
Privacy
  What does privacy at Microsoft mean?
  Are you using my data to build advertising products?

Compliance
  What certifications and capabilities does Microsoft hold?
  How does Microsoft support customer compliance needs?
  Do I have the right to audit Microsoft?

Transparency
  Where is my data?
  Who has access to my data?

Security
  Is cloud computing secure?
  Are Microsoft Online Services secure?

Your Privacy Matters

Leadership in Transparency
  You know where data resides, who can access it and what we do with it.

Independently Verified
  Compliance with world-class industry standards, verified by third parties.

Relentless on Security
  Excellence in cutting-edge security practices.

http://trustoffice365.com
  Office 365 Privacy Whitepaper
  Office 365 Security Whitepaper and Service Description
  Office 365 Standard Responses to Request for Information
  Office 365 Information Security Management Framework

Office 365 is a highly standardized service that Microsoft offers under highly standardized contractual terms and conditions.

  Services are highly configurable and scalable without customization.
  Services are covered by the Microsoft Security Policy.
  We provide transparency in data location and transfers.
  We audit on your behalf and provide certification reports.
  Microsoft's liability is capped, consistent with industry standards.
  Office 365 is an evergreen service: customers need to stay current.
  Our solution evolves rapidly with a documented roadmap.
  We provide service offers to help you migrate to the cloud efficiently.

Security Development Lifecycle (SDL): reduce vulnerabilities, limit exploit severity

Training
  Core Security Training

Requirements
  Establish Security Requirements
  Create Quality Gates / Bug Bars
  Security & Privacy Risk Assessment

Design
  Establish Design Requirements
  Analyze Attack Surface
  Threat Modeling

Implementation
  Use Approved Tools
  Deprecate Unsafe Functions
  Static Analysis

Verification
  Dynamic Analysis
  Fuzz Testing
  Attack Surface Review

Release
  Incident Response Plan
  Final Security Review (FSR)
  Release Archive

Response
  Execute Incident Response Plan

Ongoing
  Education: administer and track security training
  Process: guide product teams to meet SDL requirements
  Accountability: establish release criteria and sign-off as part of the FSR
  Process Improvements
  Incident Response (MSRC)

Threat and vulnerability management, monitoring, and response, layer by layer:

Data               Access control and monitoring; file/data integrity
User               Account management; training and awareness; screening
Application        Secure engineering (SDL); access control and monitoring; anti-malware
Host               Access control and monitoring; anti-malware; patch and configuration management
Internal network   Dual-factor authentication; intrusion detection; vulnerability scanning
Network perimeter  Edge routers; intrusion detection; vulnerability scanning
Facility           Physical controls; video surveillance; access control

https://www.cert.org/blogs/certcc/2011/04/office_shootout_microsoft_offi.html

Privacy at Office 365

At Microsoft, our strategy is to consistently set a high bar around privacy practices that support global standards for data handling and transfer.

No Advertising
  No advertising products are built out of Customer Data.
  No scanning of email or documents to build analytics or mine data.

Data Portability
  Office 365 Customer Data belongs to the customer.
  Customers can export their data at any time.

No Mingling
  Choices to keep Office 365 Customer Data separate from consumer services.

How is the privacy of data protected?

We use Customer Data only for what customers pay us for: to maintain and provide the Office 365 service.

How Microsoft Online Services Customer Data is used, by data category:
  Usage     = Usage Data
  Account   = Account and Address Book Data
  Customer  = Customer Data (excluding Core Customer Data)
  Core      = Core Customer Data

Purpose                                              Usage   Account   Customer   Core
Operating and troubleshooting the service            Yes     Yes       Yes        Yes
Security, spam and malware prevention                Yes     Yes       Yes        Yes
Improving the purchased service, analytics           Yes     Yes       Yes        No
Personalization, user profile, promotions            No      Yes       No         No
Communications (tips, advice, surveys, promotions)   No      No/Yes    No         No
Voluntary disclosure to law enforcement              No      No        No         No
Advertising                                          No      No        No         No

Who may access which data category:
  Usage     = Usage Data
  Account   = Address Book Data
  Customer  = Customer Data (excluding Core Customer Data)
  Core      = Core Customer Data

Operations Response Team (limited to key personnel only)
  Usage:    Yes.
  Account:  Yes, as needed.
  Customer: Yes, as needed.
  Core:     Yes, by exception.

Support Organization
  Usage:    Yes, only as required in response to a Support Inquiry.
  Account:  Yes, only as required in response to a Support Inquiry.
  Customer: Yes, only as required in response to a Support Inquiry.
  Core:     No.

Engineering
  Usage:    Yes.
  Account:  No direct access. May be transferred during troubleshooting.
  Customer: No direct access. May be transferred during troubleshooting.
  Core:     No.

Partners
  Usage:    With customer permission. See Partner for more information.
  Account:  With customer permission. See Partner for more information.
  Customer: With customer permission. See Partner for more information.
  Core:     With customer permission. See Partner for more information.

Others in Microsoft
  Usage:    No.
  Account:  No (Yes for Office 365 for small business customers, for marketing purposes).
  Customer: No.
  Core:     No.

Compliance

Office 365 compliance

We are the first and only major cloud-based productivity service to offer the following:

ISO 27001
  ISO 27001 is one of the best-regarded security benchmarks available worldwide.
  Office 365 is the first major business productivity public cloud service to implement rigorous ISO security controls across physical, logical, process and management domains.

EU Model Clauses
  Office 365 is the first major business productivity public cloud service provider willing to sign the EU Model Clauses with all customers.
  The EU Model Clauses are a set of stringent EU-wide data protection requirements.

Data Processing Agreement
  Addresses privacy, security and handling of Customer Data.
  Goes above and beyond the EU Model Clauses to address additional requirements from individual EU member states.
  Enables customers to comply with their local regulations.

Office 365 compliance

Compliance with additional industry-leading standards:

US Health Insurance Portability and Accountability Act (HIPAA)
  HIPAA is a U.S. law that requires HIPAA-covered entities to meet certain privacy and security standards with respect to individually identifiable health information.
  Microsoft offers to sign a Business Associate Agreement (BAA) with any Microsoft Enterprise Agreement customer. The BAA helps enable our customers to comply with HIPAA with respect to protected health information.

EU Safe Harbor
  The EU generally prohibits personal data from crossing borders into other countries except where the transfer has been legitimated by a recognized mechanism, such as the "Safe Harbor" certification.
  Microsoft was first certified under the Safe Harbor program in 2001, and we recertify compliance with the Safe Harbor Principles every twelve months.

Office 365 Compliance With Key Standards

Standard                                                              Customers               Status
ISO 27001                                                             All customers           Available
EU Safe Harbor                                                        EU customers            Available
SSAE 16 (Statement on Standards for Attestation Engagements) /
  SOC 1 (Type I & Type II) compliance                                 Primarily US customers  Available
FISMA                                                                 US Government           Available
HIPAA / BAA                                                           All customers           Available
EU Model Clauses                                                      EU customers            Available
Data Processing Agreement                                             All customers           Available
FERPA                                                                 EDU customers           Available

Transparency

Where is data stored?
  Clear data maps and geographic boundary information are provided.
  The Ship To address determines the data center location.

Who accesses data, and what is accessed?
  Core Customer Data is accessed only for troubleshooting and malware prevention purposes.
  Core Customer Data access is limited to key personnel, on an exception basis.

How are you notified?
  Microsoft notifies you of changes in data center locations.

This saves customers time and money, and allows Microsoft to provide assurances to customers at scale.

Policy
  Business rules for protecting information and the systems which store and process information.

Control Framework
  A process or system to assure the implementation of policy.

Standards
  System- or procedure-specific requirements that must be met.

Operating Procedures
  Step-by-step procedures.


Microsoft Cloud Vantage

Recommended Partner: Cloud Vantage Services

Cloud Vantage Services helps you realize business value from your Office 365 investments by providing deep expertise and collaboration across the full lifecycle, to smoothly transition to Office 365 and make the most of your cloud investments.


© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
