---
title: "Security and Compliance"
type: concept
tags: [security, compliance, itsm]
date: 2025-03-01
---

## Definition

Security and Compliance Management is one of the core processes of [[ITSM]]. Through [[Zero-Trust-Architecture]], automated risk assessment, [[Policy-as-Code]] and similar means, it ensures that IT services meet security and regulatory requirements.

## Security & Compliance Framework

```
┌─────────────────────────────────────────────────────────────┐
│              Security & Compliance Management               │
├─────────────────────────────────────────────────────────────┤
│  ┌───────────────┐  ┌───────────────┐  ┌───────────────┐    │
│  │  Zero Trust   │  │ Risk Scoring  │  │  Compliance   │    │
│  │ Architecture  │  │  (Automated)  │  │  Automation   │    │
│  └───────────────┘  └───────────────┘  └───────────────┘    │
│          ↓                  ↓                  ↓            │
│  ┌─────────────────────────────────────────────────────┐    │
│  │            AI-based Threat Intelligence             │    │
│  │  Behavior Analysis │ Anomaly Detection │ Response   │    │
│  └─────────────────────────────────────────────────────┘    │
└─────────────────────────────────────────────────────────────┘
```

## Modern Security & Compliance (ITSM 2.0)

In [[ITSM 2.0]], security and compliance are driven by AI and automation:

### Key Components

| Component | Description | Technology |
|------|------|------|
| [[Zero-Trust-Architecture]] | Never trust, always verify | IAM, MFA, micro-segmentation |
| Automated Risk Scoring | Automated risk assessment | ML models |
| AI Threat Intelligence | AI-driven threat intelligence | Behavioral analysis |
| [[Policy-as-Code]] | Compliance automation | OPA, Sentinel |
| Compliance Automation | Audit automation | Continuous monitoring |

### Automated Compliance Pipeline

```
Code       →  Policy Check  →  Security Scan  →  Compliance Report  →  Audit
 ↓             ↓                ↓                 ↓                     ↓
Git hooks     OPA              SAST/DAST         Auto-generate         Evidence
              PaC              Security          Report                Pack
```

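As an added example (not part of this note or of any linked project), the following Python sketch shows the Policy Check → Compliance Report → Audit stages of the pipeline above as a fail-closed gate. The policies, the resource manifest and the framework mapping are constructed for illustration, and the rules are written as plain Python functions rather than in OPA/Rego or Sentinel.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Callable

@dataclass
class Policy:
    id: str
    description: str
    framework: str                 # illustrative mapping only, e.g. "ISO-27001"
    check: Callable[[dict], bool]  # returns True when the config satisfies the rule

# Constructed resource manifest standing in for the IaC/cloud config under review.
SAMPLE_CONFIG = {
    "storage_bucket": {"name": "app-logs", "public_access": True},
    "iam_user": {"name": "deploy", "mfa_enabled": True},
    "database": {"name": "prod-db", "encryption_at_rest": "none"},
}

# Hypothetical policies; a real pipeline would express these in OPA/Rego or Sentinel.
POLICIES = [
    Policy("STG-001", "Buckets must not allow public access", "ISO-27001",
           lambda c: not c["storage_bucket"]["public_access"]),
    Policy("IAM-001", "Users must have MFA enabled (never trust, always verify)", "SOC 2",
           lambda c: c["iam_user"]["mfa_enabled"]),
    Policy("ENC-001", "Data stores must be encrypted at rest", "HIPAA",
           lambda c: c["database"]["encryption_at_rest"] != "none"),
]

def evaluate(config: dict, policies=POLICIES) -> list:
    """Policy Check stage: run every rule and record one pass/fail finding each."""
    return [{"policy": p.id, "framework": p.framework, "description": p.description,
             "passed": bool(p.check(config))} for p in policies]

def build_evidence_pack(config: dict, findings: list) -> dict:
    """Compliance Report / Audit stage: bind the findings to a hash of the exact
    configuration that was evaluated, so an auditor can verify what was assessed."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return {"config_sha256": hashlib.sha256(canonical).hexdigest(),
            "findings": findings,
            "compliant": all(f["passed"] for f in findings)}

def gate(config: dict) -> tuple:
    """Pipeline gate: fail closed, i.e. block the change, when any policy fails."""
    pack = build_evidence_pack(config, evaluate(config))
    return pack["compliant"], pack

if __name__ == "__main__":
    ok, pack = gate(SAMPLE_CONFIG)
    print(json.dumps(pack, indent=2), "\nGATE:", "PASS" if ok else "BLOCK")
```

With the sample manifest the gate blocks the change because the public bucket and the unencrypted database fail, while the MFA rule passes; the evidence pack carries the hash of the exact configuration assessed.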
## Key Frameworks & Standards

| Framework | Description |
|------|------|
| [[ISO-27001]] | Information security management system |
| [[GDPR]] | EU data protection |
| [[HIPAA]] | Healthcare data protection |
| SOC 2 | Service organization controls |

## Related Concepts

- [[ITSM]] — parent framework
- [[Zero-Trust-Architecture]] — Zero Trust architecture
- [[Policy-as-Code]] — policy as code
- [[Cloud-Security]] — cloud security
- [[Data-Governance]] — data governance

## Sources

- [[understanding-complete-itsm]] — Security & Compliance in Modern ITSM