Microsoft Tech Community
Manage compliance from one place beyond Microsoft Cloud with Compliance Manager
Published Apr 30 2019 08:55 AM

Many compliance professionals and risk assessors use manual processes to record and track their day-to-day work. This is time-consuming and labor-intensive, and it inhibits efficient collaboration, especially across teams. Research shows that around 40% of companies spend more than 4 hours a week creating and amending reports[i]. This leaves compliance professionals, risk assessors and privacy professionals with less time to spend on strategic activities. The right tools can help these professionals simplify compliance management processes and increase efficiency and productivity.

 

Since we announced the general availability of Compliance Manager last year, a lot of you asked for the ability to create your own assessments for applications or regulations that weren’t already covered in Compliance Manager. Many of you also asked for automation and integration with other Microsoft solutions.

 

To address that feedback, we are thrilled to announce the public preview of the new Compliance Manager experience, which includes the following enhancements:

 

Custom assessment: You can build and import templates that enable you to create assessments for any application or service (including on-premises and non-Microsoft apps and services) against any regulation or standard. You can also customize built-in assessments by adding your own controls and actions. This enables you to use Compliance Manager as your centralized compliance management tool to collaborate with stakeholders, collect evidence and prepare for audit reports in a secure and compliant cloud environment.

 

Add new templates of risk assessments in Compliance Manager for non-Microsoft apps.

Automatically assess security-oriented controls: Compliance Manager works with Microsoft Secure Score to detect changes to your tenant configuration and automatically record the implementation of security controls once you enable the “continuous Secure Score update” in settings. For example, after you configure multi-factor authentication for admins in your tenant, your Compliance Score and your Secure Score will both increase accordingly. Compliance Manager automatically reflects the updated status and records activity logs. This feature represents our first step toward automated control assessments that enhance the credibility of control testing.

 

Multi-factor authentication control is updated automatically via the signals from Secure Score.

Action-based experience: Compliance Manager includes a new action pivot that streamlines the required and recommended activities by allowing you to focus on the necessary tasks instead of each control. This sets the foundation for us to build deeper integration between technical requirements and security and compliance solutions.

 

With these new features, you can manage compliance from one place beyond Microsoft Cloud, reduce the burden of relying on manual processes, and increase your productivity to focus more on the strategic tasks.

 

Access the new Compliance Manager features in the public preview that is available on the Service Trust Portal today. The new features are available for all commercial plans as an additional value. We would love to hear what you think of the new features during the public preview period. You can learn more about Compliance Manager and how to use the new features in this supporting document.

 

Frequently Asked Questions

How long will Microsoft keep the data in the previous version of Compliance Manager?

We plan to keep the data in the previous version of Compliance Manager for at least 12 months from general availability of the new experience, to allow organizations to migrate their assessments into the new experience.

 

What do organizations need to do before using the new features?

Organizations need to assign permission roles before turning on the “continuous update from Secure Score”, so that only people with the appropriate permissions can see tenant-specific information such as the status of the security-oriented controls (see these instructions).

 

How often does Compliance Manager receive updates from Secure Score?

Once you turn on continuous updates from Secure Score, Compliance Manager receives the signal from Secure Score every 24 hours.

 

Why do organizations need to turn on continuous updates from Secure Score for each action, rather than with a one-time configuration for the whole tenant?

We will introduce a tenant-wide switch to turn “continuous updates from Secure Score” on and off when the new experience reaches general availability.

 

We provide granular control on a per-action basis for cases where you use third-party tools to implement controls and want to mark those controls as “alternative implementation” rather than have them overwritten by the Secure Score signal.

 

What are other changes made for Microsoft Compliance Score in the new experience?

In the new experience, you will find that Microsoft Compliance Score is presented as a percentage instead of a raw number. Additionally, we now count only the score from customer-managed actions, excluding Microsoft-managed actions. The denominator of the percentage is therefore the total score you can get from all customer-managed actions, and the numerator is the accumulated score from the actions you have implemented and marked as passed in the test results.

 

We made the changes to align the presentation of Microsoft Compliance Score with Secure Score, so organizations can interpret both scores in a similar way.

 

Which cloud services are covered by the new Compliance Manager experience?

You can find the list of cloud services and the regulations/standards covered listed below:

  • Office 365: FedRAMP Moderate, NIST 800-53, NIST 800-171, ISO 27001, ISO 27018, FFIEC, HIPAA, NIST CSF, CSA CCM
  • Intune: FFIEC

We are working on adding a GDPR assessment in the next few weeks.

Note that coverage of regulations and standards in Compliance Manager varies by product. We will keep adding and updating this information in the future, and our goal is to provide a similar Compliance Manager experience for all Microsoft Cloud services. Please keep providing feedback on the areas where you see strong customer demand, so we can pass it to the product team for prioritization.

 

What licenses do I need to access Compliance Manager?

Compliance Manager is an additional value within Office 365 for all Business and Enterprise customers in public clouds. GCC customers can access Compliance Manager; however, they should evaluate whether to use the document upload feature of Compliance Manager, as the storage for document upload is compliant with Office 365 Tier C only. Compliance Manager is not yet available in sovereign clouds, including DoD, Office 365 operated by 21Vianet, and Office 365 Germany.

 

[i] Thomson Reuters – Cost of Compliance 2018

 

3 Comments
Iron Contributor

Thanks Tina. Did you release the GDPR assessment during May as signaled above? 

Iron Contributor

Tina, in the first screenshot, the 2018 Office on-prem Assessment has a score of 11%. The customer managed controls show as 0 out of 48 being completed. Where does the 11% come from please? Similar for the 2018 Box Assessment US one - 0 out of 38, but an assessment score of 8%. Are those two parts linked, or completely separate? Trying to understand ... thanks!

Hi @Michael Sampson 

Sorry for the late response. We are working on adding GDPR and you should be able to find it in the next 1-2 months. Will update here when it's published. 

 

To answer your second question, each control is composed of several actions. Organizations need to complete all the actions in the control to get the update in the "customer-managed control" bar. However, once you complete an action, you get the "action score" for that assessment right away.

 

There are some common actions between assessments. E.g. when you complete an action like turning on MFA in ISO 27001, you might satisfy one of the actions in other controls in other assessments like NIST 800-53 and NIST CSF. Therefore, you would see some assessments with 0 control completed, but they have some common actions completed when you assessed other standards. The score of those actions will be reflected in the assessments. 

 

Let me know if it helps.

 

Thanks,

Tina
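The scoring rules stated in the FAQ ("What are other changes made for Microsoft Compliance Score") and in the reply above can be hard to picture from prose alone. The Python model below is an added illustration, not Microsoft's code and not how Compliance Manager is implemented. It encodes only what the post states: score accrues per action, a control is complete only when all of its actions are passed, the same action (the post's own example is MFA for admins) can belong to controls in several assessments, only customer-managed actions enter the percentage, and the Secure Score signal is opted into per action and does not override an "alternative implementation". The action names, point values and the mapping of actions to controls are constructed for the demonstration; the numbers in the output are therefore not Compliance Manager's real numbers.

```python
"""Illustrative model of Compliance Manager scoring (added example, not Microsoft's code).

Constructed for this demonstration: action names, point values, control names and the
mapping of actions to controls. Modelled from the post: per-action scoring, control
completion requiring every action, actions shared across assessments, customer-managed
actions only, and per-action opt-in to the Secure Score signal.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    action_id: str
    points: int                 # assumed weights; the post gives no values
    customer_managed: bool = True


@dataclass(frozen=True)
class Control:
    name: str
    actions: tuple              # one Action object may appear in many controls


@dataclass(frozen=True)
class Assessment:
    name: str
    controls: tuple


# Constructed catalog. ENCRYPT_AT_REST stands in for a Microsoft-managed action.
MFA_ADMINS = Action("MFA_ADMINS", 10)
MFA_USERS = Action("MFA_USERS", 10)
AUDIT_LOG = Action("AUDIT_LOG", 5)
DLP_POLICY = Action("DLP_POLICY", 8)
ENCRYPT_AT_REST = Action("ENCRYPT_AT_REST", 20, customer_managed=False)

ISO_27001 = Assessment("ISO 27001", (
    Control("Secure log-on", (MFA_ADMINS, MFA_USERS)),
    Control("Event logging", (AUDIT_LOG,)),
    Control("Encryption at rest", (ENCRYPT_AT_REST,)),
))
NIST_800_53 = Assessment("NIST 800-53", (
    Control("Identification and authentication", (MFA_ADMINS, MFA_USERS)),
    Control("Audit events", (AUDIT_LOG,)),
    Control("Information flow enforcement", (DLP_POLICY,)),
))


class Tenant:
    """Tenant-wide state: passed actions and per-action opt-in to Secure Score updates."""

    def __init__(self):
        self.passed = set()             # action_ids whose test result is "passed"
        self.alternative = set()        # action_ids marked "alternative implementation"
        self.continuous_update = set()  # action_ids opted in to the Secure Score signal

    def mark_passed(self, action_id):
        self.passed.add(action_id)

    def mark_alternative(self, action_id):
        # Implemented with a non-Microsoft tool: counts as passed, never overwritten.
        self.alternative.add(action_id)
        self.passed.add(action_id)

    def apply_secure_score_signal(self, signal):
        """signal: {action_id: implemented?} as delivered by the daily Secure Score refresh.
        Only opted-in actions are touched, and "alternative implementation" wins."""
        for action_id, implemented in signal.items():
            if action_id not in self.continuous_update or action_id in self.alternative:
                continue
            if implemented:
                self.passed.add(action_id)
            else:
                self.passed.discard(action_id)


def customer_controls(assessment):
    return [c for c in assessment.controls if any(a.customer_managed for a in c.actions)]


def controls_complete(assessment, tenant):
    """(complete, total) over customer-managed controls; complete = every action passed."""
    ctrls = customer_controls(assessment)
    done = sum(1 for c in ctrls if all(a.action_id in tenant.passed for a in c.actions))
    return done, len(ctrls)


def compliance_score(assessment, tenant):
    """Percentage of customer-managed action points that are passed. An action referenced
    by several controls of one assessment is counted once (an assumption of this model)."""
    actions = {a.action_id: a for c in assessment.controls for a in c.actions if a.customer_managed}
    total = sum(a.points for a in actions.values())
    earned = sum(a.points for a in actions.values() if a.action_id in tenant.passed)
    return round(100.0 * earned / total, 1) if total else 0.0


def walkthrough():
    """Reproduce the '0 controls complete but non-zero score' case from the comments."""
    t = Tenant()
    t.continuous_update.add("MFA_ADMINS")
    # MFA_USERS is not opted in, so its signal is ignored.
    t.apply_secure_score_signal({"MFA_ADMINS": True, "MFA_USERS": False})
    before = {a.name: (controls_complete(a, t), compliance_score(a, t)) for a in (ISO_27001, NIST_800_53)}
    t.mark_passed("AUDIT_LOG")  # done in ISO 27001; NIST 800-53 picks it up too
    after = {a.name: (controls_complete(a, t), compliance_score(a, t)) for a in (ISO_27001, NIST_800_53)}
    return before, after


if __name__ == "__main__":
    for label, snapshot in zip(("after MFA for admins", "after audit logging"), walkthrough()):
        print(label)
        for name, ((done, total), pct) in snapshot.items():
            print(f"  {name}: {done}/{total} controls complete, score {pct}%")
```

After the Secure Score signal reports MFA for admins, both assessments still show 0 controls complete (the log-on controls also need MFA for users) while the score is already non-zero, which is the situation asked about in the comment. Passing the audit logging action in one assessment completes a control in both, because the action is shared.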

 

Version history
Last update:
‎May 11 2021 02:00 PM