Many organizations struggle with the complexity and cost of complying with data protection and security standards, especially when they must satisfy multiple standards and regulations at once. While figures vary by industry, compliance costs an organization $5.47 million annually on average. The cost of noncompliance, however, is nearly three times higher, at $14.82 million.
Compliance is only set to get more expensive and more difficult as current standards are updated to fit an ever-changing cyber threat environment, and the U.S. federal government mulls passing a nationwide data protection law in the wake of the EU GDPR and the California Consumer Privacy Act.
Thankfully, if your enterprise subscribes to Microsoft 365, you have access to numerous features that help ease the pain and expense of compliance.
Manage Compliance Processes with Compliance Manager
Cloud compliance differs somewhat from the on-premises compliance many organizations are accustomed to. Microsoft’s cloud services, such as Office 365 and Azure, operate under a shared responsibility model: Microsoft is responsible for security and compliance of the cloud, and organizations are responsible for security and compliance in the cloud. The Microsoft 365 Security and Compliance Center brings the separate but related functions of enterprise security and compliance together in one central hub, making it easier for organizations to secure their cloud data and apps and to demonstrate compliance with applicable regulatory and industry standards.
The heart of Microsoft’s compliance tools is Compliance Manager, which allows organizations to better manage regulatory compliance under the shared-responsibility model. Among other features, Compliance Manager allows organizations to:
Assess Controls and Prioritize Compliance Activities
The Compliance Score feature allows enterprises to perform ongoing assessments on security, compliance, and privacy controls across Microsoft Cloud products for common regulations and standards, including the GDPR, NIST 800-53 and NIST CSF, HIPAA/HITECH, FFIEC, and FedRAMP Moderate and High. Each Compliance Score includes the Microsoft-managed controls for security of the cloud. The remainder of the score is generated by the successful implementation and testing of customer-managed controls.
Each customer-managed control is assigned a possible number of points on a scale of 1 to 10; the more points a control carries, the higher the risk associated with its failure. Compliance Scores help organizations prioritize compliance activities by letting them zero in on the controls whose failure would carry the greatest risk.
More Easily Comply with Multiple Regulations & Standards
Many enterprises must comply with multiple standards and regulations; for example, an enterprise may have to comply with both CSA CCM and the GDPR. In addition to assessing controls, Compliance Scores map relevant controls across regulations and standards. This eliminates duplicative work and enables organizations to take proactive measures to keep up with the dynamic compliance landscape by allowing them to reevaluate common controls and enhance them to comply with the most rigorous standard.
Coordinate Compliance Activities Across the Enterprise
Enterprise compliance is a team effort. Different compliance-related tasks, such as device management, data loss prevention, eDiscovery, and data retention, are performed by different employees throughout the organization. Compliance Manager provides a centralized hub to assign roles and to distribute, track, and record tasks, eliminating silos that can impede communication and workflows. Enabling the role-based access control feature ensures that employees can access only the tasks they have permission for. Compliance Manager also provides a secure repository where employees can upload documentation of compliance activities and processes.
Easily Generate Compliance Reports
Compliance Score assessment data can be exported to an Excel file, producing a detailed report for auditors, regulators, and internal compliance stakeholders. Reports include details for both Microsoft-managed controls and customer-managed controls, including control implementation status, control test dates, and test results, along with links to supporting documents.
Know and Classify Data with Advanced Data Governance
Solid data governance is the foundation of data protection and compliance, but the era of big data has created big problems for organizations. New data is being generated at an exponential rate, and most of it is unstructured. New data privacy laws, such as the GDPR and the California Consumer Privacy Act, mandate that organizations categorize, classify, and securely handle all this data throughout its lifecycle, from creation/collection to disposal.
Microsoft Advanced Data Governance helps organizations know, classify, and protect sensitive data across devices, apps, and cloud services with features such as:
- Retention labels that allow organizations to classify data across the enterprise and enforce rules that specify the retention or deletion of data based on specified triggers. Labels can be applied automatically or manually, at both the document and container levels.
- Sensitivity labels that protect sensitive content without impeding collaboration and workflow. These labels can be used to classify and enforce protection rules on emails, documents, sites, and other content, allowing them to be safely shared within and outside the organization.
- A unified labeling experience for Azure Information Protection and Office 365, so sensitivity and retention labels can be created and set up in one place.
- Over 85 built-in sensitive information types that can automatically detect common sensitive data, such as credit card information, bank account information, and Social Security numbers, and the ability to create custom types.
- Built-in default system alerts for activities such as an unusually large volume of file downloads or file modifications, with the ability to create custom alerts.
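As an added example (not the page's or Microsoft's code), here is a small Python model of how a sensitive information type such as the credit card or Social Security number detector works, and how a detection drives automatic labeling: a pattern match, a checksum, and a supporting keyword nearby all have to agree before a document is labeled. The sample documents, keyword lists and label names are constructed for the example.

```python
import re

# Constructed sample documents (not real data), standing in for files an auto-labeling policy scans.
SAMPLE_DOCS = {
    "invoice.txt": "Card number 4111 1111 1111 1111, exp 09/27, billed to customer.",
    "hr-notes.txt": "Employee SSN: 123-45-6789 on file for payroll.",
    "memo.txt": "Order 4111 1111 1111 1112 shipped Monday.",  # right shape, fails the Luhn check
    "agenda.txt": "Team sync at 10am, bring the Q3 slides.",
}

# Supporting keywords that must appear near a match (hypothetical lists, same idea as built-in types).
CARD_KEYWORDS = ("card", "visa", "mastercard", "credit", "exp")
SSN_KEYWORDS = ("ssn", "social security", "soc sec")

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Checksum every real card number satisfies; rejects look-alike digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def keyword_nearby(text: str, start: int, end: int, keywords) -> bool:
    window = text[max(0, start - 60):end + 60].lower()  # 60 characters of context each side
    return any(k in window for k in keywords)


def detect_sensitive_types(text: str) -> set:
    """Return the sensitive information types found: pattern + checksum + nearby keyword."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits) and keyword_nearby(text, m.start(), m.end(), CARD_KEYWORDS):
            found.add("CreditCardNumber")
    for m in SSN_RE.finditer(text):
        if keyword_nearby(text, m.start(), m.end(), SSN_KEYWORDS):
            found.add("USSocialSecurityNumber")
    return found


def auto_label(docs: dict) -> dict:
    """Apply a sensitivity label per document (hypothetical label names, not a tenant's real ones)."""
    return {name: ("Highly Confidential" if detect_sensitive_types(text) else "General")
            for name, text in docs.items()}
```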
Protect Privileged Accounts with Privileged Access Management
Securing privileged accounts is crucial both to complying with data protection standards and to preventing cyber attacks. The new Privileged Access Management (PAM) feature in Office 365 applies the same Zero Standing Access policy that Microsoft enforces in its own data centers: users who need privileged access must request it. Once approved, they receive just enough access to complete their assigned tasks, just in time, and for no longer than they need it. All of the users’ activities are logged, and their privileged permissions expire automatically after a specified period.
Combined with Azure AD Privileged Identity Management (PIM), PAM adds an extra barrier between unauthorized users and privileged access to enterprise data. While Azure AD PIM secures admin roles in Office 365 and Azure clouds, PAM controls access to tasks within Office 365.
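An added example, not Microsoft's PAM implementation, modeling the Zero Standing Access workflow described above in Python: a request capped at the policy maximum, a time-bound approval by someone other than the requester, an audit trail of every step, and automatic expiry. The task names, approver groups and policy limits are hypothetical, and the clock is a plain minute counter so the model runs offline.

```python
from dataclasses import dataclass, field

# Hypothetical approval policy (constructed for this example): approver group and longest grant per task.
APPROVAL_POLICY = {
    "Exchange\\New-MailboxSearch": {"approvers": {"sec-admins"}, "max_minutes": 240},
    "Exchange\\New-JournalRule": {"approvers": {"compliance-admins"}, "max_minutes": 120},
}


@dataclass
class AccessRequest:
    requester: str
    task: str
    minutes: int
    status: str = "pending"
    approved_by: str = ""
    expires_at: int = -1  # clock value (minutes) after which the grant is void


@dataclass
class PamBroker:
    """Zero Standing Access: nobody holds a task by default; every grant is approved and time-bound."""
    audit_log: list = field(default_factory=list)

    def request(self, requester: str, task: str, minutes: int, now: int) -> AccessRequest:
        policy = APPROVAL_POLICY.get(task)
        if policy is None:
            raise ValueError(f"{task} is not under privileged access control")
        # Just-enough access: the grant never exceeds the policy maximum, whatever was asked for.
        req = AccessRequest(requester, task, min(minutes, policy["max_minutes"]))
        self.audit_log.append(("requested", requester, task, now))
        return req

    def approve(self, req: AccessRequest, approver: str, approver_groups: set, now: int) -> None:
        allowed = APPROVAL_POLICY[req.task]["approvers"]
        # Requesters cannot approve themselves, and the approver must belong to the policy's group.
        if approver == req.requester or not (approver_groups & allowed):
            req.status = "denied"
            self.audit_log.append(("denied", approver, req.task, now))
            return
        req.status, req.approved_by = "approved", approver
        req.expires_at = now + req.minutes  # just-in-time window starts at approval
        self.audit_log.append(("approved", approver, req.task, now))

    def can_run(self, req: AccessRequest, now: int) -> bool:
        """The task may run only while the request is approved and before automatic expiry."""
        ok = req.status == "approved" and now < req.expires_at
        self.audit_log.append(("executed" if ok else "blocked", req.requester, req.task, now))
        return ok
```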