CCSP complete mind map
2024-12-25 15:09:19
Tagged: AI-generated
Cloud security and emerging technologies are among today's information security trends. The ISC2 CCSP is a vendor-neutral, authoritative and broad cloud security certification, and it gives cloud security practitioners a great deal of practical knowledge.
Outline / Content
D1 Cloud Concepts, Architecture and Design
  1.1 Understand cloud computing concepts
    Cloud computing definitions
    Cloud computing roles and responsibilities
      cloud service customer
      cloud service provider
      cloud service partner
      cloud service broker
      regulator
    Key cloud computing characteristics
      on-demand self-service
      broad network access
      multi-tenancy
      rapid elasticity and scalability
      resource pooling
      measured service
    Building block technologies
      virtualization
      storage
      networking
      databases
      orchestration
  1.2 Describe cloud reference architecture
    Cloud computing activities
    Cloud service capabilities
      application capability types
      platform capability types
      infrastructure capability types
    Cloud service categories
      Software as a Service (SaaS)
      Infrastructure as a Service (IaaS)
      Platform as a Service (PaaS)
    Cloud deployment models
      public
      private
      hybrid
      community
      multi-cloud
    Cloud shared considerations
      interoperability
      portability
      reversibility
      availability
      security
      privacy
      resiliency
      performance
      governance
      maintenance and versioning
      service levels and service-level agreements (SLA)
      auditability
      regulatory
      outsourcing
    Impact of related technologies
      data science
      machine learning
      artificial intelligence (AI)
      blockchain
      Internet of Things (IoT)
      containers
      quantum computing
      edge computing
      confidential computing
      DevSecOps
  1.3 Understand security concepts relevant to cloud computing
    Cryptography and key management
    Identity and access control
      user access
      privileged access
      service access
    Data and media sanitization
      overwriting
      cryptographic erase
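The two sanitization methods just listed, side by side, as an added example that is not part of the original mind map. Overwriting rewrites the medium itself; cryptographic erase leaves the ciphertext in place and destroys the per-volume key, which is the only method a cloud customer can actually execute on provider-owned storage. The SHA-256 keystream cipher is a dependency-free stand-in for real volume encryption (AES-XTS/AES-GCM or the provider's encrypted-volume feature) and must not be used as a cipher itself; the customer record is constructed.

```python
"""Overwriting vs. cryptographic erase on an in-memory stand-in for a medium.

Added example, not from the original page. The SHA-256 keystream cipher is a
toy used only to keep the example dependency-free.
"""
import hashlib
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256-derived counter-mode keystream. The same call
    both encrypts and decrypts (toy construction, illustration only)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + nonce + counter).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def overwrite_in_place(medium: bytearray, passes: int = 3) -> int:
    """Overwriting: rewrite every byte, random passes then a final zero pass.
    Returns total bytes written. On SSDs and on provider-managed block storage
    the customer cannot verify that every physical cell was reached, which is
    why cryptographic erase is the practical choice in the cloud."""
    size = len(medium)
    for _ in range(passes - 1):
        medium[:] = secrets.token_bytes(size)
    medium[:] = bytes(size)
    return size * passes


class EncryptedVolume:
    """Volume whose content only ever touches the medium encrypted under a
    per-volume data encryption key (DEK). Cryptographic erase destroys the DEK
    and leaves the ciphertext exactly where it was."""

    def __init__(self):
        self._dek = secrets.token_bytes(32)   # would be wrapped by a KMS key
        self._nonce = secrets.token_bytes(16)
        self.stored = b""                     # what the provider's disk holds

    def write(self, plaintext: bytes) -> None:
        self._require_key()
        self.stored = keystream_xor(self._dek, self._nonce, plaintext)

    def read(self) -> bytes:
        self._require_key()
        return keystream_xor(self._dek, self._nonce, self.stored)

    def crypto_erase(self) -> int:
        """Destroy the DEK; return how many ciphertext bytes stay on the medium."""
        self._dek = None
        return len(self.stored)

    def is_erased(self) -> bool:
        return self._dek is None

    def _require_key(self) -> None:
        if self._dek is None:
            raise RuntimeError("volume has been cryptographically erased")


def demo() -> dict:
    """Apply both methods to a constructed record and report what someone who
    later obtains the medium would see."""
    secret = b"customer record: card ending 4242, dob 1980-01-01"  # constructed

    plain_disk = bytearray(secret)
    overwrite_in_place(plain_disk)

    vol = EncryptedVolume()
    vol.write(secret)
    round_trip_ok = vol.read() == secret
    leftover = vol.crypto_erase()

    return {
        "round_trip_before_erase": round_trip_ok,
        "overwritten_medium_is_zero": plain_disk == bytes(len(secret)),
        "ciphertext_bytes_left": leftover,
        "ciphertext_contains_plaintext": secret in vol.stored,
        "readable_after_erase": not vol.is_erased(),
    }


if __name__ == "__main__":
    print(demo())
```

The check a practitioner cares about is the last two fields: after the erase the full ciphertext is still on the medium, yet it reveals nothing and cannot be read, so the assurance rests entirely on the key having been destroyed (in practice: the wrapped DEK deleted from the KMS, with that deletion logged).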
    Network security
      network security groups
      traffic inspection
      geofencing
      zero trust network
    Virtualization security
      hypervisor security
      container security
      ephemeral computing
      serverless technology
    Common threats
    Security hygiene
      patching
      baselining
  1.4 Understand design principles of secure cloud computing
    Cloud secure data lifecycle
    Cloud-based business continuity (BC) and disaster recovery (DR) plan
    Business impact analysis (BIA)
      cost-benefit analysis
      return on investment (ROI)
    Functional security requirements
      portability
      interoperability
      vendor lock-in
    Security considerations and responsibilities for different cloud categories
      Software as a Service (SaaS)
      Infrastructure as a Service (IaaS)
      Platform as a Service (PaaS)
    Cloud design patterns
      SANS security principles
      Well-Architected Framework
      Cloud Security Alliance (CSA) Enterprise Architecture
    DevOps security
  1.5 Evaluate cloud service providers
    Verification against criteria
      International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27017
      Payment Card Industry Data Security Standard (PCI DSS)
    System/subsystem product certifications
      Common Criteria (CC)
      Federal Information Processing Standard (FIPS) 140-2
D2 Cloud Data Security
  2.1 Describe cloud data concepts
    Cloud data life cycle phases
    Data dispersion
    Data flows
  2.2 Design and implement cloud data storage architectures
    Storage types
      long-term
      ephemeral
      raw storage
    Threats to storage types
  2.3 Design and apply data security technologies and strategies
    Encryption and key management
    Hashing
    Data obfuscation
      masking
      anonymization
    Tokenization
    Data loss prevention (DLP)
    Keys, secrets and certificates management
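Hashing, masking, anonymization and tokenization from 2.3 applied to one record, as an added example that is not part of the original mind map. It also carries the caveat exam questions like to probe: an unkeyed hash of a low-entropy field (an SSN, a card number) is reversible by enumeration and therefore is not anonymization, whereas a keyed pseudonym (HMAC with a pepper) or a vault token is. RECORD, the pepper value, and the TokenVault class are constructed for illustration; a real deployment keeps the pepper in a KMS and the vault in a hardened, separately-audited store.

```python
"""Hashing, masking, pseudonymization and tokenization on a constructed record.

Added example, not from the original page. RECORD, the pepper and TokenVault
are illustrative; nothing here is a real person's data.
"""
import hashlib
import hmac
import secrets

RECORD = {  # constructed sample, not real data
    "name": "Alice Example",
    "email": "Alice@example.com",
    "card": "4111 1111 1111 1111",
    "ssn": "123-45-6789",
}


def sha256_hex(value: str) -> str:
    """Plain hash: good for integrity checks and exact-match joins, but see
    brute_force_plain_hash below for why it does not anonymize small spaces."""
    return hashlib.sha256(value.encode()).hexdigest()


def mask_card(card: str, keep_last: int = 4) -> str:
    """Masking: expose only the trailing digits a support agent needs."""
    digits = card.replace(" ", "")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def pseudonymize(value: str, pepper: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256): stable for joins, but without the pepper
    an attacker cannot enumerate candidates and compare digests."""
    return hmac.new(pepper, value.encode(), hashlib.sha256).hexdigest()


def brute_force_plain_hash(target_hex: str, known_prefix: str) -> str:
    """Recover a value whose only unknown part is four digits (e.g. an SSN with
    a known area/group prefix) from its unkeyed SHA-256. Returns "" on failure."""
    for n in range(10_000):
        candidate = f"{known_prefix}{n:04d}"
        if sha256_hex(candidate) == target_hex:
            return candidate
    return ""


class TokenVault:
    """Tokenization: the real value lives only here; downstream systems carry a
    random token with no mathematical relationship to the value."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value: str) -> str:
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(16)
            self._by_token[token] = value
            self._by_value[value] = token
        return self._by_value[value]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def obfuscate(record: dict, vault: TokenVault, pepper: bytes) -> dict:
    """The view a non-privileged analytics consumer receives."""
    return {
        "name": pseudonymize(record["name"], pepper),
        "email_hash": sha256_hex(record["email"].strip().lower()),
        "card": mask_card(record["card"]),
        "ssn": vault.tokenize(record["ssn"]),
    }


if __name__ == "__main__":
    vault = TokenVault()
    pepper = secrets.token_bytes(32)  # from a KMS in practice
    view = obfuscate(RECORD, vault, pepper)
    print(view)
    print("detokenized:", vault.detokenize(view["ssn"]))
    print("plain-hash SSN recovered:",
          brute_force_plain_hash(sha256_hex(RECORD["ssn"]), "123-45-"))
```

Note the scope boundary each technique buys: the masked card and the token can live in a system outside the cardholder-data environment, the pseudonym is only as strong as the secrecy of the pepper, and the email hash is reversible by anyone who can guess addresses.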
  2.4 Implement data discovery
    Structured data
    Unstructured data
    Semi-structured data
    Data location
  2.5 Plan and implement data classification
    Data classification policies
    Data mapping
    Data labeling
  2.6 Design and implement Information Rights Management (IRM)
    Objectives
      data rights
      provisioning
      access models
    Appropriate tools
      issuing and revocation of certificates
  2.7 Plan and implement data retention, deletion and archiving policies
    Data retention policies
    Data deletion procedures and mechanisms
    Data archiving procedures and mechanisms
    Legal hold
  2.8 Design and implement auditability, traceability and accountability of data events
    Definition of event sources and requirement of event attributes
      identity
      Internet Protocol (IP) address
      geolocation
    Logging, storage and analysis of data events
    Chain of custody and non-repudiation
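A data-event audit trail that meets the 2.8 requirements, as an added example that is not part of the original mind map: each event must carry identity, source IP and geolocation; entries are hash-chained so that a later edit or deletion breaks verification (chain of custody); and every entry is sealed with an HMAC under a key the log writer does not hold. GEO_TABLE and the events in the usage are constructed, and the seal key would come from a KMS or HSM. One caveat stated in the code: an HMAC proves integrity to everyone who holds the key, so for non-repudiation against the key holder itself the seal must be an asymmetric signature.

```python
"""Hash-chained, HMAC-sealed audit log of data events.

Added example, not from the original page. GEO_TABLE, the events and the seal
key are constructed; replace the HMAC with a signature for true non-repudiation.
"""
import hashlib
import hmac
import ipaddress
import json

# Constructed prefix-to-region table standing in for a geolocation service.
GEO_TABLE = {
    "203.0.113.0/24": "EU-West",
    "198.51.100.0/24": "US-East",
}

REQUIRED_ATTRIBUTES = ("timestamp", "identity", "source_ip", "action", "object")
GENESIS = "0" * 64


def geolocate(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for cidr, region in GEO_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return region
    return "unknown"


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so writer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self, seal_key: bytes):
        self._key = seal_key
        self.entries = []

    def record(self, event: dict) -> dict:
        """Enrich with geolocation and the previous seal, then seal the entry."""
        missing = [k for k in REQUIRED_ATTRIBUTES if k not in event]
        if missing:
            raise ValueError(f"event is missing required attributes: {missing}")
        body = dict(event, geolocation=geolocate(event["source_ip"]), prev=self.head())
        seal = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        entry = dict(body, seal=seal)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Seal of the newest entry. Store it somewhere the writer cannot reach
        (ticketing system, WORM bucket): the chain alone cannot detect removal
        of trailing entries."""
        return self.entries[-1]["seal"] if self.entries else GENESIS

    def verify(self) -> int:
        """Index of the first entry that fails, or -1 if the chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "seal"}
            expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if body.get("prev") != prev or not hmac.compare_digest(expected, entry["seal"]):
                return i
            prev = entry["seal"]
        return -1


if __name__ == "__main__":
    log = AuditLog(seal_key=b"demo-seal-key-from-kms")  # constructed key
    log.record({"timestamp": "2024-12-25T15:09:19Z", "identity": "alice@example.com",
                "source_ip": "203.0.113.9", "action": "read", "object": "s3://bucket/pii.csv"})
    log.record({"timestamp": "2024-12-25T15:10:02Z", "identity": "svc-etl",
                "source_ip": "198.51.100.7", "action": "delete", "object": "s3://bucket/pii.csv"})
    print("intact:", log.verify() == -1, "head:", log.head())
    log.entries[0]["identity"] = "mallory"      # tamper with history
    print("first bad entry after tampering:", log.verify())
```

The design choice worth noting is the separation of duties: the writer can append but cannot produce a valid seal for an altered entry, and the externally anchored head seal is what turns the chain into evidence an auditor or court can rely on.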
D3 Cloud Platform and Infrastructure Security
  3.1 Comprehend cloud infrastructure and platform components
    Physical environment
    Network and communications
    Compute
    Virtualization
    Storage
    Management plane
  3.2 Design a secure data center
    Logical design
      tenant partitioning
      access control
    Physical design
      location
      buy or build
    Environmental design
      Heating, Ventilation, and Air Conditioning (HVAC)
      multi-vendor pathway connectivity
    Design resilient
  3.3 Analyze risks associated with cloud infrastructure and platforms
    Risk assessment
      identification
      analysis
    Cloud vulnerabilities, threats and attacks
    Risk mitigation strategies
  3.4 Plan and implementation of security controls
    Physical and environmental protection
      on-premises
    System, storage and communication protection
    Identification, authentication and authorization in cloud environments
    Audit mechanisms
      log collection
      correlation
      packet capture
  3.5 Plan business continuity (BC) and disaster recovery (DR)
    Business continuity (BC) / disaster recovery (DR) strategy
    Business requirements
      Recovery Time Objective (RTO)
      Recovery Point Objective (RPO)
      recovery service level
    Creation, implementation and testing of plan
D4 Cloud Application Security
  4.1 Advocate training and awareness for application security
    Cloud development basics
    Common pitfalls
    Common cloud vulnerabilities
      Open Web Application Security Project (OWASP) Top-10
      SANS Top-25 (most dangerous software errors)
  4.2 Describe the Secure Software Development Life Cycle (SDLC) process
    Business requirements
    Phases and methodologies
      design
      code
      test
      maintain
      waterfall vs. agile
  4.3 Apply the Secure Software Development Life Cycle (SDLC)
    Cloud-specific risks
    Threat modeling
      Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE)
      Damage, Reproducibility, Exploitability, Affected Users, and Discoverability (DREAD)
      Architecture, Threats, Attack Surfaces, and Mitigations (ATASM)
      Process for Attack Simulation and Threat Analysis (PASTA)
    Avoid common vulnerabilities during development
    Secure coding
      Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS)
      Software Assurance Forum for Excellence in Code (SAFECode)
    Software configuration management and versioning
  4.4 Apply cloud software assurance and validation
    Functional and non-functional testing
    Security testing methodologies
      black-box
      white-box
      static
      dynamic
      Software Composition Analysis (SCA)
      interactive application security testing (IAST)
    Quality assurance (QA)
    Abuse case testing
  4.5 Use verified secure software
    Securing application programming interfaces (API)
    Supply-chain management
      vendor assessment
    Third-party software management
      licensing
    Validated open-source software
  4.6 Comprehend the specifics of cloud application architecture
    Supplemental security components
      web application firewall (WAF)
      Database Activity Monitoring (DAM)
      Extensible Markup Language (XML) firewalls
      application programming interface (API) gateway
    Cryptography
    Sandboxing
    Application virtualization and orchestration
      microservices
      containers
  4.7 Design appropriate identity and access management (IAM) solutions
    Federated identity
    Identity providers (IdP)
    Single sign-on (SSO)
    Multi-factor authentication (MFA)
    Cloud access security broker (CASB)
    Secrets management
D5 Cloud Security Operations
  5.1 Build and implement physical and logical infrastructure for cloud environment
    Hardware specific security configuration requirements
      hardware security module (HSM)
      Trusted Platform Module (TPM)
    Installation and configuration of management tools
    Virtual hardware specific security configuration requirements
      network
      storage
      memory
      central processing unit (CPU)
      Hypervisor type 1 and 2
    Installation of guest operating system (OS) virtualization toolsets
  5.2 Operate and maintain physical and logical infrastructure for cloud environment
    Access controls for local and remote access
      Remote Desktop Protocol (RDP)
      secure terminal access
      Secure Shell (SSH)
      console-based access mechanisms
      jumpboxes
      virtual client
    Secure network configuration
      virtual local area networks (VLAN)
      Transport Layer Security (TLS)
      Dynamic Host Configuration Protocol (DHCP)
      Domain Name System Security Extensions (DNSSEC)
      virtual private network (VPN)
    Network security controls
      firewalls
      intrusion detection systems (IDS)
      intrusion prevention systems (IPS)
      honeypots
      vulnerability assessments
      network security groups
      bastion host
    Operating system (OS) hardening through the application of baselines, monitoring and remediation
      Windows
      Linux
      VMware
    Patch management
    Infrastructure as Code (IaC) strategy
    Availability of clustered hosts
      distributed resource scheduling
      dynamic optimization
      storage clusters
      maintenance mode
      high availability (HA)
    Availability of guest operating system (OS)
    Performance and capacity monitoring
      network
      compute
      storage
      response time
    Hardware monitoring
      disk
      central processing unit (CPU)
      fan speed
      temperature
    Configuration of host and guest operating system (OS) backup and restore functions
    Management plane
      scheduling
      orchestration
      maintenance
  5.3 Implement operational controls and standards (e.g., Information Technology Infrastructure Library (ITIL), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000-1)
    Change management
    Continuity management
    Information security management
    Continual service improvement management
    Incident management
    Problem management
    Release management
    Deployment management
    Configuration management
    Service level management
    Availability management
    Capacity management
  5.4 Support digital forensics
    Forensic data collection methodologies
    Evidence management
    Collect, acquire, and preserve digital evidence
  5.5 Manage communication with relevant parties
    Vendors
    Customers
    Partners
    Regulators
    Other stakeholders
  5.6 Manage security operations
    Security operations center (SOC)
    Intelligent monitoring of security controls
      firewalls
      intrusion detection systems (IDS)
      intrusion prevention systems (IPS)
      honeypots
      network security groups
      artificial intelligence (AI)
    Log capture and analysis
      security information and event management (SIEM)
      log management
    Incident management
    Vulnerability assessments
D6 Legal, Risk and Compliance
  6.1 Articulate legal requirements and unique risks within the cloud environment
    Conflicting international legislation
    Evaluation of legal risks specific to cloud computing
    Legal framework and guidelines
    eDiscovery
      International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27050
      Cloud Security Alliance (CSA) Guidance
    Forensics requirements
  6.2 Understand privacy issues
    Difference between contractual and regulated private data
      protected health information (PHI)
      personally identifiable information (PII)
    Country-specific legislation related to private data
      protected health information (PHI)
      personally identifiable information (PII)
    Jurisdictional differences in data privacy
    Standard privacy requirements
      International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27018
      Generally Accepted Privacy Principles (GAPP)
      General Data Protection Regulation (GDPR)
    Privacy Impact Assessments (PIA)
  6.3 Understand audit process, methodologies, and required adaptations for a cloud environment
    Internal and external audit controls
    Impact of audit requirements
    Identify assurance challenges of virtualization and cloud
    Types of audit reports
      Statement on Standards for Attestation Engagements (SSAE)
      Service Organization Control (SOC)
      International Standard on Assurance Engagements (ISAE)
    Restrictions of audit scope statements
      Statement on Standards for Attestation Engagements (SSAE)
      International Standard on Assurance Engagements (ISAE)
    Gap analysis
      control analysis
      baselines
    Audit planning
    Internal information security management system
    Internal information security controls system
    Policies
      organizational
      functional
      cloud computing
    Identification and involvement of relevant stakeholders
    Specialized compliance requirements for highly-regulated industries
      North American Electric Reliability Corporation / Critical Infrastructure Protection (NERC / CIP)
      Health Insurance Portability and Accountability Act (HIPAA)
      Health Information Technology for Economic and Clinical Health (HITECH) Act
      Payment Card Industry (PCI)
    Impact of distributed information technology (IT) model
      diverse geographical locations
      crossing over legal jurisdictions
  6.4 Understand implications of cloud to enterprise risk management
    Assess providers risk management programs
      controls
      methodologies
      policies
      risk profile
      risk appetite
    Difference between data owner/controller vs. data custodian/processor
    Regulatory transparency requirements
      breach notification
      Sarbanes-Oxley (SOX)
      General Data Protection Regulation (GDPR)
    Risk treatment
      avoid
      mitigate
      transfer
      share
      acceptance
    Different risk frameworks
    Metrics for risk management
    Assessment of risk environment
      service
      vendor
      infrastructure
      business
  6.5 Understand outsourcing and cloud contract design
    Business requirements
      service-level agreement (SLA)
      master service agreement (MSA)
      statement of work (SOW)
    Vendor management
      vendor assessments
      vendor lock-in risks
      vendor viability
      escrow
    Contract management
      right to audit
      metrics
      definitions
      termination
      litigation
      assurance
      compliance
      access to cloud/data
      cyber risk insurance
    Supply-chain management
      International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27036