2024云控制矩陣4.0（中英版 Audit&Assurance-A&A審計&AuditandAssurancePolicyandEstablish,document,approve,communicate,apply,evaluateandmaintainauditandassurancepoliciesandproceduresandstandards.Reviewandupdatethepoliciesandproceduresatleastannually.ConductindependentauditandassuranceassessmentsaccordingtorelevantstandardsatleastRiskBasedPlanningPerformindependentauditandassuranceassessmentsaccordingtorisk-basedplansandDefineandimplementanAuditManagementprocesstosupportauditplanning,riskanalysis,securitycontrolassessment,conclusion,remediationschedules,reportgeneration,andreviewofpastreportsandsupportingevidence.Establish,document,approve,communicate,apply,evaluateandmaintainarisk-basedcorrectiveactionplantoremediateauditfindings,reviewandreportremediationstatustorelevantstakeholders.ApplicationandInterfaceSecurityPolicyandEstablish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresforapplicationsecuritytoprovideguidancetotheappropriateplanning,deliveryandsupportoftheorganization'sapplicationsecuritycapabilities.Reviewandupdatethepoliciesandproceduresatleastannually.Establish,documentandmaintainbaselinerequirementsforsecuringdifferentDefineandimplementtechnicalandoperationalmetricsinalignmentwithbusinessobjectives,securityrequirements,andcomplianceSecureApplicationDesignandDefineandimplementaSDLCprocessforapplicationdesign,development,deployment,andoperationinaccordancewithsecurityrequirementsdefinedbytheImplementatestingstrategy,includingcriteriaforacceptanceofnewinformationsystems,upgradesandnewversions,whichprovidesapplicationsecurityassuranceandmaintainscompliancewhileenablingorganizationalspeedofdeliverygoals.Automatewhenapplicableandpossible.Establishandimplementstrategiesandcapabilitiesforsecure,standardized,andcompliantapplicationdeployment.AutomatewhereDefineandimplementaprocesstoremediateapplicationsecurityvulnerabilities,automatingremediationwhen-BusinessContinuityManagementPolicyandEstablish,document,approve,communicate,apply,evaluateandmaintainbusinesscontinuitymanagementandoperationalresiliencepoliciesandprocedures.Reviewandupdatethepoliciesandproceduresatleastannually.RiskAssessmentandImpactDeterminetheimpactofbusinessdisruptionsandriskstoestablishcriteriafordevelopingbusinesscontinuityandoperationalresiliencestrategiesandEstablishstrategiestoreducetheimpactof,withstand,andrecoverfrombusinessdisruptionswithinriskEstablish,document,approve,communicate,apply,evaluateandmaintainabusinesscontinuityplanbasedontheresultsoftheoperationalresiliencestrategiesandDevelop,identify,andacquiredocumentationthatisrelevanttosupportthebusinesscontinuityandoperationalresilienceprograms.Makethedocumentationavailabletoauthorizedstakeholdersandreviewperiodically.ExerciseandtestbusinesscontinuityandoperationalresilienceplansatleastannuallyoruponsignificantEstablishcommunicationwithstakeholdersandparticipantsinthecourseofbusinesscontinuityandresiliencePeriodicallybackupdatastoredinthecloud.Ensuretheconfidentiality,integrityandavailabilityofthebackup,andverifydatarestorationfrombackupforDisasterResponseEstablish,document,approve,communicate,apply,evaluateandmaintainadisasterresponseplantorecoverfromnaturalandman-madedisasters.Updatetheplanatleastannuallyoruponsignificantchanges.ResponsePlanExercisethedisasterresponseplanannuallyoruponsignificantchanges,includingifpossiblelocalemergency-Establish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresformanagingtherisksassociatedwithapplyingchangestoorganizationassets,includingapplication,systems,infrastructure,configuration,etc.,regardlessofwhethertheassetsaremanagedinternallyorexternally(i.e.,outsourced).Reviewandupdatethepoliciesandproceduresatleastannually.（即外包）Followadefinedqualitychangecontrol,approvalandtestingprocesswithestablishedbaselines,testing,andreleaseManagetherisksassociatedwithapplyingchangestoorganizationassets,includingapplication,systems,infrastructure,configuration,etc.,regardlessofwhethertheassetsaremanagedinternallyorexternally(i.e.,outsourced).ChangeIncludeprovisionslimitingchangesdirectlyimpactingCSCsownedenvironments/tenantstoexplicitlyauthorizedrequestswithinservicelevelagreementsbetweenCSPsandDetectionofBaselineImplementdetectionmeasureswithproactivenotificationincaseofchangesdeviatingfromtheestablishedImplementaprocedureforthemanagementofexceptions,includingemergencies,inthechangeandconfigurationprocess.AligntheprocedurewiththerequirementsofGRC-04:PolicyExceptionProcess.DefineandimplementaprocesstoproactivelyrollbackchangestoapreviousknowngoodstateincaseoferrorsorsecurityEncryptionandKeyManagementPolicyandEstablish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresforCryptography,EncryptionandKeyManagement.Reviewandupdatethepoliciesandproceduresatleastannually.CEKRolesandDefineandimplementcryptographic,encryptionandkeymanagementrolesandDataProvidecryptographicprotectiontodataat-restandin-transit,usingcryptographiclibrariescertifiedtoapprovedUseencryptionalgorithmsthatareappropriatefordataprotection,consideringtheclassificationofdata,associatedrisks,andusabilityoftheencryptionEstablishastandardchangemanagementprocedure,toaccommodatechangesfrominternalandexternalsources,forreview,approval,implementationandcommunicationofcryptographic,encryptionandkeymanagementtechnologychanges.EncryptionChangeCostBenefitManageandadoptchangestocryptography-,encryption-,andkeymanagement-relatedsystems(includingpoliciesandprocedures)thatfullyaccountfordownstreameffectsofproposedchanges,includingresidualrisk,cost,andbenefitsanalysis.EncryptionRiskEstablishandmaintainanencryptionandkeymanagementriskprogramthatincludesprovisionsforriskassessment,risktreatment,riskcontext,monitoring,andCSCKeyManagementCapabiilityCSPsmustprovidethecapabilityforCSCstomanagetheirowndataencryptionAuditencryptionandkeymanagementsystems,policies,andprocesseswithafrequencythatisproportionaltotheriskexposureofthesystemwithauditoccurringpreferablycontinuouslybutatleastannuallyandafteranysecurityevent(s).KeyGenerateCryptographickeysusingindustryacceptedcryptographiclibrariesspecifyingthealgorithmstrengthandtherandomnumbergeneratorKeyManagecryptographicsecretandprivatekeysthatareprovisionedforauniqueKeyRotatecryptographickeysinaccordancewiththecalculatedcryptoperiod,whichincludesprovisionsforconsideringtheriskofinformationdisclosureandlegalandregulatoryKeyDefine,implementandevaluateprocesses,proceduresandtechnicalmeasurestorevokeandremovecryptographickeyspriortotheendofitsestablishedcryptoperiod,whenakeyiscompromised,oranentityisnolongerpartoftheorganization,whichincludeprovisionsforlegalandregulatoryrequirements.KeyDefine,implementandevaluateprocesses,proceduresandtechnicalmeasurestodestroykeysstoredoutsideasecureenvironmentandrevokekeysstoredinHardwareSecurityModules(HSMs)whentheyarenolongerneeded,whichincludeprovisionsforlegalandregulatoryrequirements.KeyDefine,implementandevaluateprocesses,proceduresandtechnicalmeasurestocreatekeysinapre-activatedstatewhentheyhavebeengeneratedbutnotauthorizedforuse,whichincludeprovisionsforlegalandregulatoryrequirements.KeyDefine,implementandevaluateprocesses,proceduresandtechnicalmeasurestomonitor,reviewandapprovekeytransitionsfromanystateto/fromsuspension,whichincludeprovisionsforlegalandregulatoryrequirements.KeyDefine,implementandevaluateprocesses,proceduresandtechnicalmeasurestodeactivatekeysatthetimeoftheirexpirationdate,whichincludeprovisionsforlegalandregulatoryrequirements.KeyDefine,implementandevaluateprocesses,proceduresandtechnicalmeasurestomanagearchivedkeysinasecurerepositoryrequiringleastprivilegeaccess,whichincludeprovisionsforlegalandregulatoryrequirements.KeyDefine,implementandevaluateprocesses,proceduresandtechnicalmeasurestousecompromisedkeystoencryptinformationonlyincontrolledcircumstance,andthereafterexclusivelyfordecryptingdataandneverforencryptingdata,whichincludeprovisionsforlegalandregulatoryrequirements.KeyDefine,implementandevaluateprocesses,proceduresandtechnicalmeasurestoassesstherisktooperationalcontinuityversustheriskofthekeyingmaterialandtheinformationitprotectsbeingexposedifcontrolofthekeyingmaterialislost,whichincludeprovisionsforlegalandregulatoryrequirements.Define,implementandevaluateprocesses,proceduresandtechnicalmeasuresinorderforthekeymanagementsystemtotrackandreportallcryptographicmaterialsandchangesinstatus,whichincludeprovisionsforlegalandregulatoryrequirements.DatacenterSecurity-DCSOff-SiteEquipmentDisposalPolicyandEstablish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresforthesecuredisposalofequipmentusedoutsidetheorganization'spremises.Iftheequipmentisnotphysicallydestroyedadatadestructionprocedurethatrendersrecoveryofinformationimpossiblemustbeapplied.Reviewandupdatethepoliciesandproceduresatleastannually.Off-SiteTransferAuthorizationPolicyandEstablish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresfortherelocationortransferofhardware,software,ordata/informationtoanoffsiteoralternatelocation.Therelocationortransferrequestrequiresthewrittenorcryptographicallyverifiableauthorization.Reviewandupdatethepoliciesandproceduresatleastannually.SecureAreaPolicyandEstablish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresformaintainingasafeandsecureworkingenvironmentinoffices,rooms,andfacilities.Reviewandupdatethepoliciesandproceduresatleastannually.SecureMediaTransportationPolicyandEstablish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresforthesecuretransportationofphysicalmedia.Reviewandupdatethepoliciesandproceduresatleastannually.AssetsClassifyanddocumentthephysical,andlogicalassets(e.g.,applications)basedontheorganizationalbusinessAssetsCataloguingandCatalogueandtrackallrelevantphysicalandlogicalassetslocatedatalloftheCSP'ssiteswithinasecuredControlledAccessImplementphysicalsecurityperimeterstosafeguardpersonnel,data,andinformationsystems.Establishphysicalsecurityperimetersbetweentheadministrativeandbusinessareasandthedatastorageandprocessingfacilitiesareas.UseequipmentidentificationasamethodforconnectionSecureAreaAllowonlyauthorizedpersonnelaccesstosecureareas,withallingressandegresspointsrestricted,documented,andmonitoredbyphysicalaccesscontrolmechanisms.Retainaccesscontrolrecordsonaperiodicbasisasdeemedappropriatebytheorganization.Implement,maintain,andoperatedatacentersurveillancesystemsattheexternalperimeterandatalltheingressandegresspointstodetectunauthorizedingressandegressTraindatacenterpersonneltorespondtounauthorizedingressoregressDefine,implementandevaluateprocesses,proceduresandtechnicalmeasuresthatensurearisk-basedprotectionofpowerandtelecommunicationcablesfromathreatofinterception,interferenceordamageatallfacilities,officesandrooms.Implementandmaintaindatacenterenvironmentalcontrolsystemsthatmonitor,maintainandtestforcontinualeffectivenessthetemperatureandhumidityconditionswithinacceptedindustrystandards.SecureSecure,monitor,maintain,andtestutilitiesservicesforcontinualeffectivenessatplannedKeepbusiness-criticalequipmentawayfromlocationssubjecttohighprobabilityforenvironmentalriskSecurityandPrivacyPolicyandEstablish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresfortheclassification,protectionandhandlingofdatathroughoutitslifecycle,andaccordingtoallapplicablelawsandregulations,standards,andrisklevel.Reviewandupdatethepoliciesandproceduresatleastannually.SecureApplyindustryacceptedmethodsforthesecuredisposalofdatafromstoragemediasuchthatdataisnotrecoverablebyanyforensicDataCreateandmaintainadatainventory,atleastforanysensitivedataandpersonalDataClassifydataaccordingtoitstypeandsensitivityDataFlowCreatedataflowdocumentationtoidentifywhatdataisprocessed,storedortransmittedwhere.Reviewdataflowdocumentationatdefinedintervals,atleastannually,andafteranychange.DataOwnershipandDocumentownershipandstewardshipofallrelevantdocumentedpersonalandsensitivedata.PerformreviewatleastDataProtectionbyDesignandDevelopsystems,products,andbusinesspracticesbaseduponaprincipleofsecuritybydesignandindustrybestDataPrivacybyDesignandDevelopsystems,products,andbusinesspracticesbaseduponaprincipleofprivacybydesignandindustrybestpractices.Ensurethatsystems'privacysettingsareconfiguredbydefault,accordingtoallapplicablelawsandregulations.DataProtectionImpactConductaDataProtectionImpactAssessment(DPIA)toevaluatetheorigin,nature,particularityandseverityoftherisksupontheprocessingofpersonaldata,accordingtoanyapplicablelaws,regulationsandindustrybestpractices.SensitiveDataDefine,implementandevaluateprocesses,proceduresandtechnicalmeasuresthatensureanytransferofpersonalorsensitivedataisprotectedfromunauthorizedaccessandonlyprocessedwithinscopeaspermittedbytherespectivelawsandregulations.PersonalDataAccess,Reversal,RectificationandDefineandimplement,processes,proceduresandtechnicalmeasurestoenabledatasubjectstorequestaccessto,modification,ordeletionoftheirpersonaldata,accordingtoanyapplicablelawsandregulations.LimitationofPurposeinPersonalDataDefine,implementandevaluateprocesses,proceduresandtechnicalmeasurestoensurethatpersonaldataisprocessedaccordingtoanyapplicablelawsandregulationsandforthepurposesdeclaredtothedatasubject.Define,implementandevaluateprocesses,proceduresandtechnicalmeasuresforthetransferandsub-processingofpersonaldatawithintheservicesupplychain,accordingtoanyapplicablelawsandregulations.DisclosureofDataSub-Define,implementandevaluateprocesses,proceduresandtechnicalmeasurestodisclosethedetailsofanypersonalorsensitivedataaccessbysub-processorstothedataownerpriortoinitiationofthatprocessing.LimitationofProductionDataObtainauthorizationfromdataowners,andmanageassociatedriskbeforereplicatingorusingproductiondatainnon-productionDataRetentionandDataretention,archivinganddeletionismanagedinaccordancewithbusinessrequirements,applicablelawsandDefineandimplement,processes,proceduresandtechnicalmeasurestoprotectsensitivedatathroughoutit'sDisclosureTheCSPmusthaveinplace,anddescribetoCSCstheproceduretomanageandrespondtorequestsfordisclosureofPersonalDatabyLawEnforcementAuthoritiesaccordingtoapplicablelawsandregulations.TheCSPmustgivespecialattentiontothenotificationproceduretointerestedCSCs,unlessotherwiseprohibited,suchasaprohibitionundercriminallawtopreserveconfidentialityofalawenforcementinvestigation.DataDefineandimplement,processes,proceduresandtechnicalmeasurestospecifyanddocumentthephysicallocationsofdata,includinganylocationsinwhichdataisprocessedorbackedup.Governance,RiskandComplianceGRCGovernanceProgramPolicyandEstablish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresforaninformationgovernanceprogram,whichissponsoredbytheleadershipoftheorganization.Reviewandupdatethepoliciesandproceduresatleastannually.RiskManagementEstablishaformal,documented,andleadership-sponsoredEnterpriseRiskManagement(ERM)programthatincludespoliciesandproceduresforidentification,evaluation,ownership,treatment,andacceptanceofcloudsecurityandprivacyrisks.ReviewallrelevantorganizationalpoliciesandassociatedproceduresatleastannuallyorwhenasubstantialchangeoccurswithintheEstablishandfollowanapprovedexceptionprocessasmandatedbythegovernanceprogramwheneveradeviationfromanestablishedpolicyDevelopandimplementanInformationSecurityProgram,whichincludesprogramsforalltherelevantdomainsoftheDefineanddocumentrolesandresponsibilitiesforplanning,implementing,operating,assessing,andimprovinggovernanceSpecialInterestEstablishandmaintaincontactwithcloud-relatedspecialinterestgroupsandotherrelevantentitiesinlinewithbusinessHumanResourcesHRSBackgroundScreeningPolicyandEstablish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresforbackgroundverificationofallnewemployees(includingbutnotlimitedtoremoteemployees,contractors,andthirdparties)accordingtolocallaws,regulations,ethics,andcontractualconstraintsandproportionaltothedataclassificationtobeaccessed,thebusinessrequirements,andacceptablerisk.Reviewandupdatethepoliciesandproceduresatleastannually.AcceptableUseofTechnologyPolicyandEstablish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresfordefiningallowancesandconditionsfortheacceptableuseoforganizationally-ownedormanagedassets.Reviewandupdatethepoliciesandproceduresatleastannually.CleanDeskPolicyandEstablish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresthatrequireunattendedworkspacestonothaveopenlyvisibleconfidentialdata.Reviewandupdatethepoliciesandproceduresatleastannually.RemoteandHomeWorkingPolicyandEstablish,document,approve,communicate,apply,evaluateandmaintainpoliciesandprocedurestoprotectinformationaccessed,processedorstoredatremotesitesandlocations.Reviewandupdatethepoliciesandproceduresatleastannually.AssetEstablishanddocumentproceduresforthereturnoforganization-ownedassetsbyterminatedEstablish,document,andcommunicatetoallpersonneltheproceduresoutliningtherolesandresponsibilitiesconcerningchangesinEmployeessigntheemployeeagreementpriortobeinggrantedaccesstoorganizationalinformationsystems,resourcesandTheorganizationincludeswithintheemploymentagreementsprovisionsand/ortermsforadherencetoestablishedinformationgovernanceandsecurityPersonnelRolesandDocumentandcommunicaterolesandresponsibilitiesofemployees,astheyrelatetoinformationassetsandIdentify,document,andreview,atplannedintervals,requirementsfornon-disclosure/confidentialityagreementsreflectingtheorganization'sneedsfortheprotectionofdataandoperationaldetails.Establish,document,approve,communicate,apply,evaluateandmaintainasecurityawarenesstrainingprogramforallemployeesoftheorganizationandprovideregulartrainingupdates.PersonalandSensitiveDataAwarenessandProvideallemployeeswithaccesstosensitiveorganizationalandpersonaldatawithappropriatesecurityawarenesstrainingandregularupdatesinorganizationalprocedures,processes,andpoliciesrelatingtotheirprofessionalfunctionrelativetotheorganization.ComplianceUserMakeemployeesawareoftheirrolesandresponsibilitiesformaintainingawarenessandcompliancewithestablishedpoliciesandproceduresandapplicablelegal,statutory,orregulatorycomplianceobligations.IdentityandAccessManagementPolicyandEstablish,document,approve,communicate,implement,apply,evaluateandmaintainpoliciesandproceduresforidentityandaccessmanagement.Reviewandupdatethepoliciesandproceduresatleastannually.StrongPasswordPolicyandEstablish,document,approve,communicate,implement,apply,evaluateandmaintainstrongpasswordpoliciesandprocedures.Reviewandupdatethepoliciesandproceduresatleastannually.Manage,store,andreviewtheinformationofsystemidentities,andlevelofSeparationofEmploytheseparationofdutiesprinciplewhenimplementinginformationsystemLeastEmploytheleastprivilegeprinciplewhenimplementinginformationsystemUserAccessDefineandimplementauseraccessprovisioningprocesswhichauthorizes,records,andcommunicatesaccesschangestodataandUserAccessChangesandDe-provisionorrespectivelymodifyaccessofmovers/leaversorsystemidentitychangesinatimelymannerinordertoeffectivelyadoptandcommunicateidentityandaccessmanagementpolicies.UserAccessReviewandrevalidateuseraccessforleastprivilegeandseparationofdutieswithafrequencythatiscommensuratewithorganizationalriskSegregationofPrivilegedAccessDefine,implementandevaluateprocesses,proceduresandtechnicalmeasuresforthesegregationofprivilegedaccessrolessuchthatadministrativeaccesstodata,encryptionandkeymanagementcapabilitiesandloggingcapabilitiesaredistinctandseparated.ManagementofPrivilegedAccessDefineandimplementanaccessprocesstoensureprivilegedaccessrolesandrightsaregrantedforatimelimitedperiod,andimplementprocedurestopreventtheculminationofsegregatedprivilegedaccess.CSCsApprovalforAgreedPrivilegedAccessDefine,implementandevaluateprocessesandproceduresforcustomerstoparticipate,whereapplicable,inthegrantingofaccessforagreed,highrisk(asdefinedbytheorganizationalriskassessment)privilegedaccessroles.SafeguardLogsDefine,implementandevaluateprocesses,proceduresandtechnicalmeasurestoensurethelogginginfrastructureisread-onlyforallwithwriteaccess,includingprivilegedaccessroles,andthattheabilitytodisableitiscontrolledthroughaprocedurethatensuresthesegregationofdutiesandbreakglassprocedures.Define,implementandevaluateprocesses,proceduresandtechnicalmeasuresthatensureusersareidentifiablethroughuniqueIDsorwhichcanassociateindividualstotheusageofuserIDs.StrongDefine,implementandevaluateprocesses,proceduresandtechnicalmeasuresforauthenticatingaccesstosystems,applicationanddataassets,includingmultifactorauthenticationforatleastprivilegeduserandsensitivedataaccess.Adoptdigitalcertificatesoralternativeswhichachieveanequivalentlevelofsecurityforsystemidentities.PasswordsDefine,implementandevaluateprocesses,proceduresandtechnicalmeasuresforthesecuremanagementofDefine,implementandevaluateprocesses,proceduresandtechnicalmeasurestoverifyaccesstodataandsystemfunctionsisInformationprocessingInformation/Dataexchange,usage,portability,integrity,andpersistenceReviewandupdatethepoliciesandproceduresatleastannually.Provideapplicationinterface(s)toCSCssothattheyprogrammaticallyretrievetheirdatatoenableinteroperabilityandImplementcryptographicallysecureandstandardizednetworkprotocolsforthemanagement,importandexportofAgreementsmustincludeprovisionsspecifyingCSCsaccesstodatauponcontractterminationandwillDataLengthoftimethedatawillbeScopeofthedataretainedandmadeavailabletotheDatadeletionInfrastructureandVirtualizationSecurityPolicyandEstablish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresforinfrastructureandvirtualizationsecurity.Reviewandupdatethepoliciesandproceduresatleastannually.CapacityandResourcePlanandmonitortheavailability,quality,andadequatecapacityofresourcesinordertodelivertherequiredsystemperformanceasdeterminedbytheNetworkMonitor,encryptandrestrictcommunicationsbetweenenvironmentstoonlyauthenticatedandauthorizedconnections,asjustifiedbythebusiness.Reviewtheseconfigurationsatleastannually,andsupportthembyadocumentedjustificationofallallowedservices,protocols,ports,andcompensatingcontrols.OSHardeningandBaseHardenhostandguestOS,hypervisororinfrastructurecontrolplaneaccordingtotheirrespectivebestpractices,andsupportedbytechnicalcontrols,aspartofasecurityDesign,develop,deployandconfigureapplicationsandinfrastructuressuchthatCSPandCSC(tenant)useraccessandintra-tenantaccessisappropriatelysegmentedandsegregated,monitoredandrestrictedfromothertenants.MigrationtoCloudUsesecureandencryptedcommunicationchannelswhenmigratingservers,services,applications,ordatatocloudenvironments.Suchchannelsmustincludeonlyup-to-dateandapprovedprotocols.Identifyanddocumenthigh-riskNetworkDefine,implementandevaluateprocesses,proceduresanddefense-in-depthtechniquesforprotection,detection,andtimelyresponsetonetwork-basedLoggingandMonitoring-LOGLoggingandMonitoringPolicyandEstablish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresforloggingandmonitoring.Reviewandupdatethepoliciesandproceduresatleastannually.AuditLogsDefine,implementandevaluateprocesses,proceduresandtechnicalmeasurestoensurethesecurityandretentionofauditIdentifyandmonitorsecurity-relatedeventswithinapplicationsandtheunderlyinginfrastructure.Defineandimplementasystemtogeneratealertstoresponsiblestakeholdersbasedonsucheventsandcorrespondingmetrics.AuditLogsAccessandRestrictauditlogsaccesstoauthorizedpersonnelandmaintainrecordsthatprovideuniqueaccessAuditLogsMonitoringandMonitorsecurityauditlogstodetectactivityoutsideoftypicalorexpectedpatterns.Establishandfollowadefinedprocesstoreviewandtakeappropriateandtimelyactionsondetectedanomalies.ClockUseareliabletimesourceacrossallrelevantinformationprocessingEstablish,documentandimplementwhichinformationmeta/datasystemeventsshouldbelogged.Reviewandupdatethescopeatleastannuallyorwheneverthereisachangeinthethreatenvironment.LogLogTheinformationsystemprotectsauditrecordsfromunauthorizedaccess,modification,andEstablishandmaintainamonitoringandinternalreportingcapabilityovertheoperationsofcryptographic,encryptionandkeymanagementpolicies,processes,procedures,andLogandmonitorkeylifecyclemanagementeventstoenableauditingandreportingonusageofcryptographicAccessControlMonitorandlogphysicalaccessusinganauditableaccesscontrolFailuresandAnomaliesDefine,implementandevaluateprocesses,proceduresandtechnicalmeasuresforthereportingofanomaliesandfailuresofthemonitoringsystemandprovideimmediatenotificationtotheaccountableparty.Establish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresforSecurityIncidentManagement,E-Discovery,andCloudForensics.Reviewandupdatethepoliciesandproceduresatleastannually.Establish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresforthetimelymanagementofsecurityincidents.Reviewandupdatethepoliciesandproceduresatleastannually.,IncidentResponseEstablish,document,approve,communicate,apply,evaluateandmaintainasecurityincidentresponseplan,whichincludesbutisnotlimitedto:relevantinternaldepartments,impactedCSCs,andotherbusinesscriticalrelationships(suchassupply-chain)thatmaybeimpacted.TestandupdateasnecessaryincidentresponseplansatplannedintervalsoruponsignificantorganizationalorenvironmentalchangesforEstablishandmonitorinformationsecurityincidentEventTriageDefine,implementandevaluateprocesses,proceduresandtechnicalmeasuressupportingbusinessprocessestotriagesecurity-relatedDefineandimplement,processes,proceduresandtechnicalmeasuresforsecuritybreachnotifications.Reportsecuritybreachesandassumedsecuritybreachesincludinganyrelevantsupplychainbreaches,asperapplicableSLAs,lawsandregulations.PointsofContactMaintainpointsofcontactforapplicableregulationauthorities,nationalandlocallawenforcement,andotherlegaljurisdictionalSSRMPolicyandEstablish,document,approve,communicate,apply,evaluateandmaintainpoliciesandproceduresfortheapplicationoftheSharedSecurityResponsibilityModel(SSRM)withintheorganization.Reviewandupdatethepoliciesandproceduresatleastannually.Apply,document,implementandmanagetheSSRMthroughoutthesupplychainforthecloudserviceSSRMProvideSSRMGuidancetotheCSCdetailinginformationabouttheSSRMapplicabilitythroughoutthesupplySSRMControlDelineatethesharedownershipandapplicabilityofallCSACCMcontrolsaccordingtotheSSRMforthecloudserviceReviewandvalidateSSRMdocumentationforallcloudservicesofferingstheorganizationSSRMControlImplement,operate,andauditorassesstheportionsoftheSSRMwhichtheorganizationisresponsibleDevel