Alibaba Cloud Responses to CSA CAIQ v3.0.1

Control ID in CCM | Consensus Assessment Question | Yes/No/N/A | Notes

Application and Interface Security: Controls AIS-01 through AIS-04

AIS-01.1 | Application & Interface Security - Application Security
Question: Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)?
Answer: Yes
Notes: Alibaba Cloud has established a Secure Product Lifecycle (SPLC) for cloud products with reference to international standards such as ISO 27001 and the corresponding best practices. The SPLC is tailored to cloud products, and its goal is to integrate security into the entire product development lifecycle.

AIS-01.2 | Application & Interface Security - Application Security
Question: Do you use an automated source code analysis tool to detect security defects in code prior to production?
Answer: Yes
Notes: Alibaba Cloud follows the SPLC process and scans its code base with an automated code security scanning tool, ensuring that products that fail the code scan or the manual code security audit cannot be launched. Detailed control measures can be found in the SOC 2/3 report.

AIS-01.3 | Application & Interface Security - Application Security
Question: Do you use manual source-code analysis to detect security defects in code prior to production?
Answer: Yes
Notes: Alibaba Cloud follows the SPLC process and scans its code base with an automated code security scanning tool, ensuring that products that fail the code scan or the manual code security audit cannot be launched. Detailed control measures can be found in the SOC 2/3 report.

AIS-01.4 | Application & Interface Security - Application Security
Question: Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?
Answer: Yes
Notes: Alibaba Cloud has established a supplier management policy, and its security management requirements for suppliers specify the conformance expected of the supplier's information security management system. In addition, every cloud product must pass an architecture review, a security technology review and a compliance review before launch, so that scenarios involving third-party software vendors meet Alibaba Cloud's security requirements before the product goes online.

AIS-01.5 | Application & Interface Security - Application Security (SaaS only)
Question: Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?
Answer: Yes
Notes: Alibaba Cloud follows the SPLC process and scans its code base with an automated code security scanning tool, ensuring that products that fail the code scan or the manual code security audit cannot be launched. Detailed control measures can be found in the SOC 2/3 report.

AIS-02.1 | Application & Interface Security - Customer Access Requirements
Question: Are all identified security, contractual and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets and information systems?
Answer: Yes
Notes: Alibaba Cloud demonstrates the security capabilities of the cloud platform through customer-facing legal agreements, authoritative third-party audits/certifications and cloud security white papers.

AIS-02.2 | Application & Interface Security - Customer Access Requirements
Question: Are all requirements and trust levels for customers' access defined and documented?
Answer: Yes
Notes: Under the shared responsibility model, the security of applications built on Alibaba Cloud is the joint responsibility of Alibaba Cloud and its customers. Alibaba Cloud is responsible for the security of the underlying cloud service platform and for providing security products and capabilities to customers; customers are responsible for the security of the applications they build on Alibaba Cloud services.

AIS-03.1 | Application & Interface Security - Data Integrity
Question: Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?
Answer: Yes
Notes: Based on its data security management policies, Alibaba Cloud uses access control to ensure that only legitimate (or expected) users can modify data. In addition, verification (checksum) algorithms can be applied during data transmission and storage to strengthen the integrity protection of user data.

AIS-04.1 | Application & Interface Security - Data Security/Integrity
Question: Is your Data Security Architecture designed using an industry standard (e.g., CDSA, MULITSAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS)?
Answer: Yes
Notes: Alibaba Cloud has designed its data security architecture around the requirements of its own business operations, and the conformance of that architecture is demonstrated through authoritative third-party certifications such as ISO 27001 and SOC 2/3 reports.

Audit Assurance and Compliance: Controls AAC-01 through AAC-03

AAC-01.1 | Audit Assurance & Compliance - Audit Planning
Question: Do you produce audit assertions using a structured, industry accepted format (e.g., CloudAudit/A6 URI Ontology, CloudTrust, SCAP/CYBEX, GRC XML, ISACA's Cloud Computing Management Audit/Assurance Program, etc.)?
Answer: Yes
Notes: Alibaba Cloud has passed the certifications and audits of dozens of authoritative third-party bodies in China and abroad, such as ISO 27001 and SOC 2/3 reports.

AAC-02.1 | Audit Assurance & Compliance - Independent Audits
Question: Do you allow tenants to view your SOC 2/ISO 27001 or similar third-party auditor certification reports?
Answer: Yes
Notes: Alibaba Cloud has established channels to provide customers with SOC 2/3 reports and the ISO 27001 certificate. Certificates for domestic (China) business can be requested through Alibaba Cloud's ticketing system; certificates for international business can be obtained from the Trust Center on the official website.

AAC-02.2 | Audit Assurance & Compliance - Independent Audits
Question: Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
Answer: Yes
Notes: Alibaba Cloud has established a red team/blue team adversarial exercise program on the cloud platform side. It organizes experts with hacking skills into a blue team (the attacking side in these exercises), which applies attack techniques and penetration approaches without limits on time, technique or scope. Through periodic, real-world-style offensive and defensive exercises, the program identifies the weakest links of the cloud platform, objectively measures the level of Alibaba Cloud's security defense and threat detection capabilities, improves Alibaba Cloud's core security capabilities and strengthens the platform's defense system.

AAC-02.3 | Audit Assurance & Compliance - Independent Audits
Question: Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance?
Answer: Yes
Notes: Alibaba Cloud has established a red team/blue team adversarial exercise program on the cloud platform side. It organizes experts with hacking skills into a blue team (the attacking side in these exercises), which applies attack techniques and penetration approaches without limits on time, technique or scope. Through periodic, real-world-style offensive and defensive exercises, the program identifies the weakest links of the cloud platform, objectively measures the level of Alibaba Cloud's security defense and threat detection capabilities, improves Alibaba Cloud's core security capabilities and strengthens the platform's defense system.

AAC-02.4 | Audit Assurance & Compliance - Independent Audits
Question: Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
Answer: Yes
Notes: Alibaba Cloud performs regular internal audits based on compliance requirements and industry best practices.

AAC-02.5 | Audit Assurance & Compliance - Independent Audits
Question: Do you conduct external audits regularly as prescribed by industry best practices and guidance?
Answer: Yes
Notes: Alibaba Cloud performs regular external audits as required by authoritative third-party certifications and audits, such as SOC 1/2/3 and the ISO 27001 series.

AAC-02.6 | Audit Assurance & Compliance - Independent Audits
Question: Are the results of the penetration tests available to tenants at their request?
Answer: No
Notes: Penetration test results on the Alibaba Cloud platform side are followed up by the cloud platform itself.

AAC-02.7 | Audit Assurance & Compliance - Independent Audits
Question: Are the results of internal and external audits available to tenants at their request?
Answer: Yes
Notes: Alibaba Cloud regularly conducts internal audits and authoritative third-party audits. When a customer requires Alibaba Cloud's audit results, Alibaba Cloud provides them to the customer based on the customer's needs and on Alibaba Cloud's data security management requirements.

AAC-02.8 | Audit Assurance & Compliance - Independent Audits
Question: Do you have an internal audit program that allows for cross-functional audit of assessments?
Answer: Yes
Notes: Alibaba Cloud involves the various functional parties in its internal audit work so that the internal audit team can cover all areas of Alibaba Cloud.

AAC-03.1 | Audit Assurance & Compliance - Information System Regulatory Mapping
Question: Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?
Answer: Yes
Notes: Alibaba Cloud implements resource isolation between tenants through virtualization technologies, including CPU isolation, memory isolation, storage isolation and network isolation. In addition, Alibaba Cloud provides storage encryption capabilities that customers can use to encrypt data as needed; for example, EBS, OSS, RDS, Tablestore, NAS and MaxCompute all support storage encryption, and customers can use Alibaba Cloud's KMS product for key management.

AAC-03.2 | Audit Assurance & Compliance - Information System Regulatory Mapping
Question: Do you have the capability to recover data for a specific customer in the case of a failure or data loss?
Answer: Yes
Notes: Alibaba Cloud explains to customers in the product documentation the methods and limitations of the data recovery capabilities it provides.

AAC-03.3 | Audit Assurance & Compliance - Information System Regulatory Mapping
Question: Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?
Answer: Yes
Notes: Customers can select the Availability Zone in which their data is stored when purchasing a product.

AAC-03.4 | Audit Assurance & Compliance - Information System Regulatory Mapping
Question: Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements?
Answer: Yes
Notes: Alibaba Cloud continuously monitors business compliance to ensure that it keeps up with the changing external regulatory environment. Alibaba Cloud customers need to ensure their own compliance with the regulatory requirements that apply to their business.

Business Continuity Management and Operational Resilience: Controls BCR-01 through BCR-11

BCR-01.1 | Business Continuity Management & Operational Resilience - Business Continuity Planning
Question: Do you provide tenants with geographically resilient hosting options?
Answer: Yes
Notes: Alibaba Cloud provides multiple Availability Zones worldwide, and customers can choose specific Availability Zones according to their needs. For the latest Availability Zone status, see the Alibaba Cloud official website: https://www.alibabacloud.com/global-locations.

BCR-01.2 | Business Continuity Management & Operational Resilience - Business Continuity Planning
Question: Do you provide tenants with infrastructure service failover capability to other providers?
Answer: No
Notes: No, but customers can choose multiple Availability Zones (Multi-AZ) to implement a redundancy mechanism according to their own needs.

BCR-02.1 | Business Continuity Management & Operational Resilience - Business Continuity Testing
Question: Are business continuity plans subject to test at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness?
Answer: Yes
Notes: Alibaba Cloud has established business continuity plans with reference to international standards such as ISO 27001 and ISO 22301 and the corresponding best practices, and tests them regularly.

BCR-03.1 | Business Continuity Management & Operational Resilience - Datacenter Utilities/Environmental Conditions
Question: Do you provide tenants with documentation showing the transport route of their data between your systems?
Answer: No
Notes: Customers can choose the region or data center in which their data is stored. Whichever region or data center a customer chooses, the customer retains effective control over its data, and without the customer's authorization the data does not leave the chosen region or data center. All Alibaba Cloud data centers maintain corresponding network topology diagrams, but because this is sensitive internal information it is not disclosed to customers. However, customers who have signed an NDA can obtain the SOC 2/3 report from Alibaba Cloud to understand the summary of the corresponding network management controls.

BCR-03.2 | Business Continuity Management & Operational Resilience - Datacenter Utilities/Environmental Conditions
Question: Can tenants define how their data is transported and through which legal jurisdictions?
Answer: No
Notes: Customers can choose the Availability Zone in which their data is to be stored according to their needs, but cannot choose the path of the data flow.

BCR-04.1 | Business Continuity Management & Operational Resilience - Documentation
Question: Are information system documents (e.g., administrator and user guides, architecture diagrams, etc.) made available to authorized personnel to ensure configuration, installation and operation of the information system?
Answer: Yes
Notes: Alibaba Cloud establishes information system documentation in accordance with the relevant international standards, and authorized employees can access the corresponding documents.

BCR-05.1 | Business Continuity Management & Operational Resilience - Environmental Risks
Question: Is physical protection against damage (e.g., natural causes, natural disasters, deliberate attacks) anticipated and designed with countermeasures applied?
Answer: Yes
Notes: Corresponding physical protection mechanisms are established around each data center, and these mechanisms are checked regularly by third-party audits.

BCR-06.1 | Business Continuity Management & Operational Resilience - Equipment Location
Question: Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?
Answer: No
Notes: During the data center site selection phase, Alibaba Cloud assesses high-risk environments to ensure that data centers are not built in them.

BCR-07.1 | Business Continuity Management & Operational Resilience - Equipment Maintenance
Question: If using virtual infrastructure, does your cloud solution include independent hardware restore and recovery capabilities?
Answer: Yes
Notes: All hard drives in the data centers support hot-plugging.

BCR-07.2 | Business Continuity Management & Operational Resilience - Equipment Maintenance
Question: If using virtual infrastructure, do you provide tenants with a capability to restore a Virtual Machine to a previous state in time?
Answer: Yes
Notes: Alibaba Cloud Elastic Compute Service provides customers with snapshot and image capabilities, and customers can export or import images. For details, see the product documentation on the official website.

BCR-07.3 | Business Continuity Management & Operational Resilience - Equipment Maintenance
Question: If using virtual infrastructure, do you allow virtual machine images to be downloaded and ported to a new cloud provider?
Answer: Yes
Notes: Alibaba Cloud Elastic Compute Service provides customers with snapshot and image capabilities, and customers can export or import images. For details, see the product documentation on the official website.

BCR-07.4 | Business Continuity Management & Operational Resilience - Equipment Maintenance
Question: If using virtual infrastructure, are machine images made available to the customer in a way that would allow the customer to replicate those images in their own off-site storage location?
Answer: Yes
Notes: Alibaba Cloud Elastic Compute Service provides customers with snapshot and image capabilities, and customers can export or import images. For details, see the product documentation on the official website.

BCR-07.5 | Business Continuity Management & Operational Resilience - Equipment Maintenance
Question: Does your cloud solution include software/provider independent restore and recovery capabilities?
Answer: Yes
Notes: Alibaba Cloud provides cloud migration tools, and backups can be taken manually or on a schedule via EBS snapshots. For details, see the Alibaba Cloud Security White Paper.

BCR-08.1 | Business Continuity Management & Operational Resilience - Equipment Power Failures
Question: Are security mechanisms and redundancies implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.)?
Answer: Yes
Notes: Alibaba Cloud data centers are configured with redundancy and the corresponding protection mechanisms to reduce the possible impact of service failures. Related information can be found in the Alibaba Cloud SOC 2/3 audit report.

BCR-09.1 | Business Continuity Management & Operational Resilience - Impact Analysis
Question: Do you provide tenants with ongoing visibility and reporting of your operational Service Level Agreement (SLA) performance?
Answer: Yes
Notes: Alibaba Cloud provides the Cloud Monitor product, which lets customers view the running status of their resources visually.

BCR-09.2 | Business Continuity Management & Operational Resilience - Impact Analysis
Question: Do you make standards-based information security metrics (CSA, CAMM, etc.) available to your tenants?
Answer: Yes
Notes: The Cloud Monitor product lets customers view the corresponding monitoring data on a dashboard, and the corresponding compliance certifications can be downloaded from the Trust Center.

BCR-09.3 | Business Continuity Management & Operational Resilience - Impact Analysis
Question: Do you provide customers with ongoing visibility and reporting of your SLA performance?
Answer: Yes
Notes: Alibaba Cloud provides the Cloud Monitor product, which lets customers view the running status of their resources visually.

BCR-10.1 | Business Continuity Management & Operational Resilience - Policy
Question: Are policies and procedures established and made available for all personnel to adequately support services operations' roles?
Answer: Yes
Notes: Alibaba Cloud establishes its daily operation and maintenance documentation in accordance with the relevant international standards (such as ISO 9001/27001/27017/27018), and all Alibaba Cloud employees can access the corresponding documents according to their responsibilities.

BCR-11.1 | Business Continuity Management & Operational Resilience - Retention Policy
Question: Do you have technical control capabilities to enforce tenant data retention policies?
Answer: Yes
Notes: Alibaba Cloud describes the rules for data retention periods in the service agreement. In addition, Alibaba Cloud products give customers the ability to store and delete data, but control and management of the data are the customer's responsibility, and storage rules are configured by the customer according to their own needs.

BCR-11.2 | Business Continuity Management & Operational Resilience - Retention Policy
Question: Do you have a documented procedure for responding to requests for tenant data from governments or third parties?
Answer: Yes
Notes: Customers can generally request information such as Alibaba Cloud's qualifications and explanatory reports through the Alibaba Cloud ticket system, and Alibaba Cloud responds promptly to any reasonable customer request. Alibaba Cloud is also exploring further ways to increase transparency, such as passing internal operations that concern a specific customer through to that customer, in order to remove customers' doubts about any "black box" operations at a cloud provider. This approach, which goes beyond static disclosure to proactively deliver dynamic information to customers, is the long-term direction of Alibaba Cloud's transparency efforts.

BCR-11.3 | Business Continuity Management & Operational Resilience - Retention Policy
Question: Have you implemented backup or redundancy mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements?
Answer: Yes
Notes: Alibaba Cloud is responsible for infrastructure redundancy and backup mechanisms, and tests and verifies them regularly. Regular third-party audits also audit and confirm these mechanisms.

BCR-11.4 | Business Continuity Management & Operational Resilience - Retention Policy
Question: Do you test your backup or redundancy mechanisms at least annually?
Answer: Yes
Notes: Alibaba Cloud establishes redundancy and backup mechanisms in accordance with the relevant international standards (such as ISO 27001/22301) and tests them at least once a year.

BCR-11.5 | Business Continuity Management & Operational Resilience - Retention Policy
Question: Do you have technical control capabilities to enforce tenant data retention policies?
Answer: Yes
Notes: Alibaba Cloud regularly tests its redundancy and backup mechanisms. Customers need to configure the appropriate data retention period on the cloud products according to the purpose of their business scenario.

Change Control & Configuration Management: Controls CCC-01 through CCC-05

CCC-01.1 | Change Control & Configuration Management - New Development/Acquisition
Question: Are policies and procedures established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities?
Answer: Yes
Notes: Alibaba Cloud has established its documentation system in accordance with the relevant international standards (such as ISO 9001/27001/27017/27018), and customers can view the product operation manuals on the Alibaba Cloud official website.

CCC-01.2 | Change Control & Configuration Management - New Development/Acquisition
Question: Is documentation available that describes the installation, configuration and use of products/services/features?
Answer: Yes
Notes: Alibaba Cloud has established its documentation system in accordance with the relevant international standards (such as ISO 9001/27001/27017/27018), and customers can view the product operation manuals on the Alibaba Cloud official website.

CCC-02.1 | Change Control & Configuration Management - Outsourced Development
Question: Do you have controls in place to ensure that standards of quality are being met for all software development?
Answer: Yes
Notes: Although Alibaba Cloud has no outsourced products or software, it has still established a verification process in accordance with the relevant international standards.

CCC-02.2 | Change Control & Configuration Management - Outsourced Development
Question: Do you have controls in place to detect source code security defects for any outsourced software development activities?
Answer: Yes
Notes: Although Alibaba Cloud has no outsourced products or software, it has still established a verification process in accordance with the relevant international standards.

CCC-03.1 | Change Control & Configuration Management - Quality Testing
Question: Do you provide your tenants with documentation that describes your quality assurance process?
Answer: Yes
Notes: Alibaba Cloud has passed ISO 9001 certification, and third-party audits have confirmed that Alibaba Cloud has established quality management system documentation.

CCC-03.2 | Change Control & Configuration Management - Quality Testing
Question: Is documentation describing known issues with certain products/services available?
Answer: Yes
Notes: Alibaba Cloud has passed ISO 9001 certification, and third-party audits have confirmed that Alibaba Cloud has established quality management system documentation. In addition, product/service documentation is published on the documentation pages of the Alibaba Cloud official website.

CCC-03.3 | Change Control & Configuration Management - Quality Testing
Question: Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings?
Answer: Yes
Notes: Alibaba Cloud has passed ISO 9001 certification, and third-party audits have confirmed that Alibaba Cloud has established quality management system documentation.

CCC-03.4 | Change Control & Configuration Management - Quality Testing
Question: Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?
Answer: Yes
Notes: Alibaba Cloud has passed ISO 9001 certification, and third-party audits have confirmed that Alibaba Cloud has established quality management system documentation.

CCC-04.1 | Change Control & Configuration Management - Unauthorized Software Installations
Question: Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?
Answer: Yes
Notes: Unauthorized software may not be installed, and installations are monitored in real time; the corresponding controls are also audited and confirmed during the regular third-party audits.

CCC-05.1 | Change Control & Configuration Management - Production Changes
Question: Do you provide tenants with documentation that describes your production change management procedures and their roles/rights/responsibilities within it?
Answer: Yes
Notes: The corresponding information for customers is provided in Alibaba Cloud's SOC report and Security White Paper.

Data Security and Information Lifecycle Management: Controls DSI-01 through DSI-07

DSI-01.1 | Data Security & Information Lifecycle Management - Classification
Question: Do you provide a capability to identify virtual machines via policy tags/metadata (e.g., tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country)?
Answer: Yes
Notes: An Alibaba Cloud Elastic Compute Service (ECS) instance is a virtual computing environment that contains the most basic server components, such as CPU, memory, operating system, disk and bandwidth; it is the operating entity that ECS provides to each user. An instance is equivalent to a virtual machine. The user has administrator rights to the instances they create and can log in at any time to use and manage them.

DSI-01.2 | Data Security & Information Lifecycle Management - Classification
Question: Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag, etc.)?
Answer: Yes
Notes: Alibaba Cloud provides customers with the ability to tag ECS instances.

DSI-01.3 | Data Security & Information Lifecycle Management - Classification
Question: Do you have a capability to use system geographic location as an authentication factor?
Answer: Yes
Notes: Alibaba Cloud provides IP address-based access control for users, and customers can also apply IP address-based access control to their own users of Alibaba Cloud products.

DSI-01.4 | Data Security & Information Lifecycle Management - Classification
Question: Can you provide the physical location/geography of storage of a tenant's data upon request?
Answer: Yes
Notes: Alibaba Cloud gives customers the ability to choose the region in which a product is located, so the customer decides where its data is stored.

DSI-01.5 | Data Security & Information Lifecycle Management - Classification
Question: Can you provide the physical location/geography of storage of a tenant's data in advance?
Answer: Yes
Notes: Alibaba Cloud clearly shows customers the list of selectable product regions at purchase time. For example, the regions and Availability Zones of ECS are listed at https://help.aliyun.com/document_detail/123712.html.

DSI-01.6 | Data Security & Information Lifecycle Management - Classification
Question: Do you follow a structured data-labeling standard (e.g., ISO 15489, Oasis XML Catalog Specification, CSA data type guidance)?
Answer: Yes
Notes: Customers apply security controls to their own data and label it according to their business needs.

DSI-01.7 | Data Security & Information Lifecycle Management - Classification
Question: Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
Answer: Yes
Notes: Alibaba Cloud gives customers the ability to choose the region in which a product is located, so the customer decides where its data is stored.

DSI-02.1 | Data Security & Information Lifecycle Management - Data Inventory/Flows
Question: Do you inventory, document, and maintain data flows for data that is resident (permanent or temporary) within the services' applications and infrastructure network and systems?
Answer: Yes
Notes: Alibaba Cloud records all network data traffic.

DSI-02.2 | Data Security & Information Lifecycle Management - Data Inventory/Flows
Question: Can you ensure that data does not migrate beyond a defined geographical residency?
Answer: Yes
Notes: Alibaba Cloud gives customers the ability to choose the region in which a product is located, so the customer decides where its data is stored.

DSI-03.1 | Data Security & Information Lifecycle Management - e-Commerce Transactions
Question: Do you provide open encryption methodologies (3.4ES, AES, etc.) to tenants in order for them to protect their data if it is required to move through public networks (e.g., the Internet)?
Answer: Yes
Notes: Alibaba Cloud supports the use of open encryption algorithms in its cloud products. For details, see the Alibaba Cloud Security White Paper at https://security.aliyun.com/trust.

DSI-03.2 | Data Security & Information Lifecycle Management - e-Commerce Transactions
Question: Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)?
Answer: Yes
Notes: Alibaba Cloud products provide the SSL/TLS protocols for users to access (read and upload) data, securing data in transit. For example, when a user operates through the Alibaba Cloud console, the console uses HTTPS for data transmission. All Alibaba Cloud products provide customers with HTTPS-enabled API endpoints, with transport encryption using keys of up to 256 bits, meeting the requirements for encrypted transmission of sensitive data.

DSI-04.1 | Data Security & Information Lifecycle Management - Handling/Labeling/Security Policy
Question: Are policies and procedures established for labeling, handling and the security of data and objects that contain data?
Answer: Yes
Notes: Data that customers store in the cloud is managed and controlled by the customers in accordance with their own business needs and security policy processes.

DSI-04.2 | Data Security & Information Lifecycle Management - Handling/Labeling/Security Policy
Question: Are mechanisms for label inheritance implemented for objects that act as aggregate containers for data?
Answer: Yes
Notes: Data that customers store in the cloud is managed and controlled by the customers in accordance with their own business needs and security policy processes.

DSI-05.1 | Data Security & Information Lifecycle Management - Non-Production Data
Question: Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?
Answer: Yes
Notes: Alibaba Cloud has established a standardized internal process to ensure that production data from Alibaba Cloud's business is not used in non-production environments except where necessary. Customer data is controlled by the customer according to its own data security requirements.

DSI-06.1 | Data Security & Information Lifecycle Management - Ownership/Stewardship
Question: Are the responsibilities regarding data stewardship defined, assigned, documented and communicated?
Answer: Yes
Notes: Alibaba Cloud clearly states the boundary of data security responsibilities between Alibaba Cloud and its customers in the relevant legal agreement terms and in the Security White Paper.

DSI-07.1 | Data Security & Information Lifecycle Management - Secure Disposal
Question: Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data as determined by the tenant?
Answer: Yes
Notes: Alibaba Cloud has established a mechanism for secure data deletion. When a customer-facing service is terminated, the cloud service customer's data assets are deleted in a timely manner or returned to the customer as required by the relevant agreements.

DSI-07.2 | Data Security & Information Lifecycle Management - Secure Disposal
Question: Can you provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of tenant data once a customer has exited your environment or has vacated a resource?
Answer: Yes
Notes: Section 8.6 of the Alibaba Cloud Security White Paper describes data destruction.

DCS-01.1 | Datacenter Security - Asset Management
Question: Do you maintain a complete inventory of all of your critical assets that includes ownership of the asset?
Answer: Yes
Notes: Alibaba Cloud manages all of its assets through electronic systems.

DCS-01.2 | Datacenter Security - Asset Management
Question: Do you maintain a complete inventory of all of your critical supplier relationships?
Answer: Yes
Notes: Alibaba Cloud manages supplier resources through electronic systems.

DCS-02.1 | Datacenter Security - Controlled Access Points
Question: Are physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) implemented?
Answer: Yes
Notes: Alibaba Cloud manages physical security in accordance with the requirements of the relevant compliance certification standards, has established a series of physical security policies and procedures, and has set up a dedicated team to check that the physical security controls are implemented.
详见SOC2/3报告.
Yes,AlibabaCloudfollowstherequirementsofrelevantcompliancecertificationstandardsforphysicalsecuritymanagement,establishesaseriesofrulesandproceduresforphysicalsecurity,andsetsupadedicatedteamtochecktheimplementationofthephysicalsecuritymechanismcontrol.
SeetheSOC2/3reportfordetails.
DCS-03.
1:DatacenterSecurity-EquipmentIdentificationIsautomatedequipmentidentificationusedasamethodtovalidateconnectionauthenticationintegritybasedonknownequipmentlocationY是,阿里云遵循相关合规资质认证标准中的要求进行物理安全管理,建立了物理安全的系列规章制度、流程,并设立的专门的团队对物理安全机制的控制落实请款进行检查.
Yes,AlibabaCloudcomplieswiththerequirementsofrelevantcompliancecertificationstandardsforphysicalsecuritymanagement,establishesaseriesofrulesandproceduresforphysicalsecurity,andsetsupadedicatedteamtocheckthecontrolandimplementationofthephysicalsecuritymechanism.
DCS-04.
1:DatacenterSecurity-Off-SiteAuthorizationDoyouprovidetenantswithdocumentationthatdescribesscenariosinwhichdatamaybemovedfromonephysicallocationtoanother(e.
g.
,offsitebackups,businesscontinuityfailovers,replication)Y是,阿里云给客户提供了选择产品所在地域的能力,由客户自行决定其数据存储的地点.
Yes,AlibabaCloudprovidescustomerswiththeabilitytochoosethelocationoftheproduct,andthecustomerdecideswheretostoreitsdata.
DCS-05.
1:DatacenterSecurity-Off-SiteEquipmentCanyouprovidetenantswithevidencedocumentingyourpoliciesandproceduresgoverningassetmanagementandrepurposingofequipmentY是,阿里云依循相关国际标准(如ISO27001/CSA-STAR等)建立资产管理流程,包含资产识别、使用、汰换与销毁过程,可通过SOC2/3报告查看相关信息Yes,AlibabaCloudestablishesassetmanagementprocessesinaccordancewithrelevantinternationalstandards(suchasISO27001/CSA-STAR,etc.
),includingassetidentification,use,replacementanddestructionprocesses.
YoucanviewrelatedinformationthroughtheSOC2/3reportDCS-06.
1:DatacenterSecurity-PolicyCanyouprovideevidencethatpolicies,standardsandprocedureshavebeenestablishedformaintainingasafeandsecureworkingenvironmentinoffices,rooms,facilitiesandsecureareasY是,阿里云依循相关国际标准(如ISO27001/CSA-STAR等)建立机房安全管理流程,可通过SOC2/3报告查看相关信息Yes,AlibabaCloudestablishescomputerroomsecuritymanagementprocessesinaccordancewithrelevantinternationalstandards(suchasISO27001/CSA-STAR,etc.
),andrelevantinformationcanbeviewedthroughSOC2/3reportsDCS-06.
2:DatacenterSecurity-PolicyCanyouprovideevidencethatyourpersonnelandinvolvedthirdpartieshavebeentrainedregardingyourdocumentedpolicies,standardsandproceduresY是,阿里云对与数据中心运营相关的员工及第三方人员均进行相关的物理安全知识培训.
Yes,AlibabaCloudprovidesrelevantphysicalsecurityknowledgetrainingtoemployeesandthird-partypersonnelrelatedtodatacenteroperations.
DCS-07.
1:DatacenterSecurity-SecureAreaAuthorizationDoyouallowtenantstospecifywhichofyourgeographiclocationstheirdataisallowedtomoveinto/outof(toaddresslegaljurisdictionalconsiderationsbasedonwheredataisstoredvs.
accessed)Y是,阿里云给客户提供了选择产品所在地域的能力,由客户自行决定其数据存储的地点.
Yes,AlibabaCloudprovidescustomerswiththeabilitytochoosethelocationoftheproduct,andthecustomerdecideswheretostoreitsdata.
DCS-08.
1:DatacenterSecurity-UnauthorizedPersonsEntryAreingressandegresspoints,suchasserviceareasandotherpointswhereunauthorizedpersonnelmayenterthepremises,monitored,controlledandisolatedfromdatastorageandprocessY是,阿里云数据中心仅向本数据中心运维人员授予长期访问权限,一旦运维人员转岗或离职,权限立即清除.
其他人员若因为业务需求要进入数据中心,必须先提出申请,经各方主管审批通过后才能获取短期授权;每次出入需要出示证件并进行登记,且数据中心运维人员全程陪同.
阿里云数据中心内部划分机房包间、测电区域、库房间等区域,各个区域拥有独立的门禁系统,重要区域采用指纹等双因素认证,特定区域采用铁笼进行物理隔离.
阿里云园区和办公区均设置入口管控并划分单独的访客区,访客出入必须佩戴证件,且由阿里云员工陪同.
阿里云数据中心机房各区域设有安防监控系统,监控范围覆盖所有区域和通道,配有物业保安7*24小时巡逻.
所有视频监控和文档记录均会长期保存,且由专人定期复核.
Yes,theAlibabaClouddatacenteronlygrantslong-termaccessrightstotheoperationandmaintenancepersonnelofthisdatacenter.
Oncetheoperationandmaintenancepersonnelaretransferredorresigned,thepermissionsareimmediatelycleared.
Ifotherpersonnelwanttoenterthedatacenterduetobusinessneeds,theymustfirstapplyforitandobtainshort-termauthorizationafterbeingapprovedbythesupervisorsofallparties;eachtimetheyenterandexit,theyneedtoshowtheircredentialsandregister,andthedatacenteroperationandmaintenancepersonnelareaccompaniedthroughouttheprocess.
TheAlibabaClouddatacenterisdividedintoareassuchascomputerrooms,powerareas,andwarehouserooms.
Eachareahasanindependentaccesscontrolsystem.
Importantareasusetwo-factorauthenticationsuchasfingerprints.
Specificareasuseironcagesforphysicalisolation.
AlibabaCloudParkandtheofficeareaareequippedwithentrancecontrolandaseparatevisitorarea.
VisitorsmustwearIDswhentheyenterandexit,andareaccompaniedbyAlibabaCloudemployees.
EachareaoftheAlibabaClouddatacentercomputerroomisequippedwithasecuritymonitoringsystemthatcoversallareasandaisles,andisequippedwithpropertysecuritypatrols7*24hours.
AllvideosurveillanceanddocumentationwillbekeptforDatacenterSecurity:ControlsDCS-01throughDCS-09ControlIDinCCMConsensusAssessmentQuestionsYesNoN/ANotesinChineseNotesinEnglishDCS-09.
1:DatacenterSecurity-UserAccessDoyourestrictphysicalaccesstoinformationassetsandfunctionsbyusersandsupportpersonnelY是,阿里云数据中心仅向本数据中心运维人员授予长期访问权限,一旦运维人员转岗或离职,权限立即清除.
其他人员若因为业务需求要进入数据中心,必须先提出申请,经各方主管审批通过后才能获取短期授权;每次出入需要出示证件并进行登记,且数据中心运维人员全程陪同.
阿里云数据中心内部划分机房包间、测电区域、库房间等区域,各个区域拥有独立的门禁系统,重要区域采用指纹等双因素认证,特定区域采用铁笼进行物理隔离.
阿里云园区和办公区均设置入口管控并划分单独的访客区,访客出入必须佩戴证件,且由阿里云员工陪同.
阿里云数据中心机房各区域设有安防监控系统,监控范围覆盖所有区域和通道,配有物业保安7*24小时巡逻.
所有视频监控和文档记录均会长期保存,且由专人定期复核.
Yes,theAlibabaClouddatacenteronlygrantslong-termaccessrightstotheoperationandmaintenancepersonnelofthisdatacenter.
Oncetheoperationandmaintenancepersonnelaretransferredorresigned,thepermissionsareimmediatelycleared.
Ifotherpersonnelwanttoenterthedatacenterduetobusinessneeds,theymustfirstapplyforitandobtainshort-termauthorizationafterbeingapprovedbythesupervisorsofallparties;eachtimetheyenterandexit,theyneedtoshowtheircredentialsandregister,andthedatacenteroperationandmaintenancepersonnelareaccompaniedthroughouttheprocess.
TheAlibabaClouddatacenterisdividedintoareassuchascomputerrooms,powerareas,andwarehouserooms.
Eachareahasanindependentaccesscontrolsystem.
Importantareasusetwo-factorauthenticationsuchasfingerprints.
Specificareasuseironcagesforphysicalisolation.
AlibabaCloudParkandtheofficeareaareequippedwithentrancecontrolandaseparatevisitorarea.
VisitorsmustwearIDswhentheyenterandexit,andareaccompaniedbyAlibabaCloudemployees.
EachareaoftheAlibabaClouddatacentercomputerroomisequippedwithasecuritymonitoringsystemthatcoversallareasandaisles,andisequippedwithpropertysecuritypatrols7*24hours.
AllvideosurveillanceanddocumentationwillbekeptforEKM-01.
1:Encryption&KeyManagement-EntitlementDoyouhavekeymanagementpoliciesbindingkeystoidentifiableownersY是,阿里云已建立密钥管理的策略和要求.
Yes,AlibabaCloudhasestablishedpoliciesandrequirementsforkeymanagement.
EKM-02.
1:Encryption&KeyManagement-KeyGenerationDoyouhaveacapabilitytoallowcreationofuniqueencryptionkeyspertenantY是,阿里云云产品的存储加密功能支持使用托管给云产品的服务密钥作为主密钥实现.
当用户在一个地域第一次使用某一个云产品服务的数据加密功能时,该服务系统会为用户在密钥管理服务(KMS)中的使用地域自动创建一个专为该服务使用的用户主密钥(CustomerMasterKey,简称CMK).
本密钥会作为服务密钥且其生命周期是托管给云产品的.
用户可以通过在支持的云产品中选择自己创建或上传用户主密钥(CMK)到KMS中,并直接管理自选密钥的生命周期.
Yes,thestorageencryptionfunctionofAlibabaCloudproductssupportstheuseofservicekeyshostedtocloudproductsasthemasterkey.
Whenauserusesthedataencryptionfunctionofacertaincloudproductserviceforthefirsttimeinaregion,theservicesystemwillautomaticallycreateausersecretfortheregionwheretheuserusesthekeymanagementservice(KMS).
CustomerMasterKey(CMK).
Thiskeyactsasaservicekeyanditslifecycleishostedtothecloudproduct.
Userscanchoosetocreateoruploadausermasterkey(CMK)totheKMSbyselectingoneofthesupportedcloudproducts,anddirectlymanagethelifecycleoftheself-selectedkeyEKM-02.
2:Encryption&KeyManagement-KeyGenerationDoyouhaveacapabilitytomanageencryptionkeysonbehalfoftenantsY是,阿里云云产品的存储加密功能支持使用托管给云产品的服务密钥作为主密钥实现.
当用户在一个地域第一次使用某一个云产品服务的数据加密功能时,该服务系统会为用户在密钥管理服务(KMS)中的使用地域自动创建一个专为该服务使用的用户主密钥(CustomerMasterKey,简称CMK).
本密钥会作为服务密钥且其生命周期是托管给云产品的.
用户可以通过在支持的云产品中选择自己创建或上传用户主密钥(CMK)到KMS中,并直接管理自选密钥的生命周期.
Yes,thestorageencryptionfunctionofAlibabaCloudproductssupportstheuseofservicekeyshostedtocloudproductsasthemasterkey.
Whenauserusesthedataencryptionfunctionofacertaincloudproductserviceforthefirsttimeinaregion,theservicesystemwillautomaticallycreateausersecretfortheregionwheretheuserusesthekeymanagementservice(KMS).
CustomerMasterKey(CMK).
Thiskeyactsasaservicekeyanditslifecycleishostedtothecloudproduct.
Userscanchoosetocreateoruploadausermasterkey(CMK)totheKMSbyselectingoneofthesupportedcloudproducts,anddirectlymanagethelifecycleoftheself-selectedkeyEKM-02.
3:Encryption&KeyManagement-KeyGenerationDoyoumaintainkeymanagementproceduresY是,阿里云云产品的存储加密功能支持使用托管给云产品的服务密钥作为主密钥实现.
当用户在一个地域第一次使用某一个云产品服务的数据加密功能时,该服务系统会为用户在密钥管理服务(KMS)中的使用地域自动创建一个专为该服务使用的用户主密钥(CustomerMasterKey,简称CMK).
本密钥会作为服务密钥且其生命周期是托管给云产品的.
用户可以通过在支持的云产品中选择自己创建或上传用户主密钥(CMK)到KMS中,并直接管理自选密钥的生命周期.
Yes,thestorageencryptionfunctionofAlibabaCloudproductssupportstheuseofservicekeyshostedtocloudproductsasthemasterkey.
Whenauserusesthedataencryptionfunctionofacertaincloudproductserviceforthefirsttimeinaregion,theservicesystemwillautomaticallycreateausersecretfortheregionwheretheuserusesthekeymanagementservice(KMS).
CustomerMasterKey(CMK).
Thiskeyactsasaservicekeyanditslifecycleishostedtothecloudproduct.
Userscanchoosetocreateoruploadausermasterkey(CMK)totheKMSbyselectingoneofthesupportedcloudproducts,anddirectlymanagethelifecycleoftheself-selectedkeyEncryptionandKeyManagement:ControlsEKM-01throughEKM-04ControlIDinCCMConsensusAssessmentQuestionsYesNoN/ANotesinChineseNotesinEnglishEKM-02.
4:Encryption&KeyManagement-KeyGenerationDoyouhavedocumentedownershipforeachstageofthelifecycleofencryptionkeysY是,阿里云云产品的存储加密功能支持使用托管给云产品的服务密钥作为主密钥实现.
当用户在一个地域第一次使用某一个云产品服务的数据加密功能时,该服务系统会为用户在密钥管理服务(KMS)中的使用地域自动创建一个专为该服务使用的用户主密钥(CustomerMasterKey,简称CMK).
本密钥会作为服务密钥且其生命周期是托管给云产品的.
用户可以通过在支持的云产品中选择自己创建或上传用户主密钥(CMK)到KMS中,并直接管理自选密钥的生命周期.
Yes,thestorageencryptionfunctionofAlibabaCloudproductssupportstheuseofservicekeyshostedtocloudproductsasthemasterkey.
Whenauserusesthedataencryptionfunctionofacertaincloudproductserviceforthefirsttimeinaregion,theservicesystemwillautomaticallycreateausersecretfortheregionwheretheuserusesthekeymanagementservice(KMS).
CustomerMasterKey(CMK).
Thiskeyactsasaservicekeyanditslifecycleishostedtothecloudproduct.
Userscanchoosetocreateoruploadausermasterkey(CMK)totheKMSbyselectingoneofthesupportedcloudproducts,anddirectlymanagethelifecycleoftheself-selectedkeyEKM-02.
5:Encryption&KeyManagement-KeyGenerationDoyouutilizeanythirdparty/opensource/proprietaryframeworkstomanageencryptionkeysY是,阿里云的KMS服务支持用户将密钥托管在硬件安全模块(HardwareSecurityModule,HSM)之中,并可利用HSM进行密码运算和安全托管等功能.
各市场分别符合市场认可的密码合规标准,阿里云的密钥管理服务的系统机制,包含其使用的HSM,也符合PCI-DSS合规.
Yes,AlibabaCloud'sKMSserviceallowsuserstohostkeysinaHardwareSecurityModule(HSM),andcanuseHSMforcryptographicoperationsandsecureescrowfunctions.
Eachmarketmeetsthemarket-recognizedpasswordcompliancestandards,andthesystemmechanismofAlibabaCloud'skeymanagementservice,includingtheHSMsituses,alsocomplywithPCI-DSScompliance.
EKM-03.
1:Encryption&KeyManagement-SensitiveDataProtectionDoyouencrypttenantdataatrest(ondisk/storage)withinyourenvironmentY是,阿里云为客户提供了云产品落盘存储加密能力给用户,并统一使用阿里云密钥管理服务(KeyManagementService,简称KMS)进行密钥管理.
阿里云的存储加密提供256位密钥的存储加密强度(AES256),满足敏感数据的加密存储需求.
如EBS、OSS、RDS、TableStore、NAS、Maxcompute,详见阿里云安全白皮书.
Yes,AlibabaCloudprovidescustomerswithcloudstorageencryptioncapabilitiesforusers,andusesAlibabaCloudKeyManagementService(KMS)forkeymanagement.
AlibabaCloud'sstorageencryptionprovidesastorageencryptionstrengthof256-bitkeys(AES256)tomeettheencryptedstorageneedsofsensitivedata.
SuchasEBS,OSS,RDS,TableStore,NAS,Maxcompute,seeAlibabaCloudSecurityWhitePaperfordetails.
EKM-03.
2:Encryption&KeyManagement-SensitiveDataProtectionDoyouleverageencryptiontoprotectdataandvirtualmachineimagesduringtransportacrossandbetweennetworksandhypervisorinstancesY是,用户如果通过阿里云控制台操作,阿里云控制台会使用HTTPS进行数据传输.
所有的阿里云产品都为客户提供了支持HTTPS的API访问点,并提供高达256位密钥的传输加密强度.
Yes,ifusersoperatethroughAlibabaCloudconsole,AlibabaCloudconsolewilluseHTTPSfordatatransmission.
AllAlibabaCloudproductsprovidecustomerswithAPIaccesspointsthatsupportHTTPS,andprovidetransmissionencryptionstrengthofupto256-bitkeys.
EKM-03.
3:Encryption&KeyManagement-SensitiveDataProtectionDoyousupporttenant-generatedencryptionkeysorpermittenantstoencryptdatatoanidentitywithoutaccesstoapublickeycertificate(e.
g.
,identity-basedencryption)Y是,用户可以通过在支持的云产品中选择自己创建或上传用户主密钥(CMK)到KMS中,并直接管理自选密钥的生命周期.
通过RAM的授权后,自选密钥也可用于云产品的数据加密功能,并赋能用户更多的安全能力.
Yes,userscanchoosetocreateoruploadaCustomerMasterKey(CMK)totheKMSbychoosingamongthesupportedcloudproducts,anddirectlymanagethelifecycleoftheself-selectedkey.
AfterbeingauthorizedbytheRAM,theoptionalkeycanalsobeusedforthedataencryptionfunctionofcloudproductsandempoweruserswithmoresecuritycapabilities.
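As an added illustration (not Alibaba Cloud code and not part of the questionnaire), the following Python model captures the ownership split described in EKM-02.1 through EKM-02.4 and EKM-03.3: a service CMK created once per region per product on first use, a customer CMK whose lifecycle only the tenant controls, and a RAM-style grant that must exist before a product may use the customer key. All class and method names, the key-id format and the sample regions are assumptions.

```python
"""Toy model of service-managed vs. customer-managed CMKs.

Constructed illustration only: KeyStore, Cmk, grant() and can_use() are
hypothetical names, not an Alibaba Cloud KMS API. Key material is generated
locally here; a real KMS keeps it inside the HSM and never returns it.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple
import secrets


@dataclass
class Cmk:
    key_id: str
    region: str
    owner: str                 # "service:<product>" or "customer:<account>"
    enabled: bool = True
    # constructed 256-bit key material (placeholder for HSM-resident material)
    material: bytes = field(default_factory=lambda: secrets.token_bytes(32))


class KeyStore:
    """Per-region key registry plus product-to-key grants."""

    def __init__(self) -> None:
        self._keys: Dict[str, Cmk] = {}
        self._grants: Set[Tuple[str, str]] = set()   # (product, key_id)

    def service_cmk(self, region: str, product: str) -> Cmk:
        """Return the product's service CMK for this region, creating it on
        first use: exactly one per (region, product), lifecycle owned by the
        product, which is therefore always allowed to use it."""
        owner = f"service:{product}"
        for cmk in self._keys.values():
            if cmk.region == region and cmk.owner == owner:
                return cmk
        cmk = Cmk(key_id=f"svc-{product}-{region}-{secrets.token_hex(4)}",
                  region=region, owner=owner)
        self._keys[cmk.key_id] = cmk
        self._grants.add((product, cmk.key_id))
        return cmk

    def import_customer_cmk(self, region: str, account: str,
                            material: bytes) -> Cmk:
        """Tenant-supplied key (BYOK). Only the tenant drives its lifecycle,
        and no product may use it until the tenant grants access."""
        if len(material) != 32:
            raise ValueError("expected 256-bit key material")
        cmk = Cmk(key_id=f"cust-{account}-{secrets.token_hex(4)}",
                  region=region, owner=f"customer:{account}", material=material)
        self._keys[cmk.key_id] = cmk
        return cmk

    def set_enabled(self, key_id: str, actor: str, enabled: bool) -> None:
        """Lifecycle action; rejected unless the actor owns the key."""
        cmk = self._keys[key_id]
        if cmk.owner != actor:
            raise PermissionError(f"{actor} does not own {key_id}")
        cmk.enabled = enabled

    def grant(self, account: str, product: str, key_id: str) -> None:
        """RAM-style authorization: the owning account lets a product use
        its customer-managed key for data encryption."""
        cmk = self._keys[key_id]
        if cmk.owner != f"customer:{account}":
            raise PermissionError("only the key owner can grant it")
        self._grants.add((product, key_id))

    def can_use(self, product: str, key_id: str,
                region: str) -> Tuple[bool, str]:
        """Decide whether a product may protect data under key_id right now.
        Disabling a customer key blocks the product even though a grant
        exists: the tenant keeps the kill switch."""
        cmk = self._keys.get(key_id)
        if cmk is None:
            return False, "unknown key"
        if cmk.region != region:
            return False, "key belongs to another region"
        if not cmk.enabled:
            return False, "key disabled"
        if (product, key_id) not in self._grants:
            return False, "no grant for this product"
        return True, "ok"
```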
EKM-03.
4:Encryption&KeyManagement-SensitiveDataProtectionDoyouhavedocumentationestablishinganddefiningyourencryptionmanagementpolicies,proceduresandguidelinesY是,阿里云依循相关国际标准(如ISO27001/CSA-STAR等)建立加密管理机制,包含创建、使用、汰换等,可通过SOC2/3报告查看相关信息Yes,AlibabaCloudestablishesencryptionmanagementmechanismsinaccordancewithrelevantinternationalstandards(suchasISO27001/CSA-STAR,etc.
),includingcreation,use,andreplacement.
YoucanviewrelatedinformationthroughtheSOC2/3reportEKM-04.
1:Encryption&KeyManagement-StorageandAccessDoyouhaveplatformanddataappropriateencryptionthatusesopen/validatedformatsandstandardalgorithmsY是,阿里云的加密服务全面支持国产算法以及部分国际通用密码算法,满足用户各种加密算法需求.
对称密码算法:支持SM1、SM4、DES、3DES、AES;非对称密码算法:支持SM2、RSA(1024-2048);摘要算法:支持SM3、SHA1、SHA256、SHA384.
Yes,AlibabaCloud'sencryptionservicesfullysupportdomesticalgorithmsandsomeinternationalcommoncryptographicalgorithmstomeetusers'variousencryptionalgorithmneeds.
Symmetriccipheralgorithm:supportSM1,SM4,DES,3DES,AES;asymmetriccipheralgorithm:supportSM2,RSA(1024-2048);digestalgorithm:supportSM3,SHA1,SHA256,SHA384.
EKM-04.
2:Encryption&KeyManagement-StorageandAccessAreyourencryptionkeysmaintainedbythecloudconsumeroratrustedkeymanagementproviderY是,阿里云负责维护自己的加密密钥,同时客户需要负责维护自己的加密密钥Yes,AlibabaCloudisresponsibleformaintainingitsownencryptionkeys,andcustomersareresponsibleformaintainingtheirownencryptionkeysEKM-04.
3:Encryption&KeyManagement-StorageandAccessDoyoustoreencryptionkeysinthecloudY是,阿里云将自己的秘钥存储在生产环境中.
Yes,AlibabaCloudstoresitsownkeysinaproductionenvironment.
ControlIDinCCMConsensusAssessmentQuestionsYesNoN/ANotesinChineseNotesinEnglishEKM-04.
4:Encryption&KeyManagement-StorageandAccessDoyouhaveseparatekeymanagementandkeyusagedutiesY是,阿里云的密钥管理系统独立于密钥使用的业务.
Yes,AlibabaCloud'skeymanagementsystemisisolatedfromthekeyusebusiness.
GRM-01.
1:GovernanceandRiskManagement-BaselineRequirementsDoyouhavedocumentedinformationsecuritybaselinesforeverycomponentofyourinfrastructure(e.
g.
,hypervisors,operatingsystems,routers,DNSservers,etc.
)Y是,阿里云于内部规范已有制定安全基线,针对物理、虚拟及相关元件皆有不同的安全基线要求Yes,AlibabaCloudhasestablishedasecuritybaselineinitsinternalrequirements.
Therearedifferentsecuritybaselinerequirementsforphysical,virtual,andrelatedcomponents.
GRM-01.
2:GovernanceandRiskManagement-BaselineRequirementsDoyouhaveacapabilitytocontinuouslymonitorandreportthecomplianceofyourinfrastructureagainstyourinformationsecuritybaselinesY是,阿里云通过系统的方式监测相关安全基线的配置与运行状况Yes,AlibabaCloudmonitorstheconfigurationandoperatingstatusofrelevantsecuritybaselinesinasystematicwayGRM-01.
3:GovernanceandRiskManagement-BaselineRequirementsDoyouallowyourclientstoprovidetheirowntrustedvirtualmachineimagetoensureconformancetotheirowninternalstandardsY是,阿里云提供客户创建或导入自定义镜像的能力Yes,AlibabaCloudprovidescustomerswiththeabilitytocreateorimportcustomimagesGRM-02.
1:GovernanceandRiskManagement-DataFocusRiskAssessmentsDoyouprovidesecuritycontrolhealthdatainordertoallowtenantstoimplementindustrystandardContinuousMonitoring(whichallowscontinualtenantvalidationofyourphysicalandlogicalcontrolstatus)Y是,阿里云提供了云监控产品,让客户可以通过可视化的方式查看资源运行状况Yes,AlibabaCloudprovidescloudmonitoringproducts,allowingcustomerstovisuallychecktheresourceoperationstatusGRM-02.
2:GovernanceandRiskManagement-DataFocusRiskAssessmentsDoyouconductriskassessmentsassociatedwithdatagovernancerequirementsatleastonceayearY是,阿里云依循相关国际标准(如ISO9001/27001/27017/27018等)建立风险评估流程,并且通过三方的审计确认Yes,AlibabaCloudestablishesariskassessmentprocessinaccordancewithrelevantinternationalstandards(suchasISO9001/27001/27017/27018,etc.
)andhasbeenconfirmedbythird-partyauditsGRM-03.
1:GovernanceandRiskManagement-ManagementOversightAreyourtechnical,business,andexecutivemanagersresponsibleformaintainingawarenessofandcompliancewithsecuritypolicies,procedures,andstandardsforboththemselvesandtheiremployeesastheypertaintothemanagerandemployees'areaofresponsibilityY是,阿里云的管理层与相应的权责团队会依照频率要求定期审阅信息安全相应的文档,确保文档的适用与可操作性Yes,AlibabaCloud'smanagementandthecorrespondingrightsandresponsibilitiesteamwillregularlyreviewtheinformationsecuritycorrespondingdocumentsaccordingtothefrequencyrequirementstoensuretheapplicationandoperabilityofthedocumentsGRM-04.
1:GovernanceandRiskManagement-ManagementProgramDoyouprovidetenantswithdocumentationdescribingyourInformationSecurityManagementProgram(ISMP)Y是,阿里云提供三方审计报告以及相关认证信息,并且持续遵循ISO27001维护相应文档Yes,AlibabaCloudprovidesthird-partyauditreportsandrelatedcertificationinformation,andcontinuestofollowISO27001tomaintaincorrespondingdocumentsGRM-04.
2:GovernanceandRiskManagement-ManagementProgramDoyoureviewyourInformationSecurityManagementProgram(ISMP)leastonceayearY是,阿里云依循相关国际标准(如ISO27001)建立信息安全管理体系,且至少每年审阅一次Yes,AlibabaCloudestablishesaninformationsecuritymanagementsysteminaccordancewithrelevantinternationalstandards(suchasISO27001),andreviewsitatleastonceayearGRM-05.
1:GovernanceandRiskManagement-ManagementSupport/InvolvementDoyouensureyourprovidersadheretoyourinformationsecurityandprivacypoliciesY是,阿里云在供应商管理流程内已纳入安全与隐私相关的要求,且在双方的合同内纳入相应管理要求,确保供应商必须遵循相关的要求Yes,AlibabaCloudhasincludedsecurityandprivacyrelatedrequirementsinthesuppliermanagementprocess,andincludedthecorrespondingmanagementrequirementsinthecontractbetweenthetwopartiestoensurethatthesuppliermustcomplywiththerelevantrequirementsGRM-06.
1:GovernanceandRiskManagement-PolicyDoyourinformationsecurityandprivacypoliciesalignwithindustrystandards(ISO-27001,ISO-22307,CoBIT,etc.
)Y是,阿里云依循相关国际标准(ISO27001/27017/27018/27701等)建立信息安全与隐私管理体系Yes,AlibabaCloudestablishesaninformationsecurityandprivacymanagementsysteminaccordancewithrelevantinternationalstandards(ISO27001/27017/27018/27701,etc.
)GRM-06.
2:GovernanceandRiskManagement-PolicyDoyouhaveagreementstoensureyourprovidersadheretoyourinformationsecurityandprivacypoliciesY是,阿里云在供应商管理流程内已纳入安全与隐私相关的要求,且在双方的合同内纳入相应管理要求,确保供应商必须遵循相关的要求Yes,AlibabaCloudhasincludedsecurityandprivacyrelatedrequirementsinthesuppliermanagementprocess,andincludedthecorrespondingmanagementrequirementsinthecontractbetweenthetwopartiestoensurethatthesuppliermustcomplywiththerelevantrequirementsGRM-06.
3:GovernanceandRiskManagement-PolicyCanyouprovideevidenceofduediligencemappingofyourcontrols,architectureandprocessestoregulationsand/orstandardsY是,阿里云提供SOC2/3报告作为内部控制与AICPATSC标准的映射信息Yes,AlibabaCloudprovidesSOC2/3reportasmappinginformationbetweeninternalcontrolandAICPATSCstandardGRM-06.
4:GovernanceandRiskManagement-PolicyDoyoudisclosewhichcontrols,standards,certificationsand/orregulationsyoucomplywithY是,阿里云持续完成多个国际标准、行业认证的要求,并展示于阿里云信任中心Yes,AlibabaCloudhascontinuouslycompletedmultipleinternationalstandardsandindustrycertificationrequirements,anddisplayeditatAlibabaCloudTrustCenterGRM-07.
1:GovernanceandRiskManagement-PolicyEnforcementIsaformaldisciplinaryorsanctionpolicyestablishedforemployeeswhohaveviolatedsecuritypoliciesandproceduresY是,阿里云在员工管理的举措中,包含对于人员行为规范与安全红线的处置方式Yes,AlibabaCloud'smeasuresforemployeemanagementincludethedisposalofpersonnelbehaviorstandardsandsafetyredlinesGovernanceandRiskManagement:ControlsGRM-01throughGRM-11ControlIDinCCMConsensusAssessmentQuestionsYesNoN/ANotesinChineseNotesinEnglishGRM-07.
2:GovernanceandRiskManagement-PolicyEnforcementAreemployeesmadeawareofwhatactionscouldbetakenintheeventofaviolationviatheirpoliciesandproceduresY是,所有员工在入职时,都必须完成员工管理相关的守则阅读与确认Yes,allemployeesmustcompletetherelevantemployeemanagementcodeofconductreadingandconfirmationuponentryGRM-08.
1:GovernanceandRiskManagement-PolicyImpactonRiskAssessmentsDoriskassessmentresultsincludeupdatestosecuritypolicies,procedures,standardsandcontrolstoensuretheyremainrelevantandeffectiveY是,阿里云依循相关国际标准(如ISO9001/27001/27017/27018等)建立风险评估流程,并且将风险评估结果纳入体系持续优化的输入Yes,AlibabaCloudestablishesariskassessmentprocessinaccordancewithrelevantinternationalstandards(suchasISO9001/27001/27017/27018,etc.
),andincorporatestheriskassessmentresultsintotheinputofthesystem'scontinuousoptimizationGRM-09.
1:GovernanceandRiskManagement-PolicyDoyounotifyyourtenantswhenyoumakematerialchangestoyourinformationsecurityand/orprivacypoliciesY是,虽信息安全相关管理体系属于阿里云内部信息,但若有影响客户时,也会同步于安全白皮书内更新Yes,althoughtheinformationsecurityrelatedmanagementsystembelongstoAlibabaCloudinternalinformation,ifitaffectscustomers,itwillalsobeupdatedinthesecuritywhitepaper.
GRM-09.
2:GovernanceandRiskManagement-PolicyDoyouperform,atminimum,annualreviewstoyourprivacyandsecuritypoliciesY是,阿里云依循相关国际标准(如ISO27001)建立信息安全管理体系,且至少每年审阅一次Yes,AlibabaCloudestablishesaninformationsecuritymanagementsysteminaccordancewithrelevantinternationalstandards(suchasISO27001),andreviewsitatleastonceayearGRM-10.
1:GovernanceandRiskManagement-RiskAssessmentsAreformalriskassessmentsalignedwiththeenterprise-wideframeworkandperformedatleastannually,oratplannedintervals,determiningthelikelihoodandimpactofallidentifiedrisks,usingqualitativeandquantitativemethodsY是,阿里云依循相关国际标准(如ISO9001/27001/27017/27018等)建立风险评估流程,并且通过三方的审计确认Yes,AlibabaCloudestablishesariskassessmentprocessinaccordancewithrelevantinternationalstandards(suchasISO9001/27001/27017/27018,etc.
)andhasbeenconfirmedbythird-partyauditsGRM-10.
2:GovernanceandRiskManagement-RiskAssessmentsIsthelikelihoodandimpactassociatedwithinherentandresidualriskdeterminedindependently,consideringallriskcategories(e.
g.
,auditresults,threatandvulnerabilityanalysis,andregulatorycompliance)Y是,阿里云依循相关国际标准(如ISO9001/27001/27017/27018等)建立风险评估流程,并且通过三方的审计确认Yes,AlibabaCloudestablishesariskassessmentprocessinaccordancewithrelevantinternationalstandards(suchasISO9001/27001/27017/27018,etc.
)andhasbeenconfirmedbythird-partyauditsGRM-11.
1:GovernanceandRiskManagement-ManagementFrameworkDoyouhaveadocumented,organization-wideprograminplcaetomanageriskY是,阿里云依循相关国际标准(如ISO9001/27001/27017/27018等)建立风险评估流程,并记录与跟进相关的风险处置方案Yes,AlibabaCloudestablishesariskassessmentprocessinaccordancewithrelevantinternationalstandards(suchasISO9001/27001/27017/27018,etc.
)andhasbeenconfirmedbythird-partyauditsGRM-11.
2:GovernanceandRiskManagement-ManagementFrameworkDoyoumakeavailabledocumentationofyourorganization-wideriskmanagementprogramY是,阿里云依循相关国际标准(如ISO9001/27001/27017/27018等)建立风险评估流程,并记录与跟进相关的风险处置方案Yes,AlibabaCloudestablishesariskassessmentprocessinaccordancewithrelevantinternationalstandards(suchasISO9001/27001/27017/27018,etc.
)andhasbeenconfirmedbythird-partyauditsHRS-01.
1:HumanResources-AssetReturnsAresystemsinplacetomonitorforprivacybreachesandnotifytenantsexpeditiouslyifaprivacyeventmayhaveimpactedtheirdataY是,阿里云建立了隐私泄露的应急响应流程,当涉及客户的隐私泄漏时将向客户明确告知.
Yes,AlibabaCloudhasestablishedanemergencyresponseprocessforprivacybreach,andwillclearlyinformcustomerswhenitinvolvescustomerprivacybreach.
HRS-01.
2:HumanResources-AssetReturnsIsyourPrivacyPolicyalignedwithindustrystandardsY是,阿里云的隐私权政策符合行业相关标准,目前阿里云已经获得了隐私领域的ISO27701/27018/29151和BS10012认证.
Yes,AlibabaCloud'sprivacypolicycomplieswithrelevantindustrystandards.
Atpresent,AlibabaCloudhasobtainedISO27701/27018/29151andBS10012certificationsinthefieldofprivacy.
HRS-02.
1:HumanResources-BackgroundScreeningPursuanttolocallaws,regulations,ethicsandcontractualconstraints,areallemploymentcandidates,contractorsandinvolvedthirdpartiessubjecttobackgroundverificationY是,阿里云会依据行业最佳实践开展对员工及第三方的背景调查.
Yes,AlibabaCloudconductsbackgroundchecksonemployeesandthirdpartiesbasedonindustrybestpractices.
HRS-03.
1:HumanResources-EmploymentAgreementsDoyouspecificallytrainyouremployeesregardingtheirspecificroleandtheinformationsecuritycontrolstheymustfulfillY是,阿里云针对员工整体的安全意识及职业技能均会展开定期的培训.
Yes,AlibabaCloudconductsregulartrainingforemployees'overallsecurityawarenessandprofessionalskills.
HRS-03.
2:HumanResources-EmploymentAgreementsDoyoudocumentemployeeacknowledgmentoftrainingtheyhavecompletedY是,阿里云开展的员工培训均会有相关的培训记录或考试记录.
Yes,allemployeetrainingconductedbyAlibabaCloudwillhaverelatedtrainingrecordsorexaminationrecords.
HRS-03.
3:HumanResources-EmploymentAgreementsAreallpersonnelrequiredtosignNDAorConfidentialityAgreementsasaconditionofemploymenttoprotectcustomer/tenantinformationY是,阿里云所有的员工入职均需签署标准模板的保密协议.
Yes,allemployeesofAlibabaCloudmustsignanon-disclosureagreementwithastandardtemplateforentry.
HRS-03.
4:HumanResources-EmploymentAgreementsIssuccessfulandtimedcompletionofthetrainingprogramconsideredaprerequisiteforacquiringandmaintainingaccesstosensitivesystemsY是,阿里云将新员工入职培训及年度的培训作为每个员工必须完成的工作任务.
Yes,AlibabaCloudtakesnewemployeeinductiontrainingandannualtrainingasataskthateachemployeemustcomplete.
HRS-03.
5:HumanResources-EmploymentAgreementsArepersonneltrainedandprovidedwithawarenessprogramsatleastonceayearY是,阿里云每年都会启动对员工的安全意识培训.
Yes,AlibabaCloudlaunchessecurityawarenesstrainingforemployeeseveryyear.
HRS-04.
1:HumanResources-EmploymentTerminationAredocumentedpolicies,proceduresandguidelinesinplacetogovernchangeinemploymentand/orterminationY是,阿里云建立了员工入职、装转岗和离职的管控流程,将员工的账号权限管理与HR流程自动化打通.
Yes,AlibabaCloudhasestablishedmanagementandcontrolproceduresforemployees'on-boarding,transfer,andresignationtoautomatethemanagementofemployeeaccountrightsandHRprocesses.
HRS-04.
2:HumanResources-EmploymentTerminationDotheaboveproceduresandguidelinesaccountfortimelyrevocationofaccessandreturnofassetsY是,阿里云建立了员工入职、装转岗和离职的管控流程,将员工的账号权限管理与HR流程自动化打通.
Yes,AlibabaCloudhasestablishedmanagementandcontrolproceduresforemployees'on-boarding,transfer,andresignationtoautomatethemanagementofemployeeaccountrightsandHRprocesses.
HumanResources:ControlsHRS-01throughHRS-11ControlIDinCCMConsensusAssessmentQuestionsYesNoN/ANotesinChineseNotesinEnglishHRS-05.
1:HumanResources-MobileDeviceManagementArepoliciesandproceduresestablishedandmeasuresimplementedtostrictlylimitaccesstoyoursensitivedataandtenantdatafromportableandmobiledevices(e.
g.
,laptops,cellphonesandpersonaldigitalassistants(PDAs)),whicharegenerallyhigher-riskthannon-portabledevices(e.
g.
,desktopcomputersattheproviderorganization'sfacilities)Y是,阿里云严格管控员工工作中终端设备安全,非授权设备不可进入办公内网.
阿里云不会在未授权状况下触碰用户数据.
Yes,AlibabaCloudstrictlycontrolsthesecurityofterminalequipmentduringemployees'work.
Unauthorizedequipmentcannotentertheofficeintranet.
AlibabaCloudwillnotaccessuserdatawithoutauthorization.
HRS-06.
1:HumanResources-Non-DisclosureAgreementsArerequirementsfornon-disclosureorconfidentialityagreementsreflectingtheorganization'sneedsfortheprotectionofdataandoperationaldetailsidentified,documentedandreviewedatplannedintervalsY是,阿里云会定期审阅保密协议文件以保证适应业务的需求.
Yes,AlibabaCloudregularlyreviewstheconfidentialityagreementdocumentstoensurethattheymeettheneedsofthebusiness.
HRS-07.
1:HumanResources-Roles/ResponsibilitiesDoyouprovidetenantswitharoledefinitiondocumentclarifyingyouradministrativeresponsibilitiesversusthoseofthetenantY是的,阿里云的安全白皮书中明确说明了与客户的安全管理责任.
https://security.
aliyun.
com/trustYes,AlibabaCloud'ssecuritywhitepaperclearlystatesthesecuritymanagementresponsibilitieswithcustomers.
https://www.
alibabacloud.
com/trust-centerHRS-08.
1:HumanResources-TechnologyAcceptableUseDoyouprovidedocumentationregardinghowyoumayoraccesstenantdataandmetadataY是,阿里云内部建立了访问控制的相关流程机制,遵循最小化原则来进行权限的管控;客户管控对其数据的访问控制,且阿里云不会未授权状况下触碰用户数据.
.
阿里云整体已通过第三方的ISO27001和ISO27018的认证.
Yes,AlibabaCloudhasestablishedarelatedprocessmechanismforaccesscontrol,whichcontrolspermissionsbasedontheprincipleofminimization;customerscontrolaccesstotheirdata,andAlibabaClouddoesnotaccessuserdataunderunauthorizedconditions.
.
AlibabaCloudhaspassedISO27001andISO27018certificationsbythirdparties.
HRS-08.
2:HumanResources-TechnologyAcceptableUseDoyoucollectorcreatemetadataabouttenantdatausagethroughinspectiontechnologies(searchengines,etc.
)NA不适用,阿里云不通过这种方式采集数据.
Notapplicable,AlibabaClouddoesnotcollectdatainthisway.
HRS-08.
3:HumanResources-TechnologyAcceptableUseDoyouallowtenantstooptoutofhavingtheirdata/metadataaccessedviainspectiontechnologiesNA不适用,阿里云不通过这种方式采集数据.
Notapplicable,AlibabaClouddoesnotcollectdatainthisway.
HRS-09.1: Human Resources - Training/Awareness
Question: Do you provide a formal, role-based security awareness training program for cloud-related access and data management issues (e.g., multi-tenancy, nationality, cloud delivery model, segregation of duties implications and conflicts of interest) for all persons with access to tenant data?
Answer: Yes. Alibaba Cloud conducts regular security awareness training and examinations for all employees.

HRS-09.2: Human Resources - Training/Awareness
Question: Are administrators and data stewards properly educated on their legal responsibilities with regard to security and data integrity?
Answer: Yes. Alibaba Cloud conducts regular security awareness training and examinations for all employees.

HRS-10.1: Human Resources - User Responsibility
Question: Are users made aware of their responsibilities for maintaining awareness of and compliance with published security policies, procedures, standards and applicable regulatory requirements?
Answer: Yes. Alibaba Cloud conducts regular security awareness training and examinations for all employees.

HRS-10.2: Human Resources - User Responsibility
Question: Are users made aware of their responsibilities for maintaining a safe and secure working environment?
Answer: Yes. Alibaba Cloud conducts regular security awareness training and examinations for all employees.

HRS-10.3: Human Resources - User Responsibility
Question: Are users made aware of their responsibilities for leaving unattended equipment in a secure manner?
Answer: Yes. Alibaba Cloud conducts regular security awareness training and examinations for all employees.

HRS-11.1: Human Resources - Workspace
Question: Do your data management policies and procedures address tenant and service-level conflicts of interest?
Answer: Yes. Alibaba Cloud has established a data security management system in accordance with relevant international standards (such as ISO 27001, ISO 27017 and ISO 27018) and has passed third-party certification.

HRS-11.2: Human Resources - Workspace
Question: Do your data management policies and procedures include a tamper audit or software integrity function for unauthorized access to tenant data?
Answer: Yes. Alibaba Cloud has established a data security management system in accordance with relevant international standards (such as ISO 27001, ISO 27017 and ISO 27018) and has passed third-party certification.

HRS-11.3: Human Resources - Workspace
Question: Does the virtual machine management infrastructure include a tamper audit or software integrity function to detect changes to the build/configuration of the virtual machine?
Answer: Yes. Alibaba Cloud supports escape detection at the virtual machine level.
Identity and Access Management: Controls IAM-01 through IAM-13

IAM-01.1: Identity & Access Management - Audit Tools Access
Question: Do you restrict, log and monitor access to your information security management systems (e.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)?
Answer: Yes. Alibaba Cloud has established access control management processes in accordance with relevant international standards (such as ISO 27001) to ensure that access rights are kept to the minimum needed; automated access control mechanisms ensure that rights are revoked or frozen in a timely manner, and the relevant logs are retained for investigation.

IAM-01.2: Identity & Access Management - Audit Tools Access
Question: Do you monitor and log privileged access (administrator level) to information security management systems?
Answer: Yes. Alibaba Cloud has established access control management processes in accordance with relevant international standards (such as ISO 27001) to ensure that access rights are kept to the minimum needed; automated access control mechanisms ensure that rights are revoked or frozen in a timely manner, and the relevant logs are retained for investigation.

IAM-02.1: Identity & Access Management - Credential Lifecycle/Provision Management
Question: Do you have controls in place ensuring timely removal of systems access that is no longer required for business purposes?
Answer: Yes. Alibaba Cloud has established access control management processes in accordance with relevant international standards (such as ISO 27001) to ensure that access rights are kept to the minimum needed; automated access control mechanisms ensure that rights are revoked or frozen in a timely manner, and the relevant logs are retained for investigation.

IAM-02.2: Identity & Access Management - Credential Lifecycle/Provision Management
Question: Do you provide metrics to track the speed with which you are able to remove systems access that is no longer required for business purposes?
Answer: Yes. Alibaba Cloud has established access control management processes in accordance with relevant international standards (such as ISO 27001) to ensure that access rights are kept to the minimum needed; automated access control mechanisms ensure that rights are revoked or frozen in a timely manner, and the relevant logs are retained for investigation.

IAM-03.1: Identity & Access Management - Diagnostic/Configuration Ports Access
Question: Do you use dedicated secure networks to provide management access to your cloud service infrastructure?
Answer: Yes. Alibaba Cloud's production environment, operations and maintenance environment and office environment are all separated from one another by network isolation mechanisms.

IAM-04.1: Identity & Access Management - Policies and Procedures
Question: Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access?
Answer: Yes. Alibaba Cloud has established a centralized access management system.

IAM-04.2: Identity & Access Management - Policies and Procedures
Question: Do you manage and store the user identity of all personnel who have network access, including their level of access?
Answer: Yes. Alibaba Cloud has established a centralized access management system.

IAM-05.1: Identity & Access Management - Segregation of Duties
Question: Do you provide tenants with documentation on how you maintain segregation of duties within your cloud service offering?
Answer: Yes. The corresponding information is described in Alibaba Cloud's security whitepaper and in its SOC 2/3 audit reports.

IAM-06.1: Identity & Access Management - Source Code Access Restriction
Question: Are controls in place to prevent unauthorized access to your application, program or object source code, and assure it is restricted to authorized personnel only?
Answer: Yes. Alibaba Cloud has established access control management processes in accordance with relevant international standards (such as ISO 27001) to ensure that access rights are kept to the minimum needed; automated access control mechanisms ensure that rights are revoked or frozen in a timely manner, and the relevant logs are retained for investigation.

IAM-06.2: Identity & Access Management - Source Code Access Restriction
Question: Are controls in place to prevent unauthorized access to tenant application, program or object source code, and assure it is restricted to authorized personnel only?
Answer: Yes. Alibaba Cloud has established access control management processes in accordance with relevant international standards (such as ISO 27001) to ensure that access rights are kept to the minimum needed; automated access control mechanisms ensure that rights are revoked or frozen in a timely manner, and the relevant logs are retained for investigation.

IAM-07.1: Identity & Access Management - Third Party Access
Question: Do you provide multi-failure disaster recovery capability?
Answer: Yes. Alibaba Cloud has established a business continuity management mechanism in accordance with relevant international standards (ISO 27001, ISO 22301, etc.). Alibaba Cloud also offers customers a choice of multiple Availability Zones and supports deploying resources across multiple locations to keep services running continuously.

IAM-07.2: Identity & Access Management - Third Party Access
Question: Do you monitor service continuity with upstream providers in the event of provider failure?
Answer: Yes. Alibaba Cloud has established a business continuity management mechanism in accordance with relevant international standards (ISO 27001, ISO 22301, etc.). Alibaba Cloud also offers customers a choice of multiple Availability Zones and supports deploying resources across multiple locations to keep services running continuously.

IAM-07.3: Identity & Access Management - Third Party Access
Question: Do you have more than one provider for each service you depend on?
Answer: Yes. Alibaba Cloud has established a business continuity management mechanism in accordance with relevant international standards (ISO 27001, ISO 22301, etc.). Alibaba Cloud also offers customers a choice of multiple Availability Zones and supports deploying resources across multiple locations to keep services running continuously.

IAM-07.4: Identity & Access Management - Third Party Access
Question: Do you provide access to operational redundancy and continuity summaries, including the services you depend on?
Answer: Yes. Alibaba Cloud has established a business continuity management mechanism in accordance with relevant international standards (ISO 27001, ISO 22301, etc.). Alibaba Cloud also offers customers a choice of multiple Availability Zones and supports deploying resources across multiple locations to keep services running continuously.

IAM-07.5: Identity & Access Management - Third Party Access
Question: Do you provide the tenant the ability to declare a disaster?
Answer: Yes. Alibaba Cloud has established a business continuity management mechanism in accordance with relevant international standards (ISO 27001, ISO 22301, etc.). Alibaba Cloud also offers customers a choice of multiple Availability Zones and supports deploying resources across multiple locations to keep services running continuously.

IAM-07.6: Identity & Access Management - Third Party Access
Question: Do you provide a tenant-triggered failover option?
Answer: Yes. Alibaba Cloud has established a business continuity management mechanism in accordance with relevant international standards (ISO 27001, ISO 22301, etc.). Alibaba Cloud also offers customers a choice of multiple Availability Zones and supports deploying resources across multiple locations to keep services running continuously.

IAM-07.7: Identity & Access Management - Third Party Access
Question: Do you share your business continuity and redundancy plans with your tenants?
Answer: No. The business continuity plan is Alibaba Cloud internal information, but it is regularly audited and confirmed by third-party auditors.

IAM-08.1: Identity & Access Management - Trusted Sources
Question: Do you document how you grant and approve access to tenant data?
Answer: Yes. Alibaba Cloud's service agreement sets out the management responsibilities and access rights for customer data. Customer data can be accessed only with the customer's authorization, and the corresponding operations are logged for inspection.
IAM-08.2: Identity & Access Management - Trusted Sources
Question: Do you have a method of aligning provider and tenant data classification methodologies for access control purposes?
Answer: No. The classification of customer data is determined by the customer.

IAM-09.1: Identity & Access Management - User Access Authorization
Question: Does your management provision the authorization and restrictions for user access (e.g., employees, contractors, customers (tenants), business partners and/or suppliers) prior to their access to data and any owned or managed (physical and virtual) applications, infrastructure systems and network components?
Answer: Yes. Alibaba Cloud has established access control management processes in accordance with relevant international standards (such as ISO 27001) to ensure that access rights are kept to the minimum needed; automated access control mechanisms ensure that rights are revoked or frozen in a timely manner, and the relevant logs are retained for investigation.

IAM-09.2: Identity & Access Management - User Access Authorization
Question: Do you provide upon request user access (e.g., employees, contractors, customers (tenants), business partners and/or suppliers) to data and any owned or managed (physical and virtual) applications, infrastructure systems and network components?
Answer: Yes. Alibaba Cloud has established access control management processes in accordance with relevant international standards (such as ISO 27001) to ensure that access rights are kept to the minimum needed; automated access control mechanisms ensure that rights are revoked or frozen in a timely manner, and the relevant logs are retained for investigation.

IAM-10.1: Identity & Access Management - User Access Reviews
Question: Do you require at least annual certification of entitlements for all system users and administrators (exclusive of users maintained by your tenants)?
Answer: Yes. Alibaba Cloud has established access control management processes in accordance with relevant international standards (such as ISO 27001) to ensure that access rights are kept to the minimum needed; automated access control mechanisms ensure that rights are revoked or frozen in a timely manner, and the relevant logs are retained for investigation.

IAM-10.2: Identity & Access Management - User Access Reviews
Question: If users are found to have inappropriate entitlements, are all remediation and certification actions recorded?
Answer: Yes. Alibaba Cloud has established access control management processes in accordance with relevant international standards (such as ISO 27001) to ensure that access rights are kept to the minimum needed; automated access control mechanisms ensure that rights are revoked or frozen in a timely manner, and the relevant logs are retained for investigation.

IAM-10.3: Identity & Access Management - User Access Reviews
Question: Will you share user entitlement remediation and certification reports with your tenants, if inappropriate access may have been allowed to tenant data?
Answer: Yes. Alibaba Cloud has established access control management processes in accordance with relevant international standards (such as ISO 27001) to ensure that access rights are kept to the minimum needed; automated access control mechanisms ensure that rights are revoked or frozen in a timely manner, and the relevant logs are retained for investigation. In addition, Alibaba Cloud accesses customer data only with the customer's authorization, and the relevant permissions follow uniform access control rules.

IAM-11.1: Identity & Access Management - User Access Revocation
Question: Is timely deprovisioning, revocation or modification of user access to the organization's systems, information assets and data implemented upon any change in status of employees, contractors, customers, business partners or involved third parties?
Answer: Yes. Alibaba Cloud has established access control management processes in accordance with relevant international standards (such as ISO 27001) to ensure that access rights are kept to the minimum needed; automated access control mechanisms ensure that rights are revoked or frozen in a timely manner, and the relevant logs are retained for investigation.

IAM-11.2: Identity & Access Management - User Access Revocation
Question: Is any change in user access status intended to include termination of employment, contractor agreement, change of employment or transfer within the organization?
Answer: Yes. Alibaba Cloud has established access control management processes in accordance with relevant international standards (such as ISO 27001) to ensure that access rights are kept to the minimum needed; automated access control mechanisms ensure that rights are revoked or frozen in a timely manner, and the relevant logs are retained for investigation.

IAM-12.1: Identity & Access Management - User ID Credentials
Question: Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?
Answer: Yes. Alibaba Cloud's Resource Access Management (RAM) service supports SSO integration.

IAM-12.2: Identity & Access Management - User ID Credentials
Question: Do you use open standards to delegate authentication capabilities to your tenants?
Answer: Yes. Alibaba Cloud supports SAML 2.0 and related industry-standard protocols.

IAM-12.3: Identity & Access Management - User ID Credentials
Question: Do you support identity federation standards (SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?
Answer: Yes. Alibaba Cloud supports SAML 2.0 and related industry-standard protocols.

IAM-12.4: Identity & Access Management - User ID Credentials
Question: Do you have a Policy Enforcement Point capability (e.g., XACML) to enforce regional legal and policy constraints on user access?
Answer: Yes. Alibaba Cloud's Resource Access Management (RAM) service provides permission management that lets customers configure permissions according to their own requirements and enable related security functions (such as password complexity and multi-factor authentication).

IAM-12.5: Identity & Access Management - User ID Credentials
Question: Do you have an identity management system (enabling classification of data for a tenant) in place to enable both role-based and context-based entitlement to data?
Answer: Yes. Alibaba Cloud's Resource Access Management (RAM) service provides permission management that lets customers configure permissions according to their own requirements and enable related security functions (such as password complexity and multi-factor authentication).

IAM-12.6: Identity & Access Management - User ID Credentials
Question: Do you provide tenants with strong (multifactor) authentication options (digital certs, tokens, biometrics, etc.) for user access?
Answer: Yes. Alibaba Cloud's Resource Access Management (RAM) service provides permission management that lets customers configure permissions according to their own requirements and enable related security functions (such as password complexity and multi-factor authentication).

IAM-12.7: Identity & Access Management - User ID Credentials
Question: Do you allow tenants to use third-party identity assurance services?
Answer: Yes. Alibaba Cloud's Resource Access Management (RAM) service provides permission management that lets customers configure permissions according to their own requirements and enable related security functions (such as password complexity and multi-factor authentication).

IAM-12.8: Identity & Access Management - User ID Credentials
Question: Do you support password (minimum length, age, history, complexity) and account lockout (lockout threshold, lockout duration) policy enforcement?
Answer: Yes. Alibaba Cloud's Resource Access Management (RAM) service provides permission management that lets customers configure permissions according to their own requirements and enable related security functions (such as password complexity and multi-factor authentication).

IAM-12.9: Identity & Access Management - User ID Credentials
Question: Do you allow tenants/customers to define password and account lockout policies for their accounts?
Answer: Yes. Alibaba Cloud's Resource Access Management (RAM) service provides permission management that lets customers configure permissions according to their own requirements and enable related security functions (such as password complexity and multi-factor authentication).

IAM-12.10: Identity & Access Management - User ID Credentials
Question: Do you support the ability to force password changes upon first logon?
Answer: Yes. Alibaba Cloud's Resource Access Management (RAM) service provides permission management that lets customers configure permissions according to their own requirements and enable related security functions (such as password complexity and multi-factor authentication).

IAM-12.11: Identity & Access Management - User ID Credentials
Question: Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?
Answer: Yes. Alibaba Cloud's Resource Access Management (RAM) service provides permission management that lets customers configure permissions according to their own requirements and enable related security functions (such as password complexity and multi-factor authentication).

IAM-13.1: Identity & Access Management - Utility Programs Access
Question: Are utilities that can significantly manage virtualized partitions (e.g., shutdown, clone, etc.) appropriately restricted and monitored?
Answer: Yes. Alibaba Cloud's cloud product operations and maintenance system classifies high-risk operations separately and ensures that only authorized personnel can be granted high-privilege capabilities.

IAM-13.2: Identity & Access Management - Utility Programs Access
Question: Do you have a capability to detect attacks that target the virtual infrastructure directly (e.g., shimming, Blue Pill, Hyperjumping, etc.)?
Answer: Yes. Alibaba Cloud monitors the cloud platform in real time, analyzes potential attacks and vulnerabilities, and handles them accordingly.

IAM-13.3: Identity & Access Management - Utility Programs Access
Question: Are attacks that target the virtual infrastructure prevented with technical controls?
Answer: Yes. Alibaba Cloud monitors the cloud platform in real time, analyzes potential attacks and vulnerabilities, and handles them accordingly.
Infrastructure and Virtualization Security: Controls IVS-01 through IVS-13

IVS-01.1: Infrastructure & Virtualization Security - Audit Logging/Intrusion Detection
Question: Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents?
Answer: Yes. Security monitoring on the Alibaba Cloud platform side can promptly detect security incidents in which the platform's own applications, hosts, networks and other resources are maliciously attacked. Once a security incident is detected, the cloud platform's internal emergency response process is triggered to handle it properly and eliminate the impact in a timely manner.

IVS-01.2: Infrastructure & Virtualization Security - Audit Logging/Intrusion Detection
Question: Is physical and logical user access to audit logs restricted to authorized personnel?
Answer: Yes. Alibaba Cloud has established a strict internal access control mechanism, and access to log data must also comply with the access control requirements.

IVS-01.3: Infrastructure & Virtualization Security - Audit Logging/Intrusion Detection
Question: Can you provide evidence that due diligence mapping of regulations and standards to your controls/architecture/processes has been done?
Answer: Yes. Alibaba Cloud has mapped its security controls to the relevant external compliance requirements, such as SOC 2/3 and ISO 27002.

IVS-01.4: Infrastructure & Virtualization Security - Audit Logging/Intrusion Detection
Question: Are audit logs centrally stored and retained?
Answer: Yes. Alibaba Cloud collects logs automatically, manages them centrally, and monitors and audits them in real time or near real time.

IVS-01.5: Infrastructure & Virtualization Security - Audit Logging/Intrusion Detection
Question: Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)?
Answer: Yes. Alibaba Cloud collects logs automatically, manages them centrally, and monitors and audits them in real time or near real time.

IVS-02.1: Infrastructure & Virtualization Security - Change Detection
Question: Do you log and alert any changes made to virtual machine images regardless of their running state (e.g., dormant, off or running)?
Answer: Yes. Alibaba Cloud records all changes, and the change logs are included in the scope of log monitoring.

IVS-02.2: Infrastructure & Virtualization Security - Change Detection
Question: Are changes made to virtual machines, or moving of an image and subsequent validation of the image's integrity, made immediately available to customers through electronic methods (e.g., portals or alerts)?
Answer: Yes. When an Alibaba Cloud image is updated, customers can obtain the relevant information from the product documentation on the official website or from notifications.

IVS-03.1: Infrastructure & Virtualization Security - Clock Synchronization
Question: Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference?
Answer: Yes. Alibaba Cloud has implemented clock synchronization.

IVS-04.1: Infrastructure & Virtualization Security - Information System Documentation
Question: Do you provide documentation regarding what levels of system (network, storage, memory, I/O, etc.) oversubscription you maintain and under what circumstances/scenarios?
Answer: Yes. All Alibaba Cloud products provide customer-facing SLA documents.

IVS-04.2: Infrastructure & Virtualization Security - Information System Documentation
Question: Do you restrict use of the memory oversubscription capabilities present in the hypervisor?
Answer: Yes. Alibaba Cloud has established a comprehensive resource management mechanism that performs capacity planning in advance and systematically monitors resources in real time to ensure that resources meet business needs.

IVS-04.3: Infrastructure & Virtualization Security - Information System Documentation
Question: Do your system capacity requirements take into account current, projected and anticipated capacity needs for all systems used to provide services to the tenants?
Answer: Yes. Alibaba Cloud has established a comprehensive resource management mechanism that performs capacity planning in advance and systematically monitors resources in real time to ensure that resources meet business needs.

IVS-04.4: Infrastructure & Virtualization Security - Information System Documentation
Question: Is system performance monitored and tuned in order to continuously meet regulatory, contractual and business requirements for all the systems used to provide services to the tenants?
Answer: Yes. Alibaba Cloud monitors the performance of each product to ensure compliance with its SLAs and with business and regulatory requirements.
IVS-05.1: Infrastructure & Virtualization Security - Vulnerability Management
Question: Do security vulnerability assessment tools or services accommodate the virtualization technologies being used (e.g., virtualization aware)?
Answer: Yes. Alibaba Cloud uses vulnerability scanning, penetration testing, and black-box/white-box testing to discover security issues.

IVS-06.1: Infrastructure & Virtualization Security - Network Security
Question: For your IaaS offering, do you provide customers with guidance on how to create a layered security architecture equivalence using your virtualized solution?
Answer: Yes. Alibaba Cloud has published guidance documents such as security whitepapers and enterprise cloud security guidelines to help users deploy products securely.

IVS-06.2: Infrastructure & Virtualization Security - Network Security
Question: Do you regularly update network architecture diagrams that include data flows between security domains/zones?
Answer: Yes. The Alibaba Cloud network team maintains and regularly updates the network architecture diagrams.

IVS-06.3: Infrastructure & Virtualization Security - Network Security
Question: Do you regularly review for appropriateness the allowed access/connectivity (e.g., firewall rules) between security domains/zones within the network?
Answer: Yes. Alibaba Cloud monitors the network security status and follows up on risks in a timely manner.

IVS-06.4: Infrastructure & Virtualization Security - Network Security
Question: Are all firewall access control lists documented with business justification?
Answer: Yes. All network access rules are recorded by the platform and can be changed only after approval.

IVS-07.1: Infrastructure & Virtualization Security - OS Hardening and Base Controls
Question: Are operating systems hardened to provide only the necessary ports, protocols and services to meet business needs using technical controls (i.e., antivirus, file integrity monitoring and logging) as part of their baseline build standard or template?
Answer: Yes. Alibaba Cloud has established security baselines and hardening configuration requirements, and uses them to harden operating systems and images.

IVS-08.1: Infrastructure & Virtualization Security - Production/Non-Production Environments
Question: For your SaaS or PaaS offering, do you provide tenants with separate environments for production and test processes?
Answer: Yes. Customers can separate their production and non-production environments as they choose.

IVS-08.2: Infrastructure & Virtualization Security - Production/Non-Production Environments
Question: For your IaaS offering, do you provide tenants with guidance on how to create suitable production and test environments?
Answer: Yes. Alibaba Cloud provides best practices and enterprise cloud adoption guidelines. For details, see the Alibaba Cloud official website.

IVS-08.3: Infrastructure & Virtualization Security - Production/Non-Production Environments
Question: Do you logically and physically segregate production and non-production environments?
Answer: Yes. Alibaba Cloud isolates production and non-production environments.

IVS-09.1: Infrastructure & Virtualization Security - Segmentation
Question: Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements?
Answer: Yes. Alibaba Cloud has established a network management mechanism in accordance with relevant international standards (such as ISO 27001, CSA STAR and PCI DSS), and its suitability is regularly confirmed by third-party audits.

IVS-09.2: Infrastructure & Virtualization Security - Segmentation
Question: Are system and network environments protected by a firewall or virtual firewall to ensure compliance with legislative, regulatory and contractual requirements?
Answer: Yes. Alibaba Cloud has established a network management mechanism in accordance with relevant international standards (such as ISO 27001, CSA STAR and PCI DSS), and its suitability is regularly confirmed by third-party audits.

IVS-09.3: Infrastructure & Virtualization Security - Segmentation
Question: Are system and network environments protected by a firewall or virtual firewall to ensure separation of production and non-production environments?
Answer: Yes. Alibaba Cloud has established a network management mechanism in accordance with relevant international standards (such as ISO 27001, CSA STAR and PCI DSS), and its suitability is regularly confirmed by third-party audits.

IVS-09.4: Infrastructure & Virtualization Security - Segmentation
Question: Are system and network environments protected by a firewall or virtual firewall to ensure protection and isolation of sensitive data?
Answer: Yes. Alibaba Cloud has established a network management mechanism in accordance with relevant international standards (such as ISO 27001, CSA STAR and PCI DSS), and its suitability is regularly confirmed by third-party audits.

IVS-10.1: Infrastructure & Virtualization Security - VM Security
Question: Are secured and encrypted communication channels used when migrating physical servers, applications or data to virtual servers?
Answer: Yes. Alibaba Cloud secures data in transit by encrypting the transmission link. Transmission encryption means that cloud products provide SSL/TLS for user access to data (including reads and uploads). For example, when a user operates through the Alibaba Cloud console, the console uses HTTPS for data transmission. All Alibaba Cloud products provide customers with HTTPS-capable API endpoints, with transmission encryption strength of up to 256-bit keys, meeting the requirements for encrypted transmission of sensitive data.
IVS-10.2: Infrastructure & Virtualization Security - VM Security
Question: Do you use a network segregated from production-level networks when migrating physical servers, applications or data to virtual servers?
Answer: Yes. Alibaba Cloud's production network is isolated from its non-production networks.

IVS-11.1: Infrastructure & Virtualization Security - Hypervisor Hardening
Question: Do you restrict personnel access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems based on the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls and TLS-encapsulated communications to the administrative consoles)?
Answer: Yes. Alibaba Cloud strictly controls access rights to production systems. All access is logged and included in the scope of intrusion detection and log auditing.

IVS-12.1: Infrastructure & Virtualization Security - Wireless Security
Question: Are policies and procedures established and mechanisms configured and implemented to protect the wireless network environment perimeter and to restrict unauthorized wireless traffic?
Answer: Yes. Alibaba Cloud has established a strict wireless network control mechanism to prevent unauthorized access to the production network.

IVS-12.2: Infrastructure & Virtualization Security - Wireless Security
Question: Are policies and procedures established and mechanisms implemented to ensure wireless security settings are enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings)?
Answer: Yes. Alibaba Cloud has hardened the security configuration of the wireless networks it uses, to prevent unauthorized persons from accessing related resources.

IVS-12.3: Infrastructure & Virtualization Security - Wireless Security
Question: Are policies and procedures established and mechanisms implemented to protect wireless network environments and detect the presence of unauthorized (rogue) network devices for a timely disconnect from the network?
Answer: Yes. Alibaba Cloud has established a network intrusion prevention system that uses tools to detect unauthorized access in real time or near real time.

IVS-13.1: Infrastructure & Virtualization Security - Network Architecture
Question: Do your network architecture diagrams clearly identify high-risk environments and data flows that may have legal compliance impacts?
Answer: Yes. Alibaba Cloud maintains and updates its network architecture diagrams, and analyzes and evaluates the related legal compliance risks in real time.

IVS-13.2: Infrastructure & Virtualization Security - Network Architecture
Question: Do you implement technical measures and apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks?
Answer: Yes. Alibaba Cloud's security monitoring consists of three main parts: log collection, anomaly analysis and detection, and alert display. Log collection gathers host logs, network logs, application-layer logs and cloud product logs from the platform side and imports them into a real-time computing platform and an offline computing platform respectively. Anomaly analysis and detection processes and analyzes the logs on each computing platform using security monitoring algorithm models, in order to discover and monitor risks. Once an abnormal security event is found, an alert is displayed on Alibaba Cloud's internal security monitoring platform, and security incident response personnel are notified through DingTalk, SMS, email and other channels so that they can respond and handle it immediately.
Interoperability and Portability: Controls IPY-01 through IPY-05

IPY-01.1: Interoperability & Portability - APIs
Question: Do you publish a list of all APIs available in the service and indicate which are standard and which are customized?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has published API-related operation information; for details, please refer to the documentation on the Alibaba Cloud official website.
Notes in English: Yes, Alibaba Cloud has released API-related operation information. For details, please refer to the Alibaba Cloud official website documentation.

IPY-02.1: Interoperability & Portability - Data Request
Question: Is unstructured customer data available on request in an industry-standard format (e.g., .doc, .xls, or .pdf)?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has published API-related operation information; for details, please refer to the documentation on the Alibaba Cloud official website.
Notes in English: Yes, Alibaba Cloud has released API-related operation information. For details, please refer to the Alibaba Cloud official website documentation.

IPY-03.1: Interoperability & Portability - Policy & Legal
Question: Do you provide policies and procedures (i.e. service level agreements) governing the use of APIs for interoperability between your service and third-party applications?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has published API-related operation information; for details, please refer to the documentation on the Alibaba Cloud official website.
Notes in English: Yes, Alibaba Cloud has released API-related operation information. For details, please refer to the Alibaba Cloud official website documentation.

IPY-03.2: Interoperability & Portability - Policy & Legal
Question: Do you provide policies and procedures (i.e. service level agreements) governing the migration of application data to and from your service?
Answer: Yes
Notes in Chinese (translated): Yes, each Alibaba Cloud product has a corresponding service level agreement that states the responsibility for safekeeping customer data.
Notes in English: Yes, each product of Alibaba Cloud has a corresponding service level agreement, stating the responsibility for customer data storage.

IPY-04.1: Interoperability & Portability - Standardized Network Protocols
Question: Can data import, data export and service management be conducted over secure (e.g., non-clear text and authenticated), industry accepted standardized network protocols?
Answer: Yes
Notes in Chinese (translated): Yes, industry-standard network transport encryption protocols can be used during data transmission.
Notes in English: Yes, the industry-wide network transmission encryption protocol can be used during data transmission.

IPY-04.2: Interoperability & Portability - Standardized Network Protocols
Question: Do you provide consumers (tenants) with documentation detailing the relevant interoperability and portability network protocol standards that are involved?
Answer: Yes
Notes in Chinese (translated): Yes, industry-standard network transport encryption protocols can be used during data transmission.
Notes in English: Yes, the industry-wide network transmission encryption protocol can be used during data transmission.

IPY-05.1: Interoperability & Portability - Virtualization
Question: Do you use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud's image export and import use the industry-standard OVF and other formats.
Notes in English: Yes, Alibaba Cloud's image export and import use the industry's common OVF and other formats.

IPY-05.2: Interoperability & Portability - Virtualization
Question: Do you have documented custom changes made to any hypervisor in use, and all solution-specific virtualization hooks available for customer review?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has retained the relevant records.
Notes in English: Yes, Alibaba Cloud has retained relevant records.
Mobile Security: Controls MOS-01 through MOS-20

MOS-01.1: Mobile Security - Anti-Malware
Question: Do you provide anti-malware training specific to mobile devices as part of your information security awareness training?
Answer: Yes
Notes in Chinese (translated): Yes, both the new-employee training and the annual company-wide security training provided by Alibaba Cloud include awareness and skills for malicious code prevention.
Notes in English: Yes, the new employee training and annual security training provided by Alibaba Cloud both include awareness and skills in malicious code prevention.

MOS-02.1: Mobile Security - Application Stores
Question: Do you document and make available lists of approved application stores for mobile devices accessing or storing company data and/or company systems?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud provides a unified platform from which employees download office software.
Notes in English: Yes, Alibaba Cloud provides a unified platform for employees to download office software.

MOS-03.1: Mobile Security - Approved Applications
Question: Do you have a policy enforcement capability (e.g., XACML) to ensure that only approved applications and those from approved application stores be loaded onto a mobile device?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud uses automated tools to scan employees' mobile office terminals to find out whether unauthorized software is installed on them.
Notes in English: Yes, Alibaba Cloud uses automated tools to scan employees' mobile office terminals to find out if unauthorized software is installed on the mobile terminals.

MOS-04.1: Mobile Security - Approved Software for BYOD
Question: Does your BYOD policy and training clearly state which applications and application stores are approved for use on BYOD devices?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud prohibits BYOD for office computers; other devices that need BYOD (such as mobile phones) must be registered in the terminal management system and bound to the employee's identity, and may only access the office network environment.
Notes in English: Yes, Alibaba Cloud prohibits BYOD for office computers. Other devices that require BYOD (such as mobile phones) need to be registered with the terminal management system and bound to the employee, and they can only access the office network environment.

MOS-05.1: Mobile Security - Awareness and Training
Question: Do you have a documented mobile device policy in your employee training that clearly defines mobile devices and the accepted usage and requirements for mobile devices?
Answer: Yes
Notes in Chinese (translated): Yes, the security red lines that Alibaba Cloud follows specify the security requirements for mobile devices, and these requirements are also communicated to all staff in the annual security training.
Notes in English: Yes, the security red line followed by Alibaba Cloud clearly specifies the security requirements for mobile devices. At the same time, these requirements are all publicized during the annual security training.

MOS-06.1: Mobile Security - Cloud Based Services
Question: Do you have a documented list of pre-approved cloud based services that are allowed to be used for use and storage of company business data via a mobile device?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud only allows employees to use the company's self-developed cloud storage products/services.
Notes in English: Yes, Alibaba Cloud only allows employees to use the company's self-developed cloud storage products/services.

MOS-07.1: Mobile Security
Question: Do you have a documented application validation process for testing device, operating system and application compatibility issues?
Answer: Yes
Notes in Chinese (translated): Yes, software compatibility is a point of focus in Alibaba Cloud's basic requirements for software.
Notes in English: Yes, software compatibility is the focus of Alibaba Cloud's basic software requirements.

MOS-08.1: Mobile Security - Device Eligibility
Question: Do you have a BYOD policy that defines the device(s) and eligibility requirements allowed for BYOD usage?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud prohibits BYOD for office computers; other devices that need BYOD (such as mobile phones) must be registered in the terminal management system and bound to the employee's identity, and may only access the office network environment.
Notes in English: Yes, Alibaba Cloud prohibits BYOD for office computers. Other devices that require BYOD (such as mobile phones) need to be registered with the terminal management system and bound to the employee, and they can only access the office network environment.

MOS-09.1: Mobile Security - Device Inventory
Question: Do you maintain an inventory of all mobile devices storing and accessing company data which includes device status (OS system and patch levels, lost or decommissioned, device assignee)?
Answer: Yes
Notes in Chinese (translated): Yes, all Alibaba Cloud mobile office devices must be registered in the company's terminal management system.
Notes in English: Yes, all Alibaba Cloud mobile office equipment needs to be registered on the company's terminal management system.

MOS-10.1: Mobile Security - Device Management
Question: Do you have a centralized mobile device management solution deployed to all mobile devices that are permitted to store, transmit, or process company data?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has a centralized terminal management system for unified management of mobile office devices.
Notes in English: Yes, Alibaba Cloud has a centralized terminal management system for unified management of remote working equipment.

MOS-11.1: Mobile Security - Encryption
Question: Does your mobile device policy require the use of encryption for either the entire device or for data identified as sensitive, enforceable through technology controls for all mobile devices?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud's mobile device security policy explicitly requires disk encryption for mobile devices that handle sensitive data.
Notes in English: Yes, Alibaba Cloud's mobile device security policy explicitly requires hard drive encryption for mobile devices that come into contact with sensitive data.

MOS-12.1: Mobile Security - Jailbreaking and Rooting
Question: Does your mobile device policy prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting)?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud's mobile device security policy prohibits bypassing the built-in security controls (such as jailbreaking) on company-issued mobile devices, and this is monitored through terminal management software.
Notes in English: Yes, Alibaba Cloud's mobile device security policy prohibits mobile devices distributed by the company from bypassing built-in security controls (such as jailbreaking), and this is monitored through terminal management software.

MOS-12.2: Mobile Security - Jailbreaking and Rooting
Question: Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud's mobile device security policy prohibits bypassing the built-in security controls (such as jailbreaking) on company-issued mobile devices, and this is monitored through terminal management software.
Notes in English: Yes, Alibaba Cloud's mobile device security policy prohibits mobile devices distributed by the company from bypassing built-in security controls (such as jailbreaking), and this is monitored through terminal management software.

MOS-13.1: Mobile Security - Legal
Question: Does your BYOD policy clearly define the expectation of privacy, requirements for litigation, e-discovery and legal holds?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud prohibits BYOD for office computers; other devices that need BYOD (such as mobile phones) must be registered in the terminal management system and bound to the employee's identity, and may only access the office network environment.
Notes in English: Yes, Alibaba Cloud prohibits BYOD for office computers. Other devices that require BYOD (such as mobile phones) need to be registered with the terminal management system and bound to the employee, and they can only access the office network environment.

MOS-13.2: Mobile Security - Legal
Question: Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has a unified terminal management system for mobile device management.
Notes in English: Yes, Alibaba Cloud has a unified terminal management system for mobile device management.

MOS-14: Mobile Security - Lockout Screen
Question: Do you require and enforce via technical controls an automatic lockout screen for BYOD and company owned devices?
Answer: Yes
Notes in Chinese (translated): Yes, the lock screen policy is configured by technical means.
Notes in English: Yes, the lock screen strategy is set through technology.

MOS-15: Mobile Security - Operating Systems
Question: Do you manage all changes to mobile device operating systems, patch levels and applications via your company's change management processes?
Answer: Yes
Notes in Chinese (translated): Yes, all patch upgrade changes to operating systems are monitored.
Notes in English: Yes, all patch updates to the operating system are monitored.

MOS-16.1: Mobile Security - Passwords
Question: Do you have password policies for enterprise issued mobile devices and/or BYOD mobile devices?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has configured a password security policy through the system.
Notes in English: Yes, Alibaba Cloud has configured a password security policy through the system.

MOS-16.2: Mobile Security - Passwords
Question: Are your password policies enforced through technical controls (i.e. MDM)?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud implements the password security policy configuration systematically.
Notes in English: Yes, Alibaba Cloud systematically implements password security policy configuration.

MOS-16.3: Mobile Security - Passwords
Question: Do your password policies prohibit the changing of authentication requirements (i.e. password/PIN length) via a mobile device?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud's password security policy contains authentication-related configuration requirements, such as password length.
Notes in English: Yes, Alibaba Cloud's password security policy has authentication-related configuration requirements, such as password length.

MOS-17.1: Mobile Security - Policy
Question: Do you have a policy that requires BYOD users to perform backups of specified corporate data?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud prohibits BYOD for office computers; other devices that need BYOD (such as mobile phones) must be registered in the terminal management system and bound to the employee's identity, and may only access the office network environment. In addition, local storage of office data on BYOD devices is prohibited.
Notes in English: Yes, Alibaba Cloud prohibits BYOD for office computers. Other devices that require BYOD (such as mobile phones) need to be registered with the terminal management system and bound to the employee, and they can only access the office network environment. At the same time, local storage of office data on BYOD devices is prohibited.

MOS-17.2: Mobile Security - Policy
Question: Do you have a policy that requires BYOD users to prohibit the usage of unapproved application stores?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud prohibits BYOD for office computers; other devices that need BYOD (such as mobile phones) must be registered in the terminal management system and bound to the employee's identity, and may only access the office network environment. In addition, local storage of office data on BYOD devices is prohibited.
Notes in English: Yes, Alibaba Cloud prohibits BYOD for office computers. Other devices that require BYOD (such as mobile phones) need to be registered with the terminal management system and bound to the employee, and they can only access the office network environment. At the same time, local storage of office data on BYOD devices is prohibited.

MOS-17.3: Mobile Security - Policy
Question: Do you have a policy that requires BYOD users to use anti-malware software (where supported)?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud prohibits BYOD for office computers; other devices that need BYOD (such as mobile phones) must be registered in the terminal management system and bound to the employee's identity, and may only access the office network environment. In addition, local storage of office data on BYOD devices is prohibited.
Notes in English: Yes, Alibaba Cloud prohibits BYOD for office computers. Other devices that require BYOD (such as mobile phones) need to be registered with the terminal management system and bound to the employee, and they can only access the office network environment. At the same time, local storage of office data on BYOD devices is prohibited.

MOS-18.1: Mobile Security - Remote Wipe
Question: Does your IT provide remote wipe or corporate data wipe for all company-accepted BYOD devices?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud prohibits BYOD for office computers; other devices that need BYOD (such as mobile phones) must be registered in the terminal management system and bound to the employee's identity, and may only access the office network environment. In addition, local storage of office data on BYOD devices is prohibited.
Notes in English: Yes, Alibaba Cloud prohibits BYOD for office computers. Other devices that require BYOD (such as mobile phones) need to be registered with the terminal management system and bound to the employee, and they can only access the office network environment. At the same time, local storage of office data on BYOD devices is prohibited.

MOS-18.2: Mobile Security - Remote Wipe
Question: Does your IT provide remote wipe or corporate data wipe for all company-assigned mobile devices?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud provides the capability to remotely wipe device data for devices that handle sensitive data.
Notes in English: Yes, Alibaba Cloud provides the ability to remotely erase device data for devices exposed to sensitive data.

MOS-19.1: Mobile Security - Security Patches
Question: Do your mobile devices have the latest available security-related patches installed upon general release by the device manufacturer or carrier?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud manages devices centrally through terminal security software to ensure that security patches on devices are updated promptly.
Notes in English: Yes, Alibaba Cloud uses unified management of terminal security software to ensure that security patches on devices are updated in a timely manner.

MOS-19.2: Mobile Security - Security Patches
Question: Do your mobile devices allow for remote validation to download the latest security patches by company IT personnel?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud allows mobile devices to remotely download the latest security patches.
Notes in English: Yes, Alibaba Cloud allows mobile devices to remotely download the latest security patches.

MOS-20.1: Mobile Security - Users
Question: Does your BYOD policy clarify the systems and servers allowed for use or access on the BYOD-enabled device?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud prohibits BYOD for office computers; other devices that need BYOD (such as mobile phones) must be registered in the terminal management system and bound to the employee's identity, and may only access the office network environment. In addition, local storage of office data on BYOD devices is prohibited.
Notes in English: Yes, Alibaba Cloud prohibits BYOD for office computers. Other devices that require BYOD (such as mobile phones) need to be registered with the terminal management system and bound to the employee, and they can only access the office network environment. At the same time, local storage of office data on BYOD devices is prohibited.

MOS-20.2: Mobile Security - Users
Question: Does your BYOD policy specify the user roles that are allowed access via a BYOD-enabled device?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud prohibits BYOD for office computers; other devices that need BYOD (such as mobile phones) must be registered in the terminal management system and bound to the employee's identity, and may only access the office network environment. In addition, local storage of office data on BYOD devices is prohibited.
Notes in English: Yes, Alibaba Cloud prohibits BYOD for office computers. Other devices that require BYOD (such as mobile phones) need to be registered with the terminal management system and bound to the employee, and they can only access the office network environment. At the same time, local storage of office data on BYOD devices is prohibited.
Security Incident Management, E-Discovery & Cloud Forensics: Controls SEF-01 through SEF-05

SEF-01.1: Security Incident Management, E-Discovery & Cloud Forensics - Contact / Authority Maintenance
Question: Do you maintain liaisons and points of contact with local authorities in accordance with contracts and appropriate regulations?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has established a security incident management process in accordance with relevant international standards (such as ISO 27001/27017/27018), covering discovery, investigation, notification, resolution and review, and including mechanisms for communication and collaboration with customers.
Notes in English: Yes, Alibaba Cloud establishes security incident management processes in accordance with relevant international standards (such as ISO 27001/27017/27018, etc.), including processes such as discovery, investigation, notification, resolution, and review, and including customer communication and collaboration mechanisms.

SEF-02.1: Security Incident Management, E-Discovery & Cloud Forensics - Incident Management
Question: Do you have a documented security incident response plan?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has established a security incident management process in accordance with relevant international standards (such as ISO 27001/27017/27018), covering discovery, investigation, notification, resolution and review, and including mechanisms for communication and collaboration with customers.
Notes in English: Yes, Alibaba Cloud establishes security incident management processes in accordance with relevant international standards (such as ISO 27001/27017/27018, etc.), including processes such as discovery, investigation, notification, resolution, and review, and including customer communication and collaboration mechanisms.

SEF-02.2: Security Incident Management, E-Discovery & Cloud Forensics - Incident Management
Question: Do you integrate customized tenant requirements into your security incident response plans?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has established a security incident management process in accordance with relevant international standards (such as ISO 27001/27017/27018), covering discovery, investigation, notification, resolution and review, and including mechanisms for communication and collaboration with customers.
Notes in English: Yes, Alibaba Cloud establishes security incident management processes in accordance with relevant international standards (such as ISO 27001/27017/27018, etc.), including processes such as discovery, investigation, notification, resolution, and review, and including customer communication and collaboration mechanisms.

SEF-02.3: Security Incident Management, E-Discovery & Cloud Forensics - Incident Management
Question: Do you publish a roles and responsibilities document specifying what you vs. your tenants are responsible for during security incidents?
Answer: Yes
Notes in Chinese (translated): Yes, the responsibilities and obligations of the customer and Alibaba Cloud are stated in Alibaba Cloud's security white paper and service agreement.
Notes in English: Yes, the responsibilities of the customer and Alibaba Cloud have been stated in Alibaba Cloud's security white paper and service agreement.

SEF-02.4: Security Incident Management, E-Discovery & Cloud Forensics - Incident Management
Question: Have you tested your security incident response plans in the last year?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud reviews and tests its security incident response process at least once a year.
Notes in English: Yes, Alibaba Cloud reviews and tests security incident response processes at least once a year.

SEF-03.1: Security Incident Management, E-Discovery & Cloud Forensics - Incident Reporting
Question: Does your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud automatically collects relevant log information in a systematic way as the basis for subsequent investigation and audit.
Notes in English: Yes, Alibaba Cloud automatically collects relevant log information in a systematic manner as the basis for subsequent investigations and audits.

SEF-03.2: Security Incident Management, E-Discovery & Cloud Forensics - Incident Reporting
Question: Does your logging and monitoring framework allow isolation of an incident to specific tenants?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has established a security incident management process in accordance with relevant international standards (such as ISO 27001/27017/27018), covering discovery, investigation, notification, resolution and review, and including mechanisms for communication and collaboration with customers.
Notes in English: Yes, Alibaba Cloud establishes security incident management processes in accordance with relevant international standards (such as ISO 27001/27017/27018, etc.), including processes such as discovery, investigation, notification, resolution, and review, and including customer communication and collaboration mechanisms.

SEF-04.1: Security Incident Management, E-Discovery & Cloud Forensics - Incident Response Legal Preparation
Question: Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has established a security incident management process in accordance with relevant international standards (such as ISO 27001/27017/27018), covering discovery, investigation, notification, resolution and review, and including mechanisms for communication and collaboration with customers.
Notes in English: Yes, Alibaba Cloud establishes security incident management processes in accordance with relevant international standards (such as ISO 27001/27017/27018, etc.), including processes such as discovery, investigation, notification, resolution, and review, and including customer communication and collaboration mechanisms.

SEF-04.2: Security Incident Management, E-Discovery & Cloud Forensics - Incident Response Legal Preparation
Question: Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has established a security incident management process in accordance with relevant international standards (such as ISO 27001/27017/27018), covering discovery, investigation, notification, resolution and review, and including mechanisms for communication and collaboration with customers.
Notes in English: Yes, Alibaba Cloud establishes security incident management processes in accordance with relevant international standards (such as ISO 27001/27017/27018, etc.), including processes such as discovery, investigation, notification, resolution, and review, and including customer communication and collaboration mechanisms.

SEF-04.3: Security Incident Management, E-Discovery & Cloud Forensics - Incident Response Legal Preparation
Question: Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has established a security incident management process in accordance with relevant international standards (such as ISO 27001/27017/27018), covering discovery, investigation, notification, resolution and review, and including mechanisms for communication and collaboration with customers.
Notes in English: Yes, Alibaba Cloud establishes security incident management processes in accordance with relevant international standards (such as ISO 27001/27017/27018, etc.), including processes such as discovery, investigation, notification, resolution, and review, and including customer communication and collaboration mechanisms.

SEF-04.4: Security Incident Management, E-Discovery & Cloud Forensics - Incident Response Legal Preparation
Question: Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has established a security incident management process in accordance with relevant international standards (such as ISO 27001/27017/27018), covering discovery, investigation, notification, resolution and review, and including mechanisms for communication and collaboration with customers.
Notes in English: Yes, Alibaba Cloud establishes security incident management processes in accordance with relevant international standards (such as ISO 27001/27017/27018, etc.), including processes such as discovery, investigation, notification, resolution, and review, and including customer communication and collaboration mechanisms.

SEF-05.1: Security Incident Management, E-Discovery & Cloud Forensics - Incident Response Metrics
Question: Do you monitor and quantify the types, volumes and impacts on all information security incidents?
Answer: Yes
Notes in Chinese (translated): Yes, when an information security incident occurs, the corresponding process records are fully recorded and reviewed.
Notes in English: Yes, when an information security incident occurs, the corresponding process records will be fully recorded and reviewed.

SEF-05.2: Security Incident Management, E-Discovery & Cloud Forensics - Incident Response Metrics
Question: Will you share statistical information for security incident data with your tenants upon request?
Answer: Yes
Notes in Chinese (translated): Yes, when an information security incident affects customers, Alibaba Cloud promptly keeps the customers informed of the handling progress.
Notes in English: Yes, when information security incidents affect customers, Alibaba Cloud will synchronize the progress with customers in a timely manner.

STA-01.
1: Supply Chain Management, Transparency and Accountability - Data Quality and Integrity
Question: Do you inspect and account for data quality errors and associated risks, and work with your cloud supply-chain partners to correct them?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has established supplier management standards, has formulated data security management standards for suppliers, and has established a mechanism for regular third-party data security audits.
Notes in English: Yes, Alibaba Cloud has established a supplier management policy, but it is not currently relying on partners to deliver products.

STA-01.2: Supply Chain Management, Transparency and Accountability - Data Quality and Integrity
Question: Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has established supplier management standards, has formulated data security management standards for suppliers, and has established a mechanism for regular third-party data security audits.
Notes in English: Not applicable; although Alibaba Cloud has established a supplier management policy, it has not relied on partners to deliver products.

STA-02.1: Supply Chain Management, Transparency and Accountability - Incident Reporting
Question: Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals)?
Answer: Yes
Notes in Chinese (translated): Yes, when an information security incident affects customers, Alibaba Cloud promptly keeps the customers informed of the handling progress.
Notes in English: Yes, when information security incidents affect customers, Alibaba Cloud will synchronize the progress with customers in a timely manner.

STA-03.1: Supply Chain Management, Transparency and Accountability - Network / Infrastructure Services
Question: Do you collect capacity and use data for all relevant components of your cloud service offering?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud collects this information to tune and optimize the service capabilities of its products.
Notes in English: Yes, Alibaba Cloud collects this information to adjust and optimize product service capabilities.

STA-03.2: Supply Chain Management, Transparency and Accountability - Network / Infrastructure Services
Question: Do you provide tenants with capacity planning and use reports?
Answer: N/A
Notes in Chinese (translated): Not applicable; the resources used by customers are managed and planned by the customers themselves and have no direct relationship to Alibaba Cloud's own resource management.
Notes in English: Not applicable; the customer's use of resources is managed and planned by the customer, and has no direct relationship with Alibaba Cloud's own resource management.

STA-04.1: Supply Chain Management, Transparency and Accountability - Provider Internal Assessments
Question: Do you perform annual internal assessments of conformance and effectiveness of your policies, procedures, and supporting measures and metrics?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has established a service level management process in accordance with relevant international standards (such as ISO 20000) and reviews the contents of service level agreements at least once a year.
Notes in English: Yes, Alibaba Cloud establishes service level management processes in accordance with relevant international standards (such as ISO 20000), and reviews the content of the service level agreement at least once a year.

STA-05.1: Supply Chain Management, Transparency and Accountability - Supply Chain Agreements
Question: Do you select and monitor outsourced providers in compliance with laws in the country where the data is processed, stored and transmitted?
Answer: Yes
Notes in Chinese (translated): Yes, although Alibaba Cloud currently has no outsourced data processors, corresponding agreements and management standards have been formulated.
Notes in English: Yes, although Alibaba Cloud currently does not have outsourced data processors, it has formulated corresponding agreements and management policies.

STA-05.2: Supply Chain Management, Transparency and Accountability - Supply Chain Agreements
Question: Do you select and monitor outsourced providers in compliance with laws in the country where the data originates?
Answer: Yes
Notes in Chinese (translated): Yes, although Alibaba Cloud currently has no outsourced data processors, corresponding agreements and management standards have been formulated.
Notes in English: Yes, although Alibaba Cloud currently does not have outsourced data processors, it has formulated corresponding agreements and management policies.

Supply Chain Management, Transparency and Accountability: Controls STA-01 through STA-09

STA-05.3: Supply Chain Management, Transparency and Accountability - Supply Chain Agreements
Question: Does legal counsel review all third-party agreements?
Answer: Yes
Notes in Chinese (translated): Yes, all Alibaba Cloud agreements are reviewed and confirmed by the legal team.
Notes in English: Yes, all Alibaba Cloud agreements are reviewed and checked by the legal team.

STA-05.4: Supply Chain Management, Transparency and Accountability - Supply Chain Agreements
Question: Do third-party agreements include provision for the security and protection of information and assets?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has incorporated security and privacy requirements into its supplier management process and includes the corresponding management requirements in the contract between the two parties, ensuring that suppliers must comply with them.
Notes in English: Yes, Alibaba Cloud has included security and privacy related requirements in the supplier management process, and included the corresponding management requirements in the contract between the two parties to ensure that the supplier must comply with the relevant requirements.

STA-05.5: Supply Chain Management, Transparency and Accountability - Supply Chain Agreements
Question: Do you provide the client with a list and copies of all sub-processing agreements and keep this updated?
Answer: N/A
Notes in Chinese (translated): Not applicable; Alibaba Cloud currently has no outsourced data processors.
Notes in English: Not applicable; Alibaba Cloud currently has no outsourced data processors.

STA-06.1: Supply Chain Management, Transparency and Accountability - Supply Chain Governance Reviews
Question: Do you review the risk management and governance processes of partners to account for risks inherited from other members of that partner's supply chain?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud's contract template already incorporates security and privacy requirements and sets out the inspection and audit requirements for suppliers, ensuring the suppliers' service capability.
Notes in English: Yes, Alibaba Cloud's contract template has included security and privacy related requirements, and explained the inspection and audit requirements for suppliers to ensure supplier service capabilities.

STA-07.1: Supply Chain Management, Transparency and Accountability - Supply Chain Metrics
Question: Are policies and procedures established, and supporting business processes and technical measures implemented, for maintaining complete, accurate and relevant agreements (e.g., SLAs) between providers and customers (tenants)?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud's contract template already incorporates security and privacy requirements and sets out the inspection and audit requirements for suppliers, ensuring the suppliers' service capability.
Notes in English: Yes, Alibaba Cloud's contract template has included security and privacy related requirements, and explained the inspection and audit requirements for suppliers to ensure supplier service capabilities.

STA-07.2: Supply Chain Management, Transparency and Accountability - Supply Chain Metrics
Question: Do you have the ability to measure and address non-conformance of provisions and/or terms across the entire supply chain (upstream/downstream)?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud's contract template already incorporates security and privacy requirements and sets out the inspection and audit requirements for suppliers, ensuring the suppliers' service capability.
Notes in English: Yes, Alibaba Cloud's contract template has included security and privacy related requirements, and explained the inspection and audit requirements for suppliers to ensure supplier service capabilities.

STA-07.3: Supply Chain Management, Transparency and Accountability - Supply Chain Metrics
Question: Can you manage service-level conflicts or inconsistencies resulting from disparate supplier relationships?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud's contract template already incorporates security and privacy requirements and sets out the inspection and audit requirements for suppliers, ensuring the suppliers' service capability.
Notes in English: Yes, Alibaba Cloud's contract template has included security and privacy related requirements, and explained the inspection and audit requirements for suppliers to ensure supplier service capabilities.

STA-07.4: Supply Chain Management, Transparency and Accountability - Supply Chain Metrics
Question: Do you review all agreements, policies and processes at least annually?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud's contract template already incorporates security and privacy requirements and sets out the inspection and audit requirements for suppliers, ensuring the suppliers' service capability.
Notes in English: Yes, Alibaba Cloud's contract template has included security and privacy related requirements, and explained the inspection and audit requirements for suppliers to ensure supplier service capabilities.

STA-08.1: Supply Chain Management, Transparency and Accountability - Third Party Assessment
Question: Do you assure reasonable information security across your information supply chain by performing an annual review?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud's contract template already incorporates security and privacy requirements and sets out the inspection and audit requirements for suppliers, ensuring the suppliers' service capability.
Notes in English: Yes, Alibaba Cloud's contract template has included security and privacy related requirements, and explained the inspection and audit requirements for suppliers to ensure supplier service capabilities.

STA-08.2: Supply Chain Management, Transparency and Accountability - Third Party Assessment
Question: Does your annual review include all partners/third-party providers upon which your information supply chain depends?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud's contract template already incorporates security and privacy requirements and sets out the inspection and audit requirements for suppliers, ensuring the suppliers' service capability.
Notes in English: Yes, Alibaba Cloud's contract template has included security and privacy related requirements, and explained the inspection and audit requirements for suppliers to ensure supplier service capabilities.

STA-09.1: Supply Chain Management, Transparency and Accountability - Third Party Audits
Question: Do you permit tenants to perform independent vulnerability assessments?
Answer: Yes
Notes in Chinese (translated): Yes, customers may perform vulnerability scanning assessments of their own resources.
Notes in English: Yes, customers can conduct vulnerability scan assessments of their own resources.

STA-09.2: Supply Chain Management, Transparency and Accountability - Third Party Audits
Question: Do you have external third party services conduct vulnerability scans and periodic penetration tests on your applications and networks?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud requires a third party to conduct an external penetration test at least once every six months.
Notes in English: Yes, Alibaba Cloud requires a third party to conduct external penetration testing at least once every six months.

TVM-01.
1: Threat and Vulnerability Management - Anti-Virus / Malicious Software
Question: Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your systems?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud has established a malware protection mechanism on the cloud platform side and provides malware protection capabilities in the Cloud Security Center for customers to use.
Notes in English: Yes, Alibaba Cloud has established a malware protection mechanism on the cloud platform side, and provided malware protection capabilities in the Cloud Security Center for customers to use.

TVM-01.2: Threat and Vulnerability Management - Anti-Virus / Malicious Software
Question: Do you ensure that security threat detection systems using signatures, lists or behavioral patterns are updated across all infrastructure components within industry accepted timeframes?
Answer: Yes
Notes in Chinese (translated): Yes, Alibaba Cloud's intrusion detection and prevention system is continuously updated to ensure the detection of external threats.