
  • Atle Skjekkeland

Microsoft Compliance Score - simplify compliance and reduce risks

A global enterprise has to comply with thousands of regulatory requirements that affect how it manages data and content. Many of these regulations are complex to understand, and it can be difficult to determine what you actually need to do to ensure compliance. This often ends in analysis paralysis, or in spending a fortune on lawyers and consultants.


Microsoft is introducing a Compliance Score tool that helps you simplify compliance and reduce risk for Microsoft 365 and beyond. The tool comes with pre-configured templates for improving compliance with:

  1. Brazil General Data Protection Law (LGPD)

  2. California Consumer Privacy Act (CCPA) (preview)

  3. Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) 3.0.1

  4. European Union GDPR

  5. Federal Financial Institutions Examination Council (FFIEC) Information Security Booklet

  6. FedRAMP Moderate

  7. HIPAA / HITECH

  8. IRAP / Australian Government ISM (preview)

  9. ISO 27001:2013

  10. ISO 27018:2014

  11. ISO 27701:2019

  12. Microsoft 365 Data Protection Baseline

  13. NIST 800-53 Rev. 4

  14. NIST 800-171

  15. NIST Cybersecurity Framework (CSF)

  16. SOC 1

  17. SOC 2


How does it work? Let me guide you through it based on my first impressions. When you log in to the M365 Compliance Center, you can access a preview of the Compliance Score. This is your custom dashboard: it shows your current score and what needs attention, and guides you to the actions that improve your score and your compliance with the regulations above. The Compliance Score is available for all M365 licenses; you don't need an E5 license to use it.

Your M365 tenant already has a lot of data protection functionality enabled to protect your information. This gives you an initial score, and you can then add assessments to improve your score and compliance. As an example, if you are in the financial services industry, you may want to add the FFIEC assessment. If you operate in Europe, you may want to add the EU GDPR assessment.


Some of the key tools that you have available:


Assessments


Assessments are guided templates that group the actions necessary to meet the requirements of one or more standards, regulations, or laws. As an example, if you complete all actions in the GDPR template, it helps you configure M365 in line with the GDPR requirements.

My impression is that E5 customers will be able to create custom assessments, either against internal policies or standards, or against industry-specific regulations.


Improvement Actions


Each assessment provides you with a list of actions to take to configure M365 to meet the requirements of one or more standards, regulations, or laws.

For each action, you can assign responsibilities and set the implementation status, test status, and test date. You can also filter the actions to better plan your work, e.g. first focus on retention labels, record labels, and label policies to automate records management in SharePoint Online and Teams. You can also upload notes, test approvals, and confirmations.

When you start an action, it takes you to the Compliance Center to make the required configuration. Be aware that some of these actions require the E5 license or the E5 Information Protection and Governance add-on license.
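As an added example (not code from the original post or from Microsoft), the following Security & Compliance PowerShell script performs the kind of improvement action described above: it creates a record label with a seven-year retention period and publishes it to all SharePoint Online sites and Microsoft 365 Groups (which covers Teams-connected sites), so that the same configuration can be scripted, repeated, and documented as evidence. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds a compliance admin role, and the label and policy names are hypothetical.

```powershell
# Added example, not from the original post or from Microsoft.
# Assumptions: ExchangeOnlineManagement module installed, signed-in account has a
# compliance admin role, and the label/policy/account names below are hypothetical.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

$labelName  = "Financial Records - 7 Years"
$policyName = "Records - Financial"

# 1. Create a retention label that declares content a record: labelled items cannot
#    be edited or deleted while retained, and are deleted 2555 days (7 years) after
#    creation. Creation is skipped if a label with this name already exists, so the
#    script is safe to re-run.
$label = Get-ComplianceTag -Identity $labelName -ErrorAction SilentlyContinue
if (-not $label) {
    $label = New-ComplianceTag -Name $labelName `
        -Comment "Retain financial records 7 years from creation, then delete" `
        -IsRecordLabel $true `
        -RetentionAction KeepAndDelete `
        -RetentionDuration 2555 `
        -RetentionType CreationAgeInDays
}

# 2. Create a label policy scoped to all SharePoint sites and all Microsoft 365 Groups.
#    For a pilot, replace "All" with specific site URLs or group addresses.
$policy = Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-RetentionCompliancePolicy -Name $policyName `
        -SharePointLocation All `
        -ModernGroupLocation All
}

# 3. Publish the label through the policy so users (or auto-apply rules) can apply it.
New-RetentionComplianceRule -Policy $policyName -PublishComplianceTag $labelName

# 4. Read back what was published; export this output as the test evidence you attach
#    to the improvement action in Compliance Score.
Get-RetentionComplianceRule -Policy $policyName |
    Select-Object Name, PublishComplianceTag
```

Two caveats a practitioner will want: a label created with `-IsRecordLabel $true` cannot later be turned back into a non-record label, so test the settings against a narrowly scoped pilot policy before publishing to all locations; and record labels are one of the features that may need the E5 or the Information Protection and Governance add-on license mentioned above.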


Solutions


The Solutions tab shows the M365 functionality available to protect and govern information, how each solution affects your compliance score, and how well you are using it.


Conclusion


The new Compliance Score tool will make it a lot easier to ensure compliance.

  • It helps you understand the compliance requirements for new and complex regulations

  • It guides you in implementing the M365 features needed for compliance

  • It helps ensure the implementation is done well, with roles and responsibilities, testing, and documentation

  • It helps you maximize the value of your M365 investment

  • It helps you reduce risks and document your compliance efforts.


You will still need help determining how best to configure the different M365 features, e.g. setting the right retention and disposition with record labels and label policies to automate records management in SharePoint Online. Feel free to contact us if you need help with this.


© Infotechtion