Module 5ca - Identity, Governance, Privacy and Compliance - Privacy, Compliance and Data Protection Standards Flashcards
General Knowledge: What is “Compliance” and “Regulatory Compliance”?
Compliance means to adhere to a law, standard, or set of guidelines that governing bodies enforce
Regulatory Compliance is the discipline and process of ensuring that your company adheres to all laws that governing bodies enforce
Hint: “regional”
What are the four (4) groups for Compliance Offerings?
Global | US Gov | Industry | Regional
Hint: OSAFR
What is covered in Compliance Offering details?
- Overview of the standard
- Scope: What cloud services are in-scope for the Offering
- Audit Cycle: includes links to the audit report
- FAQs
- Resources: white papers, etc.
Compliance Offering: what is Criminal Justice Information Service (CJIS)?
Criminal Justice Information Service. Azure adheres to this policy for accessing data from the FBI
Compliance Offering: what is CSA STAR Certification? (Hint: stand up straight!)
What three things does it demonstrate w.r.t.:
- ISO
- Cloud Control Matrix
- STAR Capability Maturity
Certification of a cloud provider’s security posture.
The cert demonstrates:
- Conformance with certain ISO standards
- Cloud security issues outlined in CCM (Cloud Control Matrix) have been addressed
- Assessed against STAR Capability Maturity Model for CCM control areas
Hint: GDPR
Compliance Offering: what are EU Model Clauses?
This offering provides contractual guarantees for transfers of personal data OUTSIDE the EU
Compliance Offering: what is HIPAA? What agreement does Microsoft offer with it?
lol Health Insurance Portability and Accountability Act, regulates patient Protected Health Information (PHI)
Microsoft offers customers a HIPAA Business Associate Agreement (BAA) should they require HIPAA Compliance
Compliance Offering: what is ISO 27018?
Compliance for processing personal information by a cloud service provider
Compliance Offering: what is the Multi-Tier Cloud Security (MTCS) Certification?
When a provider offers multiple “Tiers” of services, they must have this cert per tier. For Azure, all three service classifications have this cert (IaaS, PaaS, SaaS).
Compliance Offering: what is the Service Organization Controls (SOC) Report Framework?
Service Organization Controls. 3rd-party auditors cover data security, availability, processing integrity and confidentiality as applicable to the in-scope trust principles
Compliance Offering: what is the National Inst. of Standards - Cybersecurity Framework (NIST CSF)? (simple def)
They are guidelines and best practices for managing cybersecurity-related risks
Compliance Offering: what is the UK Government G-Cloud?
Cloud computing certification for services used by UK government entities. For UK gov entities to use your cloud services, you need to have this cert.
What is the Microsoft Privacy Statement?
It explains what personal data Microsoft collects, how it’s used and for what purposes
The Microsoft Privacy Statement covers all its Services, web sites, apps, software, but not the hardware (physical servers, devices, etc.). Hardware is covered in the Device Privacy Statement (T/F)?
False. The Microsoft Privacy Statement covers BOTH software and hardware, as well as specific products like Windows and Xbox
Hint: legal agreements
What is Microsoft’s OST (Online Services Terms)? What obligations does it detail?
A legal agreement between MS and the customer that details obligations by BOTH parties w.r.t. processing and security of customer and personal data