Microsoft 365 service compliance program

Microsoft runs on trust, and Microsoft 365 customers require world class security and privacy functions within their products. The thorough auditing of Microsoft 365 assures customers that the security functions, data handling practices, associated policies, and tooling have been effectively implemented and satisfy the corresponding standards. Microsoft 365's internal compliance program is designed to ensure security and privacy are considered at all phases of the development and operation lifecycle.

Each new service, and any existing service making significant changes to its functionality, must execute three related review efforts: security, privacy, and compliance. Assessments are conducted to understand the scope of the service, which results in a list of requirements that must be met before deployment.

Security

The security assessment is owned by the Microsoft 365 Security Team and is designed to identify all the security solutions that service teams need to install and configure. Microsoft 365 has developed solutions to secure each individual service and connect them to the centralized systems that help protect Microsoft as a whole. These include solutions such as identity and access management, anti-malware software, central logging, and encryption of data. Service teams are also required to create data flow diagrams for threat modeling to help map potential attack vectors. The Microsoft 365 Security Team provides service teams with guidance and performs a final review and approval of the service's security functions.

Privacy

Privacy focuses on customer data the service team transmits, processes, and stores. Tasks include identifying data types collected, retention periods, classification, and any third-party interactions. A dedicated privacy manager and lawyer(s) perform a review of the data handling functions. Threat models are also used to safeguard against unexpected data leakage. The privacy manager must provide official approval and verification of privacy assessment completion.

Compliance

Many customers have region-specific and industry-specific compliance requirements that must be met before they can use cloud services such as Microsoft 365. An objective of the compliance assessment is to ensure that the service and any downstream dependencies meet the compliance requirements of the applicable standards, such as ISO 27001, SOC 2, FedRAMP for government customers, and others described here.

The last step of this three-assessment process is the final trust review, which involves an all-encompassing check of the service's security, privacy, and compliance posture. It verifies that each service is properly secured, follows best practices, meets all relevant regulatory requirements, and that all identifiable risks have been considered and addressed as needed. Additionally, the holistic relationship to all other services and environments is considered at this point.

Teams developing a new service are encouraged to participate in a consultative review session in combination with other assessments. The service teams receive advice on their design, including guidance on avoiding potential pitfalls and blockers prior to beginning development.

Once the security, privacy, and compliance efforts are complete and approved, a service may become generally available to customers, or it may need to wait for an audit, depending on the size, scope, and nature of the service.