Module 5ca - Identity, Governance, Privacy and Compliance - Privacy, Compliance and Data Protection Standards Flashcards

1
Q

General Knowledge: What is “Compliance” and “Regulatory Compliance”?

A

Compliance means adhering to a law, standard, or set of guidelines that governing bodies enforce

Regulatory Compliance is the discipline and process of ensuring that your company adheres to all laws that governing bodies enforce

2
Q

Hint: “regional”

What are the four (4) groups for Compliance Offerings?

A

Global | US Gov | Industry | Regional

3
Q

Hint: OSAFR

What is covered in Compliance Offering details?

A
  • Overview of the standard
  • Scope: What cloud services are in-scope for the Offering
  • Audit Cycle: includes links to the audit report
  • FAQs
  • Resources: white papers, etc.
4
Q

Compliance Offering: what is Criminal Justice Information Service (CJIS)?

A

Criminal Justice Information Service. Azure adheres to this policy for accessing data from the FBI

5
Q

Compliance Offering: what is CSA STAR Certification? (Hint: stand up straight!)

What three things does it demonstrate w.r.t.:

  • ISO
  • Cloud Control Matrix
  • STAR Capability Maturity
A

Certification of a cloud provider’s security posture.

The cert demonstrates

  • Conformance with certain ISO standards
  • Cloud security issues outlined in CCM (Cloud Control Matrix) have been addressed
  • Assessed against STAR Capability Maturity Model for CCM control areas
6
Q

Hint: GDPR

Compliance Offering: what are EU Model Clauses?

A

This offering provides contractual guarantees for transfers of personal data OUTSIDE the EU

7
Q

Compliance Offering: what is HIPAA? What agreement does Microsoft offer with it?

A

lol Health Insurance Portability and Accountability Act, regulates patient Protected Health Information (PHI)

Microsoft offers customers a HIPAA Business Associate Agreement (BAA) should they require HIPAA Compliance

8
Q

Compliance Offering: what is ISO 27018?

A

Compliance for processing personal information by a cloud service provider

9
Q

Compliance Offering: what is the Multi-Tier Cloud Security (MTCS) Certification?

A

When a provider offers multiple “Tiers” of services, they must have this cert per tier. For Azure, all three service classifications have this cert (IaaS, PaaS, SaaS).

10
Q

Compliance Offering: what is the Service Organization Controls (SOC) Report Framework?

A

Service Organization Controls. Third-party auditors cover data security, availability, processing integrity and confidentiality, as applicable to the in-scope trust principles

11
Q

Compliance Offering: what is the National Inst. of Standards - Cybersecurity Framework (NIST CSF)? (simple def)

A

They are guidelines and best practices for managing cybersecurity-related risks

12
Q

Compliance Offering: what is the UK Government G-Cloud?

A

Cloud computing certification for services used by UK government entities. For UK gov entities to use your cloud services, you need to have this cert.

13
Q

What is the Microsoft Privacy Statement?

A

It explains what personal data Microsoft collects, how it’s used and for what purposes

14
Q

The Microsoft Privacy Statement covers all its Services, web sites, apps, software, but not the hardware (physical servers, devices, etc.). Hardware is covered in the Device Privacy Statement (T/F)?

A

False. The Microsoft Privacy Statement covers BOTH software and hardware, as well as specific products like Windows and Xbox

15
Q

Hint: legal agreements

What is Microsoft’s OST (Online Services Terms)? What obligations does it detail?

A

A legal agreement between MS and the customer that details obligations by BOTH parties w.r.t. processing and security of customer and personal data

16
Q

The OST (Online Services Terms) covers all subscription-based, online services like Azure, MS Dynamics 365, Office 365 and Bing Maps. Nothing else (e.g. it doesn’t include desktop apps like Microsoft Office or SQL Server Mgmt Studio)? (T/F)

A

True. “ONLINE” means “ONLINE” so only Subscription online SaaS.

17
Q

What is the Data Protection Addendum (DPA) and what are four (4) definitions it provides?

A

Defines the data processing and security terms for online services, including:

  • Compliance with laws
  • Disclosure of processed data
  • Data security (practices, policies, data encryption, data access, customer responsibilities, compliance with auditing)
  • Data transfer, retention and deletion
18
Q

How do you access DPA?

A

DPA is found on the Licensing Terms and Documentation page. In the search bar, type “DPA”, then locate the link to the DPA in your preferred language (or filter for the language)

19
Q

What is the Trust Center?

A

Trust Center is a website that provides resources and support for legal and compliance communities.

  • In-depth information on security, privacy, compliance, policies, features and practices across cloud products
  • Links to security, privacy and compliance blogs and upcoming events
20
Q

What is Azure Compliance Documentation?

A

Azure’s complete list of Compliance Offerings, including everything under the following categories

  • Global
  • US Gov
  • Financial Services
  • Health
  • Media and Manufacturing
  • Regional (international; Asia Pacific, EMEA)

Finally, there’s a section on additional resources and information including Audit Reporting and Certs, Privacy and GDPR, Compliance Blueprints, white papers, etc.

21
Q

How does PCI DSS apply to Microsoft?

A

This is payment-provider compliance lol

Azure maintains PCI DSS validation using an approved Qualified Security Assessor and is certified as compliant with PCI DSS v3.2.1 at Service Provider 1

Or simply put, if you want to implement payment processing, CDE (cardholder data environment), etc. you can rely on Azure for the PCI DSS validation and compliance