Quick tasks for getting started with Microsoft 365 compliance

If you're new to Microsoft 365 compliance and wondering where to start, this article provides guidance on the basics and prioritizes important compliance tasks. It will help you quickly get started with managing and monitoring your data, protecting information, and minimizing insider risks.

This article is also helpful if you're figuring out how best to manage risks, protect your data, and remain compliant with regulations and standards with a newly remote workforce. Employees are now collaborating and connecting with each other in new ways, which means your existing compliance processes and controls may need to adapt. Identifying and managing these new compliance risks within your organization is critical to safeguarding your data and minimizing threats and risks.

After you've completed these basic compliance tasks, consider expanding compliance coverage in your organization by implementing additional Microsoft 365 compliance solutions.

Task 1: Configure compliance permissions

It's important to manage who in your organization has access to the Microsoft 365 compliance center to view content and perform management tasks. Microsoft 365 provides administrative roles specific to compliance and to using the tools included in the Microsoft 365 compliance center.

Start by assigning compliance permissions to the people in your organization so that they can perform these tasks, and to prevent unauthorized people from having access to areas outside of their responsibilities. Make sure that you've assigned the proper people to the Compliance data administrator and Compliance administrator admin roles before you start to configure and implement the compliance solutions included with Microsoft 365. You'll also need to assign users to the Azure Active Directory Global Reader role to view data in Compliance Manager.

For step-by-step guidance to configure permissions and assign people to admin roles, see Permissions in the Security & Compliance Center.
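The role assignment described above, done from Security & Compliance PowerShell so that the result can be reviewed rather than clicked through. This is an added example and is not code from the Microsoft article; it assumes the ExchangeOnlineManagement module is installed, and the admin account, the two assignees and the contoso.example addresses are placeholders.

```powershell
# Added example, not from the Microsoft article. Adds people to the two compliance
# role groups and then lists every holder of a compliance role group, so the
# assignment can be checked against least privilege. All accounts are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder admin

# Role group display names as shown in the compliance center; assignees are placeholders
$assignments = @{
    'Compliance Administrator'      = 'alex.chen@contoso.example'
    'Compliance Data Administrator' = 'priya.raman@contoso.example'
}

foreach ($roleName in $assignments.Keys) {
    $member = $assignments[$roleName]

    # Resolve the role group by display name instead of hard-coding its internal Name
    $group = Get-RoleGroup | Where-Object { $_.DisplayName -eq $roleName }
    if (-not $group) { throw "Role group '$roleName' was not found in this tenant" }

    # Add-RoleGroupMember errors if the user is already a member, so check first
    # (membership compared on PrimarySmtpAddress, an assumption about the output object)
    $existing = Get-RoleGroupMember -Identity $group.Name |
        Where-Object { $_.PrimarySmtpAddress -eq $member }
    if ($existing) {
        Write-Host "$member already holds $roleName"
    } else {
        Add-RoleGroupMember -Identity $group.Name -Member $member
        Write-Host "Added $member to $roleName"
    }
}

# Review step: who holds any compliance role group right now
Get-RoleGroup | Where-Object { $_.DisplayName -like 'Compliance*' } | ForEach-Object {
    [pscustomobject]@{
        RoleGroup = $_.DisplayName
        Members   = (Get-RoleGroupMember -Identity $_.Name |
                     ForEach-Object { $_.PrimarySmtpAddress }) -join ', '
    }
}
```

The Global Reader role mentioned above is an Azure Active Directory role, not a compliance center role group, so it is assigned in Azure AD rather than with these cmdlets.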

Task 2: Know your state of compliance

It's difficult to know where to go if you don't know where you are. Meeting your compliance needs includes understanding your current level of risk and what updates may be needed in these ever-changing times. Whether your organization is new to compliance requirements or has deep experience with the standards and regulations that govern your industry, the single best thing you can do to improve compliance is to understand where your organization stands.

Microsoft Compliance Manager can help you understand your organization's compliance posture and highlight areas that may need improvement. Compliance Manager uses a centralized dashboard to calculate a risk-based score, measuring your progress in completing actions that help reduce risks around data protection and regulatory standards. You can also use Compliance Manager as a tool to track all your risk assessments. It provides workflow capabilities to help you efficiently complete your risk assessments through a common tool.

For step-by-step guidance to get started with Compliance Manager, see Get started with Compliance Manager.

Important

Security and compliance are tightly integrated for most organizations. It's important that your organization addresses basic security, threat protection, and identity and access management to help provide a defense-in-depth approach to both security and compliance.

Check your Microsoft 365 Secure Score in the Microsoft 365 security center and complete the tasks outlined in the following articles:

Task 3: Enable auditing for your organization

Now that you've determined your organization's current state and who can manage compliance functions, the next step is to make sure you have the data to conduct compliance investigations and generate reports for network and user activities in your organization. Enabling auditing is also an important prerequisite for the compliance solutions covered later in this article.

Insights provided by the audit log are a valuable tool in helping to match your compliance requirements to solutions that can help you manage and monitor compliance areas needing improvement. Audit logging must be enabled before activities are recorded and before you can search the audit log. When enabled, user and admin activity from your organization is recorded in the audit log and retained for 90 days, and for up to one year depending on the license assigned to users.

For step-by-step instructions to turn on auditing, see Turn audit log search on or off.
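Turning on the unified audit log and confirming that events are actually being recorded, as an added example that is not part of the Microsoft article. It uses Exchange Online PowerShell (the ExchangeOnlineManagement module); the admin account is a placeholder, and the 7-day window and the ExchangeAdmin record type are choices made for the example.

```powershell
# Added example, not from the Microsoft article. Enables unified audit logging,
# verifies the setting, then runs a first search and summarizes which admin
# operations were recorded and by whom. The admin account is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Enable only if it is off; the change is not instantaneous, so re-read it afterwards
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
"Unified audit log enabled: " + (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

# 2. Search the last 7 days of Exchange admin activity. ReturnLargeSet with one
#    SessionId pages through results beyond a single call's 5000-row limit.
$start     = (Get-Date).AddDays(-7)
$end       = Get-Date
$sessionId = 'audit-baseline-' + [guid]::NewGuid().ToString()
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType ExchangeAdmin -SessionId $sessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)

# 3. AuditData is a JSON string: expand it and count operations per actor.
#    Operations or actors you did not expect here are what Task 4's alert policies should catch.
$records |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Group-Object Operation, UserId |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 15
```

Running the search immediately after enabling auditing will return little or nothing; events accumulate only from the point the setting takes effect, so the baseline summary is more useful a day or two later.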

Task 4: Create policies to alert you about potential compliance issues

Microsoft provides several built-in alert policies that help identify admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. These policies are turned on by default, but you may need to configure custom alerts to help manage compliance requirements specific to your organization.

Use the alert policy and alert dashboard tools to create custom alert policies and view the alerts generated when users perform activities that match the policy conditions. For example, you could use alert policies to track user and admin activities affecting compliance requirements, permissions, and data loss incidents in your organization.

For step-by-step guidance to create custom alert policies, see Alert policies in the security and compliance center.
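Two custom alert policies of the kind the paragraph above describes, one tracking a permissions change and one tracking a data-loss signal, created with New-ProtectionAlert in Security & Compliance PowerShell. This is an added example, not code from the Microsoft article; the notification mailbox is a placeholder and the thresholds, severities and operation names are illustrative choices for the example.

```powershell
# Added example, not from the Microsoft article. Creates a single-event alert on
# mailbox delegation and a threshold alert on bulk file downloads, then confirms
# both are enabled. Operation values are audit log operation names.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder admin

$notify = 'compliance-alerts@contoso.example'                   # placeholder mailbox

# Alert on every occurrence: someone granted permissions on a mailbox
New-ProtectionAlert -Name 'Mailbox delegation granted' `
    -Description 'Review any Add-MailboxPermission that was not part of an approved request' `
    -Category AccessGovernance -ThreatType Activity `
    -Operation 'Add-MailboxPermission' `
    -Severity Medium -AggregationType None `
    -NotifyUser $notify

# Alert on volume: more than 100 file downloads by one user within 60 minutes
New-ProtectionAlert -Name 'Bulk file download' `
    -Description 'Unusually many downloads in a short window; possible data loss' `
    -Category DataGovernance -ThreatType Activity `
    -Operation 'FileDownloaded' `
    -Severity High -AggregationType SimpleAggregation -Threshold 100 -TimeWindow 60 `
    -NotifyUser $notify

# Check: both policies exist and are enabled (Disabled should be False)
Get-ProtectionAlert |
    Where-Object { $_.Name -in 'Mailbox delegation granted', 'Bulk file download' } |
    Format-Table Name, Category, Operation, Severity, AggregationType, Disabled
```

Alert policies depend on the audit log from Task 3: an operation that is not being recorded cannot trigger an alert, which is why auditing is enabled first.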

Task 5: Classify and protect sensitive data

To get their work done, people in your organization collaborate with others both inside and outside the organization. This means that content no longer stays behind a firewall: it can roam everywhere, across devices, apps, and services. And when it roams, you want it to do so in a secure, protected way that meets your organization's business and compliance policies.

Sensitivity labels let you classify and protect your organization's data, while making sure that user productivity and their ability to collaborate isn't hindered. Use sensitivity labels to enforce encryption and usage restrictions, apply visual markings, and protect information across platforms and devices, on-premises and in the cloud.

For step-by-step guidance to configure and use sensitivity labels, see Get started with sensitivity labels. For sensitivity label licensing information, see Microsoft 365 licensing guidance for security & compliance.
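A sensitivity label that does the three things the paragraph lists (encryption with usage restrictions, a visual marking, and protection that follows the file wherever it goes), created and published from Security & Compliance PowerShell. This is an added example, not code from the Microsoft article; the label name, the finance group address and the rights granted are placeholders chosen for the example.

```powershell
# Added example, not from the Microsoft article. Creates a label that encrypts content
# so only one group can open it, stamps a header, and publishes the label to that group.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder admin

$financeGroup = 'finance@contoso.example'   # placeholder mail-enabled group

# Rights string format: "<user or group>:<RIGHT>,<RIGHT>;<next principal>:<RIGHT>,..."
# No FULLCONTROL/OWNER here, so recipients cannot strip the protection themselves.
$rights = "${financeGroup}:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL"

New-Label -Name 'Confidential-Finance' -DisplayName 'Confidential - Finance' `
    -Tooltip 'Financial data. Readable only by the finance group, even if the file leaves the tenant.' `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $rights `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7 `
    -ApplyContentMarkingHeaderEnabled $true `
    -ApplyContentMarkingHeaderText 'CONFIDENTIAL - Finance' `
    -ApplyContentMarkingHeaderFontSize 10 -ApplyContentMarkingHeaderAlignment Center

# Publish it to the finance group only, so other users never see the label in Office apps
New-LabelPolicy -Name 'Finance label policy' -Labels 'Confidential-Finance' `
    -ExchangeLocation $financeGroup -Comment 'Added example policy'

# Check the label's effective settings
Get-Label -Identity 'Confidential-Finance' |
    Format-List DisplayName, EncryptionEnabled, EncryptionRightsDefinitions, ApplyContentMarkingHeaderText
```

Because the protection is bound to the file rather than to its location, a labeled document copied to a USB stick or forwarded outside the tenant still opens only for the principals in the rights definition; the 7-day offline access window bounds how long a cached licence stays valid after access is revoked.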

Task 6: Configure a retention policy

A retention policy lets you proactively decide whether to retain content, delete content, or both: retain and then delete the content at the end of a specified retention period. These actions might be needed to comply with industry regulations and internal policies, as well as to reduce your risk in the event of litigation or a security breach.

When content is subject to a retention policy, people can continue to edit and work with the content as if nothing's changed. The content is retained in place, in its original location. But if someone edits or deletes content that's subject to the retention policy, a copy of the original content is saved to a secure location, where it's retained while the retention policy for that content is in effect.

You can quickly put a retention policy in place for multiple locations in your Microsoft 365 environment, such as Exchange mail, SharePoint sites, OneDrive accounts, and Microsoft 365 groups. There are no limits to the number of mailboxes or sites this policy can automatically include. But if you need to get more selective, you can do so by configuring a retention policy for specific locations and including or excluding sites or users.

For step-by-step guidance to configure a retention policy, see Create and configure retention policies. If you're new to configuring retention in Microsoft 365, see Get started with retention policies and retention labels.
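The two shapes of retention policy described above, an org-wide one with exclusions and a selective one with explicit includes, created from Security & Compliance PowerShell. This is an added example, not code from the Microsoft article; the policy names, durations, the finance mailbox and the site URLs are placeholders.

```powershell
# Added example, not from the Microsoft article. Creates an org-wide retain-then-delete
# policy that excludes a scratch site, a narrower keep-only policy for finance, and then
# checks that both have been distributed to their locations.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder admin

# 1. Org-wide: every location, except one throwaway site. Keep 7 years (2555 days)
#    from last modification, then delete.
New-RetentionCompliancePolicy -Name 'Org-wide 7 year retention' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All `
    -SharePointLocationException 'https://contoso.sharepoint.com/sites/scratch'   # placeholder URL
New-RetentionComplianceRule -Name 'Keep 7y then delete' -Policy 'Org-wide 7 year retention' `
    -RetentionDuration 2555 -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# 2. Selective: only the finance mailbox and site. Keep 10 years, never auto-delete
#    (Keep = retain for the duration, then take no action).
New-RetentionCompliancePolicy -Name 'Finance 10 year retention' `
    -ExchangeLocation 'finance@contoso.example' `
    -SharePointLocation 'https://contoso.sharepoint.com/sites/finance'       # placeholders
New-RetentionComplianceRule -Name 'Keep 10y' -Policy 'Finance 10 year retention' `
    -RetentionDuration 3650 -RetentionComplianceAction Keep `
    -ExpirationDateOption ModificationAgeInDays

# 3. Check: a policy protects nothing until DistributionStatus reports Success
'Org-wide 7 year retention', 'Finance 10 year retention' | ForEach-Object {
    Get-RetentionCompliancePolicy -Identity $_ -DistributionDetail |
        Format-List Name, Enabled, DistributionStatus
}
```

When two policies cover the same item, the longer retention wins and deletion waits until every applicable retention period has passed, so the finance content above is kept for 10 years even though the org-wide policy would delete it after 7.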

Task 7: Configure sensitive information and offensive language policies

Protecting sensitive information, and detecting and acting on workplace harassment incidents, is an important part of compliance with internal policies and standards. Communication compliance in Microsoft 365 helps minimize these risks by helping you quickly detect, capture, and take remediation actions for email and Microsoft Teams communications. These include inappropriate communications containing profanity, threats, and harassment, and communications that share sensitive information inside and outside of your organization.

A pre-defined Offensive language and anti-harassment policy template allows you to scan internal and external communications for policy matches so they can be examined by designated reviewers. Reviewers can investigate scanned email, Microsoft Teams, Yammer, or third-party communications in your organization and take appropriate remediation actions to make sure they're compliant with your organization's standards.

The pre-defined Sensitive information policy template helps you quickly create a policy to scan email and Microsoft Teams communications containing defined sensitive information types or keywords, to help make sure that important data isn't shared with people who shouldn't have access. These activities could include unauthorized communication about confidential projects, or industry-specific rules on insider trading or other collusion activities.

For step-by-step guidance to plan and configure communication compliance, see Plan for communication compliance and Get started with communication compliance. For communication compliance licensing information, see Microsoft 365 licensing guidance for security & compliance.

Task 8: See what's happening with your sensitive items

Sensitivity labels, sensitive information types, retention labels and policies, and trainable classifiers can be used to classify and label sensitive items across Exchange, SharePoint, and OneDrive, as you've seen in the previous tasks. The last step in your quick task journey is to see which items have been labeled and what actions your users are taking on those sensitive items. Content explorer and activity explorer provide this visibility.

Content explorer

Content explorer allows you to view, in their native format, all the items that have been classified as a sensitive information type or as belonging to a certain classification by a trainable classifier, as well as all items that have a sensitivity or retention label applied.

For step-by-step guidance to using content explorer, see Know your data - data classification overview, and Get started with content explorer.

Activity explorer

Activity explorer helps you monitor what's being done with your classified and labeled sensitive items across:

  • SharePoint
  • Exchange
  • OneDrive

There are over 30 different filters available; some are:

  • date range
  • activity type
  • location
  • user
  • sensitivity label
  • retention label
  • file path
  • DLP policy

For step-by-step guidance to using activity explorer, see Get started with activity explorer.

Next steps

Now that you've configured the basics for compliance management for your organization, consider the following compliance solutions in Microsoft 365 to help you protect sensitive information and detect and act on additional insider risks.

Configure retention labels

While retention policies apply at the container level to locations such as SharePoint sites and Exchange mailboxes, retention labels allow for more specific targeting of your retention and deletion policies. For example, labels apply at the document or email message level, and end users can apply them manually in addition to automatic application by administrators. You can also apply a retention label to a document library, folder, or document set in SharePoint, so that all documents stored in that location inherit the default retention label.

Additionally, retention labels support records management to mark content as a record. When this happens, the label places additional restrictions on the content that might be needed to help your organization comply with regulatory requirements.

For step-by-step guidance to create and publish retention labels, see the following guidance:

To get started with records management, see Get started with records management.
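A retention label that declares content a record, published so users can apply it, as an added example that is not part of the Microsoft article. It uses Security & Compliance PowerShell; the label name, the 10-year duration and the policy name are placeholders chosen for the example.

```powershell
# Added example, not from the Microsoft article. Creates a record-declaring retention
# label, publishes it to SharePoint and OneDrive through a retention policy, and
# checks the result. Unlike the container-level policy in Task 6, this label is applied
# per item (by a user, or as a library default).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder admin

# Label: keep 10 years (3650 days) from creation, then delete; IsRecordLabel marks
# the item as a record, which restricts what can be changed about it afterwards
New-ComplianceTag -Name 'Signed contract' `
    -Comment 'Apply to executed contracts; declares the item a record' `
    -RetentionAction KeepAndDelete -RetentionDuration 3650 -RetentionType CreationAgeInDays `
    -IsRecordLabel $true

# Publish: a label is invisible to users until a retention policy rule publishes it
New-RetentionCompliancePolicy -Name 'Publish contract labels' `
    -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name 'Publish Signed contract' -Policy 'Publish contract labels' `
    -PublishComplianceTag 'Signed contract'

# Check the label definition and that the rule references it
Get-ComplianceTag -Identity 'Signed contract' |
    Format-List Name, RetentionAction, RetentionDuration, RetentionType, IsRecordLabel
Get-RetentionComplianceRule -Policy 'Publish contract labels' |
    Format-List Name, PublishComplianceTag
```

Because a record label limits what users can do with an item once it is applied, publish it first to a pilot library and confirm the behaviour is what the retention schedule calls for before making it a default label for a location.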

Identify and define sensitive information types

Define sensitive information types based on the patterns contained in your organization's data. Use built-in sensitive information types to help identify and protect credit card numbers, bank account numbers, passport numbers, and more, or create your own custom sensitive information types specific to your organization.

For step-by-step guidance to define custom sensitive information types, see Create a custom sensitive information type in the Security & Compliance Center.
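A custom sensitive information type built the way the paragraph describes: a pattern for the identifier itself, plus supporting keywords that raise the match confidence when they appear nearby. This is an added example, not code from the Microsoft article; the "EMP-" employee ID format, the Contoso names and the GUIDs (generated at run time) are constructed for the example, and the rule package is uploaded from Security & Compliance PowerShell.

```powershell
# Added example, not from the Microsoft article. Writes a rule package XML for a
# constructed "Contoso Employee ID" type, uploads it, and tests it against sample text.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder admin

# Fresh GUIDs for this package; never reuse IDs from another rule package
$rulePackId  = [guid]::NewGuid()
$publisherId = [guid]::NewGuid()
$entityId    = [guid]::NewGuid()

$xml = @"
<?xml version="1.0" encoding="utf-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$rulePackId">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="$publisherId"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso (example)</PublisherName>
        <Name>Contoso employee ID rule package</Name>
        <Description>Detects constructed Contoso employee IDs of the form EMP-123456</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <!-- patternsProximity: a keyword must sit within 300 characters of the ID to count -->
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="75">
      <!-- ID plus a nearby keyword: high confidence -->
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_contoso_employee_id"/>
        <Match idRef="Keyword_contoso_employee_id"/>
      </Pattern>
      <!-- ID alone: low confidence, so DLP rules can require 85 and ignore this -->
      <Pattern confidenceLevel="65">
        <IdMatch idRef="Regex_contoso_employee_id"/>
      </Pattern>
    </Entity>
    <!-- word boundaries stop EMP-123456 matching inside a longer token -->
    <Regex id="Regex_contoso_employee_id">\bEMP-\d{6}\b</Regex>
    <Keyword id="Keyword_contoso_employee_id">
      <Group matchStyle="word">
        <Term>employee id</Term>
        <Term>employee number</Term>
        <Term>personnel number</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Contoso Employee ID</Name>
        <Description default="true" langcode="en-us">Contoso employee identifier (EMP-######), example type</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@

$path = Join-Path ([System.IO.Path]::GetTempPath()) 'contoso-employee-id-rulepack.xml'
[System.IO.File]::WriteAllText($path, $xml, (New-Object System.Text.UTF8Encoding $false))
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.IO.File]::ReadAllBytes($path))

# Check 1: the type is registered under the name given in LocalizedStrings
Get-DlpSensitiveInformationType -Identity 'Contoso Employee ID'

# Check 2 (run in an Exchange Online PowerShell session): a sample with a keyword
# nearby should report the 85 pattern; the ID on its own only the 65 pattern
Test-DataClassification -ClassificationNames 'Contoso Employee ID' `
    -TextToClassify 'Please update the employee id EMP-123456 in the HR system.'
```

The two-pattern layout is the part worth copying: a bare identifier regex will fire on every six-digit code that happens to follow "EMP-", so the policies that consume the type should ask for the keyword-backed confidence level and treat the lower one as advisory.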

Prevent data loss

Data loss prevention (DLP) policies allow you to identify, monitor, and automatically protect sensitive information across your Microsoft 365 organization. Use DLP policies to identify sensitive items across Microsoft services, prevent the accidental sharing of sensitive items, and help users learn how to stay compliant without interrupting their workflow.

For step-by-step guidance to configure DLP policies, see Create, test, and tune a DLP policy. For data loss management licensing information, see Microsoft 365 licensing guidance for security & compliance.
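A DLP policy following the create, test, then tune sequence the linked guidance is named after: it starts in test mode with user notifications, blocks external sharing of credit card numbers once enforced, and is switched to enforcement only after the test-mode reports have been reviewed. This is an added example, not code from the Microsoft article; it uses Security & Compliance PowerShell, and the policy name and the incident report mailbox are placeholders.

```powershell
# Added example, not from the Microsoft article. Creates a DLP policy in test mode,
# adds a rule for externally shared credit card numbers, then enables enforcement.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder admin

# 1. Policy in TestWithNotifications: users get policy tips and incident reports are
#    generated, but nothing is blocked yet, so false positives can be tuned first
New-DlpCompliancePolicy -Name 'Credit card protection' `
    -Comment 'Added example: blocks external sharing of payment card data' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# 2. Rule: at least one high-confidence credit card number, shared outside the org.
#    The built-in "Credit Card Number" type includes a checksum, which keeps random
#    16-digit strings from matching.
New-DlpComplianceRule -Name 'Block external credit card sharing' -Policy 'Credit card protection' `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1'; minConfidence = '85' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier, Owner `
    -NotifyPolicyTipCustomText 'This item contains payment card data and cannot be shared outside Contoso.' `
    -GenerateIncidentReport 'compliance-alerts@contoso.example' `
    -IncidentReportContent Title, Detections, RulesMatched `
    -ReportSeverityLevel High

# 3. Only after reviewing the test-mode incident reports: enforce
Set-DlpCompliancePolicy -Identity 'Credit card protection' -Mode Enable

# Check the policy mode and the rule's blocking settings
Get-DlpCompliancePolicy -Identity 'Credit card protection' | Format-List Name, Mode
Get-DlpComplianceRule -Policy 'Credit card protection' |
    Format-List Name, BlockAccess, AccessScope, NotifyUser
```

Keeping step 3 separate from steps 1 and 2 is deliberate: the time spent in test mode is where the rule's sensitivity is tuned against real traffic, and a rule that blocks on day one with a badly chosen threshold trains users to work around DLP rather than with it.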

Detect and act on insider risks

More and more, employees have increasing access to create, manage, and share data across a broad spectrum of platforms and services. In most cases, organizations have limited resources and tools to identify and mitigate organization-wide risks while also meeting compliance requirements and employee privacy standards. These risks may include data theft by departing employees and leaks of information outside your organization through accidental oversharing or malicious intent.

Insider risk management in Microsoft 365 uses the full breadth of service and third-party indicators to help you quickly identify, triage, and act on risky user activity. By using logs from Microsoft 365 and Microsoft Graph, insider risk management allows you to define specific policies to identify risk indicators and to take action to mitigate these risks.

For step-by-step guidance to plan and configure insider risk management policies, see Plan for insider risk management and Get started with insider risk management. For insider risk management licensing information, see Microsoft 365 licensing guidance for security & compliance.