One of the challenges concerning those implementing Service Delivery with Office 365, is building proof that Office 365 complies with regulatory standards and legislation.
By Geoff Evelyn, Office Services and Systems MVP
Service Assurance is a primary goal
This is particularly important in understanding how Office 365 protects your data, especially since it concerns email access, team communication, collaboration, content storage and specifically content viewed and edited in a browser. Service Delivery includes Service assurance, which is an organisational primary goal, and is directly aligned to the C/I/A triad (Confidentiality, Integrity and Availability), being key aspects of information security.
For example, Office 365 assurance in Availability would mean that authorised users can access resources in a reliable and timely manner. Without service assurance, organisations will have no way of proving beyond doubt that that the service provided meets any information security, legislation, regulatory or audit standards. In order to meet these requirements, Office 365 has been subject to a significant risk assessment and audit. You need to be able to understand and apply these to your sector and geographical location, so that you and your customers can further understand the service descriptions, the components, the processes and people and then build your own risk assessments based on what you provide through Office 365.
Why provide resources for Service Assurance
The key aspect in meeting information security goals is to first carry out a risk assessment of what you offer through Office 365, including references to resources. However, that may be as challenge for many organisations due to a number of factors, such as:
- Lack of security skillset concerning risk assessment planning and management.
- Difficulty in determining a starting point and/or having available person resources.
- Unclear of the provision of Office 365 in conjunction with existing services and processes.
This means there is a lot to take on board, let alone understand where to look for the correct resource. To help, Microsoft are focused on the area of Service Assurance for Office 365, and have gone to great lengths to ensure that customers are comfortable with not only the security elements, but can prove when audited that the relevant customer industry is covered from a regulatory and legislative perspective. Microsoft have provided plenty of guides and in the Security and Compliance section of Office 365 covering:
- Security practices for data protection.
- Visibility of independent third-party audit.
- Implementation of security, privacy, compliance and testing controls.
- Capacity, Network Security, System Acquisition, Supplier Relationships, Information Security and Legislation (ISO 27001/27018, HIPAA 1996 and FedRAMP).
Office 365 Service Assurance offering
Service Assurance is accessible through this link – and you must authenticate using your Office 365 account to see the section. A note here: a key step in carrying out a risk assessment is to build an effective team whose responsibility is to draw the relevant resources, build the risk outline, threat models and actions and then give them access to the Service Assurance section. Therefore, it is crucial they have access to the relevant content in the Security and Compliance Service Assurance section. This is further covered in the Dashboard section.
The Service Assurance section is available in the left hand menu and there are five options in that section. These are given in Table 1:
Table 1: Options in the Office 365 Security and Compliance section
Now follows a quick outline of what to expect from the sections listed above.
Before working on risk assessment, you will need to assign people to access the resources. These people (referred as Users in the Dashboard) would effectively have a ‘Service Assurance Role’. Note that adding users to this role will not automatically alert them (like the default option in assigning user access to SharePoint content). In the Add Users section of the Dashboard link there will be a link titled ‘Go to Permissions’). The below screenshot shows an example of adding a user into the Service Assurance User role. To add a user, click the Edit icon and then click the + icon to then select a user from your Office 365 site of users.
The dashboard also includes information on changes and additions to the Service Assurance section. There is a ‘What’s new’ section which lists new resources you should check out. At the point of writing this article, I noticed the SOC and ISO Audit reports (produced yearly) which is a great resource, going into detail concerning a description of Office 365 (software, people and procedures).
A key resource available in the dashboard is the ‘On-Boarding’ article, which is a full description of how to use the Service Assurance section. When visiting this for the first time, I would advise that this document be used as a starting point, advising who can access the Service Assurance section, how it should be done, and crucially about setting the customer industry and regional settings as this will filter the relevant resources accordingly. Other information in this article concerns how to find and download compliance and trust content – and this will be crucial in helping build out your risk assessments.
This is where you go to see the third party auditor content used to review and assess Office 365 technologies; ensuring they comply with standards, specific to the industry and region chosen. This is split into four sections:
- FedRamp – contains System Security plans; great high level information concerning Azure security.
- GRC (Governance, Risk management, Compliance) – A wealth of documents concerning overviews of cloud service architecture, description of service and security overviews. These can be used to aid risk assessments, for example, in Office 365 you may need to know the physical architecture and security services surrounding say Lync Online, or what Information Protection protocols are used.
- ISO (International Organisation for Standardisation) – provides information to ensure that services, processes are fit for purpose. Key ISO standards you should also read up on are ISO 27001 (information security management) and ISO 27018 (protection of PII – Personally Identifiable Information).
- SOC / SSAE 16 (Service Organisation Controls) reports – audits carried out to ascertain the fairness of presentation, suitability of design, and operating effectiveness of the controls relevant to the service being audited.
I’ve described some of Office 365 ISO / SOC compliance reports here.
Trust Documents are white papers, FAQs, end-of-year reports and other Microsoft Confidential resources that are made available under non-disclosure agreement. This area is split into two sections; FAQ and White Papers, and Risk Management Reports. The FAQ section has a great list of resources, for example, Data Resiliency in Office 365, Content Encryption, Cloud Security and more. The Risk Management section lists resources concerning Dynamics CRM, Office 365 in terms of security assessments. For those new to building out risk assessments concerning Office 365, I would strongly suggest accessing two very useful documents from this area from the get-go:
- Office 365 Customer Security Considerations User Guide
- Office 365 Customer Security Considerations Workbook
The Audited Controls section lists the global information security standard and regulations that Office 365 has implemented. Key ones are the ISO 27001:2013 and ISO 27018:2014 controls. These drill down into the controls themselves, broken into sections concerning the standard itself and associating Office 365 with each. For example, I was interested in Privacy Compliance for Office 365 and noted two controls; Countries in which PII might be stored, and Controls over PII transmitted using a data-transmission network. Once clicking on these I could read how Office 365 passed the test on this control, the implementation details and information concerning the relevant test. This is extremely useful in understanding how Office 365 works under circumstances related to the standard.
The Settings section allows you to set the Region and the Industry. This is very important and I would suggest your first step, as the resources provided through Compliance Reports and Audit Controls are filtered to what is chosen. Region will list global areas, such as Asia Pacific, Canada, Europe, Germany amongst others. Industry will list the productive enterprises. I’ve noticed this is not alphabetical, so you will need to ensure you scroll through the entire list to see all the sectors. Once this is saved, the filters will operate accordingly.
You’ve heard the question before – how secure is Office 365 with my data? Maybe you have even asked that question yourself, and that question usually spawns others. Where’s the data stored? Is it easy to get to? What controls are in place to protect it? What if I need to comply with specific standards and regulations? Data and the processing of that data forms the lifeblood of an organisation, so it is important to get answers to these questions to prevent, at the very least, customers getting shaky knees when thinking of moving their critical information to the cloud. Office 365 has answers to these questions in the Service and Assurance section of the Security and Compliance Center. Another point in relation to getting answers to the above questions is around the principles of Information Assurance, and trying to get to grips with terms like Confidentiality, Availability, Integrity and Authentication, and what they mean to Information Security and Protection.
I help penned another article about this here which will help you understand these concepts; you should give that a read, as this will strengthen your resolve in building out your Office 365 risk assessments and audits. Also, do not be afraid in requesting further aid and ensure you get buy-in with your security teams. Finally, for those new to the Security and Compliance Centre, a great video gives some great insights into the to bring you up to speed: