




Already suggested on 23 December:

"from 1 October 2013 to 30 September 2014": the ST and TH markers were deleted. They should be retained; it is suggested to undo the deletion.
Feedback: Suggest no change. The writing standard generally does not use ST and TH. The 3402 of the BOC Europe Center and Americas Center were also consulted, and they likewise use the form without the ST and TH markers, so no change is suggested.

"The Device and Environment Team (DET-BJ) is responsible for the overall planning of computer room environmental control of the Data Center and for establishing the corresponding management policies plans." Are "policies plans" two plurals?
Feedback: Revised to: "The Device and Environment Team (DET-BJ) is responsible for the overall planning of computer room environmental control of the Data Center and for establishing the corresponding management policies, plans and procedures"

"Linux systems are not managed by SAS, users are authenticated by sic password via SSH protocol." The description "Linux systems are not managed by SAS" is somewhat ambiguous: it reads as if no Linux system is managed by SAS. An attributive should be used.
Feedback: Revised to: "For Linux systems that are not managed by SAS, users are authenticated by sic password via SSH protocol"

"The Data Center synchronises the application systems in the local and remote disaster recovery environments with the ones in the production environment based on the system disaster recovery strategies." "the application systems" should be synchronised, but should the operating systems (including databases) be synchronised as well?
Feedback: After discussion with the Technology Department, this control point has been deleted.

"to ensure that IT system operations were operated as expected": could this be changed to "to ensure that IT system operations were operated as expected"?
Feedback: Revised. 6.1.3 changed to "to determine whether thet IT systems were operated as expected"

"Inspected a selection of the program check lists." The meaning of "program check lists" is not well understood.
Feedback: Revised. 6.2.4 changed to "Inspected a selection of project acceptance registration forms"

"Inspected ensure." The usage of "ensure" is problematic; a word meaning confirm or determine should be used, for example "determine whether". This sentence pattern occurs very often and should be revised. Examples:
"Inspected service level management policies to ensure signing of service level agreementt the development and"
"Inspected a selection of the responsibilitiesernal SLAs and SOWs to ensureternal"
"acquired the related non-disclosure agreements to ensure that the external IT service employees signed the non-disclosure agreements." Acquiring by itself cannot ensure.
Feedback: Changed to "determine".

Suggestions of 24 December:

"For a selection of redundancy user IDs, observed the redundancy user IDs in system to ensure that the IDs were not existed in the system." This is not well understood: they are there in the previous 2 steps, so why would they not exist?
Feedback: Revised to: "Inspected production system user access review form to determine whether Data Center performed user ID and user access right inspection on an annual basis." The corresponding Chinese is changed to: "Obtain and inspect the production system user rights form, and confirm that the Data Center inspects user IDs and user status every year."

"For a selection of the production changes, and inspected the relevant testing reports to ensure that the production changes were tested and reviewed." (1) The use of "and" is problematic and it should be removed. (2) The use of "the" is also problematic; since this is not a specific reference or a proper noun, it can be dropped.
"For a selection of the production changes, and inspected the relevant reportst-evaluation"
"For a selection of the production changes, and inspected the change request records,"
"For a selection of the project initialization applications related to overseas IT systems (Asia Pacific region), and inspected the related project initialization notifications"
"For a selection of the vendors from the vendor list, inspected the contracts signed"
"For a selection of the new user application forms of the Notes system, inspected to ensure"
"For a selection of the approved change requests, and inspected the relevant production change implementation plans"
"For a selection of the IT system, obtained the database partition descriptions to"
"For a selection of the application systems, observed log configuration of the application"
Feedback: Revised; "the" and "and" removed.

"For a selection of the new user application forms of the Notes system, inspected to ensure that the applications were approved by BOC HO executive office." Inspected what? An object should follow.
Feedback: Revised. 6.4.10 changed to: "For a selection of the new user application forms of the Notes system, inspected the application form to determine whether the applications were approved by BOC HO executive office."

"For a selection of the versions of application systems in the production environment, observed the version numbers of the application systems in the local disaster recovery environment to ensure that the version numbers were consistent." Suggestion: "For a selection of the versions of application systems in the production environment, observed the version numbers of the application systems in the local disaster recovery environment to ensure that the version numbers were consistent."
Feedback: After discussion with the Information Technology Department, this control point has been deleted.

New suggestions raised on 25 December:

"The creation of the user IDs and the user privileges review were in line with the authorized rights were executed by different employees." The grammar is questionable.
Feedback: Revised. 6.4.3 changed to: "User ID creation and user privileged review were perform by different employees." The corresponding Chinese is changed to: "Account creation and the review of system rights are completed by different people."

"All IT systems users of the Data Center apply for rights according to User ID Uniqueness principle, Authorization on Demand principle, Need to Know and Least Privilege principle. The user creation and rights modification of the Data Center are authorized by the heads of applicant and the authorizing team." This differs from the Chinese version. Does applying for rights need to consider User ID Uniqueness?
Feedback: Revised; "User ID Uniqueness principle," deleted.

"For a selection of responsibility changed users and the responsibilities descriptions, observed their account and rights in the system on-site to ensure that the original user rights were adjusted and the existing user rights were in line with the responsibilities descriptions." The English meaning of "responsibility changed users" is unclear (responsibility changed the users?), and "responsibilities descriptions" does not seem to be used this way in English; "job descriptions"?
Feedback: Revised. 6.4.6: "For a selection of employees whose jobt were changed, obtained the employees new job description, observed the employees system rights to determine whether system user rights are align with the employees job descriptions." The corresponding Chinese is changed to: "Obtain the job transfers, select job changes from them, obtain their new job responsibility descriptions, observe on-site the users' accounts and rights in the system, and confirm that the existing rights are consistent with their job responsibility descriptions."

"For a selection of terminated users, observed the users accounts and rights in the system on-site to ensure that the users accounts were deleted." Suggest changing to "For a selection of terminated users, observed the users accounts and rights on-site to ensure that the users accounts were deleted in the system."
Feedback: Revised. 6.4.6 changed to: "For a selection of employees whose employment was terminated, observed the employees system accounts to determine whether users accounts were deleted in the system." The corresponding Chinese is changed to: "Obtain the terminations, select terminations from them, observe on-site the users' accounts in the system, and confirm that the accounts of terminated users have been deleted."

"For the network devices were not supported by RADIUS, the user is required to use a sic password," The syntax is questionable; an attributive should be used.
Feedback: Revised. 6.4.9: "For the network devices which were not supported by RADIUS, the user is required to use a sic password,"

"Inspected the access control list from the firewall configuration to ensure that office environment users could not connect to the external network." Users cannot connect to the external network? "office environment users" is somewhat of a literal translation from Chinese; English may not be written this way.
Feedback: Revised. "Inspected the access control list from firewall configuration to determine whether the office terminals could not connect to the external network."

"Obtain and inspect the open user ID application form, and confirm that the user has finished using it." The description (even when read together with the preceding control measures) is not very clear: why can looking at the application form confirm that use has finished?
Feedback: The ID application form deals with the user's closing time.

Afternoon of 25 December:

"For a selection of the versions of application systems in the production environment, observed the version numbers of the application systems in the local disaster recovery environment to ensure that the version numbers were consistent." Only the local environment is observed, so how can consistency between local and disaster recovery be ensured?
Feedback: After discussion with the Technology Department, this control point has been deleted.

"Observed the RACF profile to ensure that RACF security management module was deployed to control access right of mainframe system." The preceding paragraph already covers this content; does it need to be repeated? ("Inspected the Data Center access control technique specification to ensure that RACF security management module was deployed to control access right of mainframe system, and the specification was approved and formally released.")
Feedback: Suggest no change. The test method of "Inspected" is reviewing documents, while the test method of "observed" is looking at the actual RACF profile. These are two different test methods.

"Inquired of the Data Center management about the security configuration of the open platform system user password." "the open platform system user password" is somewhat of a literal translation from Chinese.
Feedback: Revised. 6.4.18 changed to: "Inquired of the Data Center management the password configuration of open platform users."

"Observe on-site the user configuration policy of the WIN system domain controller server, and confirm that the WIN system controls user rights through the security policy of the domain controller server."
Feedback: Revised. "Observe on-site the user configuration policy of the WIN system domain controller server, and confirm that the WIN system controls user rights through the security policy of the domain controller server."

"The Data Center establishes the network security technique standard to specify configuration requirements for switches, routers, firewalls, intrusion detection and other network devices. Network devices are regularly inspected by the Data Center and configured in accordance with configuration requirements." In "Network devices are regularly inspected by the Data Center and configured in accordance with configuration requirements", "and" joins two things that have little to do with each other, and the order is wrong (configuration should come first, inspection afterwards). Suggest considering a change to "The Data Center establishes the network security technique standard to specify configuration requirements for switches, routers, firewalls, intrusion detection and other network devices. Network devices aret regularly inspected by the Data Center regularly and configured to ensure network devices are configured in accordance with configuration standard requirements."
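The corresponding Chinese can be adjusted as well.
Feedback: Revised. 6.4.21 changed to: "Network devices are configured in accordance with configuration requirements." The configuration inspection of network devices is covered by control point 6.4.23.

Newly added on 29 December:

"inspected a selection of ZOS script results of EY to ensure that the password settings of mainframe system were in line with the password standard." (1) ZOS should be z/OS; (2) z/OS is a noun and is best explained in the glossary; (3) "script results of EY" is hard for a layperson to understand, please consider whether it can be changed. There are similar cases for Linux, AIX and Windows.
Feedback: Revised:
6.4.16 z/OS: "For a selection of in-scope mainframe systems, inspected the passwords settings to determine whether they were configured according to the password standard." The corresponding Chinese is changed to: "Obtain and inspect the mainframe system user password configuration, and confirm that it complies with the password configuration standard."
6.4.18 AIX: "For a selection of in-scope open platform systems to determine whether they were configured according to the password standard." The corresponding Chinese is changed to: "Obtain and inspect the open system user password configuration, and confirm that it complies with the password configuration standard."
6.4.20 Windows: "For a selection of in-scope WIN platform systems to determine whether they were configured according to the password standard." The corresponding Chinese is changed to: "Obtain and inspect the WIN system user password configuration, and confirm that it complies with the password configuration standard."

"Using open platform management system (SAS, Server Automation System) to manage the access to all the AIX systems and a portion of the Linux systems (the systems). The systems are connected to SAS." (1) The sentence is incomplete and seems to have no verb or subject. (2) Linux is a noun and is best explained in the glossary. (3) Would it be better to replace "Using" with "deploys"?
Feedback: Revised. 6.4.17 as follows:
(1), (3) "The Data Center deploys Server Automation System (SAS, Server Automation System) to manage the access to all the AIX systems and a portion of the Linux systems (the systems)."
(2) Linux: A Computer Operating System

"The Data Center establishes performance and capacity management procedures to specify the process of performance and capacity plan setting, indicators monitoring and analysing, and performance and capacity plan adjusting." Can "plan setting" be read as formulating the plan?
Feedback: "Plan setting" means formulating the plan. For easier understanding, 6.3.1: "The Data Center establishes performance and capacity management procedures to specify the process of performance and capacity plan formulating, indicators monitoring and analysing, and performance and capacity plan adjusting."

The control objective on data migration has now been taken out, but data migration will still occur during the assessment period and in the future, for example the MUREX go-live. This is a change activity (changes include batch project releases into production, production system go-live, major version upgrades, architecture adjustments, migration and decommissioning, and other changes that affect production systems); it is only that the migration takes place in the Data Center. It is suggested that the Information Technology Department consider whether some content should be retained as appropriate.
Feedback: The Technology Department is asked to give its opinion.

"Teams of the Data Center using external IT services perform monthly evaluations of the quality of work and the on-site performance of the external IT service employees, which serves as a basis for their assessment." (1) There are 3 instances of "of", and the relationships are somewhat complicated to follow. (2) What "which" stands for is not obvious (the act of evaluating?).
Feedback: Revised. 6.2.9 as follows: "The performance of external service personnel was assessed from two aspects: 1) the on-site performance of the personnel; 2) monthly evaluation given by the Data Center team that uses the external IT services."

"The Data Center monitors performance and capacity indicators in real time or periodic basis." Should "periodic basis" be "on a periodic basis" (not "in")?
Feedback: Revised. 6.3.3 as follows: "The Data Center monitors performance and capacity indicators in real time or on a periodic basis."

"on-site inspected users system right, on-site observed the connection of these terminals to," "on-site" is mostly used as an adjective; following it with a verb is not very common, and this could be reconsidered.
Feedback: Revised. In similar sentences "on-site" has been moved to the end of the sentence and used as an adjective, for example: "Inspected users system right on-site; observed the connection of these terminals on-site"

"For a selection of systems, logged in to the systems with an overseas branch (or affiliate) application user ID, inspected the application data that was accessible to the user, ensure that the user could only access data from his/her own organization by matching the branch (or affiliate) code of the user and the branch (or affiliate) code of the data accessed." "overseas branch (or affiliate) application user ID" is somewhat of a literal translation from Chinese.
Feedback: Revised. 6.4.4 as follows: "For a selection of application systems, logged in to the applications with an overseas branch (or affiliate) user ID, inspected the application data that was accessible to the user to determine whether user could only access data from his/her own organization by matching the branch (or affiliate) code of the user and the branch (or affiliate) code of the data accessed."

"The Data Center deletes the users ID as the user termination." (1) "The" seems unnecessary, as this is not a specific reference. (2) The meaning expressed is not clear: the Data Center deletes the user ID as the user termination. Should "as" introduce an adverbial clause?
Feedback: Revised. 6.4.6 as follows: "The Data Center deletes the users ID as the user terminates employment in the Data Center."

"inquired of the Data Center management about the desensitization procedure of production data as using the production data for testing." Is there a problem with the usage of "as using the production data for testing"? Does "as" need to introduce a clause, or consider "inquired of the Data Center management about the desensitization procedure of production data as using the production data for testing"?
Feedback: Revised. 6.6.7 as follows: "Inquired of the Data Center management about the desensitization procedure of production data used for testing."

"Select servers from the Data Center network topology diagram, observe on-site and confirm that the servers are all deployed at the positions specified in the topology diagram": the test method is slightly hard to understand. Does the topology diagram already mark that a certain server (by name) is connected to a specific switch port, with the on-site check verifying that the port is cabled to that server?
Feedback: Suggest no change. This was discussed with the Data Center. The Data Center confirmed that, by comparing the position of a server in the topology diagram with an on-site view of how the server is deployed in the actual environment, the consistency between the actual situation and the topology diagram can be confirmed.

"The Data Center establishes review procedure to review system user accounts and user activities weekly. The Data Center team which authorized user account is responsible to review the appropriateness of user account and user activities weekly." The description is not fully consistent with the Chinese: "The Data Center has established a periodic review process for system user activities. The team reviews the operation of system IDs every week, including whether the users are reasonable and whether user operations are compliant, and promptly traces or reports the operations or abnormal events found." The English implies that everything is checked.
Feedback: Revised. 6.4.14 as follows: "The Data Center establishes review procedure to review system user accounts and user activities weekly. The Data Center team which authorized the user accounts is responsible to conduct weekly sample check of the user account and user activities."

"The Data Center implements control over the mainframe system through the RACF security management component. RACF controls users' rights on the mainframe system by controlling the association between user sets and role sets. In addition, through the mainframe database through (?) controlling the association between role sets and database sets, control over the rights of different roles to database resources can be achieved. After logging in to the mainframe system, users can access the database resources within their rights." Besides the association between user sets and role sets, there is also the association between role sets and the rights to protected resources. The two associations together implement complete role-based control: user, role, resource.
Feedback: Revised. 6.4.15 as follows: "The Data Center implements control over the mainframe system through the RACF security management component. RACF controls users' rights on the mainframe system by controlling the association between user sets and role sets. In addition, by controlling the association between role sets and database sets, the mainframe database can implement rights control over database resources for different roles."

"Observed the RACF profiles to ensure that RACF security management module was deployed to control access right of mainframe system."
Feedback: Revised. 6.4.15 as follows: "Observed the RACF profiles to determine whether RACF security management module was deployed to manage the control access right to mainframe systems."

"Inspected the analysis on IT security and implementation suggestions of overseas IT systems integration project in BOC (Asia Pacific regions) to ensure that BOC encrypted the Vital level data was encrypted by algorithm of RSA (2048 key), 3DES (128 key) or AES (128 key)." (1) This seems not fully consistent with the Chinese version: "Obtain and inspect the thematic analysis and implementation suggestions of the China overseas system integration project (Asia Pacific batch)".
Feedback: Revised. 6.6.10 as follows: "Inspected the IT security analysis and implementation suggestions of overseas IT systems integration project of BOC (Asia Pacific regions) to determine whether the Vital level data was encrypted by algorithm of RSA (2048 key), 3DES (128 key) or AES (128 key)."

"Obtain and inspect the thematic analysis and implementation suggestions of the China overseas system integration project (Asia Pacific batch), and confirm that China used the RSA 2048-bit, 3DES 128-bit or AES 128-bit algorithm to encrypt 'critical' data." By inspecting documents only, it is hard to conclude that the suggested control has been implemented; it should be a requirement.
Feedback: Revised. 6.6.10 as follows: "Obtain and inspect the thematic analysis and implementation suggestions of the China overseas system integration project (Asia Pacific batch), and confirm that China requires 'critical'-level data to be encrypted using a hardware encryption machine, with RSA 2048-bit, 3DES 128-bit or AES 128-bit as the encryption algorithm."

"Only ... can ... the log files, to prevent the logs from being ..., deleted or overwritten." This description reads like a control objective rather than a control measure.
Feedback: Revised. 6.9.7 as follows: deleted "to prevent the logs from being ..., deleted or overwritten". The corresponding English content is deleted as well.

"Controls provide reasonable assurance that data is regularly backed up, backup storage media is clearly identified in safe places which can be accessed only by authorized employees and backup data recovery testing is performed on a regular basis." "backup storage media is clearly identified in safe places" seems inconsistent with the Chinese "backup media are clearly labelled and stored in a secure location"; being identified in a safe place does not imply being stored in a safe place.
Feedback: Revised. 6: Control Objective 8 as follows: "Controls provide reasonable assurance that data is regularly backed up, backup storage media is clearly labeled and stored in safe places which can be accessed only by authorized employees. Backup data recovery testing is performed on a regular basis."

"The anti-anti-software of the terminal are synchronised with the database of the server to ensure that the database version of the terminal keeps being updated." This is inconsistent with the Chinese version; the "daily" frequency is not expressed.
Feedback: Revised. 6.4.28 as follows: "The anti-of the anti-software of the terminal are synchronized daily with the databaseserver to ensure that the database version of the terminal keeps being updated." Corresponding Chinese: "The Data Center's terminal protection is synchronised daily with the database of the protection server, to ensure that the terminal database version is updated."

New suggestions added on 30 December 2014:

"The Data Center deploys implements the security strategy of server to control access to WIN platform systems,"
Feedback: Agree with the comment. 6.4.19 revised.

"The Data Center deploys firewalls, IDS, IPS, monitoring tool for network anomaly and other security devices to detect and prevent network intrusions." This is not fully consistent with the Chinese: "The Data Center has deployed, including IDS, IPS, network anomaly tools and others, to monitor and block network intrusion behaviour." What is the relationship between "monitoring tool" and "firewalls, IDS, IPS"? IDS, IPS and firewalls are also network anomaly tools.
Feedback: Revised. 6.4.27 as follows: "The Data Center deploys firewalls, IDS, IPS, and other security devices to detect and prevent network intrusions."

"The Data Center inspects the changed network device configuration on a weekly basis to ensure the configuration meet the configuration requirements." "network device configuration" is somewhat of a literal translation from Chinese and is not very common. It appears many times.
Feedback: Revised. 6.4.23 as follows: "The Data Center inspects the changed configuration settings of network devices on a weekly basis to ensure the configuration meet the configuration requirements." Also: "network device configuration" has been changed to "configuration settings of network devices".

"Inquired of the Data Center management about the deployment of the devices for protecting network intrusions and the monitoring and response to devices." (1) "protecting" has several meanings; could it cause ambiguity about "protect" here? (2) "and the monitoring": which earlier word is "monitoring" parallel with? If it is parallel with "protecting", there should be no "the" before it. Judging from the Chinese, it should be parallel with "deployment", but that is not a gerund. (3) "and response": "response" is a noun; which earlier word is it parallel with?
Feedback: Revised. 6.4.27 as follows: "Inquired of the Data Center management about the deployment of network anti-malware devices, as well as device monitoring and response activities." Corresponding Chinese: "Inquire of the Data Center management about the deployment of network anti-malware devices, and about the monitoring of and response to the devices."

"The employee on duty of computer room monitoring records the requestors information and the requestor is authorized by telephone." This is not fully consistent with the Chinese: "the on-duty staff of the computer room monitoring room register and note that this is". "the requestor is authorized by telephone" independently describes a fact, namely that the requestor is authorized by, and it is placed in parallel with "The employee on duty of computer room monitoring records the requestors information".
Feedback: Revised. 6.11.9 as follows: "The employee on duty of computer room monitoring records the requestors information. The requestor was authorized by telephone was clearly shown in the records."

Obse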