Blog Series
Part 1 - Microsoft Purview - Compliance Score (Part 1) - Overview
Part 2 - Microsoft Purview - Compliance Score (Part 2) - Sample Assessment Scoring
Part 3 - Microsoft Purview - Compliance Score (Part 3) - HITRUST
Part 4 - Microsoft Purview - Compliance Score (Part 4) - HIPAA / HITECH
Part 5 - Microsoft Purview - Compliance Score (Part 5) - GDPR
Part 6 - Microsoft Purview - Compliance Score (Part 6) - CCPA
Part 7 - Microsoft Purview - Compliance Score (Part 7) - Data Protection Baseline
Part 8 - Microsoft Purview - Compliance Score (Part 8) - ARMA GARP
Part 9 - Microsoft Purview - Compliance Score (Part 9) - NIST Privacy Framework
Part 10 - Microsoft Purview - Compliance Score (Part 10) - ISO 15489
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.
All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.
This blog series is aimed at Security and Compliance officers who need to understand how the Microsoft Purview Compliance Manager assessments can help them meet their regulatory and certification needs.
This document will be covering:
This document does not cover any other aspect of Microsoft E5 Purview, including:
For details on licensing (i.e., which components and functions of Purview are in E3 vs. E5) you will need to contact your Microsoft Security Specialist, Account Manager, or certified partner.
We will not be walking through the HITRUST assessment step-by-step. For more information on running an assessment in Compliance Manager, you should reference the corresponding documentation listed in the Appendix and Links section below. You can also find a blog series covering how to do this and how to run other Purview functions at the following link:
Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community
We will be walking through:
Using Compliance Manager assessments to meet government regulations or industry certifications.
None
You should have a basic understanding of Compliance Manager and how it works. You can find this information in the blog named “Paint By Numbers” and the official Microsoft documentation found at docs.microsoft.com. You can find links to these in the section below labeled Appendix and Links.
This blog will review specific Microsoft Compliance Manager Assessments and how they relate to Microsoft Purview solutions. Here is a list of the specific assessments:
This is not meant to be an exhaustive list as there are 700+ assessments in Compliance Manager as of the writing of this blog.
Here is the official answer as listed in docs.microsoft.com:
“Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal that helps you manage your organization’s compliance requirements with greater ease and convenience. Compliance Manager can help you throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.”
Each assessment in Microsoft Purview Compliance Manager tracks all the regulatory/certification requirements relative to your Microsoft 365/Office 365 environment. Here is a visualization of how this scanning and tracking works.
Here is the official definition as found in docs.microsoft.com. The URL can be found in the Appendix and Links section below.
“Compliance Manager awards you points for completing improvement actions taken to comply with a regulation, standard, or policy, and combines those points into an overall compliance score. Each action has a different impact on your score depending on the potential risks involved. Your compliance score can help prioritize which action to focus on to improve your overall compliance posture.
Compliance Manager gives you an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance.”
Built into Compliance Manager is a way to review which Microsoft Solutions will be applicable to each certification/regulation along with the Compliance Score that each of these solutions will bring to your organization.
Compliance Manager keeps track of both 1) the organization's responsibilities (i.e., your organization) and 2) Microsoft’s responsibilities, as they pertain to each assessment, and then maps a score to those responsibilities.
Here is an example of where you would find both of these scores in a Compliance Manager assessment that I have already run.
Before finishing this overview, I want to thank the members of the Microsoft Health Life Sciences Purview Technical Specialist team (HLS Purview TS) for their assistance in creating, researching and developing this blog series. This includes, but is not limited to: Erfan Setork, Ken Sicinski, and Chad Lightfoot.
Microsoft Purview Compliance Manager - Microsoft Purview (compliance) | Microsoft Docs
Compliance score calculation - Microsoft Purview (compliance) | Microsoft Learn
Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community
Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such. Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.