
Privacy

What does privacy at Microsoft mean? Are you using my data to build advertising products?

Transparency
Where is my data? Who has access to my data?

Compliance
What certifications and capabilities does Microsoft hold? How does Microsoft support customer compliance needs? Do I have the right to audit Microsoft?

Security
Is cloud computing secure?

Are Microsoft Online Services secure?

Your Privacy Matters

Leadership in Transparency
You know where data resides, who can access it and what we do with it

Independently Verified
Compliance with World Class Industry standards verified by 3rd parties

Relentless on Security
Excellence in cutting edge security practices

http://trustoffice365.com
Office 365 Privacy Whitepaper
Office 365 Security Whitepaper and Service Description
Office 365 Standard Responses to Request for Information

Office 365 Information Security Management Framework

Services are highly configurable and scalable without customization.
Services are under the Microsoft Security Policy.
We provide transparency in data location and transfers.
We audit on your behalf and provide certification reports.
Microsoft's liability is capped, consistent with industry standards.

Office 365 is an evergreen service. Customers need to stay current.


Our solution evolves rapidly with a documented roadmap. We provide services offers to help you migrate to the cloud efficiently.

Office 365 is a highly standardized service that Microsoft offers under highly standardized contractual terms and conditions.

Reduce vulnerabilities, limit exploit severity


Education
Administer and track security training

Process
Guide product teams to meet SDL requirements

Accountability
Establish release criteria and sign-off as part of FSR
Incident Response (MSRC)

Training
Core Security Training

Requirements
Establish Security Requirements
Create Quality Gates / Bug Bars
Security & Privacy Risk Assessment

Design
Establish Design Requirements
Analyze Attack Surface
Threat Modeling

Implementation
Use Approved Tools
Deprecate Unsafe Functions
Static Analysis

Verification
Dynamic Analysis
Fuzz Testing
Attack Surface Review

Release
Incident Response Plan
Final Security Review
Release Archive

Response
Execute Incident Response Plan

Ongoing Process Improvements

Threat and vulnerability management, monitoring, and response

Data: Access control and monitoring, file/data integrity
User: Account management, training and awareness, screening
Application: Secure engineering (SDL), access control and monitoring, anti-malware
Host: Access control and monitoring, anti-malware, patch and configuration management
Internal network: Dual-factor authentication, intrusion detection, vulnerability scanning
Network perimeter: Edge routers, intrusion detection, vulnerability scanning
Facility: Physical controls, video surveillance, access control

https://www.cert.org/blogs/certcc/2011/04/office_shootout_microsoft_offi.html

Privacy at Office 365


At Microsoft, our strategy is to consistently set a high bar around privacy practices that support global standards for data handling and transfer

No Advertising
No advertising products out of Customer Data. No scanning of email or documents to build analytics or mine data.

Data Portability
Office 365 Customer Data belongs to the customer. Customers can export their data at any time.

No Mingling
Choices to keep Office 365 Customer Data separate from consumer services.

How Is Privacy of Data Protected?


We use customer data for just what they pay us for - to maintain and provide Office 365 Service

Microsoft Online Services Customer Data | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operating and Troubleshooting the Service | Yes | Yes | Yes | Yes
Security, Spam and Malware Prevention | Yes | Yes | Yes | Yes
Improving the Purchased Service, Analytics | Yes | Yes | Yes | No
Personalization, User Profile, Promotions | No | Yes | No | No
Communications (Tips, Advice, Surveys, Promotions) | No | No/Yes | No | No
Voluntary Disclosure to Law Enforcement | No | No | No | No
Advertising | No | No | No | No

 | Usage Data | Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operations Response Team (limited to key personnel only) | Yes. | Yes, as needed. | Yes, as needed. | Yes, by exception.
Support Organization | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | No.
Engineering | Yes. | No Direct Access. May Be Transferred During Troubleshooting. | No Direct Access. May Be Transferred During Troubleshooting. | No.
Partners | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information.
Others in Microsoft | No. | No (Yes for Office 365 for small business Customers for marketing purposes). | No. | No.

Compliance

Office 365 compliance


We are the first and only major cloud-based productivity service to offer the following

ISO27001
ISO27001 is one of the best security benchmarks available across the world. Office 365 is the first major business productivity public cloud service to implement rigorous ISO security controls on physical, logical, process and management

EU Model Clauses
Office 365 is the first major business productivity public cloud service provider willing to sign EU Model Clauses with all customers. EU Model Clauses are a set of stringent European Union-wide data protection requirements.

Data Processing Agreement


Address privacy, security and handling of Customer Data.
Going above and beyond the EU Model Clauses to address additional requirements from individual EU member states.
Enables customers to comply with their local regulations.

Office 365 compliance

Comply with additional industry leading standards

US Health Insurance Portability and Accountability Act


HIPAA is a U.S. law that requires HIPAA covered entities to meet certain privacy and security standards with respect to individually identifiable health information

Microsoft is offering to sign the Business Associate Agreement (BAA) for any Microsoft Enterprise Agreement customer. The BAA helps enable our customers to comply with HIPAA concerning protected health information.

EU Safe Harbor
The EU generally prohibits personal data from crossing borders into other countries except under circumstances in which the transfer has been legitimated by a recognized mechanism, such as the "Safe Harbor" certification. Microsoft was first certified under the Safe Harbor program in 2001, and we recertify compliance with the Safe Harbor Principles every twelve months.

Office 365 Compliance With Key Standards


ISO 27001 | All customers | Available
EU Safe Harbor | EU customers | Available
SSAE 16 (Statement on Standards for Attestation Engagements) SOC 1 (Type I & Type II) compliance | Primarily US customers | Available
FISMA | US Government | Available
HIPAA/BAA | All customers | Available
EU Model Clauses | EU customers | Available
Data Processing Agreement | All customers | Available
FERPA | EDU customers | Available

Transparency
At Microsoft, our strategy is to consistently set a high bar around privacy practices that support global standards for data handling and transfer

Where is Data Stored?


Clear Data Maps and Geographic boundary information provided
Ship To address determines Data Center Location

Who accesses and What is accessed?


Core Customer Data accessed only for troubleshooting and malware prevention purposes
Core Customer Data access limited to key personnel on an exception basis.

How to get notified?


Microsoft notifies you of changes in data center locations.

This saves customers time and money, and allows Microsoft to provide assurances to customers at scale.

Policy
Business rules for protecting information and systems which store and process information

Control Framework
A process or system to assure the implementation of policy

Standards
System or procedural specific requirements that must be met

Operating Procedures
Step-by-step procedures


Microsoft Cloud Vantage


Recommended Partner

Cloud Vantage Services

Cloud Vantage Services helps you realize business value from your Office 365 investments by providing deep expertise and collaboration across the full lifecycle to smoothly transition to Office 365, and make the most out of your cloud investments.


© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
