Type 2 revision suggestions and feedback (complete)

Already suggested on 23 December: "from 1 October 2013 to 30 September 2014". The ST and TH markers should be kept; please undo their deletion. Feedback: we recommend no change. The [...] writing standard is generally not to use ST and TH; we also consulted the 3402 reports of BOC's European Center and Americas Center, which likewise omit the ST and TH markers, so we recommend leaving it as is.

"The Device and Environment Team (DET-BJ) is responsible for the overall planning of computer room environmental control of the Data Center and for establishing the corresponding management policies plans." Two plurals in "policies plans"? Feedback: revised to "The Device and Environment Team (DET-BJ) is responsible for the overall planning of computer room environmental control of the Data Center and for establishing the corresponding management policies, plans and procedures".

"Linux systems are not managed by SAS, users are authenticated by static password via SSH protocol." The phrase "Linux systems are not managed by SAS" is ambiguous: it reads as if no Linux system at all is managed by SAS; an attributive clause should be used. Feedback: revised to "For Linux systems that are not managed by SAS, users are authenticated by static password via SSH protocol".

"The Data Center synchronises the application systems in the local and remote disaster recovery environments with the ones in the production environment based on the system disaster recovery strategies." The application systems should be synchronised, but should the operating systems (including databases) also be synchronised? Feedback: after discussion with the IT Department, this control point has been deleted.

"to ensure that IT system operations were operated as expected": could this be changed to "to ensure that [...] IT system operations were operated as expected"? Feedback: 6.1.3 revised to "to determine whether the IT systems were operated as expected".

"Inspected a selection of the program check lists." The meaning of "program check lists" is unclear. Feedback: 6.2.4 revised to "Inspected a selection of project acceptance registration forms".

"Inspected ... to ensure." The use of "ensure" is problematic; wording that expresses confirming or determining, such as "determine whether", should be used. This sentence pattern occurs very often and should be revised. Examples: "Inspected service level management policies to ensure that the development and signing of service level agreements [...]"; "Inspected a selection of the internal SLAs and SOWs to ensure that [...] internal [...] responsibilities [...]"; "[...] acquired the related non-disclosure agreements to ensure that the external IT service employees signed the non-disclosure agreements." Acquiring the agreements cannot by itself ensure this. Feedback: changed to "determine".

Suggested on 24 December: "For a selection of redundancy user IDs, observed the redundancy user IDs in the system to ensure that the IDs were not existed in the system." Hard to follow: the two preceding steps have them, so why do they not exist? Feedback: revised to "Inspected production system user access review form to determine whether Data Center performed user ID and user access right inspection on an annual basis." The corresponding Chinese is changed to: "Obtained and inspected the production system user access [review] forms and confirmed that the Data Center inspects user IDs and the corresponding user [rights] every year."

"For a selection of the production changes, and inspected the relevant testing reports to ensure that the production changes were tested and reviewed." (1) The "and" is wrong and should be removed. (2) The "the" is also wrong; since it is neither a specific reference nor a proper noun, it can be dropped. The same applies to: "For a selection of the production changes, and inspected the relevant post-evaluation reports"; "For a selection of the production changes, and inspected the change request records"; "For a selection of the project initialization applications related to overseas IT systems (Asia Pacific region), and inspected the related project initialization notifications"; "For a selection of the vendors from the vendor list, inspected the contracts signed"; "For a selection of the new user application forms of the Notes system, inspected to ensure"; "For a selection of the approved change requests, and inspected the relevant production change implementation plans"; "For a selection of the IT system, obtained the database partition descriptions to"; "For a selection of the application systems, observed log configuration of the application". Feedback: revised; "the" and "and" removed.

"For a selection of the new user application forms of the Notes system, inspected to ensure that the applications were approved by BOC HO executive office." Inspected what? An object should follow. Feedback: 6.4.10 revised to "For a selection of the new user application forms of the Notes system, inspected the application form to determine whether the applications were approved by BOC HO executive office."

"For a selection of the versions of application systems in the production environment, observed the version numbers of the application systems in the local disaster recovery environment to ensure that the version numbers were consistent." Suggestion: "For a selection of the versions [...], observed the versions of application systems in the production environment [and the version] numbers of the application systems in the local disaster recovery environment to ensure that the version numbers were consistent." Feedback: after discussion with the Information Technology Department, this control point has been deleted.

New suggestions raised on 25 December: "The creation of the user IDs and the user privileges review were in line with the authorized rights were executed by different employees." The grammar is questionable. Feedback: 6.4.3 revised to "User ID creation and user privileged review were perform by different employees." The corresponding Chinese is changed to: "Account creation and the review of system privileges are performed by different people."

"All IT systems users of the Data Center apply for rights according to User ID Uniqueness principle, Authorization on Demand principle, Need to Know and Least Privilege principle. The user creation and rights modification of the Data Center are authorized by the heads of applicant and the authorizing team." This differs from the Chinese version; does applying for rights need to consider User ID Uniqueness? Feedback: revised; "User ID Uniqueness principle" deleted.

"For a selection of responsibility changed users and the responsibilities descriptions, observed their account and rights in the system on-site to ensure that the original user rights were adjusted and the existing user rights were in line with the responsibilities descriptions." The English meaning of "responsibility changed users" is unclear (responsibility changed the users?), and "responsibilities descriptions" does not seem to be used this way in English; job descriptions? Feedback: 6.4.6 revised to "For a selection of employees whose job that were changed, obtained the employees new job description, observed the employees system rights to determine whether system user rights are align with the employees job descriptions." The corresponding Chinese is changed to: "Obtained the job transfer [personnel list], selected job-change [personnel] from it, obtained their new job descriptions, observed the users' accounts and rights in the system on-site, and confirmed that the current rights are consistent with their job descriptions."

"For a selection of terminated users, observed the users accounts and rights in the system on-site to ensure that the users accounts were deleted." Suggested revision: "For a selection of terminated users, observed the users accounts and rights on-site to ensure that the users accounts were deleted in the system." Feedback: 6.4.6 revised to "For a selection of employees whose employment was terminated, observed the employees system accounts to determine whether users accounts were deleted in the system." The corresponding Chinese is changed to: "Obtained the departed [personnel list], selected departed [personnel], observed the users' accounts in the system on-site, and confirmed that the departed users' accounts had been deleted."

"For the network devices were not supported by RADIUS, the user is required to use a static password". The syntax is questionable; an attributive clause should be used. Feedback: 6.4.9 revised to "For the network devices which were not supported by RADIUS, the user is required to use a static password".

"Inspected the access control list from the firewall configuration to ensure that office environment users could not connect to the external network." Users cannot connect to the external network? "office environment users" reads like a literal translation from Chinese; English would probably not put it this way. Feedback: revised to "Inspected the access control list from firewall configuration to determine whether the office terminals could not connect to the external network."

"Obtained and inspected the open user ID application forms and confirmed that the users had finished using them." The description (even combined with the preceding control measure) is not very clear: why does looking at the application form confirm that use has finished? Feedback: the ID application form [records] the closing time of the user.

Afternoon of 25 December: "For a selection of the versions of application systems in the production environment, observed the version numbers of the application systems in the local disaster recovery environment to ensure that the version numbers were consistent." Only the local environment is observed; how can this ensure that the local and disaster recovery versions are consistent? Feedback: after discussion with the IT Department, this control point has been deleted.

"Observed the RACF profile to ensure that RACF security management module was deployed to control access right of mainframe system." The preceding paragraph already covers this; is the repetition needed? ("Inspected the Data Center access control technique specification to ensure that RACF security management module was deployed to control access right of mainframe system, and the specification was approved and formally released.") Feedback: we recommend no change. The test method for "Inspected" is reviewing the document, whereas the test method for "observed" is looking at the actual RACF profile; these are two different test methods.

"Inquired of the Data Center management about the security configuration of the open platform system user password." "the open platform system user password" reads like a literal translation from Chinese. Feedback: 6.4.18 revised to "Inquired of the Data Center management [about] the password configuration of open platform users."

"Observed on-site the user configuration policy on the WIN system domain controller server, and confirmed that the WIN system controls user rights through the security policy of the domain controller server." Feedback: revised to "Observed on-site the user configuration policy on the WIN system domain controller server, and confirmed that the WIN system controls user rights through the security policy of the domain controller server."

"The Data Center establishes the network security technique standard to specify configuration requirements for switches, routers, firewalls, intrusion detection and other network devices. Network devices are regularly inspected by the Data Center and configured in accordance with configuration requirements." In "Network devices are regularly inspected by the Data Center and configured in accordance with configuration requirements", "and" links two loosely related things, and the order is wrong (configuration should come first, inspection afterwards). Consider revising to: "The Data Center establishes the network security technique standard to specify configuration requirements for switches, routers, firewalls, intrusion detection and other network devices. Network devices are regularly inspected by the Data Center and configured to ensure network devices are configured in accordance with configuration standard requirements." The corresponding Chinese could be adjusted too. Feedback: 6.4.21 revised to "Network devices are configured in accordance with configuration requirements." The configuration inspection of network devices is covered by control point 6.4.23.

Newly added on 29 December: "inspected a selection of ZOS script results of EY to ensure that the password settings of mainframe system were in line with the password standard." (1) ZOS should be z/OS; (2) z/OS is a [proper] noun and is best explained in the glossary; (3) "script results of EY" is hard for a layperson to understand; please consider whether it can be revised. The same applies to Linux, AIX and Windows. Feedback: revised. 6.4.16 z/OS: "For a selection of in-scope mainframe systems, inspected the passwords settings to determine whether they were configured according to the password standard." The corresponding Chinese is changed to: "Obtained and inspected the mainframe system user password configuration and confirmed that it complies with the password configuration standard." 6.4.18 AIX: "For a selection of in-scope open platform systems to determine whether they were configured according to the password standard." The corresponding Chinese is changed to: "Obtained and inspected the open system user password configuration and confirmed that it complies with the password configuration standard." 6.4.20 Windows: "For a selection of in-scope WIN platform systems to determine whether they were configured according to the password standard." The corresponding Chinese is changed to: "Obtained and inspected the WIN system user password configuration and confirmed that it complies with the password configuration standard."

"Using open platform management system (SAS, Server Automation System) to manage the access to all the AIX systems and a portion of the Linux systems (the [...] systems). The [...] systems are connected to SAS." (1) The sentence is incomplete; it seems to have no verb and no subject. (2) Linux is a [proper] noun and is best explained in the glossary. (3) Would it be better to replace "Using" with "deploys"? Feedback: 6.4.17 revised as follows. (1), (3): "The Data Center deploys Server Automation System (SAS, Server Automation System) to manage the access to all the AIX systems and a portion of the Linux systems (the [...] systems)." (2): "Linux: A Computer Operating System".

"The Data Center establishes performance and capacity management procedures to specify the process of performance and capacity plan setting, indicators monitoring and analysing, and performance and capacity plan adjusting." Can "plan setting" be read as plan formulation? Feedback: "plan setting" means plan formulation. For better understanding, 6.3.1 is revised to: "The Data Center establishes performance and capacity management procedures to specify the process of performance and capacity plan formulating, indicators monitoring and analysing, and performance and capacity plan adjusting."

The control objective on data migration has now been removed, but data migration will still occur during the assessment period and in the future, for example the MUREX go-live. This is a change activity (changes include batch project go-lives, production system go-lives, major version upgrades, architecture adjustments, migrations and decommissioning, and other changes that affect production systems); the migration simply takes place in the Data Center. We suggest that the Information Technology Department consider whether some content should be retained as appropriate. Feedback: the IT Department is asked to give its opinion.

"Teams of the Data Center using external IT service perform monthly evaluations of the quality of work and the on-site performance of the external IT service employees, which serves as a basis for their assessment." (1) Three "of"s make the relationships somewhat hard to follow. (2) It is not obvious what "which" refers to (the act of evaluating?). Feedback: 6.2.9 revised as follows: "The performance of external service personnel was assessed from two aspects: 1) the on-site performance of the personnel; 2) monthly evaluation given by the Data Center team that uses the external IT service."

"The Data Center monitors performance and capacity indicators in real time or periodic basis." Should "periodic basis" be "on periodic basis" (not "in")? Feedback: 6.3.3 revised as follows: "The Data Center monitors performance and capacity indicators in real time or on a periodic basis."

"on-site inspected users system right, on-site observed the connection of these terminals to [...]". "on-site" is mostly used as an adjective; following it with a verb is uncommon. Please reconsider. Feedback: revised; in similar sentences "on-site" has been moved to the end of the sentence and used as an adjective, e.g. "Inspected users system right on-site; observed the connection of these terminals on-site".

"For a selection of systems, logged in to the systems with an overseas branch (or affiliate) application user ID, inspected the application data that was accessible to the user, ensure that the user could only access data from his/her own organization by matching the branch (or affiliate) code of the user and the branch (or affiliate) code of the data accessed." "overseas branch (or affiliate) application user ID" reads like a literal translation from Chinese. Feedback: 6.4.4 revised as follows: "For a selection of application systems, logged in to the applications with an overseas branch (or affiliate) user ID, inspected the application data that was accessible to the user to determine whether user could only access data from his/her own organization by matching the branch (or affiliate) code of the user and the branch (or affiliate) code of the data accessed."

"The Data Center deletes the users ID as the user termination." (1) "The" seems unnecessary, since it is not a specific reference. (2) The meaning is unclear: the Data Center deletes the user ID as the user's termination? Should "as" introduce an adverbial clause? Feedback: 6.4.6 revised as follows: "The Data Center deletes the users ID as the user terminates employment in the Data Center."

"inquired of the Data Center management about the desensitization procedure of production data as using the production data for testing." Is the usage "as using the production data for testing" correct? Does "as" need to introduce a clause, or consider "inquired of the Data Center management about the desensitization procedure of production data as using the production data for testing"? Feedback: 6.6.7 revised as follows: "Inquired of the Data Center management about the desensitization procedure of production data used for testing."

"Selected servers from the Data Center network topology diagram, observed on-site and confirmed that the servers were all deployed at the positions specified in the topology diagram." The test method is slightly hard to understand: does the topology diagram already mark which server (by name) is connected to a specific switch port, with on-site verification that the port is cabled to that server? Feedback: we recommend no change. This has been [discussed] with the Data Center, which confirmed that consistency between the actual situation and the topology diagram can be confirmed by comparing the servers' positions in the topology diagram with an on-site check of how the servers are deployed in the actual environment.

"The Data Center establishes review procedure to review system user accounts and user activities weekly. The Data Center team which authorized user account is responsible to review the appropriateness of user account and user activities weekly." The description is not fully consistent with the Chinese: the Data Center has established a regular review process for system user activities; the [...] team spot-checks the operations of system IDs every week, including whether the users are appropriate and whether user operations are compliant, and promptly investigates or reports any [non-compliant] operations or abnormal events found. The English implies a full check. Feedback: 6.4.14 revised as follows: "The Data Center establishes review procedure to review system user accounts and user activities weekly. The Data Center team which authorized the user accounts is responsible to conduct weekly sample check of the user account and user activities."

"The Data Center implements [access] control of the mainframe system through the RACF security management component. RACF controls users' rights on the mainframe system by controlling the association between the user set and the role set. In addition, through the mainframe database, through (?) controlling the association between the role set and the database set, control of different roles' rights over database resources can be achieved. After logging in to the mainframe system, users can [access] the database resources within their rights." Besides the association between the user set and the role set, there is also the association between the role set and the protected resources; the two associations together implement complete role-based control: user, role, resource. Feedback: revised. 6.4.15 reads: "The Data Center implements [access] control of the mainframe system through the RACF security management component. RACF controls users' rights on the mainframe system by controlling the association between the user set and the role set. In addition, the mainframe database controls the association between the role set and the database set, so that the [access] rights of different roles to database resources can be controlled."

"Observed the RACF profiles to ensure that RACF security management module was deployed to control access right of mainframe system." Feedback: revised. 6.4.15 reads: "Observed the RACF profiles to determine whether RACF security management module was deployed to manage the control access right to mainframe systems."

"Inspected the analysis on IT security and implementation suggestions of overseas IT systems integration project in BOC (Asia Pacific regions) to ensure that BOC encrypted the Vital level data was encrypted by algorithm of RSA (2048 key), 3DES (128 key) or AES (128 key)." (1) Seems not fully consistent with the Chinese version: "Obtained and inspected the special analysis and implementation suggestions for BOC's overseas system integration project (Asia Pacific batch)". Feedback: revised. 6.6.10 reads: "Inspected the IT security analysis and implementation suggestions of overseas IT systems integration project of BOC (Asia Pacific regions) to determine whether the Vital level data was encrypted by algorithm of RSA (2048 key), 3DES (128 key) or AES (128 key)."

"Obtained and inspected the special analysis and implementation suggestions for BOC's overseas system integration project (Asia Pacific batch), and confirmed that BOC encrypted "Vital" data using RSA 2048-bit, 3DES 128-bit or AES 128-bit algorithms." Inspecting the document alone makes it hard to conclude that the suggested controls have been implemented; presumably this is a requirement. Feedback: revised. 6.6.10 reads: "Obtained and inspected the special analysis and implementation suggestions for BOC's overseas system integration project (Asia Pacific batch), and confirmed that BOC requires hardware encryption machines to encrypt "Vital" level data, with RSA 2048-bit, 3DES 128-bit or AES 128-bit as the encryption algorithm."

"Only [...] can [access] the log files, to prevent the logs from being [tampered with], deleted or overwritten." This description reads like a control objective rather than a control measure. Feedback: revised. 6.9.7: deleted "to prevent the logs from being [tampered with], deleted or overwritten" and deleted the corresponding content in the English part.

"Controls provide reasonable assurance that data is regularly backed up, backup storage media is clearly identified in safe place which can be accessed only by authorized employees and backup data recovery testing is performed on a regular basis." "backup storage media is clearly identified in safe place" seems inconsistent with the Chinese "备份介质被明确标识并保存于安全场所" (backup media are clearly labelled and stored in a safe place); being labelled in a safe place does not imply being stored in a safe place. Feedback: 6: Control Objective 8 revised as follows: "Controls provide reasonable assurance that data is regularly backed up, backup storage media is clearly labeled and stored in safe place which can be accessed only by authorized employees. Backup data recovery testing is performed on a regular basis."

"The anti-virus software of the terminal are synchronised with the virus database of the anti-virus server to ensure that the virus database version of the terminal keeps being updated." Inconsistent with the Chinese version; the "daily" frequency is not expressed. Feedback: 6.4.28 revised as follows: "The anti-virus software of the terminal are synchronized daily with the virus database of the anti-virus server to ensure that the virus database version of the terminal keeps being updated." Corresponding Chinese: "The Data Center's terminal anti-virus [software] synchronises daily with the virus database of the anti-virus server to ensure that the terminal virus database version is kept updated."

New suggestions added on 30 December 2014: "The Data Center deploys [...] control [...] server to implements the security strategy of [...] to WIN platform systems". Feedback: agreed; 6.4.19 revised.

"The Data Center deploys firewalls, IDS, IPS, monitoring tool for network anomaly and other security devices to detect and prevent network virus." Not fully consistent with the Chinese: the Data Center has deployed [firewalls], IDS, IPS, network anomaly [monitoring] tools and so on to monitor and block network intrusions. What is the relationship between "monitoring tool" and firewalls, IDS and IPS? IDS, IPS and firewalls are themselves network anomaly [monitoring] tools. Feedback: 6.4.27 revised as follows: "The Data Center deploys firewalls, IDS, IPS, and other security devices to detect and prevent network virus."

"The Data Center inspects the changed network device configuration on a weekly basis to ensure the configuration meet the configuration requirements." "network device configuration" reads like a literal translation from Chinese and is uncommon; it occurs many times. Feedback: 6.4.23 revised as follows: "The Data Center inspects the changed configuration settings of network devices on a weekly basis to ensure the configuration meet the configuration requirements." Also, "network device configuration" throughout the text is changed to "configuration settings of network devices".

"Inquired of the Data Center management about the deployment of the devices for protecting network virus and the monitoring and response to devices." (1) "protecting" has several meanings; could it be misread here as protecting the virus? (2) "and the monitoring": which preceding word is "monitoring" parallel to? If "protecting", there should be no "the" before it; from the Chinese it should be parallel to "deployment", but it is not a gerund there. (3) "and response": "response" is a noun; which preceding word is it parallel to? Feedback: 6.4.27 revised as follows: "Inquired of the Data Center management about the deployment of network anti-malware devices, as well as device monitoring and response activities." Corresponding Chinese: "Inquired of Data Center management about the deployment of network anti-malware devices, and about the monitoring of and response to those devices."

"The employee on duty of computer room monitoring records the requestors information and the requestor is authorized by telephone." Not fully consistent with the Chinese: the [personnel] on duty in the computer room monitoring room register it and note that the [request] was [authorized by] telephone. "the requestor is authorized by telephone" states a fact on its own (the requestor was [authorized by] telephone) and is parallel to "The employee on duty of computer room monitoring records the requestors information". Feedback: 6.11.9 revised as follows: "The employee on duty of computer room monitoring records the requestors information. The requestor was authorized by telephone was clearly shown in the records." Obse
