Simplify Compliance and Reduce Risk with Microsoft Compliance Manager
Microsoft Compliance Manager, part of the Microsoft 365 compliance center, is a comprehensive solution for end-to-end compliance management. It helps organizations simplify compliance, reduce risk, and adhere to global, industry, and regional regulations and standards. Compliance Manager translates complex regulations, standards, company policies, and control frameworks into simple language, maps regulatory controls to recommended improvement actions, and provides step-by-step guidance on implementing these actions to meet regulatory requirements. It also helps prioritize tasks by assigning a score to each action, contributing to an overall compliance score.
Key benefits include:
- Pre-built Assessments: Available for common industry and regional standards and regulations, with custom assessments to meet unique compliance needs, depending on your licensing agreement.
- Workflow Functionality: Streamlines the completion of risk assessments.
- Detailed Guidance: Offers actionable steps to improve compliance with relevant standards and regulations.
- Risk-based Compliance Score: Assists in understanding your compliance status by tracking progress in completing improvement actions.
For organizations operating solely on-premises, they are entirely responsible for implementing necessary controls to meet standards and regulations. With cloud services like Microsoft 365, this responsibility is shared between the organization and the cloud provider, but the organization remains ultimately accountable for the security and compliance of its data.
In a Software as a Service (SaaS) model like Microsoft 365, Microsoft handles controls related to physical infrastructure, security, and networking. This relieves organizations from the need to build datacenters or implement network controls. Organizations manage risks associated with data classification and accountability, while certain aspects, such as identity and access management, involve shared risk management. The chart below illustrates the division of responsibility between the cloud customer and the cloud provider across various on-premises and online service models.
Moving your IT infrastructure from on-premises to a cloud-based service like Microsoft 365 significantly reduces your regulatory compliance burden by leveraging shared responsibility. For instance, consider the NIST 800-53 regulation from the United States National Institute of Standards and Technology, one of the most comprehensive security and data protection frameworks used by the U.S. government and large organizations. If your organization adheres to this standard while using Microsoft 365, Microsoft will manage over 75 percent of the 500+ controls, leaving you to focus only on the remaining controls. In contrast, if your organization were fully on-premises, you would need to implement and maintain all NIST 800-53 controls independently. Managing your IT portfolio under the shared responsibility model can lead to considerable time and cost savings.
Compliance Manager calculates your compliance score to help you prioritize actions that improve your overall compliance posture. The impact of each improvement action on your compliance score depends on the relative risk it represents. Points are awarded based on the action’s risk level, identified by the following characteristics:
- Mandatory or discretionary
- Preventative, detective, or corrective
Your compliance score tracks your progress in completing recommended actions that mitigate risks related to data protection and regulatory standards. Your initial score is derived from the Data Protection Baseline, which encompasses controls common to many industry regulations and standards. While this baseline offers a solid foundation for evaluating your compliance posture, the score gains greater significance as you incorporate assessments tailored to your organization’s specific needs. You can also use filters to view portions of your compliance score based on criteria such as solutions, assessments, and regulations.
2W Tech conducted a demonstration of Microsoft’s Compliance Manager, part of the Microsoft Purview suite, a tool that aids organizations in managing regulatory compliance within Microsoft 365 and other cloud services. The session focused on accessing, navigating, and leveraging the essential features of Compliance Manager, including understanding compliance scores, implementing improvement actions, setting up and customizing assessments, and updating compliance status collaboratively.
Key discussion points:
- Compliance Score: Explained the concept of a compliance score, how it is calculated based on mandatory and discretionary controls, and the significance of this metric in gauging compliance status.
- Control Types: Differentiated between preventative, detective, and corrective controls, and provided examples of each to ensure clear understanding.
- Accessing Compliance Manager: Detailed the steps to access Compliance Manager via compliance.microsoft.com and emphasized the importance of appropriate permissions.
- Navigating Compliance Manager: Demonstrated the Microsoft Purview homepage and how to locate key sections of Compliance Manager.
- Benefits of Shared Responsibility: Highlighted how Microsoft manages a portion of compliance controls, reducing the burden on organizations.
- Customizing Assessments: Walked through setting up assessments using the template library, customizing assessments to fit organizational needs, and tracking progress.
- Improvement Actions: Showed how key improvement actions are listed, their impact on compliance score, and the importance of updating actions continuously.
- Updating Controls: Described the process of editing control status, assigning tasks for collaboration, and ensuring compliance scores reflect the latest status accurately.
- Custom Templates: Explained creating custom templates either by extending existing ones or building from scratch using an Excel import process.
This demo provided a comprehensive overview of Microsoft Compliance Manager’s capabilities, emphasizing its practicality in managing compliance within a shared responsibility model.
Click here to view Microsoft Compliance Manager Demo
Read More: