Microsoft cares deeply about supporting compliance with specific standards and regulations related to data security and privacy, as required by their customers in various geographies and industries. They consider compliance a core feature of their services, and they make significant investments in this area to ensure that they are continuously innovating on compliance as they do with all the other aspects of Office 365. To this end, they announced two new additions to their compliance capabilities in the second week of February 2015: ISO 27018 and HITRUST.
ISO 27018 compliance
In their most recent ISO 27001 audit, an independent auditor validated that Microsoft incorporated controls that comply with the ISO 27018 standard for protection of personally identifiable information (PII) in public clouds.
ISO/IEC 27018 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
There are three big commitments enabled by these controls:
- Office 365 is “advertising-free,” so customers don’t have to worry that the data they put into Office 365 is used for advertising or marketing purposes;
- There are defined policies for the return, transfer and secure disposal of PII; and
- Office 365 proactively discloses the identities of sub-processors.
HITRUST compliance
Developed in collaboration with healthcare and information security professionals, the HITRUST CSF rationalizes healthcare-relevant regulations and standards into a single overarching security framework. HITRUST leverages the concepts and rating scheme of the NISTIR 7358 standard, Program Review for Information Security Management Assistance (PRISMA), to assess an organization's security management program. The methodology is a proven, scalable process for evaluating an organization's information security program. The structure of a PRISMA Review is based upon the Software Engineering Institute's (SEI) former Capability Maturity Model (CMM), where an organization's developmental advancement is measured by one of five maturity levels. The rating is an indicator of an organization's ability to protect information in a sustainable manner.
Microsoft also announced that the Office 365 team, in partnership with an independent assessor, completed an assessment to evaluate their compliance with HITRUST. Viewed as an important standard by U.S. healthcare organizations, HITRUST has established the Common Security Framework (CSF), a certifiable framework that can be used by any organization that creates, accesses, stores or exchanges personal health and financial information. Using the five-level maturity rating scheme described above, an independent auditor evaluated the Microsoft security program overall at a Level 5 rating, which is the highest possible rating.
These two announcements further demonstrate Microsoft's commitment as a cloud service provider to build privacy as a foundational component of their services.
Microsoft understands that security and compliance are extremely important to their customers, so they make it a core part of how they design and manage the service. As they rapidly innovate in productivity services with Office 365, they will continue to invest in making Office 365 a service that is highly secure and compliant with global as well as regional and industry-specific standards and regulations. One can learn more about security and compliance in Office 365 by visiting the Office 365 Trust Center.