Cloud Controls Matrix (CCM) V1.2 by CSA
Hello, this is 丸山満彦. The Cloud Security Alliance has released the Cloud Controls Matrix v1.2.
■CSA
・2011.08.26 Cloud Security Alliance Releases Cloud Controls Matrix v1.2
| No. | Control Area | N | Control | Control ID |
|---|---|---|---|---|
| 1 | Compliance | 1 | Audit Planning | CO-01 |
| | | 2 | Independent Audits | CO-02 |
| | | 3 | Third Party Audits | CO-03 |
| | | 4 | Contact / Authority Maintenance | CO-04 |
| | | 5 | Information System Regulatory Mapping | CO-05 |
| | | 6 | Intellectual Property | CO-06 |
| 2 | Data Governance | 7 | Ownership / Stewardship | DG-01 |
| | | 8 | Classification | DG-02 |
| | | 9 | Handling / Labeling / Security Policy | DG-03 |
| | | 10 | Retention Policy | DG-04 |
| | | 11 | Secure Disposal | DG-05 |
| | | 12 | Non-Production Data | DG-06 |
| | | 13 | Information Leakage | DG-07 |
| | | 14 | Risk Assessments | DG-08 |
| 3 | Facility Security | 15 | Policy | FS-01 |
| | | 16 | User Access | FS-02 |
| | | 17 | Controlled Access Points | FS-03 |
| | | 18 | Secure Area Authorization | FS-04 |
| | | 19 | Unauthorized Persons Entry | FS-05 |
| | | 20 | Off-Site Authorization | FS-06 |
| | | 21 | Off-Site Equipment | FS-07 |
| | | 22 | Asset Management | FS-08 |
| 4 | Human Resources Security | 23 | Background Screening | HR-01 |
| | | 24 | Employment Agreements | HR-02 |
| | | 25 | Employment Termination | HR-03 |
| 5 | Information Security | 26 | Management Program | IS-01 |
| | | 27 | Management Support / Involvement | IS-02 |
| | | 28 | Policy | IS-03 |
| | | 29 | Baseline Requirements | IS-04 |
| | | 30 | Policy Reviews | IS-05 |
| | | 31 | Policy Enforcement | IS-06 |
| | | 32 | User Access Policy | IS-07 |
| | | 33 | User Access Restriction / Authorization | IS-08 |
| | | 34 | User Access Revocation | IS-09 |
| | | 35 | User Access Reviews | IS-10 |
| | | 36 | Training / Awareness | IS-11 |
| | | 37 | Industry Knowledge / Benchmarking | IS-12 |
| | | 38 | Roles / Responsibilities | IS-13 |
| | | 39 | Management Oversight | IS-14 |
| | | 40 | Segregation of Duties | IS-15 |
| | | 41 | User Responsibility | IS-16 |
| | | 42 | Workspace | IS-17 |
| | | 43 | Encryption | IS-18 |
| | | 44 | Encryption Key Management | IS-19 |
| | | 45 | Vulnerability / Patch Management | IS-20 |
| | | 46 | Anti-Virus / Malicious Software | IS-21 |
| | | 47 | Incident Management | IS-22 |
| | | 48 | Incident Reporting | IS-23 |
| | | 49 | Incident Response Legal Preparation | IS-24 |
| | | 50 | Incident Response Metrics | IS-25 |
| | | 51 | Acceptable Use | IS-26 |
| | | 52 | Asset Returns | IS-27 |
| | | 53 | eCommerce Transactions | IS-28 |
| | | 54 | Audit Tools Access | IS-29 |
| | | 55 | Diagnostic / Configuration Ports Access | IS-30 |
| | | 56 | Network / Infrastructure Services | IS-31 |
| | | 57 | Portable / Mobile Devices | IS-32 |
| | | 58 | Source Code Access Restriction | IS-33 |
| | | 59 | Utility Programs Access | IS-34 |
| 6 | Legal | 60 | Non-Disclosure Agreements | LG-01 |
| | | 61 | Third Party Agreements | LG-02 |
| 7 | Operations Management | 62 | Policy | OP-01 |
| | | 63 | Documentation | OP-02 |
| | | 64 | Capacity / Resource Planning | OP-03 |
| | | 65 | Equipment Maintenance | OP-04 |
| 8 | Risk Management | 66 | Program | RI-01 |
| | | 67 | Assessments | RI-02 |
| | | 68 | Mitigation / Acceptance | RI-03 |
| | | 69 | Business / Policy Change Impacts | RI-04 |
| | | 70 | Third Party Access | RI-05 |
| 9 | Release Management | 71 | New Development / Acquisition | RM-01 |
| | | 72 | Production Changes | RM-02 |
| | | 73 | Quality Testing | RM-03 |
| | | 74 | Outsourced Development | RM-04 |
| | | 75 | Unauthorized Software Installations | RM-05 |
| 10 | Resiliency | 76 | Management Program | RS-01 |
| | | 77 | Impact Analysis | RS-02 |
| | | 78 | Business Continuity Planning | RS-03 |
| | | 79 | Business Continuity Testing | RS-04 |
| | | 80 | Environmental Risks | RS-05 |
| | | 81 | Equipment Location | RS-06 |
| | | 82 | Equipment Power Failures | RS-07 |
| | | 83 | Power / Telecommunications | RS-08 |
| 11 | Security Architecture | 84 | Customer Access Requirements | SA-01 |
| | | 85 | User ID Credentials | SA-02 |
| | | 86 | Data Security / Integrity | SA-03 |
| | | 87 | Application Security | SA-04 |
| | | 88 | Data Integrity | SA-05 |
| | | 89 | Production / Non-Production Environments | SA-06 |
| | | 90 | Remote User Multi-Factor Authentication | SA-07 |
| | | 91 | Network Security | SA-08 |
| | | 92 | Segmentation | SA-09 |
| | | 93 | Wireless Security | SA-10 |
| | | 94 | Shared Networks | SA-11 |
| | | 95 | Clock Synchronization | SA-12 |
| | | 96 | Equipment Identification | SA-13 |
| | | 97 | Audit Logging / Intrusion Detection | SA-14 |
| | | 98 | Mobile Code | SA-15 |