
    Facilitate Your Compliance Work with a New Tool from Microsoft

    #cloud security, #microsoft 365, #office 365 tenant, #Office 365

    In day-to-day life, company compliance is a necessary evil. According to research, there are more than 200 updates from 750 regulatory bodies every day – a huge burden for employees to stay up-to-date with all these changes. Even when compliance and privacy officers know the legal guidelines and internal policies well enough, they don't know which technology solutions can help them meet the conditions. On the other hand, IT professionals know about the technology and how to use features like Data Loss Prevention and e-Discovery, but they don't know how to go about managing these features and compliance regulations.

    The lack of connection between the Compliance and IT departments is another barrier for successful work. In the meantime, it is still not enough just to understand the rules and bring your environment into accordance with them; you have to demonstrate results to the auditors. Collecting all this data for the report is quite a challenge and a very time-consuming process.

    Sound familiar? Don't get stressed out. You are not alone. When you move to the cloud, you enter a territory of shared responsibility between you and your service provider.

    As the picture shows, your degree of responsibility varies and is defined by the services you consume. If you're using something like Microsoft 365 or Dynamics 365, your provider takes care of most compliance requirements. For the rest, a handy tool named Compliance Manager is just the ticket. The picture below shows which services and standards are supported (more are planned to be added):

    What can this tool do for you?

    It is designed to meet all the challenges described above. It can:

    1. Assess a company's risk profile. With a single dashboard, organizations can see multiple assessments and measure their performance with a Compliance Score;
    2. Show how your provider implements the controls under its responsibility and has them tested by independent third-party auditors;
    3. Provide a recommended action plan and step-by-step instructions to take care of customer-managed controls and bring your environment in line with the rules and standards;
    4. Provide one place for all employees responsible for compliance to monitor, assign, annotate, and view each other's actions;
    5. Allow organizations to export highly detailed reports that can then be presented to auditors and regulators.

    Please remember though that this tool is intended to help you, not do the work for you. It only provides recommendations, and following these recommendations is not a guarantee of compliance. You get tools and information to perform self-service risk assessments, but ensuring that your company adheres to legal standards and in-house policies remains your personal responsibility.

    How can you get this tool?

    Compliance Manager can be found on the Service Trust Portal (STP). Let's start with a little navigation around this site. It's a free resource where you can find various documentation, white papers, and instructions that may be helpful in protecting your infrastructure. There is currently a privacy area on this site that explains what GDPR is and what you can do to enforce effective data rights management strategies and become GDPR compliant. STP has also started highlighting very good external resources concerning compliance, so you will surely find it useful.

    To access Compliance Manager, you will have to log in to your cloud services or create a trial tenant; either way you get this tool very quickly and completely free of charge.

    When may this be useful to you?

    There are different cases when this tool can be applicable:

    1. When you are doing your due diligence and evaluating Microsoft Cloud against other cloud service providers, information from STP helps you understand how Microsoft Cloud will support your security and risk policies.
    2. Once you have moved to the cloud, this tool will help you protect your data and stay compliant.
    3. If you are in a regulated industry, you get a one-stop portal where you can find all the information you need to perform your annual risk assessment.
    4. If you are renewing your cloud services and want to understand how Microsoft Cloud can continue to support your industry and regional needs, you will find that information on STP as well.

    See Compliance Manager in action

    This tool allows you to create assessments. Some of them are already there, but you can continue to create more tiles on the dashboard to evaluate the regulations that matter to you, your region, and your industry. Simply click "Add assessment" and use an existing group or create a new one and enter its name.

    Then you can select whether you need data from your existing group. Let's say in 2017 you created an assessment, and you have collected all the results and test plans. You can copy all the test plans and evidence that you have gathered and carry them over into your next year's assessment so you don't have to recreate them. Simply upload them into your new assessment.

    Once you copy the existing assessment, you'll be asked which Microsoft product you want to evaluate (in this example, we are going to select Microsoft 365) against what certification (we will choose HIPAA).

    When you are done, a new tile appears on the dashboard.

    The group tile you created shows 65 actions implemented by the service provider and 36 actions recommended to the organization. Each of these is scored, and the score signifies that out of the 495 total HIPAA score, thanks to your provider, you have already achieved a score of 308. Now if you take the remaining 36 actions, you are going to get the full score. This score indicates how close or how far you are from being compliant with the particular regulation.

    What does the assessment reveal?

    When you click on, for example, the "Office 365-GDPR" tile, you can find a lot of valuable materials inside. The first part displays all the services compliant with GDPR (this list will be different for various assessments).

    It is followed by the provider's part of compliance work, with a very detailed description of what was implemented and how it was examined by independent third-party auditors.

    What about your responsibility?

    The last section provides not only a description of a rule, but also actions you can take and Microsoft Cloud features that can be employed to implement it and become compliant with it. For example, let's take the control for securing application services on public networks. This control maps to Article 32(1)(a) and Article 5(1)(f) of the GDPR requirements, but the actions you take for this control also let you comply with five other certifications and get a score across all of them. This coordination is possible thanks to a single control framework and is intended to minimize the amount of work you need to do across all the standards.

    As you drill down further, you will see the detailed customer actions mentioned above that your organization is recommended to take to satisfy these control requirements. Customer actions fall into two distinct categories:

    1. Procedural actions (explaining what the responsibility is for the organization);
    2. Technical configuration involving various Microsoft Cloud features (with links to satisfy your curiosity on how to implement certain controls, for example, Microsoft 365 message encryption for GDPR control, which we discuss here).

    What can you do to become compliant?

    After your privacy officer goes through this information, he/she can take decisive actions and assign this control to your tenant admin or security operation folks. Priority can be selected, and that's very useful when you're assigning multiple tasks to the same people and you want to give them a heads-up as to which ones are more important. Priority can be chosen either based on a compliance score that guides you and gives you a baseline to prioritize what control you need to implement first or based on your company's risk profile.

    Once the privacy officer selects the priority, leaves his/her notes, and hits "Assign," an e-mail is sent to your tenant admin or security operations person.

    The e-mail contains a link to Compliance Manager, and after authentication the IT specialist will see the scope of work he/she needs to complete. The IT specialist's actions could vary from implementing and reviewing business policies to implementing and configuring technology features within the cloud. Once the assignment is done, the status can be switched from "Planned" to "Implemented" and the current date entered.

    To provide evidence that the work was completed, the IT specialist uploads the policy document, a screenshot, a group policy export, or some other configuration setting (under "Manage Documents"). These documents are restricted to only authorized users of this tool.

    Now the task can be reassigned back to the compliance officer to verify the implementation of that control and mark it as either passed or failed. When the task is reassigned, it will disappear from the admin's action items. The compliance officer examines the information and evidence provided by the IT pro and after a satisfactory review, changes the status to "passed." On the dashboard, changes will be visible not only for the GDPR control that was actioned upon, but for NIST and three ISO controls connected with it as well.
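    The single control framework described above (one customer action mapped to GDPR, NIST and ISO controls) and the Planned/Implemented/passed workflow can be modelled in a few lines. This is an added illustration, not Compliance Manager's own data model; the point values, the NIST and ISO control ids and the evidence file name are constructed, while the GDPR articles are the ones named in the text.

```python
from dataclasses import dataclass, field

# Toy model of one control framework shared by several assessments.
# Constructed for illustration; not Compliance Manager's own data model.
# Point values and the NIST/ISO control ids below are made up.

@dataclass
class CustomerAction:
    name: str
    points: int
    controls: dict              # standard -> control ids this action satisfies
    status: str = "Planned"     # Planned -> Implemented -> passed / failed
    evidence: list = field(default_factory=list)

def implement(action, evidence_doc):
    """IT specialist completes the work and uploads evidence (Manage Documents)."""
    action.evidence.append(evidence_doc)
    action.status = "Implemented"

def review(action, passed):
    """Compliance officer verifies the evidence and marks passed or failed."""
    if action.status != "Implemented":
        raise ValueError("only implemented actions can be reviewed")
    if passed and not action.evidence:
        raise ValueError("evidence is required before marking passed")
    action.status = "passed" if passed else "failed"

def assessment_score(actions, standard, provider_points):
    """Provider-managed points count from the start; customer points only once passed."""
    return provider_points + sum(a.points for a in actions
                                 if standard in a.controls and a.status == "passed")

def assessments_touched(action):
    """Every assessment whose score moves when this one action changes status."""
    return sorted(action.controls)

# Constructed sample: one customer action mapped into GDPR, NIST and ISO assessments.
SECURE_APPS = CustomerAction(
    "Secure application services on public networks", 10,
    {"GDPR": ["Article 32(1)(a)", "Article 5(1)(f)"],
     "NIST": ["example-nist-control"],
     "ISO": ["example-iso-1", "example-iso-2", "example-iso-3"]})
ACTIONS = [SECURE_APPS]

def demo():
    before = assessment_score(ACTIONS, "GDPR", provider_points=100)
    implement(SECURE_APPS, "firewall-policy-export.txt")   # constructed evidence name
    review(SECURE_APPS, passed=True)
    after = assessment_score(ACTIONS, "GDPR", provider_points=100)
    return before, after, assessments_touched(SECURE_APPS)
```

    Running `demo()` shows the GDPR score rising only after the officer marks the action passed, and lists every other assessment that moves with it.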

    Reporting

    All this valuable information that was discussed above can be exported to a single report. It will contain implementation details and test plans for all controls, as well as the evidence that you have uploaded. This enlightening document can be shown to your external or internal auditors or regulators to demonstrate end-to-end compliance on top of Microsoft Cloud.

    How are the permissions managed?

    At the outset, any user in a cloud tenant has access to this tool. There's no tenant data there before organizations add any information or upload evidence. Neither does it have any connection to the tenant's security configuration and cannot detect things in the tenant's environment. Organizations can assign five permission roles by clicking "Settings." After users are designated with the role, the initial permissions are removed and they can act only according to the new role.

    Conclusion

    It is surely worth adding one more compliance manager to your staff, but a digital one. This tool is a great assistant and adviser; it won't do the work for you, but it will make the work "weightless" by providing all the necessary information, instructions, and a place for fruitful collaboration among the employees involved in the compliance process. So, use it for your own benefit!

    2019-02-28
