Creating a Standard Response to Request for Information using CCM

John Howie, Sr. Director, Online Services Security and Compliance, Technical Security Services, Global Foundation Services, Microsoft Corporation

Post on 31-Mar-2015

221 views

Category:

Documents


3 download

TRANSCRIPT

Page 1: Title slide (slide footer: Global Foundation Services: Security, Global Delivery, Sustainability, Infrastructure)

Creating a Standard Response to Request for Information using CCM

John Howie, Sr. Director, Online Services Security and Compliance, Technical Security Services, Global Foundation Services, Microsoft Corporation

Page 2: Cloud Security Challenges

• Growing interdependence amongst public and private sector
 – Mutual expectations that platform services and hosted applications be secure and available
• Evolving technologies, changing business models, dynamic hosting environment
 – Keeping pace with growth and anticipating future needs is essential to running an effective security program
• Complex, global regulatory requirements and industry standards
 – Each country may pass its own laws that govern the provision and use of online environments
• Increasing sophistication of attacks
 – Malicious activity focuses on infiltrating and disrupting online service offerings

Page 3: Global Foundation Services: Microsoft’s Cloud Environment

[Diagram: service layers stacked on the Global Foundation Services foundation]
• Consumer and Small Business Services | Enterprise Services | Third-Party Hosted Services
• Cloud Platform Services
• Cloud Infrastructure
• Global Foundation Services: Security, Global Delivery, Sustainability, Infrastructure

Page 4: Comprehensive Compliance Framework

• Certifications and Attestations
 – ISO/IEC 27001:2005 certification
 – Statement on Auditing Standards No. 70 (SAS 70) Type II attestation
 – PCI DSS certification
 – FISMA certification and accreditation
• Predictable Audit Schedule
 – Test effectiveness and assess risk
 – Attain certifications and attestations
 – Improve and optimize
 – Examine root cause of non-compliance; track until fully remediated
• Controls Framework
 – Identify and integrate regulatory requirements and customer requirements
 – Assess and remediate: eliminate or mitigate gaps in control design
• Industry Standards and Regulations
 – Payment Card Industry Data Security Standard (PCI DSS)
 – Health Insurance Portability and Accountability Act (HIPAA)
 – FISMA (NIST 800-53 r3)
 – Sarbanes-Oxley, privacy laws, etc.

Page 5 (Microsoft Confidential): Security Policy and Standards

• Security Policy
 – Applies to all of Microsoft
 – High-level objectives
 – Aligns to industry standards: ISO/IEC 27001:2005, NIST SP 800-53 r3, etc.
• Security Standards
 – Apply to Online Services
 – Low-level, high-detail
• Baseline Configurations
 – Technology- and environment-specific
• Standard Operating Procedures
 – Business- and property-specific implementations

Page 6: Global Foundation Services: Scope of Cloud Controls Matrix

[Diagram: the same service-layer stack as Page 3, showing the layers the Cloud Controls Matrix covers]
• Consumer and Small Business Services | Enterprise Services | Third-Party Hosted Services
• Cloud Platform Services
• Cloud Infrastructure
• Global Foundation Services: Security, Global Delivery, Sustainability, Infrastructure

Page 7: Documenting the Cloud Control Matrix

• Leveraged frameworks built from statutory and regulatory compliance obligations and used in audits
• Exist at both Global Foundation Services and Office 365
• Based on ISO/IEC 27002 and supplemented with specific controls from obligations
• Each control is described with a response
• Proof of controls comes in the form of our ISO/IEC 27001:2005 certifications and SAS No. 70/SSAE 16 reports

Page 8: Example of use of the Cloud Control Matrix

Columns: Control ID in CCM | Description (CCM Version R1.1 Final) | Microsoft Response

Control ID in CCM: DG-01
Description: Data Governance - Ownership / Stewardship. All data shall be designated with stewardship with assigned responsibilities defined, documented and communicated.
Microsoft Response: Microsoft Online Services has implemented a formal policy that requires assets (the definition of asset includes data and hardware) used to provide Microsoft Online Services to be accounted for and have a designated asset owner. Asset owners are responsible for maintaining up-to-date information regarding their assets. “Allocation of information security responsibilities and ownership of assets” is covered under the ISO 27001 standards, specifically addressed in Annex A, domains 6.1.3 and 7.1.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

Control ID in CCM: DG-02
Description: Data Governance - Classification. Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization and third party obligation for retention and prevention of unauthorized disclosure or misuse.
Microsoft Response: Microsoft Online Services standards provide guidance for classifying assets into several applicable security classification categories, and then implement a standard set of security and privacy attributes. “Information classification” is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 7.2. For more information, review of the publicly available ISO standards we are certified against is suggested.

Page 9: Security, Trust and Assurance Registry

• Our Standard Response is our STAR submission
• One document, based on CCM, is Microsoft’s position on security and privacy for Office 365

Page 10: Future Work

• Microsoft will keep the Standard Response current as the Cloud Control Matrix is updated
• Microsoft is investigating use of the Control Assessment Initiative Questionnaire
 – Might be more appropriate for other services and for questions and inquiries from customers and policy-makers
• We are evaluating CloudAudit

Page 11: Legal notice

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.