Streamline Compliance with Microsoft Purview and Compliance Manager
Discover how Microsoft Purview and Compliance Manager simplify compliance with over 350 global regulations, offering precise guidance and automated workflows.
Simplify regulatory compliance with Microsoft Purview Compliance Manager
Added on 09/27/2024

Speaker 1: Coming up, if you want to reduce the time it takes to get and stay compliant with regulations impacting your organization, we take a closer look at Compliance Manager and Microsoft Purview, which helps you by breaking down the compliance criteria for over 350 regulations and standards globally so you don't have to interpret them, giving you precise guidance on the capabilities that you can turn on in Microsoft and other cloud services to meet specific requirements, and digitizing the workflow for collaborating with others in your organization so that you can assign and document actions, including any manual processes as well, all of which make it easier to prepare for auditors and more. And to walk us through all this, I'm joined by Daniel Hidalgo from the Microsoft Purview team. Welcome back to Mechanics.

Speaker 2: Thanks for having me back, Jeremy. There's a lot to dig into.

Speaker 1: And it's really great to have you on because we've done quite a few shows recently on security and zero trust approaches, but of course, on the other side of this is compliance. Now, if you think about some of the most public data breaches that we've seen over the last couple of years in the headlines, they often expose more than just the security vulnerabilities that those companies had, they also reveal gaps in how compliance is managed, especially in cases where customer or employee data is stolen.

Speaker 2: They do. And you bring up a great point, because if you're concerned about security and data protection, compliance needs to be part of that concern as well. Think about cases where data should be maintained for only 12 months, and you've actually been keeping 10 or even 20 years' worth.

Speaker 1: And what that means is that your attack surface is basically 10 or 20 times larger than it really needs to be.

Speaker 2: Yes, and it can get you into even deeper trouble from a regulatory standpoint. Because of the penalties involved, in many respects, the risk from not hitting compliance requirements can be far more damaging than a data breach.

Speaker 1: That said, there's a bright side to all of this, because what you put in place to meet the majority of compliance requirements will actually lead to greater protection and response to security and privacy threats in the future.

Speaker 2: Yes, they will definitely lead to better security protections for your critical data, faster response times, and more resilience to legal incidents too.

Speaker 1: That's easier said than done, though, because anyone who's done this type of work knows just how hard it can be to interpret what you need to do to be compliant. So how do we help here?

Speaker 2: Yeah, it can get really complex, because just like the threat landscape continues to evolve with security, the regulatory landscape continuously evolves for compliance. And if you're a compliance manager, you might be stuck tracking your compliance status by using manual tools like spreadsheets, where you're constantly chasing your IT team and other accountable stakeholders just so you can check progress on actions to prove your compliance. You may not understand the criteria for complying with specific regulations in the first place, or there may be multiple interpretations of what is required across teams. And that's really where Compliance Manager comes into play, in terms of helping everyone get on the same page on the specific actions to take to comply with a given regulation or standard. It also provides a collaboration platform between compliance managers and IT and other stakeholders. And it assesses your starting point so that you can get an accurate read of progress against your compliance goals.

Speaker 1: Okay, so let's break this down. How would I use Compliance Manager then to get a read on where I'm starting from in order to assess my compliance?

Speaker 2: Yes, so any organization is going to have a number of regulations depending on their industry or regional location. So before you do anything out of the box, we'll give an initial measure of your compliance posture, which is an assessment of where you stand today. In Microsoft Purview, I've navigated to Compliance Manager, and the first thing that I see is my compliance score. This score is initially built off a generic data protection baseline for Microsoft 365. This is a combination of requirements across international regulations like GDPR and ISO, as well as FedRAMP and NIST in the US, to establish a baseline of requirements needed for the protection of your data. And we've mapped the fulfillment of those requirements across two dimensions. The first being Microsoft actions, which are the things we are responsible for as we operate our own services, and they help you to fulfill specific requirements and contribute to your overall score. And second, improvement actions that you can implement, which are tailored to your specific tenant. This is where Compliance Manager can pull signals from over 200 automatic capabilities available for you and assess whether or not you've implemented them. So as I scroll down, these improvement actions are also broken down into several categories, from protecting information to things like privacy management. And if we click into one to look at the detail, you can see that we award points to them, which are weighted based on impact. So technical actions, as you can see here, are typically worth 27 points. And if you want to look at what goes into the score in more detail, you can check out our guidance at aka.ms slash compliance score calc.

Speaker 1: And you know, this really highlights the shared responsibility between Microsoft and also you as a consumer of the service, and it makes it a lot easier to know what to do. You mentioned that there are four different regulations that this baseline is built off of. So if you wanted to maybe look beyond that baseline to know how you might be faring against a specific regulation or a standard, how would you do that?

Speaker 2: So that's when you want to run an assessment, which is the primary reason you want to use Compliance Manager in the first place, in that it unpacks more specifically how you're faring against a specific regulation and shows you the steps that you can take to improve. So I'll hop over to a fresh tenant that doesn't have any previously run assessments. From the assessment tab, I can create a new assessment, I'll add one. Now I can select a template. We have a continuously expanding library of hundreds of assessment templates to choose from that translate around 350 regulations and standards worldwide into tangible actions for you. The majority of our templates today are for Microsoft 365, and we've been extending these templates to Azure and Dynamics 365 as well.

Speaker 1: Okay, so these templates will increasingly span different Microsoft services. But what if you want to just understand compliance criteria of a regulation that's agnostic of a service?

Speaker 2: Well, that's where a universal template comes in. Here's the universal template for GDPR. And as you can see here with an action like confirm accuracy of collected personal data, these translate what is required by the regulation and generically specify the capability you ideally need to help fulfill this requirement. So from that perspective, they provide universal criteria for compliance, which is useful not just across Microsoft services, but across non-Microsoft services too. Additionally, we've also started to make data connectors available for various non-Microsoft solutions, starting with Google Cloud, Okta, and Salesforce, with many more coming by the end of the year. These will help aggregate compliance actions taken across multiple of these solutions.

Speaker 1: So that really means the kind of criteria that we establish here can be used across the board.

Speaker 2: Right, because our goal here is really to have Compliance Manager be that single tool that helps with compliance fulfillment. You can also modify templates to meet your specific needs. Now going back to our assessment, I'll choose the EU GDPR for Microsoft 365 and hit save. I can give it a name. Now I need to choose an assessment group. You can configure groups in whatever way is most logical for your organization. I'll keep the default group for now. Everything looks good in the summary screen, so from here I can create an assessment.

Speaker 1: Okay, so once you've kicked that off, how long does it take then for the information to start to come back?

Speaker 2: It can take up to 24 hours to process everything. We literally scan your tenant against over 200 automated actions to determine our recommendations. To save time, since I already have an assessment created, I'll go to that one. I'll click into it and I can see a summary of my progress based on my completion of actions within the assessment. And I can see a list of my improvement actions, which, as I mentioned, have a weighted value. Next I'll take a look at controls. Think of a control as how we interpret a requirement of a regulation. Oftentimes these will span multiple regulations. Here we are seeing control families relevant to GDPR. Next we can see the improvement actions that you are responsible for. These can be manual or automatic. So I'll start with something manual and search for privacy. And I'll choose this one to establish a privacy program. Here I can see guidance for the types of measures we need to put in place. The nice thing about these improvement actions is that we map them across all applicable regulatory controls. For example, here you're seeing how many regulations require a privacy program, so that once you take this action, you'll satisfy this requirement across multiple regulations. So you won't be duplicating efforts. Now I'm going to go back and, instead of manual, I'll filter the testing source by automatic, which, as I mentioned, are actions that I can turn on in the service, and you can see your implementation status across various actions. I can see that this one, create and apply a retention policy, has failed. So let's investigate that. This is an action for setting a time limit for how long specific data can be kept. And I can see that it has not been implemented. From here, I can assign accountability for this action to the specific stakeholders. In fact, I'll assign this one to you, Jeremy. So why don't you walk us through the collaboration experience?

Speaker 1: Perfect. I love building retention policies. So here I can see I've already received an email, and I can see that I've been assigned this action. So I'm gonna go ahead and click on the link, and that will take me straight to Compliance Manager and directly to that improvement action. And it also shows me guidance and even describes how I can create and apply a retention policy in Microsoft Purview. Then it deep links me directly to where I can configure this with this launch now link. When I click on that, I'm taken directly to Data Lifecycle Management and all the retention policies, and I can quickly add a new policy from here if I want to. And this also works for manual improvement actions as well, where I can edit implementation detail by specifying whether or not I've implemented an action. I can document an alternative implementation approach, which is really useful, for example, if I've used another tool or process to carry out the same action. I can also indicate if implementation is scheduled or planned or just not yet executed. Or I can even mark an action as out of scope or irrelevant. Next, and important for manual actions, I can also add testing control details to document specific manual tests and outcomes, and add documents, images, or media as supporting evidence toward a specific action. And this workflow really helps to preserve an audit log of all the actions that are taken. That said, though, presumably there are limits to what people can and should do. So how do I make sure that the right people are actually interacting with these types of controls?

Speaker 2: Right. So before you delegate anything, you really need to make sure that you can define the permission levels of individuals that are part of the process. So under permissions, you can assign people in your organization different role types from administrator who can assign permissions, an assessor who typically validates work done, to contributors like you in this case that can take action and report back on what they did. Or you can just make someone a reader with read-only rights.

Speaker 1: So it's really straightforward then to set up assessments and collaborate against actions. But how do you stay compliant, for example, in cases where someone maybe inadvertently reverses an automatic action and that's going to impact the compliance score?

Speaker 2: So this is where we recommend you set up alerts. We can set up alerts to notify you immediately when certain changes to improvement actions occur. Here, in the alerts policies tab, you can see I have a few configured. You can set them up to be alerted for things like changes in test status or implementation if someone has turned off multi-factor authentication, for example, or an increase or a decrease in your score. And if the conditions and thresholds you set are met, we'll notify designated stakeholders via email, and they will also see these alerts in the Compliance Manager experience.

Speaker 1: Okay, so the million-dollar question here is, though, how does everything that you've shown today ease the process or help in terms of giving materials over to our auditors?

Speaker 2: Yeah, so you can really use Compliance Manager as inputs for what you report to your auditors. I'll generate a report from my assessment, and that outputs an Excel file, and it will show you an aggregate view of all of the actions taken to meet specific requirements. You can sort and filter it. For example, I'll sort the control column B into ascending order, and this sorts the improvement actions in the same order as the GDPR regulation.

Speaker 1: So this gives something tangible in this case, then, that you can hand over as part of your auditing reports. That said, though, with all the changes that are happening almost daily to the regulations and standards out there, how do you stay up to date with those changes?

Speaker 2: Yeah, so our team continuously assesses changes across the over 350 regulations that we support today and growing. We translate those requirements, mapping both Microsoft Managed Actions and your Improvement Actions that help with fulfillment. And in fact, Compliance Manager sets up a default alert policy to monitor for score changes in those Improvement Actions. When an update is available for an Improvement Action, we'll notify you, as you can see here, with pending updates. And you can accept the update or come back to it later. But in this case, I choose to accept it.

Speaker 1: And everything that you've shown today really helps people get compliant faster and also stay compliant. So for anyone who's watching right now, what do you recommend people do to get started with Compliance Manager?

Speaker 2: Don't wait and get started today. The data protection baseline is available to all versions of Office and Microsoft 365. Just go to aka.ms.compliancemanager. And you can also set up a free trial for premium templates at aka.ms.compliancemanager. These will help you take your compliance posture to the next level.

Speaker 1: Thanks so much, Daniel, for joining us today and also giving us the great tour on Compliance Manager. Of course, keep watching Microsoft Mechanics for the latest updates. And don't forget to subscribe to our channel if you haven't already. And as always, thank you so much for watching.
