Part 4 - Compliance solutions Flashcards

1
Q

Describe the Compliance Center

A

The Microsoft 365 compliance center brings together all of the tools and data that are needed to help understand and manage an organization’s compliance needs.

The compliance center is available to customers with a Microsoft 365 SKU who hold one of the following roles:

  1. Global administrator
  2. Compliance administrator
  3. Compliance data administrator

When an admin signs in to the Microsoft 365 compliance center portal, they’ll get a bird’s-eye view of how the organization is meeting its compliance requirements, along with which solutions can be used to help with compliance, information about any active alerts, and more.

The default compliance center home page contains several cards, including:

  1. The Compliance score card
  2. The Solution catalog card
  3. The Active alerts card
2
Q

What is the Compliance score card?

A

This card shows the compliance score and links admins to Compliance Manager, where they can see a breakdown of the score. Compliance score measures progress in completing the recommended improvement actions within controls. The score helps an organization understand its current compliance posture, and helps it prioritize actions based on their potential to reduce risk.

3
Q

What is the Solution catalog card?

A

The Solution catalog card links to collections of integrated solutions used to manage end-to-end compliance scenarios across three compliance solution areas:

  1. Information protection & governance: shows how to use Microsoft 365 compliance solutions to protect and govern data in your organization.
  2. Insider risk management: shows how your organization can identify, analyze, and act on internal risks before they cause harm.
  3. Discovery & response: shows how your organization can quickly find, investigate, and respond to compliance issues using the relevant data.

A solution's capabilities and tools might include a combination of policies, alerts, reports, and more.

4
Q

What is the Active alerts card?

A

The Active alerts card includes a summary of the most active alerts and a link where admins can view more detailed information, such as each alert's severity, status, category, and more.

5
Q

Describe the Microsoft Compliance Manager

A

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center that helps admins manage an organization's compliance requirements with greater ease and convenience. Compliance Manager can help organizations throughout their compliance journey: from taking inventory of data protection risks, to managing the complexities of implementing controls, to staying current with regulations and certifications, to reporting to auditors.

Compliance Manager helps simplify compliance and reduce risk by providing:

  1. Prebuilt assessments based on common regional and industry regulations and standards. Admins can also create custom assessments to cover compliance needs unique to the organization.
  2. Workflow capabilities that enable admins to efficiently complete risk assessments for the organization.
  3. Step-by-step improvement actions that admins can take to help meet the regulations and standards relevant to the organization. Some actions are managed for the organization by Microsoft; admins get implementation details and audit results for those actions.
  4. Compliance score, a calculation that helps an organization understand its overall compliance posture by measuring how it is progressing with improvement actions.
6
Q

What is a control in Compliance Manager?

A

A control is a requirement of a regulation, standard, or policy. It defines how to assess and manage the system configuration, organizational process, and people responsible for meeting that specific requirement.

Compliance Manager tracks the following types of controls:

  1. Microsoft-managed controls: controls for Microsoft cloud services, which Microsoft is responsible for implementing.
  2. Your controls: sometimes referred to as customer-managed controls, these are implemented and managed by the organization.
  3. Shared controls: responsibility for implementing these controls is shared between the organization and Microsoft.

7
Q

What is an assessment in Compliance Manager?

A

An assessment is a grouping of controls from a specific regulation, standard, or policy. Completing the actions within an assessment helps meet the requirements of that standard, regulation, or law. For example, an organization may have an assessment whose actions, once the admin completes all of them, bring the organization's Microsoft 365 settings in line with ISO 27001 requirements.

Assessments have several components:

  1. In-scope services: the specific set of Microsoft services applicable to the assessment.
  2. Microsoft-managed controls: controls for Microsoft cloud services, which Microsoft implements for the organization.
  3. Your controls: these controls, sometimes referred to as customer-managed controls, are implemented and managed by the organization.
  4. Shared controls: responsibility for implementing these controls is shared by the organization and Microsoft.
  5. Assessment score: shows progress toward the total possible points from the actions within the assessment, both those managed by the organization and those managed by Microsoft.
8
Q

What are assessment templates?

A

Compliance Manager provides templates that help admins quickly create assessments. Admins can modify these templates to create an assessment optimized for their needs, or build a custom assessment by creating a template with their own controls and actions. For example, an admin may want a template that covers an internal business process control, or a regional data protection standard that is not covered by one of Microsoft's 150-plus prebuilt assessment templates.

9
Q

What are improvement actions?

A

Improvement actions help centralize compliance activities. Each improvement action provides recommended guidance intended to help the organization align with data protection regulations and standards. Improvement actions can be assigned to users in the organization to carry out the implementation and testing work, and admins can store documentation and notes and record status updates within each improvement action.

10
Q

What is the compliance score?

A

Compliance score measures progress in completing the recommended improvement actions within controls. The score helps an organization understand its current compliance posture, and helps it prioritize actions based on their potential to reduce risk.

11
Q

What is the difference between Compliance Manager and compliance score?

A

Compliance Manager is an end-to-end solution in the Microsoft 365 compliance center that enables admins to manage and track compliance activities. Compliance score is a calculation of the organization's overall compliance posture, and it is available through Compliance Manager.

Compliance Manager gives admins the capabilities to understand and increase their compliance score, so they can improve the organization's compliance posture and help it stay in line with its compliance requirements.

12
Q

How is the compliance score calculated?

A

The overall compliance score is calculated from the scores assigned to actions. Actions come in two types:

  1. Your improvement actions: actions that the organization is expected to manage.
  2. Microsoft actions: actions that Microsoft manages for the organization.

Both action types have points assigned to them that count toward the compliance score. Actions are also classified as technical or nontechnical, which affects how their points contribute to the overall score. In addition, each action's score value depends on whether it is categorized as mandatory or discretionary, and as preventative, detective, or corrective:

  1. Mandatory: actions that cannot be bypassed by users. For example, a centrally enforced policy that sets requirements for password length or expiration.
  2. Discretionary: actions that depend on users understanding and adhering to a policy. For example, a policy requiring users to lock their devices before leaving them unattended.

The following subcategories apply to actions that are classified as either mandatory or discretionary:

  1. Preventative actions are designed to address specific risks before they materialize, such as encrypting data at rest so that it remains protected in the event of a breach or attack.
  2. Detective actions actively monitor systems to identify irregularities that could represent risks, or that can be used to detect breaches or intrusions. Examples are system access audits and regulatory compliance audits.
  3. Corrective actions help admins minimize the adverse effects of security incidents by taking measures that reduce their immediate impact or, where possible, reverse the damage.