Facilitate your compliance work with a new tool from Microsoft
In the day-to-day life of a company, compliance is a necessary evil. According to research, there are more than 200 updates from 750 regulatory bodies every day, a huge burden for employees trying to stay up to date with all these changes. Even when compliance and privacy officers know the legal guidelines and internal policies well, they often don't know which technology solutions can help them meet the requirements. On the other hand, IT professionals know the technology and how to use features like Data Loss Prevention and eDiscovery, but they don't know how to manage these features in the context of compliance regulations.
The lack of connection between the Compliance and IT departments is another barrier to successful work. Meanwhile, it is not enough simply to understand the rules and bring your environment into line with them; you also have to demonstrate the results to auditors. Collecting all the data for that report is a real challenge and a very time-consuming process.
Sound familiar? Don't get stressed out; you are not left out in the cold alone. When you move to the cloud, you enter the territory of shared responsibility between you and your service provider.
As you can see here, your degree of responsibility varies and is defined by the services you consume. If you are using something like Office 365 or Dynamics 365, your provider takes care of most compliance requirements. To handle the rest, a handy tool named Compliance Manager is just the ticket. The picture below shows which services and standards are supported (more are planned to be added):
What can this tool do for you?
It is designed to meet all the challenges described above. It can:
- Assess your company's risk profile: with a single dashboard, organizations can see multiple assessments and measure their performance with a Compliance Score;
- Show how your provider implements the controls under its responsibility and how they are tested by independent third-party auditors;
- Provide a recommended action plan and step-by-step instructions for the customer-managed controls, to bring your environment in line with the rules and standards;
- Provide one place where all employees responsible for compliance issues can monitor, assign, annotate and view each other's actions;
- Allow organizations to export highly detailed reports that can be presented to auditors and regulators.
Please remember, though, that this tool is intended to help you, not to do the work for you. It only provides recommendations, and following them is not a guarantee of compliance. You get tools and information to perform self-service risk assessments, but ensuring that your company adheres to legal standards and in-house policies remains your own responsibility.
How can you get this tool?
Compliance Manager can be found on the Service Trust Portal (STP) web page. Let's start with a little navigation around this site. It is a free resource where you can find various documentation, white papers and instructions that may help you protect your infrastructure. There is currently a privacy area on this site that explains what GDPR is and what you can do to enforce effective data rights management strategies and become GDPR compliant. STP has also started highlighting very good external resources on compliance, so you will surely find it useful.
To access Compliance Manager, you will have to log in to your cloud services or create a trial tenant; either way, you get this tool quickly and completely free of charge.
When may this be useful to you?
There are several cases where this tool can be useful:
- when you are doing your due diligence and evaluating Microsoft Cloud against other cloud service providers, information from STP helps you understand how Microsoft Cloud will support your security and risk policies;
- once you have moved to the cloud, this tool will help you protect your data and stay compliant;
- if you are in a regulated industry, you get a one-stop portal with all the information you need to perform your annual risk assessment;
- if you are renewing your cloud subscription and want to understand how Microsoft Cloud can continue to support your industry and regional needs, you will find that information on STP as well.
See Compliance Manager in action
This tool allows you to create assessments. Some are already there, but you can create more tiles on the dashboard to evaluate the regulations that matter to you, your region and your industry. Simply click "Add assessment", use an existing group or create a new one, and enter its name.
Then you can select whether you need data from your existing group. Let's say that in 2017 you created an assessment and collected all the results and test plans. You can copy all the test plans and evidence you gathered into next year's assessment in one step, so you don't have to recreate them; simply upload them into your new assessment.
Once you copy the existing assessment, you will be asked which Microsoft product you want to evaluate (in this example, we select Office 365) and against which certification (we choose HIPAA).
When you are done, a new tile appears on the dashboard.
The group tile you created shows 65 actions implemented by the service provider and 36 actions recommended to your organization. Each action is scored: out of a total HIPAA score of 495, you have already achieved 308 thanks to your provider. If you complete all the remaining 36 actions, you will get the full score. This score indicates how close or how far you are from being compliant with the particular regulation.
What does an assessment reveal?
When you click, for example, on the "Office 365 - GDPR" tile, you will find a lot of valuable material inside. The first part displays all the services compliant with GDPR (this list differs between assessments).
It is followed by the provider's part of the compliance work, with a very detailed description of what was implemented and how it was examined by independent third-party auditors.
What about your responsibility?
The last section provides not only a description of each control, but also the actions you can take and the Microsoft Cloud features that can be employed to implement it and become compliant. For example, take the control about securing application services on public networks. This control maps to Article 32(1)(a) and Article 5(1)(f) of GDPR, but the actions you take for this control also let you comply with 5 other certifications and earn score across all of them. Such coordination is possible thanks to a single unified control framework and is intended to minimize the amount of work you need to do across all the standards.
As you move on and click "More", you will see the detailed customer actions mentioned above that your organization is recommended to take to satisfy these control requirements. Customer actions fall into two distinct categories:
- procedural actions (explaining what the organization's responsibility is);
- technical configuration involving various Microsoft Cloud features (with links to whet your curiosity on how to implement a certain control; for example, Office 365 Message Encryption for the GDPR control we are discussing here).
What can you do to become compliant?
After the privacy officer has gone through this information, he or she can take decisive action and... assign this control to your tenant admin or security operations folks :) On this very page a priority can be selected, which is very useful when you are assigning multiple tasks to the same people and want to give them a heads-up as to which ones are more important. Priority can be chosen either based on the compliance score, which guides you and gives you a baseline for deciding which control to implement first, or based on your company's risk profile.
Once the privacy officer selects the priority, leaves his or her notes and hits "Assign", an e-mail is sent to the tenant admin or security operations person.
The e-mail contains a link to Compliance Manager, and after authentication the IT specialist will see the scope of work he or she needs to complete. The IT specialist's actions can range from implementing and reviewing business policies to implementing and configuring technology features within the cloud. Once the assignment is done, the status can be switched from "Planned" to "Implemented" and the current date entered.
To provide evidence that the work was completed, the IT specialist uploads the policy document, a screenshot, a group policy export or other configuration settings (under "Manage Documents"). These documents are restricted to authorized users of this tool only.
Now the task can be reassigned back to the compliance officer to verify the implementation of that control and mark it as either passed or failed. When the task is reassigned, it disappears from the admin's action items. The compliance officer examines the information and evidence provided by the IT pro and, after a satisfactory review, changes the status to "Passed". On the dashboard, the change will be visible not only for the GDPR control that was acted upon, but also for the NIST and three ISO controls connected with it.
All the valuable information discussed above can be exported to a single report. It will contain implementation details and test plans for all controls, as well as the evidence you have uploaded. This document can be shown to your external or internal auditors or regulators to demonstrate end-to-end compliance on top of Microsoft Cloud.
How are permissions managed?
Initially, any user in a cloud tenant has access to this tool. There is no tenant data in it before the organization adds information or uploads evidence. Nor does it have any connection to the tenant's security configuration, and it cannot detect anything in the tenant's environment. Organizations can assign five permission roles by clicking "Settings". Once users are assigned a role, the initial permissions are removed and they can act only according to their new role.
It is surely worth expanding your staff with one more Compliance Manager, but a digital one. This tool is a great assistant and adviser; it won't do the work for you, but it will make the work "weightless" by providing all the necessary information, instructions and a place for fruitful collaboration between the employees involved in the compliance process. So, use it for your own benefit!