CLOUD CONTROLS MATRIX VERSION 4.0

Columns: Control Title | Control ID | Updated Control Specification

Audit & Assurance - A&A

Control Title: Audit and Assurance Policy and Procedures
Control ID: A&A-01
Updated Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain audit and assurance policies and procedures and standards. Review and update the policies and procedures at least annually.

Control Title: Independent Assessments
Control ID: A&A-02
Updated Control Specification: Conduct independent audit and assurance assessments according to relevant standards at least annually.

Control Title: Risk Based Planning Assessment
Control ID: A&A-03
Updated Control Specification: Perform independent audit and assurance assessments according to risk-based plans and policies.

Control Title: Requirements Compliance
Control ID: A&A-04
Updated Control Specification: Verify compliance with all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit.

Control Title: Audit Management Process
Control ID: A&A-05
Updated Control Specification: Define and implement an Audit Management process to support audit planning, risk analysis, security control assessment, conclusion, remediation schedules, report generation, and review of past reports and supporting evidence.

Control Title: Remediation
Control ID: A&A-06
Updated Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan to remediate audit findings; review and report remediation status to relevant stakeholders.

Application & Interface Security - AIS

Control Title: Application and Interface Security Policy and Procedures
Control ID: AIS-01
Updated Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for application security to provide guidance to the appropriate planning, delivery and support of the organization's application security capabilities. Review and update the policies and procedures at least annually.

Control Title: Application Security Baseline Requirements
Control ID: AIS-02
Updated Control Specification: Establish, document and maintain baseline requirements for securing different applications.

Control Title: Application Security Metrics
Control ID: AIS-03
Updated Control Specification: Define and implement technical and operational metrics in alignment with business objectives, security requirements, and compliance obligations.

Control Title: Secure Application Design and Development
Control ID: AIS-04
Updated Control Specification: Define and implement a SDLC process for application design, development, de...