ciso-review

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

/cs:ciso-review — CISO Forcing Questions

/cs:ciso-review — CISO强制质询问题

Command:

/cs:ciso-review <plan>

The risk-paranoid threat-modeler. Six questions before any production change that touches customer data or compliance scope.

命令：

/cs:ciso-review <plan>

这是一款风险审慎的威胁建模工具。针对任何涉及客户数据或合规范围的生产变更，提出六个必问问题。

When to Run

适用场景

Before deploying any system that touches PII / PHI / cardholder data
Before signing a new vendor with data access
Before a compliance audit (SOC 2, ISO 27001, HIPAA, GDPR)
Before any architecture decision crossing trust boundaries
After any near-miss incident

在部署任何涉及PII / PHI / 持卡人数据的系统之前
在与拥有数据访问权限的新供应商签约之前
在合规审计（SOC 2、ISO 27001、HIPAA、GDPR）之前
在任何跨越信任边界的架构决策之前
在发生任何未遂安全事件之后

The Six CISO Questions

六个CISO质询问题

1. Threat Model

1. 威胁模型

What's the STRIDE threat model for this system, and which threat is most likely?

Spoofing, Tampering, Repudiation, Info Disclosure, DoS, Elevation of Privilege.
Pick the top 3 by likelihood × impact.

该系统的STRIDE威胁模型是什么，哪种威胁发生概率最高？

涵盖欺骗（Spoofing）、篡改（Tampering）、抵赖（Repudiation）、信息泄露（Info Disclosure）、拒绝服务（DoS）、权限提升（Elevation of Privilege）。
根据「可能性×影响」选出排名前三的威胁。

2. Blast Radius

2. 影响范围

If this is fully compromised, what data is exposed and how many users are affected?

Worst case in plain English.
Quantify in dollars via FAIR-based ALE.

如果系统完全被攻陷，会泄露哪些数据，影响多少用户？

用直白语言描述最坏情况。
通过基于FAIR的ALE量化损失金额。

3. Detection

3. 检测机制

What signals indicate compromise, and how long until they're triggered (MTTD)?

Logs alone are not detection.
Define the detection rule, the alert, and the on-call.

哪些信号表明系统已被攻陷，触发这些信号需要多长时间（MTTD）？

仅日志不算有效检测机制。
明确检测规则、告警方式及值班负责人。

4. Response

4. 响应流程

Is there an IR runbook for this scenario, and has it been tabletop-tested?

If no runbook: build one before ship.
If untested: tabletop before ship.

针对该场景是否有事件响应（IR）运行手册，且是否经过桌面演练？

若无运行手册：上线前必须制定。
若未演练：上线前必须完成桌面演练。

5. Regulatory Window

5. 监管通报窗口

What's the regulator notification window if this scenario occurs?

GDPR: 72h. HIPAA: 60d. State breach laws vary.
Pre-write the customer comms template.

如果该场景发生，监管机构的通报时限是多久？

GDPR：72小时。HIPAA：60天。各州数据泄露法规要求不同。
预先撰写客户沟通模板。

6. Vendor & Supply Chain

6. 供应商与供应链

Which third-party vendors are in scope, and what's their security posture?

Subprocessor list current?
DPAs in place?
Last security review per vendor?

哪些第三方供应商在合规范围内，他们的安全状况如何？

子处理器列表是否最新？
是否已签署数据处理协议（DPA）？
每个供应商的最近一次安全评审是什么时候？

Workflow

工作流程

bash

python ../../../skills/ciso-advisor/scripts/risk_quantifier.py
python ../../../skills/ciso-advisor/scripts/compliance_tracker.py

bash

python ../../../skills/ciso-advisor/scripts/risk_quantifier.py
python ../../../skills/ciso-advisor/scripts/compliance_tracker.py

Output Format

输出格式

markdown

undefined

markdown

undefined

CISO Review: <plan>

CISO评审：<plan>

Date: YYYY-MM-DD

日期： YYYY-MM-DD

Threat Model

威胁模型

Top threat: <STRIDE category> — <description>
Likelihood: H/M/L | Impact: H/M/L
ALE: $X / year

首要威胁：<STRIDE类别> — <描述>
可能性：高/中/低 | 影响：高/中/低
ALE：每年$X

Blast Radius

影响范围

Data exposed (worst case): <description>
Users affected: N
Estimated cost: $X

泄露的数据（最坏情况）：<描述>
受影响用户数：N
预估损失：$X

Detection

检测机制

MTTD target: X hours
Current MTTD: X hours
Detection rule: <name>

MTTD目标：X小时
当前MTTD：X小时
检测规则：<名称>

Response

响应流程

IR runbook: ✅ / ❌
Last tabletop: <date>

IR运行手册：✅ / ❌
最近一次桌面演练：<date>

Regulatory

监管合规

Frameworks in scope: SOC 2 / ISO 27001 / HIPAA / GDPR
Notification window: X hours/days

涉及的框架：SOC 2 / ISO 27001 / HIPAA / GDPR
通报窗口：X小时/天

Vendors

供应商情况

New vendors added: N
DPAs signed: N / N
Security reviews complete: N / N

新增供应商数：N
已签署DPA：N / N
已完成安全评审：N / N

Verdict

评审结论

🟢 SHIP | 🟡 MITIGATE THEN SHIP | 🔴 BLOCK

undefined

🟢 可上线 | 🟡 缓解风险后上线 | 🔴 禁止上线

undefined

Routing

关联命令

```
/cs:cto-review
```
— architecture alignment
```
/cs:gc-review
```
— DPA, regulatory implications
```
/cs:decide
```
— log risk acceptance
```
/cs:boardroom
```
— for CRITICAL risks

```
/cs:cto-review
```
— 架构一致性评审
```
/cs:gc-review
```
— DPA、监管影响评审
```
/cs:decide
```
— 记录风险接受情况
```
/cs:boardroom
```
— 针对重大风险