Can you comply? Here are the top 10 areas for compliance in Microsoft 365
Compliance is among the toughest challenges for businesses in the digital age. Aside from existing federal and industry-specific compliance standards, new global regulations are being instated. As we’re seeing with preparation for General Data Protection Regulation (GDPR), which goes into effect May 25th, 2018, regulations are challenging to navigate and generally hard to follow.
What does compliance mean?
Essentially, compliance means you are following the law and the industry- or company-set standards and regulations. Why is this important? Consistent handling of data, easier audits, better mitigation handling, security, privacy, and more.
In the past, businesses have largely left compliance up to their legal team, allowing companies to set it and forget it. However, in the age of digital transformation, this tactic won’t cut it. Why is compliance so challenging? It goes far beyond filling out paperwork now. Many companies have disparate data scattered across multiple locations, much of which is unknown to them. When you have to start storing different types of data in compliance with varying standards, this can prove a challenge.
Microsoft has designed the Microsoft 365 suite to help customers stay in control of aligning their business with the obligations of global, regional, and industry standards. To ensure that you stay up to date with evolving industry standards, Microsoft has formed a specialist compliance team that continuously tracks standards and regulations to develop common control sets to build into the service.
Microsoft’s Top 10 Areas of Compliance
Here is a list of Microsoft’s Top 10 compliance areas of Microsoft 365 and how the package helps partners and customers follow obligations under each area (If you want to learn more about GDPR, go here!):
- Data processing terms
Microsoft provides customers with additional contractual assurances through its data processing terms regarding Microsoft’s handling and safeguarding of customer data. Agreeing to those terms commits Microsoft to over forty specific security commitments collected from regulations worldwide. The commitments in the data processing terms are available to customers by default.
- Federal Information Security Management Act (FISMA)
FISMA requires US federal agencies to develop, document, and implement controls to secure their information and information systems. The Federal Risk and Authorization Management Program (FedRAMP) is a federal risk management program that provides a standardized approach for assessing and monitoring the security of cloud products and services.
- Health Insurance Portability and Accountability Act (HIPAA)
Regarding the processing of electronic protected health information, Microsoft 365 provides physical, administrative, and technical safeguards to help customers comply with HIPAA.
- ISO 27001
One of the best security benchmarks available to the world. Many Office 365 products have been verified to meet the rigorous set of physical, logical, process, and management controls defined by ISO 27001:2013. The most recent audit also includes the ISO 27018 privacy controls. Inclusion of these new ISO 27018 controls in the ISO assessment will further help Office 365 validate to customers the level of protection it provides for the privacy of customer data.
- European Union (EU) Model Clauses
The EU Data Protection Directive, a key instrument of EU privacy and human rights law, requires our customers in the EU to legitimize the transfer of personal data outside of the EU. The EU model clauses are recognized as a preferred method for legitimizing the transfer of personal data outside the EU for cloud computing environments. Meeting this directive involves investing in and building the operational controls and processes required to meet the exacting requirements of the EU model clauses. Unless a cloud service provider is willing to agree to the EU model clauses, a customer might lack confidence that it can comply with the EU Data Protection Directive’s requirements for the transfer of personal data from the EU to jurisdictions that do not provide “adequate protection” for personal data.
- ISO 27018
Microsoft is the first major cloud service provider to be independently verified as complying with ISO 27018, which establishes a uniform, international approach to protecting the privacy of personal information stored in the cloud. Microsoft’s compliance with ISO 27018 means that it only processes personal information in accordance with customer instructions, it is transparent about what happens to customer data, it provides strong security protections for personal information in the cloud, customer data will not be used for advertising, and it informs customers about government access to their data.
- Family Educational Rights and Privacy Act (FERPA)
FERPA imposes requirements on US educational organizations regarding the use or disclosure of student education records, including email and attachments. Microsoft agrees to the use and disclosure restrictions imposed by FERPA that limit its use of student education records, including agreeing not to scan emails or documents for advertising purposes.
- Statement on Standards for Attestation Engagements No. 16 (SSAE 16)
Microsoft has been audited by independent third parties and can provide SSAE 16 SOC 1 Type I and Type II and SOC 2 Type II reports on how the service implements controls.
- Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act requires financial institutions to put processes in place to protect their clients’ nonpublic personal information. GLBA enforces policies to protect that information from foreseeable threats to security and data integrity. Customers subject to GLBA can use Office 365 and comply with GLBA requirements.
- Health Information Trust Alliance (HITRUST)
The Office 365 team, in partnership with an independent assessor, has completed an assessment to evaluate its compliance with HITRUST. Viewed as an important standard by US healthcare organizations, HITRUST has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store, or exchange personal health and financial information.
Microsoft 365 addresses all of these compliance standards and regulations along with a litany of others. Using Data Loss Prevention (DLP), Azure Information Protection, default policies, and the Compliance Center, Microsoft 365 partners and customers can stay compliant more easily. Stay tuned for updates on accessing and enabling these features.
To learn more about how the Microsoft 365 suite provides you with the tools necessary for compliance with standards and regulations, you can sign up for our Microsoft 365 Security courses for an in-depth look at products and features.
CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting-edge cyber security training. Our training provides the most in-demand industry certification prep courses, including EC-Council, CompTIA, (ISC)2, and Cisco, all taught by leading cyber security experts. All of our offerings are aligned with the National Initiative for Cybersecurity Education (NICE) and ensure the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses a bite-sized micro-learning methodology that ensures learners are not overwhelmed with information. The on-demand LMS platform has white-label capabilities ideal for internal training purposes.