Post title: [Open-source translation project] Summary of security and privacy recommendations for migrating to the public cloud
Posted: 2012-02-12 08:20
Author: webmaster
Below is the original text of Chapter 4, Section 10 of the open-source translation project "Guidelines on Security and Privacy in Public Cloud Computing (SP800-144)" (http://bbs.cisps.org/viewtopic.php?f=128&t=29613). Please submit your translations by replying to this thread. You do not need to submit the whole translation at once; submitting paragraph by paragraph is fine. Try to translate the parts for which nobody has submitted a translation yet. I will give translators a generous reward of security coins.

Quote:
4.10 Summary of Recommendations
A number of significant security and privacy issues were covered in the previous subsections. Table 1 summarizes those issues and related recommendations for organizations to follow when planning, reviewing, negotiating, or initiating a public cloud service outsourcing arrangement.

Governance
Extend organizational practices pertaining to the policies, procedures, and standards used for application development and service provisioning in the cloud, as well as the design, implementation, testing, use, and monitoring of deployed or engaged services.

Put in place audit mechanisms and tools to ensure organizational practices are followed throughout the system lifecycle.

Compliance
Understand the various types of laws and regulations that impose security and privacy obligations on the organization and potentially impact cloud computing initiatives, particularly those involving data location, privacy and security controls, records management, and electronic discovery requirements.

Review and assess the cloud provider’s offerings with respect to the organizational requirements to be met and ensure that the contract terms adequately meet the requirements.

Ensure that the cloud provider’s electronic discovery capabilities and processes do not compromise the privacy or security of data and applications.

Trust
Ensure that service arrangements have sufficient means to allow visibility into the security and privacy controls and processes employed by the cloud provider, and their performance over time.

Establish clear, exclusive ownership rights over data.

Institute a risk management program that is flexible enough to adapt to the constantly evolving and shifting risk landscape for the lifecycle of the system.

Continuously monitor the security state of the information system to support on-going risk management decisions.

Architecture
Understand the underlying technologies that the cloud provider uses to provision services, including the implications that the technical controls involved have on the security and privacy of the system, over the full system lifecycle and across all system components.

Identity and Access Management
Ensure that adequate safeguards are in place to secure authentication, authorization, and other identity and access management functions, and are suitable for the organization.

Software Isolation
Understand virtualization and other logical isolation techniques that the cloud provider employs in its multi-tenant software architecture, and assess the risks involved for the organization.

Data Protection
Evaluate the suitability of the cloud provider’s data management solutions for the organizational data concerned and the ability to control access to data, to secure data while at rest, in transit, and in use, and to sanitize data.

Take into consideration the risk of collating organizational data with that of other organizations whose threat profiles are high or whose data collectively represent significant concentrated value.

Fully understand and weigh the risks involved in cryptographic key management with the facilities available in the cloud environment and the processes established by the cloud provider.

Availability
Understand the contract provisions and procedures for availability, data backup and recovery, and disaster recovery, and ensure that they meet the organization’s continuity and contingency planning requirements.

Ensure that during an intermediate or prolonged disruption or a serious disaster, critical operations can be immediately resumed, and that all operations can be eventually reinstituted in a timely and organized manner.

Incident Response
Understand the contract provisions and procedures for incident response and ensure that they meet the requirements of the organization.

Ensure that the cloud provider has a transparent response process in place and sufficient mechanisms to share information during and after an incident.

Ensure that the organization can respond to incidents in a coordinated fashion with the cloud provider in accordance with their respective roles and responsibilities for the computing environment.


Post title: Re: [Open-source translation project] Summary of security and privacy recommendations for migrating to the public cloud
Posted: 2012-02-21 08:33
Author: webmaster
4.10 Summary of Recommendations

Translation: 4.10 Summary of Recommendations

A number of significant security and privacy issues were covered in the previous subsections. Table 1 summarizes those issues and related recommendations for organizations to follow when planning, reviewing, negotiating, or initiating a public cloud service outsourcing arrangement.

Translation: The preceding subsections outlined a number of important security and privacy issues. Table 1 summarizes these issues and sets out the recommendations organizations should follow when planning, reviewing, negotiating, or initiating a public cloud service outsourcing arrangement.

Governance
Extend organizational practices pertaining to the policies, procedures, and standards used for application development and service provisioning in the cloud, as well as the design, implementation, testing, use, and monitoring of deployed or engaged services.

Translation: Governance
Extend the organization's management practices to the policies, procedures, and standards concerning application development and service provisioning in the cloud environment, as well as to the design, implementation, testing, and monitoring of the services concerned.

Put in place audit mechanisms and tools to ensure organizational practices are followed throughout the system lifecycle.

Translation: Adopt audit mechanisms and tools to ensure that the organization's management practices are carried through the entire system lifecycle.


Post title: Re: [Open-source translation project] Summary of security and privacy recommendations for migrating to the public cloud
Posted: 2012-02-21 09:12
Author: webmaster
Compliance
Understand the various types of laws and regulations that impose security and privacy obligations on the organization and potentially impact cloud computing initiatives, particularly those involving data location, privacy and security controls, records management, and electronic discovery requirements.

Translation: Compliance
Review and assess the cloud provider’s offerings with respect to the organizational requirements to be met and ensure that the contract terms adequately meet the requirements.

Translation: Review and assess whether the products and services offered by the cloud provider can meet the organization's relevant requirements, and ensure that the contract terms adequately satisfy those requirements.

Ensure that the cloud provider’s electronic discovery capabilities and processes do not compromise the privacy or security of data and applications.

Translation: Ensure that the cloud provider's electronic discovery mechanisms and methods do not endanger the privacy and security of data and applications.

Trust
Ensure that service arrangements have sufficient means to allow visibility into the security and privacy controls and processes employed by the cloud provider, and their performance over time.

Translation: Trust
Ensure that the service arrangement includes sufficient means to gain clear insight into the security and privacy controls and methods deployed by the cloud provider, and to keep track of their performance over time.

Establish clear, exclusive ownership rights over data.

Translation: Establish clear ownership rights over data.

Institute a risk management program that is flexible enough to adapt to the constantly evolving and shifting risk landscape for the lifecycle of the system.

Translation: Establish a risk management program flexible enough to adapt to the continuously evolving risk landscape over the system lifecycle.

Continuously monitor the security state of the information system to support on-going risk management decisions.

Translation: Continuously monitor the security state of the information system to support ongoing risk management decisions.


Post title: Re: [Open-source translation project] Summary of security and privacy recommendations for migrating to the public cloud
Posted: 2012-02-21 10:24
Author: webmaster
Architecture
Understand the underlying technologies that the cloud provider uses to provision services, including the implications that the technical controls involved have on the security and privacy of the system, over the full system lifecycle and across all system components.

Translation: Architecture
Understand the underlying technologies the cloud provider uses to deliver services, including the impact of the security- and privacy-related technical controls across the entire system lifecycle and all system components.

Identity and Access Management
Ensure that adequate safeguards are in place to secure authentication, authorization, and other identity and access management functions, and are suitable for the organization.

Translation: Identity and Access Management
Ensure that adequate safeguards are in place to protect authentication, authorization, and other identity and service management functions, and that they are suitable for the organization.


Post title: Re: [Open-source translation project] Summary of security and privacy recommendations for migrating to the public cloud
Posted: 2012-02-22 09:08
Author: webmaster
Software Isolation
Understand virtualization and other logical isolation techniques that the cloud provider employs in its multi-tenant software architecture, and assess the risks involved for the organization.

Translation: Software Isolation
Understand the virtualization and other logical isolation techniques the cloud provider deploys in its multi-tenant software architecture, and assess the related risks to the organization.

Data Protection
Evaluate the suitability of the cloud provider’s data management solutions for the organizational data concerned and the ability to control access to data, to secure data while at rest, in transit, and in use, and to sanitize data.

Translation: Data Protection
Evaluate whether the cloud provider's data management solutions are suitable for the data that matters to the organization, along with its ability to control access to data, to protect data in storage, in transit, and in use, and to properly dispose of data taken out of use.

Take into consideration the risk of collating organizational data with that of other organizations whose threat profiles are high or whose data collectively represent significant concentrated value.

Translation: Consider the risk that may arise from co-locating the organization's data with that of other organizations whose threat profiles are high or whose data has high aggregate value.

Fully understand and weigh the risks involved in cryptographic key management with the facilities available in the cloud environment and the processes established by the cloud provider.

Translation: Fully understand and weigh the risks that may exist in the key management facilities offered in the cloud environment and in the related processes established by the cloud provider.


Post title: Re: [Open-source translation project] Summary of security and privacy recommendations for migrating to the public cloud
Posted: 2012-02-24 08:16
Author: intermediate user
Quote:
Availability
Understand the contract provisions and procedures for availability, data backup and recovery, and disaster recovery, and ensure that they meet the organization’s continuity and contingency planning requirements.

Ensure that during an intermediate or prolonged disruption or a serious disaster, critical operations can be immediately resumed, and that all operations can be eventually reinstituted in a timely and organized manner.


Translation: Availability
Understand the contract provisions for data backup and recovery and disaster recovery, and the availability of the procedures. Ensure that they can meet the organization's continuity and contingency planning requirements. Ensure that during a serious disaster or after a prolonged disruption, critical operations can be resumed immediately, and that all of the organization's operations can eventually be returned to normal in a timely manner.


Post title: Re: [Open-source translation project] Summary of security and privacy recommendations for migrating to the public cloud
Posted: 2012-02-24 08:27
Author: intermediate user
Quote:
Incident Response
Understand the contract provisions and procedures for incident response and ensure that they meet the requirements of the organization.

Ensure that the cloud provider has a transparent response process in place and sufficient mechanisms to share information during and after an incident.

Ensure that the organization can respond to incidents in a coordinated fashion with the cloud provider in accordance with their respective roles and responsibilities for the computing environment.




Translation: Incident Response
Understand the contract provisions for incident response so that the organization's requirements can be met. Ensure that the cloud service provider has a transparent response process and sound mechanisms for sharing information during and after an incident. Ensure that the organization can coordinate its incident response with the cloud service provider, with each responsible for the computing environment according to its respective role.


Post title: Re: [Open-source translation project] Summary of security and privacy recommendations for migrating to the public cloud
Posted: 2013-03-15 16:01
Author: junior user
This section is only one sentence short; let me fill it in:
Compliance
Translation: Compliance

Understand the various types of laws and regulations that impose security and privacy obligations on the organization and potentially impact cloud computing initiatives, particularly those involving data location, privacy and security controls, records management, and electronic discovery requirements.

Translation: Understand the various laws and regulations that impose security and privacy obligations on the organization and that may potentially affect cloud computing, particularly those laws and regulations concerning data location, privacy and security controls, records management, and electronic evidence requirements.


华安信达(CISPS.org) ©2003 - 2012