Assessment Report
Page 1 of 25
Assessment Report.
Table of contents
Executive Summary (page 3)
Monitoring, Internal audit, management review, Improvement 9.1, 9.2, 9.3, 10 (page 12)
Development A.14 (page 12)
Business Continuity A.17 (page 13)
Service delivery A.16, 9.1, A.9, A.10, A.12 (page 13)
Suppliers (IT third parties) A.15 (page 14)
Staff Interviews (on a sample basis) 7, 8, A.7 (page 15)
ISO27018 Base part of controls (5-18) (page 15)
ISO27018 Annex A controls (A.1-A.11) (page 16)
Next visit objectives, scope and criteria (page 18)
Next Visit Plan (page 19)
Executive Summary
The audit was carried out at the Microsoft Israel headquarters (HQ) in Herzliya. The audit objectives have
been achieved and the certificate scope can be confirmed. Based on the results of this audit, the audit
team concludes that Microsoft WDATP fulfils the standards and audit criteria identified in the audit
report, and that the management system continues to achieve its intended outcomes.
The audit team recommends that BSI consider the information in this assessment report as evidence of
the conformity of Microsoft WDATP to the requirements of ISO 27001 and ISO 27018 for continued
certification.
There were no outstanding nonconformities from previous assessments.
No change in relation to the audited organization’s activities, products or services covered by the scope
of certification was identified.
There was no change to the reference or normative documents related to the scope of certification.
Please refer to Assessment Conclusion and Recommendation section for the required submission and
the defined timeline.
Page 7 of 25
Assessment Report.
The scope of the assessment is the documented management system with relation to the requirements
of ISO27001, ISO27018 and the defined assessment plan provided in terms of locations and areas of
the system and organisation to be assessed.
ISO27001, ISO27018
Microsoft WDATP management system documentation
Assessment Participants
Name | Position | Opening meeting | Closing meeting | Interviewed (processes)
(not recorded) | General manager (WDATP) | X | X |
(not recorded) | Program manager lead (WDATP) | X | X | X
(not recorded) | Program manager (WDATP) | X | X | X
(not recorded) | Group software engineering manager (WDATP) | X | X | X
(not recorded) | Service engineer manager (Operations team manager) | X | X | X
(not recorded) | Group program manager (Security IR) | X | X | X
(not recorded) | Architects and security lead (WDATP) | X | X | X
(not recorded) | Software engineering lead (WDATP) | X | X | X
(not recorded) | Service engineering lead (WDATP) | X | X | X
Assessment conclusion
BSI assessment team
Name | Position
Giuseppe Esposito | Team leader
The audit objectives have been achieved and the certificate scope remains appropriate. The audit team
concludes based on the results of this audit that the organization does fulfil the standards and audit
criteria identified within the audit report and it is deemed that the management system continues to
achieve its intended outcomes.
RECOMMENDED - The audited organization can be recommended for certification (ISO27018) and
continued certification (ISO27001) to the above listed standards, and has been found in general
compliance with the audit criteria as stated in the above-mentioned audit plan.
Opening meeting:
The opening meeting was conducted and the arrangements for the assessment were confirmed
satisfactorily with the representatives present. The BSI findings were then presented.
The likelihood measure used in the risk model is based mainly, but not only, on historical data.
SoA: only one control is excluded, A.14.2.7 (outsourced development), because no external development takes place.
Development A.14:
Verified “WDATP development SDL SOP” ver 2018.1, 15/5/2018.
A major release is issued every half year; security, privacy and compliance are the main criteria applied in
development activities.
The logical phases are:
• Training; verified “Standard of business conduct” and “Privacy 101 for 2018” in the online annual
training report.
• Requirements phase; verified xTrack, the tool used to assess requirements.
• Design phase; VSO (Visual Studio Online) is the environment (project management and tracking
system) containing the list of tasks generated by the previous step. Verified the “complete and upload a
threat model” task.
• Implementation phase; verified the classification of the data collected from client Windows systems:
“WDATP RS4 Data Classification.xlsx (15/5/2018)”, containing 769 rows in the “ETW” tab (ETW is the
Windows event logging mechanism). In total the file has 997 rows, each corresponding to a data field
collected from client systems.
• Validate phase (assurance team in a separate VSO environment); verified the report from J.T. on the
penetration test of the product. Verified “WDG Serpent quick review report defender ATP April 2018”;
verified the output of the automated testing performed with the “Microsoft Encription-in-Transit Status”
tool.
• Release phase; verified “VSO/Dashboard/RS4 Quality”, containing the summary of security items
related to the product release.
The “WDATP Compliance calendar” lists all the tasks to be performed, and their deadlines, in order to
comply with security, privacy and compliance requirements.
The data for the staging environment are created by the team itself, using team machines.
The Security Assurance Team (Serpent) is external to the product team and serves all Windows
development teams.
C# is the programming language used.
Logging and monitoring: confirmed the procedure seen during the last visit.
• Log collection (Geneva platform): security, system and application events, retained for 90 days.
• Event alerting and monitoring: Azure IcM is the ticketing platform that collects alerts and incidents.
Capacity: no changes since the last visit. Azure, MCO and Cosmos are the environments whose capacity
must be monitored; a review takes place each quarter.
Verified “2018-04-WDATP COGs Model”, the capacity plan issued in April 2018.
Verified security incident 18-0672 (BI platform): occurred on 9/4/2018; closed on 11/5/2018.
Verified “Windows & Devices group security operations (WDGFire): Security incident handling (IR) SOP”
ver 1.5.1, 17/4/2018.
A.10 Cryptography
Verified “WDATP Cryptographic control SOP”, 20/5/2018.
Both internal and external certificates are used, with SHA-2 signatures and 2048-bit keys. Minimum
strengths: TLS 1.2 for encryption in transit and 256-bit AES for encryption at rest.
Azure vault is the service used to store and manage certificates. Verified “SOP supporting tools assets –
access review” 2018.1, 20/4/2018. At present 3,165 certificates are managed.
Finding Reference: 1637166-201805-I1
Certificate Reference: IS 663486
Certificate Standard: ISO/IEC 27001:2013 Clause A12.4.3
Category: Opportunity for Improvement
Area/Process: Service delivery A.16, 9.1, A.9, A.10, A.12
Details: The organization can consider the opportunity to extend the monitoring and logging policy to
address the risks associated with client personal data incidents, taking into account specific local
regulations in addition to the main regulations such as GDPR (e.g. the Italian “Measures and
arrangements applying to the controllers of processing operations performed with the help of electronic
tools in view of committing the task of system administrator”).
1. 7 internal suppliers;
2. 6 internal suppliers;
3. No.
There is an SLA for each supplier. Verified the risk assessment performed for “WDG Information security
as a supplier”; verified the mail from Naama to Moti Gindi and Chase Carpenter reporting the results of
the risk assessment for that supplier, the compensating controls adopted, the in-scope services, the
supplier assessment results and the mitigation plans, which was signed on 20 April 2018.
15.1.3 The organization does not consider it necessary to put specific agreements in place for some services (eg:
Y. K. – Software developer
Security and privacy online training completed; no personal data is kept in test environments.
PT is used; the security development policy is followed; code review is adopted as a follow-up control.
Changes are implemented through controlled workflows.
A. C. – Service engineer
Learning activity every year; three courses attended in the last year.
Verified the dashboard monitoring service; the staging environment contains no customer data.
A.2.1 The Online Service Terms of May 1, 2018 form the basic part of the contract and, in the section
“Processing of Customer Data: Ownership”, set out the agreement regarding this control. Annexes to the
basic part of the contract are possible, but only once has a contract been escalated to the team (which
performs the third level of escalation).
A.2.2 “Processing of Customer Data: Ownership” section of the Online Service Terms, May 1, 2018.
A.4.1 The timing depends on the specific subsystem; the documents are technical documents such as
functional specifications and task descriptions. Monitoring of the resources used and consumed gives
feedback on any resources not deleted by the internal supplier.
A.5.1 “Disclosure of Customer Data” section of the Online Service Terms, May 1, 2018.
A.5.2 https://www.microsoft.com/en-us/trustcenter/Privacy/govt-requests-for-data
The page contains the commitment on responding to government disclosure requests.
https://www.microsoft.com/en-us/about/corporate-responsibility/lerr
The page contains the latest report issued (Jul-Dec 2017), showing the statistics on disclosures.
A.7.1 “Notice and Controls on use of Subprocessors” section of the Online Service Terms, May 1, 2018,
and
https://www.microsoft.com/en-us/trustcenter/privacy/who-can-access-your-data-and-on-what-terms#subcontractors
A.9.2 Security policies are recorded in a dedicated SharePoint site; a 6-year retention policy is applied;
verified “Documentation Management SOP – Club Safety” 2017.3, 16/1/2018.
A.9.3 “Data Transfers and Location” and “Data Retention and Deletion” sections of the Online Service
Terms, May 1, 2018.
A.10.1 The individual contract signed by all employees contains specific clauses in appendix B to the
contract: “Letter of commitment to safeguarding secrecy avoiding unfair competition, intellectual
property and reputation”.
A.10.2 Verified “DM-03 Information and media handling standard” (EGRC, Enterprise Government Risk
and Compliance site), containing requirement REQ-579 (printing).
The classification of PII as confidential or highly confidential is defined in the “Microsoft classification
wizard”. PII can be confidential or highly confidential data.
=Document&downloadId=47d89200-b24b-491d-b657-7c523ddfb6f9&docTab=4ce99610-c9c0-11e7-8c2c-f908a777fa4d_ISO_Reports
The data are encrypted as compensating control.
A.10.5 Personal devices are not allowed by policy; laptops run Windows 10 with BitLocker. Intune is used
to manage mobile phones.
A.10.7 Verified the “DM-03 Information and media handling standard” general policy. Hardcopy material
is destroyed using shredders present on every floor of the building.
A.10.8 Identity management is supported by Active Directory; verified “SOP Production assets – access
review”, 20/4/2018; the report shows that there are no shared accounts.
A.10.10 The Microsoft general policy “AC-02 Account Management and access authorization standard”
applies to laptops, the development environment and general services; for production the owner is the
Operations team. A deactivated account cannot be reallocated to another user, because the Operations
team has to request new accounts from IT.
A.10.11 Verified the “Processing of Customer Data: Ownership” and “Security Practices and Policies”
sections of the Online Service Terms, May 1, 2018.
A.10.13 The Azure services do not allow a decommissioned environment to be reused. In addition,
there are logical controls on user accounts and separation between environments. It is not possible to
dedicate a specific physical space to client environments.
A.11.1 Customers choose the location where their data are stored. The page
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection#do-i-have-the-flexibility-to-select-where-to-store-my-data
describes the available options (US, EU, UK).
During onboarding the customer can therefore choose where the data are stored.
A.11.2 The control relies on the secure protocol used to transmit data: the endpoints are authenticated.
The scope of the assessment is the documented management system with relation to the requirements
of ISO27001, ISO27018 and the defined assessment plan provided in terms of locations and areas of
the system and organisation to be assessed.
Criteria:
ISO27001, ISO27018
Microsoft WDATP management system documentation
Please note that BSI reserves the right to apply a charge equivalent to the full daily rate for cancellation
of the visit by the organization within 30 days of an agreed visit date. It is a condition of Registration
that a deputy management representative be nominated. It is expected that the deputy would stand in
should the management representative find themselves unavailable to attend an agreed visit within 30
days of its conduct.
Scope of Certification
Assessed location(s)
Business area/Location | Audit 1 | Audit 2
Date (mm/yy) | 05/18 | 04/19
Duration (days) | 1 | 1
Scope and Policy | X | X
Organisational context | X | X
Leadership and Commitment | X | X
Management System Support | X | X
Planning and Resources | X | X
Human Resource Management | X | X
Control of Documents and Records | X | X
Objectives / Performance Monitoring & Measurement | X | X
Management Review | X | X
Supply Chain | X | X
Internal Audits | X | X
Actions / Non-Conformity / Incidents / Complaints | X | X
Risk Management / Prevention | X | X
Legal and Other Requirements | X | X
Improvement | X | X
Haifa operations | X | X
Definitions of findings:
Nonconformity:
Non-fulfilment of a requirement.
Major nonconformity:
Nonconformity that affects the capability of the management system to achieve the intended results.
Nonconformities could be classified as major in the following circumstances:
• If there is a significant doubt that effective process control is in place, or that products or services
will meet specified requirements;
• A number of minor nonconformities associated with the same requirement or issue could
demonstrate a systemic failure and thus constitute a major nonconformity.
Minor nonconformity:
Nonconformity that does not affect the capability of the management system to achieve the intended
results.
Observation:
It is ONLY applicable to those schemes which prohibit the certification body from issuing an opportunity
for improvement.
It is a statement of fact made by the assessor referring to a weakness or potential deficiency in a
management system which, if not improved, may lead to a nonconformity in the future.
'Just for Customers' is the website that we are pleased to offer our clients following successful
registration, designed to support you in maximising the benefits of your BSI registration - please go to
www.bsigroup.com/j4c to register. When registering for the first time you will need your client reference
number and your certificate number (47654212/IS 663486).
Should you wish to speak with BSI in relation to your registration, please contact our Customer
Engagement and Planning:
Notes
This report and related documents are prepared for and only for BSI’s client and for no other purpose.
As such, BSI does not accept or assume any responsibility (legal or otherwise) or accept any liability for
or in connection with any other purpose for which the Report may be used, or to any other person to
whom the Report is shown or in to whose hands it may come, and no other persons shall be entitled to
rely on the Report. If you wish to distribute copies of this report external to your organisation, then all
pages must be included.
BSI, its staff and agents shall keep confidential all information relating to your organisation and shall not
disclose any such information to any third party, except that in the public domain or required by law or
relevant accreditation bodies. BSI staff, agents and accreditation bodies have signed individual
confidentiality undertakings and will only receive confidential information on a 'need to know' basis.
This audit was conducted on-site through document reviews, interviews and observation of activities.
The audit method used was based on sampling the organization’s activities and it was aimed to evaluate
the fulfilment of the audited requirements of the relevant management system standard or other
normative document and confirm the conformity and effectiveness of the management system and its
continued relevance and applicability for the scope of certification.
As this audit was based on a sample of the organization’s activities, the findings reported do not purport
to cover all issues within the system.
Regulatory compliance
BSI conditions of contract for this visit require that BSI be informed of all relevant regulatory
non-compliance or incidents that require notification to any regulatory authority. Acceptance of this report by
the client signifies that all such issues have been disclosed as part of the assessment process and
agreement that any such non-compliance or incidents occurring after this visit will be notified to the BSI
client manager as soon as practical after the event.