Transparency. Privacy. Compliance. Security. What does privacy at Microsoft mean? Are you using my data to build advertising products?

Transcription

1

2

3 Privacy Transparency What does privacy at Microsoft mean? Are you using my data to build advertising products? Where is my data? Who has access to my data? Compliance What certifications and capabilities does Microsoft hold? How does Microsoft support customer compliance needs? Do I have the right to audit Microsoft? Security Is cloud computing secure? Are Microsoft Online Services secure?

4 Your Privacy Matters Leadership in Transparency Independently Verified Relentless on Security You know where data resides, who can access it and what we do with it Compliance with World Class Industry standards verified by 3 rd parties Excellence in cutting edge security practices

5 Office 365 Privacy Whitepaper Office 365 Security Whitepaper and Service Description Office 365 Standard Responses to Request for Information Office 365 Information Security Management Framework

6 Services are highly configurable and scalable without customization. Services are under the Microsoft Security Policy. We provide transparency in data location and transfers. We audit on your behalf and provide certification reports. Microsoft s liability is capped, consistent with industry standards. Office 365 is an evergreen service. Customers need to stay current. Our solution evolves rapidly with a documented roadmap. We provide services offers to help you migrate to the cloud efficiently.

7 7

8 Office 365 is a highly standardized service that Microsoft offers under highly standardized contractual terms and condition.

9

10

11 Reduce vulnerabilities, limit exploit severity Education Process Accountability Administer and track security training Guide product teams to meet SDL requirements Establish release criteria and sign-off as part of FSR Incident Response (MSRC) Training Requirements Design Implementation Verification Release Response Core Security Training Establish Security Requirements Create Quality Gates / Bug Bars Security & Privacy Risk Assessment Establish Design Requirements Analyze Attack Surface Threat Modeling Use Approved Tools Deprecate Unsafe Functions Static Analysis Dynamic Analysis Fuzz Testing Attack Surface Review Incident Response Plan Final Security Review Release Archive Execute Incident Response Plan Ongoing Process Improvements

12 Threat and vulnerability management, monitoring, and response Data User Application Host Internal network Network perimeter Facility Access control and monitoring, file/data integrity Account management, training and awareness, screening Secure engineering (SDL), access control and monitoring, antimalware Access control and monitoring, anti-malware, patch and configuration management Dual-factor authentication, intrusion detection, vulnerability scanning Edge routers, intrusion detection, vulnerability scanning Physical controls, video surveillance, access control

13

14

15 Privacy at Office 365 At Microsoft, our strategy is to consistently set a high bar around privacy practices that support global standards for data handling and transfer No Advertising No advertising products out of Customer Data. No scanning of or documents to build analytics or mine data. Data Portability Office 365 Customer Data belongs to the customer. Customers can export their data at any time. No Mingling Choices to keep Office 365 Customer Data separate from consumer services.

16 How Privacy of Data is Protected? We use customer data for just what they pay us for - to maintain and provide Office 365 Service Microsoft Online Services Customer Data 1 Usage Data Account and Address Book Data Customer Data (excluding Core Customer data) Operating and Troubleshooting the Service Yes Yes Yes Yes Security, Spam and Malware Prevention Yes Yes Yes Yes Improving the Purchased Service, Analytics Yes Yes Yes No Personalization, User Profile, Promotions No Yes No No Communications (Tips, Advice, Surveys, Promotions) No No/Yes No No Voluntary Disclosure to Law Enforcement No No No No Advertising 5 No No No No Core Customer Data Operations Response Team (limited to key personnel only) Support Organization Engineering Partners Others in Microsoft Usage Data Address Book Data Customer Data (excluding Core Customer Data * ) Core Customer Data Yes. Yes, as needed. Yes, as needed. Yes, by exception. Yes, only as required in response to Support Inquiry. Yes. With customer permission. See Partner for more information. No. Yes, only as required in response to Support Inquiry. No Direct Access. May Be Transferred During Trouble-shooting. With customer permission. See Partner for more information. No (Yes for Office 365 for small business Customers for marketing purposes). Yes, only as required in response to Support Inquiry. No Direct Access. May Be Transferred During Troubleshooting. With customer permission. See Partner for more information. No. No. No. With customer permission. See Partner for more information. No.

17 Compliance

18 Office 365 compliance We are the first and only major cloud based productivity to offer the following Office 365 is the first major business productivity public cloud service provider willing to sign EU Model Clauses with all customers. EU Model Clauses a set of stringent European Union wide data protection requirements Address privacy, security and handling of Customer Data. Going above and beyond the EU Model Clauses to address additional requirements from individual EU member states Enables customers to comply with their local regulations. ISO27001 ISO27001 is one of the best security benchmarks available across the world. Office 365 first major business productivity public cloud service to implement rigorous ISO security controls on physical, logical, process and management EU Model Clauses Data Processing Agreement

19 Office 365 compliance Comply with additional industry leading standards US Health Insurance Portability and Accountability Act HIPAA is a U.S. law that requires HIPAA covered entities to meet certain privacy and security standards with respect to individually identifiable health information Microsoft is offering to sign the Business Associate Agreement (BAA) for any Microsoft Enterprise Agreement customer. The BAA helps enables our customers to comply with HIPAA concerning protected health information. EU Safe Harbor EU generally prohibits personal data from crossing borders into other countries except under circumstances in which the transfer has been legitimated by a recognized mechanism, such as the "Safe Harbor" certification Microsoft was first certified under the Safe Harbor program in 2001, and we recertify compliance with the Safe Harbor Principles every twelve months

20 Office 365 Compliance With Key Standards ISO All customers Available EU Safe Harbor EU customers Available SSAE 16 (Statement on standards for Attestation Engagement) SOC 1 (Type I & Type II) compliance Primarily US customers Available FISMA US Government Available HIPAA/BAA All Customers Available EU Model Clauses EU Customers Available Data Processing Agreement All Customers Available FERPA EDU Customers Available

21

22 Transparency At Microsoft, our strategy is to consistently set a high bar around privacy practices that support global standards for data handling and transfer Where is Data Stored? Clear Data Maps and Geographic boundary information provided Ship To address determines Data Center Location Who accesses and What is accessed? Core Customer Data accessed only for troubleshooting and malware prevention purposes Core Customer Data access limited to key personnel on an exception basis. How to get notified? Microsoft notifies you of changes in data center locations.

23

24 This saves customers time and money, and allows Microsoft to provide assurances to customers at scale.

25 Policy Business rules for protecting information and systems which store and process information Control Framework A process or system to assure the implementation of policy Standards System or procedural specific requirements that must be met Operating Procedures Step-by-step procedures

26 26

27

28

29

30

31

32

33 Microsoft Cloud Vantage Recommended Partner

34 Cloud Vantage Services Cloud Vantage Services helps you realize business value from your Office 365 investments by providing deep expertise and collaboration across the full lifecycle to smoothly transition to Office 365, and make the most out of your cloud investments.

35 Office 365 Privacy Whitepaper (New!) Office 365 Security Whitepaper and Service Description Office 365 Standard Responses to Request for Information Office 365 Information Security Management Framework

36 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentations. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.