Many of the biggest risks in cloud usage have to do with compliance requirements. The penalties for being lax about privacy, security, and data protection include huge fines and the loss of business privileges. Businesses working with information covered by enforced standards and regulations need constantly updated assessments of how well they are complying and what actions they need to take.
Microsoft Compliance Manager makes it easier for organizations using services such as Office 365 to assess their risk level under applicable regulations and standards. It provides a workflow for defining controls, identifying required actions, and measuring the state of compliance.
What Does Microsoft Compliance Manager Do?
By using Compliance Manager, you can manage the information to measure compliance through a central dashboard and obtain information confirming progress and identifying issues.
It measures the level of compliance for of each assessment you define, giving an overall score as well as identifying specific concerns. It uses the shared responsibility model for Microsoft cloud services. However, some issues are the user’s responsibility, some are up to the cloud provider, and others require both parties to take responsibility. The controls which ensure compliance need to reflect that division.
Managing compliance in a network means addressing many competing demands for attention. The dashboard lets the operator view standards, regulations, assessments, and test results from one place. Thus, this lets you prioritize issues and decide which ones need urgent attention.
Compliance Manager supports assigning actions and roles to users, with authorizations limited to what is necessary. Large teams can work together on assessments while minimizing the chances of unapproved changes or information leaks.
Organizations working with sensitive information need to pay constant attention to compliance requirements. Ones that fall under HIPAA and ITAR face severe penalties if they’re found negligent. Anyone handling credit card payments needs to conform to PCI requirements. Companies that do business in Europe need to pay attention to GDPR. Compliance Manager allows a separate assessment for each requirement, however many are needed.
The Components of a Compliance Manager
Microsoft Compliance Manager creates workflows out of components that define units of information and action. Knowing what the components are and what they do is the first step in understanding how the system works. After all, they form a hierarchy, with assessments packaging controls and action items together, and groups keeping related assessments in a set.
A control describes an integrated set of actions and procedures for managing an activity associated with a standard. It typically includes multiple actions, which different people may be responsible for.
Microsoft defines a set of controls for each of its cloud services. Other controls are customer-managed, and your organization has the responsibility for carrying them out. Further, shared controls are partially Microsoft’s responsibility and partially your organization’s. Lastly, customer-managed controls include workflow management functionality.
Related controls are organized into families. A family is usually built around a particular regulation or standard. Authorized users can call up a family to work with it as a set. In fact, all controls have certain descriptive fields:
- Control ID: The control’s name, taken from the corresponding regulation or standard.
- Control title: The title of the control, taken from the same place.
- Article ID: This field is used just for GDPR controls and identifies the applicable GDPR article number.
- Descriptive text: This provides a more detailed explanation. Where the text can’t be included for copyright reasons, the field contains a link.
Controls are components of an assessment, which specifies the actions necessary to comply with a particular standard. Assessments are automatically generated for Office 365 compliance with IOS 27001, NIST 800-53, and GDPR. Likewise, functionally is an assessment is a container for controls.
Each assessment specifies the set of Microsoft services to which it applies and includes the controls applicable to them. It holds the current assessment score, which is based on the status of its controls. As controls are implemented, the score will go up. Indeed, examining the status of each control in an assessment shows how far along compliance is and what remains to be done.
An assessment can be exported to an Excel file for inclusion in reports and informational updates.
The next level up in the hierarchy is the group, which is a container for organizing assessments. Groups can be organized by any criteria, including the business structure, time period, set of standards applied, or anything else. Furthermore, assessments in a group can share workflow tasks and control-related information. Updates to information on the a control’s implementation, testing, and status will automatically be synchronized to all assessments in a group which share that control.
Groups are created by assigning an assessment to a new group. They can’t be created independently of an assessment. The assignment of an assessment to a group is permanent until it is archived.
Customer-managed controls include action items, which must be completed for the control to be fulfilled. They are assigned to users, and more than one person may be involved in the same item. For example, one person could be responsible for carrying out the action and another for testing the implementation. However, each item has just one owner.
What a user can do with an action item depends on the assigned role.
Assessments and action items can have metadata called “dimensions,” in the form of key-value pairs. Some dimensions, such as “action type,” are pre-defined. The user can define other dimensions or modify existing ones. Each action has a scoring value which contributes to the compliance score when completed.
Documents can be uploaded in the Compliance Manager, as evidence that controls and action items have been completed. They can include screenshots, other images, reports of actions taken, script output, and logs. For instance, business associate agreements will help to document HIPAA/HITECH compliance. They are securely stored in Microsoft Cloud Storage in the United States, with backup in other regions. An exported assessment includes links to the pertinent documents. Archived assessments don’t retain these links, since the documents may not remain available indefinitely.
Roles and Permissions
Many users are involved in achieving compliance, and they have varying levels of trust and responsibility. Giving everyone administrative privileges would make the system insecure, even if they’re all individually trustworthy. Microsoft Compliance Manager supports role-based access, but it has to be set up. By default, all users have access. Microsoft personnel never have access unless the organization specifically assigns it.
Once role-based access is enabled, all new users have guest access unless assigned more than that. It’s important to assign users to roles, because a role’s restrictions take effect only when someone is assigned that role. (This avoids inadvertently locking everyone out of a capability.) For example, if no one has been assigned the role which allows reading assessment data, then all users can read it.
Using a template makes it easier to set up an assessment. Pre-configured templates are included with the Compliance Manager for widely used standards. Additionally, new templates can be created by modifying existing ones or by importing information through a spreadsheet. The following templates are included:
- ISO 27001
- ISO 27018
- NIST 800-53
- NIST 800-171
- Cybersecurity Framework
- CSA Cloud Control Matrix
- FFIEC Information Security Booklet
- HIPAA and HITECH
- FedRAMP Moderate
Each template defines a set of controls and action items for a given product under a particular standard or regulation.
The Compliance Score
Each assessment carries a compliance score, which will change as controls are implemented and action items carried out. The score indicates the extent to which the included controls are adopted. Each control is worth a certain number of points, which are added to the score when it is implemented. A control’s points are an all-or-nothing contribution; there’s no partial credit.
The compliance score is integrated with Microsoft Secure Score. Action items can individually be configured for synchronization with Secure Score. When associated security features are activated in accordance with a synchronized action item, Secure Score notifies Compliance Manager, which adds the points to the compliance score.
Of course, a high score doesn’t guarantee anything in itself. Being compliant depends on actions and results. A high score is a valuable indicator to the extent that the assessment includes a complete set of controls and they are scored accurately.
Learn More About a Compliance Manager
Microsoft’s cloud services make many things easier, but businesses that use them bear the responsibility of protecting sensitive data and keeping their accounts secure. Sharing information through Microsoft Teams is a major help to collaboration, but it’s important to follow all applicable standards to maintain security and privacy. The same applies to all cloud services.
In the United States, state privacy laws such as the California Consumer Privacy Act are taking on growing importance. International regulations such as GDPR affect everyone who does wide-ranging business.
If you need CMMC or NIST 800-171 compliance, AgileAdvisor is a full cloud compliance service for Microsoft 365.
Using Microsoft Compliance Manager adds a very useful tool to the kit which lets you ensure that your organization’s cloud security and privacy practices live up to all applicable requirements. To learn how we can help you succeed in the cloud, contact us today.