If you live in Europe, you are probably aware of how GDPR (General Data Protection Regulation) is storming through the IT world. Service providers, vendors and pretty much every business that deals with digital data are either preparing for GDPR or making plans to, as it will be enforced from 25 May 2018. Some are already compliant and some are still struggling to figure it out. People are talking about compliance more than ever. Compliance is always painful to deal with. It involves knowledge, experience, skills, people, time, roles and responsibilities, services and much more. More importantly, an organization needs to evaluate how these regulations and standards map onto its own business model. There is no single button or shortcut that makes an organization comply with the requirements that arrive from time to time.
These requirements also change with industry trends and needs. Even if your organization complies with a certain standard today, it may not in 6 months' time, so continuous awareness and skills are also required to maintain compliance status. For an organization, it is not a one-man job either. Different roles have different responsibilities in making it possible. Some standards are just "good to have". Some are a must for certain businesses to operate, and some are backed by law, so those leave no choice.
This whole GDPR experience has taught some lessons:
Complexity – when new regulations and standards are enforced, lack of information, complexity, and lack of experience and skills make it difficult for organizations to adopt them in a short period of time. This rush and uncertainty can push organizations into vulnerable moves which can lead to bigger problems.
Compatibility with other compliance requirements – sometimes a business must comply with multiple standards at once. Things you do to comply with one can affect the ones you already comply with. It is hard to keep track of each individual action and measure its impact.
Commitment – as I explained before, it is not a one-man job; different parties and different roles need to make the relevant commitments to achieve compliance targets. Organizations always find it difficult to measure commitment or evaluate task progress throughout the implementation process.
Tools and methods – as everyone agrees, there are no shortcuts to compliance. It is not like installing software or enabling a service. Organizations need to go through the relevant rules and see how they apply to their infrastructure and business models. But it is not always practical to do all of this manually. As an example, GDPR has more than 100 rules. If we do not use tools or other methods to see how they apply to existing infrastructure, it becomes a time-consuming, complex process. There are existing tools which give you reports based on the information you provide, but so far I am not aware of a tool which does real-time analysis of infrastructure and reports back on compliance status.
At the last Ignite event, Microsoft introduced the Compliance Manager tool, which simplifies the compliance adoption process for organizations. As a service provider, Microsoft also has a role to play in making its cloud products comply with these standards. So Microsoft created a service where it explains how it has done its part and gives customers insight into doing their bit, in the form of tasks. Each of these tasks includes a detailed explanation. Each task can be assigned to a user and its progress measured in real time.
This service is available for Azure and Office 365 customers. It does not only cover GDPR; it also covers other standards such as ISO 27001:2013 and ISO 27018:2014. It is currently in preview and will be generally available in 2018.
In order to access this tool, you need a valid Office 365 subscription. Azure and Dynamics support is coming soon. It can also be tested using a trial Azure account. Once you have your login details ready, go to https://servicetrust.microsoft.com/ and click on "Launch Compliance Manager".
On the next page, it will ask about the subscription. If you already have a valid subscription, you can use the "Sign In" option.
After successful authentication, it loads the Compliance Manager dashboard.
Each tile represents one assessment. Using the "Add Assessment" button we can add new assessments to the list. To do so, first click on the Add Assessment option.
Then, in the pop-up, select the relevant product and click on Next.
In the next window, select the relevant assessments and click on Add to Dashboard.
Each tile has two sections. One lists the controls that Microsoft is responsible for, and the other lists the controls that the customer is responsible for.
In order to see these in detail, click on the assessment name on the tile.
It then lists the section for each control.
As an example, if I expand one of the tasks related to Microsoft, it explains what the control is, what Microsoft did to implement it and who assessed it.
Now if I do the same for the customer controls, I can see similar details, but most of them need to be filled in by the customer. It provides a detailed description of the assessment. Going to Customer Actions gives some insight into what the customer needs to do to pass the assessment.
It also has sections where we can add notes about the implementation, the test plan and the management response.
Using the Test Date option we can define the date of the assessment.
Using the Test Result drop-down we can select the assessment status.
Using the Manage Documents option we can upload the relevant evidence documents for the task.
More importantly, using the Assign button, a task can be assigned to another user in the organization.
In my demo, I am assigning it to the user Agnes Schleich with high priority.
Email notification for this is not working yet, but in future, once a task has been assigned, it will send an email notification to the user.
Now when I log in to Compliance Manager as the user Agnes Schleich, I can see the assigned task under Action Items.
Cool, isn't it? Microsoft has promised to add more and more assessments in the coming months to make life easier with compliance. Once you have finished your evaluation, do not forget to provide feedback using the Feedback button.
This marks the end of this blog post. If you have any questions, feel free to contact me at firstname.lastname@example.org, and follow me on Twitter @rebeladm to get updates about new blog posts.