Overcome Your Data Compliance Hurdles with Microsoft Purview Compliance Manager
With the hybrid and remote work trend on the rise, businesses are facing several compliance challenges, such as keeping up with regulatory changes and ensuring that employees are following security best practices. Many organizations even suffer from a lack of time and resources to adhere to compliance regulations, or simply find the complexities of following such protocols to be too taxing.
Introducing Microsoft Purview Compliance Manager, your one-stop answer to data compliance, honestly. Microsoft Compliance Manager reduces non-compliance risk and helps your organization seamlessly adhere to compliance requirements by following guidelines provided by the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework), ISO (International Organization for Standardization), FedRAMP (Federal Risk and Authorization Management Program), and GDPR (General Data Protection Regulation of the European Union).
What is Microsoft Compliance Manager?
Microsoft Compliance Manager, a feature in the Microsoft Purview compliance portal, conveniently helps your organization maintain compliance requirements with ease. By taking inventory of your data protection risks, managing complexities of control implementation, keeping up to date with certifications and regulations, as well as reporting to auditors, Microsoft Purview Compliance Manager simplifies how your organization manages compliance.
In addition, Microsoft Purview Compliance Manager helps meet your unique needs by offering workflow capabilities to help you efficiently complete your risk assessments. Users also gain improvement actions with detailed step-by-step guides to help comply with standards relevant to your organization, along with a risk-based compliance score that provides deep visibility to improve the overall compliance posture of the company.
Key Elements of Microsoft Purview Compliance Manager
To help you manage your compliance activities, the Microsoft Compliance Manager uses several data elements, including:
Controls
Controls detail the requirements of the compliance standard your organization is trying to meet to define how you assess and manage system configuration. Compliance Manager tracks Microsoft-managed, customer-managed, and shared controls that Microsoft and your organization share responsibility for implementing. These controls are assessed and updated continuously.
Assessments
Assessments are groupings of controls that evaluate your organization’s compliance with industry and regional regulations. Completing all actions within an assessment can help bring your organization in line with the compliance standard requirements. In addition to controls, assessments have several other components including in-scope services and assessment scores.
Templates
Templates are a framework of controls for creating assessments. The Compliance Manager provides pre-built templates to help you easily create assessments, but you can also modify these existing templates or create new templates optimized for your needs.
Improvement Actions
Improvement actions help centralize compliance activities by providing recommendations that align your organization with regulations and standards for data protection. You can assign improvement actions to users within your organization to perform implementation and testing work.
Using Microsoft Compliance Manager to Calculate Compliance Score
Microsoft Compliance Manager’s dashboard displays an overall compliance score that measures your progress in completing recommended improvement actions suggested within controls. Your current compliance score can be used to understand where your organization stands and what actions you can prioritize to improve.
Each improvement action impacts your score differently, depending on the risks involved. Assessment scores are calculated using improvement action scores.
Two types of actions count toward your overall score: improvement actions managed by your organization and Microsoft actions managed by Microsoft. Actions can either be technical or non-technical, and the type of action determines the scoring impact of the action.
- Technical actions are implemented by interacting with the technology of a solution, such as changing a configuration. Even if a technical action belongs to multiple groups, points are only granted once per action, as the action only needs to be implemented once for your tenant.
- Non-technical actions are managed by your organization and can either be documentation or operational. If a non-technical action belongs to multiple groups, points are applied each time the action is implemented.
Premium Templates in Microsoft Compliance Manager
As mentioned, Compliance Manager provides templates to help you create assessments, and these templates can be modified according to the needs of your organization. Microsoft provides a variety of comprehensive templates that help your organization comply with national, regional, and industry-specific requirements that govern data use and collection.
There are two categories of templates available in Compliance Manager: included and premium. Included templates cover key regulations and requirements and are granted by your Compliance Manager license. Premium templates are available to be purchased for additional needs and scenarios, covering over 300 regulations and standards.
As of July 1st, 2021, customers have been able to purchase premium templates as an add-on without needing to have a Microsoft 365 E5 license as a prerequisite, as long as they have a Microsoft 365 or Office 365 subscription, and customers with licenses can see the list of 300+ premium assessments in their tenants already. Premium templates ensure that customers can comply with several requirements across multiple standards of regulation just by taking one action.
Of the premium assessments available, some noteworthy assessments for public sector and small to medium organizations in Canada include:
- Canada Cybersecure – Baseline Cyber Security Controls: Focuses on reducing risk and helping organizations plan how to respond to cybersecurity incidents and data breaches.
- Canada – British Columbia – Information Privacy & Security – FOIPPA: Focuses on protecting records that are created and compiled by the public bodies of British Columbia. Complying with the controls and carrying out the recommended actions can earn you a certificate.
Microsoft Compliance Offering with the Center for Internet Security (CIS) Benchmarks
The Center for Internet Security (CIS) identifies, develops, validates, promotes, and sustains best practice solutions for cyber defense. To further help with national, regional, and industry-specific regulations for data collection and use, the Center for Internet Security (CIS) has published benchmarks for Microsoft products and services.
Some of these benchmarks include the Microsoft Azure and Microsoft 365 Foundations Benchmarks, and the Windows 10 and Server 2016 Benchmarks. The CIS Microsoft Azure Foundations Benchmark is geared towards customers that plan to deploy secure solutions incorporating Azure, and we at Steeves and Associates use the accompanying document as a baseline to establish secure security frameworks for our clients.
CIS benchmarks establish a basic level of security for anyone adopting Microsoft products and services, but for more granular control over compliance, you can utilize Microsoft Compliance Manager.
Leverage Microsoft Compliance Manager to Granularly Manage Compliance
Keeping up with regulatory changes can be difficult, but Microsoft Compliance Manager simplifies how your organization manages compliance by taking inventory of your data protection risks, managing complexities of control implementation, keeping up to date with certifications and regulations, and reporting to auditors.
Experts at Steeves and Associates can not only set you up with baseline security practices by utilizing CIS benchmarks but can also configure your organization’s overall compliance framework by effectively utilizing Microsoft Compliance Manager and its premium templates.
Connect with us to qualify for a free workshop on how to leverage Microsoft Compliance Manager to protect sensitive information and establish protocols for meeting compliance requirements across your organization.