Develop your incident response requirements

Note

This topic is part of a larger design considerations guide. If you'd like to start at the beginning of the guide, check out the main topic. To get a downloadable copy of this entire guide, visit the TechNet Gallery.

While many organizations already have an incident response (IR) plan in place, you should check to make sure the plan includes mobile devices and states what steps to take if an incident is reported on those devices. If your company is only now adding a mobility solution, it is likely that the current IR plan does not cover mobile devices. If your organization does not have an IR plan, it is important to work closely with your security team to understand the requirements as you develop one, so that you know the right questions to ask when choosing the MDM solution that best fits your needs.

Tip

Read Responding to IT Security Incidents to better understand the minimum requirements for an IR plan.

When designing your MDM solution, ask the following questions to make sure mobile devices can still be managed if there is an incident.

  • Does your organization have an existing Incident Response Plan?
    • If yes, does it include processes and procedures for handling compromised mobile devices?
  • Does the incident response policy cover scenarios where an end user reports that they have lost their mobile device?
    • Is it permissible to erase the entire device to avoid data leakage?
      • If it is, does your company have a backup policy in place for data that resides on mobile devices?
  • Does your organization have different procedures for company-owned devices and personally-owned devices in case they are lost?
    • If yes, what are those procedures?
    • Will those procedures affect the selection of the MDM solution?
  • If a user loses their personally-owned mobile device but does not authorize your company to erase the entire device, does the MDM solution allow selective device wipes?
  • When a mobile device is compromised and you need to prevent that device from spreading malicious apps to the corporate network, does the MDM solution allow you to enforce policies that can rapidly contain the compromised device?
  • Does the MDM solution allow you to plan for potential attacks so you can take proactive actions to address problems?
  • Does the MDM solution allow you to identify, from a management console, when a file is infected with malware?