COMPLIANCE IN THE CLOUD

Executive summary

Conducting risk assessments of information management systems is a critical activity for any organization. Many organizations must conduct annual risk assessments or audits to gain an understanding of the ongoing effectiveness of the security, compliance, and privacy controls implemented by their organization or their cloud service provider. If you are a regulated organization that is considering or using a cloud service, you must perform due diligence to determine whether the cloud service meets your security, compliance, and privacy requirements.

Let’s discuss some of the solutions from KAMIND IT that help customers overcome the challenges that can make it difficult to achieve organizational compliance when using cloud services. These solutions provide you with rich details about KAMIND IT internal controls and how they are designed to meet comprehensive regulatory standards. To help you overcome compliance management challenges, meet regulatory requirements, and conduct self-service audits and risk assessments, we’ve introduced the Service Trust Portal and Compliance Manager. They’re designed to help organizations meet complex compliance obligations and improve data protection capabilities when choosing and using Microsoft Cloud services.


Compliance Challenges

Data protection compliance is a complex and disjointed process. To achieve organizational compliance, compliance personnel need to have a solid understanding of risk assessment, auditing, operations, technology, and more. Compliance personnel are the experts in industrial regulations and standards, while IT professionals are the experts in technology solutions. The disconnection between compliance and IT departments makes it challenging to equip an organization with enough capabilities to achieve data protection compliance. Moreover, in this mobile-first, cloud-first world, organizations now encourage employees to use multiple devices and various on-premises or cloud applications to enhance their productivity. Multiple data-hosting assets further increase the complexity of data protection compliance. It’s a big burden for compliance personnel to stay up-to-date with all the changes. 32 percent of companies spend more than four hours per week merely creating and amending reports to the board. This means compliance personnel need more assistance, either from a software service or consulting service, to help them meet evolving regulatory requirements. In Figure 1, we can see that heavy human involvement is invested in upfront policy interpretation and internal audits. Organizations need to have enough knowledge to interpret policies and define internal controls to meet requirements. They also need strong technology capabilities to implement data-protection-related controls, as well as a better way to manage all their compliance records for audits.


Achieving organizational compliance is extremely challenging. To help organizations manage compliance requirements from a single place, Microsoft developed a new solution, Compliance Manager. You can find more details below.

KAMIND IT Control Frameworks

KAMIND IT demonstrates our cloud compliance to organizations transparently to build their trust in the Microsoft Cloud and to help them become more willing to adopt and use cloud technology. Obtaining compliance certification is one of the best ways to prove to businesses that we understand what is needed to protect their data. The certification process also motivates us to design better controls. Having a control framework helps Microsoft manage compliance activities more efficiently, because many regulations and standards share common requirements. KAMIND IT and Microsoft have more than 1,100 controls that help meet the requirements of various regulations and standards, including GDPR, ISO 27001, ISO 27018, FedRAMP, HIPAA, and others. Having such a broad set of controls implemented and tested gives KAMIND IT, using the Microsoft Intelligent Cloud, the ability to support regulations and standards worldwide.

Shared Responsibilities

When organizations have their data on-premises, they are responsible for 100 percent of the controls to secure data and be compliant with regulations or standards.

Once they move their data to cloud services, such as Office 365, Dynamics 365, or Azure, it becomes a partnership—a shared responsibility—to achieve compliance. The Microsoft Intelligent Cloud assumes and manages the larger part of these controls for software as a service (SaaS) like Office 365, Dynamics 365, and others. This enables organizations to focus on and manage a smaller subset of data protection and regulatory compliance controls.


Under this shared responsibility model, KAMIND IT helps organizations protect their data and stay compliant with relevant regulations and standards when they use Microsoft Cloud services. With Office 365, we use Lockbox to restrict and control access to the production environment and customer data, but also offer features like Customer Lockbox, which allows customers to be part of the chain of approval required for elevated access. Another example is encryption, where we deliver baseline industry-standard encryption by default for data in transit and at rest, but also provide features like Azure Information Protection and Office 365 Customer Key to give customers additional levels of control. A final example is personnel control, where responsibility is equally shared. At KAMIND IT, we train our employees to protect customer data and report suspected security incidents, and we emphasize the need for customers to do the same in their organizations.

Compliance Manager
This self-service risk assessment tool enables you to track, assign, and verify your organization’s compliance activities related to Microsoft Cloud services, such as Office 365, Dynamics 365, and Microsoft Azure.

Audit reports
Audit reports help you stay current on the latest privacy, security, and compliance information for Microsoft Cloud services. This includes ISO, SOC, FedRAMP, and other audit reports, bridge letters, and materials related to independent third-party audits of Microsoft Cloud services.

Data protection guides
Data protection guides provide information about how Microsoft Cloud services protect your data, and how you can manage cloud data security and compliance for your organization. This includes deep-dive white papers that provide details on the design and operation of our cloud services, FAQs, end-of-year security assessments, penetration test results, and the compliance guide, which provides guidance for conducting risk assessments and improving data protection capabilities.

Trust documents
Currently, there are three categories of documents that provide many resources for assessing Microsoft Cloud; learning our security, compliance, and privacy practices; and improving data protection capabilities.

Azure Security and Compliance Blueprints
Azure Security and Compliance Blueprints provide resources to assist with building and launching cloud-powered applications that help organizations comply with regulations and standards. Blueprints include the resources listed below for the Government, Finance, Healthcare, and Retail industries:

  • Industry-specific overview and guidance.
  • Customer responsibilities matrix.
  • Reference architectures with threat models.
  • Control implementation matrices.
  • Automation to deploy reference architectures.

Privacy resources

Documentation and tools for data protection impact assessments, data subject requests (DSRs), and data breach notifications are provided to incorporate into your own accountability program in support of the General Data Protection Regulation (GDPR). The privacy section provides resources for multiple areas, including the following.

  • Data Subject Requests
    Data subject requests provide information about how specific Microsoft Cloud services enable organizations to discover, access, rectify, restrict, delete, and export personal data, and connect organizations to the DSR tools Microsoft builds to help them respond to DSRs (for example, Data Log Export for responding to telemetry log DSRs).
  • Data Breach Notifications
    Data breach notifications provide information about how Microsoft detects and responds to personal data breaches, and how organizations can set up their privacy contact to receive breach notifications from Microsoft in the event of a personal data breach.
  • Data Protection Impact Assessments
    Data protection impact assessments provide information about Microsoft’s and organizations’ responsibilities for DPIA compliance, and documentation from Microsoft that can support organizations to create their own DPIAs on Microsoft Cloud services.

Simplified Compliance

Compliance Manager helps simplify the compliance process by providing built-in tools to collaborate on and track your compliance activities, reducing the need to rely on paperwork or spreadsheets to manually collect information across multiple teams.

To make collaboration across teams easier, the control management tool allows compliance officers and data protection officers to track each control in Compliance Manager and assign it to the corresponding role (such as IT admin, HR, or the privacy team). The people assigned the task can enter the control implementation details and upload evidence to Compliance Manager to record their actions for auditing. Any data uploaded and stored in Compliance Manager is also stored in Microsoft Cloud storage.

By tracking control progress in real time across various workflows, compliance officers and risk assessors can perform proactive, ongoing assessments to get ready for audits. You can generate richly detailed reports in a few clicks in Microsoft Excel to document Microsoft’s and your compliance activities, complete with links to the evidence collected. The audit-ready report can help your organization be better prepared for internal or external auditing; it can also be provided to auditors, regulators, and other compliance stakeholders. To meet your auditing needs based on your organizational structure, Compliance Manager provides a Group functionality to help you group assessments by region, business unit, or year, depending on your compliance workload design. Records and evidence of common controls across regulations and standards in the same Group are synchronized, thereby reducing duplicated effort to satisfy identical requirements across different assessments.

Conclusion

The Service Trust Portal and Compliance Manager help simplify your compliance journey by giving you the information and tools to conduct risk assessments and manage your end-to-end compliance processes when using Microsoft Cloud services. With these two tools, you’ll be able to assess your compliance risks more easily throughout the process of considering and adopting Microsoft Cloud services.