Gain customer trust through transparency with Service Assurance

Author: August Washington

1 Gain customer trust through transparency with Service Assurance
Microsoft Ignite 2016 | 12/15/2017 1:15 PM | THR3006
Om Vaiti, Senior Program Manager
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Service assurance
- Understand Microsoft's investments in security, compliance, and privacy
- Learn how Microsoft protects your data
- Perform on-demand risk assessments, and secure your tenant

3 Defense in depth
Security management controls at each layer:
- Data: threat and vulnerability management, security monitoring and response, access control and monitoring, file/data integrity, encryption
- User: account management, training and awareness, screening
- Application: secure engineering (SDL), access control and monitoring, anti-malware
- Host: access control and monitoring, anti-malware, patch and configuration management
- Internal network: dual-factor authentication, intrusion detection, vulnerability scanning
- Network perimeter: edge routers, firewalls, intrusion detection, vulnerability scanning
- Facility: physical controls, video surveillance, access control

4 Global compliance with focus
Foundational: ISO 27001, SOC 1 Type 2, SOC 2 Type 2, ISO 27018, Cloud Controls Matrix, FedRAMP JAB P-ATO
Industry: 21 CFR Part 11, HIPAA / HITECH, FIPS 140-2, FERPA, DISA Level 2, CJIS, IRS 1075, ITAR-ready
Focused: European Union Model Clauses, United Kingdom G-Cloud, Singapore MTCS Level 1, Australian Signals Directorate, Japan Financial Services, China Multi Layer Protection Scheme, China CCCPPF, New Zealand GCIO, GB 18030, EU Safe Harbor, ENISA IAF

5 Built-in privacy
- Where is my data stored? Data center maps, data maps
- Who has access to my data? Customer Lockbox and feature innovation (Lockbox / Customer Lockbox)
- How do I monitor privacy effectiveness? Activity logging and reporting capabilities, Service Assurance / Management Activity API

6 On-demand risk assessment
Customer questions and needs:
- Will the service be continuously monitored for SaaS compliance?
- Need deeper security, privacy, and compliance insights in SaaS compliance
- Need on-demand access to audit reports
- How can I protect my cloud tenant?
- How does Microsoft protect my data?
- How do I protect my tenant?
- Need to complete a risk assessment before onboarding to the service
- Will the service be compliant with security and privacy regulations?
- Need the ability to provide feedback
- Need help to pass our own internal audit
- Will my sensitive data be secure enough?

7 Introducing the Service Assurance platform

8 Service Assurance platform
Gaining your trust with transparency: helping you to stay secure and compliant.
Service Assurance provides you with insight into two of the most important questions around Microsoft Cloud security:
- How is your data protected by Microsoft?
- How can you protect your cloud tenant?
You get to give us feedback. Please do!
Service Assurance will help you to efficiently perform risk assessments, improve security, and increase usage of your Microsoft Cloud investments and subscriptions.

9 Service Assurance: Discovery
Improves trust by making information more accessible and tailored to you.
- Discovery: discover information relevant to the customer
- Deep insights: deep insights for conducting security assessments
- Transparency: unparalleled transparency across cloud providers

10 Service Assurance: Service compliance reports – live!
Discover information that is relevant to you.
- A powerful combination of how you can manage the security and governance of your data with how Microsoft Cloud complies with the regulatory standards relevant to you
- Service compliance reports based on your industry as well as your geography
- Service compliance reports across the Microsoft Cloud stack: Azure, Dynamics CRM, and Office 365

11 Service Assurance: Deep Insights
Improves trust by making information more accessible and tailored to you.
- Discovery: discover information relevant to the customer
- Deep insights: deep insights for conducting security assessments
- Transparency: unparalleled transparency across cloud providers

12 Service Assurance: Trust Documents – live!
Deep insights to perform security assessments and protect data.
- Deep insights into how Microsoft protects your data against threats, as well as how you can protect your data by implementing the controls you own
- Exclusive content based on your participation in Microsoft programs
- FAQs, whitepapers, security control implementation guides, and risk management reports

13 Service Assurance: Transparency
Improves trust by making information more accessible and tailored to you.
- Discovery: discover information relevant to the customer
- Deep insights: deep insights for conducting security assessments
- Transparency: unparalleled transparency across cloud providers

14 Status of audited controls
Security and Compliance Center > Service Assurance > Audited Controls (other tabs: Compliance Reports, Trust Documents, Security Policies, Data Management Reports; Export)
Use this page to understand the status of audited controls from global information security standards and regulations that Office 365 has implemented. Select the standards and regulations to view the controls and understand how independent third-party auditors tested them and what the results were.

Standard name | Description | Last tested | Number of controls tested | Test results
ISO 27001 | This standard gives you an understanding of how Office 365 manages the security of your data and how our information security management / risk management system is implemented, controlled and tested. | 10/30/2015 | 247 | No findings
ISO 27018 | This standard gives you an understanding of how Office 365 has implemented controls to protect Personally Identifiable Information (PII). | 11/31/2015 | 158 | No findings
NIST | This is the most comprehensive global information security control standard; it provides guidance on how Office 365 has implemented and tested 1000+ security, compliance, and privacy controls to protect your data. | 02/23/2016 | 1120 | 16 low-risk findings
SSAE 16 / SOC 1 | Same description as the NIST row. | 07/31/2015 | 185 | 1 low-risk finding
AT 101 / SOC 2 | Same description as the NIST row. | 07/31/2015 | 230 | 2 low-risk findings
CSA CCM | Same description as the NIST row. | 02/23/2016 | 155 | No findings

15 There were no findings reported
Security and Compliance Center > Service Assurance > Audited Controls. Search controls by keyword or identification number. View only controls with findings: Off. Result: "There were no findings reported."
Control areas:
- A.5 Information Security Policies – 6 controls
- A.6 Organization of Information Security – 18 controls
- A.7 Human Resource Security – 10 controls
- A.8 Asset Management – 15 controls
- A.9 Access Control – 28 controls
- A.10 Cryptography – 14 controls
- A.11 Physical and Environmental Security – 11 controls
- A.12 Operations Security – 23 controls
- A.13 Communications Security – 16 controls

17 There were no findings reported
Security and Compliance Center > Service Assurance > Audited Controls. Search controls by keyword or identification number. View only controls with findings: Off. Result: "There were no findings reported."
A.5 Information Security Policies – 6 controls (expanded)
Examine the implementation and periodic management review of Office 365 security policies, to ensure we continue to secure your data with an effective information security management / risk management system.
- A.5.1 A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
- A.5.2 The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
- A.5.3 All information security responsibilities shall be defined and allocated.
- A.5.4 Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
- A.5.5 Appropriate contacts with relevant authorities shall be maintained.
- A.5.6 Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
A.6 Organization of Information Security – 18 controls (collapsed)
A.7 Human Resource Security – 10 controls (collapsed)
A.8 Asset Management – 15 controls (collapsed)

19 Trust Dashboard – ISO 27001
Security and Compliance Center > Service Assurance > Audited Controls
Below you can examine the 13 information security control areas across which Office 365 has implemented 247 controls to protect the confidentiality, integrity, and availability of your data. By clicking on individual controls you can examine implementation details, test plans, and testing status for each control.
Search controls by keyword or identification number. View only controls with findings: Off. Result: "There were no findings reported."
Control tree: Information Security Policies – 6 controls (expanded: A.5.1 policies defined, approved and communicated; A.5.2 policies reviewed at planned intervals; A.5.3 responsibilities defined and allocated; A.5.4 conflicting duties segregated; A.5.5 contacts with relevant authorities; A.5.6 contacts with special interest groups); Organization of Information Security – 18 controls; Human Resource Security – 10 controls; Asset Management – 15 controls.

Control Implementation and Testing Details – A.5.1: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
Office 365 Control Framework #: AP-01 | Test status: Passed | Test date: 11/31/2015 | Tested by: British Standards International

Control implementation details:
Microsoft develops, documents, and distributes a security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Microsoft and Office 365 security policies exist in order to provide Office 365 staff and contractor staff with a current set of clear and concise information security policies. These policies provide direction for the appropriate protection of Office 365. The Office 365 information security policy has been reviewed, approved, and endorsed by Office 365 management. Each management-endorsed version of the Microsoft and Office 365 security policies and subsequent updates are distributed to the relevant stakeholders. These security policies are made available for review to new and existing Office 365 staff. Office 365 staff represent that they have reviewed, and agree to adhere to, policies stated within the Microsoft and Office 365 information security policy documents. Office 365 contractor staff also agree to adhere to the relevant policies stated within the Microsoft and Office 365 security policies. Should one of these parties not have access to this policy for any reason, the supervising Office 365 agent is responsible for distributing the policy to them. A customer-facing version of the Microsoft security policy is made available for customer review through the Office 365 Security & Compliance Center and the Microsoft Cloud Service Trust Portal.

Testing performed to evaluate control effectiveness:
Examined the Microsoft and Office 365 information security policies and determined that Office 365 developed and documented a security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. In addition, viewed a screenshot of the accompanying approval signature page and confirmed that the documents were reviewed and approved. A demonstration of the SharePoint document repository provided during interviews with senior program managers confirmed that the policy and procedures documentation was managed, updated, and made available via SharePoint to Office 365 staff and contractor staff. Reviewed and validated that the policies listed below existed and confirmed that the documents address purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance. In addition, a review of samples of the associated standard operating procedures confirmed that these documents provided additional granularity, policy clarification (engineering guidance), and articulated the details of what was expected from each Office 365 team.
- Microsoft Security Policy
- Office 365 Information Security Policy
- Office 365 Awareness & Training Policy
- Office 365 Audit & Logging Policy (Office 365 audit and accountability)
- Office 365 Security Assessment and Authorization Policy

21 There were no findings reported
Security and Compliance Center > Service Assurance > Audited Controls. Search box: "Policies". View only controls with findings: Off. Result: "There were no findings reported."
Control areas:
- A.5 Information Security Policies – 6 controls
- A.6 Organization of Information Security – 18 controls
- A.7 Human Resource Security – 10 controls
- A.8 Asset Management – 15 controls
- A.9 Access Control – 28 controls
- A.10 Cryptography – 14 controls
- A.11 Physical and Environmental Security – 11 controls
- A.12 Operations Security – 23 controls
- A.13 Communications Security – 16 controls

23 There were no findings reported
Security and Compliance Center > Service Assurance > Audited Controls. Search box: "Policies". View only controls with findings: Off. Result: "There were no findings reported."
Controls matching the search:
- A.5 Information Security Policies – 2 controls (expanded)
  Examine the implementation and periodic management review of Office 365 security policies, to ensure we continue to secure your data with an effective information security management / risk management system.
  - A.5.1 A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
  - A.5.2 The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
- A.6 Organization of Information Security – 1 control (collapsed)
- A.8 Human Resource Security – 2 controls (collapsed)
- A.10 Asset Management – 3 controls (collapsed)

26 Just view 5 findings noted
Security and Compliance Center > Service Assurance > Audited Controls. Search controls by keyword or identification number. View only controls with findings: Off (hint: "Just view 5 findings noted").
Control areas:
- A.5 Information Security Policies – 6 controls
- A.6 Organization of Information Security – 18 controls
- A.7 Human Resource Security – 10 controls
- A.8 Asset Management – 15 controls
- A.9 Access Control – 28 controls
- A.10 Cryptography – 14 controls
- A.11 Physical and Environmental Security – 11 controls
- A.12 Operations Security – 23 controls
- A.13 Communications Security – 16 controls

28 Security and Compliance Center - Service Assurance - Audited Controls: Status of audited controls
Home: Use this page to understand the status of audited controls from global information security standards and regulations that Office 365 has implemented. Select the standards and regulations to view the controls and understand how independent third-party auditors tested them and what the results were.
Navigation: Audited Controls | Compliance Reports | Trust Documents | Security Policies | Data Management Reports
Search controls by keyword or identification number
Filter "View only controls with findings": On (Just view 5 findings noted)
Controls with findings, by ISO 27001 Annex A control area:
 A.5 Information Security Policies - 2 Controls
 Examine the implementation and periodic management review of Office 365 security policies to ensure we continue to secure your data with an effective information security management / risk management system.
 A.5.1 A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
 A.5.2 The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
 A.6 Organization of Information Security - 1 Control
 A.7 Human Resource Security - 1 Control
 A.8 Asset Management - 1 Control

30 Trust Dashboard - ISO 27001 (Security and Compliance Center - Service Assurance - Audited Controls)
Home: Below you can examine 13 information security control areas across which Office 365 has implemented 247 controls to protect the confidentiality, integrity, and availability of your data. By clicking on individual controls you can examine implementation details, test plans, and testing status for these controls.
Search controls by keyword or identification number
Filter "View Only Controls with Findings": Off (There were no findings reported)
Navigation: Compliance Reports | Trust Documents | Security Policies | Data Management Reports

A.5 Information Security Policies - 2 Controls
Examine the implementation and periodic management review of Office 365 security policies to ensure we continue to secure your data with an effective information security management / risk management system.
 A.5.1 A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
 A.5.2 The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
A.6 Organization of Information Security - 1 Control
A.7 Human Resource Security - 1 Control
A.8 Asset Management - 1 Control

Control Implementation and Testing Details (A.5.1)
Control: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
 Control # / Office 365 Control Framework #: AP-01
 Test Status: Finding
 Test Date: 11/31/2015
 Tested By: British Standards Institution (BSI)

Office 365 Management Response for this finding:
The overall risk of this finding was low. Office 365 combined information security training with information security policy distribution. By combining these two activities, Office 365 was able to streamline the distribution and implementation of information security and user awareness objectives. Following further discussion with the auditors, this finding is expected to be agreed closed, pending auditor review on 9/30/2016.

Control implementation details:
Microsoft develops, documents, and distributes a security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
Microsoft and Office 365 security policies exist in order to provide Office 365 staff and contractor staff with a current set of clear and concise information security policies. These policies provide direction for the appropriate protection of Office 365. The Office 365 information security policy has been reviewed, approved, and endorsed by Office 365 management. Each management-endorsed version of the Microsoft and Office 365 security policies, and each subsequent update, is distributed to the relevant stakeholders. These security policies are made available for review to new and existing Office 365 staff. Office 365 staff represent that they have reviewed, and agree to adhere to, the policies stated within the Microsoft and Office 365 information security policy documents. Office 365 contractor staff also agree to adhere to the relevant policies stated within the Microsoft and Office 365 security policies. Should one of these parties not have access to this policy for any reason, the supervising Office 365 agent is responsible for distributing the policy to them. A customer-facing version of the Microsoft security policy is made available for customer review through the Office 365 Security & Compliance Center and the Microsoft Cloud Service Trust Portal.

Testing performed to evaluate control effectiveness:
Examined the Microsoft and Office 365 information security policies and determined that Office 365 developed and documented a security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. In addition, viewed a screenshot of the accompanying approval signature page and confirmed that the documents were reviewed and approved. A demonstration of the SharePoint document repository, provided during interviews with senior program managers, confirmed that the policy and procedures documentation was managed, updated, and made available via SharePoint to Office 365 staff and contractor staff. Reviewed and validated that the policies listed below existed and confirmed that the documents address purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance. In addition, a review of samples of the associated standard operating procedures confirmed that these documents provided additional granularity and policy clarification (engineering guidance), and articulated what was expected from each Office 365 team.

32 Service Trust / Assurance Platform - Gaining your trust with transparency: helping you to stay secure and compliant
What does this mean? Whether you are evaluating Microsoft Cloud, doing your periodic risk assessment, or trying to gauge whether you can use Microsoft Cloud in highly regulated environments, Service Assurance is your one-stop shop. It is our "transparent window" for current and prospective customers.
On-demand risk assessments: Service Assurance provides in-depth information on Microsoft Cloud's security, privacy, and compliance capabilities so that you understand how your data is protected.
Understand controls: Get control-by-control implementation details and the test plan from testing performed by independent third-party auditors.
Be secure and compliant: Understand the controls that you can implement to be secure and compliant. Understand how you can be compliant with the regulations that matter to you by onboarding to Microsoft Cloud. Understand the security features of Microsoft Cloud.

33 Stay secure and compliant
Log on to Service Assurance / the Service Trust Portal (STP):
 Service Assurance - https://aka.ms/serviceassurance
 Service Trust Portal - https://aka.ms/stphelp
Provide access to users from your org: please provide access to the information security, compliance, legal, risk management, and audit teams in your organization.
Please provide feedback! All feedback is welcome, good and critical; we want to learn from you and improve.

34 Q & A

35 Service Assurance Demo
 Service Assurance: https://aka.ms/serviceassurance
 Service Trust Portal: https://aka.ms/stphelp

36 Deploy, ramp-up on new services and onboard new users with Microsoft FastTrack:

37 Join the Microsoft Tech Community to collaborate, share, and learn from the experts:

38 Please evaluate this session
Your feedback is important to us! From your PC or Tablet visit MyIgnite at
From your phone, download and use the Ignite Mobile App by scanning the QR code above or visiting https://aka.ms/ignite.mobileapp

40 Appendix

41 Resources - Directly available to customers
 Service Assurance: https://aka.ms/serviceassurance - available to paid and trial subscriptions
 Service Trust Portal: https://aka.ms/stp - available to paid and trial Azure, Office 365, and Dynamics CRM subscriptions
Service Descriptions and Admin Portals
 Service Descriptions: https://technet.microsoft.com/en-us/library/office-365-service-descriptions.aspx
 Office 365 Security & Compliance Center - Trust Center
 Online Service Terms
 Ignite - Channel 9

42
“We like that you are always improving ways to protect accounts and associated data. Also, the user interface is very intuitive. Great product...easy to use!”
“I believe this report has the potential to save us 40+ hours of field / customer time. So thank you for going the extra mile here.”

43
“Thank you for making this information available. It is useful for proving compliance with various regulations.”
“This is a great resource and it’s really useful for us to give non-admins access to this information.”