Office 365 Service Assurance and Audited Controls

  • Article

At Microsoft, we believe that transparency is key to earning customer trust. When you entrust your data to the Microsoft Cloud, you will have questions:

  • Where is it and who can access it?
  • What is Microsoft doing to protect it?
  • What does Microsoft do to comply with regulatory requirements?
  • How can I verify that Microsoft is doing what it says?

Because it’s your data, you decide who has access, and you work with us to decide where it is located. To safeguard your data, we use advanced security technology and cryptography. Our compliance with US and international standards is independently audited, and we’re transparent on many levels—from how we handle legal demands for customer data to the security of our code. We offer detailed trust information on each of our cloud services, which we group into four categories:

  • Secure
  • Private
  • Compliant
  • Transparent

We do this not just to be transparent, but to also help you answer the questions above, and to make it easier for you to perform your own risk assessment of using Office 365. And we do this to help you understand how the controls within Office 365 meet the security, compliance, and privacy requirements of your organization.

To that end, we have launched a new Office 365 Security & Compliance Center, which is designed to be a one-stop portal for protecting your Office 365 data. It is a new portal that is an evolution of the Office 365 Compliance Center. The Security & Compliance Center is designed for organizations that have data protection or compliance needs, or that want to audit user and administrator activity. You can use the Security & Compliance Center to manage compliance for all of your organization’s data across Office 365.

You can access the Security & Compliance Center at https://protection.office.com using your Office 365 admin account. Administrators can also delegate access to compliance, security, and other teams in your organization. For more information, see Give users access to the Security & Compliance Center.

The Security & Compliance Center includes several navigation panes that provide access to several auditing and reporting features:

  • Permissions   Enables you to assign permissions such as Compliance Administrator, eDiscovery Manager, and others to people in your organization so they can perform tasks in the Security & Compliance Center.
  • Security policies   Enables you to create and apply device management policies using Office 365 Mobile Device Management and to set up Data Loss Prevention (DLP) policies for your organization.
  • Data management   Enables you to import email or SharePoint from other systems into Office 365, configure archive mailboxes, and set retention policies for email and other content within your organization.
  • Search & investigation   Provides content search, audit log and eDiscovery case management tools to quickly drill into activity across Exchange Online mailboxes, groups and public folders; SharePoint Online, and OneDrive for Business.
  • Reports   Enables you to quickly access reports for SharePoint Online, OneDrive for Business, Exchange Online, and Azure AD.
  • Service assurance   Provides information about how Microsoft maintains security, privacy and compliance with global standards for Office 365, Azure, Microsoft Dynamics CRM Online, Microsoft Intune, and other cloud services. Also includes access to third-party ISO, SOC and other audit reports, as well as Audited Controls, which provides details about the various controls that have been tested and verified by third-party auditors of Office 365.

Service Assurance

Many of our customers in regulated industries are subject to extensive compliance requirements. To perform their own risk assessments, customers often need in-depth information on how Office 365 maintains the security and privacy of their data. Office 365 is committed to the security and privacy of customer data in its cloud services and to earning customer trust by providing a transparent view of its operations, and easy access to independent compliance reports and assessments.

As mentioned above, the Service Assurance area provides information about how Microsoft's cloud services maintain security, privacy and compliance with global standards. The Service Assurance area includes independent third-party audit reports for Office 365, Yammer, Azure, CRM Online, and Intune, as well implementation and testing details for the security, privacy, and compliance controls used by Office 365 to protect customer data, which can be found in the Audited Controls area.

The Service Assurance section in the Security & Compliance Center provides transparency of operations and information on how Microsoft maintains the security, privacy and compliance of customer data in Office 365. Customers can use the third-party reports on advanced security and compliance standards, along with a library of white papers, FAQs, and other materials on Office 365 topics such as data encryption, data resiliency, security incident management and more, to perform their own regulatory risk assessments. Compliance officers can assign the “Service Assurance User” role in Permissions to give users access to the Service Assurance dashboard. The tenant administrator can also provide external users, such as independent auditors, with access to information in the Service Assurance dashboard through the Microsoft Cloud Service Trust Portal (STP). For details on how to access the STP, visit Get started with the Service Trust Portal for Office 365 for business, Azure, and Dynamics CRM Online subscriptions.

Audited Controls

The Audited Controls area provides information about how the controls used within Office 365 meet security, compliance, and privacy requirements. Microsoft's internal control system is based on the National Institute of Standards and Technology (NIST) special publication 800-53.  With Audited Controls, we are also mapping our internal control system to other standards, such as International Organization for Standardization (ISO) 27001:2013 and ISO 27018:2014.

Using the Audited Controls feature, customers can perform their own assessment of the risks of using Office 365. Customers view the details of a given control, that includes:

  • Control ID (as assigned by the particular mapped standard)
  • Test status (whether or not the control passed testing)
  • Test date (when the control was last tested)
  • Tested by (typically third-party auditors or Microsoft)
  • Control implementation details (how the control is implemented)
  • Testing performed to evaluate control effectiveness (how the control was tested)

The following figure is an example of a control and the available details for it:

[caption id="attachment_3045" align="alignnone" width="258"]Example control from the Audited Controls area of Service Assurance Example control from the Audited Controls area of Service Assurance[/caption]

Because a control can map to multiple standards, the Test Date is the date when the control was last tested during any audit. As a result, the Test Date may me more recent than the date of the audit for the standard to which it is mapped. For example, a control such as one of our cryptographic key management policy controls, is typically tested by multiple third-party auditors as part of separate audits that are being conducted (e.g., ISO, SOC, etc.).

Audited Controls also enables customers to download an Excel file containing the details on all of the controls that were tested as part of a specific audit (e.g., ISO 27001:2013, or ISO 27018:2014, etc.). As of this writing, the only standards mapping files available are for ISO, but additional mapping against other standards is planned for a future release.

Check out Service Assurance and Audited Controls and let us know what you think.  You can use the Feedback mechanism in Service Assurance to send us anonymous or non-anonymous comments and feedback.