Compliance requirements can be complex to interpret, highly manual, difficult to track and act upon, and costly. Did you know that there are an average of 201 regulatory updates per day from 750 regulatory bodies all over the world[1]? Research shows that 65% of firms ranked “design and implementation of internal processes” as the biggest hurdle to GDPR compliance[2]. We know achieving organizational compliance can be very challenging. It is hard to stay up to date with all the regulations that matter to your organization, and to define and implement controls with limited in-house capability.
Today, we are pleased to announce a new compliance solution to help your organization meet data protection and regulatory standards more easily when using Microsoft cloud services – Compliance Manager will enable you to manage your compliance from one place. You can sign up for the preview program today.
Compliance Manager helps you with 3 key aspects:
- Enables you to perform real-time risk assessment on Microsoft cloud services
- Provides actionable insights to improve your data protection capabilities
- Simplifies compliance processes through built-in control management and audit-ready reporting tools
Real-time Risk Assessment: Compliance Manager provides a summarized dashboard showing your compliance posture against the data protection regulatory requirements that matter to you when using Microsoft cloud services. In each control framework, you can get a compliance score that reflects your real-time compliance posture and helps you to make real-time risk assessments.
Actionable Insights: You get rich insights into both Microsoft's and your own responsibilities for meeting compliance standards. For each Microsoft-managed control, you can see the control implementation and testing details, test date and results. For the controls you manage, you receive recommended actions with step-by-step guidance for implementation and testing. This helps you understand how to use Microsoft cloud features to efficiently implement the controls you are responsible for.
Simplified Compliance: Compliance Manager also simplifies your compliance process by providing a control management tool for assigning tasks and collaborating across teams more efficiently. You can generate audit-ready reports with evidence in a few clicks, reducing the need to manually collect information across multiple teams. This helps compliance, security and privacy officers, and risk assessors perform proactive pre-assessments and get ready for audits.
Compliance Manager will be available for public preview in November 2017. To get notification when the public preview is available, sign up for the preview program here.
Check out this video to learn more about how Microsoft can help you with GDPR compliance.
***Update on Feb 22nd 2018: Compliance Manager is now generally available for Azure, Dynamics 365, and Office 365 Business and Enterprise subscribers in public clouds. Learn more about the official product launch here.***
Frequently Asked Questions
1. Which cloud services are covered by the Compliance Manager?
For the preview program, Compliance Manager will cover Office 365.
We plan to cover Office 365, Dynamics 365 and Azure when Compliance Manager is released. As we continue to grow our cloud services, we will expand the scope of the dashboard to include them as well. Compliance Manager will not yet be available in Microsoft's separate clouds for China, Germany, Azure Government/GCC High and DoD.
2. Does showing a compliance score in Compliance Manager indicate that Microsoft is a compliance expert?
The compliance score does not express an absolute measure of how compliant you are. It expresses the extent to which you have implemented controls, which can support data protection and compliance. No service can guarantee that you will be fully compliant, and the “compliance score” should not be interpreted as a guarantee in any way.
3. What compliance offerings, in terms of regulations, come with the Compliance Manager?
We plan to cover the GDPR, NIST 800-53, ISO 27001, and ISO 27018 standards when Compliance Manager is released.
4. Will I be able to use it for on-premises services?
The current version of the dashboard will focus on tracking, implementing, and monitoring data protection and compliance on Microsoft cloud services.
5. How is the compliance score calculated?
The compliance score is based on the operating effectiveness of Microsoft-managed controls and the customer controls you manage. Different controls carry different levels of risk, so we assign a weight to each control based on the risk that its failure would create. For example, if a control around providing information security awareness training is not fulfilled, it creates a risk to your data protection and compliance goals. However, that risk is not as great as the risk created when your logical access control fails. Therefore, logical access controls carry larger weights in the compliance score calculation than controls like security awareness training, and failing them has a bigger impact on the score. The end goal of providing you with a score is to help you with your risk management decisions.
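To make the risk-weighted idea concrete, here is an added illustrative model (not Compliance Manager's own code or weights): each control carries a weight by risk level, earns its full weight only when implemented and tested, and the score is the percentage of weighted points earned. The risk weights, control identifiers and statuses below are assumptions constructed for the example; the page does not publish the real values.

```python
from dataclasses import dataclass, replace

# Assumed risk weights for this example; the page states only that higher-risk
# controls carry more weight, not the actual values Compliance Manager uses.
RISK_WEIGHT = {"low": 1, "medium": 3, "high": 9}


@dataclass(frozen=True)
class Control:
    control_id: str
    owner: str          # "microsoft" (Microsoft-managed) or "customer" (managed by you)
    risk: str           # key into RISK_WEIGHT
    implemented: bool
    tested: bool


def control_points(control):
    """A control earns its full weight only when implemented and tested; otherwise 0."""
    return RISK_WEIGHT[control.risk] if (control.implemented and control.tested) else 0


def compliance_score(controls):
    """Risk-weighted percentage of the available points actually earned."""
    available = sum(RISK_WEIGHT[c.risk] for c in controls)
    earned = sum(control_points(c) for c in controls)
    return round(100 * earned / available, 1) if available else 0.0


def score_by_owner(controls):
    """Separate scores for Microsoft-managed and customer-managed controls."""
    return {owner: compliance_score([c for c in controls if c.owner == owner])
            for owner in ("microsoft", "customer")}


def score_if_failed(controls, control_id):
    """Score after one control is marked as failed (no longer implemented)."""
    adjusted = [replace(c, implemented=False) if c.control_id == control_id else c
                for c in controls]
    return compliance_score(adjusted)


# Constructed sample control set (identifiers and statuses are illustrative only).
SAMPLE_CONTROLS = [
    Control("MS-1", "microsoft", "high", True, True),      # encryption of data at rest
    Control("MS-2", "microsoft", "medium", True, True),    # vulnerability management
    Control("CUST-1", "customer", "low", True, True),      # security awareness training
    Control("CUST-2", "customer", "high", True, True),     # logical access control (MFA)
    Control("CUST-3", "customer", "medium", False, False), # data retention policy, not done
]

if __name__ == "__main__":
    print("overall score:", compliance_score(SAMPLE_CONTROLS))                       # 88.0
    print("awareness training fails:", score_if_failed(SAMPLE_CONTROLS, "CUST-1"))   # 84.0
    print("logical access fails:", score_if_failed(SAMPLE_CONTROLS, "CUST-2"))       # 52.0
```

Failing the low-risk awareness-training control costs 4 points, while failing the high-risk logical access control costs 36, which is the asymmetry the FAQ describes.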
6. How does the “Compliance Score” differ from “Secure Score”?
Secure Score is a security analytics tool that helps organizations better understand their security posture in Office 365, while the compliance score provides a broader view of an organization’s data protection and compliance posture across Microsoft cloud services: Azure, Dynamics 365, and Office 365. The two are related in that the compliance score is calculated across a large superset of data protection and compliance controls, whereas Secure Score focuses on a subset of configurable security controls.
7. Does a high or perfect score mean that I am fully compliant?
The score does not express an absolute measure of how compliant you are. It helps you understand whether you have successfully implemented your controls and whether Microsoft-managed controls are compliant. Beyond the contribution of Microsoft-managed controls to the score, a high score indicates that you have implemented more controls and have verified that the implementation is successful. This supports your goal of staying on track to be compliant.
8. If there are changes in regulations and/or regulatory requirements, do I get an alert, and is it reflected in my score?
If changes in regulations necessitate changes to the controls that support those regulations, we will update those controls and send you a notification if you have subscribed to alerts for Compliance Manager. Any change in the status of Microsoft-managed controls will be reflected in your overall compliance score within 24 hours. Any change in the status of controls managed by you will be reflected in your overall compliance score in real time.
9. How do I get the Compliance Manager preview?
Microsoft 365, Azure, and Dynamics 365 users (including trial users) will have access to the public preview version in November 2017. To get a notification when it's available, you can sign up for the preview program here.
10. How much does it cost?
As of now, the Compliance Manager preview itself will be free for Microsoft 365, Azure, and Dynamics 365 users. We are still assessing the nature of the final licensing and will provide more information closer to general availability in 2018.
*Compliance Manager Preview is a dashboard that provides a summary of your data protection and compliance posture and recommendations to improve data protection and compliance. These are recommendations; it is up to you to evaluate their effectiveness in your regulatory environment prior to implementation. Recommendations from Compliance Manager Preview should not be interpreted as a guarantee of compliance.
[1] Thomson Reuters – Cost of Compliance 2017
[2] http://resources.compuware.com/research-improved-gdpr-readiness-businesses-still-at-risk-of-non-compliance