CISO Assistant

Secure Controls Framework (SCF) 2024


The Secure Controls Framework (SCF) is a comprehensive cybersecurity control framework containing more than 1,000 control requirements, covering privacy, cybersecurity, data protection, business continuity and other domains. SCF is intended to help organizations meet the compliance requirements of multiple regulations and standards.

Version: 2024 | Coverage status: full coverage (2478/2478) | Controls / scales / total: 1239 / 1239 / 2478 | Currently showing: 15 / 1239 | 33 categories
WEB-04 (Control): Does the organization deploy reasonably-expected security controls to protect the confidentiality and availability of client data that is stored, transmitted or processed by the Internet-based service?
Web Security / Client-Facing Web Services

Mechanisms exist to deploy reasonably-expected security controls to protect the confidentiality and availability of client data that is stored, transmitted or processed by the Internet-based service.

WEB-05 (Control): Does the organization provide individuals with clear and precise information about cookies, in accordance with applicable legal requirements for cookie management?
Web Security / Cookie Management

Mechanisms exist to provide individuals with clear and precise information about cookies, in accordance with applicable legal requirements for cookie management.

WEB-11 (Control): Does the organization ensure output encoding is performed on all content produced by a web application to reduce the likelihood of cross-site scripting and other injection attacks?
Web Security / Output Encoding

Mechanisms exist to ensure output encoding is performed on all content produced by a web application, to reduce the likelihood of cross-site scripting and other injection attacks.

WEB-14 (Control): Does the organization routinely review the content on publicly accessible systems for sensitive/regulated data and remove such information, if discovered?
Web Security / Publicly Accessible Content Reviews

Mechanisms exist to routinely review the content on publicly accessible systems for sensitive/regulated data and to remove such information if it is discovered.

WEB-10 (Control): Does the organization ensure all web application content is delivered using cryptographic mechanisms (e.g., TLS)?
Web Security / Secure Web Traffic

Mechanisms exist to ensure all web application content is delivered using cryptographic mechanisms (e.g., TLS).

WEB-06 (Control): Does the organization implement Strong Customer Authentication (SCA) for consumers to reasonably prove their identity?
Web Security / Strong Customer Authentication (SCA)

Mechanisms exist to implement Strong Customer Authentication (SCA) so that consumers can reasonably prove their identity.

WEB-01.1 (Control): Does the organization prevent unauthorized code from being present in a secure page as it is rendered in a client's browser?
Web Security / Unauthorized Code

Mechanisms exist to prevent unauthorized code from being present in a secure page as it is rendered in a client's browser.

WEB-02 (Control): Does the organization utilize a Demilitarized Zone (DMZ) to restrict inbound traffic to authorized devices on certain services, protocols and ports?
Web Security / Use of Demilitarized Zones (DMZ)

Mechanisms exist to utilize a Demilitarized Zone (DMZ) to restrict inbound traffic to authorized devices on certain services, protocols and ports.

WEB-09 (Control): Does the organization ensure all input handled by a web application is validated and/or sanitized?
Web Security / Validation and Sanitization

Mechanisms exist to ensure all input handled by a web application is validated and/or sanitized.

WEB-03 (Control): Does the organization deploy Web Application Firewalls (WAFs) to provide defense-in-depth protection for application-specific threats?
Web Security / Web Application Firewall (WAF)

Mechanisms exist to deploy Web Application Firewalls (WAFs) to provide defense-in-depth protection against application-specific threats.

WEB-08 (Control): Does the organization ensure a robust Web Application Framework is used to aid in the development of secure web applications, including web services, web resources and web APIs?
Web Security / Web Application Framework

Mechanisms exist to ensure a robust Web Application Framework is used to aid in the development of secure web applications, including web services, web resources and web APIs.

WEB-12 (Control): Does the organization ensure web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users?
Web Security / Web Browser Security

Mechanisms exist to ensure web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users.

WEB-01 (Control): Does the organization facilitate the implementation of an enterprise-wide web management policy, as well as associated standards, controls and procedures?
Web Security / Web Security

Mechanisms exist to facilitate the implementation of an enterprise-wide web management policy, as well as associated standards, controls and procedures.

WEB-07 (Control): Does the organization ensure the Open Web Application Security Project (OWASP) Application Security Verification Standard is incorporated into the organization's Secure Systems Development Lifecycle (SSDLC) process?
Web Security / Web Security Standard

Mechanisms exist to ensure the Open Web Application Security Project (OWASP) Application Security Verification Standard is incorporated into the organization's Secure Systems Development Lifecycle (SSDLC) process.

WEB-13 (Control): Does the organization detect and respond to Indicators of Compromise (IoC) for unauthorized alterations, additions, deletions or changes on websites that store, process and/or transmit sensitive / regulated data?
Web Security / Website Change Detection

Mechanisms exist to detect and respond to Indicators of Compromise (IoC) for unauthorized alterations, additions, deletions or changes on websites that store, process and/or transmit sensitive/regulated data.
