>> Hi, everyone.
My name is Om Vaiti and I am
a Principal Program Manager on
the Office 365 Engineering Team.
And I lead the development of
the Service Trust Portal and Compliance Manager.
>> Hi, I'm Scott Schnoll,
Senior Program Manager in the Office
365 customer experience team,
and I led the development of
the Microsoft information and customer guidance
in Compliance Manager.
In this video, we are going to cover
the key capabilities of Compliance Manager,
how we calculate compliance score
and then show you a demo of the product.
After this session you'll know how
to use Compliance Manager to
simplify and streamline
your regulatory compliance processes.
>> Let's start with the pain points in this area.
As we discussed in the first video in this series,
the overall compliance journey is
a process that starts with understanding regulations
and continues through to
demonstrating compliance to auditors.
There are three pain points
we would like to highlight here.
According to research, there are
more than 200 updates from
750 regulatory bodies every day.
It's such a big burden on
compliance professionals to stay
up-to-date for all these changes.
And even when they can track all these changes,
sometimes they don't have enough knowledge to
define internal controls and meet these requirements.
Based on the research, 65 percent
of companies see designing and implementing
internal controls as one of the biggest hurdles
to achieving GDPR and other regulatory compliance.
Most of the time, compliance officers and
privacy officers know the regulations and standards well,
but they don't know which technology solutions
can help them to meet the requirements.
On the other hand, IT
professionals know about the technology.
They know how to use features like
Data Loss Prevention and Discovery,
but they don't know how to go
about managing those features and regulations.
So there is also a lack of connection
between the Compliance and IT departments.
The last pain point I want to highlight
here is that companies are spending
a lot of time creating and amending
reports to demonstrate their compliance
posture to their auditors.
From the research, we see that more than 30 percent of
companies spend more than four hours
a week working on reporting.
It is very time consuming.
>> Yeah. We've spoken with a lot of
customers at length about these challenges.
And in response, we've released
a Microsoft cloud solution to help
organizations simplify their compliance journey.
And it's called Compliance Manager.
Compliance Manager is now available for Azure,
Dynamics 365, and
Office 365 Business and Enterprise subscribers.
It enables organizations to
manage their compliance activities
in one place and provides three key capabilities.
The first is ongoing risk assessment.
With a single dashboard,
organizations can see multiple assessments and measure
the compliance performance for
a cloud service against a regulation and standard.
Now, since the cloud uses a shared responsibility model,
we'll show you the control implementation progress
for both Microsoft and the customer.
For each assessment, you'll
also get a compliance score.
Om, tell us more about how
we calculate the compliance score.
>> Sure. The compliance score is a risk-based score.
It is assigned based on the level of risk
involved due to a non-compliance or control failure.
For each of the controls within an assessment,
we assign a score
between 1 and 10 based on the essence of the control,
the level of risk under various kinds of threat,
and whether there is an external driver for that control.
The overall compliance score for an assessment is
the accumulation of possible points
for each control in the assessment.
The compliance score consists of the number of
points that you receive by
implementing Customer Managed Controls
out of total number of
possible points if all managed
controls in an assessment are implemented.
Note that all possible points for
the Microsoft Managed Controls are
already applied to the Compliance Score
because those controls have been both implemented
and independently tested for
all Microsoft Cloud Services.
For the first part, essence of the control,
we characterize each control in
six types based on whether it
is mandatory or discretionary
and whether it is preventative,
detective, or corrective control.
Mandatory controls are the controls
that users can bypass.
For example, once we design a password policy,
users need to follow the policy and can't ignore it.
Discretionary controls, on the other hand,
are those which rely on users to be accountable.
For instance, companies can encourage employees to lock
their screens when they are not at
their desk or not in front of their laptop,
but users can bypass the control if they
don't pay enough attention to this control.
For the other dimension of essence of control,
we categorize each control by whether it prevents,
detects, or corrects failures or incidents.
For example, protecting information
at rest with encryption is
a preventative control to
protect data from attackers and breaches.
Information system monitoring is
a detective control to monitor the system.
Privacy incident response is a corrective control to
recover the system back
to the operational state after impact.
We categorize each of the controls into six categories
and assign the level of risk based
on the table on the right-hand side that you see here.
For the second part of the score,
we assign the level of risk based
on the related threats for each control.
A threat can affect three things in our system:
the confidentiality of information stored in the system,
the integrity of information,
and finally, the availability
of the network or the service.
There are four kinds of threats:
malicious threats initiated by internal employees,
accidental threats caused by internal employee actions,
malicious threats initiated by external attackers,
and threats caused by accidental actions
taken by external users or customers.
We assign a level of risk to each threat scenario for
each control due to
either a non-compliance or a control failure.
The last part of the compliance score
is about external drivers.
We assign a level of risk based
on whether we have a legal obligation,
a compliance obligation, or a public commitment
for the content of each control.
This one is more for Microsoft Managed Controls.
Considering the essence of
the control, the threat scenarios
and the effects, as well as external drivers,
we calculate the score for each control.
The Compliance Score helps organizations gain
visibility into their compliance performance
with a risk-based score.
And thus, they can prioritize
control implementation and better plan
to achieve organizational compliance.
It will also give them the ability
to prioritize any control failures.
So you can ensure that if you have ten failures,
you will be able to prioritize
which failures you need to fix first.
>> Thanks, Om. That was a great discussion
of the details of Compliance Score.
Next, I'd like to talk about
the actionable insights within Compliance Manager.
This is where Microsoft provides organizations with
detailed information about how we
have implemented controls under our responsibility and
how they were tested by independent third party auditors.
We also provide organizations
with recommended actions and step by
step guidance on how they can
implement the controls managed by the organization.
Compliance Manager helps organizations
build the connections between
Microsoft's Data Protection Solutions
and the regulatory requirements that matter.
These solutions can be found in
the Office 365 Security Compliance Center,
the Azure Security Center,
and the Windows Defender Security
Center among other places.
Now, the primary benefit of
Compliance Manager is to simplify compliance.
We provide organizations with a dashboard with
rich information and we give them tools to assign,
track, and record their compliance activities.
After implementing controls, organizations
can export richly detailed reports of
the information and evidence they upload
into Compliance Manager and they can use
those reports to demonstrate
compliance activities to auditors and regulators.
Please remember though that Compliance Manager
only provides recommendations.
Following Microsoft's recommendations is
not a guarantee of compliance,
but Compliance Manager provides tools and information and
enables organizations to
perform self-service risk assessments.
Organizations are responsible for
evaluating and validating
their own control and implementation.
>> Thank you Scott for introducing
the key capabilities of Compliance Manager.
To help you better understand
how to use Compliance Manager,
let's have a look at our demo environment.
Okay. So let's talk
about how Compliance Manager can really help you.
When you come to STP, you click on the menu item
"Compliance Manager" and when you come
here you will see the Compliance Manager dashboard.
Now for this demo's purposes,
we are going to have a role play: Om,
that is me, will be the compliance officer,
and Scott will be
Allen, the IT pro in our organization.
And we're going to show you how
a compliance officer and Allen,
the IT pro are going to interact with each other,
and quickly make sure that they
can understand what needs to be done for the control,
implement that, and then demonstrate compliance of
that control very easily in a simplified process.
So Om,
as a compliance officer,
comes to the Compliance Manager dashboard,
and he quickly sees that there are
three default Compliance Manager
assessment tiles created for
Office 365 and
two default Compliance Manager assessment
tiles created for Azure.
You will quickly see
that these tiles for Office 365 GDPR,
Office 365 NIST 800-53,
and Office 365 ISO 27001:
2013 already have a score assigned to them.
And this score is coming from Microsoft managed actions,
already implemented by Microsoft and tested by
third party independent auditors.
So for example, for GDPR,
Microsoft has already taken care of
48 out of 48 actions that Microsoft
is responsible for in
the joint responsibility model that we talked about,
and customers are responsible for 61 actions,
and I as a Compliance Officer
will be able to understand what those actions are.
In NIST you would see that Microsoft has taken care of
760 out of 760 actions that are owned by Microsoft,
and only 215 actions need to be taken care of by me as
a Compliance Officer or Scott or Allen as an IT pro.
And the same thing for ISO 27001.
Now let's look at the example of how
you as a Compliance Officer can create a new assessment.
So you go to the Assessments tab,
and over here you have the choice to use
an existing group or to create a new group.
So here we are able to create
a new group called 2018 Assessment US.
Once I create the new group,
I basically get the option:
are you sure you want to
copy data from an existing group?
I can choose to get the copy
from an existing group, which is "Default Group", or not.
In this case I'm going to choose to get the copy of data;
if there are any controls tested,
the control implementation detail, test plan and
management response would be copied to
the new group as a one time activity.
Here I'm going to select "Default Group"
to copy from, and then I
will hit "Next". Now I'm going to
create a new assessment for Office 365.
And for Office 365, we currently have choices
of all these data protection standards
and regulatory compliance standards.
I'm going to select "HIPAA". And
I'm going to select "Add to Dashboard."
Now, you will see that Compliance Manager immediately creates
an assessment tile under the group that
you have defined for Office 365 HIPAA.
And if you look at this standard,
60 actions have already been taken care of by Microsoft,
and the score is showing
the risk-based score that has
accrued because Microsoft
has already taken action for you.
And you also see that there are
36 actions that you need to take.
So that's how you can create new assessments.
You can use the group functionality
within Compliance Manager.
And this functionality you can
use in various different ways:
you can use it for creating
different groups for different business units
that your organization may have,
or you can create different groups for year on
year assessments that you do for a particular standard.
So use the groups functionality, as it is
very flexible and suits your organizational needs.
Now, we are going to take the example of
the Office 365 GDPR assessment tile and kind of
walk you through how you can
use the Compliance Manager assessment.
So when I click "Office 365 GDPR" I get to
see the in-scope cloud services
which are compliant with GDPR.
And you will see the list
change if you choose various different assessments.
For example, for NIST 800-53
you will see a different list of
the particular cloud services that are
compliant with the NIST 800-53 data protection standard.
So this gives you a quick list
of all the services that are compliant with GDPR.
Next you are able to see
all the controls that
Microsoft has implemented and tested.
So for example if you go to
the data protection by
design and by default control area,
you will see that there are
various different controls that are defined here.
And you'll be able to see
the implementation details for that control.
And you will be able to see
the test plan for that particular control.
And this is the exact implementation detail
that was shared with our third party independent auditors.
And this is the exact test plan that was
tested by our third party independent auditors.
And since in some cases the tests go into detail,
you'll be able to click on "read more" and see
all the details around how
the third party independent auditor tested this control.
And then you'll also be able to see the test results,
when that test was performed,
who that test was performed by.
And this detail is used by me as a privacy or
Compliance Officer to perform
a risk assessment on the Microsoft cloud,
in this case Office 365,
getting full transparency and details around how
all the controls that are Microsoft's responsibility are
implemented and tested by
third party independent auditors.
So that's about Microsoft managed controls.
Then, more importantly,
we have started sharing customer managed controls.
These controls are your responsibility
in a joint responsibility model.
And not only are we telling you what
those controls are and which areas those controls are in,
but we are going to show you, for each of those controls,
what exact actions you can take,
and what different Microsoft Cloud
features you can use to
implement and be compliant
with those controls and the requirements.
So for example, I'm going to take control 6.10.1.2,
which is about securing application services
on the public networks.
And this control maps to
Article (32) (1) (a) and Article (5) (1) (f) of GDPR requirements.
And what you're able to see here is that,
even though this control maps to these articles,
the actions that you take for this control
also gives you ability to
satisfy requirements for ISO 27001,
ISO 27018, HIPAA, NIST 800-171 and NIST 800-53.
So based on our internal workings
and the research that we have done over the years,
we can create these mappings by which we are reducing
the amount of work that you need to
do across all of the standards.
So even if you are, at this point,
working to satisfy one particular GDPR control,
you are able to satisfy a bunch of other controls
across these various data protection
and regulatory compliance standards.
So now I know what control it is.
I know which GDPR articles it's mapped to.
If I click on it here,
I will be able to get the detailed customer actions,
and as a compliance officer or privacy officer,
I'm able to go through
the actual detailed customer actions of
what my organization needs to
do to satisfy these control requirements.
And in the customer actions,
we have two distinct categories.
There are some actions which are procedural,
and we have highlighted that here.
And then some actions which are technical configurations,
the actions that you take by
using various Microsoft Cloud features,
and we have highlighted those here.
And what we are trying to do here is
connect the dots
between the various Microsoft Cloud
features that we have made available to you,
and how using those
features you will be able
to satisfy the regulatory requirement.
So as a compliance officer,
I'm able to see this and now I understand that
I have Allen in my organization,
who can actually go and
use these features and configure those features.
So what I'm going to do is that
I'm going to go to the Assign button and I'm going to
assign this control to Allen,
and I'm going to assign a priority.
In this case, I'm going to assign
medium priority and I'm going to add my note
saying "please implement
this control and provide the evidence."
And once I do that and hit the "Assign" button,
an e-mail is sent to Allen
and he's able to
understand what actions he needs to take.
So now what we're going to do is
go and see what e-mail
Allen has received and
what actions Allen is going to take.
>> Let's have a look at Allen's mailbox now.
So as you can see, Allen has received
the message that was sent to him through
the Compliance Manager tool when
Om assigned the task to him. Through the e-mail,
Allen has the ability to click on
"View action item assigned to you",
and when he clicks on that,
it takes him immediately to
the action items dashboard for
him inside Compliance Manager.
And as you saw here, Compliance Manager
requires authentication,
and so Allen has authenticated
using his Azure Active Directory account.
Now once in the action items dashboard,
Allen gets a list of all of
the controls that have been assigned to him.
In this case, there are several controls.
Now you only saw Om assign one control to Allen,
but as mentioned, that
one control is mapped to several other controls.
And although Allen only has one task to do,
once that task has been completed,
and the work has been verified,
all of the mapped controls will
show that they've been completed and
the compliance score will reflect
that they've been scored as a result of those actions.
Now what Allen can do is he can look at the information.
Again we can focus in on just the one control
that he was actually directly assigned by Om.
That would be the GDPR control 6.10.1.2.
Allen has full access to
those customer actions that Om mentioned before,
and he can see not only what
the responsibility is for the organization,
but what Microsoft recommends that
they do to fulfill their responsibility,
and what the step by
step instructions are that are
required for Allen to do those things.
And those things, as Om said,
could vary from implementing and reviewing
business policies to implementing and
configuring technology features within our cloud.
Once Allen has digested
the customer actions and
actually gone and completed the work,
he can go into the implementation details field
and enter the details of what he did.
So as an example,
this action required Allen to
review the organization's data handling standards
policy and standard operating procedures
and verify that it
documents the organization's requirements
for encrypting personal data that they store.
So Allen can enter his information in
the implementation details and that could be anything.
It's up to each customer to determine
how they want to include their implementation details.
Using Microsoft's approach as an example,
what we would do is typically enter something that said.
Now, this is just the implementation details.
What Allen also needs to do is
come up with a way to test this.
And so in this case,
it's a pretty simple thing to do
because all we need to do is,
and again, you can be as brief or as verbose as you like.
Now once Allen has implemented the control,
he'll go ahead and change
the status, which was changed from
"Not Implemented" to "Planned"
when Om assigned it to Allen.
Allen cannot change that status from "Planned" to
"Implemented" and he can
enter the date on which it was implemented.
Now you recall the instructions for
the customer actions, and as part of the test plan,
it requires someone to review the data handling
policy and verify that in
fact, in Section 3 of those pages,
it includes that information.
So to do that, I can simply click on "Manage Documents",
I can then click "Upload",
choose the policy document that I
want or perhaps I'm uploading
a screenshot or maybe a group policy export
or some other configuration settings.
But again, I have the ability to upload
documents and any documents that I do
upload are restricted to
only authorized users of Compliance Manager.
Once I have the document uploaded,
at that point, that's all the work
that Allen needs to do.
So now he can reassign
the task back to the compliance officer to
verify the implementation of
that control and mark it as either passed or failed.
So I can go to Reassign,
I'm going to type in Om's name, and again,
I can select a priority;
that's very useful when you're
assigning multiple tasks to
the same individuals and you want to give them a heads
up as to which ones are more
important to implement first.
Again, I'm going to allow the default of sending
an email notification and then I
can include one more note.
You can see the note that Om put in
here is still here and I can simply
erase that note and enter my own note, which could be:
"Om, I implemented the control.
Please verify using the test plan information."
Once I'm done with that, I can click on "Assign",
and now that task has been assigned back to Om.
And you'll see here in a moment,
that task will disappear from
my action items because it's no longer assigned to me.
>> So now Allen has assigned that task back to me
as a compliance officer, by
doing [inaudible] and uploading the evidence.
So I can go to my action items and
see what various actions are assigned to me.
Now again, you will recall that there is
only one control, but since it is
related to various different controls,
we are showing all these controls assigned to me.
But if I go to my "GDPR" tab, I see that, okay,
this is the control that is assigned to me, and I'm able
to go and look at what
the implementation detail was that was entered
by Allen, and then what
the test plan and the management
response were that he entered.
And I'm also able to go
into "Manage Documents" and see
the actual document evidence that Allen has
uploaded, and after a satisfactory review,
I'm able to come here and assign
a test date and select a test result,
and in this case I'm going to say it passed.
And once I say it passed,
now if I go to my assessment dashboard,
you will see that
not only was the GDPR control
that we actioned upon satisfied, but one
NIST control was also
satisfied by taking the same customer actions,
and three ISO controls
are now satisfied by taking the same customer actions.
So if you see here,
our ability to map
these controls and map the
customer actions that support
the controls across various data protection
and regulatory standards is helping
you to do the minimum work that
you need to do but then get the benefit of [inaudible] that
work across the various controls that we have here.
Now, what we do is that you are able to go and
export all the things that
you have done, and also in that report,
you will see what
Microsoft has done for a particular standard.
So let's assume that you as a customer have
taken care of all the 61 controls that are
your responsibility and Microsoft has taken care
of all the controls that are Microsoft's responsibility.
Now you are able to export this report, which will
directly show you all the details
on Microsoft managed controls,
implementation details as well as
test plans, and customer managed control details.
Again, implementation details
and test plans as you entered them
and the links to the evidence that
you have uploaded, from one single report.
Now you are able to take that report
and give it to your external or internal auditors
or regulators to demonstrate
end to end compliance on top of Microsoft Cloud.
So, that's what we wanted to demo together for your view.
>> In addition to
showing you how to use Compliance Manager,
we also want to ensure that you understand
the permissions model used by Compliance Manager.
By default, any user in
a cloud tenant can access Compliance Manager.
There's no tenant data in Compliance Manager before
organizations add implementation
details or upload evidence.
Compliance Manager doesn't have any connection to
the tenant's security configuration and we
don't have the ability to detect
things in the tenant's environment.
Now organizations can assign
five permissions roles by clicking "Settings".
After users are added to a role,
the default permissions are removed and
only users that have been added to
a role will be able to access
Compliance Manager and perform
the actions allowed by that role.
Readers have view-only permissions.
Contributors can edit all fields
except the test result and last test date.
Assessors can edit all fields.
Administrators can manage assessments including creating,
archiving and deleting assessments
and portal admins can add users to each role.
The Compliance Manager is available today for Azure,
Dynamics 365 and Office
365 Business and Enterprise
subscribers in our public cloud.
It's free for everyone with
a Microsoft Enterprise paid or trial
subscription and it features assessments for
multiple regulations and standards
including NIST 800-171,
NIST 800-53, the GDPR,
ISO 27001, ISO 27018 and HIPAA.
We'll be adding more assessments
in the future based on feedback.
>> Thank you for watching.
We hope you find this helpful.
You can find more resources including blogs,
white papers, supporting documents
and more at the link on this slide.
>> Thanks for your time.