Microsoft is aware of these trust issues and has created a central storehouse called the Service Trust Portal (STP) for information about them. STP is a website, shown in Figure 3-43, available to everyone at http://aka.ms/stp, although some parts of the site are restricted to registered users of Microsoft 365 and other products. See Figure 3-44.
FIGURE 3-44 The Microsoft Service Trust Portal website
Among the many resources on the site are links to documents in the following categories:
- Audit Reports: Provide independent audit and assessment reports of Microsoft’s cloud services, evaluating their compliance with standards such as those published by the International Organization for Standardization (ISO), Service Organization Controls (SOC), National Institute of Standards and Technology (NIST), Federal Risk and Authorization Management Program (FedRAMP), and General Data Protection Regulation (GDPR)
- Documents & Resources: Consist of a large library of documents, including white papers, FAQs, compliance guides, penetration test reports, Azure security and compliance blueprints, and other data protection resources
- Compliance Manager: Assesses and scores an organization’s regulatory compliance based on multiple published standards
- Industries & Regions: Provide documents containing compliance information for specific industries—such as education, financial services, government, health care, manufacturing, and retail—and specific countries, including Australia, Czech Republic, Germany, Poland, Romania, Spain, and the United Kingdom
- Trust Center: Links to the Trust Center site, which provides documentation on how Microsoft supports security, privacy, compliance, and transparency in its cloud services
- Resources: Provide information about Microsoft’s global datacenters, security and compliance information for Microsoft 365, and a FAQ list for the Service Trust Portal
- My Library: Enables users to pin documents from the site onto a separate user page for quick reference later
Microsoft Purview
Microsoft Purview is an umbrella brand that includes Microsoft’s data risk, compliance, and governance tools, some of which were, at one time, separate products. For example, Azure Purview and the Microsoft 365 Compliance Manager are now available through the Microsoft Purview portal, shown in Figure 3-45.
FIGURE 3-45 The Microsoft Purview portal
Compliance Manager
Compliance Manager—now incorporated into the Microsoft Purview portal—is a risk assessment tool that enables an organization to track and record its activities to achieve compliance with specific certification standards. An assessment of an organization’s compliance posture is based on the capabilities of the Microsoft 365 cloud services and how the organization uses them, compared to an existing standard, regulation, or law.
The home page for the Compliance Manager tool in the Purview portal contains an Overview tab that displays the general compliance score for the network and a list of key improvement actions, along with their status, Impact values, and completion states, as shown in Figure 3-46.
FIGURE 3-46 The Compliance Manager page in the Microsoft Purview portal
Selecting an improvement action displays a detailed information screen describing the reasons for the action and providing instructions on how to implement it, as shown in Figure 3-47.
FIGURE 3-47 Detail of an improvement action in Compliance Manager in the Microsoft Purview portal
Enterprise networks can be subject to a wide variety of compliance standards, and Compliance Manager includes a long list of regulations, shown in Figure 3-48. Administrators can select a particular standard and configure Compliance Manager to assess the network and determine to what degree it is compliant with the selected standard.
FIGURE 3-48 The Regulations tab in Compliance Manager in the Microsoft Purview portal