Risk Management in Microsoft Online Services

1. Security in Business Productivity Online Suite
   Updated August 10, 2009

2. Agenda
   - What is Business Productivity Online Suite
   - Microsoft Online Services Risk Management
   - Security
   - Privacy & Regulatory
   - Service Continuity
   - Compliance Management
   - Customer Benefits
   - Q&A

3. Business Productivity Online Suite
   Some existing customers

4. Risk Management Program
   - Information Security Policy
   - Security
   - Privacy
   - Service Continuity
   - Compliance Management

5. Security Program
   A risk-based, multi-dimensional approach to help safeguard services and data. Controls are applied at each layer:
   - Security Management: Security Monitoring & Response, Threat & Vulnerability Management
   - Data: Access Control & Monitoring, File/Data Integrity
   - User: Account Management, Training & Awareness, Screening
   - Application: Secure Development Lifecycle, Access Control & Monitoring, Anti-Malware
   - Host: Access Control & Monitoring, Anti-Malware, Patch & Config Mgmt
   - Internal Network: Dual-factor Authentication, Intrusion Detection, Vulnerability Scanning
   - Network perimeter: Edge Routers, Firewalls, Intrusion Detection, Vulnerability Scanning
   - Facility: Video Surveillance, Biometrics, Access Control

6. Privacy Program
   Designed to establish consistent "high bar" privacy practices that support global standards for data handling and transfer.
   Documented & enforced privacy requirements:
   - Microsoft Online Services Privacy Statement
   - Microsoft Online Services Privacy and Regulatory Divisional Requirements Specific to Software + Services
   - Corporate-level Privacy Guidelines for Service Development
   Privacy disclosures & transparency:
   - Microsoft Online Services Privacy Statement
   - EU Safe Harbor Certification

7. Service Continuity Program
   - Business Impact Assessment
   - Single point of failure and dependency analysis
   - Defined recovery objectives
   - Documented recovery plans and procedures
   - Recovery exercises

8. Compliance Management
   Rationalize and harmonize requirements.
   Inputs:
   - Microsoft internal: Corporate (security & privacy policies, etc.); Microsoft Online Services (security & privacy policies); Trustworthy Computing (SDL, Engineering Excellence, etc.)
   - Industry & regulatory: industry best practices (ISO/IEC 27001:2005, NIST SP 800-53); customer requirements (SOX, HIPAA, FISMA, GLBA, PCI DSS); data protection laws
   Process: remove non-applicable requirements, harmonize redundant ones, identify conditional ones.
   Outputs:
   - Common Baseline Requirements
   - Conditional Requirements

9. Compliance Monitoring & Assessment
   Internal monitoring:
   - Technical compliance (patch and configuration mgmt, vulnerability scans, penetration tests, etc.)
   - Personnel compliance (training and awareness, screening, etc.)
   - Process compliance (business process evaluation, change control, access management, etc.)
   - Physical security compliance (CCTV monitoring, access control and logging, etc.)
   Third party validation:
   - Facilities & infrastructure services: ISO certification + SAS 70
   - BPOS Dedicated: ISO aligned + SAS 70
   - BPOS Standard: ISO aligned

10. Commitment in Action
   What we provide:
   - Services are designed, engineered and operated with security as a core tenet
   - Privacy of customer data is respected
   - Audits demonstrate independent validation
   - Service resiliency and service and data recoverability are fundamental to service operations
   - 99.9% uptime SLA
   Customer benefits:
   - Mature and comprehensive security management
   - Service upgrades and security updates
   - Comprehensive security monitoring and response
   - Customer control over customer data
   - Compliance management capabilities available to customers

11. Additional Resources
   Microsoft Online Services: www.microsoft.com/online
   Business Productivity Online Suite:
   - 30-day free trial: http://www.microsoft.com/online/products.mspx
   - Technical information on TechNet: http://technet.microsoft.com/msonline
   - Service descriptions, developer guide, service level agreement, migration/deployment guides and tools, and other technical information and blogs
   - Security white paper: http://go.microsoft.com/fwlink/?LinkID=125754&clcid=0x409
   - Privacy policy: http://www.microsoft.com/online/legal/MOS_Privacy_Statement_Full.htm

12. Thank You!