Post title: [Open-source translation project] Compliance implications of migrating to the public cloud
Posted on: 2012-02-02 13:38
Site administrator

Below is the side-by-side original text and translation of Chapter 4, Section 2 of the open-source translation project "Guidelines on Security and Privacy in Public Cloud Computing (SP800-144)" (http://bbs.cisps.org/viewtopic.php?f=128&t=29613). Thanks to odyssey for the diligent and excellent translation work. Please review the translation and suggest revisions; I will award security coins to those who propose changes.

4.2 Compliance

4.2 Compliance

Compliance refers to an organization’s responsibility to operate in agreement with established laws, regulations, standards, and specifications. Various types of security and privacy laws and regulations exist within different countries at the national, state, and local levels, making compliance a potentially complicated issue for cloud computing. For example, at the end of 2010, the National Conference of State Legislatures reported that forty-six states have enacted legislation governing disclosure of security breaches of personal information, and that at least twenty-nine states have enacted laws governing the disposal of personal data held by businesses and/or government.

Compliance refers to an organization's responsibility to maintain consistency with established laws, regulations, standards and specifications in its operations. Within different countries there exist various types of security and privacy laws and regulations at the national, state and local levels, which makes compliance a potentially complicated issue for cloud computing. For example, at the end of 2010 the National Conference of State Legislatures reported that 46 states had enacted regulations governing the disclosure of personal-information security incidents, and that at least 29 states had enacted laws governing the disposal of personal data held by businesses and/or government.

Law and Regulations.
For U.S. Federal agencies, the major security and privacy compliance concerns include the Clinger-Cohen Act of 1996, the Office of Management and Budget (OMB) Circular No. A-130, particularly Appendix III, the Privacy Act of 1974, the E-Government Act of 2002 and its accompanying OMB guidance, and the Federal Information Security Management Act (FISMA) of 2002. Also of importance are National Archives and Records Administration (NARA) statutes, including the Federal Records Act (44 U.S.C. Chapters 21, 29, 31, 33) and NARA regulations (Title 36 of the Code of Federal Regulations, Chapter XII, Subchapter B).

Laws and regulations
The security and privacy compliance concerns of primary interest to U.S. federal agencies include: the Clinger-Cohen Act enacted in 1996; Office of Management and Budget (OMB) Circular No. A-130, in particular the content of Appendix 3; the Privacy Act enacted in 1974; the E-Government Act enacted in 2002 together with the accompanying OMB guidance; and the Federal Information Security Management Act (FISMA) of late 2002. Also important are the statutes of the National Archives and Records Administration (NARA), including the Federal Records Act (Title 44 of the United States Code, Chapters 21, 29, 31 and 33) and the NARA regulations (Title 36 of the Code of Federal Regulations, Chapter 13, Subchapter B).

The Clinger-Cohen Act assigns responsibilities for the efficiency, security, and privacy of computer systems within the federal government and establishes a comprehensive approach for executive agencies to improve the acquisition and management of their information resources. As part of OMB’s responsibilities under the Clinger-Cohen act, various circulars have been issued. Circular A-130 establishes policy for the management of Federal information resources, including procedural and analytic guidelines for implementing specific aspects of these policies. Appendix III of A-130 requires that adequate security is provided for all agency information that is collected, processed, transmitted, stored, or disseminated in general support systems and major applications.

The Clinger-Cohen Act assigns responsibility for the efficiency, security and privacy of the federal government's computer systems, and establishes a comprehensive and thorough approach for executive agencies to improve their acquisition and management of information resources. As part of OMB's responsibilities under the Clinger-Cohen Act, various circulars have been issued. Circular No. A-130 establishes policy for the management of federal information resources, including procedural and analytical guidance for implementing specific aspects of these policies. Appendix 3 of Circular A-130 requires that adequate security be ensured for all agency information collected, processed, transmitted, stored or disseminated in general support systems and major applications.

The Privacy Act governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies and can be retrieved by a personal identifier (e.g., name). It requires each agency to publish notice of its systems of records (i.e., a system of records notice (SORN)) in the Federal Register and to allow individuals to request access to and correction of their records and information. The E-Government Act of 2002, among other things, requires federal agencies to complete a Privacy Impact Assessment (PIA) on all new or substantially changed technology that collects, maintains, or disseminates PII, and to make the results publicly available. M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, provides direction to agencies on conducting PIAs. A PIA is a structured review of an information system to identify and mitigate privacy risks, including risks to confidentiality, at every stage of the system lifecycle. It can also serve as a tool for individuals working on a program or accessing a system to understand how to best integrate privacy protections when working with PII.

The Privacy Act governs the collection, maintenance, use and dissemination of personal information that is maintained in federal agencies' systems of records and can be retrieved by personally identifying information (for example, a name). The Act requires each agency to publish a notice of its system of records in the Federal Register, and to allow individuals to request access to and correction of their records and information. Among other things, the E-Government Act of 2002 requires federal agencies to complete a Privacy Impact Assessment (PIA) on all new or substantially changed technology used to collect, maintain or disseminate personally identifiable information (PII), and to make the results available to the public. The OMB guidance for implementing the privacy provisions of the E-Government Act of 2002, section M-03-22, provides direction for agencies carrying out PIAs. A PIA is a structured review in which an information system identifies and mitigates privacy risks, including confidentiality risks at every stage of the information system's lifecycle. It also serves as a tool for individuals working on a project or evaluating a system, so that they understand how best to integrate privacy protections when the work involves PII.

FISMA requires federal agencies to adequately protect their information and information systems against unauthorized access, use, disclosure, disruption, modification, or destruction [HR2458]. That mandate includes protecting information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. That is, any external provider handling federal information or operating information systems on behalf of the federal government must meet the same security requirements as the source federal agency. The security requirements also apply to external subsystems storing, processing, or transmitting federal information and any services provided by, or associated with, the subsystem.

FISMA requires federal agencies to adequately protect their information and information systems against unauthorized access, use, disclosure, disruption, modification or destruction. This mandate includes protecting information systems used or operated by an agency, by an agency's contractor, or by another organization acting on the agency's behalf. That is to say, any external service provider that handles federal agency information or operates information systems on behalf of the federal government must meet the same security requirements as the federal agency itself. The security requirements also apply to external subsystems that store, process or transmit federal information, as well as to the services provided or the related subsystems.

Under the Federal Records Act and NARA regulations, agencies are responsible for managing federal records effectively throughout their lifecycle, including records in electronic information systems and in contracted environments. If a contractor holds federal records, the contractor must manage them in accordance with all applicable records management laws and regulations. Managing the records includes secure storage, retrievability, and proper disposition, including transfer of permanently valuable records to NARA in an acceptable format [Fer10].

Under the Federal Records Act and the NARA regulations, agencies are responsible for effectively managing federal records throughout their entire lifecycle, including records in electronic information systems and in contracted environments. If a contractor holds federal records, the contractor must manage those records in a manner consistent with all applicable records-management laws and regulations. Managing these records includes secure storage, retrievability and proper disposition, including permanently transferring valuable records to NARA in an acceptable format.

Other government and industry-association requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS), may apply to a particular organization. For example, the Veterans Health Administration falls under HIPAA regulations for private and public health care facilities, which apply to both employees and contractors [DVA]. HIPAA requires both technical and physical safeguards for controlling access to protected health information, which may create compliance issues for some cloud providers.

Other government and industry-related requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS), can also apply to particular organizations. For example, the Veterans Health Administration falls under the HIPAA regulations for private and public health care facilities, which also apply to employers and contractors. HIPAA requires both technical and physical safeguards for controlling access to protected health information, which also creates compliance difficulties for some cloud service providers.

Cloud providers are becoming more sensitive to legal and regulatory concerns, and may be willing to commit to store and process data in specific jurisdictions and apply required safeguards for security and privacy. However, the degree to which they will accept liability in their service agreements, for exposure of content under their control, remains to be seen. Even so, organizations are ultimately accountable for the security and privacy of data held by a cloud provider on their behalf.

Cloud service providers are becoming more sensitive to legal and regulatory concerns, and may be willing to commit to storing and processing data within specified jurisdictions and to applying the required safeguards for security and privacy. However, the degree of liability that providers will accept in their service agreements for exposure of content under their control is still visible. Even so, organizations are ultimately responsible for the security and privacy of data held by cloud service providers on their behalf.

Data Location. One of the most common compliance issues facing an organization is data location [Bin09, Kan09, Ove10]. Use of an in-house computing center allows an organization to structure its computing environment and to know in detail where data is stored and what safeguards are used to protect the data. In contrast, a characteristic of many cloud computing services is that data is stored redundantly in multiple physical locations and detailed information about the location of an organization’s data is unavailable or not disclosed to the service consumer. This situation makes it difficult to ascertain whether sufficient safeguards are in place and whether legal and regulatory compliance requirements are being met. For example, NARA regulations (i.e., 36 CFR 1234) include facility requirements for the storage of federal records and stipulate a minimum height above and distance away from a flood plain. External audits and security certifications can alleviate this issue to some extent, but they are not a panacea [Mag10].

Data location
One of the most common compliance issues an organization faces is where its data is stored. Using a self-built cloud computing center allows an organization to build its own computing environment and to know in detail where data is stored and what safeguards are used to protect it. By comparison, one characteristic of many cloud computing services is that data is stored redundantly in multiple physical locations, and detailed information about where an organization's data is stored is unavailable or not disclosed to the consumer. This situation makes it very difficult to determine whether adequate safeguards are in place and whether legal and regulatory compliance requirements are being met. For example, the NARA regulations include requirements for facilities that store federal records and expressly stipulate a minimum height above and distance away from flood plains. External audits and security certifications can alleviate this problem to some extent, but they are not a panacea.

When information crosses borders, the governing legal, privacy, and regulatory regimes can be ambiguous and raise a variety of concerns (e.g., [CBC04, Wei11]). Consequently, constraints on the transborder flow of sensitive data, as well as the requirements on the protection afforded the data, have become the subject of national and regional privacy and security laws and regulations [Eis05].

When information crosses borders, the governing laws, privacy and regulatory regimes can become ambiguous and raise a variety of anxieties. Consequently, restrictions on the transborder flow of sensitive data, together with the protection requirements that can be afforded the data, have become the subject of national and regional privacy and security laws and regulations.

The main compliance concerns with transborder data flows include whether the laws in the jurisdiction where the data was collected permit the flow, whether those laws continue to apply to the data post transfer, and whether the laws at the destination present additional risks or benefits [Eis05]. Technical, physical and administrative safeguards, such as access controls, often apply. For example, European data protection laws may impose additional obligations on the handling and processing of data transferred to the U.S. [DoC00]. These concerns can be alleviated if the cloud provider has some reliable means to ensure that an organization’s data is stored and processed only within specific jurisdictions.

The main compliance concerns for transborder data flows include whether the laws of the jurisdiction in which the data was collected permit the information flow, whether those laws continue to apply to the data after transfer, and whether the laws at the destination bring additional risks or benefits. Technical, physical and administrative safeguards, such as access control, are often applied. For example, European data protection laws may impose additional handling obligations on data transferred to the United States. These anxieties can be eased if the cloud service provider has some reliable means of ensuring that the organization's data is stored and processed only within specific jurisdictions.

Electronic Discovery. Electronic discovery involves the identification, collection, processing, analysis, and production of Electronically Stored Information (ESI) in the discovery phase of litigation [Daw05]. Organizations also have other incentives and obligations to preserve and produce electronic documents, such as complying with audit and regulatory information requests, and for government organizations, complying with Freedom of Information Act (FOIA) requests. ESI includes not only electronic mail, attachments, and other data objects stored on a computer system or storage media, but also any associated metadata, such as dates of object creation or modification, and non-rendered file content (i.e., data that is not explicitly displayed for consumers).

Electronic discovery
Electronic discovery involves the identification, collection, processing, analysis and production of Electronically Stored Information (ESI) in the discovery phase of litigation. Organizations can also have other incentives and responsibilities to preserve and produce electronic documents, for example complying with audit and regulatory information requests and, for organizational governance, complying with Freedom of Information Act (FOIA) requests. ESI includes not only electronic mail, attachments and other data objects already stored on computer systems or storage media, but also any associated raw data, such as the dates an object was created or modified, and unrelated file content (for example, data that is not explicitly displayed to customers).

The capabilities and processes of a cloud provider, such as the form in which data is maintained and the electronic discovery-related tools available, affect the ability of the organization to meet its obligations in a cost effective, timely, and compliant manner [Mcd10]. For example, a cloud provider’s archival capabilities may not preserve the original metadata as expected, causing spoliation (i.e., the intentional, reckless, or negligent destruction, loss, material alteration, or obstruction of evidence that is relevant to litigation), which could negatively impact litigation. The cloud provider’s electronic discovery capabilities and processes must not compromise the privacy or security of the data and applications of the organization in satisfying the discovery obligations of other cloud consumers, and vice versa.

A cloud service provider's capabilities and processes, such as the manner in which data is maintained and the electronic-discovery-related tools available, affect an organization's ability to meet its obligations in an economical, timely and compliant manner. For example, a cloud service provider's archiving capability may not preserve the original data as expected, causing damage (for example, the intentional, careless or negligent destruction, loss or alteration of material, or obstruction of evidence relevant to litigation), which could negatively affect the litigation. A cloud service provider's electronic discovery capabilities and processes must not endanger the privacy or security of an organization's data and applications when satisfying the discovery obligations of other cloud customers, and vice versa.


Post title: Re: [Open-source translation project] Compliance implications of migrating to the public cloud
Posted on: 2012-02-03 08:31
Site administrator

Quote:
4.2 Compliance

Compliance refers to an organization’s responsibility to operate in agreement with established laws, regulations, standards, and specifications. Various types of security and privacy laws and regulations exist within different countries at the national, state, and local levels, making compliance a potentially complicated issue for cloud computing. For example, at the end of 2010, the National Conference of State Legislatures reported that forty-six states have enacted legislation governing disclosure of security breaches of personal information, and that at least twenty-nine states have enacted laws governing the disposal of personal data held by businesses and/or government.


4.2 Compliance

Compliance refers to an organization's responsibility to conform, in its operations, to established laws, regulations, standards and specifications. In different countries, regions and localities there are all kinds of laws and regulations on security and personal privacy, which may create complex compliance problems for cloud computing. For example, at the end of 2010 a report by the National Conference of State Legislatures showed that 46 states had implemented laws regulating the disclosure of personal-information security incidents, and at least 29 states had implemented laws regulating the disposal of personal information by companies and government.




Post title: Re: [Open-source translation project] Compliance implications of migrating to the public cloud
Posted on: 2012-02-03 20:27
Site administrator

Quote:
Law and Regulations. For U.S. Federal agencies, the major security and privacy compliance concerns include the Clinger-Cohen Act of 1996, the Office of Management and Budget (OMB) Circular No. A-130, particularly Appendix III, the Privacy Act of 1974, the E-Government Act of 2002 and its accompanying OMB guidance, and the Federal Information Security Management Act (FISMA) of 2002. Also of importance are National Archives and Records Administration (NARA) statutes, including the Federal Records Act (44 U.S.C. Chapters 21, 29, 31, 33) and NARA regulations (Title 36 of the Code of Federal Regulations, Chapter XII, Subchapter B).


Laws and regulations. For U.S. federal agencies, the main security and privacy compliance considerations include the Clinger-Cohen Act of 1996; Office of Management and Budget (OMB) Circular A-130, in particular its Appendix III; the Privacy Act of 1974; the E-Government Act of 2002 and its related OMB guidance; and the Federal Information Security Management Act of 2002 (FISMA). Also important are the regulations of the National Archives and Records Administration (NARA), including the Federal Records Act (Title 44 of the U.S. Code, Sections 21, 29, 31 and 33) and NARA's regulations (Title 36 of the Code of Federal Regulations, Section 7, Subsection B).




Post title: Re: [Open-source translation project] Compliance implications of migrating to the public cloud
Posted on: 2012-02-03 23:36
Top-level user



Last edited by odyssey on 2012-02-03 23:40, edited 1 time in total

Post title: Re: [Open-source translation project] Compliance implications of migrating to the public cloud
Posted on: 2012-02-03 23:37
Top-level user



Post title: Re: [Open-source translation project] Compliance implications of migrating to the public cloud
Posted on: 2012-02-04 10:14
Site administrator

The Clinger-Cohen Act assigns responsibilities for the efficiency, security, and privacy of computer systems within the federal government and establishes a comprehensive approach for executive agencies to improve the acquisition and management of their information resources. As part of OMB’s responsibilities under the Clinger-Cohen act, various circulars have been issued. Circular A-130 establishes policy for the management of Federal information resources, including procedural and analytic guidelines for implementing specific aspects of these policies. Appendix III of A-130 requires that adequate security is provided for all agency information that is collected, processed, transmitted, stored, or disseminated in general support systems and major applications.

The Clinger-Cohen Act sets out the responsibilities for the efficiency, security and privacy of federal government computer systems, and establishes a comprehensive set of methods for executive agencies to improve their acquisition and management of information resources. As part of the responsibilities laid down by the Clinger-Cohen Act, OMB has issued various departmental circulars. Circular A-130 establishes policy for the management of federal information resources, including procedural and analytical guidance for implementing specific parts of these policies. Appendix III of A-130 requires agencies to provide adequate security for all information collected, processed, transmitted, stored or disseminated in their general support systems and core applications.




Post title: Re: [Open-source translation project] Compliance implications of migrating to the public cloud
Posted on: 2012-02-04 12:05
Site administrator

The Privacy Act governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies and can be retrieved by a personal identifier (e.g., name). It requires each agency to publish notice of its systems of records (i.e., a system of records notice (SORN)) in the Federal Register and to allow individuals to request access to and correction of their records and information. The E-Government Act of 2002, among other things, requires federal agencies to complete a Privacy Impact Assessment (PIA) on all new or substantially changed technology that collects, maintains, or disseminates PII, and to make the results publicly available. M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, provides direction to agencies on conducting PIAs. A PIA is a structured review of an information system to identify and mitigate privacy risks, including risks to confidentiality, at every stage of the system lifecycle. It can also serve as a tool for individuals working on a program or accessing a system to understand how to best integrate privacy protections when working with PII.

The Privacy Act regulates the collection, maintenance, use and dissemination of personal information that is maintained in federal agencies' systems of records and can be retrieved by a personal identifier (such as a name). It requires each agency to publish its system of records notice (SORN) in the Federal Register, and to allow individuals to access and request correction of their related records and information. The E-Government Act of 2002 and related laws require federal agencies to complete a Privacy Impact Assessment (PIA) for all new or significantly updated technology systems that collect, maintain or disseminate PII, and to make it public. OMB's guidance on implementing the privacy provisions of the E-Government Act of 2002, M-03-22, provides direction for agencies conducting PIAs. A PIA is a structured review of an information system to identify and guard against privacy risks, including confidentiality risks at all stages of the system lifecycle. It can also serve as a tool for individuals working on a project or accessing a system, to understand the best privacy-protection approach when doing PII-related work.


Post title: Re: [Open-source translation project] Compliance implications of migrating to the public cloud
Posted on: 2012-02-05 14:18
Intermediate user

phrack wrote:
The Clinger-Cohen Act assigns responsibilities for the efficiency, security, and privacy of computer systems within the federal government and establishes a comprehensive approach for executive agencies to improve the acquisition and management of their information resources.
The Clinger-Cohen Act sets out the responsibilities for the efficiency, security and privacy of federal government computer systems, and establishes a comprehensive set of methods for executive agencies to improve their acquisition and management of information resources. As part of the responsibilities laid down by the Clinger-Cohen Act, OMB has issued various departmental circulars.


"The Clinger-Cohen Act assigns responsibility for the efficiency, security and privacy of the federal government's computer systems, and establishes a comprehensive and thorough approach for executive agencies to improve their acquisition and management of information resources." -odyssey

Could this sentence be translated as follows:

Option 1: The Clinger-Cohen Act sets out (/implements) the maintenance responsibilities (of the various departments/agencies) for the efficiency, security and privacy of computer systems across the federal government.

Option 2: The Clinger-Cohen Act allocates the (maintenance) responsibilities for the efficiency, security and privacy of computer systems across the federal government.

This Act is mainly about assigning responsibility to the federal government's departments and agencies, and laying down norms or rules for the efficiency, security and privacy of computer systems, as with the circulars that OMB subsequently issued.




Post title: Re: [Open-source translation project] Compliance implications of migrating to the public cloud
Posted on: 2012-02-08 16:34
Junior user

May I copy these translations and post them on my company's forum? Does that count as commercial use? These translations are really good!


Post title: Re: [Open-source translation project] Compliance implications of migrating to the public cloud
Posted on: 2012-02-08 16:47
Site administrator

SecCA wrote:
May I copy these translations and post them on my company's forum? Does that count as commercial use? These translations are really good!


Personally I think that as long as it is not used directly for profit (such as publishing) and the source is credited, it should be fine. We translate this material in the hope that it helps everyone. That said, I don't know what the other translators think; we can discuss it here, so that the copyright question can be addressed in the future formal translation drafts.




Post title: Re: [Open-source translation project] Compliance implications of migrating to the public cloud
Posted on: 2012-02-08 17:07
Top-level user

I agree with the moderator's view. The copyright of these articles belongs to NIST and the authors anyway, and everyone is taking part as a volunteer. Crediting the source when quoting and not using them for commercial purposes should be fine. To be on the safe side, though, I suggest the moderator post, or add to this thread, a dedicated disclaimer: everyone is translating voluntarily for study and discussion only, and the copyright of both the original text and the translations belongs to NIST. Any legal problems arising from someone using them for commercial purposes without authorization are the full responsibility of the commercial beneficiary and have nothing to do with this forum or the translation volunteers.




华安信达(CISPS.org) ©2003 - 2012