{"id":1562,"date":"2018-08-01T01:00:00","date_gmt":"2018-08-01T01:00:00","guid":{"rendered":"http:\/\/inswwdev.azurewebsites.net\/au\/insights\/uncategorized\/service-trust-portal\/"},"modified":"2018-08-01T01:00:00","modified_gmt":"2018-08-01T01:00:00","slug":"service-trust-portal","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/secure-workplace\/service-trust-portal\/","title":{"rendered":"Service Trust Portal"},"content":{"rendered":"

It seems that every year a new piece of major legislation passes that causes businesses to stop and really think about the way they address compliance. Many small and mid-sized organisations don\u2019t have the resources to either employ dedicated staffing departments to track and audit legislative compliance or outsource their compliance requirements to specialist organisations.<\/p>\n

If that\u2019s the case for you, Microsoft may be able to help.\u00a0 The\u00a0<\/span>Microsoft Service Trust Portal<\/a>\u00a0<\/span>(STP) provides a variety of content, tools and other resources about Microsoft security, privacy and compliance practices. Along with that, they provide information on how their online services can help organisations maintain and track compliance with various standards, laws, and regulations. While the STP is a free resource, access to the really cool stuff (cool for compliance nerds anyway!) requires a Microsoft Cloud Services account in the form of a paid subscription to Office 365 or a free Microsoft account.<\/p>\n

Detailing the amount of information available in the STP is beyond the scope of this blog, but I did want to highlight the Compliance Manager component. Compliance Manager is a workflow-based risk assessment tool designed to help you manage regulatory compliance within what Microsoft describes as their \u201cshared responsibility model\u201d for cloud services. This model highlights the fact that there are commitments that Microsoft makes, and that there are responsibilities you have has the cloud service administrator.<\/p>\n

COMPLIANCE MANAGER<\/span><\/h3>\n

The Compliance Manager dashboard provides a Compliance Score and a summary of your data protection and compliance posture as measured against various standards and data protection regulations. It includes recommended actions to improve data protection and compliance for your organisation and allows you to capture all your compliance processes and artefacts in a single location.<\/p>\n

\"\"<\/p>\n

Figure 1 \u2013 Compliance Manager Dashboard Source: Microsoft<\/p>\n

Compliance Manager uses Assessments and Compliance Scores as the basis for managing your compliance activities. Assessments apply to one of the Microsoft cloud services and either a standard (ie ISO-27001-2013) or a regulation (ie GDPR).<\/p>\n

When you first login to Compliance Manger, the ISO 27001:2013, ISO 27018:2014 and GDPR for the Azure cloud service and ISO 27001:2013, NIST 800-53, and GDPR for the Office 365 cloud service Assessments are automatically added. At the time of writing, the cloud services available are Azure, Office 365, Dynamics and Professional Services.<\/p>\n

Compliance Score within Compliance Manager helps you to figure out what actions you can take to improve your organisation\u2019s compliance posture. It is a risk-based score that is calculated on Assessment activity. It looks at whether each assessed control is Preventive, Detective, or Corrective and whether it is Mandatory or Discretionary. It also considers the impact of control failure on the confidentiality, integrity, and availability of data, and factors in the legal and regulatory risks arising from control failure.<\/p>\n

\"\"<\/p>\n

Figure 2 \u2013 Compliance Manager Compliance Score Source: Microsoft<\/p>\n

Each Assessment provides information on the Microsoft Cloud Service and standard\/regulation that is covered and is divided into Microsoft Managed Actions and Customer Managed Actions.<\/p>\n

\"\"<\/p>\n

Figure 3 \u2013 Compliance Manager Assessments Source: Microsoft<\/p>\n

The Microsoft Managed Controls section of the Assessment provides details on each of the controls assessed, how Microsoft implemented and tested the control, and when and who assessed compliance.<\/p>\n

While that information is important for businesses, it\u2019s the Customer Managed Controls section that offers real value for organisations. This section provides you with recommended actions that your organisation can take along with tools to facilitate data protection and compliance management. Each family of controls includes control IDs, titles and descriptions, and the Compliance Score for the control. Each control also includes workflow, tracking, and evidence gathering features that enable you to:<\/p>\n