云安全聯(lián)盟大中華區(qū)官網(wǎng)（）。但必須遵守以下條件a）本文僅可用作個(gè)人、信息獲取，非商業(yè)用途；（b）不得以任何方式篡改本文內(nèi)容c）本文不得轉(zhuǎn)發(fā)d）該商標(biāo)、版權(quán)或其他聲明不得刪除。在遵循中華人民共和國著作權(quán)法相關(guān)條款情況下合理使用本文內(nèi)容，使用時(shí)請注明引用于云安全聯(lián)盟大中華區(qū)。?2021云安全聯(lián)盟大中華區(qū)-版權(quán)所有第2頁官網(wǎng)：WWW.C-CSA.CN郵箱：INFO@C-CSA.CN公眾號：CSAGCRCLOUDCONTROLSMATRIXVERSION4.0ControlTitleCLOUDCONTROLSMATRIXVERSION4.0ControlTitleControlIDUpdatedControlSpecification控制措施控制編號更新的控制措施規(guī)范云控制矩陣4.0Audit&Assurance-A&A審計(jì)&保障AuditandAssurancePolicyandProcedures審計(jì)與保障的策略及規(guī)程A&A-01Establish,document,approve,communicate,apply,evaluateandmaintainauditandassurancepoliciesandproceduresandstandards.Reviewandupdatethepoliciesandproceduresatleastannually.建立、記錄、批準(zhǔn)、溝通、應(yīng)用、評估和維護(hù)審計(jì)和保障策略、規(guī)程和標(biāo)準(zhǔn)。至少每年一次審查和更新公司的策略和規(guī)程。IndependentAssessments獨(dú)立評估A&A-02Conductindependentauditandassuranceassessmentsaccordingtorelevantstandardsatleastannually.每年至少一次，根據(jù)相關(guān)標(biāo)準(zhǔn)進(jìn)行獨(dú)立審計(jì)和保障評估RiskBasedPlanningAssessment基于風(fēng)險(xiǎn)規(guī)劃評估A&A-03Performindependentauditandassuranceassessmentsaccordingtorisk-basedplansandpolicies.根據(jù)基于風(fēng)險(xiǎn)的計(jì)劃和策略執(zhí)行獨(dú)立的審計(jì)和保證評估RequirementsCompliance符合性需求A&A-04Verifycompliancewithallrelevantstandards,regulations,legal/contractual,andstatutoryrequirementsapplicabletotheaudit.驗(yàn)證符合所有適用于審計(jì)的相關(guān)標(biāo)準(zhǔn)、法規(guī)、法律/合同和法定要求AuditManagementProcess審計(jì)管理過程A&A-05DefineandimplementanAuditManagementprocesstosupportauditplanning,riskanalysis,securitycontrolassessment,conclusion,remediationschedules,reportgeneration,andreviewofpastreportsandsupportingevidence.定義和實(shí)施審計(jì)管理過程，以支持審計(jì)計(jì)劃、風(fēng)險(xiǎn)分析、安全控制評估、結(jié)論、補(bǔ)救計(jì)劃、報(bào)告生成，以及對過去報(bào)告和相關(guān)證據(jù)的審查。Remediation補(bǔ)救A&A-06Establish,document,approve,communicate,apply,evaluateandmaintainarisk-basedcorrectiveactionplantoremediateauditfindings,reviewandreportremediationstatustorelevantstakeholders.建立、記錄、批準(zhǔn)、溝通、應(yīng)用、評估和維護(hù)基于風(fēng)險(xiǎn)的糾正行動計(jì)劃，以修正審計(jì)發(fā)現(xiàn)，審查并向相關(guān)利益相關(guān)者報(bào)告修正狀況。Application&InterfaceSecurity-AIS應(yīng)用程序和接口安全ApplicationandInterfaceSecurityPolicyandProcedures應(yīng)用和接口安全策略和規(guī)程AIS-01Establish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresforapplicationsecuritytoprovideguidancetotheappropriateplanning,deliveryandsupportoftheorganization'sapplicationsecuritycapabilities.Reviewandupdatethepoliciesandproceduresatleastannually.建立、記錄、批準(zhǔn)、溝通、申請、評估和維護(hù)應(yīng)用程序安全策略和規(guī)程，為組織的應(yīng)用程序安全能力的適當(dāng)規(guī)劃、交付和支持提供指導(dǎo)。每年至少一次審查和更新公司的策略和規(guī)程。ApplicationSecurityBaselineRequirements應(yīng)用程序安全基線需求AIS-02Establish,documentandmaintainbaselinerequirementsforsecuringdifferentapplications.建立、記錄和維護(hù)保護(hù)不同應(yīng)用程序的基線要求。ApplicationSecurityMetrics應(yīng)用程序安全指標(biāo)AIS-03Defineandimplementtechnicalandoperationalmetricsinalignmentwithbusinessobjectives,securityrequirements,andcomplianceobligations.根據(jù)業(yè)務(wù)目標(biāo)、安全需求和合規(guī)義務(wù)，定義和實(shí)施技術(shù)和運(yùn)行的指標(biāo)。SecureApplicationDesignandDevelopment應(yīng)用程序安全設(shè)計(jì)和開發(fā)AIS-04DefineandimplementaSDLCprocessforapplicationdesign,development,deployment,andoperationinaccordancewithsecurityrequirementsdefinedbytheorganization.根據(jù)組織定義的安全需求，定義并實(shí)現(xiàn)應(yīng)用程序設(shè)計(jì)、開發(fā)、部署和運(yùn)行的SDLC過程AutomatedApplicationSecurityTesting自動應(yīng)用程序安全測試AIS-05Implementatestingstrategy,includingcriteriaforacceptanceofnewinformationsystems,upgradesandnewversions,whichprovidesapplicationsecurityassuranceandmaintainscompliancewhileenablingorganizationalspeedofdeliverygoals.Automatewhenapplicableandpossible.實(shí)現(xiàn)一個(gè)測試戰(zhàn)略，包括新的信息系統(tǒng)、升級和新版本的接受準(zhǔn)則，這提供了應(yīng)用程序的安全保障，并在實(shí)現(xiàn)組織交付速度目標(biāo)的同時(shí)保持遵從性。在適用和可能的情況下，自動化。AutomatedSecureApplicationDeployment自動應(yīng)用程序安全部署AIS-06Establishandimplementstrategiesandcapabilitiesforsecure,standardized,andcompliantapplicationdeployment.Automatewherepossible.為安全、標(biāo)準(zhǔn)化和兼容的應(yīng)用程序部署建立和實(shí)施戰(zhàn)略和能力。盡可能自動化。?2021云安全聯(lián)盟大中華區(qū)-版權(quán)所有第3頁官網(wǎng)：WWW.C-CSA.CN郵箱：INFO@C-CSA.CN公眾號：CSAGCRApplicationVulnerabilityRemediation應(yīng)用程序漏洞修復(fù)AIS-07Defineandimplementaprocesstoremediateapplicationsecurityvulnerabilities,automatingremediationwhenpossible.定義并實(shí)施修復(fù)應(yīng)用程序安全脆弱性的過程，并在可能時(shí)自動修復(fù)。ssCtiityMaagementndOpetinlRsilieeBCR業(yè)BusinessContinuityManagementPolicyandProcedures業(yè)務(wù)連續(xù)性管理策略和規(guī)程BCR-01Establish,document,approve,communicate,apply,evaluateandmaintainbusinesscontinuitymanagementandoperationalresiliencepoliciesandprocedures.Reviewandupdatethepoliciesandproceduresatleastannually.建立、歸檔、批準(zhǔn)、溝通、應(yīng)用、評估和維護(hù)業(yè)務(wù)連續(xù)性管理和運(yùn)營彈性策略和規(guī)程。每年至少審查和更新公司的策略和規(guī)程。RiskAssessmentandImpactAnalysis風(fēng)險(xiǎn)評估和影響分析BCR-02Determinetheimpactofbusinessdisruptionsandriskstoestablishcriteriafordevelopingbusinesscontinuityandoperationalresiliencestrategiesandcapabilities.確定業(yè)務(wù)中斷的風(fēng)險(xiǎn)和影響，為開發(fā)業(yè)務(wù)連續(xù)性和運(yùn)營彈性策略和能力建立標(biāo)準(zhǔn)。BusinessContinuityStrategy業(yè)務(wù)連續(xù)性策略BCR-03Establishstrategiestoreducetheimpactof,withstand,andrecoverfrombusinessdisruptionswithinriskappetite.在風(fēng)險(xiǎn)偏好范圍內(nèi)建立戰(zhàn)略，以減少、抵御和恢復(fù)業(yè)務(wù)中斷的影響。BusinessContinuityPlanning業(yè)務(wù)連續(xù)性計(jì)劃BCR-04Establish,document,approve,communicate,apply,evaluateandmaintainabusinesscontinuityplanbasedontheresultsoftheoperationalresiliencestrategiesandcapabilities.建立、記錄、批準(zhǔn)、溝通、應(yīng)用、評估和維護(hù)基于運(yùn)營彈性策略和能力結(jié)果的業(yè)務(wù)連續(xù)性計(jì)劃。Documentation文檔記錄BCR-05Develop,identify,andacquiredocumentationthatisrelevanttosupportthebusinesscontinuityandoperationalresilienceprograms.Makethedocumentationavailabletoauthorizedstakeholdersandreviewperiodically.開發(fā)、識別和獲取與支持業(yè)務(wù)連續(xù)性和運(yùn)營彈性計(jì)劃相關(guān)的文件。將文件提供給授權(quán)的利益相關(guān)者，并定期審查。BusinessContinuityExercises業(yè)務(wù)連續(xù)性的演習(xí)BCR-06Exerciseandtestbusinesscontinuityandoperationalresilienceplansatleastannuallyoruponsignificantchanges.至少每年或在重大變更時(shí)，對業(yè)務(wù)連續(xù)性和運(yùn)營彈性計(jì)劃進(jìn)行測試和演習(xí)。Communication溝通BCR-07Establishcommunicationwithstakeholdersandparticipantsinthecourseofbusinesscontinuityandresilienceprocedures.在業(yè)務(wù)連續(xù)性和韌性規(guī)程的過程中與利益相關(guān)者和參與者建立溝通。Backup備份BCR-08Periodicallybackupdatastoredinthecloud.Ensuretheconfidentiality,integrityandavailabilityofthebackup,andverifydatarestorationfrombackupforresiliency.定期備份存儲在云中的數(shù)據(jù)。確保備份的機(jī)密性、完整性和可用性；并為了韌性，驗(yàn)證從備份恢復(fù)的數(shù)據(jù)。DisasterResponsePlan災(zāi)難響應(yīng)計(jì)劃BCR-09Establish,document,approve,communicate,apply,evaluateandmaintainadisasterresponseplantorecoverfromnaturalandman-madedisasters.Updatetheplanatleastannuallyoruponsignificantchanges.建立、記錄、批準(zhǔn)、溝通、應(yīng)用、評估和維護(hù)災(zāi)難響應(yīng)計(jì)劃，以從自然和人為災(zāi)害中恢復(fù)。至少每年更新一次計(jì)劃，或在重大變更時(shí)更新。ResponsePlanExercise響應(yīng)計(jì)劃演習(xí)BCR-10Exercisethedisasterresponseplanannuallyoruponsignificantchanges,includingifpossiblelocalemergencyauthorities.每年或發(fā)生重大變化時(shí)演練災(zāi)難響應(yīng)計(jì)劃，如果可能，聯(lián)合當(dāng)?shù)貞?yīng)急官方機(jī)構(gòu)EquipmentRedundancy設(shè)備冗余BCR-11Supplementbusiness-criticalequipmentwithredundantequipmentindependentlylocatedatareasonableminimumdistanceinaccordancewithapplicableindustrystandards.根據(jù)適用的行業(yè)標(biāo)準(zhǔn)，用獨(dú)立設(shè)置的、合理的最小距離的冗余設(shè)備補(bǔ)充關(guān)鍵業(yè)務(wù)設(shè)備。ChageCtolandConfigatiMnagmntCCC變更控制和配置管理ChangeManagementPolicyandProcedures變更管理策略和規(guī)程CCC-01Establish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresformanagingtherisksassociatedwithapplyingchangestoorganizationassets,includingapplication,systems,infrastructure,configuration,etc.,regardlessofwhethertheassetsaremanagedinternallyorexternally(i.e.,outsourced).Reviewandupdatethepoliciesandproceduresatleastannually.建立、記錄、批準(zhǔn)、溝通、應(yīng)用、評估和維護(hù)用于變更管理的策略和規(guī)程，為管理申請變更對組織的相關(guān)風(fēng)險(xiǎn)，包括應(yīng)用程序、系統(tǒng)、基礎(chǔ)設(shè)施、配置等，無論資產(chǎn)是在內(nèi)部管理還是在外部管理（即外包）。至少每年審查和更新公司的策略和規(guī)程。QualityTesting質(zhì)量測試CCC-02Followadefinedqualitychangecontrol,approvalandtestingprocesswithestablishedbaselines,testing,andreleasestandards.遵循已制定的質(zhì)量變更控制、批準(zhǔn)和測試過程，以及已建立的基線、測試和發(fā)布標(biāo)準(zhǔn)。?2021云安全聯(lián)盟大中華區(qū)-版權(quán)所有第4頁官網(wǎng)：WWW.C-CSA.CN郵箱：INFO@C-CSA.CN公眾號：CSAGCRChangeManagementTechnology變更管理技術(shù)CCC-03Managetherisksassociatedwithapplyingchangestoorganizationassets,includingapplication,systems,infrastructure,configuration,etc.,regardlessofwhethertheassetsaremanagedinternallyorexternally(i.e.,outsourced).通過變更管理技術(shù)來管理組織資產(chǎn)變更相關(guān)的風(fēng)險(xiǎn)，包括應(yīng)用程序、系統(tǒng)、基礎(chǔ)架構(gòu)、配置等，無論資產(chǎn)是內(nèi)部管理的還是外部管理的（即外包）。UnauthorizedChangeProtection未經(jīng)授權(quán)的變更保護(hù)CCC-04Restricttheunauthorizedaddition,removal,update,andmanagementoforganizationassets.實(shí)施變更管理技術(shù)，限制未經(jīng)授權(quán)添加、刪除、更新和管理組織資產(chǎn)。ChangeAgreements變更協(xié)議CCC-05IncludeprovisionslimitingchangesdirectlyimpactingCSCsownedenvironments/tenantstoexplicitlyauthorizedrequestswithinservicelevelagreementsbetweenCSPsandCSCs.對于直接影響客戶環(huán)境或租戶環(huán)境的變更，在云服務(wù)提供商（CSP）和客戶（CSC）間的服務(wù)水平協(xié)議中，要包含限制條款，以明確授權(quán)請求。ChangeManagementBaseline變更管理基線CCC-06Establishchangemanagementbaselinesforallrelevantauthorizedchangesonorganizationassets.對于所有組織資產(chǎn)的變更授權(quán)建立變更管理基線。DetectionofBaselineDeviation基線偏差檢測CCC-07Implementdetectionmeasureswithproactivenotificationincaseofchangesdeviatingfromtheestablishedbaseline.實(shí)施基線偏離檢測，在在發(fā)生偏離既定基線的變化時(shí)主動告警。ExceptionManagement例外管理CCC-08Implementaprocedureforthemanagementofexceptions,includingemergencies,inthechangeandconfigurationprocess.AligntheprocedurewiththerequirementsofGRC-04:PolicyExceptionProcess.在變更和配置過程中實(shí)施一個(gè)例外管理規(guī)程（包括緊急情況）。該規(guī)程與“GRC-04：策略例外過程”的要求一致。ChangeRestoration變更恢復(fù)CCC-09Defineandimplementaprocesstoproactivelyrollbackchangestoapreviousknowngoodstateincaseoferrorsorsecurityconcerns.定義并實(shí)施過程，在變更出現(xiàn)錯(cuò)誤或安全問題時(shí)主動回退，并將系統(tǒng)/服務(wù)恢復(fù)到上一個(gè)已知的良好狀態(tài)。Cryptography,Encryption&KeyManagement密碼學(xué)、加密與密鑰管理EncryptionandKeyManagementPolicyandProcedures密碼學(xué)、加密與密鑰管理的策略及規(guī)程CEK-01Establish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresforCryptography,EncryptionandKeyManagement.Reviewandupdatethepoliciesandproceduresatleastannually.制定、記錄、批準(zhǔn)、交流、應(yīng)用、評估和維護(hù)密碼學(xué)、加密與密鑰管理的策略及規(guī)程。至少每年審查和更新策略及規(guī)程。CEKRolesandResponsibilities密碼學(xué)、加密與密鑰管理的作用及責(zé)任CEK-02Defineandimplementcryptographic,encryptionandkeymanagementrolesandresponsibilities.定義并實(shí)施密碼學(xué)、加密與密鑰管理的角色及責(zé)任。DataEncryption數(shù)據(jù)加密CEK-03Providecryptographicprotectiontodataat-restandin-transit,usingcryptographiclibrariescertifiedtoapprovedstandards.使用經(jīng)過標(biāo)準(zhǔn)認(rèn)證的密碼（算法）庫，為靜態(tài)和傳輸中的數(shù)據(jù)提供密碼保護(hù)。EncryptionAlgorithm加密算法CEK-04Useencryptionalgorithmsthatareappropriatefordataprotection,consideringtheclassificationofdata,associatedrisks,andusabilityoftheencryptiontechnology.考慮數(shù)據(jù)分級、相關(guān)風(fēng)險(xiǎn)和加密技術(shù)的可用性，使用適合數(shù)據(jù)保護(hù)的加密算法。EncryptionChangeManagement加密變更管理CEK-05Establishastandardchangemanagementprocedure,toaccommodatechangesfrominternalandexternalsources,forreview,approval,implementationandcommunicationofcryptographic,encryptionandkeymanagementtechnologychanges.建立標(biāo)準(zhǔn)的變更管理規(guī)程，以適應(yīng)來自內(nèi)部和外部的變更，用于審查、批準(zhǔn)、執(zhí)行和通報(bào)密碼學(xué)、加密與密鑰管理技術(shù)的變更。EncryptionChangeCostBenefitAnalysis加密變更成本效益分析CEK-06Manageandadoptchangestocryptography-,encryption-,andkeymanagement-relatedsystems(includingpoliciesandprocedures)thatfullyaccountfordownstreameffectsofproposedchanges,includingresidualrisk,cost,andbenefitsanalysis.管理和采用對密碼學(xué)、加密與密鑰管理相關(guān)系統(tǒng)（包括策略及規(guī)程）的變更，以充分考慮擬議變更的下游影響，包括剩余風(fēng)險(xiǎn)、成本和效益分析。?2021云安全聯(lián)盟大中華區(qū)-版權(quán)所有第5頁官網(wǎng)：WWW.C-CSA.CN郵箱：INFO@C-CSA.CN公眾號：CSAGCREncryptionRiskManagement加密風(fēng)險(xiǎn)管理CEK-07Establishandmaintainanencryptionandkeymanagementriskprogramthatincludesprovisionsforriskassessment,risktreatment,riskcontext,monitoring,andfeedback.建立并維護(hù)一個(gè)加密和密鑰管理風(fēng)險(xiǎn)程序，包括風(fēng)險(xiǎn)評估、風(fēng)險(xiǎn)處理、風(fēng)險(xiǎn)關(guān)聯(lián)、監(jiān)控和反饋的規(guī)定。CSCKeyManagementCapabiilityCSC密鑰管理能力CEK-08CSPsmustprovidethecapabilityforCSCstomanagetheirowndataencryptionkeys.云服務(wù)提供商（CSP）必須為客戶（CSC）提供管理自己的數(shù)據(jù)加密密鑰的能力。EncryptionandKeyManagementAudit加密與密鑰管理審計(jì)CEK-09Auditencryptionandkeymanagementsystems,policies,andprocesseswithafrequencythatisproportionaltotheriskexposureofthesystemwithauditoccurringpreferablycontinuouslybutatleastannuallyandafteranysecurityevent(s).審計(jì)加密和密鑰管理系統(tǒng)、策略和規(guī)程的頻率與系統(tǒng)的風(fēng)險(xiǎn)暴露程度成正比，審計(jì)最好是連續(xù)進(jìn)行，但至少每年一次，并在任何安全事態(tài)后進(jìn)行。KeyGeneration密鑰生成CEK-10GenerateCryptographickeysusingindustryacceptedcryptographiclibrariesspecifyingthealgorithmstrengthandtherandomnumbergeneratorused.使用行業(yè)認(rèn)可的密碼（算法）庫生成加密密鑰，指定算法強(qiáng)度和使用的隨機(jī)數(shù)生成器。KeyPurpose密鑰用途CEK-11Managecryptographicsecretandprivatekeysthatareprovisionedforauniquepurpose.管理為特殊用途而準(zhǔn)備的密鑰和私鑰。KeyRotation密鑰輪換CEK-12Rotatecryptographickeysinaccordancewiththecalculatedcryptoperiod,whichincludesprovisionsforconsideringtheriskofinformationdisclosureandlegalandregulatoryrequirements.按照計(jì)算出的加密周期輪換密鑰，其中包括考慮信息披露風(fēng)險(xiǎn)和法律及監(jiān)管要求的規(guī)定。KeyRevocation密鑰廢除CEK-13Define,implementandevaluateprocesses,proceduresandtechnicalmeasurestorevokeandremovecryptographickeyspriortotheendofitsestablishedcryptoperiod,whenakeyiscompromised,oranentityisnolongerpartoftheorganization,whichincludeprovisionsforlegalandregulatoryrequirements.定義、執(zhí)行和評估在既定的加密期結(jié)束前、在密鑰泄密時(shí)或在某一實(shí)體不再是組織的一部分時(shí)，撤銷及刪除密鑰的過程、規(guī)程和技術(shù)措施，其中包括法律和監(jiān)管要求的規(guī)定。KeyDestruction密鑰銷毀CEK-14Define,implementandevaluateprocesses,proceduresandtechnicalmeasurestodestroykeysstoredoutsideasecureenvironmentandrevokekeysstoredinHardwareSecurityModules(HSMs)whentheyarenolongerneeded,whichincludeprovisionsforlegalandregulatoryrequirements.定義、執(zhí)行和評估銷毀儲存在安全環(huán)境之外的密鑰和在不再需要時(shí)撤銷儲存在硬件安全模塊中的密鑰的過程、規(guī)程和技術(shù)措施，其中包括法律和監(jiān)管要求的規(guī)定。KeyActivation密鑰激活CEK-15Define,implementandevaluateprocesses,proceduresandtechnicalmeasurestocreatekeysinapre-activatedstatewhentheyhavebeengeneratedbutnotauthorizedforuse,whichincludeprovisionsforlegalandregulatoryrequirements.定義、執(zhí)行和評估在密鑰已生成但未被授權(quán)使用時(shí)，在預(yù)激活狀態(tài)下生成密鑰的過程、規(guī)程和技術(shù)措施，其中包括法律和監(jiān)管要求的規(guī)定。KeySuspension密鑰停止CEK-16Define,implementandevaluateprocesses,proceduresandtechnicalmeasurestomonitor,reviewandapprovekeytransitionsfromanystateto/fromsuspension,whichincludeprovisionsforlegalandregulatoryrequirements.定義、執(zhí)行和評估監(jiān)測、審查和批準(zhǔn)密鑰從任何狀態(tài)到/從暫停狀態(tài)的關(guān)鍵過渡的過程、規(guī)程和技術(shù)措施，其中包括法律和監(jiān)管要求的規(guī)定。KeyDeactivation密鑰注銷CEK-17Define,implementandevaluateprocesses,proceduresandtechnicalmeasurestodeactivatekeysatthetimeoftheirexpirationdate,whichincludeprovisionsforlegalandregulatoryrequirements.定義、執(zhí)行和評估在密鑰到期時(shí)停用密鑰的過程、規(guī)程和技術(shù)措施，其中包括法律和監(jiān)管要求的規(guī)定。KeyArchival密鑰歸檔CEK-18Define,implementandevaluateprocesses,proceduresandtechnicalmeasurestomanagearchivedkeysinasecurerepositoryrequiringleastprivilegeaccess,whichincludeprovisionsforlegalandregulatoryrequirements.定義、執(zhí)行和評估管理需要最低權(quán)限訪問的安全儲存庫中已歸檔密鑰的過程、規(guī)程和技術(shù)措施，其中包括法律和監(jiān)管要求的規(guī)定。KeyCompromise密鑰泄密CEK-19Define,implementandevaluateprocesses,proceduresandtechnicalmeasurestousecompromisedkeystoencryptinformationonlyincontrolledcircumstance,andthereafterexclusivelyfordecryptingdataandneverforencryptingdata,whichincludeprovisionsforlegalandregulatoryrequirements.定義、執(zhí)行和評估僅在受控情況下使用泄密密鑰對信息進(jìn)行加密，及此后僅用于對數(shù)據(jù)進(jìn)行解密，絕不用于對數(shù)據(jù)進(jìn)行加密的過程、規(guī)程和技術(shù)措施，其中包括法律和監(jiān)管要求的規(guī)定。?2021云安全聯(lián)盟大中華區(qū)-版權(quán)所有第6頁官網(wǎng)：WWW.C-CSA.CN郵箱：INFO@C-CSA.CN公眾號：CSAGCRKeyRecovery密鑰找回CEK-20Define,implementandevaluateprocesses,proceduresandtechnicalmeasurestoassesstherisktooperationalcontinuityversustheriskofthekeyingmaterialandtheinformationitprotectsbeingexposedifcontrolofthekeyingmaterialislost,whichincludeprovisionsforlegalandregulatoryrequirements.定義、執(zhí)行和評估在失去對密鑰材料的控制時(shí)，業(yè)務(wù)連續(xù)性風(fēng)險(xiǎn)與密鑰材料及其保護(hù)的信息暴露風(fēng)險(xiǎn)的過程、規(guī)程和技術(shù)措施，其中包括法律和監(jiān)管要求的規(guī)定。KeyInventoryManagement密鑰清單管理CEK-21Define,implementandevaluateprocesses,proceduresandtechnicalmeasuresinorderforthekeymanagementsystemtotrackandreportallcryptographicmaterialsandchangesinstatus,whichincludeprovisionsforlegalandregulatoryrequirements.定義、執(zhí)行和評估使密鑰管理系統(tǒng)能夠跟蹤和報(bào)告所有密碼材料和狀態(tài)的變化的過程、規(guī)程和技術(shù)措施，其中包括法律和監(jiān)管要求的規(guī)定。DatacenterSecurity-DCS數(shù)據(jù)中心安全Off-SiteEquipmentDisposalPolicyandProcedures處置場外設(shè)備的策略和規(guī)程DCS-01Establish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresforthesecuredisposalofequipmentusedoutsidetheorganization'spremises.Iftheequipmentisnotphysicallydestroyedadatadestructionprocedurethatrendersrecoveryofinformationimpossiblemustbeapplied.Reviewandupdatethepoliciesandproceduresatleastannually.建立、記錄、批準(zhǔn)、溝通、應(yīng)用、評估和維護(hù)用于安全處置組織場所以外設(shè)備的策略和規(guī)程。如果設(shè)備未被物理銷毀，則必須采用數(shù)據(jù)銷毀規(guī)程，使信息無法恢復(fù)。每年至少審查和更新公司的策略和規(guī)程。Off-SiteTransferAuthorizationPolicyandProcedures場外傳輸授權(quán)策略和規(guī)程DCS-02Establish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresfortherelocationortransferofhardware,software,ordata/informationtoanoffsiteoralternatelocation.Therelocationortransferrequestrequiresthewrittenorcryptographicallyverifiableauthorization.Reviewandupdatethepoliciesandproceduresatleastannually.建立、記錄、批準(zhǔn)、溝通、應(yīng)用、評估和維護(hù)用于硬件、軟件或數(shù)據(jù)/信息搬遷或傳輸?shù)綀鐾饣騻溆梦恢玫牟呗院鸵?guī)程。搬遷或傳輸?shù)綀鐾庵氨仨毥?jīng)過書面或可加密驗(yàn)證的授權(quán)。至少每年一次審查和更新公司的策略和規(guī)程。SecureAreaPolicyandProcedures安全區(qū)策略和規(guī)程DCS-03Establish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresformaintainingasafeandsecureworkingenvironmentinoffices,rooms,andfacilities.Reviewandupdatethepoliciesandproceduresatleastannually.建立、記錄、批準(zhǔn)、溝通、應(yīng)用、評估和維護(hù)用于辦公室、房間和設(shè)施內(nèi)維護(hù)安全工作環(huán)境的策略和規(guī)程。至少每年一次審查和更新公司的策略和規(guī)程。SecureMediaTransportationPolicyandProcedures安全的媒介傳輸策略和規(guī)程DCS-04Establish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresforthesecuretransportationofphysicalmedia.Reviewandupdatethepoliciesandproceduresatleastannually.建立、記錄、批準(zhǔn)、溝通、應(yīng)用、評估和維護(hù)用于安全傳輸物理媒介的策略和規(guī)程。至少每年一次審查和更新公司的策略和規(guī)程。AssetsClassification資產(chǎn)分級DCS-05Classifyanddocumentthephysical,andlogicalassets(e.g.,applications)basedontheorganizationalbusinessrisk.根據(jù)組織業(yè)務(wù)風(fēng)險(xiǎn)對物理和邏輯資產(chǎn)（例如應(yīng)用程序）進(jìn)行分級和記錄。AssetsCataloguingandTracking資產(chǎn)分類與跟蹤DCS-06CatalogueandtrackallrelevantphysicalandlogicalassetslocatedatalloftheCSP'ssiteswithinasecuredsystem.記錄并跟蹤每一個(gè)安全系統(tǒng)中所有位于云服務(wù)提供商站點(diǎn)的所有物理和邏輯資產(chǎn)。ControlledAccessPoints受控接入點(diǎn)DCS-07Implementphysicalsecurityperimeterstosafeguardpersonnel,data,andinformationsystems.Establishphysicalsecurityperimetersbetweentheadministrativeandbusinessareasandthedatastorageandprocessingfacilitiesareas.實(shí)施物理安全邊界以保護(hù)人員、數(shù)據(jù)和信息系統(tǒng)。在管理區(qū)域和業(yè)務(wù)區(qū)域以及數(shù)據(jù)存儲區(qū)域和數(shù)據(jù)處理區(qū)域之間建立物理安全邊界。EquipmentIdentification設(shè)備標(biāo)識DCS-08Useequipmentidentificationasamethodforconnectionauthentication.使用設(shè)備標(biāo)識作為連接身份鑒別的方法。SecureAreaAuthorization安全區(qū)域授權(quán)DCS-09Allowonlyauthorizedpersonnelaccesstosecureareas,withallingressandegresspointsrestricted,documented,andmonitoredbyphysicalaccesscontrolmechanisms.Retainaccesscontrolrecordsonaperiodicbasisasdeemedappropriatebytheorganization.只允許授權(quán)人員訪問安全區(qū)域，通過物理訪問控制機(jī)制限制、記錄和監(jiān)視所有入口和出口。按組織要求保留訪問控制記錄。SurveillanceSystem監(jiān)視系統(tǒng)DCS-10Implement,maintain,andoperatedatacentersurveillancesystemsattheexternalperimeterandatalltheingressandegresspointstodetectunauthorizedingressandegressattempts.在外部邊界以及所有入口和出口點(diǎn)實(shí)施、維護(hù)和運(yùn)行數(shù)據(jù)中心監(jiān)視系統(tǒng)，以檢測未經(jīng)授權(quán)的出入嘗試。?2021云安全聯(lián)盟大中華區(qū)-版權(quán)所有第7頁官網(wǎng)：WWW.C-CSA.CN郵箱：INFO@C-CSA.CN公眾號：CSAGCRUnauthorizedAccessResponseTraining未授權(quán)訪問響應(yīng)培訓(xùn)DCS-11Traindatacenterpersonneltorespondtounauthorizedingressoregressattempts.培訓(xùn)數(shù)據(jù)中心的人員響應(yīng)未授權(quán)的出入嘗試。CablingSecurity布線安全DCS-12Define,implementandevaluateprocesses,proceduresandtechnicalmeasuresthatensurearisk-basedprotectionofpowerandtelecommunicationcablesfromathreatofinterception,interferenceordamageatallfacilities,officesandrooms.定義、實(shí)施、評估過程、規(guī)程和技術(shù)措施，以確保所有設(shè)施、辦公室、房間的電力和電信電纜有基于風(fēng)險(xiǎn)的保護(hù)，不會受到攔截、干擾或損壞的威脅。EnvironmentalSystems環(huán)境系統(tǒng)DCS-13Implementandmaintaindatacenterenvironmentalcontrolsystemsthatmonitor,maintainandtestforcontinualeffectivenessthetemperatureandhumidityconditionswithinacceptedindustrystandards.實(shí)施和維護(hù)數(shù)據(jù)中心環(huán)境控制系統(tǒng)，以監(jiān)控、維護(hù)和測試溫度和濕度控制的是否符合業(yè)界標(biāo)準(zhǔn)以及控制的持續(xù)有效性。SecureUtilities安全的公用事業(yè)DCS-14Secure,monitor,maintain,andtestutilitiesservicesforcontinualeffectivenessatplannedintervals.定期監(jiān)控、維護(hù)和測試公用事業(yè)（設(shè)施）的安全，確保其能夠提供持續(xù)的服務(wù)。EquipmentLocation設(shè)備位置DCS-15Keepbusiness-criticalequipmentawayfromlocationssubjecttohighprobabilityforenvironmentalriskevents.使關(guān)鍵業(yè)務(wù)設(shè)備遠(yuǎn)離極易發(fā)生環(huán)境風(fēng)險(xiǎn)事態(tài)的位置。DataSecurityandPrivacyLifecycleManagement-DSP數(shù)據(jù)安全和隱私生命周期管理SecurityandPrivacyPolicyandProcedures安全、隱私策略和程序DSP-01Establish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresfortheclassification,protectionandhandlingofdatathroughoutitslifecycle,andaccordingtoallapplicablelawsandregulations,standards,andrisklevel.Reviewandupdatethepoliciesandproceduresatleastannually.根據(jù)所有適用的法律法規(guī)、標(biāo)準(zhǔn)和風(fēng)險(xiǎn)等級，建立、記錄、批準(zhǔn)、溝通、應(yīng)用、評估和維護(hù)在數(shù)據(jù)的整個(gè)生命周期中對數(shù)據(jù)進(jìn)行分級、保護(hù)和處理的策略和規(guī)程。至少每年審查和更新策略和規(guī)程。SecureDisposal安全處置DSP-02Applyindustryacceptedmethodsforthesecuredisposalofdatafromstoragemediasuchthatdataisnotrecoverablebyanyforensicmeans.應(yīng)用業(yè)界公認(rèn)的方法來安全處置存儲介質(zhì)中的數(shù)據(jù)，使數(shù)據(jù)無法通過任何取證手段恢復(fù)。DataInventory數(shù)據(jù)清單DSP-03Createandmaintainadatainventory,atleastforanysensitivedataandpersonaldata.創(chuàng)建和維護(hù)一個(gè)至少針對任何敏感數(shù)據(jù)和個(gè)人數(shù)據(jù)的數(shù)據(jù)清單。DataClassification數(shù)據(jù)分級DSP-04Classifydataaccordingtoitstypeandsensitivitylevel.根據(jù)數(shù)據(jù)類型和敏感程度對數(shù)據(jù)進(jìn)行分級。DataFlowDocumentation數(shù)據(jù)流文檔DSP-05Createdataflowdocumentationtoidentifywhatdataisprocessed,storedortransmittedwhere.Reviewdataflowdocumentationatdefinedintervals,atleastannually,andafteranychange.創(chuàng)建數(shù)據(jù)流文檔，以確定在何處處理、存儲或傳輸哪些數(shù)據(jù)。在規(guī)定的時(shí)間間隔，至少每年，以及在任何變更之后，審查數(shù)據(jù)流文檔。DataOwnershipandStewardship數(shù)據(jù)所有權(quán)和管理權(quán)DSP-06Documentownershipandstewardshipofallrelevantdocumentedpersonalandsensitivedata.Performreviewatleastannually.記錄所有相關(guān)記錄的個(gè)人和敏感數(shù)據(jù)的所有權(quán)和管理權(quán)。至少每年進(jìn)行一次審查。DataProtectionbyDesignandDefault設(shè)計(jì)和默認(rèn)數(shù)據(jù)保護(hù)DSP-07Developsystems,products,andbusinesspracticesbaseduponaprincipleofsecuritybydesignandindustrybestpractices.根據(jù)設(shè)計(jì)安全原則和行業(yè)最佳實(shí)踐，開發(fā)系統(tǒng)、產(chǎn)品和業(yè)務(wù)實(shí)踐。DataPrivacybyDesignandDefault設(shè)計(jì)和默認(rèn)數(shù)據(jù)隱私DSP-08Developsystems,products,andbusinesspracticesbaseduponaprincipleofprivacybydesignandindustrybestpractices.Ensurethatsystems'privacysettingsareconfiguredbydefault,accordingtoallapplicablelawsandregulations.根據(jù)設(shè)計(jì)隱私原則和行業(yè)最佳實(shí)踐，開發(fā)系統(tǒng)、產(chǎn)品和業(yè)務(wù)實(shí)踐。根據(jù)所有適用的法律法規(guī)，確保系統(tǒng)的隱私設(shè)置默認(rèn)配置。DataProtectionImpactAssessment數(shù)據(jù)保護(hù)影響評估DSP-09ConductaDataProtectionImpactAssessment(DPIA)toevaluatetheorigin,nature,particularityandseverityoftherisksupontheprocessingofpersonaldata,accordingtoanyapplicablelaws,regulationsandindustrybestpractices.根據(jù)任何適用的法律、法規(guī)和行業(yè)最佳實(shí)踐執(zhí)行數(shù)據(jù)保護(hù)影響評估（DPIA）來評估處理個(gè)人數(shù)據(jù)時(shí)風(fēng)險(xiǎn)的來源、性質(zhì)、特殊性和嚴(yán)重性。SensitiveDataTransfer敏感數(shù)據(jù)傳輸DSP-10Define,implementandevaluateprocesses,proceduresandtechnicalmeasuresthatensureanytransferofpersonalorsensitivedataisprotectedfromunauthorizedaccessandonlyprocessedwithinscopeaspermittedbytherespectivelawsandregulations.定義、實(shí)施和評估過程、規(guī)程和技術(shù)措施，以確保個(gè)人或敏感數(shù)據(jù)在傳輸中不受未授權(quán)訪問并且僅在相關(guān)法律法規(guī)允許的范圍內(nèi)被處理。?2021云安全聯(lián)盟大中華區(qū)-版權(quán)所有第8頁官網(wǎng)：WWW.C-CSA.CN郵箱：INFO@C-CSA.CN公眾號：CSAGCRPersonalDataAccess,Reversal,RectificationandDeletion個(gè)人數(shù)據(jù)訪問，撤銷，糾正和刪除DSP-11Defineandimplement,processes,proceduresandtechnicalmeasurestoenabledatasubjectstorequestaccessto,modification,ordeletionoftheirpersonaldata,accordingtoanyapplicablelawsandregulations.根據(jù)任何適用的法律法規(guī)，定義和實(shí)施過程、規(guī)程和技術(shù)措施，以使數(shù)據(jù)主體能夠請求訪問、修改或刪除其個(gè)人數(shù)據(jù)。LimitationofPurposeinPersonalDataProcessing個(gè)人數(shù)據(jù)處理中的目的限制DSP-12Define,implementandevaluateprocesses,proceduresandtechnicalmeasurestoensurethatpersonaldataisprocessedaccordingtoanyapplicablelawsandregulationsandforthepurposesdeclaredtothedatasubject.定義、實(shí)施和評估過程、規(guī)程和技術(shù)措施，以確保個(gè)人數(shù)據(jù)的處理符合任何適用的法律法規(guī)和向數(shù)據(jù)主體聲明的目的。PersonalDataSub-processing個(gè)人數(shù)據(jù)子處理DSP-13Define,implementandevaluateprocesses,proceduresandtechnicalmeasuresforthetransferandsub-processingofpersonaldatawithintheservicesupplychain,accordingtoanyapplicablelawsandregulations.根據(jù)任何適用的法律法規(guī)，定義、實(shí)施和評估服務(wù)供應(yīng)鏈內(nèi)個(gè)人數(shù)據(jù)傳輸和子處理的過程、規(guī)程和技術(shù)措施。DisclosureofDataSub-processors披露數(shù)據(jù)子處理者DSP-14Define,implementandevaluateprocesses,proceduresandtechnicalmeasurestodisclosethedetailsofanypersonalorsensitivedataaccessbysub-processorstothedataownerpriortoinitiationofthatprocessing.定義、實(shí)施和評估過程、規(guī)程和技術(shù)措施，在數(shù)據(jù)開始處理之前，向數(shù)據(jù)所有者披露子處理者訪問任何個(gè)人或敏感數(shù)據(jù)的詳細(xì)信息。LimitationofProductionDataUse生產(chǎn)數(shù)據(jù)使用限制DSP-15Obtainauthorizationfromdataowners,andmanageassociatedriskbeforereplicatingorusingproductiondatainnon-productionenvironments.在非生產(chǎn)環(huán)境中復(fù)制或使用生產(chǎn)數(shù)據(jù)之前，請獲得數(shù)據(jù)所有者的授權(quán)，并管理相關(guān)風(fēng)險(xiǎn)。DataRetentionandDeletion數(shù)據(jù)保留和刪除DSP-16Dataretention,archivinganddeletionismanagedinaccordancewithbusinessrequirements,applicablelawsandregulations.數(shù)據(jù)保留、歸檔和刪除按照業(yè)務(wù)要求和適用的法律法規(guī)進(jìn)行管理。SensitiveDataProtection敏感數(shù)據(jù)保護(hù)DSP-17Defineandimplement,processes,proceduresandtechnicalmeasurestoprotectsensitivedatathroughoutit'slifecycle.定義和實(shí)施過程、規(guī)程和技術(shù)措施，以在敏感數(shù)據(jù)的整個(gè)生命周期中保護(hù)敏感數(shù)據(jù)。DisclosureNotification披露通知DSP-18TheCSPmusthaveinplace,anddescribetoCSCstheproceduretomanageandrespondtorequestsfordisclosureofPersonalDatabyLawEnforcementAuthoritiesaccordingtoapplicablelawsandregulations.TheCSPmustgivespecialattentiontothenotificationproceduretointerestedCSCs,unlessotherwiseprohibited,suchasaprohibitionundercriminallawtopreserveconfidentialityofalawenforcementinvestigation.云服務(wù)提供商必須制定并向云服務(wù)客戶說明管理和響應(yīng)執(zhí)法機(jī)構(gòu)根據(jù)適用法律法規(guī)披露個(gè)人數(shù)據(jù)請求的規(guī)程。云服務(wù)提供商必須特別注意向感興趣的云服務(wù)客戶發(fā)出通知的規(guī)程，除非另有禁止，例如刑法禁止為執(zhí)法調(diào)查保密。DataLocation數(shù)據(jù)位置DSP-19Defineandimplement,processes,proceduresandtechnicalmeasurestospecifyanddocumentthephysicallocationsofdata,includinganylocationsinwhichdataisprocessedorbackedup.定義和實(shí)施過程、規(guī)程和技術(shù)措施，以指定和記錄數(shù)據(jù)的物理位置，包括處理或備份數(shù)據(jù)的任何位置。Governance,RiskandCompliance-GRC治理、風(fēng)險(xiǎn)管理和合規(guī)GovernanceProgramPolicyandProcedures治理計(jì)劃策略和程序GRC-01Establish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresf