Post on 31-Mar-2015
John Howie, Sr. Director, Online Services Security and Compliance, Technical Security Services, Global Foundation Services, Microsoft Corporation
Creating a Standard Response to Request for Information using CCM
Cloud Security Challenges
Growing interdependence amongst public and private sector: mutual expectations that platform services and hosted applications be secure and available.
Evolving technologies, changing business models, dynamic hosting environment: keeping pace with growth and anticipating future needs is essential to running an effective security program.
Complex, global regulatory requirements and industry standards: each country may pass its own laws that govern the provision and use of online environments.
Increasing sophistication of attacks: malicious activity focuses on infiltrating and disrupting online service offerings.
Global Foundation Services: Microsoft’s Cloud Environment
Cloud Platform Services
Cloud Infrastructure
Consumer and Small Business Services
Enterprise Services
Third-Party Hosted Services
Security, Global Delivery, Sustainability, Infrastructure
Comprehensive Compliance Framework
Certification and Attestations: ISO/IEC 27001:2005 certification; Statement of Auditing Standard 70 type II attestation; PCI DSS certification; FISMA certification and accreditation
Predictable Audit Schedule: test effectiveness and assess risk; attain certifications and attestations; improve and optimize; examine root cause of non-compliance; track until fully remediated
Controls Framework: identify and integrate regulatory requirements and customer requirements; assess and remediate; eliminate or mitigate gaps in control design
Industry Standards and Regulations: Payment Card Industry Data Security Standard; Health Insurance Portability and Accountability Act; FISMA (NIST 800-53 r3); Sarbanes-Oxley, privacy laws, etc.
Microsoft Confidential
Security Policy and Standards
• Security Policy
 – Applies to all of Microsoft
 – High-level objectives
 – Aligns to industry standards
  • ISO/IEC 27001:2005, NIST SP800-53r3, etc.
• Security Standards
 – Apply to Online Services
 – Low-level, high-detail
• Baseline Configurations
 – Technology- and environment-specific
• Standard Operating Procedures
 – Business- and property-specific implementations
Global Foundation Services: Scope of Cloud Controls Matrix
Cloud Platform Services
Cloud Infrastructure
Consumer and Small Business Services
Enterprise Services
Third-Party Hosted Services
Security, Global Delivery, Sustainability, Infrastructure
Documenting Cloud Control Matrix
Leveraged frameworks built from statutory and regulatory compliance obligations and used in audits
Exist at both Global Foundation Services and Office 365
Based on ISO/IEC 27002 and supplemented with specific controls from obligations
Each control is described with a response
Proof of controls comes in the form of our ISO/IEC 27001:2005 certifications and SAS No. 70/SSAE 16 reports
Example of use of Cloud Control Matrix (CCM Version R1.1 Final)

Control ID in CCM: DG-01
Description: Data Governance - Ownership / Stewardship. All data shall be designated with stewardship with assigned responsibilities defined, documented and communicated.
Microsoft Response: Microsoft Online Services has implemented a formal policy that requires assets (the definition of asset includes data and hardware) used to provide Microsoft Online Services to be accounted for and have a designated asset owner. Asset owners are responsible for maintaining up-to-date information regarding their assets. “Allocation of information security responsibilities and ownership of assets” is covered under the ISO 27001 standards, specifically addressed in Annex A, domains 6.1.3 and 7.1.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

Control ID in CCM: DG-02
Description: Data Governance - Classification. Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization and third party obligation for retention and prevention of unauthorized disclosure or misuse.
Microsoft Response: Microsoft Online Services standards provide guidance for classifying assets into several applicable security classification categories, and then implement a standard set of security and privacy attributes. “Information classification” is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 7.2. For more information, review of the publicly available ISO standards we are certified against is suggested.
Security, Trust and Assurance Registry
Our Standard Response is our STAR submission
One document, based on CCM, is Microsoft’s position on security and privacy for Office 365
Future Work
Microsoft will keep the Standard Response current as Cloud Control Matrix is updated
Microsoft is investigating use of Control Assessment Initiative Questionnaire
Might be more appropriate for other services and questions and inquiries from customers and policy-makers
We are evaluating CloudAudit
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.