经过3个月的奋斗,终于拿下来了PII!
申请过程
经历了一审,二审,七八次的来往case!
这里先把遇到的申请问题放出来,如果有人看,我把申请的过程后续也写出来
申请时候,这个中英文对照的网站帮了我不少 https://form.sp-api.net/ 所有问题中英文对照
一审问题
| 类型 | 问题原文 | 翻译 |
|---|---|---|
| 单选 | "Please select the option that best describes your organization Note that your answers represent your organization" | "请选择最能准确描述贵机构的选项。请注意,您的答复代表您所在的机构。" |
| 多选 | "Roles determine access to Selling Partner API. Role definitions can be found here Note: Restricted roles contain Personally Identifiable Information (PII) about Amazon Buyers, and you will be required to provide additional information about your data use and security controls." | "角色决定对销售伙伴 API 的访问权限。角色定义可以在 此处 中找到 请注意: 受限角色包含有关亚马逊买家的个人身份信息 (PII),而且您需要提供有关您的数据使用和安全控制的其他信息。" |
| 多选 | Which marketplaces do you intend to support? | 您打算支持哪些市场? |
| 填空 | Describe the application or feature(s) you intend to build using the functionality in the requested roles. | "描述您打算使用所请求角色中的功能来构建的应用程序或功能。" |
| 填空 | Describe why you require Personally Identifiable Information to build your application or feature. | 描述为什么您需要个人身份信息来构建您的应用程序或功能。 |
| 填空 | Describe how your application or feature(s) will benefit authorised users. | 描述您的应用程序或功能将如何使已授权用户受益。 |
| 单选 | Do you support online merchants today? | 您目前是否支持在线卖家? |
| 填空 | List the online channels that you support today | 列出您目前支持的在线渠道 |
| 单选 | How many employees does your organization have? | 贵公司有多少员工? |
| 单选 | "Do you intend to launch functionality requiring Personally Identifiable Information (PII) within 90 days?" | 您是否打算在90天内启动需要个人身份信息(PII)的功能? |
| 填空 | What differentiates your new feature/application from others applications in the category? | 您的新功能/应用程序与该分类中的其他应用程序有什么区别? |
| 填空 | Please describe any country-specific functionality that you provide. | 请描述您提供的任何国家/地区专属功能。 |
| 填空 | Please list the Amazon programs that you intend to support through your application or functionality. | 请列出您打算通过您的应用程序或功能支持的亚马逊计划。 |
| 单选 | Do you use network controls to prevent unauthorized access to Amazon Information? | 您是否使用网络控制来防止未经授权访问亚马逊信息? |
| 单选 | Do you restrict access to Amazon Information based on users’ job duties or business functions? | 您是否根据用户的工作职责或业务职能限制对亚马逊信息的访问? |
| 单选 | Do you encrypt Amazon Information in transit? | 您是否在传输过程中加密亚马逊信息? |
| 单选 | Do you have an incident response plan that covers monitoring, detection, and response for potential threats and Security Incidents? | 您是否有涵盖潜在威胁和安全事件的监控、检测和响应的事件响应计划? |
| 单选 | Does your incident response plan include reporting security incidents involving Amazon Information to 3p-security@amazon.com? | 您的事件响应计划是否包括向 3p-security@amazon.com 报告涉及亚马逊信息的安全事件? |
| 单选 | Are minimum password requirements established for personnel and systems? | 是否为人员和系统建立了最低密码要求? |
| 单选 | Are credentials (passwords, encryption keys, secret access keys) stored securely? In other words, you avoid keeping credentials in public repositories, sharing credentials, or hard coding credentials into applications. | 凭证(密码、加密密钥、秘密访问密钥)是否安全存储? 换言之,您可以避免将凭证保存在公共存储库中、共享凭证或将凭证硬编码到应用程序中。 |
| 填空 | List all outside parties with whom your organisation shares Amazon Information and describe how your organisation shares this information. | 列出您的机构与之共享亚马逊信息的所有外部方,并描述您的组织如何共享此信息。 |
| 填空 | List all non-Amazon MWS sources where you retrieve Amazon Information. | 列出您检索亚马逊信息时发现的所有非亚马逊 MWS 来源。 |
| 单选 | How long do you retain Personally Identifiable Information data? | 您将个人身份信息数据保留多长时间? |
| 单选 | Do you have a privacy and data handling policy? | 您有隐私和数据处理政策吗? |
| 单选 | Do you encrypt Personally Identifiable Information at rest? | 您是否对静态的个人身份信息进行加密? |
| 单选 | Do you use fine-grained access controls to restrict to Personally Identifiable Information? | 您是否使用细化访问控制来限制个人身份信息? |
| 单选 | Do you use audit logs to detect and alert on Security Incidents? | 您是否使用审计日志来检测安全事件并发出提醒? |
| 单选 | Are application changes evaluated in a dedicated test environment before pushing to production? | 在投入生产之前,是否在专用测试环境中评估应用程序更改? |
| 单选 | Do you conduct routine checks (e.g. through vulnerability scanning or penetration tests) of the application and network components (including hardware) that interact with PII at least every 180 days? | 您是否至少每 180 天对与 PII 交互的应用程序和网络组件(包括硬件)进行例行检查(例如通过漏洞扫描或渗透测试)? |
| 单选 | Do you scan application code for vulnerabilities prior to each release? | 您是否在每次发布之前扫描应用程序代码以查找漏洞? |
| 单选 | Do you have a formal change management process which defines responsibilities for testing, verifying, and approving changes, and restricts access to who may perform these actions? | 您是否有正式的变更管理流程来定义测试、验证和批准变更的职责,并限制谁可以执行这些操作? |
| 填空 | Describe the network protection controls used by your organisation to restrict public access to databases, file servers and desktop/developer endpoints. | 描述您的组织用来限制对数据库、文件服务器和桌面/开发人员端点的公共访问的网络保护控制。 |
| 填空 | Describe how your organisation individually identifies employees who have access to Amazon Information and restricts employee access to Amazon Information on a need-to-know basis. | 描述您的组织如何单独识别有权访问亚马逊信息的员工,并在需要知道的基础上限制员工访问亚马逊信息。 |
| 填空 | Describe the mechanism your organisation has in place to monitor and prevent Amazon Information from being accessed from employee personal devices (such as USB flash drives, mobile phones) and how you are alerted in the event that such incidents occur. | 描述您的组织为监控和防止从员工个人设备(例如 USB 闪存驱动器、手机)访问亚马逊信息而采取的机制,以及在发生此类事件时您如何收到警报。 |
| 填空 | Provide your organisation's privacy and data-handling policies to describe how Amazon data is collected, processed, stored, used, shared and disposed of. You may provide this in the form of a public website URL. | 提供贵机构的隐私和数据处理政策,说明如何收集、处理、存储、使用、共享和处置亚马逊数据。您可以通过公共网站 URL 提供此信息。 |
| 填空 | Describe where your organisation stores Amazon Information at rest and provide details on any encryption algorithm used. | 描述您的机构存储静态亚马逊信息的位置,并提供关于所使用的任何加密算法的详细信息。 |
| 填空 | Describe how your organisation backs up or archives Amazon Information and provide details on any encryption algorithm used. | 描述您的机构如何备份或存档亚马逊信息,并提供所使用的所有加密算法的详细信息。 |
| 填空 | Describe how your organisation monitors, detects and logs malicious activity in your application(s). | 描述您的机构如何监控、检测和记录应用程序中的恶意活动。 |
| 填空 | Summarise the steps taken within your organisation's incident response plan to handle database hacks, unauthorised access, and data leaks. | 总结贵机构在事件应对计划中执行的步骤如何解决数据库入侵、未经授权的访问以及数据泄露问题。 |
| 填空 | How do you enforce password management practices throughout the organisation as it relates to required length, complexity (upper/lower case, numbers, special characters) and expiry period? | 在密码所需长度、复杂性(大写/小写、数字、特殊字符)和有效期方面,您如何在整个组织中强制实施这些密码管理实践? |
| 填空 | How is Personally Identifiable Information (PII) protected during testing? | 测试期间如何为个人身份信息 (PII) 提供保护? |
| 填空 | What measures are taken to prevent exposure of credentials? | 采取了哪些措施来防止凭证泄露? |
| 填空 | How do you track remediation progress of findings identified from vulnerability scans and penetration tests? | 您如何追踪在漏洞扫描和渗透测试中发现的问题的修复进度? |
| 填空 | How do you address code vulnerabilities identified in the development lifecycle and during runtime? | 您如何处理在开发生命周期和运行期间发现的代码漏洞? |
| 填空 | Who is responsible for change management and how is their access granted? Please specify job title. | 谁负责变更管理?如何授予他们访问权限? 请指定职务。 |
二审问题
以下是按照 Markdown 顺序展示的内容:
- Network and Data Flow
Q1: Please provide your network and data flow diagrams.
中文翻译:请提供您的网络和数据流图。 - System Components
Q2: Please walk through interaction sequence for system components that handle PII data.
中文翻译:请逐步说明处理 PII 数据的系统组件的交互顺序。 - Data Governance
Q3: Data Governance - Are employees required to acknowledge your Privacy and Data Handling Policies? Is Security awareness Training provided? Please provide your employee contract that addresses data Handling, NDA, acceptable use etc.
中文翻译:数据治理 - 员工是否需要确认您的隐私和数据处理政策?是否提供安全意识培训?请提供涉及数据处理、保密协议(NDA)、可接受使用等的员工合同。 Secure Coding Practices
**Q4: Secure Coding Practices - Walk us through the SDLC process from testing to production? Is coding done in-house? Please provide the following:- Screenshot of test environment with dummy data
- Provide your SDLC policy
- Walk us through the process of how code is reviewed prior to release
- Provide example of scanning code for vulnerabilities prior to each release**
中文翻译:安全编码实践 - 请逐步说明从测试到生产的软件开发生命周期(SDLC)流程?编码是否在内部完成?请提供以下内容: - 带有虚拟数据的测试环境截图
- 提供您的 SDLC 政策
- 逐步说明代码在发布前如何被审查
- 提供每次发布前扫描代码漏洞的示例。
Asset Management
**Q5: Asset Management - Do you maintain and update an inventory of software and physical assets? Walk us through who (specific job titles) is responsible for change management.- Please share your asset inventory (means of tracking hardware such as laptops and software).
- Who is responsible for change management?**
中文翻译:资产管理 - 您是否维护并更新软件和物理资产的清单?请逐步说明谁(具体职务)负责变更管理。 - 请分享您的资产清单(跟踪硬件如笔记本电脑和软件的方式)。
- 谁负责变更管理?
Network Protection
**Q6: Network Protection - Please walk us through the Network control configurations on Web layer, application layer and database layer?- Please attach screenshot evidence showing that you have network protection tools in place (e.g. [e.g. Firewalls, VPN, ACL, security groups, protection against web attacks such as DDOS, etc.) If in AWS, this would be VPC configuration, WAF, Shield, Security Group rules, ACL configuration, etc)**
中文翻译:网络保护 - 请逐步说明 Web 层、应用层和数据库层的网络控制配置? - 请附上截图证明您已部署网络保护工具(例如防火墙、VPN、ACL、安全组、针对 Web 攻击如 DDOS 的保护等)。如果在 AWS 中,这将是 VPC 配置、WAF、Shield、安全组规则、ACL 配置等。
- Please attach screenshot evidence showing that you have network protection tools in place (e.g. [e.g. Firewalls, VPN, ACL, security groups, protection against web attacks such as DDOS, etc.) If in AWS, this would be VPC configuration, WAF, Shield, Security Group rules, ACL configuration, etc)**
Encryption in Transit
**Q6: Encryption in Transit - What are the different internal and external data transfers that take place? How do you monitor them?- Please provide evidence that your application is configured to communicate through HTTPS (minimum TLS 1.2 or later), for example through TLS certificates. For AWS this can be shown through what minimum SSL/TLS protocol CloudFront is configured to support. and through the AWS Certificate Manager.**
中文翻译:传输加密 - 有哪些不同的内部和外部数据传输?您如何监控它们? - 请提供证据证明您的应用程序配置为通过 HTTPS(最低 TLS 1.2 或更高版本)进行通信,例如通过 TLS 证书。对于 AWS,这可以通过 CloudFront 配置支持的最低 SSL/TLS 协议以及 AWS 证书管理器来展示。
- Please provide evidence that your application is configured to communicate through HTTPS (minimum TLS 1.2 or later), for example through TLS certificates. For AWS this can be shown through what minimum SSL/TLS protocol CloudFront is configured to support. and through the AWS Certificate Manager.**
Encryption at Rest
**Q7: Encryption at rest - Where are you storing Amazon data [especially if beyond 30 days]? Can you walk us through the encryption set up?- Please provide the database configuration (e.g. system setting and/or script) showing that PII data is encrypted at rest with at least AES 256 level of protection.**
中文翻译:静态加密 - 您在哪里存储亚马逊数据(尤其是超过 30 天的数据)?请逐步说明加密设置。 - 请提供数据库配置(例如系统设置和/或脚本),显示 PII 数据在静态时至少使用 AES 256 级别保护进行加密。
- Please provide the database configuration (e.g. system setting and/or script) showing that PII data is encrypted at rest with at least AES 256 level of protection.**
Access Management
**Q8: Access Management - Can you give us an overview of how your access management is designed for your organization? e.g., how do you authenticate and authorize, or decide on permissions for each user? How often is access reviewed?- Please provide your Access Control Policy
- Please provide User Diagram/Org Chart or Access Control Matrix
- Please provide your User Access Review (for example recurring meeting minutes/memo or other means to track that a scheduled review of access is performed)**
中文翻译:访问管理 - 您能否概述您的访问管理设计?例如,您如何对用户进行身份验证和授权,或决定每个用户的权限?访问权限多久审查一次? - 请提供您的访问控制政策
- 请提供用户图/组织结构图或访问控制矩阵
- 请提供您的用户访问审查(例如定期会议记录/备忘录或其他跟踪访问审查的方式)。
Least Privileged Principle
**Q9: Least Privileged Principle - Walk us through how you decide on permission for each user? If a user tries to perform a function outside their assigned role, what happens?- Please show that the application has unique roles and permissions assigned to users.**
中文翻译:最小权限原则 - 请逐步说明您如何决定每个用户的权限?如果用户尝试执行超出其分配角色的功能,会发生什么? - 请展示应用程序为用户分配的唯一角色和权限。
- Please show that the application has unique roles and permissions assigned to users.**
Password Management
**Q10: What is the authorization model implemented to integrate with MWS/SP-APIs? How are you authenticating into the network and application environment?- Please provide a screenshot of your password settings for your application and network
- Additionally, please provide evidence of secure means of establishing connections (e.g. VPN, MFA, SSH connection to servers)
- Can you provide the Seller setup guide to authorize your application? This can be linked or attached in the case.**
中文翻译:密码管理 - 您实施了哪种授权模型以与 MWS/SP-API 集成?您如何验证进入网络和应用程序环境? - 请提供您的应用程序和网络的密码设置截图
- 此外,请提供建立安全连接的证据(例如 VPN、MFA、SSH 连接到服务器)
- 您能否提供卖家设置指南以授权您的应用程序?这可以链接或附加在案例中。
Data Retention
**Q11: Data Retention - How are you archiving and retrieving data on need-by basis? How do you delete data? Please show retention/deletion settings.- Please provide the scheduled job/task that deletes PII data after 30 days
- If data is moved to cold storage after 30 days, please provide this evidence showing the task and how it is encrypted.**
中文翻译:数据保留 - 您如何按需归档和检索数据?您如何删除数据?请展示保留/删除设置。 - 请提供删除 30 天后 PII 数据的计划任务/作业
- 如果数据在 30 天后移至冷存储,请提供显示该任务及其加密方式的证据。
Logging and Monitoring
**Q12: Logging and Monitoring - What type of logging and monitoring mechanism you have in-place. Walk us through how you detect unauthorized access to your systems and what type of mitigation plan you have when there is a suspicious activity. Are logs protected against tampering?- Please provide the log configurations showing the type of alerts and monitoring that occurs in your environment (e.g. database, network, APIs).
- Please show the log retention setting
- Please provide a screenshot of the users who have elevated access to logs?
- Do logs contain PII?**
中文翻译:日志记录和监控 - 您部署了哪种日志记录和监控机制?请逐步说明您如何检测对系统的未经授权访问,以及在发生可疑活动时的缓解计划。日志是否受到防篡改保护? - 请提供日志配置,显示环境中发生的警报和监控类型(例如数据库、网络、API)。
- 请展示日志保留设置
- 请提供具有提升日志访问权限的用户的截图
- 日志是否包含 PII?
Incident Response
**Q13: Incident Response - Walk through the Incident Response Plan. What notification mechanisms are in place to notify you about an incident?- Please provide your Incident Response Plan; it should include notice to security@amazon.com in event of incident involving data obtained through Amazon APIs.
- Please summarize the steps taken from incident notification to remediation.**
中文翻译:事件响应 - 请逐步说明事件响应计划。有哪些通知机制用于通知您事件的发生? - 请提供您的事件响应计划;它应包括在涉及通过亚马逊 API 获取数据的事件时通知 security@amazon.com。
- 请总结从事件通知到修复的步骤。
Vulnerability Management
**Q14: Vulnerability Management - Walk us through vulnerability scanning/detection tools used and the process of remediating findings.- Please provide example reports from your vulnerability scan and penetration test results. This could be an executive summary/memo from the results.
- Please provide your Vulnerability Management Policy/Procedure, and an example of a resolved vulnerability (for example a ticket, project plan, resolved report etc.)**
中文翻译:漏洞管理 - 请逐步说明使用的漏洞扫描/检测工具以及修复发现的过程。 - 请提供漏洞扫描和渗透测试结果的示例报告。这可以是结果的执行摘要/备忘录。
- 请提供您的漏洞管理政策/程序,以及已解决漏洞的示例(例如工单、项目计划、解决报告等)。
一审问题中英文双语对照
先这样子。
如果有朋友需要一审的所有问题的回复,可以私信我 sfgoods
**粗体** _斜体_ [链接](http://example.com) `代码` - 列表 > 引用。你还可以使用@来通知其他用户。