This post has been republished via RSS; it originally appeared at: Healthcare and Life Sciences Blog articles.
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate them in the following link:
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.
All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.
This blog series is aimed at Security and Compliance officers who need to understand how the Microsoft Purview Compliance Manager assessments can help them meet their regulatory and certification needs.
This document will be covering:
- the goal of this blog series
- discussing Compliance Manager assessments at a high level and how to leverage them to meet a business need such as HIPAA, GDPR, CCPA, NIST, etc.
This document does not cover any other aspect of Microsoft E5 Purview, including:
- Compliance Manager (configuration)
- Data Classification
- Information Protection
- Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
- Data Lifecycle Management (retention and disposal)
- Records Management (retention and disposal)
- Insider Risk Management (IRM)
- Advanced Audit
- Microsoft Cloud App Security (MCAS)
- Information Barriers
- Communications Compliance
For details on licensing (i.e. which components and functions of Purview are in E3 vs E5) you will need to contact your Microsoft Security Specialist, Account Manager, or certified partner.
We will not be walking through the HITRUST assessment step-by-step. For more information on running an assessment in Compliance Manager, you should reference the corresponding documentation listed in the Appendix and Links section below.
Overview of Document
We will be walking through:
- Sample Assessment details and Purview Score
- Using Compliance Manager assessments to meet government regulations or industry certifications.
- Actions – the things that need to be done to mark a Control as completed
- Assessments – these help you implement data protection controls specified by compliance, security, privacy, and data protection standards, regulations, and laws. Assessments include actions that have been taken by Microsoft to protect your data, and they're completed when you take action to implement the controls included in the assessment.
- Assessment Templates – these templates track compliance with over 300 industry and government regulations around the world.
- Compliance Score - Compliance Manager awards you points for completing improvement actions taken to comply with a regulation, standard, or policy, and combines those points into an overall compliance score. Each action has a different impact on your score depending on the potential risks involved. Your compliance score can help prioritize which action to focus on to improve your overall compliance posture. You receive an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance.
- Controls – the various requirements in your tenant that must be met to meet a part of an assessment
- Control Family – a grouping of Controls
- Microsoft Actions – These are actions that Microsoft has performed inside of your tenant to help it meet a specific assessment.
- Progress – each assessment has a progress chart to help you visualize the progress you are making to meet the requirements of the assessment
- Your Improvement Actions – These are actions that you and your organization must perform to meet a specific assessment.
- Regulations – the regulations or standards pertaining to the action
- (Microsoft) Solutions – the solution where you can go to perform the action
- Action Types – indicates whether the improvement action is technical, meaning it can be implemented within a solution or product, or non-technical, which would be implemented outside of a technical solution
- Group - the group to which you assigned the action
- Categories – the related data protection category (such as, protect information, manage devices, etc.)
You should have a basic understanding of Compliance Manager and how it works. You can find this information in the blog named “Paint By Numbers” and the official Microsoft documentation found at docs.microsoft.com. You can find links to these in the section below labeled Appendix and Links.
You should have read Part 1 of this blog series (Microsoft Purview – Compliance Score Series (Part 1) – Overview).
Sample Assessment Details
Let us look at a sample of what each blog in this series will look like.
All Control Families Section
You will first see ALL the Control Families relevant to your regulation/certification/assessment.
Applicable Control Families
Secondly, you will find the section of the blog that shows you all the Control Families applicable to your regulation/certification/assessment.
Relevant Purview solutions
You will next find the section of the blog that shows the Purview components relevant to your regulation/certification/assessment.
Last, you will see your Purview Compliance score for the certification/regulation/assessment.
Appendix and Links
Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such. Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.