Compliance score calculation

In this article: Learn how Compliance Manager calculates a compliance score for your organization. This article explains how to interpret your score, what the Data Protection Baseline assessment includes, how continuous monitoring works, and how different types of actions are managed and scored.

Important

Recommendations from Compliance Manager should not be interpreted as a guarantee of compliance. It is up to you to evaluate and validate the effectiveness of customer controls per your regulatory environment. These services are subject to the terms and conditions in the Online Services Terms. See also Microsoft 365 licensing guidance for security and compliance.

How to read your compliance score

The Compliance Manager dashboard displays your overall compliance score. This score measures your progress in completing the recommended improvement actions within controls. Your score can help you understand your current compliance posture. It can also help you prioritize actions based on their potential to reduce risk.

A score value is assigned at three levels:

  1. Improvement action score: each action has a different impact on your score depending on the potential risk involved.

  2. Control score: this score is the sum of points earned by completing improvement actions within the control. This sum is applied in its entirety to your overall compliance score when the control meets both of the following conditions:

    • Implementation Status equals Implemented or Alternative Implementation, and
    • Test Result equals Passed.

  3. Assessment score: this score is the sum of your control scores. It is calculated using action scores. Each Microsoft action and each improvement action managed by your organization is counted once, regardless of how often it is referenced in a control.

The overall compliance score is calculated using action scores, where each Microsoft action is counted once, each technical action you manage is counted once, and each non-technical action you manage is counted once per group. This logic is designed to provide the most accurate accounting of how actions are implemented and tested in your organization. You may notice that this can cause your overall compliance score to differ from the average of your assessment scores. Read more below about how actions are scored.

Initial score based on the Microsoft 365 data protection baseline

Compliance Manager gives you an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance. The baseline draws elements primarily from NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and ISO (International Organization for Standardization), as well as from FedRAMP (Federal Risk and Authorization Management Program) and GDPR (General Data Protection Regulation of the European Union).

Your initial score is calculated according to the default Data Protection Baseline assessment provided to all organizations. Upon your first visit, Compliance Manager is already collecting signals from your Microsoft 365 solutions. You'll see at a glance how your organization is performing relative to key data protection standards and regulations, along with suggested improvement actions to take.

Because every organization has specific needs, Compliance Manager relies on you to set up and manage assessments to help minimize and mitigate risk as comprehensively as possible.

How Compliance Manager continuously assesses controls

Compliance Manager automatically scans your Microsoft 365 environment and detects your system settings, continuously and automatically updating the status of your technical actions. Microsoft Secure Score is the underlying engine that performs the monitoring.

Your action status is updated on your dashboard every 24 hours. Once you follow a recommendation to implement a control, you'll typically see the control status updated the next day.

For example, if you turn on multi-factor authentication (MFA) in the Azure AD portal, Compliance Manager detects the setting and reflects it in the control access solution details. Conversely, if you didn't turn on MFA, Compliance Manager flags that as a recommended action for you to take.

Learn more about Secure Score and how it works.

Action types and points

Compliance Manager tracks two types of actions:

  1. Your improvement actions: actions that your organization manages.
  2. Microsoft actions: actions that Microsoft manages.

Both types of actions have points that count toward your overall score when completed.

Technical and non-technical actions

Actions are grouped by whether they are technical or non-technical in nature. The scoring impact of each action differs by type.

  • Technical actions are implemented by interacting with the technology of a solution (for example, changing a configuration). The points for a technical action are granted once per action, regardless of how many groups it belongs to.

  • Non-technical actions are managed by your organization and implemented in ways other than working with the technology of a solution. There are two types of non-technical actions: documentation and operational. The points for these actions are applied to your compliance score at the group level. This means that if an action exists in multiple groups, you receive the action's point value each time you implement it within a group.

Example of how technical and non-technical actions are scored:

Let's say you have a technical action worth 3 points that exists in 5 groups, and you have a non-technical action worth 3 points that exists in the same 5 groups.

If you successfully implement the technical action, the total number of points you receive is 3. This is because you only need to implement the action once for your tenant. The implementation and test status for the technical action will be the same in all instances of that action, in every group it belongs to.

If you successfully implement the non-technical action in each of the 5 groups, the total number of points you receive is 15. This is because you need to implement the action in each group. The implementation and test status for the non-technical action can differ across groups because the action is implemented separately within each of its groups.

This scoring logic is designed to provide the most accurate accounting of how actions are implemented and tested in your organization.

How score values are determined

Actions are assigned a score value based on whether they're mandatory or discretionary, and whether they're preventative, detective, or corrective.

Mandatory and discretionary actions

  • Mandatory actions can't be bypassed, either intentionally or accidentally. An example of a mandatory action is a centrally managed password policy that sets requirements for password length, complexity, and expiration. Users must follow these requirements to access the system.

  • Discretionary actions rely upon users to understand and adhere to a policy. For example, a policy requiring users to lock their computer when they leave it is a discretionary action because it relies on the user.

Preventative, detective, and corrective actions

  • Preventative actions address specific risks. For example, protecting information at rest using encryption is a preventative action against attacks and breaches. Separation of duties is a preventative action to manage conflict of interest and guard against fraud.

  • Detective actions actively monitor systems to identify irregular conditions or behaviors that represent risk, or that can be used to detect intrusions or breaches. Examples include system access auditing and privileged administrative actions. Regulatory compliance audits are a type of detective action used to find process issues.

  • Corrective actions try to keep the adverse effects of a security incident to a minimum, reduce the immediate effect, and reverse the damage if possible. Privacy incident response is a corrective action to limit damage and restore systems to an operational state after a breach.

Each action has an assigned value in Compliance Manager based on the risk it represents:

Type                         Assigned score
Preventative mandatory       27
Preventative discretionary   9
Detective mandatory          3
Detective discretionary      1
Corrective mandatory         3
Corrective discretionary     1

Compliance Manager action point values
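A runnable model of the counting rules above (the point values from the table, technical actions counted once per tenant, non-technical actions once per group, and points earned only when Implementation Status and Test Result both pass), as an added Python example that is not code from Compliance Manager; the ActionInstance class, the action ids and the group names are constructed for illustration and reproduce the 3-point / 15-point example from the text.

```python
from dataclasses import dataclass
from typing import List, Optional
# Point values from the table above: (category, mandatory) -> points
POINTS = {
    ("preventative", True): 27, ("preventative", False): 9,
    ("detective", True): 3, ("detective", False): 1,
    ("corrective", True): 3, ("corrective", False): 1,
}
# A control's points count only under these statuses (plus Test Result = Passed)
PASSING_STATUS = {"Implemented", "Alternative Implementation"}
@dataclass
class ActionInstance:
    """One occurrence of an action in one group (hypothetical model, not the product's schema)."""
    action_id: str
    technical: bool
    category: str        # preventative | detective | corrective
    mandatory: bool
    group: str
    status: str = "Not implemented"
    test_result: str = "Not tested"

    def points(self) -> int:
        return POINTS[(self.category, self.mandatory)]

    def passes(self) -> bool:
        return self.status in PASSING_STATUS and self.test_result == "Passed"

def implement(instances: List[ActionInstance], action_id: str, group: Optional[str] = None) -> None:
    """Mark an action implemented and passed. A technical action is tenant-wide, so every
    instance of it flips at once; a non-technical action flips only in the given group."""
    for inst in instances:
        if inst.action_id == action_id and (inst.technical or inst.group == group):
            inst.status, inst.test_result = "Implemented", "Passed"

def compliance_score(instances: List[ActionInstance]) -> int:
    """Technical actions are counted once per tenant, non-technical once per group."""
    earned = {}
    for inst in instances:
        if inst.passes():
            key = inst.action_id if inst.technical else (inst.action_id, inst.group)
            earned[key] = inst.points()
    return sum(earned.values())

def sample_instances() -> List[ActionInstance]:
    """Constructed sample: the page's example of two 3-point actions in the same 5 groups."""
    groups = [f"group-{i}" for i in range(1, 6)]
    technical = [ActionInstance("tech-action", True, "detective", True, g) for g in groups]
    non_technical = [ActionInstance("doc-action", False, "detective", True, g) for g in groups]
    return technical + non_technical
```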