Risk Management in Microsoft Online Services

Uploaded by microsoft-private-cloud, posted 14-Dec-2014

Page 1: Risk Management in Microsoft Online Services

Updated August 10, 2009

Security in Business Productivity Online Suite

Page 2: Agenda

• What is Business Productivity Online Suite
• Microsoft Online Services Risk Management
    • Security
    • Privacy & Regulatory
    • Service Continuity
    • Compliance Management
• Customer Benefits
• Q&A

Page 3: Business Productivity Online Suite

Some existing customers

Page 4: Risk Management Program

Information Security Policy, covering four pillars:

• Security
• Privacy
• Service Continuity
• Compliance Management

Page 5: Security Program

A risk-based, multi-dimensional approach to help safeguard services and data

Layer                 Controls
Security Management   Security Monitoring & Response, Threat & Vulnerability Management
Network perimeter     Edge Routers, Firewalls, Intrusion Detection, Vulnerability Scanning
Internal Network      Dual-factor Authentication, Intrusion Detection, Vulnerability Scanning
Host                  Access Control & Monitoring, Anti-Malware, Patch & Config Mgmt
Application           Secure Development Lifecycle, Access Control & Monitoring, Anti-Malware
Data                  Access Control & Monitoring, File/Data Integrity
(unlabeled)           User Account Management, Training & Awareness, Screening
Facility              Video Surveillance, Biometrics, Access Control

Page 6: Privacy Program

Designed to establish consistent "high bar" privacy practices that support global standards for data handling and transfer

Documented & enforced privacy requirements
• Microsoft Online Services Privacy Statement
• Microsoft Online Services Privacy and Regulatory Divisional Requirements Specific to Software + Services
• Corporate-level Privacy Guidelines for Service Development

Privacy disclosures & transparency
• Microsoft Online Services Privacy Statement
• EU Safe Harbor Certification
• Notice, Choice, Disclosure

Page 7: Service Continuity Program

Service Continuity Management (lifecycle)
• Governance
• Business Impact Analysis
• Dependency Analysis
• Gap Analysis & Reporting
• Strategies & Solutions
• Planning
• Maintaining & Exercising
• Training & Awareness

Program elements
• Business Impact Assessment
• Single point of failure and dependency analysis
• Defined recovery objectives
• Documented recovery plans and procedures
• Recovery exercises

Page 8: Compliance Management

Rationalize and harmonize requirements

Inputs
• Microsoft internal
    • Corporate (security & privacy policies, etc.)
    • Microsoft Online Services (security & privacy policies)
    • Trustworthy Computing (SDL, Engineering Excellence, etc.)
• Industry & regulatory
    • Industry best practices: ISO/IEC 27001:2005, NIST SP 800-53
    • Customer requirements: SOX, HIPAA, FISMA, GLBA, PCI DSS
• Geo-political
    • Data protection laws

Outputs
• Common Baseline Requirements
• Conditional Requirements

Process: remove non-applicable, harmonize redundant, identify conditional

Page 9: Compliance Monitoring & Assessment

Internal monitoring
• Technical compliance (patch and configuration mgmt, vulnerability scans, penetration tests, etc.)
• Personnel compliance (training and awareness, screening, etc.)
• Process compliance (business process evaluation, change control, access management, etc.)
• Physical security compliance (CCTV monitoring, access control and logging, etc.)

Third-party validation
• Facilities & infrastructure services: ISO cert + SAS 70
• BPOS Dedicated: ISO aligned + SAS 70
• BPOS Standard: ISO aligned

Microsoft Online Services compliance cycle: Planning, Assessment, Remediation, Reporting

Page 10: Commitment in Action

What we provide
• Services are designed, engineered and operated with security as a core tenet
• Privacy of customer data is respected
• Audits demonstrate independent validation
• Service resiliency and service and data recoverability are fundamental to service operations
• 99.9% uptime SLA

Customer benefits
• Mature and comprehensive security management
• Service upgrades and security updates
• Comprehensive security monitoring and response
• Customer control over customer data
• Compliance management capabilities available to customers

Page 11: Additional Resources

Microsoft Online Services: www.microsoft.com/online

Business Productivity Online Suite
• 30 day free trial: http://www.microsoft.com/online/products.mspx
• Technical information on TechNet: http://technet.microsoft.com/msonline
• Service descriptions, developer guide, service level agreement, migration/deployment guides and tools and other technical information and blogs
• Security white paper: http://go.microsoft.com/fwlink/?LinkID=125754&clcid=0x409
• Privacy policy: http://www.microsoft.com/online/legal/MOS_Privacy_Statement_Full.htm

Page 12: Thank You!