Service Trust Portal & Compliance Manager

Start Addressing your Compliance Assessment Needs with Service Trust Portal and Compliance Manager Tools.

Co-authored with Ryan Sturm of GetSecureAndCompliant and John Wagner.

Microsoft offers its customers many amazing tools to help them in their security and compliance efforts.  This article will cover the information available in the Service Trust Portal and the capabilities in Compliance Manager that can help your Risk and Compliance leaders and IT staff ensure that you get to and remain in compliance with the various regulations you may need to comply with. 

As part of their Shared Responsibility model, Microsoft provides their customers with an easy-to-access one-stop shop for in-depth security, compliance, and privacy information assessments for the Microsoft Cloud.  This information comes built-in to Microsoft’s productivity platform so that customers can automatically assess and manage their security and compliance posture.

In this post we will provide a high-level overview of the two main tools, beginning with the Service Trust Portal and the new Compliance Manager within it.

Service Trust Portal

Note: You will have to log in with a valid Microsoft Office 365, M365, or Azure subscription account to access locked reports.

With the Service Trust Portal, customers can:

• Review the available independent audit reports for Microsoft’s Cloud services, which provide information about compliance with data protection standards and regulatory requirements. The full list of audit reports can found here.

• View pen tests and security assessments. View reports from independent third-party penetration tests and security assessments of Microsoft’s cloud services.  The results of those tests and assessments can be found here.

• Leverage Azure Blueprints, which define a repeatable set of Azure resources that implement and adhere to your organization’s standards, patterns, and requirements and rapidly build new environments with a set of built-in components to speed up development and delivery.  An overview of the blueprints as well as a list of those available can be found here.

• Gain access to White Papers, FAQs, and Compliance guides.  You will be able to review a wealth of security implementation and design information with the goal of making it easier for you to meet regulatory compliance by understanding how Microsoft Cloud services keep your data secure.

Compliance Manager

Compliance Manager makes it easy to perform on-going risk assessments of Microsoft’s cloud services. Your organization can use Compliance Manager to manage all your organization’s compliance activities from implementation to reporting. 

We suggest starting with 4 main steps:

• Have the Portal Admin assign Roles to your Users.
• Review actions items in Microsoft Secure Score to comply with regulations related to your industry for Security & Compliance.
• Pick an Assessment that is appropriate for your organization
• Assign Actions to your users based on the Controls in that Assessment.

The following sections will outline the different components of Compliance Manager and walk you through the steps you can take.

Role Based Access Control can be used to make sure you control who can view your assessment and action information, and who can make changes.  A breakdown of the Compliance Manager RBAC Roles can be found here.

To assign roles, login as a Tenant Admin or Compliance Portal Admin here.

Enable Secure Score integration to provide automatic updates to the status of action items in Compliance Manager. This is configurable for individual Action Items or all actions globally and provides updates from Secure Score.

Review Action Items to improve your Microsoft Secure Score here.

Add 100 points to your Microsoft Secure Score by enabling MFA for Admins in setting up just three of the Four Baseline Conditional Access Policies. It will take up to 24 hours for your score to update. Additionally, follow the Five steps to securing your identity infrastructure to improve your score which aligns with Security & Compliance Best Practices.

Assessments for Your Organization

With increased concern over data compliance, organizations need a way to view and demonstrate how well they are addressing specific requirements. In Compliance Manager, these reviews are called Assessments.

Typically, the requirements for these controls are defined by records managers who are experts in the field of records management, but not necessarily technology experts. Requirements may also come from experts in security, privacy, or legal teams. Compliance is best addressed by a team with representation from all of these experts, as well as IT.

The controls available can be classified as “Microsoft Managed” or “Customer Managed”; the latter are what the customer is responsible for enabling.

As we can see, out of the box, this assessment shows that all of the relevant Microsoft controls for HIPAA (a health-records regulation in the United States) are enabled, but the customer has only enabled eleven of the thirty-eight related controls available to them.

Once an organization has run an Assessment, it can take action to implement each control in some way, mark it as planned, or decide to exclude a control from the assessment entirely. For the purpose of auditing, this provides a document trail of which controls an organization decided to use in their content management protocols. Actions are covered below.

Templates

An Assessment will measure an organization’s adoption of relevant controls defined by specific industry regulations. The controls measured are defined by Templates based on specific regulations. For example, a company may want an assessment of its compliance posture for HIPAA.

When an Assessment is created, it is based on a template in Compliance Center. Typically, these are based on industry regulations, but custom templates can be created. Compliance Manager also comes with several pre-defined templates.

Additionally, by looking under Templates in Compliance Manager, we can see details on what’s included – from the list in the image above.

Under each are indications of which Microsoft product it applies to, what certification it covers, how many controls are available, and what the maximum score can be – a good thing to know if you are measuring compliance across multiple criteria.

By clicking into a template, you can see the individual families of controls to see what actions are available.

Groups

When an Assessment is created, it is placed in a Group of other Assessments. In Compliance Manager, a Group is a way to categorize multiple Assessments.

For example, in a large organization, the Finance department may have half a dozen different assessments, one for each of various regulation types. Legal may have another set.

By default, there is one Group in place, called Default Group. To create another Group, simply throw the switch and enter a name for the Group when creating an Assessment. The newly created Group will be available for all other new Assessments going forward.

Assigning Action Items

Actions Items are included in customer-managed controls as part of the built-in workflow management functionality that you can use to manage and track your progress towards Assessment completion.

Users in your organization can use Compliance Manager to review the controls from all Assessments they have assigned to them.  When they open the Action Items dashboard, they will see a list of Action Items assigned to them.  What they can do with those Action Items will depend on the role assigned to the user.

The workflow built into Compliance Manager can be used to initially assign an Action Item to one person for implementation and then to the next person to test and upload evidence.

What does this look like in Action (Pun intended)?        

By clicking on an Assessment from the Compliance Manager Dashboard, it will take you to the Actions section for that Assessment where you can review available Actions.  In the example below, the portal admin has assigned an Action Item to a Compliance Administrator.

In this example, the Action’s been assigned to Megan Bowen, the priority’s been set to Medium, and there’s a note to get approval for the implementation plan before completing.

The key concept here is that not only have actions been identified to improve the compliance score, but there is accountability and an audit trail of that Action’s implementation.

Megan can review the action and upload any relevant documents, then make any notes.

Additionally, if another person or party should be responsible, the action item can be reassigned.

Compliance Management thus serves as a change log as well, for any steps taken to address compliance with various data governance regulations.

This information can be provided for audit purposes, providing a clear trail of decisions made about compliance.

Summary

Hopefully with the topics we have covered you can see how Compliance Manager will enable you to assign, track, and record compliance and assessment-related activities, which can help your organization cross team barriers to achieve your compliance goals.