Describe compliance features in Microsoft 365 – Describe the Trust, Privacy, Risk, and Compliance Solutions of Microsoft 365


Describe compliance features in Microsoft 365

As organizations adopt new services, move through organizational changes such as mergers or divestitures, and conduct routine operations such as employee onboarding and offboarding, they need to make sure that they are managing their risk and compliance appropriately.

Microsoft Purview risk and compliance solutions

Microsoft Purview is an enterprise solution that unifies the Azure Purview and Microsoft 365 compliance products under a single family. Microsoft Purview includes the following broad features:

  • Unified access to compliance and risk solutions
  • Identification, classification, and protection of sensitive data
  • Regulatory compliance tracking and reporting
  • Insider risk management

Compliance features in Microsoft 365

Microsoft 365 includes many features to enable maintaining or improving compliance postures and tracking progress toward particular benchmarks or regulations. Compliance Manager, part of the Purview compliance solution set, allows you to conduct assessments, validate controls, and store documentation supporting your compliance journey.

Compliance Manager

Compliance Manager enables organizations to review and understand, under a shared responsibility model, which controls are maintained by the provider (that is, Microsoft) and which controls or actions must be completed by the customer.

A sample of the Compliance Manager dashboard is shown in Figure 10.1:

Figure 10.1 – Compliance Manager dashboard

Reorganization

To bring compliance activities into a single portal, Microsoft has integrated the standalone Compliance Manager into the Microsoft Purview compliance portal (https://compliance.microsoft.com).

Compliance Manager displays the controls (or audit items) for a given certification. It identifies which controls are managed by Microsoft and which controls the customer needs to review to confirm that they are being applied in their own organization. For each control, there is a description of what needs to be accomplished. Customers can use these descriptions to help during the assessment process.

Additionally, Compliance Manager allows organizations to upload their own documents in support of their attestation of compliance. By completing their required actions and attestations, organizations raise their compliance score. The compliance score is a risk-based scoring mechanism that measures progress in completing the actions that help reduce risk.

Compliance Manager has several templates, pre-populated with controls that are managed by both Microsoft and the customer. The default templates, included in all subscriptions (as of the time of writing), are listed as follows:

  • International Organization for Standardization (ISO) 27001:2013
  • The European Union (EU) General Data Protection Regulation (GDPR)
  • National Institute of Standards and Technology (NIST) 800-53 Revisions 4 and 5
  • Microsoft Data Protection Baseline

Additional templates, such as the ones in the following list, are available with specific premium or government subscriptions. Premium templates may be purchased as well:

  • ISO 27108:2014
  • ISO 27701:2019
  • NIST 800-171
  • NIST Cybersecurity Framework (CSF)
  • Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v3.0.1
  • The Federal Financial Institutions Examination Council (FFIEC) Information Security booklet
  • The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH; sometimes abbreviated to HITEC) Act
  • Federal Risk and Authorization Management Program (FedRAMP)
  • The California Consumer Privacy Act (CCPA)
  • The Information Security Registered Assessors Program (IRAP)/Australian Government Information Security Manual (ISM)

You can add any of these templates to Compliance Manager, and you can also build or import your own templates using Microsoft Excel.

Custom Compliance Manager Templates

Compliance Manager templates are formatted as a Microsoft Excel workbook—not a standard comma-separated values (CSV) file. The Excel workbook must have several tabs, including tabs for Assessment, ControlFamily, Actions, and Owner. You can learn more about the structure of compliance templates at https://docs.microsoft.com/en-us/microsoft-365/compliance/working-with-compliance-manager#templates.
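A quick pre-import check for a custom template, written as an added example for this chapter (it is not Microsoft's code and not part of Compliance Manager): an .xlsx file is a ZIP package, so the tab names can be read from its xl/workbook.xml part without Excel. The check only verifies that the four tab names the chapter lists are present; the constructed sample "workbook" contains just that one XML part so the script runs offline.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Tab names the chapter says a Compliance Manager template workbook must include.
REQUIRED_TABS = ("Assessment", "ControlFamily", "Actions", "Owner")

# SpreadsheetML namespace used by xl/workbook.xml inside an .xlsx package.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def sheet_names(xlsx_bytes: bytes) -> list[str]:
    """Return the worksheet (tab) names stored in an .xlsx package."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    return [s.get("name") for s in root.findall("m:sheets/m:sheet", NS)]


def missing_tabs(xlsx_bytes: bytes) -> list[str]:
    """Names from REQUIRED_TABS that the workbook lacks (tab names are case-sensitive)."""
    present = set(sheet_names(xlsx_bytes))
    return [t for t in REQUIRED_TABS if t not in present]


def build_sample_workbook(tabs) -> bytes:
    """Constructed stand-in for a template: a ZIP holding only xl/workbook.xml.

    It is NOT a complete .xlsx (no sheet parts or content types); it exists
    only so the checker can be exercised without a real template file.
    """
    sheets = "".join(
        f'<sheet name="{name}" sheetId="{i}" r:id="rId{i}"/>'
        for i, name in enumerate(tabs, start=1)
    )
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f"<sheets>{sheets}</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample_workbook(REQUIRED_TABS)
    bad = build_sample_workbook(("Assessment", "Control Family", "Actions"))
    print("complete template missing:", missing_tabs(good))  # []
    print("broken template missing:", missing_tabs(bad))     # ['ControlFamily', 'Owner']
```

For a real template, replace the constructed bytes with the contents of the .xlsx file; the same two functions apply unchanged.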

Compliance Manager allows organizations to assign and track compliance-related activities, such as managing evidence or artifacts that can later be provided to auditors. While Compliance Manager does not guarantee that an organization is compliant with a given standard or regulation, it certainly helps customers along the compliance journey.

To learn more about configuring Compliance Manager templates and controls, see https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-overview.
