Blog written by:
Chris Ang
SharePoint Architect
CCNA, MCPD, MCTS, A+

Intro

Organizations constantly have to upgrade their security policies to protect their data and assets. Proving compliance is one of the most challenging tasks the IT administrators and managers come face to face with time and again. Decision makers need insight into the security protocols in place and instant alerts in case of threats. Whether it’s the company’s physical data center or information stored in the cloud, data governance and compliance have become topmost priorities for managements across organizations.

Office 365’s Built-in Security and Compliance Center

With the Office 365 Security and Compliance Center, IT administrators can quickly and easily set up policies and enable services across Office 365, Exchange Online and SharePoint Online. Users can manage archiving, eDiscovery, auditing, retention and deletion policies in Exchange Online and SharePoint Online.

You can also assign permissions to compliance managers in the organization so they can access some of the compliance features in the Security and Compliance Center.

(Source: https://technet.microsoft.com/en-us/library/dn532171.aspx )

The integrated Office 365 compliance solutions help you manage organization data, comply with legal and regulatory requirements and monitor actions taken on your data. Microsoft has several certifications to make the Office 365 compliance framework on a par with global, regional and industry standards.

In-Focus : Microsoft Security Certifications

Microsoft Office 365 has independent verification to show it meets the requirements specified in ISO 27001, European Union (EU) Model Clauses, the Health Insurance Portability and Accountability Act Business Associate Agreement (HIPAA BAA), and the Federal Information Security Management Act (FISMA). Office 365 offers various certifications and attestations to help organizations comply with local regulations across geographies and industries.

Let’s look at some of the certifications that Microsoft has that allow organizations and companies to host their data:

1. Argentina PDPA—Microsoft Azure, Microsoft Dynamics CRM online and Office 365 have implemented the security measures in the Argentina Personal Data Protection Act.
2. CSA-CCM—This is the certification for the Microsoft Cloud Security Alliance (CSA) and Cloud Controls Matrix (CCM), and it details how Microsoft cloud services fulfill the security, privacy, compliance and risk management requirements defined in CSA CCM version 3.0.1. The CSA is a nonprofit organization consisting of corporations and important stakeholders who dedicate themselves to defining best practices for a secure cloud computing environment. They help customers make informed decisions when transitioning their IT operations to the cloud.
3. CS Mark (Gold)—This is the first security standard for cloud service providers in Japan. Microsoft achieved a CS Gold Mark for all three service classifications: Microsoft Azure for IaaS and PaaS, and Office 365 for SaaS. The Japan Information Security Audit Association (JASA), a non-profit organization established by the government to strengthen information security in Japan CS Gold Mark, accredits this. A CS Gold Mark means that in-scope services can host important government data.
4. DISA—The Defense Information Systems Agency (DISA) Cloud Service Support has granted a DISA Impact Level 2 Provisional Authorization to Microsoft Azure, Azure Government, Office 365 MT, and Office 365 U.S Government, based on the Federal Risk and Authorization Management Program (FedRAMP). DISA is the combat support agency of the US Department of Defense (DoD) and is responsible for defining the baseline security requirements for cloud service providers (CSPs) that host DoD information, systems and applications, and for DoD’s use of cloud services. The DISA certification helps DoD agencies and supporting organizations to use cloud services without having to go through a full approval process on its own, saving time and effort.
5. ENISA IAF—The European Network and Information Security Agency (ENISA) Information Assurance Framework (IAF) requirements are mapped to Microsoft cloud services through the CSA CCM. You can refer to the CSA CCM response version 3.0.1.
6. EU Model Clauses—Microsoft offers European Union (EU) Standard Contractual Clauses that provide contractual guarantees around transfers of personal data. Microsoft was the first cloud service provider to gain approval from the EU’s Article 29 Working Party for contractual commitments.
7. FDA 21 CFR Part 11—Regulations Title 21 Part 11 details security requirements for the electronic records of companies that sell food and drugs in the United States.
8. FedRAMP—Microsoft Azure, Azure Government, Dynamics CRM Online Government and Office 365 Government have a Provisional Authority to Operate for the Federal Risk and Authorization Management Program (FedRAMP), mandatory for cloud services  federal agencies use. All executive federal agencies must use FedRAMP to validate the security of cloud services.
9. FERPA—Family Educational Rights and Privacy Act (FERPA) is a US federal law that protects the privacy of students’ educational records, including personally identifiable and directory information. Microsoft Azure, Microsoft Dynamics CRM Online and Office 365 comply with FERPA, and the law applies to schools, school districts and any other institution that receives funding from the US Department of Education, both public and private.
10. FIPS 140-2—Microsoft certifies that the underlying cryptographic modules used in Microsoft products, including Microsoft enterprise cloud services, comply with the Federal Information Processing Standard Publication (FIPS) 140-2, a US government standard.
11. FISC—Microsoft Azure and Office 365 received independent assessment for meeting the requirements for the Center for Financial Industry Information Systems (FISC) Version 8, standard security for banking computer systems in Japan.
12. FISMA—Microsoft Azure, Azure Government, Dynamics CRM Online Government and Office 365 Government have a Provisional Authority to Operate for FedRAMP, the successor of the Federal Information Security Management Act (FISMA) for US government cloud solutions.
13. GxP—The Microsoft cloud meets Good Clinical, Laboratory, and Manufacturing Practices (GxP), as part of compliance with the US Food and Drug Administration Code of Federal Regulations Title 21 CFR Part 11.
14. HIPAA/ HITECH—Microsoft enterprise cloud services offer a Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement that stipulates adherence to HIPAA, which regulates patient Protected Health Information (PHI) in the US. It applies to covered entities—doctors’ offices, hospitals, health insurers and other healthcare companies—with access to patients’ protected health information, as well as to business associates, such as cloud service and IT providers, that process PHI on their behalf.
15. CCSL (IRAP)—Microsoft Azure and Office 365 have accreditation for the Certified Cloud Services List (CCSL), which identifies cloud services that have successfully completed an Information Security Registered Assessors Program (IRAP) assessment by the Australian Signals Directorate.
16. ISO/ IEC 27001—The ISO/IEC 27001 certificate validates that Microsoft enterprise cloud services have implemented the internationally recognized information security controls defined in the ISO/IEC 27001 standard.
17. ISO/ IEC 27018—Microsoft was the first cloud provider to adhere to the ISO/IEC 27018 code of practice, which covers privacy protections for the processing of personal information by cloud service providers.
18. Japan, My Number Act—The My Number Act assigns a unique number to each resident of Japan. Companies using Microsoft cloud services can be assured that Microsoft does not have standing access to My Number data.
19. MTCS—Microsoft was the first global cloud service provider to receive the Singapore Multi-Tier Cloud Security (MTCS) certification across all three classifications, IaaS, PaaS, and SaaS, for in-scope services.
20. NZ CC Framework—The New Zealand Government Chief Information Officer published a cloud computing (CC) framework of 100+ questions on the security, privacy and sovereignty aspects of cloud services. Microsoft NZ demonstrates how Microsoft addresses these questions.
21. Section 508 / VPATs—Microsoft cloud services offer Voluntary Product Accessibility Templates (VPATs), a standardized form documenting whether a product meets the accessibility requirements of Section 508, an amendment to the Rehabilitation Act of 1973.
22. Shared Assessments—Microsoft demonstrates the alignment of Microsoft Azure, Microsoft Dynamics CRM Online and Office 365 with the Shared Assessments Program, a vendor-risk management tool-set, through the CSA CCM version 3.0.1.
23. SOC 1—Microsoft cloud services have had successful audits using American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) 1 standards for design and operational security.
24. SOC 2—Microsoft cloud services have had successful audits using American Institute of Certified Public Accountants (AICPA) Service Organization Controls Type 2 standards for design and operational security.
25. ENS SPAIN—Spain’s Esquema Nacional de Seguridad (National Security Framework, or ENS) provides information and communications technologies security guidance to public administrations and cloud service providers (CSPs). Microsoft was the first hyperscale CSP to receive this ENS certification for Microsoft Azure and Office 365.
26. UK G-Cloud—The UK Crown Commercial Service has renewed the classification of Microsoft in-scope cloud services to Government Cloud (G-Cloud) v6, covering all four of its offerings at the OFFICIAL level.

Notes for On-Premise Security

While many skeptics are concerned about privacy and security while hosting on the cloud, one thing to note is that Microsoft cloud offers advanced security standards that may not even be in place for on-premise environments. In addition, the security setup and protocols followed in a large facility may often be more secure than an independent setup on-premise or in a local data center. The standards Microsoft put in place may minimize the chance of a security breach since a local security department may have a greater chance for human error and mistakes if strict policies in an in-house security setup are not followed.

As you can see from the above listed Microsoft certifications, Office 365 offers a comprehensive set of certifications and attestations of any cloud service provider. These will help you understand whether Office 365 meets your requirements in terms of security and compliance.

• Author
• Recent Posts

Chris Ang

Solution Architect at Cognillo (formerly QiPoint)

Chris Ang (New York, NY USA) is a SharePoint Architect with 20 years experience in programming and network infrastructure.

Currently working at Cognillo (https://www.cognillo.com), he has helped architect and develop SharePoint Enterprise products for customers such as the U.S. Navy, U.S. Army, U.N. Security Council of Netherlands, Australian Government, U.S. Dept of Treasury, U.S. Dept of Justice, Canadian Dept of Defense, Scotiabank, JPMorgan CHASE Bank, Intel, Ford Motors, Microsoft, NASA, DARPA, SNC Lavalin, Penguin Books, and more.

He is a proud father of 2, and when he has any spare time, he loves to paint portraits of his kids.

Latest posts by Chris Ang (see all)

• What is SharePoint? A Beginner’s Guide to MS SharePoint Software - October 8, 2018
• Beginner’s Guide: Windows PowerShell – How to Use Tutorial for Dummies - October 8, 2018
• Remote PowerShell to Manage SharePoint on-premises - August 14, 2018