阿里相关认证
aliyun各位工程师
你们好!
我公司邮箱及虚拟服务器都是用贵司产品。现应我司客户需要提供一些云及邮箱安全防护认证及报告信息,烦请aliyun各位工程师帮们提供完成(附截屏)。十分感谢!
Control Criteria控制标准
Question问题
Sub-Question子问题
Answer (YES/NO)回答(是/否)
Attach evidence and supporting documentation附上证据和证明文件
Instructions to answer回答说明
Instructions to review审查说明
Related supporting documentation相关支持文档
Risk score风险评分
Risk Assurance Score风险保证分数
Final evaluation最终评估
Are there independent security certifications available for review?是否有可供审查的独立安全认证?
ISO27001
Check applicable response, attach documentation检查适用的回复,附上文档
It is considered adequate if vendor provides:
- Certificate or Report如果供应商提供:- 证书或报告 12 0 SOC 2 (DC,云,基础设施或应用) Check applicable response, attach documentation检查适用的回复,附上文档 It is considered adequate if vendor provides:
- Report如果供应商提供:
- 报告 10 0 Penetration testing渗透测试 Check applicable response, attach documentation检查适用的回复,附上文档 It is considered adequate if vendor provides:
- Report not older than a year
- Critical and High vulnerabilities remediated如果供应商提供:
- 报告不超过一年
- 修复了严重漏洞和高漏洞 12 0 Is the solution hosted in?该解决方案是否托管? HP CSO惠普计算机服务机构 Checkmark applicable response选中适用的回复 it is considered adequate if vendor confirms that cloud services is hosted by: HP CSO如果供应商确认云服务由以下人员托管,则认为是足够的:HP CSO 6 0 Amazon AWS亚马逊AWS Checkmark applicable response选中适用的回复 it is considered adequate if vendor confirms that cloud services is hosted by: AWS如果供应商确认云服务由以下人员托管,则认为是足够的:AWS 0 Microsoft Azure Checkmark applicable response选中适用的回复 it is considered adequate if vendor confirms that cloud services is hosted by: Microsoft Azure如果供应商确认云服务由以下人员托管,则认为是足够的:Microsoft Azure 0 Other Cloud其他云 Checkmark applicable response选中适用的回复 0 0 Not Cloud (Data Center)非云(数据中心) Checkmark applicable response选中适用的回复 0 0 Data breach or security incident notification process数据泄露或安全事件通知流程 Is there data breach or security incident notification process?是否存在数据泄露或安全事件通知流程? Checkmark, include details选中标记,包括详细信息 Notification expected within 24 hrs after due dilligence investigation performed by vendor and no later than 72 hrs在供应商进行尽职调查后24小时内,不迟于72小时发出通知 - SOC 2 4 0 Does network security include:网络安全包括: Firewalls?防火墙? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if vendor provides:
- Architecture diagram如果供应商提供:
- 架构图
And if Firewalls should not contain open unsecure services ports such as:
- Telnet port 23
- FTP port 21
- POP3 port 110
- SNMP 161如果防火墙不应包含开放的不安全服务端口,例如: - Telnet端口23
- FTP端口21
- POP3端口110
- SNMP 161
SOC 2
- Network diagram网络图 3 0 IDS/IPS? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if vendor provides:
- Architecture diagram where demonstrate IDS/IPS is included如果供应商提供:
- 包含演示IDS / IPS的架构图 - SOC 2
- Network diagram- 网络图 3 0 Does server security include:服务器安全包括: Patch management?补丁管理? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if vendor provides:
- Patch Management Process
It is considered implemented if server patches are up to date如果供应商提供:
- 补丁管理流程
如果服务器补丁是最新的,则认为已实施 - SOC 2 3 0 Supported OS version?支持的OS版本? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if vendor provides:
- OS licenses within End-of-Support如果供应商提供:
- 支持终止内的操作系统许可 - SOC 2 2 0 Antivirus?防病毒? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if vendor provides:
- Antivirus screenshots如果供应商提供:
- 防病毒截图 - SOC 2 3 0 Anti-malware?反恶意软件? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if vendor provides:
- Antimalware screenshots如果供应商提供:
- 反恶意软件截图 - SOC 2 2 0 Does access controls include:访问控制包括: User Management process?用户管理流程? Checkmark, include technical details选中标记,包括技术细节 It is considered coimplete if vendor provides:
- User Management Process如果供应商提供:
- 用户管理流程 - SOC 2 3 0 Password complexity?密码复杂性? Checkmark, include technical details选中标记,包括技术细节 It will be considered adequate if:
. accounts to be a minimum of eight characters.
- All user accounts including privileged accounts must be set to a maximum of 90 days
- prevent the reuse of the previous six passwords
- set account lockouts to six invalid logins and must remain locked out for 30 minutes before the account is enabled for use again as required by the PCI DSS.
- store passwords using one-way encryption or hashing with sufficient strength that a password cannot be decrypted into clear text.如果满足以下条件,将被认为是足够的: 帐号至少为八个字符。
- 包括特权帐户在内的所有用户帐户必须设置为最多90天
- 防止重复使用前六个密码
- 将帐户锁定设置为六次无效登录,并且必须保持锁定30分钟,然后才能根据PCI DSS的要求再次使用该帐户。
- 使用单向加密或散列来存储密码,其强度足以使密码无法解密为明文。 - SOC 2 3 0 Does the internal software development secure practices include: Secure session management?安全会话管理? Checkmark, include technical details选中标记,包括技术细节 It will be considered adequate if:
limit the number of unsuccessful login attempts allowed:
- Record unsuccessful attempts
- Force a time delay before further login attempts are allowed or reject any further attempts without specific authorization; (forcing a time delay is dependent on risk considerations, for example, 24x7 support outside of normal office hours)
- Disconnect data link connections
- Limit the maximum and minimum time allowed for the login procedure; if exceeded, the system should terminate the login如果符合以下条件,将被认为是
限制允许的不成功登录尝试次数:
- 记录尝试失败
- 在允许进一步登录尝试之前强制延迟一段时间,或在没有特别授权的情(强制延迟时间取决于风险因素,例如,正常办公时间以外的24x7支持)
- 断开数据链路连接
- 限制登录程序允许的最长和最短时间; 如果超过,系统应终止登录 - SOC 2 2 0 Validation against OWASP?验证OWASP? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if vendor provides:
- Penetration/Vulnerability assessent report without open CRITICAL or HIGH Vulnerabilities - SOC 2 3 0 Code vulnerability scans?代码漏洞扫描? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if vendor provides:
- Penetration/Vulnerability assessent report without open CRITICAL or HIGH Vulnerabilities - SOC 2 3 0 Do Cryptographics in place include:加密地图包括: Data encryption at rest?静态数据加密? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if solution:
- Encrypt database fields that contains PII or PCI Data如果解决方案为如下则被认为是足够的:
- 加密包含PII或PCI数据的数据库字段 6 0 Data encryption in-transit?传输中的数据加密? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if solution:
- Encrypt data transmision using HTTPS or TLS/SSL protocols如果解决方案为以下则被认为是足够的:
使用HTTPS或TLS/SSL协议加密数据传输 3 0 Use of TLS1.1 or higher?使用TLS1.1或更高版本? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if solution:
- Use TLS/SSL protocol version 1.1 or 1.2 如果解决方案为以下内容则被认为是足够的:
- 使用TLS / SSL协议版本1.1或1.2 3 0 Secure file transfer?安全的文件传输? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if solution:
- Encrypt data transmision using HTTPS, FTPS, SFTP or TLS/SSL protocols如果解决方案为以下内容,则被认为是足够的:
- 使用HTTPS,FTPS,SFTP或TLS / SSL协议加密数据传输 6 0 IPSS in placeIPSS到位 Is there IPSS/DNSS in place with the vendor?是否与供应商建立了IPSS / DNSS? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if BU provides:
- IPSS Signed如果BU提供,则认为是足够的:- IPSS签名 8 0 FINAL SCORE最终得分 100 0 Final Score最终得分 Low Impact Risk低影响风险 70-100 Medium Impact Risk中等影响风险 40-70 High Impact Risk高影响风险 0-40
- Certificate or Report如果供应商提供:- 证书或报告 12 0 SOC 2 (DC,云,基础设施或应用) Check applicable response, attach documentation检查适用的回复,附上文档 It is considered adequate if vendor provides:
- Report如果供应商提供:
- 报告 10 0 Penetration testing渗透测试 Check applicable response, attach documentation检查适用的回复,附上文档 It is considered adequate if vendor provides:
- Report not older than a year
- Critical and High vulnerabilities remediated如果供应商提供:
- 报告不超过一年
- 修复了严重漏洞和高漏洞 12 0 Is the solution hosted in?该解决方案是否托管? HP CSO惠普计算机服务机构 Checkmark applicable response选中适用的回复 it is considered adequate if vendor confirms that cloud services is hosted by: HP CSO如果供应商确认云服务由以下人员托管,则认为是足够的:HP CSO 6 0 Amazon AWS亚马逊AWS Checkmark applicable response选中适用的回复 it is considered adequate if vendor confirms that cloud services is hosted by: AWS如果供应商确认云服务由以下人员托管,则认为是足够的:AWS 0 Microsoft Azure Checkmark applicable response选中适用的回复 it is considered adequate if vendor confirms that cloud services is hosted by: Microsoft Azure如果供应商确认云服务由以下人员托管,则认为是足够的:Microsoft Azure 0 Other Cloud其他云 Checkmark applicable response选中适用的回复 0 0 Not Cloud (Data Center)非云(数据中心) Checkmark applicable response选中适用的回复 0 0 Data breach or security incident notification process数据泄露或安全事件通知流程 Is there data breach or security incident notification process?是否存在数据泄露或安全事件通知流程? Checkmark, include details选中标记,包括详细信息 Notification expected within 24 hrs after due dilligence investigation performed by vendor and no later than 72 hrs在供应商进行尽职调查后24小时内,不迟于72小时发出通知 - SOC 2 4 0 Does network security include:网络安全包括: Firewalls?防火墙? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if vendor provides:
- Architecture diagram如果供应商提供:
- 架构图
And if Firewalls should not contain open unsecure services ports such as:
- Telnet port 23
- FTP port 21
- POP3 port 110
- SNMP 161如果防火墙不应包含开放的不安全服务端口,例如: - Telnet端口23
- FTP端口21
- POP3端口110
- SNMP 161
SOC 2
- Network diagram网络图 3 0 IDS/IPS? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if vendor provides:
- Architecture diagram where demonstrate IDS/IPS is included如果供应商提供:
- 包含演示IDS / IPS的架构图 - SOC 2
- Network diagram- 网络图 3 0 Does server security include:服务器安全包括: Patch management?补丁管理? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if vendor provides:
- Patch Management Process
It is considered implemented if server patches are up to date如果供应商提供:
- 补丁管理流程
如果服务器补丁是最新的,则认为已实施 - SOC 2 3 0 Supported OS version?支持的OS版本? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if vendor provides:
- OS licenses within End-of-Support如果供应商提供:
- 支持终止内的操作系统许可 - SOC 2 2 0 Antivirus?防病毒? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if vendor provides:
- Antivirus screenshots如果供应商提供:
- 防病毒截图 - SOC 2 3 0 Anti-malware?反恶意软件? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if vendor provides:
- Antimalware screenshots如果供应商提供:
- 反恶意软件截图 - SOC 2 2 0 Does access controls include:访问控制包括: User Management process?用户管理流程? Checkmark, include technical details选中标记,包括技术细节 It is considered coimplete if vendor provides:
- User Management Process如果供应商提供:
- 用户管理流程 - SOC 2 3 0 Password complexity?密码复杂性? Checkmark, include technical details选中标记,包括技术细节 It will be considered adequate if:
. accounts to be a minimum of eight characters.
- All user accounts including privileged accounts must be set to a maximum of 90 days
- prevent the reuse of the previous six passwords
- set account lockouts to six invalid logins and must remain locked out for 30 minutes before the account is enabled for use again as required by the PCI DSS.
- store passwords using one-way encryption or hashing with sufficient strength that a password cannot be decrypted into clear text.如果满足以下条件,将被认为是足够的: 帐号至少为八个字符。
- 包括特权帐户在内的所有用户帐户必须设置为最多90天
- 防止重复使用前六个密码
- 将帐户锁定设置为六次无效登录,并且必须保持锁定30分钟,然后才能根据PCI DSS的要求再次使用该帐户。
- 使用单向加密或散列来存储密码,其强度足以使密码无法解密为明文。 - SOC 2 3 0 Does the internal software development secure practices include: Secure session management?安全会话管理? Checkmark, include technical details选中标记,包括技术细节 It will be considered adequate if:
limit the number of unsuccessful login attempts allowed:
- Record unsuccessful attempts
- Force a time delay before further login attempts are allowed or reject any further attempts without specific authorization; (forcing a time delay is dependent on risk considerations, for example, 24x7 support outside of normal office hours)
- Disconnect data link connections
- Limit the maximum and minimum time allowed for the login procedure; if exceeded, the system should terminate the login如果符合以下条件,将被认为是
限制允许的不成功登录尝试次数:
- 记录尝试失败
- 在允许进一步登录尝试之前强制延迟一段时间,或在没有特别授权的情(强制延迟时间取决于风险因素,例如,正常办公时间以外的24x7支持)
- 断开数据链路连接
- 限制登录程序允许的最长和最短时间; 如果超过,系统应终止登录 - SOC 2 2 0 Validation against OWASP?验证OWASP? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if vendor provides:
- Penetration/Vulnerability assessent report without open CRITICAL or HIGH Vulnerabilities - SOC 2 3 0 Code vulnerability scans?代码漏洞扫描? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if vendor provides:
- Penetration/Vulnerability assessent report without open CRITICAL or HIGH Vulnerabilities - SOC 2 3 0 Do Cryptographics in place include:加密地图包括: Data encryption at rest?静态数据加密? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if solution:
- Encrypt database fields that contains PII or PCI Data如果解决方案为如下则被认为是足够的:
- 加密包含PII或PCI数据的数据库字段 6 0 Data encryption in-transit?传输中的数据加密? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if solution:
- Encrypt data transmision using HTTPS or TLS/SSL protocols如果解决方案为以下则被认为是足够的:
使用HTTPS或TLS/SSL协议加密数据传输 3 0 Use of TLS1.1 or higher?使用TLS1.1或更高版本? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if solution:
- Use TLS/SSL protocol version 1.1 or 1.2 如果解决方案为以下内容则被认为是足够的:
- 使用TLS / SSL协议版本1.1或1.2 3 0 Secure file transfer?安全的文件传输? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if solution:
- Encrypt data transmision using HTTPS, FTPS, SFTP or TLS/SSL protocols如果解决方案为以下内容,则被认为是足够的:
- 使用HTTPS,FTPS,SFTP或TLS / SSL协议加密数据传输 6 0 IPSS in placeIPSS到位 Is there IPSS/DNSS in place with the vendor?是否与供应商建立了IPSS / DNSS? Checkmark, include technical details选中标记,包括技术细节 It is considered adequate if BU provides:
- IPSS Signed如果BU提供,则认为是足够的:- IPSS签名 8 0 FINAL SCORE最终得分 100 0 Final Score最终得分 Low Impact Risk低影响风险 70-100 Medium Impact Risk中等影响风险 40-70 High Impact Risk高影响风险 0-40
展开
收起
版权声明:本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。
相关问答
问答排行榜
最热
最新
相关课程
更多
推荐问答
