microsoft, office 365, privacy and compliance | 2016/02/08 at 12:40am

How to assess security, compliance and privacy capabilities in Office 365

We are committed to providing our customers with best practice IT solutions and transparency for these solutions.

In keeping with Insync Technology's and Microsoft's commitment to provide our customers the utmost transparency, we wanted to share this detailed overview of how Office 365 controls map to the security, privacy, compliance and risk management controls defined in the Cloud Security Alliance Cloud Control Matrix (CSA CCM).

About CSA

The Cloud Security Alliance (CSA) is a nonprofit organization led by a broad coalition of industry practitioners, associations, governments and corporate and individual members who are dedicated to defining and raising awareness of best practices that help ensure a secure cloud computing environment. The CSA CCM Security, Trust & Assurance Registry (STAR) is considered the gold standard while performing risk assessment and due diligence against cloud service providers. As part of its efforts to provide customers with in-depth insights into its security, compliance and privacy controls, Microsoft regularly publishes self-assessments of Microsoft Azure, Microsoft Dynamics CRM Online and Office 365.

The CCM details operational concepts and principles relating to security and privacy that span 16 IT operational domains (shown below). The mapping document clearly demonstrates how the Office 365 controls address the CSA operational concepts and recommendations as noted below. We hope this helps you efficiently perform your Office 365 due diligence when evaluating Office 365, onboarding Office 365 or renewing your subscriptions.

CSA CCM — IT cloud domains
  • Application and interface security
  • Audit assurance and compliance
  • Business continuity management and operational resilience
  • Change control and configuration management
  • Datacenter security
  • Data security and information lifecycle management
  • Encryption and key management
  • Governance and risk management
  • Human resources
  • Identity and access management
  • Infrastructure and virtualization security
  • Interoperability and portability
  • Mobile security
  • Threat and vulnerability management
  • Supply chain management, transparency and accountability
  • Security incident management, eDiscovery and cloud forensics

The CCM standardizes security and operational risk management controls and procedures and seeks to normalize security expectations, cloud taxonomies and terminologies, as well as generally improve security measures implemented in the cloud. The CCM responses included in the document also align with Microsoft’s ISO 27001, 27018 and SOC attestations and are scoped to the following Office 365 services that are hosted in Microsoft datacenters:

  • Exchange Online
  • Exchange Online Protection
  • SharePoint Online including OneDrive for Business
  • Skype for Business
  • Office Online
  • Office Services Infrastructure
  • Suite User Experience
  • Domain Name Service
  • Security Workload Environment

You can download the document at Office 365 Mapping of Cloud Security Alliance Cloud Control Matrix. If you are interested in more in-depth security, compliance and privacy-related information about Microsoft Cloud Services (Office 365, Microsoft Azure and Microsoft Dynamics CRM Online), sign in to the Service Trust Portal—onboarding instructions for the Service Trust Portal are at O365 Service Trust.

If you would like assistance in understanding the security, compliance or privacy capabilities in any Microsoft product, please feel free to contact us for more information.

The post How to assess security, compliance and privacy capabilities in Office 365 appeared first on Office Blogs