Get to know the new Service Trust Portal

On November 16, we released a major update to the Service Trust Portal (STP)[1]. This update includes two significant changes to the STP:

  1. We re-organized the content into Guides.
  2. We released a Preview of a new feature called Compliance Manager[2].

Guides

The current Guide experience is like the previous STP experience, which provided Compliance Reports and Trust Documents. There are three categories of Guides: Compliance Guides, Trust and Transparency Guides, and Azure Blueprints.[3]

  • Compliance Guides include ISO, SOC, FedRAMP and other audit reports, bridge letters and materials related to independent, third-party audits of Microsoft’s cloud services such as Microsoft Azure, Microsoft Office 365, Microsoft Dynamics 365, and others.
  • Trust and Transparency Guides include deep dive whitepapers that provide details on how we design and operate our cloud services, FAQs, end-of-year security assessments, and penetration test results.
  • Azure Blueprints provide turn-key compliance solutions and support tailored to the needs of industry verticals that accelerate cloud adoption and usage for customers with regulated or restricted data. Available blueprints include U.S. Department of Defense, FedRAMP, Healthcare, NIST, PCI-DSS, and U.K. G-Cloud.

As we continue to develop the Guides feature of the STP, you’ll see things change from the old naming to Guides. We will also be introducing search features that return results from both public and controlled content (e.g., documentation that requires authentication to download), and Guide filters that will enable personalization of Guide delivery based on your role or industry.

Compliance Manager

Compliance Manager provides tools to track, implement, and manage the auditing controls to help your organization reach compliance with security or data protection industry standards when measured against Microsoft cloud services, such as Office 365 and Azure. It helps the person who oversees the data protection strategy for your organization (sometimes called a data protection officer) to manage the compliance and risk assessment process.

Compliance Manager combines the information from Audited Controls with a compliance management system that can be used to track and report on your organization’s compliance activities. It is implemented as a dashboard that provides a summary of your data protection and compliance stature, and recommendations for improvement. These are only recommendations, though; it is up to each customer to evaluate the effectiveness of the recommendations in their environment. The recommendations in Compliance Manager should not be interpreted as a guarantee of compliance.

Compliance Manager:

  • Enables you to conduct a risk assessment of Microsoft cloud services: Combines the detailed information provided by Microsoft to auditors and regulators as part of various third-party audits of Microsoft’s cloud services against various standards (such as International Organization for Standardization 27001:2013 and ISO 27018:2014), and information that Microsoft compiles internally for its compliance with regulations (such as the EU General Data Protection Regulation or GDPR), with your own self-assessment of your organization’s compliance with these standards and regulations.
  • Provides you recommended actions and detailed guidance to improve your data protection capabilities that can help you meet regulatory requirements.
  • Simplifies your compliance workflow and enables you to assign, track, and record compliance and assessment-related activities, which can help your organization cross team barriers to achieve your organization’s compliance goals. It also provides a secure repository for you to upload and manage evidence and other artifacts related to your compliance activities, so that you can produce richly detailed reports in Microsoft Excel that document the compliance activities performed by Microsoft and your organization, which can be provided to auditors, regulators, and other compliance stakeholders.

Check out the demo video below to see Compliance Manager Preview in action.

https://www.youtube.com/watch?v=-ScjtTIOnQs

Controlling Access to Compliance Manager

As with the rest of the STP, by default, everyone in your organization with an Office 365 or Azure Active Directory account has access to Compliance Manager and can perform almost any action in Compliance Manager[4]. The target user audience for Compliance Manager is those individuals in your organization who are responsible for:

  • Compliance
  • Privacy
  • Security
  • Risk assessments
  • Auditing
  • Data protection
  • IT administration

These users may already have a variety of Azure Active Directory administrator roles assigned to them, such as:

  • Global administrator
  • Exchange administrator
  • Skype for Business administrator
  • SharePoint administrator
  • Compliance administrator
  • Security administrator
  • And others

To control who has access to Compliance Manager (along with the level of access) using built-in Role Based Access Control (RBAC) for permissions, you must change the default permissions and configure Compliance Manager to be accessible to a limited set of users by adding at least one user to each Compliance Manager role (see these instructions). After a user has been added to each role, the default permissions are removed, and only users who have been added to a role will be able to access Compliance Manager and perform the actions allowed by that role.

For example, if you add a user to the role that lets users manage Assessments, only members of that role can manage Assessments. Similarly, if you don't add a user to the role that lets users read the data in Assessments, then all users in your organization can access Compliance Manager and read data in any Assessment.
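To make the default-open behaviour described above concrete, here is an added Python model (not Microsoft's code; the role and action names are constructed stand-ins, since the page does not list the actual Compliance Manager role names) that evaluates an access decision and audits a proposed role assignment for roles still open to the whole tenant:

```python
# Constructed role names standing in for "the role that lets users manage
# Assessments" and "the role that lets users read the data in Assessments".
# The real Compliance Manager role names are not given on the page (assumption).
ROLE_ACTIONS = {
    "manage_assessments": {"create_assessment", "edit_assessment", "delete_assessment"},
    "read_assessments": {"view_assessment"},
}


def is_allowed(role_members, user, action):
    """Decide whether `user` may perform `action`.

    Models the rule described above: a role with no members keeps the default
    'everyone in the tenant' permission, while a role with at least one member
    restricts that role's actions to its members only.
    """
    for role, actions in ROLE_ACTIONS.items():
        if action not in actions:
            continue
        members = role_members.get(role, set())
        return not members or user in members
    raise ValueError(f"unknown action {action!r}")


def open_roles(role_members):
    """Audit helper: roles whose actions are still available to every tenant user.

    A non-empty result means the configuration is only partially locked down.
    """
    return sorted(role for role in ROLE_ACTIONS if not role_members.get(role))


if __name__ == "__main__":
    # Constructed sample: only the manage role has been assigned so far.
    partial = {"manage_assessments": {"alice"}}
    print("bob may view assessments:", is_allowed(partial, "bob", "view_assessment"))
    print("roles still open to everyone:", open_roles(partial))
```

Running the audit before and after each role assignment makes it obvious when a tenant is still in the partially configured state the paragraph above warns about.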

Compliance Manager Data

Compliance Manager is integrated with your Office 365 or Azure Active Directory organization for authentication and access control purposes. Beyond this integration, Compliance Manager does not have access to any other data within your cloud subscription(s). Unlike some security and compliance features that can scan your organization’s tenant configuration settings, such as Office 365 Secure Score, Compliance Manager has no access to your tenant’s settings or data.

Compliance Manager does provide you with the ability to enter information and upload files within the Customer Managed Controls section. Any data that you upload and store in Compliance Manager will be accessible to your entire organization, unless you restrict access to Compliance Manager as described above. Microsoft personnel do not have access to this data, which is stored within Microsoft cloud storage that is compliant with the data protection standards in Tier C of our Compliance Framework for Industry Standards.

Compliance Manager Feedback

The new Service Trust Portal and Compliance Manager are currently in Preview and we need your feedback to make it as useful to you as possible. Please use the Feedback button on the bottom of the page and tell us what you think. You can even include screenshots. All feedback is read by the STP and Compliance Manager development team at Microsoft. All feedback is anonymous, unless you include your email address.

[1] The STP is different from the Microsoft Trust Center.

[2] The original announcement for Compliance Manager can be found here.

[3] As a convenience to those customers who have an Office 365 subscription, we also provide the Compliance Guides and the Trust and Transparency Guides in the Service Assurance area of the Office 365 Security & Compliance Center.

[4] Only Tenant Admins and STP Portal Admins will be able to see and access the Settings page.