Microsoft Compliance Manager - What is it?

Hey everyone, I hope you all had a great break - I'm back on board and thought it made sense to cover some more Purview capabilities!

In December 2022, Microsoft made some licensing changes concerning Compliance Manager, making the product much more accessible to users. Due to this, I have been getting many questions about what this product does and how people can start using it.

We have also recently covered Compliance Manager with a SCI blog - check it out below:

I will quickly cover the licensing changes below; then we can start to dig into Compliance Manager and its templates:

What changed with template licensing in December 2022?

Organizations at the E5/A5/G5 levels have greater flexibility in which templates they can use for free as part of their licensing agreement. These organizations can choose up to three premium templates for free instead of having a pre-determined set of included templates. The Microsoft Data Protection Baseline is also included by default as part of your subscription.

For customers using any of the templates that were included before the December 2022 change (NIST 800-53, ISO 27001, GDPR), continued use of those templates will count against the allotted three free premium templates. Customers who have already purchased one or more premium templates will be able to use an additional three premium templates for free.

Also new in December 2022: templates that belong to the same regulation family now count as one template. For example, the templates for CMMC Levels 1 through 5 are now considered a single template, so you don't need to purchase multiple versions. When you purchase a template license for a regulation, the license applies to all levels and versions of that regulation.

So, this Compliance Manager thing - what is it for?

In short, Compliance Manager is a feature within the Purview portal that helps you manage your compliance requirements more quickly - think of things like ISO 27001 or the ASD Essential 8. As we all know, it's critical to have a compliance management program in place to ensure you're meeting your compliance requirements, whether they come from the location you operate in (like GDPR) or from an industry regulation that applies to you.

One of the key benefits here relates to how an organisation tracks its compliance requirements - it is typically very resource intensive and the tracking is spread across multiple different areas. This might be through numerous spreadsheets with controls mapped out to other teams, or managed separately by each team.

I have personally been a part of the Cyber Security team when audit time comes around and had to find out who has what data to track and demonstrate compliance to an auditor. Compliance Manager provides a single tool to streamline that process. By centralising compliance data and automating tasks where we can, we save time and resources on work that would otherwise be very complex.

The other essential part I wanted to touch on before showing how some of this works is that it has built-in automated workflows - including tracking and reporting. When a regulation or control changes, Microsoft updates the template to reflect that change and can automate some of the checks required to prove compliance (but not all!).

What does this look like?

Once you log into the Purview Portal, you can select Compliance Manager, which brings up the Compliance dashboard. Now, depending on what assessment templates we have configured (more on that shortly), it will populate several different areas:

  • Your Compliance Score - Showing your score against the assessments you have configured.
  • Key Improvement Actions - These show the controls you have to implement to achieve a level of compliance and are broken down into Not Completed, Completed and controls that you have marked as out of scope for these assessments.
  • Solutions that affect your score - Showing the solutions that impact your overall score and how many remaining actions are outstanding on them.
  • And finally, the Compliance Score Breakdown shows different control pillars and how many points have been achieved.

Now, as you can see, there is a lot of information to dig through here - and keep in mind that within my tenant, I only have two assessments configured: the Data Protection Baseline for M365 and ISO 27001 for Azure. When multiple assessments require the same controls, those controls are aggregated, so the same control won't be listed multiple times.

Microsoft has over 730 templates currently built into Compliance Manager; they cover regulations depending on your location as well as multiple industry regulations and controls. We can configure assessments based on the ones included, or create custom assessments by combining controls from existing assessments via an Excel spreadsheet import.

Improvement Actions

Ok, now this is where the real work comes into play - Improvement Actions, otherwise known as "What do I need to do to meet my Compliance Requirements?"

Depending on the assessments you have configured, you will have many different controls. I have narrowed my search to only the controls assigned to my Data Protection Baseline assessment template, as you can see below - you have multiple other filtering options, from filtering by template to the different solutions that are affected, even down to the various categories that those controls exist in.

Once we have those improvement actions in front of us, we can select one and dive deeper into the actual control itself. For this example, I have selected Enable self-service password reset - a reasonably common control. We can see information here such as:

  • The implementation status, as well as when this implementation occurred.
  • Notes regarding the implementation, typically from the user that configured it.
  • The user or group that this control was assigned to.
  • As well as guidance on how to implement this control within an environment - a key part of Compliance Manager, allowing you to streamline that process.
  • Finally, we have a learn more section, allowing a user to find out why these controls are essential and how they work.

Now, it's pretty easy to see just how powerful having all of this information in one place can be - it also allows you to enter testing notes and see what other controls may be related to this one, and provides the ability to upload evidence of a control's implementation - ensuring that all of the information needed to validate a control exists within the one central area.

Conclusion

So, hopefully, within this article, I have covered what Compliance Manager is and how it can be helpful within your environment - especially with the recent licensing changes.

Regulatory compliance might not be the most exciting thing for most of us. Still, it is a critical avenue to set that baseline level of security and privacy across different organisations. So, in that aspect, we should maintain those controls regularly.

As always, I am open to any suggestions, future articles, or feedback on any of the writing I do. I'll continue to post articles throughout the year, so the more feedback I get - the better!

Peace.
