Posted by For me one of the key take-aways from Ignite 2019 was the new compliance score. A lot of enterprises are still struggling with a multitude of regulations, an overload of cloud-services and functions and terabytes of data/information being produced/stored/accessed each month.
It is not an easy task to achieve compliancy considering all these aspects. To help and support enterprises, Microsoft offers the service trust portal – a very comprehensive portal for any compliance officer to visit. One of the components of this portal is the Compliance Manager.
This Compliance Manager (classic) offers a dashboard displaying the rules and regulations pertaining to any specific regulation. It allowed enterprises to review specific controls, assign these to users and mark these as “done”.
This (classic) dashboard was comprehensive. But for me, it still felt that it delegated a lot of activities to the enterprise itself and required a lot of knowledge of the Microsoft platforms (Office 365 for example).
So I’m very interested in the new Compliance Score. I’ve been working with the (Microsoft/Office 365) Secure Score for some time. So I was curious if it would offer the same level of detail and recommendations. Let’s take a look.
Compliance Score
The compliance score is still in preview and you will need an Azure AD role to access it. Here’s a quick table showing the relevant roles. To access the compliance score you can either got to the new Compliance dashboard or follow this link directly.
The score dashboard contains four main components. Let’s take a look at all four.
- Overview – this is the main dashboard of the score. Nice detail: it displays the score in a percentage. The score is based on the assessments you added. More on that later.
- Improvement actions – these are your recommendations. To the point and very clear.
- Solutions. These are all Microsoft solutions which help you become compliant. Examples: Information Protection, Cloud App Security and more. Nice detail – the improvements are plotted on these solutions.
- Assessments. These are the baselines (based on templates and/or custom controls) where the recommendations originate. These assessments can be placed in different groups.
Assessments
When I started with Compliance Score I got a so-called Data Protection Baseline assessment. This assessment is based on controls for Microsoft 365 – which is the tenant I own. So be aware of this: some assessments are meant for specific platforms or services. The GDPR and NIST CSF assessment (as an example) are based on Office 365 controls.
Don’t be surprised to notice that some (or quite some) actions are contained in different assessments and overlap.
As I wanted to take a look at information protection controls, I decided to add the GDPR assessment, but also the NIST Cybersecurity Framework (CSF)
How to add an assessment? It’s quite easy, if you know how (but that’s the case with a lot of things, isn’t it 🙂 ). First of all, you go to the Assessments tab and go to Manage assessments in Compliance Manager. Yep: that’s where the assessments are managed.
In the Compliance Manager (preview!) you go to the Assessments and Add Assessment.
Here you are able to add an assessment from a long list of templates.
Add the template to either an existing group or new group and that’s it. When refreshing the page at the Compliance Score, you’ll see the improvements actions based on the added assessment.
Do note that some templates are based on the specific Microsoft solutions. Mainly Office 365 and Intune. Here’s a short list:
Intune
- EU GDPR
- FFIEC
- HIPAA/HITECH
Office 365
- EU GDPR
- IRAP
- ISO/IEC 27701:2019
- LGDP
- SOC 1
- SOC 2
One thing to keep in mind: there’s (oddly enough) no option to delete an assessment. You can hide one, but it will still pop-up in the Compliance Score (in my case). But fortunately you can filter your actions.
Improvements
Based on the assessments I added and my interests in Information Protection, I applied the relevant filter. It’s very nice to see how many information is presented in the Compliance Score. Just take a look at the filtering options.
Based on the filter, these improvement actions were presented to me.
Most of the improvement actions will not come as a surprise if you’re familiar with the Secure Score. Which makes sense as the Secure Score is directly related to the Compliance Score.
But there are differences. And these will become clear when you look at the categories of improvements:
- Control Access
- Discover and Respond
- Govern information
- Manage compliance
- Manage Devices
- Manage internal risks
- Protect against threats
- Protect information
Most of the Manage compliance actions revolve around processes. Two examples: a mandatory external audit of the Office 365 environment or enforcing NDA’s.
Being interested in information protection, let’s select that category.
Well, this makes sense. 🙂 Great stuff!
Updates from the Secure Score
The Secure Score influences the Compliance Score. By default the updates from the secure score are set per action. So your score will be adjusted based on the modified actions. If you want to have your actions in the Compliance Score be updated automatically, do the following:
Go to the Service Trust portal and select More | Admin | Settings
Here you can select the automatic update. Just like that 🙂
Wrapping up
I like the new Compliance Score. I like it a lot and more so then the compliance manager. Why? Because this score provides enterprise with a score (duh….) and improvement actions. That score is important. In my experience a graphical indication of a status is more efficient for getting the point across.
“What? That’s our score?” kinda sums up the reactions I get when during sessions. So, I see a lot of us and potential for this Compliance Score. I’ll be looking into this further in the time to come. Want to know more, just go to this Microsoft site.
Governance, Risk, Security and Compliance 
