Compliance, ensuring the safe transmission and usage of your workplace documents is important no matter if you are an ASX200 multinational corporation or a Small to Medium Enterprise (SME). As companies work towards social sustainability and make the move to paperless solutions in the workplace, more and more private data is finding its way online. The way we work today is drastically different from that of 10, 20, 50 years ago. Technology is a double-edged sword; It plays a major role in increasing productivity and effectiveness in a workplace but at the same time it leaves a business open to potential security breaches if not managed effectively. Microsoft has been at the forefront of developing Compliance Framework for Industry Standards and Regulations for Office 365 and related Microsoft Services in order for businesses to have the peace of mind that when you use a Microsoft product you can work knowing that compliance standards being met.
The Compliance Framework for Industry Standards and Regulations released in May 2019, outlines how each Microsoft product meets compliance standards on a global, regional and industry level and which products users can customise, and control based on compliance needs. Technological compliance standards in the Australian workplace are constantly changing, ensuring that you are using software that continues to meet the current standards is vital to the security of your data. Connected Platforms has been helping small businesses manage their IT needs with Small Business IT Support across the Brisbane region. Don’t leave your software compliance to chance, get in touch us with to see how we can help Brisbane based businesses meet industry standards for compliance.
Understanding the Compliance Framework for Industry Standards and Regulations
The document released by Microsoft is technical in nature and at first glance might be a little hard to decipher. In summary the document aims to classify applications and services currently offered by Microsoft into four tiers. Each tier is defined by specific compliance requirements that must be met in order to be listed into that tier. Tier A and Tier B are considered the lower tiers, where Tier C and D have industry leading compliance enabled by default. This however does not mean that Tier A or B have no privacy, they just don’t have specified international compliance.
Tier A – Services Privacy and Security Commitments
Tier A at a minimum includes services that have a strong privacy and security commitment. This includes no mining of user data for advertising, no voluntary disclosure of user data to law enforcement agencies and general privacy and security terms. Tier A services can be enabled or disabled by admin controls. Some services in this category include: Outlook Mobile and Sunrise for iOS and Android. Tier B – Services Verified
Tier B – Services Verified with International Standards and Terms
Tier B services include everything in Tier A while meeting minimum international standards and terms including ISO 27001, ISO 27018, EU Model Clauses (EUMC), and the HIPAA Business Associated Agreement. Tier B services must meet minimum international standards on the privacy and security of data. Tier B Services can be enabled or disabled by admin controls. Some services in this category include Workplace Analytics.
Tier C – Services Verified with International and Regional Standards and Terms
Tier C services are enabled by default and have all commitments included in Tiers A and B, however, also now include regional commitments including SSAE 18 SOC 1 Report and SSAE 18 SOC 2 Report, further strengthening their commitment to privacy and data security. Some services in this category include Azure Information Protection, Microsoft Whiteboard, Bookings, Flow, Microsoft StaffHub and Office 365 Video.
Tier D – Services Verified with International, Regional, and Industry Specific Standards and Terms
Finally Tier D Services have the highest level of privacy and security commitments. Encompassing all commitments in Tiers A, B and C, services in this category now include industry commitments some of which include FEDRAMP, IRS 1075, Australia IRAP, and FISC (Japan). Microsoft’s flagship products fall into Tier D services including Access Online, Exchange Online, Office 365 Pro Plus, Sharepoint Online and Microsoft Teams.
Microsoft has committed to this framework and has the following principles:
- Services in a higher tier will not lose the capabilities of lower tiers.
- If a service from a higher tier moves to a lower one, it will not lose existing compliance capabilities unless a standard becomes inapplicable.
- The framework will be kept up to date to provide customers with the latest information regarding compliance across its suite of services.
- Where applicable Microsoft will give the appropriate controls to allow customers to enable the services in categories A and B that apply to their business’ needs and with the appropriate consideration of risk.
How Does This Framework Affect Your Business?
In summary the Microsoft’s Compliance Framework for Industry Standards and Regulations serves to inform their customers of the varying products and services they offer and how each of those services meets varying degrees of compliance. This allows your business to make informed decisions about the products and services that are used within your organisation. For example, as a business you know that as long as a Microsoft product is at minimum Tier A, that there will be no mining of customer data for advertising or disclosure of customer data to law enforcement agencies. On the other hand, professionals in the banking industry can rest assured that Microsoft’s Office 365 suite meets Australia’s IRAP certification. The framework can be a quick reference tool for what software services meet varying compliance needs in your industry.
How Can Managed IT Services Help?
Connected Platforms offers managed IT services Brisbane wide to help small businesses manage all their IT services. We provide many of the Microsoft cloud service solutions as listed in Microsoft’s framework to ensure your business is using software that is compliant for your industry. Don’t risk the security of your business, call us today to see how we can take your business to the next level.