With increasing global, regional, and industrial regulations, organizations need more help than ever to make sure they are compliant with all relevant standards. Research shows there are over 250 daily updates to global regulations and 1 in 4 organizations do not know which data regulations apply to them. More than 90% of Microsoft’s enterprise customers have a multi-cloud strategy and they are struggling to keep up with the constantly changing regulatory landscape, especially with data stored across a hybrid environment.
To help customers simplify their compliance efforts and reduce risks, we introduced Microsoft Compliance Manager. We are keeping customers’ multi-cloud strategy front and center in our innovations in Compliance Manager and are excited to share all the work we have been doing the last few months to enable customers to assess compliance for their non-Microsoft 365 workloads.
Extending compliance beyond Microsoft 365
Azure and Dynamics 365 regulatory templates within Compliance Manager:
Earlier this year, we announced universal assessment templates in Compliance Manager that allow customers to map non-Microsoft regulatory assessments to any product or service in their environment. Today, we are very excited to announce that Compliance Manager now includes Azure and Dynamics 365 assessment templates, helping you track compliance for your Microsoft cloud from a single place. Starting this week customers will be able to create Azure and Dynamics 365 assessments (in preview) for ISO 27001, NIT 800-53, SOC2, and FedRAMP (Moderate and High).
Figure1: Azure and Dynamics 365 templates (in preview) in Compliance Manager
Compliance Manager as a platform:
With Compliance Manager and its universal templates, we are enabling customers and partners to extend compliance management capabilities to non-Microsoft environments. Our partners such as Protiviti and BDO are helping customers by building value-added scenarios on Compliance Manager:
Protiviti’s compliance quick start guide helps customers jump-start their compliance journey using the Microsoft 365 compliance solutions and provides recommendations for deployment and configuration of their Microsoft 365 environment while using Microsoft Compliance Manager to govern risk and compliance.
“Protiviti has extensive experience and a proven history in the IT Security, Risk, and Compliance space. We are leveraging Microsoft’s Compliance Manager platform to expand its value beyond Microsoft 365 by extending custom templates to assist customers with challenging compliance-related issues covering non-Microsoft 365 assets such as End User Developed Applications (EUDAs). This is in addition to a set of workshops and managed service solutions to help customers with Microsoft Compliance Manager, wherever customers are in their compliance journey”, said Natalie Fedyuk, Managing Director, Protiviti
BDO Digital’s Compliance Assessment leverages Microsoft 365 deployments to help customers demonstrate their compliance across several regulations, implement controls to reduce their compliance risks, and utilize tooling and best practices to implement effective compliance processes.
“This offering will provide clients with significant value due to its ability to rapidly demonstrate where the compliance risk exists within an organization and the strategies to build a sustainable compliance program,” said Pierre Taillefer, BDO Canada Partner, National Risk Advisory Leader.
Additional capabilities in Compliance Manager
In addition to the extensibility capabilities mentioned above, we are also continuing to make updates within Compliance Manager to help you better meet your compliance requirements.
Data Protection Baseline template includes zero trust controls:
At Microsoft, we embrace a strategy of Zero Trust. This is not only the practice of protecting against outside-in threats, but also protecting from the inside out. To help customers embrace a Zero Trust approach, Compliance Manager’s data protection baseline assessment now includes Zero trust control families. These control families map to existing and additional improvement actions, making it easy to assess, monitor, and improve compliance with our Zero Trust principles and recommendations. Customers can use the data protection baseline to implement actions that can enable them to follow a Zero Trust strategy by leveraging the improvement actions in the newly added Zero Trust control families that map to Zero Trust defense areas of Apps, Data, Endpoint, Identity, Infrastructure, and Network.
Figure 2: Data protection baseline for Microsoft 365 with Zero Trust control families
New Privacy regulatory assessments and control mapping:
Staying ahead of data privacy regulations and understanding the technical actions needed to address compliance can be daunting. Nearly 66% of countries have data protection and privacy legislation and 26 U.S. states have proposed their own privacy measures so far in 2021. To help, Compliance Manager has more than 200 regulatory assessment templates covering global, industrial, and regional Data Protection and Privacy regulations, making it easier for customers to interpret, and assess and improve their compliance with regulatory requirements.
Compliance Manager now includes three additional Privacy specific assessment templates for Colorado Privacy Act, Virginia Consumer Data Protection Act (CDPA), and Egypt Privacy law. We will continue to add new assessments as more laws are enacted. Additionally, we have mapped privacy-specific controls across these assessment templates to our recently announced Privacy Management for Microsoft 365 solution to help you scale your compliance efforts.
Figure 3: Privacy Management improvement action items in Compliance Manager
Compliance Trial We are happy to share that there is now an easier way for you to try Microsoft compliance solutions directly in the Compliance Admin Center. By enabling the trial in the Compliance center, you can quickly start using all capabilities of Microsoft Compliance, including Insider Risk Management, Records Management, Advanced Audit, Advanced eDiscovery, Communication Compliance, Microsoft Information Protection, Data Loss Prevention, and Compliance Manager. This trial is currently rolling out to tenants worldwide and you can learn more about it here.