
Cloud Config: CNGMPComplianceCheck

Last Updated: Nov 18, 2025

Enterprises and organizations that use computerized systems in the pharmaceutical manufacturing industry must comply with the guidelines for computerized systems in the Good Manufacturing Practice (GMP) for Drugs standard when cloud services are used. The CNGMPComplianceCheck compliance package template provides the relationships between the details of the standard and the settings of Alibaba Cloud products. This topic describes the default rules of the CNGMPComplianceCheck compliance package template.

Rule name | Rule description | Requirement No. | Requirement description

Enable an ActionTrail global trail

If an active trail exists in ActionTrail and all types of events that are generated in all regions are tracked, the evaluation result is considered compliant. If the administrator of a resource directory has created a trail that applies to all members, the evaluation result is considered compliant.

  • 2.3

  • 5.16

  • 5.21

Risk management must span the entire lifecycle of a computerized system. Patient safety, data integrity, and product quality must be taken into account. As part of quality risk management, the required verification scope and control level of data integrity must be confirmed based on your written risk evaluation result. A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing piece of core data, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. You must develop an operation guide on how to process system failures or damages. You can verify the content of the operation guide if necessary. All incidents, including system failures and data faults, must be recorded and evaluated. You must investigate major incidents, identify the root causes of the incidents, and take the required corrective measures and preventive measures.

Using Security Center Enterprise Edition

If Security Center Enterprise Edition or a more advanced edition is used, the evaluation result is considered compliant.

  • 2.3

  • 5.21

Risk management must span the entire lifecycle of a computerized system. Patient safety, data integrity, and product quality must be taken into account. As part of quality risk management, the required verification scope and control level of data integrity must be confirmed based on your written risk evaluation result. You must develop an operation guide on how to process system failures or damages. You can verify the content of the operation guide if necessary. All incidents, including system failures and data faults, must be recorded and evaluated. You must investigate major incidents, identify the root causes of the incidents, and take the required corrective measures and preventive measures.

Ensure Security Center protection is enabled for running ECS instances

You can install a Security Center agent on an Elastic Compute Service (ECS) instance to provide security protection services. If a Security Center agent is installed on each ECS instance, the evaluation result is considered compliant. The rule takes effect only for the ECS instances that are running.

4.7

You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity.

Running ECS instances are free of unpatched vulnerabilities

If no unfixed vulnerabilities of a specific type or a specific level are detected by Security Center on an ECS instance, the evaluation result is considered compliant. The rule takes effect only for the ECS instances that are running.

4.7

You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity.

An ECS instance's status is not Stopped

If no ECS instance is in the Stopped state, the evaluation result is considered compliant.

4.7

You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity.

Idle Elastic IP Addresses

If each elastic IP address (EIP) is attached to an ECS instance or a NAT gateway, the evaluation result is considered compliant.

4.7

You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity.

Identify unused security groups

If at least one ECS instance is added to each security group, the evaluation result is considered compliant.

4.7

You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity.

Enable log backup for RDS instances

If the log backup feature is enabled for each ApsaraDB RDS instance, the evaluation result is considered compliant.

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements: 2. Ensure the data security using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data. 3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop an emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

The log backup retention for PolarDB clusters meets the specified requirements

If the retention period for the log backups of each PolarDB cluster is no less than the specified number of days, the evaluation result is considered compliant. Default value: 30. Unit: days. If the log backup feature is disabled or the backup retention period is less than the specified number of days, the evaluation result is considered non-compliant.

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements: 2. Ensure the data security using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data. 3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop an emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Enable incremental backup for Redis instances

If the incremental backup feature is enabled for each ApsaraDB for Redis instance, the evaluation result is considered compliant. The rule takes effect only for Tair instances.

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements: 2. Ensure the data security using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data. 3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop an emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Enable automatic backups for Elasticsearch instances

If the automatic backup feature is enabled for each Elasticsearch cluster, the evaluation result is considered compliant.

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements: 2. Ensure the data security using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data. 3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop an emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Enable log backup for ADB clusters

If the log backup feature is enabled for each AnalyticDB cluster, the evaluation result is considered compliant.

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements: 2. Ensure the data security using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data. 3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop an emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

MongoDB instances have log backup enabled

If the log backup feature is enabled for each ApsaraDB for MongoDB instance, the evaluation result is considered compliant.

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements: 2. Ensure the data security using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data. 3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop an emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Create a backup plan for a NAS file system

If a backup plan is created for each File Storage NAS file system, the evaluation result is considered compliant.

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements: 2. Ensure the data security using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data. 3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop an emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Create an automatic snapshot policy for an ECS disk

If an automatic snapshot policy is specified for each ECS disk, the evaluation result is considered compliant.

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements: 2. Ensure the data security using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data. 3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop an emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Database backup is enabled on OceanBase clusters

If the database backup feature is enabled for each ApsaraDB for OceanBase cluster, the evaluation result is considered compliant.

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements: 2. Ensure the data security using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data. 3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop an emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

OSS Bucket Versioning Enabled

If the versioning feature is disabled, data may fail to be restored when the data is overwritten or deleted. If the versioning feature is enabled, the evaluation result is considered compliant.

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements: 2. Ensure the data security using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data. 3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop an emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

OSS buckets have zone-redundant storage enabled

If the zone-redundant storage (ZRS) feature is disabled, Object Storage Service (OSS) cannot provide consistent services and ensure data recovery when a data center becomes unavailable. If the ZRS feature is enabled for each OSS bucket, the evaluation result is considered compliant.

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements: 2. Ensure the data security using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data. 3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop an emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

DTS sync tasks require SSL encryption for connections to the source and destination databases

If SSL secure connections are used for the source and destination databases of each synchronization task on a Data Transmission Service (DTS) instance, the evaluation result is considered compliant. The rule takes effect only for synchronization tasks.

  • 4.9

  • 5.15

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected.

DTS migration jobs connect to source and destination databases using SSL

If SSL secure connections are used for the source and destination databases of each migration task on a DTS instance, the evaluation result is considered compliant. The rule takes effect only for migration tasks.

  • 4.9

  • 5.15

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected.

Check if TLS 1.3 is enabled for an accelerated domain name

If the Transport Layer Security (TLS) 1.3 protocol is enabled for each CDN domain name, the evaluation result is considered compliant.

  • 4.9

  • 5.15

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected.

Elasticsearch instances must use the HTTPS protocol

If HTTPS is enabled for each Elasticsearch instance, the evaluation result is considered compliant.

  • 4.9

  • 5.15

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected.

A Function Compute function is attached to a custom domain name that has a specific TLS version enabled

If each function in Function Compute is bound to a custom domain name and TLS of a specific version is enabled for the function, the evaluation result is considered compliant.

  • 4.9

  • 5.15

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected.

Enable SSL encryption for PolarDB clusters

If the SSL encryption feature is enabled for each PolarDB cluster, the evaluation result is considered compliant.

  • 4.9

  • 5.15

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected.

Enable SSL encryption for Redis instances

If SSL encryption is enabled for each ApsaraDB for Redis instance, the evaluation result is considered compliant.

  • 4.9

  • 5.15

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected.

API Gateway APIs with public network access must use HTTPS

If the request method of each API that allows Internet access in API Gateway is set to HTTPS, the evaluation result is considered compliant. The rule does not take effect for the APIs that allow only internal access.

  • 4.9

  • 5.15

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected.

SSL is enabled for RDS instances

If the SSL certificate feature is enabled in the data security settings of each ApsaraDB RDS instance, the evaluation result is considered compliant.

  • 4.9

  • 5.15

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure that they are correct. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected.

In-use ECS data disks are encrypted

If the encryption feature is enabled for each ECS data disk that is in use, the evaluation result is considered compliant.

5.19

If most of the data of an enterprise is digital, you must meet the following requirements: 2. Ensure data security by using physical or electronic methods and prevent the data from being intentionally or unintentionally damaged. If changes occur in a system, such as in computers or their applications, during daily operations and maintenance, you must check the accessibility and data integrity of the stored data. 3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard.

Enable TDE on RDS instances

If the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance, the evaluation result is considered compliant.

5.19

If most of the data of an enterprise is digital, you must meet the following requirements: 2. Ensure data security by using physical or electronic methods and prevent the data from being intentionally or unintentionally damaged. If changes occur in a system, such as in computers or their applications, during daily operations and maintenance, you must check the accessibility and data integrity of the stored data. 3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard.

Encryption is enabled for the VPN connection

If an encryption algorithm is enabled for each VPN connection, the evaluation result is considered compliant.

5.19

If most of the data of an enterprise is digital, you must meet the following requirements: 2. Ensure data security by using physical or electronic methods and prevent the data from being intentionally or unintentionally damaged. If changes occur in a system, such as in computers or their applications, during daily operations and maintenance, you must check the accessibility and data integrity of the stored data. 3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard.

Disk encryption is enabled on Elasticsearch instance data nodes

If disk encryption is enabled for the data nodes of each Elasticsearch cluster, the evaluation result is considered compliant.

5.19

If most of the data of an enterprise is digital, you must meet the following requirements: 2. Ensure data security by using physical or electronic methods and prevent the data from being intentionally or unintentionally damaged. If changes occur in a system, such as in computers or their applications, during daily operations and maintenance, you must check the accessibility and data integrity of the stored data. 3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard.

PolarDB clusters should have TDE enabled

If the TDE feature is enabled in the data security settings of each PolarDB cluster, the evaluation result is considered compliant.

5.19

If most of the data of an enterprise is digital, you must meet the following requirements: 2. Ensure data security by using physical or electronic methods and prevent the data from being intentionally or unintentionally damaged. If changes occur in a system, such as in computers or their applications, during daily operations and maintenance, you must check the accessibility and data integrity of the stored data. 3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard.

Enable TDE for Redis instances with a custom key

If a custom key is used to enable TDE for each ApsaraDB for Redis instance, the evaluation result is considered compliant.

5.19

If most of the data of an enterprise is digital, you must meet the following requirements: 2. Ensure data security by using physical or electronic methods and prevent the data from being intentionally or unintentionally damaged. If changes occur in a system, such as in computers or their applications, during daily operations and maintenance, you must check the accessibility and data integrity of the stored data. 3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard.

Enable data encryption on Simple Log Service Logstores

If data encryption is enabled for each Logstore in Simple Log Service, the evaluation result is considered compliant.

5.19

If most of the data of an enterprise is digital, you must meet the following requirements: 2. Ensure data security by using physical or electronic methods and prevent the data from being intentionally or unintentionally damaged. If changes occur in a system, such as in computers or their applications, during daily operations and maintenance, you must check the accessibility and data integrity of the stored data. 3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard.

ECS automatic snapshots are retained for the required number of days

If the auto snapshots of ECS instances are retained for a period no less than the specified number of days, the evaluation result is considered compliant. Default value: 7. Unit: days.

5.19

If most of the data of an enterprise is digital, you must meet the following requirements: 2. Ensure data security by using physical or electronic methods and prevent the data from being intentionally or unintentionally damaged. If changes occur in a system, such as in computers or their applications, during daily operations and maintenance, you must check the accessibility and data integrity of the stored data. 3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard.

RDS instances should have delete protection enabled

If the deletion protection feature is enabled for each RDS instance, the evaluation result is considered compliant. The rule does not take effect for subscription ApsaraDB RDS instances.

  • 5.17

  • 5.20

Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop an emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Delete Protection Is Enabled for PolarDB Clusters

If the deletion protection feature is enabled for each PolarDB cluster, the evaluation result is considered compliant. The rule does not take effect for subscription PolarDB clusters.

  • 5.17

  • 5.20

Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop an emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Release protection is enabled for ECS instances

If the release protection feature is enabled for each ECS instance, the evaluation result is considered compliant.

  • 5.17

  • 5.20

Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop an emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

HBase clusters have deletion protection enabled

If the deletion protection feature is enabled for each ApsaraDB for HBase cluster, the evaluation result is considered compliant. The rule does not take effect for subscription ApsaraDB for HBase clusters.

  • 5.17

  • 5.20

Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop an emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Enable release protection for MongoDB instances

If the release protection feature is enabled for each ApsaraDB for MongoDB instance, the evaluation result is considered compliant. The rule does not take effect for subscription MongoDB instances.

  • 5.17

  • 5.20

Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop an emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Release protection is enabled on Redis instances

If the release protection feature is enabled for each ApsaraDB for Redis instance, the evaluation result is considered compliant. The rule does not take effect for subscription ApsaraDB for Redis instances.

  • 5.17

  • 5.20

Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop an emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Release protection enabled for SLB instances

If the release protection feature is enabled for each Server Load Balancer (SLB) instance, the evaluation result is considered compliant.

  • 5.17

  • 5.20

Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop an emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

The CloudMonitor agent is installed on running ECS instances

If the CloudMonitor agent is installed on each running ECS instance and the agent is running as expected, the evaluation result is considered compliant. The rule takes effect only for the ECS instances that are running.

5.21

You must develop an operation guide on how to process system failures or damages. You can verify the content of the operation guide if necessary. All incidents, including system failures and data faults, must be recorded and evaluated. You must investigate major incidents, identify the root causes of the incidents, and take the required corrective measures and preventive measures.

Event logging is enabled for RDS instances

If the event history feature is enabled for each ApsaraDB RDS instance, the evaluation result is considered compliant.

5.16

A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing piece of core data, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded.

MFA enabled for the Alibaba Cloud account

If multi-factor authentication (MFA) is enabled for each Alibaba Cloud account, the evaluation result is considered compliant.

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

MFA for RAM users

If MFA is enabled in the logon settings of each Resource Access Management (RAM) user that is allowed to access consoles, the evaluation result is considered compliant.

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

OSS bucket ACLs cannot be set to public-read-write

If the access control list (ACL) policy of each OSS bucket denies read and write access from the Internet, the evaluation result is considered compliant.

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

An OSS bucket must not grant permissions to anonymous accounts

If no read and write permissions are granted to anonymous accounts in each authorization policy that is configured for an OSS bucket, the evaluation result is considered compliant. If no authorization policy is configured for each OSS bucket, the evaluation result is considered compliant.

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

An ECS instance has an instance RAM role attached

If a RAM role is assigned to each ECS instance, the evaluation result is considered compliant.

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

A service role is bound to Function Compute

If a service-linked role is configured for Function Compute, the evaluation result is considered compliant. This rule prevents the AccessKey pairs of an Alibaba Cloud account from being exposed to security risks.

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

RRSA is enabled on ACK clusters

If the RAM Roles for Service Accounts (RRSA) feature is enabled for each Container Service for Kubernetes (ACK) cluster, the evaluation result is considered compliant. RRSA ensures pod-based API access isolation. This way, you can implement fine-grained isolation of access permissions on cloud resources and reduce security risks.

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

Separating human and programmatic access for RAM users

If only one of the console access and API access features is enabled for each RAM user, the evaluation result is considered compliant.

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

Authentication is required for MSE clusters with public network access

If authentication is enabled for each Microservices Engine (MSE) cluster that allows public access, the evaluation result is considered compliant. If each MSE cluster denies public access, the evaluation result is considered compliant.

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

No idle RAM user AccessKeys

If the period between the most recent time when each RAM user used an AccessKey pair and the current time is less than the specified number of days, the evaluation result is considered compliant. Default value: 90. Unit: days.

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

The RAM user password policy is compliant

If the settings of the password policies that are configured for each RAM user meet the specified values, the evaluation result is considered compliant.

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

Checks whether a RAM user has logged in within a specified period

If each RAM user logged on to the system at least once within the previous 90 days, the evaluation result is considered compliant. If a RAM user was updated within the previous 90 days, the evaluation result is considered compliant regardless of whether the RAM user recently logged on to the system. The rule takes effect only for RAM users for which the console access feature is enabled.

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

Rotate RAM user AccessKeys after a specified period

If the period between the time when the AccessKey pair of each RAM user was created and the current time is no more than the specified number of days, the evaluation result is considered compliant. Default value: 90. Unit: days.

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

Enable the audit log for Redis instances

A Redis instance is considered compliant if audit logs are enabled. This rule does not apply to instance versions that do not support audit logs. They are considered not applicable.

5.16

A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing piece of core data, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded.

Audit logging is enabled for MongoDB clusters

If the audit logging feature is enabled for each MongoDB instance, the evaluation result is considered compliant.

5.16

A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing piece of core data, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded.

OSS Bucket Logging Enabled

If the logging feature is enabled for each OSS bucket on the Logs page, the evaluation result is considered compliant.

5.16

A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing piece of core data, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded.

WAF Instance Logging Enabled

If the log collection feature is enabled for each domain name that is protected by Web Application Firewall (WAF) V2.0, the evaluation result is considered compliant.

5.16

A computerized system must record the identity of each operator who inputs or verifies core data. Only authorized operators can modify entered data. Each time an operator modifies an existing piece of core data, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation, so that data inputs and modifications are recorded.

The SQL audit log retention period for an RDS instance meets the specified requirement

If the SQL explorer and audit feature is enabled for each ApsaraDB RDS for MySQL instance and the retention period of the SQL audit logs of the instance is longer than or equal to the specified number of days, the evaluation result is considered compliant. Default value: 180. Unit: days.

5.16

A computerized system must record the identity of each operator who inputs or verifies core data. Only authorized operators can modify entered data. Each time an operator modifies an existing piece of core data, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation, so that data inputs and modifications are recorded.

SQL Audit Logging Enabled for ADB Clusters

If the SQL explorer and audit feature is enabled for each AnalyticDB for MySQL cluster, the evaluation result is considered compliant.

5.16

A computerized system must record the identity of each operator who inputs or verifies core data. Only authorized operators can modify entered data. Each time an operator modifies an existing piece of core data, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation, so that data inputs and modifications are recorded.

Enable access logs for SLB instances

If the access log feature is enabled for each SLB instance, the evaluation result is considered compliant. The rule takes effect only for SLB instances for which Layer 7 monitoring is enabled.

5.16

A computerized system must record the identity of each operator who inputs or verifies core data. Only authorized operators can modify entered data. Each time an operator modifies an existing piece of core data, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation, so that data inputs and modifications are recorded.

Enable multi-zone deployment for RDS instances

If each ApsaraDB RDS instance uses the multi-zone architecture, the evaluation result is considered compliant.

5.20

You must develop an emergency response plan and launch the plan when a system is damaged. How quickly the plan is launched depends on the emergency level of the issue that requires it. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Redis instances use multi-zone deployment

If each ApsaraDB for Redis instance uses the multi-zone architecture, the evaluation result is considered compliant.

5.20

You must develop an emergency response plan and launch the plan when a system is damaged. How quickly the plan is launched depends on the emergency level of the issue that requires it. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Ensure SLB instances are multi-zone

If each SLB instance uses the multi-zone architecture, the evaluation result is considered compliant.

5.20

You must develop an emergency response plan and launch the plan when a system is damaged. How quickly the plan is launched depends on the emergency level of the issue that requires it. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Require multi-zone ALB instances

If each ALB instance uses the multi-zone architecture, the evaluation result is considered compliant. If an ALB instance is deployed in only one zone and a failure occurs on the instance, business may be disrupted.

5.20

You must develop an emergency response plan and launch the plan when a system is damaged. How quickly the plan is launched depends on the emergency level of the issue that requires it. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Use multi-zone MongoDB instances

If each MongoDB instance uses the multi-zone architecture, the evaluation result is considered compliant.

5.20

You must develop an emergency response plan and launch the plan when a system is damaged. How quickly the plan is launched depends on the emergency level of the issue that requires it. For example, information that affects the recall of products must be obtained at the earliest opportunity.

An Auto Scaling group must be associated with at least two vSwitches

If at least two vSwitches are associated with each scaling group, the evaluation result is considered compliant.

5.20

You must develop an emergency response plan and launch the plan when a system is damaged. How quickly the plan is launched depends on the emergency level of the issue that requires it. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Configure multiple zones for an endpoint service

If multiple zones are configured for each endpoint service, the evaluation result is considered compliant.

5.20

You must develop an emergency response plan and launch the plan when a system is damaged. How quickly the plan is launched depends on the emergency level of the issue that requires it. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Create a Hot Standby Cluster for a PolarDB Cluster

If the hot standby cluster feature is enabled for each PolarDB cluster and data of the cluster is distributed across multiple zones, the evaluation result is considered compliant.

5.20

You must develop an emergency response plan and launch the plan when a system is damaged. How quickly the plan is launched depends on the emergency level of the issue that requires it. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Adding resources from multiple zones to an SLB vServer group

If the associated resources of the vServer groups of each SLB instance are distributed across multiple zones, the evaluation result is considered compliant. The rule takes effect only for SLB instances whose vServer groups have associated resources.

5.20

You must develop an emergency response plan and launch the plan when a system is damaged. How quickly the plan is launched depends on the emergency level of the issue that requires it. For example, information that affects the recall of products must be obtained at the earliest opportunity.

ALB server groups should have resources distributed across multiple zones

If the associated resources of the server groups of each ALB instance are distributed across multiple zones, the evaluation result is considered compliant. The rule takes effect only for ALB instances whose server groups have associated resources.

5.20

You must develop an emergency response plan and launch the plan when a system is damaged. How quickly the plan is launched depends on the emergency level of the issue that requires it. For example, information that affects the recall of products must be obtained at the earliest opportunity.