Auto-sync: 2026-04-22 04:02

2026-04-22 04:03:04 +08:00
parent 24218550d2
commit de096f2f88
232 changed files with 16604 additions and 514 deletions
--- a/wiki/concepts/Security-and-Compliance.md
+++ b/wiki/concepts/Security-and-Compliance.md
@@ -0,0 +1,72 @@
+---
+title: "Security and Compliance"
+type: concept
+tags: [security, compliance, itsm]
+date: 2025-03-01
+---
+
+## Definition
+
+安全与合规管理（Security and Compliance）是[[ITSM]]的核心流程之一，通过[[Zero-Trust-Architecture]]、自动化风险评估和[[Policy-as-Code]]等手段，确保IT服务满足安全和监管要求。
+
+## Security & Compliance Framework
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│              Security & Compliance Management                │
+├─────────────────────────────────────────────────────────────┤
+│  ┌───────────────┐  ┌───────────────┐  ┌───────────────┐  │
+│  │ Zero Trust    │  │ Risk Scoring  │  │ Compliance    │  │
+│  │ Architecture  │  │ (Automated)   │  │ Automation    │  │
+│  └───────────────┘  └───────────────┘  └───────────────┘  │
+│           ↓                ↓                  ↓              │
+│  ┌─────────────────────────────────────────────────────┐   │
+│  │              AI-based Threat Intelligence           │   │
+│  │   Behavior Analysis │ Anomaly Detection │ Response   │   │
+│  └─────────────────────────────────────────────────────┘   │
+└─────────────────────────────────────────────────────────────┘
+```
+
+## Modern Security & Compliance (ITSM 2.0)
+
+在[[ITSM 2.0]]中，安全与合规由AI和自动化驱动：
+
+### Key Components
+
+| 组件 | 描述 | 技术 |
+|------|------|------|
+| [[Zero-Trust-Architecture]] | 永不信任，始终验证 | IAM, MFA, 微分段 |
+| Automated Risk Scoring | 自动化风险评估 | ML Models |
+| AI Threat Intelligence | AI威胁情报 | Behavioral Analysis |
+| [[Policy-as-Code]] | 合规自动化 | OPA, Sentinel |
+| Compliance Automation | 审计自动化 | Continuous Monitoring |
+
+### Automated Compliance Pipeline
+
+```
+Code → Policy Check → Security Scan → Compliance Report → Audit
+  ↓         ↓             ↓              ↓              ↓
+ Git hooks  OPA       SAST/DAST     Auto-generate   Evidence
+            PaC       Security         Report          Pack
+```
+
+## Key Frameworks & Standards
+
+| 框架 | 描述 |
+|------|------|
+| [[ISO-27001]] | 信息安全管理体系 |
+| [[GDPR]] | 欧盟数据保护 |
+| [[HIPAA]] | 医疗健康数据保护 |
+| SOC 2 | 服务组织控制 |
+
+## Related Concepts
+
+- [[ITSM]] — 父框架
+- [[Zero-Trust-Architecture]] — 零信任架构
+- [[Policy-as-Code]] — 策略即代码
+- [[Cloud-Security]] — 云安全
+- [[Data-Governance]] — 数据治理
+
+## Sources
+
+- [[understanding-complete-itsm]] — Security & Compliance in Modern ITSM