Simplify regulatory compliance with Microsoft Purview Compliance Manager
Reduce the time it takes to comply with regulations that impact your organization. Compliance Manager in Microsoft Purview breaks down compliance criteria for over 350 regulations and standards globally.
If you’re concerned about security and data protection, compliance should also be your concern. Think about cases where data is maintained for 12 months and you’ve accumulated it for over 10 or 20 years; this makes an attack surface 10 or 20 times larger than it needs to be. And from a regulatory standpoint, in many respects, the risk of not hitting compliance requirements can be far more damaging than a data breach.
When you put in place or meet the majority of compliance requirements, this can lead to a greater protection response of security and privacy threats in the future. Compliance Manager gives you precise guidance on the capabilities you can turn on in Microsoft and other cloud services to meet specific requirements without relying on interpretation.
You can digitize the workflow for collaborating with others in your organization while assigning and documenting actions, including any manual processes. All of which makes it easier to prepare for auditors.
Join Daniel Hidalgo from the Microsoft Purview team and @JeremyChapmanMechanics as they walk you through the benefits and details of Compliance Manager in Microsoft Purview.
Managing compliance is difficult — make it easier and reduce the time spent.
Compliance Manager in Microsoft Purview breaks down compliance criteria for over 350 regulations and standards globally, so you don’t have to. See how to assess you compliance.
Replace muddled compliance interpretation with precise guidance.
Compliance Manager in Microsoft Purview tells you what to turn on in Microsoft and other cloud services and manual steps to take to meet requirements. See how to check compliance regardless of service (Google Cloud, Okta, Salesforce).
The materials you hand over to compliance auditors can be compiled much easier. See what it takes to export materials to auditors.
Replace the spreadsheet.
Move to an ALWAYS up-to-date compliance tracking system. Get your team on the same page with specific actions to comply with regulations and standards. See how to stay up to date with regulation changes.
Watch our video here.
00:58 Why you want to use Compliance Manager
03:18 How to assess you compliance
05:22 Run assessment based on specific regulation or a standard
06:16 Check compliance regardless of service (Google Cloud, Okta, Salesforce)
09:38 Collaboration experience of Compliance Manager
11:01 Allocating permissions
11:33 Setting up alerts
12:24 Export materials to auditors
13:04 How to stay up to date with regulation changes
13:48 How to sign up for Compliance Manager in Microsoft Purview
- Compliance Score detail: https://aka.ms/ComplianceScoreCalc
- Get started with Compliance Manager: https://aka.ms/ComplianceManager
- Set up FREE Trial of Premium Templates: https://aka.ms/TryComplianceManager
Unfamiliar with Microsoft Mechanics?
As the Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.
- Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries?sub_confirmation=1
- Talk with other IT Pros, join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog
- Watch or listen from anywhere, subscribe to our podcast: https://microsoftmechanics.libsyn.com/website
- To get the newest tech for IT in your inbox, subscribe to our newsletter: https://www.getrevue.co/profile/msftmechanics
Keep getting this insider knowledge, join us on social:
- Follow us on Twitter: https://twitter.com/MSFTMechanics
- Share knowledge on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/
- Enjoy us on Instagram: https://www.instagram.com/microsoftmechanics/
- Loosen up with us on TikTok: https://www.tiktok.com/@msftmechanics
- Coming up, if you want to reduce the time it takes to get and stay compliant with regulations impacting your organization, we take a closer look at Compliance Manager and Microsoft Purview, which helps you by breaking down the compliance criteria for over 350 regulations and standards globally so you don’t have to interpret them, giving you precise guidance on the capabilities that you can turn on in Microsoft and other cloud services to meet specific requirements, and digitizing the workflow for collaborating with others in your organization, so that you can assign and document actions, including any manual processes as well. All of which make it easier to prepare for auditors and more. And to walk us through all this I’m joined by Daniel Hidalgo from the Microsoft Purview team. Welcome back to Mechanics.
- Thanks for having me back, Jeremy. There’s a lot to dig into.
- And it’s really great to have you on because we’ve done quite a few shows recently on security and Zero Trust approaches. But of course, on the other side of this is compliance. Now, if you think about some of the most public data breaches that we’ve seen over the last couple of years in the headlines, they often expose more than just the security vulnerabilities that those companies had. They also reveal gaps in how compliance is managed, especially in cases where customer or employee data is stolen.
- They do. And you bring a great point because if you’re concerned about security and data protection, compliance needs to be part of that concern as well. Think about cases where data should be maintained for only 12 months. And you’ve actually been keeping it for 10 or even 20 years worth.
- And what that means is that your attack surface is basically 10 or 20 times larger than it really needs to be.
- Yes. And it can get you into even deeper trouble from a regulatory standpoint. Because of the penalties involved, in many respects the risk from not hitting compliance requirements can be far more damaging than a data breach.
- That said there’s a bright side to all of this, because what you put in place to meet the majority of compliance requirements will actually lead to greater protection response to security and privacy threats in the future.
- Yes, they will definitely lead to better security protections for your critical data, faster response times, and more resilience to legal incidents too.
- That’s easier said than done though, because anyone who’s done this type of work knows just how hard it can be to interpret what you need to do to be compliant. So how do we help here?
- Yeah, it can get really complex because just like the threat landscape continues to evolve with security, the regulatory landscape continuously evolves for compliance. And if you’re a compliance manager, you might be stuck tracking your compliance status by using manual tools like spreadsheets, where you’re constantly chasing your IT team and other accountable stakeholders just so you can check progress on actions to prove your compliance. You may not understand the criteria for complying to specific regulations in the first place, or there may be multiple interpretations of what is required across teams. And that’s really where Compliance Manager comes into play, in terms of helping everyone get on the same page on the specific actions to take to comply with a given regulation or standard. It also provides a collaboration platform between compliance managers and IT and other stakeholders. And it assesses your start point so that you can get an accurate read of progress against your compliance goals.
- Okay, so let’s break this down. How would I use Compliance Manager then to get a read on where I’m starting from, in order to assess my compliance?
- Yeah. So any organization is going to have a number of regulations depending on their industry or regional location. So before you do anything out of the box, we’ll give an initial measure of your compliance posture, which is an assessment of where you stand today. In Microsoft Purview, I’ve navigated to Compliance Manager. And the first thing that I see is my compliance score. This score is initially built off a generic data protection baseline for Microsoft 365. This is a combination of requirements across international regulations like GDPR and ISO, as well as FedRAMP and NIST in the US, to establish a baseline of requirements needed for the protection of your data. And we’ve mapped the fulfillment of those requirements across two dimensions. The first being Microsoft actions, which are the things we are responsible for as we operate our own services and they help you to fulfill specific requirements and contribute to your overall score. And second, improvement actions that you can implement which are tailored to your specific tenant. This is where Compliance Manager can pull signals from over 200 automatic capabilities available for you and assess whether or not you’ve implemented them. So as I scroll down, these improvement actions are also broken down into several categories, from protecting information to things like privacy management. And if we click into one to look at the detail, you can see that we award points to them, which are weighted based on impact. So technical actions, as you can see here, are typically worth 27 points. And if you want to look at what goes into the score in more detail, you can check out our guidance at aka.ms/ComplianceScoreCalc.
- And you know, this really highlights the shared responsibility between Microsoft and also you as a consumer of the service. And it makes it a lot easier to know what to do now. You mentioned that there were four different regulations that this baseline was built off of. So if you wanted to maybe look beyond that baseline to know how you might be faring against a specific regulation or a standard, how would you do that?
- So that’s when you want to run an assessment, which is the primary reason you want to use Compliance Manager in the first place, in that it unpacks more specifically how you’re faring against the specific regulation and shows you the steps that you can take to improve. So I’ll hop over to a fresh tenant that doesn’t have any previously run assessments. From the Assessment tab, I can create a new assessment. I’ll add one. Now I can select a template. We have a continuously expanding library of hundreds of assessment templates to choose from that translate around 350 regulations and standards worldwide into tangible actions for you. The majority of our templates today are from Microsoft 365, and we’ve been extending these templates to Azure and Dynamics 365 as well.
- Okay, so these templates will increasingly span different Microsoft services, but what if you want to just understand compliance criteria of a regulation that’s agnostic of a service?
- Well, that’s where our universal template comes in. Here’s the universal template for GDPR. And as you can see here with an action like confirm accuracy of collected personal data, these translate what is required by the regulation and generically specify the capability you ideally need to help fulfill this requirement. So from that perspective, they provide a universal criteria for compliance, which is useful not just across Microsoft services, but across non-Microsoft services too. Additionally, we’ve also started to make data connectors available for various of these non-Microsoft solutions, starting with Google cloud, Okta and Salesforce, with many more coming by the end of the year. These will help aggregate compliance actions taken across multiple of these solutions.
- So it really means the kind of criteria that we establish here can be used across the board.
- Right. Because our goal here is really to have Compliance Manager be that single tool that helps with compliance fulfillment. You can also modify templates to meet your specific needs. Now, going back to our assessment, I’ll choose the EU GDPR for Microsoft 365 and hit save. I can give it a name. Now I need to choose an assessment group. You can configure groups in whatever way is most logical for your organization. I’ll keep the default group for now. Everything looks good in the summary screen, so from here I can create an assessment.
- Okay. So once you’ve kicked that off, how long does it take then for the information to start to come back?
- It can take up to 24 hours to process everything. We literally scan your tenant against over 200 automated actions to determine our recommendations. To save time, since I already have an assessment created, I’ll go to that one. I’ll click into it. And I can see a summary of my progress based on my completion of actions within the assessment. And I can see a list of my improvement actions, which as I mentioned have a weighted value. Next, I’ll take a look at controls. Think of a control as how we interpret our requirement of a regulation. Oftentimes these will span multiple regulations. Here we are seeing control families relevant to GDPR. Next, we can see the improvement actions that you are responsible for. These can be manual or automatic. So I’ll start with something manual and search for privacy. And I’ll choose this one to establish a privacy program. Here I can see guidance for the types of measures we need to put in place. The nice thing about these improvement actions is that we map them across all applicable regulatory controls. For example, here you’re seeing how many regulations require a privacy program, so that once you take this action you’ll satisfy this requirement across multiple regulations. So you won’t be duplicating efforts. Now I’m going to go back and instead of manual, I’ll start testing source by automatic, which as I mentioned are actions that I can turn on in the service and you can see your implementation status across various actions. I can see that this one, ‘create and apply a retention policy,’ has failed. So let’s investigate that. This is an action for setting a time limit for how long specific data can be kept. And I can see that it has not been implemented. From here I can assign accountability to this action to the specific stakeholders. In fact, I’ll assign this one to you, Jeremy. So why don’t you walk us through the collaboration experience?
- Perfect. I love building retention policies. So here I can see I’ve already received an email and I can see that I’ve been assigned this action. So I’m going to go ahead and click on the link and that will take me straight to Compliance Manager and directly to that improvement action. And it also shows me guidance and even describes how I can create and apply a retention policy in Microsoft Purview. Then it deep links me directly to where I can configure this here with this launch now link. And when I click on that, I’m taken directly to data lifecycle management and all the retention policies. And I can quickly add a new policy from here if I want to. And this also works for manual improvement actions as well, where you can edit implementation detail by specifying whether or not I’ve implemented an action. I can document an alternative implementation approach, which is really useful for example, if I’ve used another tool or process to carry out the same action, I can also indicate if implementation is scheduled or in plan or just not yet executed, or I can even market action as out of scope or irrelevant. Next and important for manual actions, I can also add any testing control details to document specific manual tests and outcomes and add documents, images, or media as supporting evidence towards a specific action. And this workflow really helps to preserve an audit log of all the actions that are taken. That said, though, presumably there are limits to what people can and should do. So how do I make sure that the right people are actually interacting with these types of controls?
- Right, so before you delegate anything, you really need to make sure that you can define the permission levels of individuals that are part of the process. So under Permissions, you can assign people in your organization different role types, from administrator who can assign permissions and assessor who typically validates work done to contributors like you in this case that can take action and report back on what they did, or you can just make someone a reader with read-only rights.
- So it’s really straightforward then to set up assessments and collaborate against actions. But how do you stay compliant, for example, in cases where someone may be inadvertently reverses an automatic action, and that’s going to impact the compliance score?
- So this is where we recommend you set up alerts. You can set up alerts to notify you immediately when certain changes to improvement actions occur. Here in the Alerts Policies tab, you can see I have a few configured. You can set them up to be alerted for things like changes in test status or implementation if someone has turned off multifactor authentication, for example, or an increase or a decrease in your score. And if the conditions and thresholds you set are met, we’ll notify designated stakeholders via email. And they will also see these alerts in the Compliance Manager experience.
- Okay, so the million dollar question here is though, how does everything that you’ve shown today ease the processor help in terms of giving materials over to our auditors?
- Yeah, so you can really use Compliance Manager as inputs for what you report to your auditors. I’ll generate a report from my assessment and that outputs an Excel file. And it will show you an aggregate view of all of the actions taken to meet specific requirements. You can sort and filter it. For example, I’ll sort the control column B into ascending order, and this sorts the improvement actions in the same order as the GDPR regulation.
- So this gives something tangible in this case then that you can hand over as part of your auditing reports. That said though, with all the changes that are happening almost daily to the regulations and standards out there, how do you stay up to date with those changes?
- Yeah, so our team continuously assesses changes across the over 350 regulations that we support today and growing. We translate those requirements, mapping both Microsoft manage actions and your improvement actions that help with fulfillment. And in fact, Compliance Manager sets up a default alert policy to monitor for score changes in those improvement actions. When an update is available for an improvement action, we’ll notify you as you can see here with pending updates. And you can accept the update or come back to it later. But in this case, I choose to accept it.
- And everything that you’ve shown today really helps people get compliant faster and also stay compliant. So for anyone who’s watching right now, what do you recommend people do to get started with Compliance Manager?
- Don’t wait and get started today. The data protection baseline is available to all versions of Office and Microsoft 365, just go to aka.ms/ComplianceManager. And you can also set up a free trial for premium templates at aka.ms/TryComplianceManager. These will help you take your compliance posture to the next level.
- Thanks so much Daniel for joining us today and also giving us a great tour on Compliance Manager. Of course, keep watching Microsoft Mechanics for the latest updates, and don’t forget to subscribe to our channel if you haven’t already. And as always, thank you so much for watching.