TRANSCRIPT
Compliance Framework and Best Practices for Online Services
Mark Estberg and John Howie
Senior Directors
Microsoft Corporation
March 2010
Your Presenters
Mark Estberg, Senior Director
Risk and Compliance Management
Online Services Security and Compliance
Microsoft
John Howie, Senior Director
Technical Security Services
Online Services Security and Compliance
Microsoft
Agenda
• The Microsoft Cloud Infrastructure
• Cloud Security Challenges
• How Microsoft Responds to the Challenges
– Risk-based Information Security Program
– Security Controls
– Comprehensive Compliance Framework
This external-use deck aligns to and supports the “Microsoft Compliance Framework for Online Services” and “Securing Microsoft’s Cloud Infrastructure” white papers, which can be downloaded at www.globalfoundationservices.com
Powering Online Services
200+ Sites and Services
Global Foundation Services
The Microsoft Cloud Environment
Cloud Infrastructure
• Physical Infrastructure
• Logical Infrastructure
• Compute Runtimes
• Identity and Directory Stores
Cloud Platform Services
• And Others
Services hosted on the platform
• Consumer and Small Business Services
• Enterprise Services
• Third-Party Hosted Services
Cloud Security Challenges
Cloud Challenges
Growing Interdependence Amongst Public and Private Sector
With these new dependencies come mutual expectations that platform services and hosted applications be secure and available.
Complex, Global Regulatory Requirements and Industry Standards
Each country may pass its own laws that govern the provision and use of online environments.
Evolving Technologies, Changing Business Models, Dynamic Hosting Environment
Keeping pace with growth and anticipating future needs is essential to running an effective security program.
Increasing Sophistication of Attacks
Malicious activity focuses on infiltrating and disrupting online service offerings.
Microsoft Response to Challenges
Risk-based Information Security Program
Maintaining a Deep Set of Security Controls
Comprehensive Compliance Framework
Response to Cloud Security Challenges
Comprehensive Framework
Certification and Attestations
• ISO/IEC 27001:2005 certification
• Statement of Auditing Standard 70 Type I and Type II attestations
Industry Standards and Regulations
• Payment Card Industry Data Security Standard
• Health Insurance Portability and Accountability Act
• Media Ratings Council
• Sarbanes-Oxley, etc.
Compliance Process
• Identify and integrate:
– Regulatory requirements
– Customer requirements
• Assess and remediate:
– Eliminate or mitigate gaps in control design
• Test effectiveness and assess risk
• Attain certifications and attestations
• Improve and optimize:
– Examine root cause of non-compliance
– Track until fully remediated
Controls Framework
Predictable Audit Schedule
Control Framework: Domains
Domains
Structure
1. General Information
2. Information Security
3. Organization of Information Security
4. Asset Management
5. Human Resources Security
6. Physical and Environmental Security
7. Communications and Operations Management
8. Access Control
9. Information Systems Acquisition, Development, and Maintenance
10. Information Security Incident Management
11. Business Continuity Management
12. Risk Management
13. Compliance
14. Privacy
Control Framework: Structure
• Domain
• Sub Domain
• Control Objective
• Associated Standard (External Compliance Requirement)
• Applicable Security, Standard Operating Procedure, or System Reference
• Sample Control Activity
• Sample Testing Activity
Control Modules
Microsoft Online Services Security Confidence
Born from years of experience managing security risks in traditional development and operating environments
Strategic Information Security Program
Based on industry best practices to enable rapid adaptation to cloud infrastructure changes
Certification Framework
Streamlines the certification process for product and service delivery teams
Trusted Brand
Established through meeting business obligations along with legal and commercial expectations
Questions and Answers
• Submit text questions using the “Ask” button
• Don’t forget to fill out the survey
• For upcoming and previously live webcasts:
www.microsoft.com/webcast
• Got webcast content ideas? Contact us at:
http://go.microsoft.com/fwlink/?LinkId=41781
© 2010 Microsoft Corporation. All rights reserved. Microsoft and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.