Trusting Office 365 Privacy Transparency Compliance Security.
Presentation transcript:

1 Trusting Office 365: Privacy, Transparency, Compliance, Security

2 Trusting The Cloud
It's all over the news: "Can I trust the cloud?"
Key concerns: Privacy; Loss of Control; Regulatory; Physical/Logical Security
"Cloudy with a chance of rain"
"What is holding IT managers back (from going to the cloud) is fear about security." — The Economist, March 5, 2010

3 The Trust Questions…
Privacy: What does privacy at Microsoft mean? Are you using my data to build advertising products?
Transparency: Where is my data? Who has access to my data?
Compliance: What certifications and capabilities does Microsoft hold? How does Microsoft support customer compliance needs? Do I have the right to audit Microsoft?
Security: Is cloud computing secure? Are Microsoft Online Services secure?

4 Office 365 Trust Center
Clear messaging in plain English
Details for security experts
Links to videos and whitepapers
http://trust.office365.com

5 The Trust Principles: a cohesive process combining four pillars
Transparency: You know 'where' data resides, 'who' can access it and 'what' we do with it
Security: Excellence in cutting-edge security practices
Compliance: Compliance with world-class industry standards verified by 3rd parties

6 Privacy: Your Privacy Matters

7 Privacy at Office 365
At Microsoft, our strategy is to consistently set a "high bar" around privacy practices that support global standards for data handling and transfer.
No Mingling: Choices to keep Office 365 Customer Data separate from consumer services.
Data Portability: Office 365 Customer Data belongs to the customer. Customers can export their data at any time.
No Advertising: No advertising products out of Customer Data. No scanning of email or documents to build analytics or mine data.

8 How Is Privacy of Data Protected?
We use customer data for just what they pay us for: to maintain and provide the Office 365 Service.

Use of Microsoft Online Services Customer Data, by data category (Usage Data; Account and Address Book Data; Customer Data excluding Core Customer Data; Core Customer Data):
Operating and Troubleshooting the Service: Yes
Security, Spam and Malware Prevention: Yes
Improving the Purchased Service, Analytics: Yes / No
Personalization, User Profile, Promotions: No / Yes / No
Communications (Tips, Advice, Surveys, Promotions): No / No-Yes / No
Voluntary Disclosure to Law Enforcement: No
Advertising: No

Who has access, by data category (Usage Data; Address Book Data; Customer Data excluding Core Customer Data; Core Customer Data):
Operations Response Team (limited to key personnel only): Yes. / Yes, as needed. / Yes, by exception.
Support Organization: Yes, only as required in response to a Support Inquiry. / No.
Engineering: Yes. / No direct access; may be transferred during troubleshooting. / No.
Partners: With customer permission. See Partner for more information.
Others in Microsoft: No. / No (Yes for Office 365 for small business customers, for marketing purposes). / No.

9 Transparency: You know 'where' data resides, 'who' can access it and 'what' we do with it.

10 Transparency
At Microsoft, our strategy is to consistently set a "high bar" around privacy practices that support global standards for data handling and transfer.
Where is Data Stored? Clear data maps and geographic boundary information are provided. The 'Ship To' address determines the data center location.
Who accesses, and what is accessed? Core Customer Data is accessed only for troubleshooting and malware prevention purposes. Core Customer Data access is limited to key personnel on an exception basis.
How to get notified? Microsoft notifies you of changes in data center locations.

11 Security: Excellence in cutting-edge security practices

12 Relentless on Security
Excellence in cutting-edge security practices, layered across: Data; Application; Network; Host Security; Identity and Access Management; Physical

13 Information Security
Visibility and Control: Integrated administration, reporting, and auditing. Granular control over user access and permissions. Mobile security policies and remote device wipe.
Comprehensive Protection: Multi-layered protection against spam and malware. Effectiveness guaranteed by 5 financially-backed SLAs. In-product controls that help protect users from threats.
Business Productivity: Communicate and collaborate more securely using Exchange, SharePoint, Lync, and Office. Policy rules that inspect emails in transit. Integration with AD RMS to safeguard sensitive data. End-to-end encryption of communications.

14 Microsoft Security Development Lifecycle
Working to protect our users: reduce vulnerabilities, limit exploit severity.
Education: Administer and track security training
Process: Guide product teams to meet SDL requirements
Accountability: Establish release criteria and sign-off as part of the Final Security Review (FSR); Incident Response (MSRC)

Phases and activities:
Training: Core Security Training
Requirements: Establish Security Requirements; Create Quality Gates / Bug Bars; Security & Privacy Risk Assessment
Design: Establish Design Requirements; Analyze Attack Surface; Threat Modeling
Implementation: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis
Verification: Dynamic Analysis; Fuzz Testing; Attack Surface Review
Release: Incident Response Plan; Final Security Review; Release Archive
Response: Execute Incident Response Plan
Ongoing Process Improvements – 12 month cycle

15 Common Security Concern: Customer data at rest is not encrypted
Options: For "sensitive" data, implementation of Active Directory Rights Management Services (RMS). For "sensitive" externally sent/received e-mail, customers employ S/MIME.
Trade-offs: Encryption impacts service functionality (e.g. search and indexing). Identity/key management issues.
The customer makes the decision.

16 Compliance: Compliance with world-class industry standards verified by 3rd parties (Independently Verified)

17 Why Get Independently Verified?
"I need to know Microsoft is doing the right things"
Alignment with and adoption of industry standards ensure a comprehensive set of practices and controls is in place to protect sensitive data.
While not permitting customer audits, we provide independent third-party verifications of Microsoft security, privacy, and continuity controls.
This saves customers time and money, and allows Office 365 to provide assurances to customers at scale.
Microsoft provides transparency.

18 Compliance Management Framework
Policy: Business rules for protecting information and the systems which store and process information
Control Framework: A process or system to assure the implementation of policy
Standards: System- or procedure-specific requirements that must be met
Operating Procedures: Step-by-step procedures

19 Office 365 Compliance
We are the first and only major cloud-based productivity service to offer the following:
Data Processing Agreement: Addresses privacy, security and handling of Customer Data. Goes above and beyond the EU Model Clauses to address additional requirements from individual EU member states. Enables customers to comply with their local regulations.
EU Model Clauses: A set of stringent European Union-wide data protection requirements. Office 365 is the first major business productivity public cloud service provider willing to sign EU Model Clauses with all customers.
ISO 27001: One of the best security benchmarks available across the world. Office 365 is the first major business productivity public cloud service to implement rigorous ISO security controls on physical, logical, process and management.

20 Office 365 Compliance: complying with additional industry-leading standards
EU Safe Harbor: The EU generally prohibits personal data from crossing borders into other countries except under circumstances in which the transfer has been legitimated by a recognized mechanism, such as the "Safe Harbor" certification. Microsoft was first certified under the Safe Harbor program in 2001, and we recertify compliance with the Safe Harbor Principles every twelve months.
US Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a U.S. law that requires HIPAA covered entities to meet certain privacy and security standards with respect to individually identifiable health information. Microsoft is offering to sign the Business Associate Agreement (BAA) for any Microsoft Enterprise Agreement customer. The BAA helps enable our customers to comply with HIPAA concerning protected health information.

21 How To Sign Up For EU Model Clauses

22 Resources
Office 365 Trust Center (http://trust.office365.com)
Office 365 Privacy Whitepaper (New!)
Office 365 Security Whitepaper and Service Description
Office 365 Standard Responses to Request for Information
Office 365 Information Security Management Framework
