Function of cloud security policy and standards

Security policy and standards teams author, approve, and publish security policy and standards to guide security decisions within the organization.

The policies and standards should:

  • Reflect the organization's security strategy in enough detail to guide the decisions made by the various teams in the organization
  • Enable productivity throughout the organization while reducing risk to the organization's business and mission

Security policy should reflect long-term, sustainable objectives that align with the organization's security strategy and risk tolerance. Policy should always address:

  • Regulatory compliance requirements and current compliance status (requirements met, risks accepted, and so on)
  • Architectural assessment of the current state and of what is technically possible to design, implement, and enforce
  • Organizational culture and preferences
  • Industry best practices
  • Accountability for security risk, assigned to the appropriate business stakeholders who are accountable for other risks and business outcomes

Security standards define the processes and rules that support execution of the security policy.

Modernization

While policy should remain static, standards should be dynamic and continuously revisited to keep up with the pace of change in cloud technology, the threat environment, and the competitive business landscape.

Because of this high rate of change, you should keep a close eye on how many exceptions are being made, as a growing number of exceptions may indicate a need to adjust the standards (or the policy).

Security standards should include guidance specific to the adoption of cloud, such as:

  • Secure use of cloud platforms for hosting workloads
  • Secure use of the DevOps model, and inclusion of cloud applications, APIs, and services in development
  • Use of identity perimeter controls to supplement or replace network perimeter controls
  • Definition of your segmentation strategy before moving your workloads to an IaaS platform
  • Tagging and classifying the sensitivity of assets
  • Definition of a process for assessing and ensuring that your assets are configured and secured properly

Team composition and key relationships

Cloud security policy and standards are commonly provided by the following types of roles. The organizational policy should inform (and be informed by):

  • Security architecture
  • Compliance and risk management teams
  • Business unit leadership and representatives
  • Information technology
  • Audit and legal teams

The policy should be refined based on many inputs and requirements from across the organization, including but not restricted to those depicted in the security overview diagram.

Next steps

Review the function of a cloud security operations center (SOC).