It seems that every year a new piece of major legislation passes that causes businesses to stop and really think about the way they address compliance. Many small and mid-sized organisations don’t have the resources to either employ dedicated staffing departments to track and audit legislative compliance or outsource their compliance requirements to specialist organisations.
If that’s the case for you, Microsoft may be able to help. The Microsoft Service Trust Portal (STP) provides a variety of content, tools and other resources about Microsoft security, privacy and compliance practices. Along with that, they provide information on how their online services can help organisations maintain and track compliance with various standards, laws, and regulations. While the STP is a free resource, access to the really cool stuff (cool for compliance nerds anyway!) requires a Microsoft Cloud Services account in the form of a paid subscription to Office 365 or a free Microsoft account.
Detailing the amount of information available in the STP is beyond the scope of this blog, but I did want to highlight the Compliance Manager component. Compliance Manager is a workflow-based risk assessment tool designed to help you manage regulatory compliance within what Microsoft describes as their “shared responsibility model” for cloud services. This model highlights the fact that there are commitments that Microsoft makes, and that there are responsibilities you have has the cloud service administrator.
COMPLIANCE MANAGER
The Compliance Manager dashboard provides a Compliance Score and a summary of your data protection and compliance posture as measured against various standards and data protection regulations. It includes recommended actions to improve data protection and compliance for your organisation and allows you to capture all your compliance processes and artefacts in a single location.
Figure 1 – Compliance Manager Dashboard Source: Microsoft
Compliance Manager uses Assessments and Compliance Scores as the basis for managing your compliance activities. Assessments apply to one of the Microsoft cloud services and either a standard (ie ISO-27001-2013) or a regulation (ie GDPR).
When you first login to Compliance Manger, the ISO 27001:2013, ISO 27018:2014 and GDPR for the Azure cloud service and ISO 27001:2013, NIST 800-53, and GDPR for the Office 365 cloud service Assessments are automatically added. At the time of writing, the cloud services available are Azure, Office 365, Dynamics and Professional Services.
Compliance Score within Compliance Manager helps you to figure out what actions you can take to improve your organisation’s compliance posture. It is a risk-based score that is calculated on Assessment activity. It looks at whether each assessed control is Preventive, Detective, or Corrective and whether it is Mandatory or Discretionary. It also considers the impact of control failure on the confidentiality, integrity, and availability of data, and factors in the legal and regulatory risks arising from control failure.
Figure 2 – Compliance Manager Compliance Score Source: Microsoft
Each Assessment provides information on the Microsoft Cloud Service and standard/regulation that is covered and is divided into Microsoft Managed Actions and Customer Managed Actions.
Figure 3 – Compliance Manager Assessments Source: Microsoft
The Microsoft Managed Controls section of the Assessment provides details on each of the controls assessed, how Microsoft implemented and tested the control, and when and who assessed compliance.
While that information is important for businesses, it’s the Customer Managed Controls section that offers real value for organisations. This section provides you with recommended actions that your organisation can take along with tools to facilitate data protection and compliance management. Each family of controls includes control IDs, titles and descriptions, and the Compliance Score for the control. Each control also includes workflow, tracking, and evidence gathering features that enable you to:
- Assign implementation or verification tasks to individuals within your organisation;
- Enter implementation details, test plan information, test details, implementation, and test dates, and test results;
- Upload evidence to verify compliance activities and control implementations.
Each activity performed in an Assessment increases your organisations overall Compliance Score. Once completed, the Assessment results are reflected on the Assessment Dashboard, along with a final Compliance Score for the Assessment.
ALL GOOD, BUT A COUPLE OF GOTCHAS…
There are a few things that you need to be aware of before you start.
Firstly, by default, all users have access to the data entered and uploaded into the Compliance Manager. If this is not appropriate for your organisation you can assign appropriate roles to your users via the Admin tab.
Secondly, any data entered or uploaded into the Compliance Manager is stored in the United States on Tier C Microsoft Cloud Storage (for details on Microsoft’s Tier C compliance commitments, see this document).
Finally, it’s important you take note of Microsoft’s disclaimer that following the recommendations is not necessarily a guarantee of compliance, and you should seek legal advice if needed.
Figure 4- Compliance Manager Disclaimer Source: Provided
If you are drinking from the firehose that is your compliance responsibilities, why not take a break and check out the Microsoft Secure Trust Portal and Compliance Manager. Of course, don’t hesitate to reach out if you need further assistance.
