
Microsoft Security Community Blog

New NIST CSF and CSA CCM Assessments available in Compliance Manager

jutingying
Microsoft
Jul 24, 2018

Cybersecurity remains a critical management issue in the era of digital transformation. In April, Brad Smith, President and Chief Legal Officer of Microsoft, published a blog post discussing the Cybersecurity Tech Accord and reinforcing the importance of supporting an open, free, and secure Internet. As Brad notes in his post, one of the core principles of the proposed Tech Accord is to empower users, customers, and developers to strengthen their cybersecurity protection.

As part of our work on this principle, we are continuing to build and enhance the Assessments available in Compliance Manager to help organizations implement and verify security controls for their Microsoft cloud tenant.


New available Assessments in Compliance Manager

With the July release of Compliance Manager, we are announcing the availability of new and updated Assessments for Office 365 and Azure:

  • National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) for Office 365: NIST CSF is a set of standards, best practices, and recommendations that can help organizations enhance their cybersecurity at the organizational level. Organizations can follow the customer actions provided in the NIST CSF Assessment to configure and assess their Office 365 environment.
  • Cloud Security Alliance Cloud Controls Matrix (CSA CCM) for Office 365: CSA has defined the Cloud Control Matrix, which provides best practices to help ensure a more secure cloud computing environment. Potential cloud customers can use this Assessment to make informed decisions when transitioning their IT operations to the cloud. Office 365 customers can leverage the recommended customer actions to strengthen their cloud security controls.
  • UK National Health Service (NHS) for Azure: NHS in England provides a single standard that governs the collection, storage, and processing of patient data. Organizations can evaluate Microsoft's internal controls, see how those controls adhere to the NHS requirements, and review their own responsibilities for the controls they must implement.
  • Health Insurance Portability and Accountability Act (HIPAA)/ Health Information Technology for Economic and Clinical Health (HITECH) Act for Office 365: We also added HITECH controls into the HIPAA Assessment.

You can create these new Assessments in Compliance Manager today. To learn about how to add new Assessments, please see the support documentation.


Since we released Compliance Manager in February, many companies have begun using it as part of their overall compliance process. We’d like to share one such story with you. Watch this video and see how the biggest stadium in France uses Compliance Manager to protect confidential data with Microsoft 365:


If you are not familiar with Compliance Manager, you can download this white paper to learn more. We will continue to add Assessments for Microsoft Cloud services, so keep watching the Security, Privacy, and Compliance blog.

Comments

  • jeffw1010
    Copper Contributor

    Hi Tina

    Sorry, next question. Who is, or is there, a Compliance Manager Microsoft internal champion or product owner for Australia? Or is that you, out of Singapore?

  • jeffw1010
    Copper Contributor

    Hi Tina

    Thanks for the quick response.

    1. Re: "stored in the United States on Microsoft Cloud Storage and replicated across Azure regions located in Southeast Asian and West Europe"
    2. Is the replication "automatic", or can we "turn off" certain jurisdictions?
    3. If replication is not discretionary, can you please advise the jurisdictions and geographies in scope?

    Multi Org assessment:

    1. My project requires 25+ orgs to have a logically dedicated version of CM, or an equivalent, for a NIST-based cyber maturity assessment.
    2. The 25 orgs are administratively and operationally independent, and also part of a single legal entity with a single Board.
    3. The assessments are to be completed as stand-alone, independent units.
    4. The key use case is the data analysis/business intelligence and aggregation across the 25 orgs based on a number of views:
      1. risk profile - H, M & L
      2. critical assets
      3. common assets
      4. geographies, compliance & jurisdictions
      5. IT vs OT
      6. supply chain risk profile
      7. year-on-year improvement
      8. cyber budget

    How can I do that with CM, or would I export CM data to Microsoft Reporting Services?

  • Hi jeffw1010 - unfortunately we don't have data residency functionality yet. Data entered and uploaded in Compliance Manager will be stored in the United States on Microsoft Cloud Storage and replicated across Azure regions located in Southeast Asia and West Europe. Microsoft personnel do not have standing access to the data, and we secure data access following industry standards. Please let me know if you have any additional questions.

    Thanks,

    Tina

  • jeffw1010
    Copper Contributor

    Can we customise Compliance Manager?

    I wish to add the Australian ASD E8 Maturity Model.

    https://www.cyber.gov.au/publications/essential-eight-maturity-model