在製藥領域中使用電腦化系統的企業和組織,在用雲過程中需要滿足中國GMP附錄《電腦化系統》標準。本合規包模板提供了標準細則與阿里雲的產品設定的對應關係。本文為您介紹中國GMP附錄合規包中的預設規則。
規則名稱 | 規則描述 | 建議項編號 | 建議項說明 |
Action Trail中存在開啟狀態的跟蹤,且跟蹤全部地區和全部事件類型,視為“合規”。如果是資來源目錄成員帳號,當管理員有建立應用到所有成員帳號的跟蹤時,視為“合規”。 |
| Risk management must span the entire lifecycle of a computerized system. Patient safety, data integrity, and product quality must be taken into account. As a quality risk management, risk management must be applied to confirm the required verification scope and control level of data integrity based on your written risk evaluation result. A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. You must develop an operation guide on how to process system failures or damages. You can verify the content of the operation guide if necessary. All incidents, including system failures and data faults must be recorded and evaluated. You must investigate major incidents, identify the root causes of the incidents, and take the required corrective measures and preventive measures. | |
使用Security Center企業版或者更進階別的版本,視為“合規”。 |
| Risk management must span the entire lifecycle of a computerized system. Patient safety, data integrity, and product quality must be taken into account. As a quality risk management, risk management must be applied to confirm the required verification scope and control level of data integrity based on your written risk evaluation result. You must develop an operation guide on how to process system failures or damages. You can verify the content of the operation guide if necessary. All incidents, including system failures and data faults must be recorded and evaluated. You must investigate major incidents, identify the root causes of the incidents, and take the required corrective measures and preventive measures. | |
通過在主機上安裝Security Center外掛程式,提供主機的安全防護服務。如果有安裝Security Center外掛程式,視為“合規”。非運行中狀態的執行個體不適用本規則,視為“不適用”。 | 4.7 | You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity. | |
ECS執行個體在Security Center無指定類型和等級的待修複漏洞,視為“合規”。非運行中狀態的執行個體不適用本規則,視為“不適用”。 | 4.7 | You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity. | |
ECS執行個體狀態不是已停止狀態,視為“合規”。 | 4.7 | You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity. | |
彈性公網已綁定到ECS或者NAT執行個體,非閑置狀態,視為“合規”。 | 4.7 | You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity. | |
檢查閑置安全性群組,安全性群組綁定的ECS執行個體數量大於0,視為“合規”。 | 4.7 | You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity. | |
RDS執行個體開啟記錄備份,視為“合規”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
PolarDB叢集記錄備份保留周期大於等於指定天數,視為“合規”。參數預設值30天。未開啟記錄備份或備份保留周期小於指定天數,視為“不合規”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
Redis執行個體開啟增量備份,視為“合規”。本規則只適用於類型為Tair的執行個體,非Tair類型的執行個體,視為“不適用”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
Elasticsearch執行個體開啟了自動備份,視為“合規”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
ADB叢集開啟記錄備份,視為“合規”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
MongoDB執行個體開啟記錄備份,視為“合規”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
為NAS檔案系統建立備份計劃,視為“合規”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
ECS磁碟設定了自動快照策略,視為“合規”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
OceanBase叢集開啟Database Backup,視為“合規”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
如果沒有開啟版本控制,會導致資料被覆蓋或刪除時無法恢複。如果開啟版本控制則,視為“合規”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
如果沒有開啟同城冗餘儲存,會導致當出現某個機房不可用時,OSS服務無法提供一致性服務,影響資料恢複目標。OSS儲存空間開啟同城冗餘儲存,視為“合規”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
DTS執行個體下同步任務源庫和目標庫均使用SSL安全連結,視為“合規”。任務類型為非同步類型的DTS執行個體不適用本規則,視為“不適用”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. | |
DTS執行個體下遷移任務源庫和目標庫均使用SSL安全連結,視為“合規”。任務類型為非遷移類型的DTS執行個體不適用本規則,視為“不適用”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. | |
檢測CDN網域名稱是否啟用TLS1.3,啟用,視為“合規”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. | |
Elasticsearch執行個體使用HTTPS傳輸協議,視為“合規”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. | |
Function Compute函數綁定到自訂網域名且開啟TLS指定版本,視為“合規”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. | |
PolarDB叢集設定了SSL加密,視為“合規”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. | |
Redis執行個體設定SSL加密,視為“合規”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. | |
API Gateway中開啟公網訪問的API請求方式設定為HTTPS,視為“合規”。只限制內網調用的API不適用此規則,視為“不適用”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. | |
RDS執行個體的資料安全性設定開啟SSL認證,視為“合規”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. | |
使用中的ECS資料磁碟已開啟加密,視為“合規”。 | 5.19 | If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. | |
RDS執行個體的資料安全性設定開啟TDE加密,視為“合規”。 | 5.19 | If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. | |
VPN串連使用的密碼編譯演算法不為None,視為“合規”。 | 5.19 | If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. | |
Elasticsearch執行個體資料節點開啟雲端硬碟加密,視為“合規”。 | 5.19 | If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. | |
PolarDB叢集開啟TDE,視為“合規”。 | 5.19 | If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. | |
Redis執行個體使用自訂密鑰開啟TDE加密,視為“合規”。 | 5.19 | If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. | |
Log Service日誌庫設定了資料加密,視為“合規”。 | 5.19 | If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. | |
ECS自動快照原則設定快照保留天數大於設定的天數,視為“合規”。預設值:7天。 | 5.19 | If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. | |
RDS執行個體開啟刪除保護,視為“合規”。付費類型為訂用帳戶的執行個體不支援該功能,視為“不適用”。 |
| Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
PolarDB叢集開啟刪除保護,視為“合規”。預付費類型的叢集,視為“不適用”。 |
| Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
ECS執行個體開啟釋放保護,視為“合規”。 |
| Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
HBase叢集開啟刪除保護,視為“合規”。預付費類型的叢集,視為“不適用”。 |
| Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
MongoDB執行個體開啟釋放保護,視為“合規”。預付費類型的執行個體,視為“不適用”。 |
| Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
Redis執行個體開啟釋放保護,視為“合規”。預付費類型的執行個體,視為“不適用”。 |
| Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
SLB執行個體開啟釋放保護,視為“合規”。 |
| Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
運行中的ECS執行個體安裝CloudMonitor外掛程式而且外掛程式狀態為運行中,視為“合規”。非運行中狀態的執行個體不適用本規則,視為“不適用”。 | 5.21 | You must develop an operation guide on how to process system failures or damages. You can verify the content of the operation guide if necessary. All incidents, including system failures and data faults must be recorded and evaluated. You must investigate major incidents, identify the root causes of the incidents, and take the required corrective measures and preventive measures. | |
RDS執行個體開啟歷史事件記錄,視為“合規”。 | 5.16 | A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. | |
阿里雲帳號開啟MFA,視為“合規”。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
開啟控制台訪問功能的RAM使用者登入設定中必須開啟多因素認證或者已啟用MFA,視為“合規”。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
OSS儲存空間的ACL策略禁止公用讀寫,視為“合規”。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
OSS Bucket授權策略中未授予匿名帳號任何讀寫權限,視為“合規”。若OSS Bucket未設定任何授權策略,視為“合規”。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
ECS執行個體被授予了執行個體RAM角色,視為“合規”。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
Function Compute服務配置了服務角色,視為“合規”。避免因暴露阿里雲帳號密鑰,造成安全風險。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
啟用ACK叢集的RRSA功能,視為“合規”。RRSA功能可以在叢集內實現Pod維度OpenAPI許可權隔離,從而實現雲資源存取權限的細粒度隔離,降低安全風險。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
RAM使用者未同時開啟控制台訪問和API調用訪問,視為“合規”。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
MSE叢集開放公網訪問時開啟鑒權,視為“合規”。未開啟公網訪問時,視為“合規”。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
RAM使用者AccessKey的最後使用時間距今天數小於參數設定的天數,視為“合規”。預設值:90天。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
RAM使用者密碼策略中各項配置滿足參數設定的值,視為“合規”。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
如果RAM使用者在最近90天有登入行為,視為“合規”。如果RAM使用者的最近登入時間為空白,則檢查更新時間,當更新時間小於等於90天時,視為“合規”。未開啟控制台訪問的使用者,視為“不適用”。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
RAM使用者下AccessKey的建立時間距離檢查時間不超過指定天數,視為“合規”。預設值:90天。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
Redis執行個體開啟審計日誌,視為“合規”。不支援開啟審計日誌的相關版本執行個體,視為“不適用”。 | 5.16 | A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. | |
MongoDB執行個體開啟審計日誌,視為“合規”。 | 5.16 | A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. | |
OSS儲存空間的日誌管理中開啟日誌轉存,視為“合規”。 | 5.16 | A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. | |
已接入WAF2.0進行防護的網域名稱均開啟日誌採集,視為“合規”。 | 5.16 | A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. | |
RDS Mysql類型執行個體開啟SQL審計且日誌保留天數大於等於指定值,視為“合規”。預設值:180天。 | 5.16 | A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. | |
ADB叢集開啟SQL審計日誌,視為“合規”。 | 5.16 | A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. | |
SLB傳統型Server Load Balancer執行個體開啟訪問日誌,視為“合規”。未啟用7層監聽的執行個體不支援開啟訪問日誌,視為“不適用”。 | 5.16 | A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. | |
RDS執行個體為多可用性區域執行個體,視為“合規”。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
Redis執行個體為多可用性區域執行個體,視為“合規”。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
SLB執行個體為多可用性區域執行個體,視為“合規”。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
ALB執行個體為多可用性區域執行個體,視為“合規”。如果只選擇了一個可用性區域,當這個可用性區域出現故障時,會影響ALB執行個體,進而影響業務穩定性。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
使用多可用性區域的MongoDB執行個體,視為“合規”。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
Auto Scaling組關聯至少兩個交換器,視為“合規”。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
終端節點服務配置多個可用性區域,視為“合規”。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
PolarDB叢集開啟儲存熱備叢集,資料分布在多個可用性區域,視為“合規”。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
SLB負載平衡的虛擬伺服器組掛載資源分布在多個可用性區域,視為“合規”。虛擬伺服器組無掛載任何資源時不適用本規則,視為“不適用”。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
ALB負載平衡的伺服器組掛載資源分布在多個可用性區域,視為“合規”。ALB伺服器組無掛載任何資源時不適用本規則,視為“不適用”。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. |