Secure Controls Framework 2024


The Secure Controls Framework (SCF) is a comprehensive cybersecurity control framework with more than 1,000 control requirements covering privacy, cybersecurity, data protection, business continuity and other domains. The SCF is designed to help organizations satisfy the compliance requirements of multiple laws, regulations and standards at once.

Version: 2024. Coverage status: complete coverage (2478/2478). Controls / scales / total: 1239 / 1239 / 2478. Currently showing: 28 of 1239 controls, 33 categories. The 28 controls below are the Third-Party Management (TPM) domain.

TPM-03.1 Does the organization utilize tailored acquisition strategies, contract tools and procurement methods for the purchase of unique systems, system components or services? (Control)
Third-Party Management / Acquisition Strategies, Tools and Methods

Mechanisms exist to utilize tailored acquisition strategies, contract tools and procurement methods for the purchase of unique systems, system components or services.

TPM-03.4 Does the organization develop and implement a spare parts strategy to ensure an adequate supply of critical components to meet operational needs? (Control)
Third-Party Management / Adequate Supply

Mechanisms exist to develop and implement a spare parts strategy to ensure an adequate supply of critical components to meet operational needs.

TPM-05.7 Does the organization include "break clauses" within contracts for failure to meet contractual criteria for cybersecurity and/or data privacy controls? (Control)
Third-Party Management / Break Clauses

Mechanisms exist to include "break clauses" within contracts for failure to meet contractual criteria for cybersecurity and/or data privacy controls.

TPM-04.3 Does the organization ensure that the interests of external service providers are consistent with and reflect organizational interests? (Control)
Third-Party Management / Conflict of Interests

Mechanisms exist to ensure that the interests of external service providers are consistent with and reflect organizational interests.

TPM-05.2 Does the organization ensure cybersecurity and data privacy requirements are included in contracts that flow-down to applicable sub-contractors and suppliers? (Control)
Third-Party Management / Contract Flow-Down Requirements

Mechanisms exist to ensure cybersecurity and data privacy requirements are included in contracts that flow-down to applicable sub-contractors and suppliers.

TPM-04.2 Does the organization require External Service Providers (ESPs) to identify and document the business need for the ports, protocols and other services they require to operate their processes and technologies? (Control)
Third-Party Management / External Connectivity Requirements - Identification of Ports, Protocols and Services

Mechanisms exist to require External Service Providers (ESPs) to identify and document the business need for the ports, protocols and other services they require to operate their processes and technologies.

TPM-05.6 Does the organization obtain a First-Party Declaration (1PD) from applicable External Service Providers (ESPs) that provides assurance of compliance with specified statutory, regulatory and contractual obligations for cybersecurity and data privacy controls, including any flow-down requirements to subcontractors? (Control)
Third-Party Management / First-Party Declaration (1PD)

Mechanisms exist to obtain a First-Party Declaration (1PD) from applicable External Service Providers (ESPs) that provides assurance of compliance with specified statutory, regulatory and contractual obligations for cybersecurity and data privacy controls, including any flow-down requirements to subcontractors.

TPM-03.2 Does the organization utilize security safeguards to limit harm from potential adversaries who identify and target the organization's supply chain? (Control)
Third-Party Management / Limit Potential Harm

Mechanisms exist to utilize security safeguards to limit harm from potential adversaries who identify and target the organization's supply chain.

TPM-10 Does the organization control changes to services by suppliers, taking into account the criticality of the business information, systems and processes that are in scope for the third-party? (Control)
Third-Party Management / Managing Changes To Third-Party Services

Mechanisms exist to control changes to services by suppliers, taking into account the criticality of the business information, systems and processes that are in scope for the third-party.

TPM-07 Does the organization monitor for evidence of unauthorized exfiltration or disclosure of organizational information? (Control)
Third-Party Management / Monitoring for Third-Party Information Disclosure

Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of organizational information.

TPM-03.3 Does the organization address identified weaknesses or deficiencies in the security of the supply chain? (Control)
Third-Party Management / Processes To Address Weaknesses or Deficiencies

Mechanisms exist to address identified weaknesses or deficiencies in the security of the supply chain.

TPM-05.4 Does the organization document and maintain a Responsible, Accountable, Supportive, Consulted and Informed (RASCI) matrix, or similar documentation, to delineate the assignment of cybersecurity and data privacy controls between internal stakeholders and External Service Providers (ESPs)? (Control)
Third-Party Management / Responsible, Accountable, Supportive, Consulted and Informed (RASCI) Matrix

Mechanisms exist to document and maintain a Responsible, Accountable, Supportive, Consulted and Informed (RASCI) matrix, or similar documentation, to delineate the assignment of cybersecurity and data privacy controls between internal stakeholders and External Service Providers (ESPs).

TPM-08 Does the organization monitor, regularly review and audit External Service Providers (ESPs) for compliance with established contractual requirements for cybersecurity and data privacy controls? (Control)
Third-Party Management / Review of Third-Party Services

Mechanisms exist to monitor, regularly review and audit External Service Providers (ESPs) for compliance with established contractual requirements for cybersecurity and data privacy controls.

TPM-05.1 Does the organization compel External Service Providers (ESPs) to provide notification of actual or potential compromises in the supply chain that can potentially affect or have adversely affected systems, applications and/or services that the organization utilizes? (Control)
Third-Party Management / Security Compromise Notification Agreements

Mechanisms exist to compel External Service Providers (ESPs) to provide notification of actual or potential compromises in the supply chain that can potentially affect or have adversely affected systems, applications and/or services that the organization utilizes.

TPM-03 Does the organization evaluate security risks associated with the services and product supply chain? (Control)
Third-Party Management / Supply Chain Protection

Mechanisms exist to evaluate security risks associated with the services and product supply chain.

TPM-05.8 Does the organization obtain an attestation from an independent Third-Party Assessment Organization (3PAO) that provides assurance of conformity with specified statutory, regulatory and contractual obligations for cybersecurity and data privacy controls, including any flow-down requirements to contractors and subcontractors? (Control)
Third-Party Management / Third-Party Attestation (3PA)

Mechanisms exist to obtain an attestation from an independent Third-Party Assessment Organization (3PAO) that provides assurance of conformity with specified statutory, regulatory and contractual obligations for cybersecurity and data privacy controls, including any flow-down requirements to contractors and subcontractors.

TPM-05.3 Does the organization ensure External Service Providers (ESPs) use unique authentication factors for each of their customers? (Control)
Third-Party Management / Third-Party Authentication Practices

Mechanisms exist to ensure External Service Providers (ESPs) use unique authentication factors for each of their customers.

TPM-05 Does the organization impose contractual requirements for cybersecurity and data privacy on third-parties, reflecting the organization's needs to protect its systems, processes and data? (Control)
Third-Party Management / Third-Party Contract Requirements

Mechanisms exist to impose contractual requirements for cybersecurity and data privacy on third-parties, reflecting the organization's needs to protect its systems, processes and data.

TPM-02 Does the organization identify, prioritize and assess suppliers and partners of critical systems, components and services using a supply chain risk assessment process relative to their importance in supporting the delivery of high-value services? (Control)
Third-Party Management / Third-Party Criticality Assessments

Mechanisms exist to identify, prioritize and assess suppliers and partners of critical systems, components and services using a supply chain risk assessment process relative to their importance in supporting the delivery of high-value services.

TPM-09 Does the organization address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements? (Control)
Third-Party Management / Third-Party Deficiency Remediation

Mechanisms exist to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.

TPM-11 Does the organization ensure response/recovery planning and testing are conducted with critical suppliers/providers? (Control)
Third-Party Management / Third-Party Incident Response and Recovery Capabilities

Mechanisms exist to ensure response/recovery planning and testing are conducted with critical suppliers/providers.

TPM-01.1 Does the organization maintain a current, accurate and complete list of External Service Providers (ESPs) that can potentially impact the Confidentiality, Integrity, Availability and/or Safety (CIAS) of the organization's systems, applications, services and data? (Control)
Third-Party Management / Third-Party Inventories

Mechanisms exist to maintain a current, accurate and complete list of External Service Providers (ESPs) that can potentially impact the Confidentiality, Integrity, Availability and/or Safety (CIAS) of the organization's systems, applications, services and data.

TPM-01 Does the organization facilitate the implementation of third-party management controls? (Control)
Third-Party Management / Third-Party Management

Mechanisms exist to facilitate the implementation of third-party management controls.

TPM-06 Does the organization control personnel security requirements, including security roles and responsibilities, for third-party providers? (Control)
Third-Party Management / Third-Party Personnel Security

Mechanisms exist to control personnel security requirements, including security roles and responsibilities, for third-party providers.

TPM-04.4 Does the organization restrict the location of information processing/storage based on business requirements? (Control)
Third-Party Management / Third-Party Processing, Storage and Service Locations

Mechanisms exist to restrict the location of information processing/storage based on business requirements.

TPM-04.1 Does the organization conduct a risk assessment prior to the acquisition or outsourcing of technology-related services? (Control)
Third-Party Management / Third-Party Risk Assessments and Approvals

Mechanisms exist to conduct a risk assessment prior to the acquisition or outsourcing of technology-related services.

TPM-05.5 Does the organization perform recurring validation of the Responsible, Accountable, Supportive, Consulted and Informed (RASCI) matrix, or similar documentation, to ensure cybersecurity and data privacy control assignments accurately reflect current business practices, compliance obligations, technologies and stakeholders? (Control)
Third-Party Management / Third-Party Scope Review

Mechanisms exist to perform recurring validation of the Responsible, Accountable, Supportive, Consulted and Informed (RASCI) matrix, or similar documentation, to ensure cybersecurity and data privacy control assignments accurately reflect current business practices, compliance obligations, technologies and stakeholders.

TPM-04 Does the organization mitigate the risks associated with third-party access to the organization's systems and data? (Control)
Third-Party Management / Third-Party Services

Mechanisms exist to mitigate the risks associated with third-party access to the organization's systems and data.