Compliance Framework for
Industry Standards and
Regulations – Customer
Guidance
Published: March 2017
Introduction
We work hard to bring our customers the latest innovations in productivity with Office 365 services and
applications. At the same time, we understand that compliance with standards and regulations, and the
ability to use integrated tools to help meet compliance needs, are imperative and unwavering
requirements for our customers.
To help customers with their compliance needs related to Office 365, we have created a compliance
framework that is designed to give customers visibility into Office 365’s compliance with global, regional
and industry standards, and details how customers can control Office 365 services based on compliance
needs.
Office 365 Compliance Framework
Within this compliance framework, Microsoft classifies Office 365 applications and services into four
categories. Each category is defined by specific compliance commitments that must be met for an Office
365 service, or a related Microsoft service, to be listed in that category.
Services in compliance categories C and D, which carry industry-leading compliance commitments, are
enabled by default, while services in categories A and B come with controls to enable or disable those
services for an entire organization.
Category A: Microsoft Cloud Services1 with Privacy and Security commitments
Category B: Microsoft Cloud Services verified with International standards and terms
Category C: Microsoft Cloud Services verified with International and Regional standards and terms
Category D: Microsoft Cloud Services verified with International, Regional and Industry specific standards and terms

Commitments

Category A: Strong Privacy and Security Commitments
• No mining of customer data for advertising
• No voluntary disclosure of customer data to law enforcement agencies

Category B: Strong Privacy and Security Commitments
• ISO 27001
• ISO 27018
• EU Model Clauses (EUMC)

Category C: Strong Privacy and Security Commitments
• ISO 27001
• ISO 27018
• EU Model Clauses (EUMC)
• FERPA
• HIPAA Business Associate Agreement
• SSAE 16 SOC 1 & SOC 2 Reports

Category D: Strong Privacy and Security Commitments
• ISO 27001
• ISO 27018
• EU Model Clauses (EUMC)
• FERPA
• HIPAA Business Associate Agreement
• SSAE 16 SOC 1 & SOC 2 Reports
• FedRAMP, IRS 1075, UK Official (IL2)
• Health Information Trust Alliance (HITRUST)

Data residency: Contractual commitment to meet US and EU data residency requirements

Admin controls and default state

Category A: Admin controls are available to enable or disable services in this category
Category B: Admin controls are available to enable or disable services in this category
Category C: Services in this category may be enabled by default
Category D: Services in this category are enabled by default

Services in each category

Category A: Power BI for Office 365; Outlook Mobile for iOS and Android; Sunrise for iOS and Android; Microsoft StaffHub
Category B: Power BI; Office 365 Advanced Security Management
Category C: Microsoft Dynamics CRM Online; Azure Rights Management; Office 365 Video; Microsoft Intune; Sway; Yammer Enterprise; Bookings; Planner; Microsoft Teams
Category D: Office 365 for Enterprise, Education and Government plans that include Exchange Online, SharePoint Online, OneDrive for Business, Skype for Business, Project Online, Azure Active Directory, Exchange Online Protection, Access Online, Office Online, Office 365 ProPlus2, Microsoft Graph and Office Delve

1 This compliance framework does not apply to any client software component of a Microsoft cloud service because such a
component runs on a customer's device and not in a Microsoft datacenter.
Providing customers necessary control
Microsoft commits to provide appropriate controls for customers to use Office 365 based on
their business needs. Services in compliance categories C and D, which carry industry-leading
compliance commitments, may be turned on by default, while services in categories A and B
come with controls to enable or disable those services for an entire organization.
If the service is an end-user application such as Outlook for iOS or Android, the control to
enable or disable that application resides with the end user. Customers can choose to use
services in categories A and B based on their business needs, with appropriate consideration of
risk.
There is also additional documentation called Advanced Privacy Options for Administrators on
the Office 365 trust center at http://trust.office365.com.
2 Office 365 ProPlus enables access to various cloud services, such as Roaming Settings, Licensing, and OneDrive consumer
cloud storage, and may enable access to additional cloud services in the future. Roaming Settings and Licensing support the
standards and terms in category D. OneDrive consumer cloud storage does not, and other cloud services that are accessible
through Office 365 ProPlus and that Microsoft may offer in the future also may not, support these standards and terms.
Control to enable/disable service in Category A
Microsoft StaffHub
Microsoft StaffHub is a cloud-based platform that works across all your devices. It enables staff workers
and their managers to manage time, communicate with their teams, and share content. Microsoft
StaffHub is on by default, and IT admins can turn it off for their organization at any time by going
to staffhub.ms/admin and setting Enable Microsoft StaffHub to Off.
Microsoft StaffHub is actively working towards meeting the commitments provided in category C of the
O365 Compliance Framework.
For more information, see https://staffhub.office.com/
Control to enable/disable service in Category B
Power BI
The Power BI cloud service works together with Excel to provide a complete self-service
analytics solution. With Excel for authoring reports and Power BI for sharing them, everyone in
your organization has a powerful new way to work with data. Power BI is an add-on service that
must be purchased separately by going to Purchase Services in the admin portal.
The roadmap for Power BI includes progression from category A to category D over time. This document will be
updated to reflect changes over time.
For more information, see Get Started with Power BI and Bring Whole Excel Files into Power BI.
Office 365 Advanced Security Management
Office 365 Advanced Security Management can be enabled through the Security and Compliance Center.
Under the Alerts section, select Manage Advanced Alerts. On the page that opens, check the box next to
"Turn on Advanced Security Management for Office 365" and click "Go to Advanced Security Management".
Control to enable/disable service in Category C
Microsoft Dynamics CRM Online
Microsoft Dynamics CRM alongside Office 365 empowers your team to engage more effectively
with your customers. This combined power of customer relationship management (CRM) with
already-familiar Office tools helps your employees achieve goals across sales, service,
marketing, and social. Microsoft Dynamics CRM Online is an add-on service that must be
purchased separately by going to Purchase Services in the Office 365 Admin Center.
For more information, see Office 365 + Microsoft Dynamics CRM.
Office 365 Video
Office 365 Video enables you to upload, share, and play back video messages throughout your
company. It is enabled by default; however, if your organization does not want to use it, a
SharePoint Online tenant admin can disable it. When Office 365 Video is disabled, no one in
your organization (including video admins for Office 365 Video) can access it, and no link to it is
visible in Office 365. A SharePoint Online tenant admin can re-enable it when your organization
is ready to use it.
For more information on managing Office 365 Video, including enabling and disabling Office
365 Video, see Manage your Office 365 Video portal.
Microsoft Intune
You may choose between Microsoft Intune and the built-in Mobile Device Management (MDM) for
Office 365 to apply policies to end-user devices. Office 365 has built-in MDM capabilities that
are a subset of the enterprise mobility features in Microsoft Intune. Office 365 built-in MDM
policies can be created and applied from within the Compliance Center to:
1. Help secure and manage corporate resources
2. Apply mobile device settings
3. Perform a selective wipe of Office 365 data
4. Preserve the Office 365 productivity experience
5. Manage policies
You may instead choose to apply Microsoft Intune policies from within Office 365 so that Intune
covers your end-user devices. Microsoft Intune requires either a paid Intune subscription or a
purchase of the Enterprise Mobility Suite before it can be enabled in your environment.
Yammer Enterprise
Yammer Basic can be upgraded to Yammer Enterprise by performing Yammer Enterprise activation
in the Office 365 Admin Center. To do so, navigate to Included Services and activate Yammer.
For more information, see Plan for Yammer integration with Office 365.