New NIST CSF and CSA CCM Assessments available in Compliance Manager
Published Jul 24 2018 02:00 PM

Cybersecurity remains a critical management issue in the era of digital transformation. In April, Brad Smith, President and Chief Legal Officer of Microsoft, published a blog post discussing the Cybersecurity Tech Accord and reinforcing the importance of supporting an open, free, and secure Internet. As Brad notes in his post, one of the core principles of the proposed Tech Accord is to empower users, customers, and developers to strengthen cybersecurity protection.

As part of our work on this principle, we are continuing to build and enhance the Assessments available in Compliance Manager to help organizations implement and verify security controls for their Microsoft cloud tenant.

 

New Assessments available in Compliance Manager

With the July release of Compliance Manager, we are announcing the availability of new and updated Assessments for Office 365 and Azure:

  • National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) for Office 365: NIST CSF is a set of standards, best practices, and recommendations that help organizations strengthen their cybersecurity at the organizational level. Organizations can follow the customer actions provided in the NIST CSF Assessment to configure and assess their Office 365 environment.
  • Cloud Security Alliance Cloud Controls Matrix (CSA CCM) for Office 365: CSA's Cloud Controls Matrix provides best practices to help ensure a more secure cloud computing environment. Prospective cloud customers can use this Assessment to make informed decisions when transitioning their IT operations to the cloud, and Office 365 customers can use the recommended customer actions to strengthen their cloud security controls.
  • UK National Health Service (NHS) for Azure: The NHS in England provides a single standard that governs the collection, storage, and processing of patient data. Organizations can evaluate Microsoft's internal controls, see how they meet the requirements, and review their own responsibilities for controls.
  • Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health (HITECH) Act for Office 365: We have also added HITECH controls to the HIPAA Assessment.

You can create these new Assessments in Compliance Manager today. To learn how to add new Assessments, see the support documentation.

 

Since we released Compliance Manager in February, many companies have begun using it as part of their overall compliance process. We’d like to share one such story with you. Watch this video and see how the biggest stadium in France uses Compliance Manager to protect confidential data with Microsoft 365:

 

 

If you are not familiar with Compliance Manager, you can download this white paper to learn more. We will continue to add Assessments for Microsoft Cloud services, so keep watching the Security, Privacy, and Compliance blog.

13 Comments
Deleted
Not applicable

Hi

 

I don't see the CSA or CIS controls when I log in. Are they available yet?

Hi @Deleted - you can follow the instructions to add the CSA CCM assessment for Office 365. Let me know if you have any questions! Thanks!

Copper Contributor

Thanks for the help.

 

Currently for O365; when for Azure?

 

And when will CIS be available?

 

thanks

Hi @jeff warren - We don't have an ETA to share for the Azure or CIS assessments yet. However, we will have some new announcements early next year that might help with your needs in these areas. Stay tuned! Thank you.

Copper Contributor

Hi

 

Any update on availability of the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) Assessment for Azure?

 

Looks like it's available for Office 365, but not yet for Azure.

Deleted
Not applicable

Hi

I came across this in a recent search:
and the third party product is located at:
 
My question is then: is the road map for MSFT CM based on an incremental release of the Common Controls Hub product?
Is MSFT customising it to some extent or just filtering out non-specific MSFT content?
 
Wouldn't it be easier if MSFT published and maintained Microsoft specific content, made available free, and allowed the user to import into CCH and then we can choose the free or paid for CCH versions and extend to relevant frameworks?

Hi @AwieNel - we don't have an estimated time for the Azure CSA CCM assessment yet, but I did send this feedback to the product team. Thank you for letting us know.

 

Hi @Deleted - while the CCH provides the control mapping, Compliance Manager provides more than just the mapping: the detailed information for each control, including how Microsoft implemented and tested controls and the recommended actions for organizations to implement their own controls. You can easily track control progress and leverage the workflow in Compliance Manager as well. CM is our focus product to help organizations perform risk assessments on Microsoft Cloud, and it's included in all commercial subscription plans, so as long as you have an AAD account, you can access it without paying additional cost. Hope this is helpful, and please feel free to send me a message/email if you want to learn more about CM vs. CCH. Thank you.

Copper Contributor
Can we customise Compliance Manager?
 
I wish to add the Australian ASD E8 Maturity Model.
 

Hi @jeffw1010 - Yes! You can add your own templates in Compliance Manager now. You can find the supporting document for guidance here: https://docs.microsoft.com/en-us/office365/securitycompliance/working-with-compliance-manager#templa...

Please let us know if you have any feedback. 

 

Thanks,

Tina

Copper Contributor

Can the data be hosted in AU?

 

Thanks 

 

Hi @jeffw1010 - unfortunately we don't have data residency functionality yet. Data entered and uploaded in Compliance Manager is stored in the United States on Microsoft Cloud Storage and replicated across Azure regions located in Southeast Asia and West Europe. Microsoft personnel do not have standing access to the data, and we secure data access following industry standards. Please let me know if you have any additional questions.

 

Thanks,

Tina

Copper Contributor

Hi Tina

 

Thanks for the quick response.

  1. Re: "stored in the United States on Microsoft Cloud Storage and replicated across Azure regions located in Southeast Asia and West Europe"
  2. Is the replication "automatic" or can we "turn off" certain jurisdictions?
  3. If replication is not discretionary, can you please advise the jurisdictions and geographies in scope?

Multi Org assessment:

  1. My project requires 25+ orgs to have a logically dedicated version of CM or an equivalent for a NIST-based cyber maturity assessment.
  2. The 25 orgs are administratively and operationally independent and also part of a single legal entity with a single Board.
  3. The assessments are to be completed as stand-alone independent units.
  4. The key use case is the data analysis/business intelligence and aggregation across the 25 orgs based on a number of views:
    1. risk profile - H, M & L
    2. critical assets
    3. common assets
    4. geographies, compliance & jurisdictions
    5. IT vs OT
    6. supply chain risk profile
    7. year on year improvement
    8. cyber budget

How can I do that with CM, or would I export CM data to Microsoft reporting services?

Copper Contributor

hi Tina

 

Sorry, next question. Who is or is there a Compliance Manager Microsoft internal champion or product owner for Australia? Or is that you out of Singapore?

Version history
Last update: May 11 2021 03:15 PM