Control mapping of the ISO 27001 Shared Services blueprint sample

The following article details how the Azure Blueprints ISO 27001 Shared Services blueprint sample maps to the ISO 27001 controls. For more information about the controls, see ISO 27001.

The following mappings are to the ISO 27001:2013 controls. Use the navigation on the right to jump directly to a specific control mapping. Many of the mapped controls are implemented with an Azure Policy initiative. To review the complete initiative, open Policy in the Azure portal and select the Definitions page. Then, find and select the [Preview] Audit ISO 27001:2013 controls and deploy specific VM Extensions to support audit requirements built-in policy initiative.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy definitions for this compliance blueprint sample may change over time. To view the change history, see the GitHub Commit History.

A.6.1.2 Segregation of duties

Having only one Azure subscription owner doesn't allow for administrative redundancy. Conversely, having too many Azure subscription owners can increase the potential for a breach via a compromised owner account. This blueprint helps you maintain an appropriate number of Azure subscription owners by assigning two Azure Policy definitions that audit the number of owners for Azure subscriptions. Managing subscription owner permissions can help you implement appropriate separation of duties.

  • A maximum of 3 owners should be designated for your subscription
  • There should be more than one owner assigned to your subscription

A.8.2.1 Classification of information

Azure's SQL Vulnerability Assessment service can help you discover sensitive data stored in your databases and includes recommendations to classify that data. This blueprint assigns an Azure Policy definition to audit that vulnerabilities identified during SQL Vulnerability Assessment scans are remediated.

  • Vulnerabilities on your SQL databases should be remediated

A.9.1.2 Access to networks and network services

Azure role-based access control (Azure RBAC) helps to manage who has access to Azure resources. This blueprint helps you control access to Azure resources by assigning seven Azure Policy definitions. These policies audit use of resource types and configurations that may allow more permissive access to resources. Understanding resources that are in violation of these policies can help you take corrective actions to ensure access to Azure resources is restricted to authorized users.

  • Show audit results from Linux VMs that have accounts without passwords
  • Show audit results from Linux VMs that allow remote connections from accounts without passwords
  • Storage accounts should be migrated to new Azure Resource Manager resources
  • Virtual machines should be migrated to new Azure Resource Manager resources
  • Audit VMs that do not use managed disks

A.9.2.3 Management of privileged access rights

This blueprint helps you restrict and control privileged access rights by assigning four Azure Policy definitions to audit external accounts with owner and/or write permissions and accounts with owner and/or write permissions that don't have multi-factor authentication enabled. Azure role-based access control (Azure RBAC) helps to manage who has access to Azure resources. This blueprint also assigns three Azure Policy definitions to audit use of Azure Active Directory authentication for SQL Servers and Service Fabric. Using Azure Active Directory authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. This blueprint also assigns an Azure Policy definition to audit the use of custom Azure RBAC rules. Understanding where custom Azure RBAC rules are implemented can help you verify need and proper implementation, as custom Azure RBAC rules are error prone.

  • MFA should be enabled on accounts with owner permissions on your subscription
  • MFA should be enabled accounts with write permissions on your subscription
  • External accounts with owner permissions should be removed from your subscription
  • External accounts with write permissions should be removed from your subscription
  • An Azure Active Directory administrator should be provisioned for SQL servers
  • Service Fabric clusters should only use Azure Active Directory for client authentication
  • Audit usage of custom RBAC rules

A.9.2.4 Management of secret authentication information of users

This blueprint assigns three Azure Policy definitions to audit accounts that don't have multi-factor authentication enabled. Multi-factor authentication helps keep accounts secure even if one piece of authentication information is compromised. By monitoring accounts without multi-factor authentication enabled, you can identify accounts that may be more likely to be compromised. This blueprint also assigns two Azure Policy definitions that audit Linux VM password file permissions to alert if they're set incorrectly. This setup enables you to take corrective action to ensure authenticators aren't compromised.

  • MFA should be enabled on accounts with owner permissions on your subscription
  • MFA should be enabled on accounts with read permissions on your subscription
  • MFA should be enabled accounts with write permissions on your subscription
  • Show audit results from Linux VMs that do not have the passwd file permissions set to 0644

A.9.2.5 Review of user access rights

Azure role-based access control (Azure RBAC) helps you manage who has access to resources in Azure. Using the Azure portal, you can review who has access to Azure resources and their permissions. This blueprint assigns four Azure Policy definitions to audit accounts that should be prioritized for review, including deprecated accounts and external accounts with elevated permissions.

  • Deprecated accounts should be removed from your subscription
  • Deprecated accounts with owner permissions should be removed from your subscription
  • External accounts with owner permissions should be removed from your subscription
  • External accounts with write permissions should be removed from your subscription

A.9.2.6 Removal or adjustment of access rights

Azure role-based access control (Azure RBAC) helps you manage who has access to resources in Azure. Using Azure Active Directory and Azure RBAC, you can update user roles to reflect organizational changes. When needed, accounts can be blocked from signing in (or removed), which immediately removes access rights to Azure resources. This blueprint assigns two Azure Policy definitions to audit deprecated accounts that should be considered for removal.

  • Deprecated accounts should be removed from your subscription
  • Deprecated accounts with owner permissions should be removed from your subscription

A.9.4.2 Secure log-on procedures

This blueprint assigns three Azure Policy definitions to audit accounts that don't have multi-factor authentication enabled. Azure AD Multi-Factor Authentication provides additional security by requiring a second form of authentication and delivers strong authentication. By monitoring accounts without multi-factor authentication enabled, you can identify accounts that may be more likely to be compromised.

  • MFA should be enabled on accounts with owner permissions on your subscription
  • MFA should be enabled on accounts with read permissions on your subscription
  • MFA should be enabled accounts with write permissions on your subscription

A.9.4.3 Password management system

This blueprint helps you enforce strong passwords by assigning 10 Azure Policy definitions that audit Windows VMs that don't enforce minimum strength and other password requirements. Awareness of VMs in violation of the password strength policy helps you take corrective actions to ensure passwords for all VM user accounts are compliant with policy.

  • Show audit results from Windows VMs that do not have the password complexity setting enabled
  • Show audit results from Windows VMs that do not have a maximum password age of 70 days
  • Show audit results from Windows VMs that do not have a minimum password age of 1 day
  • Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters
  • Show audit results from Windows VMs that allow re-use of the previous 24 passwords
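The following added example (not Azure Policy's own implementation, and not code from this page) checks a Windows local security policy export against the password requirements listed above, plus the reversible-encryption item listed under A.10.1.1. It assumes the INI-style file written by `secedit /export /cfg <file>`, whose [System Access] section holds the account policy values; the sample export is constructed, and the page's numbers are treated as thresholds (a longer length or history passes), since the exact comparison Azure's guest configuration applies is not stated here.

```python
import configparser
from typing import Callable, Dict, List, Tuple

# Constructed sample of a `secedit /export /cfg` file. Real exports also carry
# [Event Audit], [Registry Values] and [Privilege Rights] sections.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# (setting, predicate on the integer value, requirement as the page states it).
# secedit writes -1 for "password never expires", which the age check rejects.
CHECKS: List[Tuple[str, Callable[[int], bool], str]] = [
    ("PasswordComplexity",    lambda v: v == 1,       "password complexity setting enabled"),
    ("MaximumPasswordAge",    lambda v: 1 <= v <= 70, "maximum password age of 70 days"),
    ("MinimumPasswordAge",    lambda v: v >= 1,       "minimum password age of 1 day"),
    ("MinimumPasswordLength", lambda v: v >= 14,      "minimum password length of 14 characters"),
    ("PasswordHistorySize",   lambda v: v >= 24,      "previous 24 passwords cannot be re-used"),
    # Listed under A.10.1.1: 0 means passwords are not stored with reversible encryption.
    ("ClearTextPassword",     lambda v: v == 0,       "passwords not stored using reversible encryption"),
]


def parse_system_access(export_text: str) -> Dict[str, int]:
    """Return the integer settings from the [System Access] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the key case secedit uses
    parser.read_string(export_text)
    if "System Access" not in parser:
        raise ValueError("export has no [System Access] section")
    return {key: int(value) for key, value in parser["System Access"].items()}


def audit_password_policy(export_text: str) -> List[str]:
    """Return one finding per unmet requirement; an empty list means compliant.

    A setting absent from the export is also a finding, because enforcement
    cannot be demonstrated from the export alone.
    """
    settings = parse_system_access(export_text)
    findings: List[str] = []
    for key, is_ok, requirement in CHECKS:
        if key not in settings:
            findings.append(f"{key} not present in export; cannot verify {requirement}")
        elif not is_ok(settings[key]):
            findings.append(f"{key}={settings[key]} does not satisfy: {requirement}")
    return findings


if __name__ == "__main__":
    for line in audit_password_policy(SAMPLE_EXPORT) or ["compliant"]:
        print(line)
```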

A.10.1.1 Policy on the use of cryptographic controls

This blueprint helps you enforce your policy on the use of cryptographic controls by assigning 13 Azure Policy definitions that enforce specific cryptographic controls and audit use of weak cryptographic settings. Understanding where your Azure resources may have non-optimal cryptographic configurations can help you take corrective actions to ensure resources are configured in accordance with your information security policy. Specifically, the policies assigned by this blueprint require encryption for blob storage accounts and data lake storage accounts; require transparent data encryption on SQL databases; audit missing encryption on storage accounts, SQL databases, virtual machine disks, and automation account variables; audit insecure connections to storage accounts, Function Apps, Web Apps, API Apps, and Redis Cache; audit weak virtual machine password encryption; and audit unencrypted Service Fabric communication.

  • Function App should only be accessible over HTTPS
  • Web Application should only be accessible over HTTPS
  • API App should only be accessible over HTTPS
  • Show audit results from Windows VMs that do not store passwords using reversible encryption
  • Disk encryption should be applied on virtual machines
  • Automation account variables should be encrypted
  • Only secure connections to your Azure Cache for Redis should be enabled
  • Secure transfer to storage accounts should be enabled
  • Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
  • Transparent Data Encryption on SQL databases should be enabled

A.12.4.1 Event logging

This blueprint helps you ensure system events are logged by assigning seven Azure Policy definitions that audit log settings on Azure resources. Diagnostic logs provide insight into operations that were performed within Azure resources.

  • Audit Dependency agent deployment - VM Image (OS) unlisted
  • Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted
  • [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted
  • Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted
  • Audit diagnostic setting
  • Auditing on SQL server should be enabled

A.12.4.3 Administrator and operator logs

This blueprint helps you ensure system events are logged by assigning seven Azure Policy definitions that audit log settings on Azure resources. Diagnostic logs provide insight into operations that were performed within Azure resources.

  • Audit Dependency agent deployment - VM Image (OS) unlisted
  • Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted
  • [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted
  • Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted
  • Audit diagnostic setting
  • Auditing on SQL server should be enabled

A.12.4.4 Clock synchronization

This blueprint helps you ensure system events are logged by assigning seven Azure Policy definitions that audit log settings on Azure resources. Azure logs rely on synchronized internal clocks to create a time-correlated record of events across resources.

  • Audit Dependency agent deployment - VM Image (OS) unlisted
  • Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted
  • [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted
  • Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted
  • Audit diagnostic setting
  • Auditing on SQL server should be enabled

A.12.5.1 Installation of software on operational systems

Adaptive application control is a solution from Azure Security Center that helps you control which applications can run on your VMs located in Azure. This blueprint assigns an Azure Policy definition that monitors changes to the set of allowed applications. This capability helps you control installation of software and applications on Azure VMs.

  • Adaptive application controls for defining safe applications should be enabled on your machines

A.12.6.1 Management of technical vulnerabilities

This blueprint helps you manage information system vulnerabilities by assigning five Azure Policy definitions that monitor missing system updates, operating system vulnerabilities, SQL vulnerabilities, and virtual machine vulnerabilities in Azure Security Center. Azure Security Center provides reporting capabilities that enable you to have real-time insight into the security state of deployed Azure resources.

  • Monitor missing Endpoint Protection in Azure Security Center
  • System updates should be installed on your machines
  • Vulnerabilities in security configuration on your machines should be remediated
  • Vulnerabilities on your SQL databases should be remediated
  • Vulnerabilities should be remediated by a Vulnerability Assessment solution

A.12.6.2 Restrictions on software installation

Adaptive application control is a solution from Azure Security Center that helps you control which applications can run on your VMs located in Azure. This blueprint assigns an Azure Policy definition that monitors changes to the set of allowed applications. Restrictions on software installation can help you reduce the likelihood of introducing software vulnerabilities.

  • Adaptive application controls for defining safe applications should be enabled on your machines

A.13.1.1 Network controls

This blueprint helps you manage and control networks by assigning an Azure Policy definition that monitors network security groups with permissive rules. Rules that are too permissive may allow unintended network access and should be reviewed. This blueprint also assigns three Azure Policy definitions that monitor unprotected endpoints, applications, and storage accounts. Endpoints and applications that aren't protected by a firewall, and storage accounts with unrestricted access, can allow unintended access to information contained within the information system.

  • Access through Internet facing endpoint should be restricted
  • Storage accounts should restrict network access

A.13.2.1 Information transfer policies and procedures

This blueprint helps you ensure information transfer with Azure services is secure by assigning two Azure Policy definitions to audit insecure connections to storage accounts and Redis Cache.

  • Only secure connections to your Azure Cache for Redis should be enabled
  • Secure transfer to storage accounts should be enabled

Next steps

Now that you've reviewed the control mapping of the ISO 27001 Shared Services blueprint, visit the following articles to learn about the architecture and how to deploy this sample:

Additional articles about blueprints and how to use them: