1. Overview
1.1. Introduction
With the rapid growth of cloud computing, more and more enterprises, including financial institutions, choose to migrate their IT infrastructure to the cloud. Security compliance in the cloud has become a major factor to consider when enterprises choose to move to the cloud.
Due to the complexity of security specifications and cloud configuration details, it is difficult for enterprises to set up a comprehensively secure and compliant environment on the cloud that satisfies the applicable compliance requirements. According to "The State of Cloud Security Risk, Compliance, and Misconfigurations" issued by the Cloud Security Alliance in September 2021, more than 60% of the surveyed enterprises believe that the main cause of network security incidents is their lack of knowledge and expertise in cloud security and compliance. Therefore, we hope to assist different types of enterprises in creating secure and compliant cloud environments through "Security Compliance Consulting and Implementation Services", thus improving their confidence in cloud security.
These services provide customers with consulting and implementation support based on the international security compliance requirements that apply to them.
Alibaba Cloud International Security Compliance Consulting and Implementation Services consist of six sub-services. Customers can purchase the services based on their business requirements:
Alibaba Cloud International Security Compliance Consulting and Implementation Services (Required. Choose one of the following two service packages.)
Consulting Service Package
Consulting and Implementation Service Package
The preceding two service packages (the Consulting Service Package and the Consulting and Implementation Service Package) are further subdivided into the simplified version, standard version and advanced version based on the number of control points listed in the regulatory requirements.
Any work or solution that is not defined in this statement of work (SOW) is excluded from the scope of this project.
2. Service scope
The following service scope is classified into two categories: the Alibaba Cloud International Security Compliance Consulting Service Package and the International Security Compliance Consulting and Implementation Service Package. In addition, the preceding two service packages (the Consulting Service Package and the Consulting and Implementation Service Package) are further subdivided into the simplified version, standard version and advanced version based on the number of control points listed in the regulatory requirements. The services can be delivered to meet different requirements for various types of customers.
3. Prerequisites
The customer shall submit a service request at least 15 business days before the customer places an order. This way, Alibaba Cloud can evaluate the business objectives of the customer and check the feasibility of the schedule to determine whether to accept the service request.
If the customer requires a large amount of resources, the customer shall submit a service request one month in advance. This way, Alibaba Cloud can communicate with suppliers to check whether the requested resources are available.
The customer shall provide Alibaba Cloud with all necessary documents, information, data, diagrams, system permissions, and remote access channels in a timely manner. All such information is subject to the confidentiality clauses attached to this statement of work. The customer shall guarantee that all information disclosed or to be disclosed to Alibaba Cloud is true, accurate, and not misleading.
For the International Security Compliance Consulting Service Package and the International Security Compliance Consulting and Implementation Service Package, the office location of Alibaba Cloud is not restricted by the project, and the service is mainly provided via telephone, DingTalk, mail, etc.
The service content of the International Security Compliance Consulting Service Package and the International Security Compliance Consulting and Implementation Service Package does not include the customer's applications on the cloud.
In the project delivery process, Alibaba Cloud designs the IT governance solution and troubleshoots the issues that occur during technical validation and the customer implements the solution designed by Alibaba Cloud.
Alibaba Cloud provides services between 09:00 and 18:00 (UTC+8) from Monday to Friday, except for national holidays in China.
The project managers designated by the customer and Alibaba Cloud shall use mutually agreed communication methods to transfer the written information required for the project. Available communication methods include DingTalk, fax, and email.
All project deliverables are in Chinese or English, and the working language is Chinese or English. All deliverables are submitted as electronic copies in Microsoft Office formats, including PowerPoint, Word, Excel, and Visio.
The customer and Alibaba Cloud shall work on the project in accordance with the work plan, staffing plan, and start and end dates that are agreed upon by both parties in advance. Alibaba Cloud shall not be liable for project delays that are caused by delays in the launch of the business systems of the customer.
If the customer or Alibaba Cloud needs to introduce a third party, the customer or Alibaba Cloud shall be responsible for signing contracts with the third party. Alibaba Cloud shall not be liable for the actions performed or delays caused by the subcontractors or vendors of the customer. The customer shall not be liable for the actions or delays caused by the subcontractors or vendors of Alibaba Cloud.
Neither party shall be liable for special, incidental, or indirect damages, or consequential economic damages (including loss of profits or discounts) under this contract, even if the party has been informed of the possibility of such damages.
4. Division of responsibilities
4.1. Customer and Alibaba Cloud
After the customer purchases the International Security Compliance Consulting and Implementation Services (Consulting Service Package + Consulting and Implementation Service Package), Alibaba Cloud will confirm the establishment of the services after review and communication.
The customer and Alibaba Cloud negotiate to confirm the business objectives and service scope of the International Security Compliance Consulting and Implementation Services.
The following table describes the division of responsibilities.
| Service | Phase | Task details | Customer | Alibaba Cloud |
|---|---|---|---|---|
| Alibaba Cloud International Security Compliance Consulting and Implementation Services | Investigation of current situation | Through remote information collection and on-site communication, Alibaba Cloud shall understand the customer's current business situation on Alibaba Cloud, including the products and services that are used, and determine the security compliance requirements and standards that the customer shall meet. Alibaba Cloud shall initially identify the gap between the customer's existing environment and the corresponding requirements based on factors such as the country and region where the enterprise is located, as well as industry and security risks. | A/S/C/I | R/I |
| | Interpretation of compliance requirements | In the early communication process, if the customer has any questions about the security compliance requirements to be met, including how to meet the compliance requirements for access methods and operation records, Alibaba Cloud's security compliance team shall answer and explain the compliance solutions one by one to help the customer understand the corresponding security compliance standards. | A/S/C/I | R/I |
| | Solution design | Based on the gap between the current situation of customer cloud usage and the corresponding security compliance requirements, and taking into account factors such as cloud usage, costs, and whether there are self-developed products, Alibaba Cloud shall design a set of solutions that meet the security compliance requirements on the cloud for the customer, while considering the scalability and sustainability of the customer's business. | A/S/C/I | R/I |
| | Technical validation | After completing the solution design, Alibaba Cloud shall carry out technical validation on various aspects, such as whether the solution conflicts with the configurations of the current business system on the cloud, whether the solution conflicts with the on-premises IDC business system, and whether the solution affects the adaptability of security products and the availability of IT infrastructure, to ensure the feasibility and implementability of the solution. | A/S/C/I | R/S/C/I |
| | Solution implementation | If the customer purchases the implementation service, Alibaba Cloud shall assist the customer in the configuration and implementation of the solution, confirm the modification content and operation time of the relevant configuration, and ensure that the operation does not adversely affect the online business system. If the implementation of the solution needs to be delayed, Alibaba Cloud shall provide the required deployment demonstration and documentation. | A/S/C/I | R/S/C/I |
| | Delivery testing | Alibaba Cloud shall confirm the deployment environment and configuration of the solution, complete environment inspection and review, ensure that the effect of the solution implementation meets the customer's expectations, and make the cloud system actually meet relevant security compliance requirements. | A/S/C/I | R/S/C/I |
Note: R stands for Responsible, A stands for Accountable, C stands for Consulted, I stands for Informed, and S stands for Support.
4.1.1. Customer
The customer shall appoint a project manager with the required expertise and experience to communicate with Alibaba Cloud. The project manager has full authority to make decisions on all aspects of the project on behalf of the customer, and shall be directly responsible for the planning, coordination, supervision, and control of project implementation. The project manager shall also be responsible for troubleshooting and resolving the issues that occur during project implementation.
Based on the project situation, the customer's project manager shall coordinate the resources of all parties to lead the investigation and technical validation of the International Security Compliance Consulting and Implementation Services.
At the beginning of the project, the customer shall provide its internal material and specification documents related to the governance of the International Security Compliance Consulting and Implementation Services, and clearly state the implementation requirements.
4.1.2. Alibaba Cloud
Alibaba Cloud shall appoint an experienced technical manager to carry out the project management of the International Security Compliance Consulting and Implementation Services, introduce and manage Alibaba Cloud's project team personnel, and communicate with the customer's project manager.
Through the investigation of the current situation, Alibaba Cloud shall understand the basic architecture of the customer system, business application scenarios, usage status of the International Security Compliance Consulting and Implementation Services, and other information required for evaluation.
Alibaba Cloud shall design the solution of the International Security Compliance Consulting and Implementation Services based on the investigation of current situation, and assist the customer in understanding the requirements and standards of the International Security Compliance Consulting Services.
Alibaba Cloud shall cooperate with the customer to conduct technical validation of the solution of the International Security Compliance Consulting and Implementation Services, and assist in solving various issues encountered in the process of technical validation.
Alibaba Cloud shall cooperate with the customer to discover existing issues, and assist in analyzing the impact of configuration changes and provide suggestions for fixing issues.
Before delivery, Alibaba Cloud shall conduct testing on the International Security Compliance Consulting Services and provide suggestions for fixing corresponding issues.
4.1.3. Completion criteria
Completion Criteria for Alibaba Cloud International Security Compliance Consulting Service Package
The solution design of Alibaba Cloud International Security Compliance Consulting Services shall be completed and confirmed by the customer. The corresponding solution design and the technical validation of the solution shall be included.
Deliverables
"Design Solution of the International Security Compliance Consulting Services"
Completion Criteria for Alibaba Cloud International Security Compliance Consulting and Implementation Service Package
The solution design of Alibaba Cloud International Security Compliance Consulting and Implementation Services shall be completed and confirmed by the customer. The corresponding solution design, technical validation for the solution, solution implementation, pre-delivery testing, and suggestions for fixing issues shall be included.
Deliverables
"Design Solution of the International Security Compliance Consulting and Implementation Services"
"Implementation Report of the International Security Compliance Consulting and Implementation Services"
"Acceptance Report of the International Security Compliance Consulting and Implementation Services"
4.2. Service catalog
Service content: The International Security Compliance Consulting Services consist of the following services to meet the customer's business objectives.
| Phase name | Service catalog | International Security Compliance Consulting Service Package | International Security Compliance Consulting and Implementation Service Package |
|---|---|---|---|
| Investigation of current situation | Investigation of Alibaba Cloud's business status and planning | Supported | Supported |
| Interpretation of compliance requirements | Interpretation of compliance requirements for the International Security Compliance Consulting Services | Supported | Supported |
| Solution design | Solution design of the International Security Compliance Consulting Services | Supported | Supported |
| Technical validation | Technical validation of the International Security Compliance Consulting Service Solution | Supported | Supported |
| Solution implementation | Implementation of the International Security Compliance Consulting Service Solution | | Supported |
| Delivery testing | Delivery testing for the International Security Compliance Consulting Services | | Supported |
In addition, the preceding two service packages (the Consulting Service Package and the Consulting and Implementation Service Package) are further subdivided into the simplified version, standard version and advanced version based on the number of control points listed in the regulatory requirements.
| Service catalog | Difficulty | Number of control points |
|---|---|---|
| International Security Compliance Consulting Service Package | Simplified | 10 - 30 |
| | Standard | 31 - 150 |
| | Advanced | > 150 |
| International Security Compliance Consulting and Implementation Service Package | Simplified | 10 - 30 |
| | Standard | 31 - 150 |
| | Advanced | > 150 |
5. SLA
Provide the International Security Compliance Consulting Services.
Provide the customer with security compliance solutions, a DingTalk group for supporting technical validation, and on-site support based on demands during the service period.
Provide the "Design Solution of the International Security Compliance Consulting Services", "Design Solution of the International Security Compliance Consulting and Implementation Services", "Implementation Report of the International Security Compliance Consulting and Implementation Services", and "Acceptance Report of the International Security Compliance Consulting and Implementation Services" based on the corresponding service specifications.
6. Service process
The following flowchart shows the service process for the Alibaba Cloud International Security Compliance Consulting and Implementation Services.
7. Acceptance criteria
7.1. List of deliverables
No. | Delivery phase | Details | Deliverables | Deliverable type |
---|---|---|---|---|
1 | Solution design phase | Compliance design solution | "Design Solution of the International Security Compliance Consulting Services" or "Design Solution of the International Security Compliance Consulting and Implementation Services" | Documentation |
2 | Implementation phase | Solution implementation report | "Implementation Report of the International Security Compliance Consulting and Implementation Services" | Documentation |
3 | Acceptance phase | Solution acceptance document | "Acceptance Report of the International Security Compliance Consulting and Implementation Services" | Documentation |
7.2. Acceptance criteria
In the project delivery process, Alibaba Cloud shall provide consulting services regarding Alibaba Cloud International Security Compliance Consulting and Implementation Services and record important information in documents. In the acceptance phase, the customer shall focus on the quality of document content and confirm that the documents meet the requirements.
If the customer requires internal reviews before Alibaba Cloud submits the deliverables, the customer shall conduct and complete internal reviews before the agreed acceptance time.
If the document content needs to be modified after the reviews, Alibaba Cloud shall make the required modifications and submit the modified documents to the customer for acceptance. The customer shall appoint a representative to sign for confirmation. The customer shall click the Confirm Acceptance button on the service system page in the Alibaba Cloud Management Console.
Acceptance criteria for the International Security Compliance Consulting Service Package
The "Design Solution of the International Security Compliance Consulting Services" meets the customer's expectations.
Acceptance criteria for the International Security Compliance Consulting and Implementation Service Package
The "Design Solution of the International Security Compliance Consulting and Implementation Services" meets the customer's expectations.
The "Implementation Report of the International Security Compliance Consulting and Implementation Services" meets the customer's expectations.
The "Acceptance Report of the International Security Compliance Consulting and Implementation Services" meets the customer's expectations.
7.3. Acceptance plans
In accordance with the deliverables of each project phase described in Section 7.1 Acceptance List, project acceptance is based on the following acceptance plans. The customer agrees to accept the deliverables submitted by Alibaba Cloud based on these acceptance plans.
Acceptance plan for the International Security Compliance Consulting Service Package
No. | Acceptance milestone | Acceptance content | Acceptance completion |
---|---|---|---|
1 | The design and validation of the "Design Solution of the International Security Compliance Consulting Services" is completed. | "Design Solution of the International Security Compliance Consulting Services" | The customer confirms the acceptance of the solution. |
Acceptance plan for the International Security Compliance Consulting and Implementation Service Package
No. | Acceptance milestone | Acceptance content | Acceptance completion |
---|---|---|---|
1 | The design and validation of the "Design Solution of the International Security Compliance Consulting and Implementation Services" is completed. | "Design Solution of the International Security Compliance Consulting and Implementation Services" | The customer confirms the acceptance of the solution. |
2 | The validation of the "Implementation Report of the International Security Compliance Consulting and Implementation Services" is completed. | "Implementation Report of the International Security Compliance Consulting and Implementation Services" | The customer confirms the acceptance of the solution. |
3 | The validation of the "Acceptance Report of the International Security Compliance Consulting and Implementation Services" is completed. | "Acceptance Report of the International Security Compliance Consulting and Implementation Services" | The customer confirms the acceptance of the solution. |
8. Mark of project completion
The project is completed after the customer confirms the acceptance.