In my last blog I provided some insights into the Microsoft Service Trust Portal and Compliance Manager. In this blog I want to dig a bit deeper into the Compliance Manager Assessments. As we know, Assessments apply to one of the Microsoft cloud services and either a standard (for example ISO-27001-2013) or a regulation (for example GDPR). The Compliance Manager dashboard shows a snapshot of all current Assessments. As you can see from the below image, a compliance score is provided against these Assessments to provide an overview of your organisation’s compliance posture.
Figure 1 – Compliance Manager Dashboard (Image Credit: Microsoft)
When you open an assessment, you are shown the Microsoft cloud services that are covered by the assessment and the Microsoft Managed Controls and Customer Managed Controls. So, what are these Managed Controls you may ask? Good question. Microsoft the Managed Controls sections to provide detailed information on the standard or regulation covered by the assessment. If we look at the afor the Office 365 Microsoft service and the GDPR regulation (Let’s pick something making the news right now!), we can see that the controls assessed are divided into five areas. This is the same for both the Microsoft Managed Controls and the Customer Managed Controls.
Figure 2 – Compliance Manager Assessment (Image Credit: Dan Snape)
For the Microsoft Managed Controls, expanding an area shows which articles in the GDPR legislation the control applies to, how Microsoft complies with that control and information on compliance auditing, including how the control is tested, when the test occurred and who did the testing.
Figure 3 – Microsoft Managed Control (Image Credit: Dan Snape)
The Customer Managed Controls section is similar but you need to do a lot of the heavy lifting – Microsoft doesn’t do the compliance work for you.. Looking again at the Office 365 GDPR Assessment, you’ll see similar information on the control and details of the GDPR articles to which the control applies but here you need to add the information on how your organisation implements the control and validates that implementation.
Figure 4 – Customer Managed Control (Image Credit: Dan Snape)
The Customer Actions section is where this tool is worth its weight in gold. By using plain English to describe the intent of the control and the actions your organisation needs to take, you are provided a simple set of compliance actions without having to wade through mountains of legislation or standards documentation. As you work through the Customer Managed Controls, you update the current status and implementation date, set the details of any test results and the date the tests were performed and upload any appropriate documents, increasing your organisation’s compliance score as you go. You can even assign the control to other people in your organisation so that they manage the end to end process for that control.
When the auditors, regulators, senior management, or any other risk and compliance stakeholders in your organisation come knocking on your door, Compliance Manager includes an Excel export feature that enables you to create reports on the assessment details. You can also include all the supporting documentation that has been uploaded for controls in the reports.
In summary, with the afeature of Compliance Manager, you get instructions on how to go about complying with the a, be it a piece of legislation or a standard, as well as a portal to track compliance, including storing any related documentation. But don’t forget the fine print: Microsoft will not legally guarantee compliance if you follow their instructions, so seek legal advice if you need to. As always, please feel free to reach out if you have any questions or need some assistance.
Want these insights delivered straight to your inbox?
Enter your details to join Insentragram
ABOUT THE AUTHOR
Consultant, Cloud and Collaboration | Insentra
As a Solution Architect with almost 20 years experience in IT, I currently design and implement virtualised and cloud based solutions for our government and enterprise customers.
After starting out supporting end users in 1997, I made the progression to systems and server administration. In 2005, while working with one of IBM’s largest worldwide customers, I assisted with their first foray into virtualisation using VMware products. As a result of my early interest in virtualisation technology, I have become one of CGI Australia’s knowledge leaders in this space.
As virtualisation technology vendors transform their businesses to focus increasingly on cloud-based and hybrid models, I currently work with our customers to advise and assist them with design, implementation and migration strategies, focusing on Microsoft and VMware technologies.