Lesson 1
Network and infrastructure security: segmentation, firewalls, IDS/IPS, cloud security group best practices
Explains how to protect networks and cloud infrastructure for SaaS. Covers segmentation, firewalls, security groups, IDS/IPS, bastion access, and hardening of management planes while aligning with shared responsibility models.
- Network zoning and tenant segmentation
- Firewall and security group rule design
- Secure remote admin and bastion patterns
- IDS/IPS deployment and tuning basics
- Cloud provider network security features

Lesson 2
Access control and identity management: strong authentication, least privilege, role-based access control
Explains how to design access control for SaaS platforms using strong authentication and least privilege. Describes RBAC, ABAC, joiner-mover-leaver processes, and periodic access reviews aligned with ISO 27001 Annex A controls.
- Identity lifecycle and JML process design
- Strong authentication and MFA enforcement
- Role-based and attribute-based access models
- Least privilege and privileged access control
- Periodic access reviews and recertifications

Lesson 3
Incident management and response: detection, triage, containment, root cause analysis, communication
Explains the incident response lifecycle for SaaS environments. Describes detection, triage, containment, eradication, recovery, root cause analysis, communication, and post-incident improvement aligned with ISO 27035.
- Incident classification and severity levels
- Triage, containment, and evidence handling
- Eradication, recovery, and service restoration
- Root cause analysis and lessons learned
- Internal and external incident communication

Lesson 4
Cryptography and key management: encryption of data at rest and in transit, key lifecycle management
Covers cryptographic controls for SaaS data at rest and in transit. Describes algorithm choices, TLS configuration, key generation, storage, rotation, and separation of duties using HSMs or cloud key management services.
- Data at rest encryption for SaaS storage
- TLS configuration and data in transit security
- Key generation, storage, and rotation rules
- Use of HSMs and cloud KMS services
- Key access control, logging, and escrow

Lesson 5
Secure development and change management: secure SDLC, code review, dependency management, CI/CD security gates
Focuses on secure SDLC practices for SaaS products. Describes security requirements, threat modeling, code review, dependency management, CI/CD security gates, and controlled change management with proper approvals and rollback plans.
- Defining security requirements in the SDLC
- Threat modeling for cloud SaaS features
- Secure code review and pair review practices
- Dependency and open source risk management
- CI/CD security gates and change approvals

Lesson 6
Backup, recovery, and business continuity: backup strategy, recovery time/point objectives, testing
Explains how to design, implement, and test backup and recovery controls for SaaS workloads. Focuses on RPO/RTO, immutable backups, offsite storage, and alignment with business continuity and disaster recovery objectives.
- Defining RPO and RTO for SaaS services
- Backup scope, frequency, and retention rules
- Immutable, offsite, and geo-redundant backups
- Backup encryption, access control, and logging
- Backup restore drills and BC/DR test planning

Lesson 7
Logging, monitoring, and alerting: centralized logging, SIEM basics, retention, log integrity
Explains how to design centralized logging and monitoring for SaaS. Covers log sources, retention, integrity, SIEM setup, alert tuning, and dashboards that support detection, investigation, and compliance reporting requirements.
- Selecting and onboarding log sources
- Log normalization, parsing, and enrichment
- Log retention, protection, and integrity
- SIEM use cases and alert rule design
- Monitoring dashboards and KPIs for ISBs

Lesson 8
Third-party/vendor risk management: supplier assessment, contracts, SLA/security requirements
Covers lifecycle management of the vendors that support the SaaS service. Describes due diligence, risk assessments, contract clauses, SLAs, and ongoing monitoring to ensure third-party providers meet ISO 27001 and cloud security expectations.
- Supplier classification and criticality levels
- Security due diligence and risk assessments
- Contractual security, privacy, and audit clauses
- Defining and monitoring security SLAs
- Ongoing vendor monitoring and reassessment

Lesson 9
Endpoint and host security: EDR, hardening baselines, configuration management
Explains endpoint and host security for servers, containers, and administrative devices. Covers hardening baselines, EDR, configuration management, secure images, and compliance monitoring for cloud and on-premise assets.
- Hardening baselines for servers and VMs
- EDR deployment and alert triage basics
- Secure golden images and template control
- Configuration management and drift detection
- Admin workstation and jump host security

Lesson 10
Vulnerability and patch management: asset inventory, vulnerability scanning, prioritization, remediation SLAs
Explains how to run a structured vulnerability management program. Covers asset inventory, vulnerability scanning, risk-based prioritization, remediation SLAs, exception handling, and reporting to management and auditors.
- Building and maintaining asset inventories
- Vulnerability scanning for cloud workloads
- Risk-based prioritization and scoring
- Patch deployment windows and SLAs
- Exception handling and risk acceptance