Microsoft: Navigating your compliance score in a shifting landscape

On average there are 200 regulatory updates issued per day from 750 different bodies.

This finding, from a 2017 Thomson Reuters report is enough to have compliance professionals hiding behind the sofa.

“We’ve heard our customers loud and clear; it can be such a big burden for compliance professionals to stay up to date with all these changes,” said Dan Cousineau, Compliance Marketing Manager, at Microsoft. “And even when they can track the Track, track the changes sometimes they don’t have enough knowledge to define the internal controls to meet these requirements”.

Cousineau, speaking at PrivSec Global last month, outlined some of the dilemmas faced by companies when ensuring compliance teams are equipped to meet the challenge. 

“Most of the time compliance officers and privacy officers know the regulations and standards well, but they don’;t know which technologies solutions can help them meet the particular requirements or controls,” he explained.

“And then on the other hand, IT professionals may know about the technology, but they don’t know about the regulations, so there’s a real lack of connection between both compliance and IT departments.”

So where do Microsoft’s solutions fit in? The first thing to note is that Microsoft offers a shared responsibility model as a cloud vendor. 

Cousineau said when customers use on-premise IT infrastructure they have complete responsibility to protect the data and implement controls, however with cloud services the burden on the customers is lessened as responsibility is shared between with the cloud service provider. Microsoft provides the physical  infrastructure and networking, so customers don’t have to build their own data centres or physical access controls.

“A great example is the NIST 800-53. In the latest iteration there are 975 controls, 78% of those controls are Microsoft’s responsibility, while only 22% of the customers”, said Cousineau.

Microsoft also helps customers take care of their own responsibilities though, through features such as Customer Lockbox, which allows customers to be part of the necessary chain of approval for elevated access on particular controls.

Graham Hosking, Technical Specialist, Security and Compliance at Microsoft, went on to demonstrate the Microsoft Compliance Manager platform.

He showed how Compliance Manager allows you to see different assessments and regulations, and what Microsoft is doing to provide you with the controls and what the customer needs to do. Improvement actions for different areas, such as data protection, are shown along with points showing progress.

The tool also allows you see families of controls, so if you put in evidence that you meet a control, and it overlaps with another, you may not need to do it again.

And Microsoft also makes communication with the regulator easier, Hosking said. 

“From a regulatory point of view, we can take both the Microsoft actions and the customer actions into one report, and you can give that as evidence to your regulator.”

The other thing to remember is that the platform pulls in live information and notifies the customer of changes to assessments or scores, if for example, there are regulatory changes. This plus a high degree of customisation of assessments, should, Hosking and Cousineau say, enable organisations to be much more confident keeping up to speed with the mountains of shifting regulations.