Microsoft 365 now includes Compliance Score (in Preview a/o November 2019). Like Secure Score, Compliance Score gives your organization a defined metric against which to measure how well its controls meet various requirements for data compliance.
Here is an overview of what Compliance Score is, with a bit of a dive into a specific example for CSA CCM – an industry standard for cloud security.
First, here’s the new Compliance Center. You can get there by either 1) going to the Compliance Admin Center in Office 365, or 2) go to https://compliance.microsoft.com/homepage and logging in with an appropriate credential when challenged. Either way, on the left is a new Compliance Score panel.
Just like the dashboard on your car, there’s a nifty little gauge that shows your organization’s overall compliance score. This is a measure across all metrics, which I’ll get to momentarily. The key concept here is that there are hundreds of individual actions that can be taken, and they are broadly categorized as Microsoft-enabled or Customer-enabled. This is based in part on the shared responsibility model.
Actions & Assessments
Every action has a specific score value that reflects its weight. Additionally, each action can be affiliated with one or more assessments. Several assessments are available out-of-box, generally aligned with specific regulations or industry standards. A given action might be associated with multiple assessments; for example, requiring a passcode to unlock a mobile device is so fundamental that it’s part of several assessments.
Actions can be viewed within the context of their assessments, but also in context of their solutions. For example, you might want to review all the actions available under Exchange, or Azure Information Protection, or Advanced Threat Protection.This might make sense for an organization that leaves compliance up to specific service owners.
That said, looking at Compliance Score under Assessments is more useful to business managers, who tent to care less about the technology and more about the business and regulatory requirements. Going through actions one-by-one can be overwhelming, so it’s more useful to look at them as organized by specific requirements using assessments.
Example Compliance Score Assessment – CSA CSM
In the following example, I’m going to dive into the action items required for CSA CSM compliance. CSA CSM is an industry standard known as Cloud Security Alliance Cloud Security Matrix – a standard not just for Microsoft, but other cloud provides such as Amazon Web Services and Google Cloud.
Under the Assessments tab in Compliance Score, I have a list of existing assessments You can create your own, and add more using out-of-box templates, but Ima park that for now, to focus on addressing my CSA CSM score.
What I care about most is my Assessment Progress (highlighted). If I have several related assessments, I might organize them into an assessment group, and at the end, I have a column that tells me what regulation the assessment supports.
To see what actions I might take to improve my score, I click in to the customer managed actions.
Here’s where we get into the meat of Compliance Score’s value. Put yourself in the shoes of a compliance officer, perhaps in a legal or privacy department, or part of a cross-functional team. You’ve been given this industry standard (CSA CSM) to meet, and need to report on compliance as you initiate a program over the next six months.
In this view (image above) you can see all actions, their status with respect to testing or implementation, their point value, and which solution they’re aligned with. This list can be exported for offline analysis.
As a compliance officer, you might review each of these actions one by one. Are some of them impractical? Are some of them easy to implement? Which actions will have the biggest impact in improving your score?
It’s very rare for an organization to implement all actions in a big-bang approach. Instead, a program for achieving compliance would typically start with an initial evaluation – what is our score at the start – followed by collaboration with all stakeholders: representatives from various business units, as well as the compliance and IT teams.
This collaboration group reviews the current state and the recommended actions, and outlines what the individual policies should be, and then initiates one more projects to implement those actions.
For each action, implementation can be assigned, with a due date for testing and implementation; status can also be set to “Not in Scope” or “Alternative Implementation”, if the specific action is carved out or met using another solution.
This is a project manager’s dream. Accountability! Due Dates! Also, how-to-implement documentation and links to where to do so.
Working the Process with Compliance Center
Let’s continue this imaginary process.Compliance Score updates every twenty-four hours. That is, if you make a change, your score won’t change for a day. So on Day 1 of this exercise, my overall compliance score is 17502/24595, or 71%. Specific to CSA CSM compliance, assessment progress is 62%, mostly on the back of the 272 Microsoft enabled controls; only 7 of the 187 customer enabled controls have been enabled.
I’ll make some changes and fire up the hurry-up machine (actually, just waiting a day). While we wait, let me point out that some of these actions require no configuration at all in the Microsoft cloud. For example, the “Implement Incident Handling” action is essentially an attestation that a process is in place. It’s only worth a single point, but hey, everything counts in small amounts, right?
There, the hurry-up machine’s finished. Let’s take a look.
OK, so not a lot – I’ve only bumped my score 50 points or so, not enough to move the needle – but it’s a step in the right direction towards improving my overall compliance score. How about progress against my goal of complying with CSA CSM?
A little better. I implemented four controls and got a 1% gain in compliance. To recap fully, my overall score is now 17558/24595, still 71%. Specific to CSA CSM compliance, assessment progress is now 63%, with 11 of the 187 customer enabled controls enabled.
Summary
Compliance Score, within Compliance Center, is powerful auditing tool for organizations to measure and address their compliance with various regulatory requirements. It provides a consistent scoring method to assess against, and suggests useful actions to increase that score. It also provides an audit trail for decisions taken, or not taken, in applying those recommended controls.