Security Control V2: Governance and Strategy

Governance and Strategy provides guidance for ensuring a coherent security strategy and a documented governance approach to guide and sustain security assurance, including establishing roles and responsibilities for the different cloud security functions, a unified technical strategy, and supporting policies and standards.

GS-1: Define asset management and data protection strategy

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
GS-1     | 2, 13                   | SC, AC

Ensure you document and communicate a clear strategy for continuous monitoring and protection of systems and data. Prioritize discovery, assessment, protection, and monitoring of business-critical data and systems.

This strategy should include documented guidance, policy, and standards for the following elements:

  • Data classification standard in accordance with the business risks

  • Security organization visibility into risks and asset inventory

  • Security organization approval of Azure services for use

  • Security of assets throughout their lifecycle

  • Required access control strategy in accordance with organizational data classification

  • Use of Azure native and third-party data protection capabilities

  • Data encryption requirements for in-transit and at-rest use cases

  • Appropriate cryptographic standards

For more information, see the following references:

Responsibility: Customer

Customer Security Stakeholders:

GS-2: Define enterprise segmentation strategy

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
GS-2     | 4, 9, 16                | AC, CA, SC

Establish an enterprise-wide strategy for segmenting access to assets using a combination of identity, network, application, subscription, management group, and other controls.

Carefully balance the need for security separation with the need to enable daily operation of the systems that must communicate with each other and access data.

Ensure that the segmentation strategy is implemented consistently across control types, including network security, identity and access models, application permission/access models, and human process controls.

Responsibility: Customer

Customer Security Stakeholders:

GS-3: Define security posture management strategy

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
GS-3     | 20, 3, 5                | RA, CM, SC

Continuously measure and mitigate risks to your individual assets and the environment they are hosted in. Prioritize high-value assets and highly exposed attack surfaces, such as published applications, network ingress and egress points, and user and administrator endpoints.

Responsibility: Customer

Customer Security Stakeholders:

GS-4: Align organization roles, responsibilities, and accountabilities

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
GS-4     | N/A                     | PL, PM

Ensure you document and communicate a clear strategy for roles and responsibilities in your security organization. Prioritize providing clear accountability for security decisions, educating everyone on the shared responsibility model, and educating technical teams on the technology used to secure the cloud.

Responsibility: Customer

Customer Security Stakeholders:

GS-5: Define network security strategy

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
GS-5     | 9                       | CA, SC

Establish an Azure network security approach as part of your organization's overall security access control strategy.

This strategy should include documented guidance, policy, and standards for the following elements:

  • Centralized network management and security responsibility

  • Virtual network segmentation model aligned with the enterprise segmentation strategy

  • Remediation strategy for different threat and attack scenarios

  • Internet edge and ingress and egress strategy

  • Hybrid cloud and on-premises interconnectivity strategy

  • Up-to-date network security artifacts (e.g. network diagrams, reference network architecture)

For more information, see the following references:

Responsibility: Customer

Customer Security Stakeholders:

GS-6: Define identity and privileged access strategy

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
GS-6     | 16, 4                   | AC, AU, SC

Establish an Azure identity and privileged access approach as part of your organization's overall security access control strategy.

This strategy should include documented guidance, policy, and standards for the following elements:

  • A centralized identity and authentication system and its interconnectivity with other internal and external identity systems

  • Strong authentication methods for different use cases and conditions

  • Protection of highly privileged users

  • Monitoring and handling of anomalous user activity

  • User identity and access review and reconciliation process

For more information, see the following references:

Responsibility: Customer

Customer Security Stakeholders:

GS-7: Define logging and threat response strategy

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
GS-7     | 19                      | IR, AU, RA, SC

Establish a logging and threat response strategy to rapidly detect and remediate threats while meeting compliance requirements. Prioritize providing analysts with high-quality alerts and seamless experiences so that they can focus on threats rather than on integration and manual steps.

This strategy should include documented guidance, policy, and standards for the following elements:

  • The security operations (SecOps) organization's role and responsibilities

  • A well-defined incident response process aligned with NIST or another industry framework

  • Log capture and retention to support threat detection, incident response, and compliance needs

  • Centralized visibility of, and correlation of, information about threats, using SIEM, native Azure capabilities, and other sources

  • Communication and notification plan for your customers, suppliers, and public parties of interest

  • Use of Azure native and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication

  • Processes for handling incidents and post-incident activities, such as lessons learned and evidence retention

For more information, see the following references:

Responsibility: Customer

Customer Security Stakeholders:

GS-8: Define backup and recovery strategy

Azure ID | CIS Controls v7.1 ID(s) | NIST SP800-53 r4 ID(s)
GS-8     | 10                      | CP

Establish an Azure backup and recovery strategy for your organization.

This strategy should include documented guidance, policy, and standards for the following elements:

  • Recovery time objective (RTO) and recovery point objective (RPO) definitions in accordance with your business resiliency objectives

  • Redundancy design in your applications and infrastructure setup

  • Protection of backups using access control and data encryption

For more information, see the following references:

Responsibility: Customer

Customer Security Stakeholders: