risk management in microsoft online services
Updated August 10, 2009
Security in Business Productivity Online Suite
Agenda
What is Business Productivity Online Suite
Microsoft Online Services Risk Management
Security
Privacy & Regulatory
Service Continuity
Compliance Management
Customer Benefits
Q&A
Business Productivity Online Suite
Some existing customers
Risk Management Program
Information Security Policy
Security
Privacy
Service Continuity
Compliance Management
Security Program
A risk-based, multi-dimensional approach to help safeguard services and data
Security Management: Security Monitoring & Response, Threat & Vulnerability Management
Network perimeter: Edge Routers, Firewalls, Intrusion Detection, Vulnerability Scanning
Internal Network: Dual-factor Authentication, Intrusion Detection, Vulnerability Scanning
Host: Access Control & Monitoring, Anti-Malware, Patch & Config Mgmt
Application: Secure Development Lifecycle, Access Control & Monitoring, Anti-Malware
Data: Access Control & Monitoring, File/Data Integrity
User Account Management, Training & Awareness, Screening
Facility: Video Surveillance, Biometrics, Access Control
Privacy Program
Designed to establish consistent "high bar" privacy practices that support global standards for data handling and transfer
Documented & enforced privacy requirements
Microsoft Online Services Privacy Statement
Microsoft Online Services Privacy and Regulatory Divisional Requirements Specific to Software + Services
Corporate-level Privacy Guidelines for Service Development
Privacy disclosures & transparency
Microsoft Online Services Privacy Statement
EU Safe Harbor Certification
Notice
Choice
Disclosure
Service Continuity Program
Service Continuity Management
Governance
Business Impact Analysis
Dependency Analysis
Gap Analysis & Reporting
Strategies & Solutions
Planning
Maintaining & Exercising
Training & Awareness
Business Impact Assessment
Single point of failure and dependency analysis
Defined recovery objectives
Documented recovery plans and procedures
Recovery exercises
Compliance Management
Rationalize and harmonize requirements
Microsoft internal
Corporate (security & privacy policies, etc.)
Microsoft Online Services (security & privacy policies)
Trustworthy Computing (SDL, Engineering Excellence, etc.)
Industry & regulatory
Industry best practices: ISO/IEC 27001:2005, NIST SP 800-53
Customer requirements: SOX, HIPAA, FISMA, GLBA, PCI DSS
Data protection laws
Inputs: Geo Political, Industry & Regulatory, Microsoft Internal
Common Baseline Requirements
Conditional Requirements
Remove non-applicable, harmonize redundant, identify conditional
Compliance Monitoring & Assessment
Internal monitoring
Technical compliance (patch and configuration mgmt, vulnerability scans, penetration tests, etc.)
Personnel compliance (training and awareness, screening, etc.)
Process compliance (business process evaluation, change control, access management, etc.)
Physical security compliance (CCTV monitoring, access control and logging, etc.)
Third Party validation
Facilities & infrastructure services: ISO cert + SAS 70
BPOS Dedicated: ISO aligned + SAS 70
BPOS Standard: ISO aligned
Microsoft Online Services
Planning
Assessment
Remediation
Reporting
Commitment in Action
What we provide
Services are designed, engineered and operated with security as a core tenet
Privacy of customer data is respected
Audits demonstrate independent validation
Service resiliency and service and data recoverability are fundamental to service operations
99.9% uptime SLA
Customer benefits
Mature and comprehensive security management
Service upgrades and security updates
Comprehensive security monitoring and response
Customer control over customer data
Compliance management capabilities available to customers
Additional Resources
Microsoft Online Services: www.microsoft.com/online
Business Productivity Online Suite
• 30-day free trial: http://www.microsoft.com/online/products.mspx
• Technical information on TechNet: http://technet.microsoft.com/msonline
• Service descriptions, developer guide, service level agreement, migration/deployment guides and tools, and other technical information and blogs
• Security white paper: http://go.microsoft.com/fwlink/?LinkID=125754&clcid=0x409
• Privacy policy: http://www.microsoft.com/online/legal/MOS_Privacy_Statement_Full.htm
Thank You!