Today, I want to do a quick refresher on what the Business Productivity Online Suite is, then dive right into our Risk Management Program. There are four components of the Microsoft Online Services Risk Management Program, and we’ll explore each one in some detail. Then we’ll pop back up to the high level to talk about what this all means to you.
Microsoft Online Services is a set of enterprise-class software delivered as subscription services hosted by Microsoft and sold with partners. Our goal is to create a service option for every one of our business software products. The Business Productivity Online Suite is the initial set of services we are offering under that umbrella. It includes email, collaboration, conferencing, and instant messaging capabilities: Exchange Online, SharePoint Online, Office Live Meeting, and Office Communications Online.

There are more than 500,000 seats under management by Microsoft Online Services today. Customers subscribing to the Business Productivity Online Suite include:
- Ingersoll-Rand
- Doosan
- Aviva
- Blockbuster
- Tyco
- Eddie Bauer
- XL Capital
- Energizer
- Coca-Cola Enterprises
- Autodesk
- Ceridian
- Pitney Bowes
When we think about security for Microsoft Online Services, we do so in the context of the Microsoft Online Services Risk Management Program. This includes the intertwined disciplines of security, privacy, continuity, and compliance. In a nutshell, the objective of the program is to help protect the availability, confidentiality, and integrity of Microsoft Online Services and customer data. We do that by uniformly managing security, privacy, continuity and compliance under a single, centrally managed Program.

In designing the program, we adopted and matured the best practices that had already been developing within Microsoft for years. The Global Foundation Services (GFS) arm of Microsoft has been operating online services since the launch of MSN in 1994. That team brings a deep and rich security capability to today’s Microsoft Online Services. We extend the framework that GFS has in place for maintaining certifications against industry standards, which I’ll talk about in more depth later.

In 2002, the company formed the Trustworthy Computing initiative with Bill Gates committing Microsoft to fundamentally changing its mission and strategy in key areas. Today, Trustworthy Computing is a core corporate value at Microsoft, guiding nearly everything the company does. At the foundation of this initiative are these four pillars: Privacy, Security, Reliability, and Business Practices. The rigorous security practices employed by development teams at Microsoft were formalized into a process called the Security Development Lifecycle (SDL) in 2004. We’ve extended those practices to the development and operation of Microsoft Online Services. We’ve adapted and extended Microsoft’s corporate Enterprise Risk Management practices, and we maintain alignment with the ISO 27001 framework.
All these ingredients helped us develop a robust Risk Management Program and get the benefit of the breadth and depth of Microsoft’s experience.

There are a few common elements shared across all components of the Program:
- Information Security Policy – which represents an aggregate of requirements based on internal policies and external standards
- Risk Assessment – through which we identify and address unique risks to services and customers by means of a comprehensive assessment and management methodology
- Training & Awareness – to ensure personnel are aware of the Program objectives and associated Policy, understand their roles and responsibilities, and are adequately trained on critical procedures

Why is it so important that we have this centralized Risk Management Program? First, it helps us create a common security “bar” for all our services to meet. It allows us to use standardized solutions for better consistency, reduced complexity and, by extension, reduced risk. It provides us centralized monitoring and response, so we can get both service-specific and aggregated views of the health and status of our services, which helps us provide better visibility of health and status to our customers.
The Security Program takes a risk-based, multi-dimensional approach to putting in place the necessary and adequate safeguards across all aspects of a service. The Program aims to define security requirements applicable to people, processes and technology, and to implement corresponding controls and capabilities across the services themselves, the supporting platform and infrastructure components, as well as the hosting facilities and the hardware residing within them.

Role & Responsibility of the Security Program:
- Help ensure services are developed in a secure manner. Microsoft’s Security Development Lifecycle plays a critical role here.
- Help ensure the services are operated in a secure environment. Security controls exist across and within all layers of a given service, which supports the principle of defense-in-depth.
- Help ensure that services and infrastructure are monitored for configuration errors, vulnerabilities, security events and anomalous behavior.
- Help ensure incidents are promptly detected and that a mature incident management process not only addresses the immediate issue, but identifies and corrects the cause.
- Help ensure personnel are adequately prepared and trained to identify security issues and provide notification through the appropriate procedure.
The Service Continuity Program is based on industry best practices for business continuity and ensures a standardized approach is taken by all BPOS services for recovery.

The SCM Program Phases are:
1. Governance – Management and oversight of all phases of the Service Continuity Program help to ensure consistent methodology, terminology, templates and tool sets.
2. Business Impact Analysis – A process designed to prioritize business functions by assessing the potential financial and non-financial impact that might result if an organization were to experience a business continuity event for a specific service.
3. Dependency Analysis – A process in which we identify time-critical functions, their recovery priorities, and inter-dependencies so that recovery time objectives can be established.
4. Gap Analysis & Reporting – A process that identifies current or estimated capability versus the recovery time objective. In this phase, the team identifies any gaps associated with the people, process, technical and facilities components.
5. Strategies & Solutions – Based on the results of the previous phases, the team develops appropriate business continuity strategies. The strategies are designed to meet the recovery time and point objectives in support of the organization’s critical functions.
6. Planning – In this phase, we design, develop, and implement Business Continuity Plans that provide continuity and/or recovery.
7. Maintaining & Exercising – This is a critical process. We establish an exercise/testing program which documents plan exercise requirements including the planning, scheduling, facilitation, communications, auditing and post-review documentation. After we establish such a program, we carry out those exercises on a regular basis according to our documented plan.
8. Awareness and Training – Policies and processes don’t work if the people behind them aren’t trained. We create and maintain corporate awareness and enhance the skills which are required to develop and implement Service Continuity Management.

Definitions

Recovery Time Objective (RTO) – The period of time within which systems, applications, or functions must be recovered after an outage (e.g. one business day). RTOs are often used as the basis for the development of recovery strategies, and as a determinant as to whether or not to implement the recovery strategies during a disaster situation.

Recovery Point Objective (RPO) – The maximum amount of data loss an organization can sustain during an event.
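The two definitions above become concrete when you measure an actual outage against them: recovery time is the gap between the outage and the moment service is restored, and the data-loss window is the gap between the last copy you could actually restore from and the outage itself. The script below is an added example, not part of the presentation and not Microsoft's tooling; the service names, objectives and outage timestamps are constructed for illustration and are not BPOS figures. It also shows the design consequence a practitioner cares about: the RPO caps how far apart restorable copies may be taken.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ContinuityObjectives:
    rto: timedelta  # Recovery Time Objective: restore within this long after an outage
    rpo: timedelta  # Recovery Point Objective: lose no more than this much data


@dataclass(frozen=True)
class OutageRecord:
    service: str
    outage_start: datetime
    service_restored: datetime
    last_restorable_copy: datetime  # newest backup/replica the recovery was actually performed from


@dataclass(frozen=True)
class ContinuityResult:
    service: str
    recovery_time: timedelta
    data_loss_window: timedelta
    rto_met: bool
    rpo_met: bool


# Constructed objectives for two hypothetical services (not real BPOS targets).
OBJECTIVES = {
    "mail": ContinuityObjectives(rto=timedelta(hours=24), rpo=timedelta(hours=4)),
    "collab": ContinuityObjectives(rto=timedelta(hours=8), rpo=timedelta(hours=1)),
}

# Constructed outage records: one inside its objectives, one breaching both.
SAMPLE_OUTAGES = [
    OutageRecord("mail", datetime(2010, 6, 1, 8, 0), datetime(2010, 6, 1, 11, 30),
                 datetime(2010, 6, 1, 6, 0)),
    OutageRecord("collab", datetime(2010, 6, 2, 14, 0), datetime(2010, 6, 3, 1, 0),
                 datetime(2010, 6, 2, 12, 30)),
]


def evaluate_outage(record: OutageRecord, objectives: ContinuityObjectives) -> ContinuityResult:
    """Measure one outage against the service's RTO and RPO."""
    if record.service_restored < record.outage_start:
        raise ValueError("service_restored precedes outage_start")
    if record.last_restorable_copy > record.outage_start:
        raise ValueError("a restorable copy cannot post-date the outage it was recovered from")
    recovery_time = record.service_restored - record.outage_start
    data_loss_window = record.outage_start - record.last_restorable_copy
    return ContinuityResult(
        service=record.service,
        recovery_time=recovery_time,
        data_loss_window=data_loss_window,
        rto_met=recovery_time <= objectives.rto,
        rpo_met=data_loss_window <= objectives.rpo,
    )


def evaluate_all(outages=SAMPLE_OUTAGES, objectives=OBJECTIVES) -> list:
    return [evaluate_outage(o, objectives[o.service]) for o in outages]


def max_backup_interval(objectives: ContinuityObjectives) -> timedelta:
    """If copies are taken every N, the worst case is an outage just before the next copy,
    losing N of data; so N must not exceed the RPO."""
    return objectives.rpo


def format_report(results, objectives=OBJECTIVES) -> list:
    """One human-readable line per outage, flagging RTO/RPO breaches."""
    lines = []
    for r in results:
        o = objectives[r.service]
        lines.append(
            f"{r.service}: recovered in {r.recovery_time} (RTO {o.rto}) "
            f"{'OK' if r.rto_met else 'BREACH'}; data loss window {r.data_loss_window} "
            f"(RPO {o.rpo}) {'OK' if r.rpo_met else 'BREACH'}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(evaluate_all())))
```

The validation in evaluate_outage matters in practice: a "restorable copy" timestamp later than the outage usually means the record was filled in from the backup schedule rather than from the copy that was really used, which would understate the data loss.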
The Compliance Management Program acts as a sort of glue, binding the programs and associated requirements together into a cohesive control set. This Program helps to collect, rationalize and harmonize the requirements derived from a number of internal and external sources, ensuring that similar or redundant requirements are collapsed into a single control, and that requirements that must be met in specific situations are identified and addressed appropriately. As in our privacy program, we strive to create “high bar” standards that meet or exceed all the requirements we’ve taken in. This optimized control set helps ensure that all requirements are met appropriately, but also helps to reduce complexity and costs. Where common requirements exist across multiple services, the compliance program helps to identify a standard solution that can be used by all services. The SDL is a good example of a common process that helps all services meet requirements related to secure software development. Another example is a common change management process and supporting tool.

The control framework can also document identified risks and provide a means through which to track and monitor the associated mitigations.
Using the extensible control framework provided by the Compliance Management Program, a custom control set can be created for each online service. This control set helps to document the requirements the service must meet, and serves as a checklist of sorts that can be used to validate compliance. We validate compliance when we first launch the service, as well as periodically on an ongoing basis. Assessment occurs at the procedural level, through standardized monitoring of the service environment, as well as through assessments conducted during subsequent service updates, assessments performed by the Risk Management team, and assessments conducted by Microsoft’s internal audit team.

In addition to these internal assessments, Microsoft Online Services undergo review and assessment by independent third-party organizations. The facilities that BPOS services run out of, as well as the infrastructure used to support the services, have obtained ISO 27001 certification, as well as SAS 70 Type II audit reports. The BPOS Dedicated offering has successfully obtained SAS 70 Type II reports for several years, and is pursuing formal ISO certification by the end of 2009. The BPOS Standard offering is pursuing both a SAS 70 report and ISO certification by the end of the year. The BPOS strategy is to leverage ISO as a vehicle to provide broad assessment of our security, privacy and continuity capabilities, while relying upon the increased level of scrutiny provided by SAS 70 for critical or key controls. Microsoft believes this approach serves to demonstrate that our capabilities and practices are well defined, and that they have been implemented appropriately and are operating effectively.

As the ISO and SAS certifications are achieved, customers can use those to determine whether the BPOS services have sufficient controls and practices in place for them to meet their own compliance obligations.
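The harmonization described in the last two paragraphs (many source requirements collapsed into one control, a per-service control set derived from the shared framework, the control set used as a compliance checklist, and risks tracked against controls) is essentially a data-modelling exercise. The following is an added example of that model, written for this page; it is not the Compliance Management Program's actual framework or tooling. The source names, requirement references, control identifiers and service names are constructed placeholders, not real ISO or SAS 70 clause numbers.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Requirement:
    """One requirement as taken in from a source (constructed sample data)."""
    source: str            # the standard, policy or contract it came from
    ref: str               # that source's own identifier (placeholder values below)
    text: str
    control_id: str        # the canonical control that satisfies this requirement
    applies_to: frozenset = frozenset()  # services it applies to; empty means all services


@dataclass
class Control:
    """A single control in the harmonized control set."""
    control_id: str
    description: str
    requirements: list = field(default_factory=list)  # every Requirement it answers to
    risks: list = field(default_factory=list)         # identified risks and mitigation status


# Constructed control catalogue: the "high bar" wording each control is held to.
CONTROL_CATALOG = {
    "CHG-MGMT": "Changes to production are reviewed, approved and recorded before deployment",
    "SDL": "Services are developed under the Security Development Lifecycle",
    "VULN-SCAN": "Service hosts are scanned for vulnerabilities on a fixed cadence",
    "DED-ISOLATION": "Dedicated-tenant environments are logically isolated from other tenants",
}

# Constructed requirements from several sources; three of them collapse into CHG-MGMT.
SAMPLE_REQUIREMENTS = [
    Requirement("External standard X", "X-12.1", "Control changes to systems", "CHG-MGMT"),
    Requirement("Internal policy", "POL-07", "All production changes go through a change ticket", "CHG-MGMT"),
    Requirement("Audit framework Y", "Y-C3", "Change control is evidenced", "CHG-MGMT"),
    Requirement("Internal policy", "POL-02", "Code is threat-modeled and reviewed before release", "SDL"),
    Requirement("External standard X", "X-12.6", "Technical vulnerabilities are managed", "VULN-SCAN"),
    Requirement("Customer contract", "CON-DED-1", "Dedicated tenant isolation", "DED-ISOLATION",
                frozenset({"bpos-dedicated"})),
]


def build_control_set(requirements, service: str) -> dict:
    """Derive one service's control set: keep only applicable requirements and
    collapse every requirement that maps to the same control into that control."""
    controls = {}
    for req in requirements:
        if req.applies_to and service not in req.applies_to:
            continue  # situational requirement that does not apply to this service
        ctrl = controls.get(req.control_id)
        if ctrl is None:
            ctrl = Control(req.control_id, CONTROL_CATALOG[req.control_id])
            controls[req.control_id] = ctrl
        ctrl.requirements.append(req)
    return controls


def trace(control_set: dict, control_id: str) -> list:
    """The sources a control answers to, i.e. why the control exists."""
    return sorted(f"{r.source}:{r.ref}" for r in control_set[control_id].requirements)


def compliance_report(control_set: dict, evidence: dict) -> tuple:
    """Use the control set as a checklist. `evidence` maps control_id -> True when
    evidence of operation is on file; a control with no entry counts as a gap."""
    satisfied = sorted(c for c in control_set if evidence.get(c, False))
    gaps = sorted(c for c in control_set if not evidence.get(c, False))
    return satisfied, gaps


def uncovered_requirements(control_set: dict, evidence: dict) -> list:
    """Expand each gap back to the source requirements it leaves unmet."""
    _, gaps = compliance_report(control_set, evidence)
    return sorted(f"{r.source}:{r.ref}" for g in gaps for r in control_set[g].requirements)


def record_risk(control_set: dict, control_id: str, description: str, mitigation: str,
                closed: bool = False) -> None:
    """Attach an identified risk and its mitigation to the control it weakens."""
    control_set[control_id].risks.append(
        {"risk": description, "mitigation": mitigation, "closed": closed})


def open_risks(control_set: dict) -> list:
    return sorted((cid, r["risk"]) for cid, c in control_set.items()
                  for r in c.risks if not r["closed"])


if __name__ == "__main__":
    cs = build_control_set(SAMPLE_REQUIREMENTS, "bpos-standard")
    print("CHG-MGMT answers to:", trace(cs, "CHG-MGMT"))
    print(compliance_report(cs, {"CHG-MGMT": True, "SDL": True}))
```

The point of keeping the source references on each control is the auditor's question in reverse: a gap on one control is immediately reported as every source requirement it leaves unmet, which is what uncovered_requirements returns.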
When a customer purchases the BPOS services, they not only get the enhanced business productivity services, they also get the added benefits of having Microsoft manage the security of the services, including:
- upgrading the application software and applying security updates
- operation of critical security infrastructure
- comprehensive monitoring and logging capabilities, as well as mature incident management

More importantly, customers retain control over their own data, as well as their ability to manage and meet their own compliance obligations.
Microsoft Online Services Risk Management
Security in Business Productivity Online Suite
Updated June 1, 2010
Presented to you by:
Privacy Program
Designed to establish consistent "high bar" privacy practices that support global standards for data handling and transfer
Documented & enforced privacy requirements
- Microsoft Online Services Privacy Statement
- Microsoft Online Services Privacy and Regulatory Divisional Requirements Specific to Software + Services
- Corporate-level Privacy Guidelines for Service Development
Privacy disclosures & transparency
- Microsoft Online Services Privacy Statement
Compliance Monitoring & Assessment
Internal monitoring
- Technical compliance (patch and configuration mgmt, vulnerability scans, penetration tests, etc.)
- Personnel compliance (training and awareness, screening, etc.)
- Process compliance (business process evaluation, change control, access management, etc.)
- Physical security compliance (CCTV monitoring, access control and logging, etc.)
Third Party validation
- Facilities & infrastructure services – ISO cert + SAS 70
- BPOS Dedicated – ISO aligned + SAS 70
- BPOS Standard – ISO aligned
Future plans call for formal ISO and SAS 70 Type II certification for all BPOS services
Commitment in Action
What we provide
- Services are designed, engineered and operated with security as a core tenet
- Privacy of customer data is respected
- Audits demonstrate independent validation
- Service resiliency and service and data recoverability are fundamental to service operations
- 99.9% uptime SLA
Customer benefits
- Mature and comprehensive security management
- Service upgrades and security updates
- Comprehensive security monitoring and response
- Customer control over customer data
- Compliance management capabilities available to customers
Technical information on TechNet: http://technet.microsoft.com/msonline
- Service descriptions, developer guide, service level agreement, migration/deployment guides and tools, and other technical information and blogs
- Security white paper: http://go.microsoft.com/fwlink/?LinkID=125754&clcid=0x409