Module 5ca - Identity, Governance, Privacy and Compliance - Privacy, Compliance and Data Protection Standards

Question 1

General Knowledge: What is “Compliance” and “Regulatory Compliance”?

Answer 1

Compliance means to adhere to a law, standard, or set of guidelines governing bodies enforce

Regulatory Compliance is the discipline and process of ensuring that your company adheres to all laws that governing bodies enforce

Question 2

Hint: “regional”

What are the four (4) groups for Compliance Offerings?

Answer 2

Global | US Gov | Industry | Regional

Question 3

Hint: OSAFR

What is covered in Compliance Offering details?

Answer 3

• Overview of the standard
• Scope: What cloud services are in-scope for the Offering
• Audit Cycle: includes links to the audit report
• FAQs
• Resources: white papers, etc.

Question 4

Compliance Offering: what is Criminal Justice Information Service (CJIS)?

Answer 4

Criminal Justice Information Service. Azure adheres to this policy for accessing data from the FBI

Question 5

Compliance Offering: what is CSA STAR Certification? (Hint: stand up straight!)

What three things does it demonstrate wrt:

• ISO
• Cloud Control Matrix
• STAR Capability Maturity

Answer 5

Certification of a cloud provider’s security posture.

The cert demonstrates

• Conformance with certain ISO standards
• Cloud security issues outlined in CCM (Cloud Control Matrix) have been addressed
• Assessed against STAR Capability Maturity Model for CCM control areas

Question 6

Hint: GDPR

Compliance Offering: what are EU Model Clauses?

Answer 6

This offering provides contractual guarantees for transfers of personal data OUTSIDE the EU

Question 7

Compliance Offering: what is HIPAA? What agreement does Microsoft offer with it?

Answer 7

lol Health Insurance Portability and Accountability Act, regulates patient Protected Health Information (PHI)

Microsoft offers customers a HIPAA Business Associate Agreement (BAA) should they require HIPAA Compliance

Question 8

Compliance Offering: what is ISO 27018?

Answer 8

Compliance for processing personal information by a cloud service provider

Question 9

Compliance Offering: what is the Multi-Tier Cloud Security (MTCS) Certification?

Answer 9

When a provider offers multiple “Tiers”of services, they must have this cert per tier. For Azure, all three service classifications have this cert (IaaS, PaaS, SaaS).

Question 10

Compliance Offering: what is the Service of Controls (SOC) Report Framework?

Answer 10

Service Organization Controls. 3rd party auditors cover data security, availability, processing integrity and confidentiality as applicable to in-scope trust principles

Question 11

Compliance Offering: what is the National Inst. of Standards - Cybersecurity Framework (NIST CSF)? (simple def)

Answer 11

They are guidelines and best practices for managing cybersecurity related risks

Question 12

Compliance Offering: what is the UK Government G-Cloud?

Answer 12

Cloud computing certification for services used by UK government entities. For UK gov entities to use your cloud services, you need to have this cert.

Question 13

What is the Microsoft Privacy Statement?

Answer 13

It explains what personal data Microsoft collects, how it’s used and for what purposes

Question 14

The Microsoft Privacy Statement covers all its Services, web sites, apps, software, but not the hardware (physical servers, devices, etc.). Hardware is covered in the Device Privacy Statement (T/F)?

Answer 14

False. The Microsoft Privacy Statement covers BOTH Software and Hardware as well as for specific products like Windows and XBox

Question 15

Hint: legal agreements

What is Microsoft’s OST (Online Services Terms)? What obligations does it detail?

Answer 15

A legal agreement between MS and the customer that details obligations by BOTH parties w.r.t. processing and security of customer and personal data

Question 16

The OST (Online Services Terms) covers all subscription based, online services like Azure, MS Dynamics 365, Office 365 and Bing Maps. Nothing else (ex. it doesn’t include desktop apps like Microsoft Office or SQL Server Mgmt Studio)? (T/F)

Answer 16

True. “ONLINE” means “ONLINE” so only Subscription online SaaS.

Question 17

What is the Data Protection Addendum (DPA) and what are four (4) definitions it provides?

Answer 17

Defines the data processing and security terms for online services, including:

• Compliance with laws
• Disclosure of processed data
• Data security (practices, policies, data encryption, data access, customer responsibilities, compliance with auditing)
• Data transfer, retention and deletion

Question 18

How do you access DPA?

Answer 18

DPA is found on the Licensing Terms and Documentation page. In the search bar, type “DPA”, then locate the link to the DPA in your preferred language (or filter for the language)

Question 19

What is the Trust Center?

Answer 19

Trust Center is a website that provides resources and support for legal and compliance communities.

• In-depth information on security, privacy, compliance, policies, features and practices across cloud products
• Links to security, privacy and compliance blogs and upcoming events

Question 20

What is Azure Compliance Documentation?

Answer 20

Azure’s complete list of Compliance Offerings, including everything under the following categories

• Global
• US Gov
• Financial Services
• Health
• Media and Manufacturing
• Regional (international; Asia Pacific, EMEA)

Finally, there’s a section on additional resources and information including Audit Reporting and Certs, Privacy and GDPR, Compliance Blueprints, white papers, etc.

Question 21

How does PCI DSS apply to Microsoft?

Answer 21

This is a payment provider compliance lol

Azure maintains PCI DSS validation using an approved Qualified Security Assessor and is certified as compliant with PCI DSS v3.2.1. at Service Provider 1

Or simply put, if you want to implement payment processing, CDE (cardholder data environment), etc. you can rely on Azure for the PCI DSS validation and compliance