云控制矩阵 4.0（中英版） 中文翻译版说明 本文由云安全联盟大中华区（CSA GCR）CCM4.0翻译专家组对《Cloud Controls Matrix v4》进行翻译审校。 翻译审校工作专家（以下排名按字母先后排序） 陈皓 顾伟 高轶峰 胡友杰 苏泰泉 沈勇 王永霞 于新元 赵锐 ©2021云安全联盟大中华区–保留所有权利。 你可以在你的电脑上下载、储存、展示、查看及打印，或者访问云安全联盟大中华区官网（https://www.c-csa.cn）。但必须遵守以下条件：（a）本文仅可用作个人、信息获取，非商业用途； （b）不得以任何方式篡改本文内容； （c）本文不得转发； （d）该商标、版权或其他声明不得删除。 在遵循中华人民共和国著作权法相关条款情况下合理使用本文内容，使用时请注明引用于云安全联盟大中华区。 CLOUD CONTROLS MATRIX VERSION 4.0 云控制矩阵 4.0 Control Title 控制措施Control ID 控制编号Updated Control Specification 更新的控制措施规范 Audit & Assurance - A&A 审计&保障 Audit and Assurance Policy and Procedures 审计与保障的策略及规程A&A-01Establish, document, approve, communicate, apply, evaluate and maintain audit and assurance policies and procedures and standards. Review and update the policies and procedures at least annually. 建立、记录、批准、沟通、应用、评估和维护审计和保障策略、规程和标准。至少每年一次审查和更新公司的策略和规程。 Independent Assessments 独立评估A&A-02Conduct independent audit and assurance assessments according to relevant standards at least annually. 每年至少一次，根据相关标准进行独立审计和保障评估 Risk Based Planning Assessment 基于风险规划评估A&A-03Perform independent audit and assurance assessments according to risk-based plans and policies. 根据基于风险的计划和策略执行独立的审计和保证评估 Requirements Compliance 符合性需求A&A-04Verify compliance with all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit. 验证符合所有适用于审计的相关标准、法规、法律/合同和法定要求 Audit Management Process 审计管理过程A&A-05Define and implement an Audit Management process to support audit planning, risk analysis, security control assessment, conclusion, remediation schedules, report generation, and review of past reports and supporting evidence. 定义和实施审计管理过程，以支持审计计划、风险分析、安全控制评估、结论、补救计划、报告生成，以及对过去报告和相关证据的审查。 Remediation 补救A&A-06Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan to remediate audit findings, review and report remediation status to relevant stakeholders. 建立、记录、批准、沟通、应用、评估和维护基于风险的纠正行动计划，以修正审计发现，审查并向相关利益相关者报告修正状况。 Application & Interface Security - AIS 应用程序和接口安全 Application and Interface Security Policy and Procedures 应用和接口安全策略和规程AIS-01Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for application security to provide guidance to the appropriate planning, delivery and support of the organization's application security capabilities. Review and update the policies and procedures at least annually. 建立、记录、批准、沟通、申请、评估和维护应用程序安全策略和规程，为组织的应用程序安全能力的适当规划、交付和支持提供指导。每年至少一次审查和更新公司的策略和规 程。 Application Security Baseline Requirements 应用程序安全基线需求AIS-02Establish, document and maintain baseline requirements for securing different applications. 建立、记录和维护保护不同应用程序的基线要求。 Application Security Metrics 应用程序安全指标AIS-03Define and implement technical and operational metrics in alignment with business objectives, security requirements, and compliance obligations. 根据业务目标、安全需求和合规义务， 定义和实施技术和运行的指标。 Secure Application Design and Development 应用程序安全设计和开发AIS-04Define and implement a SDLC process for application design, development, deployment, and operation in accordance with security requirements defined by the organization. 根据组织定义的安全需求，定义并实现应用程序设计、开发、部署和运行的SDLC过程 Automated Application Security Testing 自动应用程序安全测试AIS-05Implement a testing strategy, including criteria for acceptance of new information systems, upgrades and new versions, which provides application security assurance and maintains compliance while enabling organizational speed of delivery goals. Automate when applicable and possible. 实现一个测试战略，包括新的信息系统、升级和新版本的接受准则，这提供了应用程序的安全保障，并在实现组织交付速度目标的同时保持遵从性。在适用和可能的情况下，自动 化。 Automated Secure Application Deployment 自动应用程序安全部署AIS-06Establish and implement strategies and capabilities for secure, standardized, and compliant application deployment. Automate where possible. 为安全、标准化和兼容的应用程序部署建立和实施战略和能力。尽可能自动化。 ©2021 云安全联盟大中华区-版权所有 第 2 页 官网：WWW.C-CSA.CN 邮箱：[email protected] 公众号：CSAGCR