Compliance score calculation

In this article: Learn how Compliance Manager calculates a compliance score for your organization. This article explains how to interpret your score, what the Data Protection Baseline assessment includes, how continuous monitoring works, and how different types of actions are managed and scored.

Important

Recommendations from Compliance Manager should not be interpreted as a guarantee of compliance. It is up to you to evaluate and validate the effectiveness of customer controls per your regulatory environment. These services are subject to the terms and conditions in the Online Services Terms. See also Microsoft 365 licensing guidance for security and compliance.

How to read your compliance score

The Compliance Manager dashboard displays your overall compliance score. This score measures your progress in completing the recommended improvement actions within controls. Your score can help you understand your current compliance posture. It can also help you prioritize actions based on their potential to reduce risk.

A score value is assigned at three levels:

  1. Improvement action score: each action has a different impact on your score depending on the potential risk involved.

  2. Control score: this score is the sum of points earned by completing improvement actions within the control. This sum is applied in its entirety to your overall compliance score when the control meets both of the following conditions:

    • Implementation Status equals Implemented or Alternative Implementation, and
    • Test Result equals Passed.

  3. Assessment score: this score is the sum of your control scores. It is calculated using action scores. Each Microsoft action and each improvement action managed by your organization is counted once, regardless of how often it is referenced in a control.

The overall compliance score is calculated using action scores, where each Microsoft action is counted once, each technical action you manage is counted once, and each non-technical action you manage is counted once per group. This logic is designed to provide the most accurate accounting of how actions are implemented and tested in your organization. You may notice that this can cause your overall compliance score to differ from the average of your assessment scores. Read more below about how actions are scored.

Initial score based on Microsoft 365 data protection baseline

Compliance Manager gives you an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance. It draws elements primarily from NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and ISO (International Organization for Standardization), as well as from FedRAMP (Federal Risk and Authorization Management Program) and GDPR (General Data Protection Regulation of the European Union).

Your initial score is calculated according to the default Data Protection Baseline assessment provided to all organizations. Upon your first visit, Compliance Manager is already collecting signals from your Microsoft 365 solutions. You'll see at a glance how your organization is performing relative to key data protection standards and regulations, and see suggested improvement actions to take.

Because every organization has specific needs, Compliance Manager relies on you to set up and manage assessments to help minimize and mitigate risk as comprehensively as possible.

How Compliance Manager continuously assesses controls

Compliance Manager automatically scans your Microsoft 365 environment and detects your system settings, continuously and automatically updating the status of your technical actions. Microsoft Secure Score is the underlying engine that performs the monitoring.

Your action status is updated on your dashboard every 24 hours. Once you follow a recommendation to implement a control, you'll typically see the control status updated the next day.

For example, if you turn on multi-factor authentication (MFA) in the Azure AD portal, Compliance Manager detects the setting and reflects it in the details of the Control access solution. Conversely, if you didn't turn on MFA, Compliance Manager flags that as a recommended action for you to take.

Learn more about Secure Score and how it works.

Action types and points

Compliance Manager tracks two types of actions:

  1. Your improvement actions: actions that your organization manages.
  2. Microsoft actions: actions that Microsoft manages.

Both types of actions have points that count toward your overall score when completed.

Technical and non-technical actions

Actions are grouped by whether they are technical or non-technical in nature. The scoring impact of each action differs by type.

  • Technical actions are implemented by interacting with the technology of a solution (for example, changing a configuration). The points for a technical action are granted once per action, regardless of how many groups it belongs to.

  • Non-technical actions are managed by your organization and implemented in ways other than working with the technology of a solution. There are two types of non-technical actions: documentation and operational. The points for these actions are applied to your compliance score at the group level. This means that if an action exists in multiple groups, you receive the action's point value each time you implement it within a group.

Example of how technical and non-technical actions are scored:

Let's say you have a technical action worth 3 points that exists in 5 groups, and a non-technical action worth 3 points that exists in the same 5 groups.

If you successfully implement the technical action, the total number of points you receive is 3. This is because you only need to implement the action once for your tenant. The implementation and test status for the technical action will be the same in every instance of that action, in every group it belongs to.

If you successfully implement the non-technical action in each of the 5 groups, the total number of points you receive is 15. This is because you need to implement the action in each group. The implementation and test status for the non-technical action can differ across groups, because the action is implemented separately within each of its groups.

This scoring logic is designed to provide the most accurate accounting of how actions are implemented and tested in your organization.

How score values are determined

Actions are assigned a score value based on whether they're mandatory or discretionary, and whether they're preventative, detective, or corrective.

Mandatory and discretionary actions

  • Mandatory actions can't be bypassed, either intentionally or accidentally. An example of a mandatory action is a centrally managed password policy that sets requirements for password length, complexity, and expiration. Users must follow these requirements to access the system.

  • Discretionary actions rely upon users to understand and adhere to a policy. For example, a policy requiring users to lock their computer when they leave it is a discretionary action because it relies on the user.

Preventative, detective, and corrective actions

  • Preventative actions address specific risks. For example, protecting information at rest using encryption is a preventative action against attacks and breaches. Separation of duties is a preventative action to manage conflict of interest and guard against fraud.

  • Detective actions actively monitor systems to identify irregular conditions or behaviors that represent risk, or that can be used to detect intrusions or breaches. Examples include system access auditing and privileged administrative actions. Regulatory compliance audits are a type of detective action used to find process issues.

  • Corrective actions try to keep the adverse effects of a security incident to a minimum, take corrective action to reduce the immediate effect, and reverse the damage if possible. Privacy incident response is a corrective action to limit damage and restore systems to an operational state after a breach.

Each action has an assigned value in Compliance Manager based on the risk it represents:

Type                         Assigned score
Preventative mandatory       27
Preventative discretionary   9
Detective mandatory          3
Detective discretionary      1
Corrective mandatory         3
Corrective discretionary     1

Compliance Manager action point values
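As an added example (not part of the original article and not Compliance Manager's own code), the following Python models the counting rules described under "Technical and non-technical actions" together with the point values from the table above: a control's points apply only when it is Implemented or Alternative Implementation and its test result is Passed, a technical action counts once across all groups, and a non-technical action counts once per group. The action names, the group labels and the "points possible" denominator are constructed assumptions.

```python
from dataclasses import dataclass

# Point values per action type, taken from the table on this page.
POINTS = {
    ("preventative", "mandatory"): 27, ("preventative", "discretionary"): 9,
    ("detective", "mandatory"): 3, ("detective", "discretionary"): 1,
    ("corrective", "mandatory"): 3, ("corrective", "discretionary"): 1,
}

@dataclass
class ActionInstance:
    """One occurrence of an improvement action within one group (constructed model)."""
    action_id: str
    kind: str          # "preventative" | "detective" | "corrective"
    enforcement: str   # "mandatory" | "discretionary"
    technical: bool    # technical: counted once overall; non-technical: once per group
    group: str
    status: str        # implementation status, e.g. "Implemented"
    test_result: str   # e.g. "Passed"

def earns_points(inst):
    """Points apply only when implemented (or alternatively implemented) AND tested Passed."""
    return (inst.status in ("Implemented", "Alternative Implementation")
            and inst.test_result == "Passed")

def count_points(instances, only_earned):
    """Sum values with the page's rule: a technical action counts once across all
    groups, a non-technical action counts once in every group it appears in."""
    seen_technical, total = set(), 0
    for inst in instances:
        if only_earned and not earns_points(inst):
            continue
        if inst.technical:
            if inst.action_id in seen_technical:
                continue
            seen_technical.add(inst.action_id)
        total += POINTS[(inst.kind, inst.enforcement)]
    return total

def compliance_score(instances):
    """Return (points earned, points possible); 'possible' applies the same
    counting rule to every instance, which is an assumption, not page text."""
    return count_points(instances, True), count_points(instances, False)

# Constructed sample reproducing the page's example: a 3-point technical action
# and a 3-point non-technical action, both present in the same five groups.
GROUPS = ["G1", "G2", "G3", "G4", "G5"]
SAMPLE = [ActionInstance("audit-logging", "detective", "mandatory", True, g,
                         "Implemented", "Passed") for g in GROUPS]
SAMPLE += [ActionInstance("incident-response-plan", "corrective", "mandatory", False, g,
                          "Implemented", "Passed") for g in GROUPS]
```

Running `compliance_score(SAMPLE)` yields 18 points earned out of 18 possible: 3 for the technical action counted once, plus 3 in each of the 5 groups for the non-technical action.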