Microsoft SC-900 – Module 4 : Describe the capabilities of Microsoft compliance solutions part 1

1. Module 4 introduction

This is the module four of SC 900 certification. If you have read so far, it means that you now have a solid understanding of the security features provided with Microsoft Azure. Things around Microsoft three, six, five Azure Security Center and the security features in Azure Active Directory are not new to you. Now those are the security angle of Microsoft services. Now there is another angle to it the compliance, legal and the regulatory standards. This module is all about various services and features provided by Microsoft to ensure that your organizations stay on top of the line when it comes to compliance related to legal and regulatory standards.

To protect their customers, partners and themselves, microsoft provides an array of tools and capabilities to enable organizations to manage compliance. So what are we going to do? In this lesson, we will learn about the common compliance needs organizations are required to meet. And then we’ll explore about the solutions like Microsoft 365 Compliance Center and the Compliance Manager which will help manage and simplify compliance across an organization. So at the end of this lesson, you will be able to talk about Microsoft Compliance Center and the benefits of Compliance Manager. So, without any further delay, let’s get started.

2. Common Compliance Needs

Organizations, enterprises, institutions, and the entire societies generate and rely on data to function on day to day basis. Data has become more important than ever. Any manipulation or loss of that data can damage organization’s reputation. The sheer scale of data generated and the increasing reliance on it means data management has become crucial. Governments and related entities are working hard to protect people by creating regulations that are designed to protect data through several measures. And these measures could be granting individuals the right to access the data at any time. Granting individuals the right to correct or delete data about them if needed.

 Introducing various kinds of retention periods that dictate a minimum or maximum amount of time data should be stored. It also enables the governments and the regulatory agencies the right to access and examine data when necessary.Various rules have been defined for what data can be processed and how that should be done. There are certain regulations that also require that the data remains protected even if it’s moved between geographic locations. For example, regulations in some countries require that any personal data transferred outside of it borders meets several conditions.

And it may include that the destination country where personal data is to be transferred must be considered. To have adequate protections of data, organizations must create appropriate safeguards, such as specific clauses that must be included in contracts with organizations or bodies that can handle any of this personal data. We need to know about different kinds of regulations that are in place. We’ll talk about them in the next lesson. Although it is short, it is important. Thanks for watching so far. I’ll see you there.

3. Common compliance regulations

Microsoft caters to an array of compliance and regulations, industrywide and countrywide. Some of the important ones are HIPAA, which stands for Health Insurance Portability and Accountability Act. This introduces rules on how healthrelated information should be protected how to prevent fraud and abuse in case of preventive health care. This was created to modernize the flow of health care information stipulate how personally identifiable information, which is called as a PII, is maintained by healthcare and healthcare insurance industries. It should be protected from fraud and theft and address limitations on health care insurance coverage. There’s another important one which is farpa stands for Family Educational Rights and Privacy Act. This introduces rules to protect student information.

This will be protecting the student educational records. And this law will be applicable to all schools that receive funds under the applicable program of the United States Department of Education. The Fairpaw gives parents certain rights with respect to their children’s educational records, and these rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level, the ISO 27701. Now, this specifies rules and guidance to manage personal information and demonstrate compliance as well. When it comes to PII, the ISO 27 70 one is an extension of ISO 27,001, which is for Information Security management systems. This also is there to protect your data. This is an international standard that provides guidelines for protection of privacy and how companies handle personal data.

It helps improve the compliance with data regulations and data protection regulations worldwide. These are just some of the regulations that we can talk about, but Microsoft supports organizations compliance needs based on industries as well as based on region. There’s a lot of built in tools and capabilities out there within the Microsoft interfaces to help them protect information, manage data governance, and respond to regulatory requests as well. In the upcoming sections, we will take a look at certain tools that Microsoft provides. For example, the compliance center and the features that it provides, the compliance manager and the various benefits of the compliance manager as well.

4. Compliance Center

Microsoft three six five compliance center. This is one tool that brings everything under a single umbrella. You’ve got the data that you need in order to help understand and manage your organization’s compliance. Need for you to access the compliance center, you need to be a global admin, a compliance admin, or a compliance data administrator. So when an admin signs in to the Microsoft 365 Compliance Center, they will get a bird’s eye view of how the organization is meeting its compliance requirements, along with possible solutions as well as to how you can improvise the compliance. You get information about any active alerts and there’s a lot of information that you get there. The default compliance center homepage contains several cards. For example, the compliance scorecard. You already heard about this word score before in the Microsoft 365 Security Center as well. This is something similar.

So you get a score in terms of percentage and it shows the compliance score and it will forward admins to the compliance manager where they can see a breakdown of the compliance score. The compliance score measures the progress in getting sudden recommended proven actions within those controls. That score helps your organization to understand the current compliance posture. What you can also see is a solution catalog where you can see information about information protection and governance, insider Risk Management and Discovery and Response Section the Information Protection and Governance section quickly shows you how to use the Microsoft 365 compliance solutions so that you can protect and govern data in your organization.

There’s this Insider Risk Management section as there on the home page and it will show you how your organization can identify, analyze and act on the internal risk that are created by internal user before they cause harm. Finally, the discovery and risk section. This is also there on the home page. I will tell you how your organization can quickly find, investigate and respond to the compliance issues with relevant data. All of these are backed up with outstanding combination of policies, alerts and reports.

5. What is Compliance Manager

The compliance manager. Microsoft Compliance Manager is a feature in the Microsoft 365 Compliance Center. This is helping administrators to manage an organization’s compliance requirements with greater ease and convenience. You can have the Compliance Manager help organizations throughout their compliance journey from taking their inventory data to managing the complexities of of implementing controls, staying current with regulations and certifications, and also reporting to auditors. The Compliance Manager will help simplify compliance and reduce risk by providing a lot of information. Like you got pre built assessments based on common regional and industry regulations and standards.

You got Admins who can also use custom assessment to help with compliance needs unique to your organization.There are a lot of workflow capabilities that enable Admins to efficiently complete risk assessment for the organization. There are step by step improvement actions that Admins can take in order to meet regulations and standards relevant to that organization. Although some of the actions are also managed by Microsoft, but Admins can get implementation details and audit results of those actions. Finally, you get a compliance score, which is a calculation that helps an organization understand its overall compliance pusher by measuring how it’s progressing with improvement actions.

All in all, the Compliance Manager Dashboard will show you the current compliance score will help the Admins to see what needs attention and guides them to key improvement actions.

6. What are Controls

We have used this word several times controls. What is a control? A control is a requirement of regulation, possibly of a standard or a policy. It defines how to assess, how to manage, how to prepare for the system configuration, for the organization processes, and for the people who are responsible for meeting a specific requirement of a standard, regulation or a policy. The compliance manager will track different types of controls. For example, there’s Microsoft Managed Controls, something you can build on your own, which falls under your controls.

Then the shared controls. The first one, Microsoft Managed Controls, clearly means that this will be managed by Microsoft cloud service. Microsoft will be wholly responsible for implementing such controls. Second one is referred to as Customer Managed Controls and these are implemented and managed by your own organization. And the last one, which is Shared Controls, is just falling in the middle of Microsoft Managed Controls and your controls. Now this is where the responsibility shared with the organization and Microsoft.

7. What are Assesments

Now once we have controls, what are we going to do with them? Well, we got to assess them. So we group the controls from a specific regulation or a standard or a policy. Completing the actions within that assessment will help us meet the requirements of a standard regulation or a law. For example, an organization may have an assessment that when the Admin completes all the actions within it, it will help bring the organization, Microsoft 365, up to the level of ISO 27,001. Now that is an example of assessment. Assessment can have several components there and there are in scope services, Microsoft Manage controls, your controls, the shared controls and the assessment score.

These are what you will see inside an assessment. The Inscope services is where you will see the specific set of Microsoft services which are applicable to that assessment. The Microsoft Managed controls will tell us whether the control is managed by Microsoft or not. And if it does, then it will mark it as Microsoft Managed Control. Now, your controls means that these controls are managed by you as a customer. It is implemented by the Admin and managed by the Admins organization or your company. In short, the Shade controls is the responsibility for the organization and by Microsoft as well. And finally you get the assessment score which will show you the progress in achieving the total possible points from actions within that assessment that are managed by your organization and by Microsoft as well.

So that’s your assessment score that you should be looking at. Now when creating these assignments, an Admin will assign them to a group. The admin can configure groups in whatever way is the most logical for the organization. So what could be an example? You might want to group the assessments by audit year, possibly a region solutions or the teams within an organization or some other way the Admin may want to group them. Now once the Admin has created the group, the Admin can filter the compliance manager dashboard to view the score by one or more groups.

8. Understand Compliance score

I did mention that the compliance manager gives you certain score. Let’s talk about that. And how can you understand the compliance score? So the compliance score measures the progress in completing the recommended improvement actions within the controls. The score can help your organization to understand the current compliance pusher, right? So it’s going to help your organization to prioritize the actions based on their potential to reduce the risks. The admins would usually go ahead and break down the compliance score so they will navigate to the compliance manager and then look at the compliance score and break it down to see how they can improvise it.

Is there any remediation that they can do? Now, if you look at the entire compliance score, you will get a couple of things. Number one is your improved actions and Microsoft actions as well. Now, your improved actions, the actions that organization is expected to manage and Microsoft actions, is that actions that Microsoft manages for the organizations. Again, some of these are mandatory and others are discretionary, right? So not everything is something that you should look at for you to be compliant, right? And you need to get a total score. There are certain technical considerations and non technical considerations, so they are categorized as mandatory discretionary and there are others as well.

For example, preventive detective and corrective the mandatory actions. Is that something that should not be bypassed at all? For example, if you look at the password length expiration that is so critical, discretionary is that totally depends on the user’s understanding and adhering to the policy. An example of this would be a policy where users are required to ensure that devices are logged before they leave them. Preventative actions are designed to handle specific tasks. So for example, look at encryption for the data at rest. Now that’s an example of preventative action. What is detective? The detective action actively monitors a system to identify irregularities that could represent the risk or that can be used to detect breaches or intrusions.

For example, this could be the type of actions for system access audits or regulatory compliance audits as well. Finally, the corrective one. Corrective actions would help the administrators to minimize the adverse effects of security incidents. This is done by undertaking corrective measures to reduce their immediate effect or possibly even reverse the damages. Keep in mind that actions that are mandatory and preventative, that is, with 27 points, provide the highest points value towards your compliance score. Organizations accumulate points for every completed action and the compliance code is shown as a percentage representing all the actions completed compared with the ones outstanding.

9. Chapter Summary

We have reached yet another milestone. It’s important to go ahead and take a step back and understand what we learned so far. So we looked at various tools that are provided by Microsoft to manage compliance for your organization. We explored the Compliance Center Compliance Manager and how it can help organizations manage the compliance. Now without these tools, organizations could not manage compliance compliance and they would be risk of not meeting required legal and regulatory standards. With all of these tools, they can stay in line with compliance requirements, right? So we looked at Microsoft Compliance Center and the benefits of the compliance manager. What’s coming up next is the information, protection and governance capabilities of Microsoft 365. Thanks for watching so far and I’ll see you in the next lesson.

10. The information protection and governance capabiliities of Microsoft 365

Welcome to this next lesson where we talk about the information protection and governance capabilities of Microsoft 365. Let’s set the expectations here as to what we’re going to learn here in this lesson. Well, we know that organizations need to protect all kinds of data, including financial information and personal information. And that’s really important to ensure that employees and the organization are protected, protected from those risks. The organization needs to stay in line with compliance standards wherever it operates. Microsoft provides solutions that can help organizations to implement information protection and governance.

In this lesson, we’ll talk about how Microsoft solutions and capabilities, for example, data classification, records management, and data loss prevention will really help you implement information protection and governance. We’ll talk about the data classification capabilities. Next we’ll go to records management and then finally, the objectives and the tools used in the data loss prevention. Thanks for watching so far. I’ll see you in the next lesson where we’ll start with how do you know your data? How do you protect your data and how would you govern your data?

11. Know your data, protect your data, and govern your data

This particular point is very important where we should talk about know your Data, protect Your Data, and Govern Your data. The Microsoft Information Protection would discover, classify and protect your sensitive information and any kind of business critical content throughout its lifecycle across your organization. Microsoft Information Protection, which provides you various tools to know your data, protect and then prevent the data loss. Then there is another tool called as Microsoft Information Governance, which is responsible to manage your content lifecycle using various solutions.

For example, how do you import the data, where do you store the data? And how do you classify the business critical data so that you can keep what you need and delete what you don’t? It gives the organizations the capabilities to govern their data for compliance or regulatory requirements. Now, these two tools, Microsoft Information Protection and Microsoft Information Governance, will work together to classify, protect and keep your data where it lives and where it should go. Now, these are the four key points for example, knowing your data, protecting Your data, preventing Data Loss and Govern Your Data. Think about the first point knowing your data.

Organizations can understand their data landscape and identify important data which is going through their on premises, sometimes in the cloud and on the hybrid environments. As well. There are capabilities and tools such as Trainable Classifiers, Activity Explorer and Content Explorer that will allow organizations to know their data. You also need to protect your data using mechanisms like encryption, access restrictions, and probably visual markings as well. You also prevent your data loss by detecting any kind of risky behavior and prevent any accidental oversharing of sensitive information.

You need to know that there are capabilities such as data loss prevention policies and Endpoint Data Loss Prevention, which will enable organizations to avoid the data loss. Finally, you govern the data. Organizations can automatically keep, delete and store the data and records in a compliant manner. Capabilities like retention policies, retention labels, and records management would enable organizations to govern their data. Now, information and capabilities related to each of these areas would be discussed throughout this lesson, so stay tuned. I will talk about the data classification in the next section.