Microsoft Online Services Security and Compliance Operational Certification Initiative


Published: February 2009

Introduction

Global Foundation Services (GFS) provides the infrastructure for Microsoft's online services. GFS has streamlined the manner in which compliance with relevant security and privacy standards is managed and maintained. These standards are based on government regulations, industry mandates, internal policies and industry best practices. In addition to ensuring that compliance expectations are continually achieved, this methodology has helped produce SAS 70 Type I and Type II attestations and ISO 27001 certifications, as well as streamlining the work associated with meeting audit obligations.

This paper will discuss the current compliance landscape and the methodology used by the GFS Online Services Security and Compliance (OSSC) organization to rationalize and optimize management of security compliance.

Compliance Landscape

The GFS-managed online operating environment is required to meet a significant number of government-mandated, industry, internally derived and industry best practice security requirements. Many of these require a periodic review to validate that compliance is being maintained. Some of the existing audits and assessments of external compliance expectations are:

- The Payment Card Industry Data Security Standard (PCI DSS) requires annual review and validation of security controls related to credit card transactions. Numerous online services are audited annually for PCI compliance;
- Microsoft agreed to a Consent Order with the FTC in 2002 that requires an audit every other year to validate compliance with the order and adherence to the Microsoft Online Services Information Security Program. This audit requirement is in effect until 2022;
- Various advertising systems are audited against the Media Ratings Council (MRC) requirements. This standard relates to the integrity of advertising system data generation and processing;
- Selected advertising systems are audited for Sarbanes-Oxley (SOX) compliance annually to validate compliance with key processes related to financial reporting integrity;
- Microsoft's entry into the health services industry introduces compliance requirements as a business associate of entities covered by the Health Insurance Portability and Accountability Act (HIPAA);
- In addition, various Internal Audit and privacy assessments occur throughout a given year.

As Microsoft online businesses continue to grow and evolve and new online services are introduced into the GFS environment, additional requirements are expected, which could include regional and country-specific data security standards.

Operational Certification Initiative

It was determined that many of the audits and assessments listed above required an evaluation of the same operational controls and processes for several of the GFS teams providing operational infrastructure services. Therefore compliance was often demonstrated by producing the same data and information. While Microsoft continued to meet the various security requirements and to pass the associated audits or assessments, there was a significant opportunity to converge redundant efforts, to streamline processes, and to proactively manage compliance expectations in a more holistic manner.

In an effort to accomplish this, OSSC created the Operational Certification Initiative, otherwise known as OCI. OCI rationalized the various compliance efforts by defining a unifying methodology for managing compliance across the GFS environment, and by extension across the various businesses operating within this environment, thus providing a consistent and manageable process for preparing for, and ultimately satisfying, security requirements.

OCI is designed to be a continuous and scalable program that ensures GFS is meeting security requirements and that the Online Services Information Security Program, policy, standards and associated controls and processes remain current as business requirements change. In addition, the standardized security control framework coming out of OCI can be consumed or leveraged by other teams within Microsoft.

OCI Methodology

OCI follows a five-step methodology, represented in the following illustration:

Step 1: Identify and Integrate Requirements

An analysis of internal policy, regulatory, industry, legal and contractual requirements was conducted to define a superset of standard security control objectives. Each individual requirement was mapped to these standardized control objectives, providing for a consistent application of security requirements. To allow the framework to be easily expanded in the future, an international standard (ISO 27001) was used as the basis for defining the control objectives.

Step 2: Assess and Remediate Gaps

Functions on-boarded to the OCI framework are provided with a set of standard control objectives that must be met through adequately designed internal controls and processes. An initial state of compliance is determined through the identification and evaluation of each function's existing control activities and procedures, otherwise known as a control design review. Also as part of this initial evaluation, high-risk or highly manual controls are identified so that monitoring controls can be defined to ensure these key controls are continuously monitored. Control design gaps are identified and require remediation before operating effectiveness testing.

Step 3: Test Effectiveness and Assess Risk

Once the control design gaps are remediated, operating effectiveness testing of the controls is conducted, either internally or by external third parties. Operating effectiveness failures are identified and require remediation before certifications and attestations are performed.

Step 4: Attain Certification and Attestations

The state of compliance with the OCI framework is periodically evaluated and reported on through third-party reviews, such as SAS 70 Type I and Type II attestations as well as ISO 27001 certifications. The SAS 70 reports and ISO certification are also used as collateral to satisfy the expectations of selected external audits, including some of those listed above. For audits that cannot directly consume the SAS 70 or ISO certification, often the material produced and collected during these reviews can be used to represent and support compliance claims. Securing a SAS 70 report and ISO certification also provides assurances to potential customers that GFS's security controls are appropriately designed and are operating effectively. Note that a SAS 70 Type I report speaks only to the design of controls at a point in time; it is the Type II report, covering a review period, that attests to operating effectiveness.

Step 5: Improve and Optimize

The OCI control framework is periodically augmented with new requirements that are introduced to the environment through regulation, contractual or legal obligations, internal policy and/or industry best practices. A comprehensive review of the control framework occurs annually, and individual requirements can be added or modified as deemed necessary.

Conclusion

OCI is the culmination of hard work within OSSC to rationalize requirements for multiple audits into a single, expandable framework. GFS has optimized auditing across the infrastructure by auditing only against that framework. The most significant benefit is for customers: the independent, external validation of the requirements that make up OCI provides a level of assurance that Microsoft meets or exceeds industry standards.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.