
Standard Response to Requests for Information

for Microsoft Professional Services

Contents
1. Introduction
1.1. Overview
2. Information Security
2.1. Information Security Policy
2.2. Organization of Information Security
2.3. Access Control
2.4. Physical and Operational Security
2.5. System Development
2.6. Security Risk Management
3. Governance, Risk and Compliance
3.1. Asset Management
3.2. Change Control
3.3. Business Practices
4. Privacy and Regulatory
4.1. Regulatory Compliance
4.2. Privacy
4.3. Incident Response and Management
5. Personnel
5.1. Human Resources
5.2. Supplier Relationship
5.3. Training
6. Business Continuity
6.1. Business Continuity Management

Effective: March 18, 2019

©2019 Microsoft Corporation - Microsoft Confidential. All rights reserved. This document is provided “as-is.” Information
and views expressed in this document, including URL and other Internet Web site references, may change without notice.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. This
document is confidential and proprietary to Microsoft. It is disclosed and can be used only pursuant to a non-disclosure
agreement.
1. Introduction

1.1. Overview
Microsoft Professional Services includes a diverse group of technical architects, engineers, consultants, and
support professionals dedicated to delivering on Microsoft's mission of empowering customers to do more
and achieve more.

You may find out more about Microsoft Professional Services at https://aka.ms/mprofserv and by going to the
Microsoft Professional Services section on the Microsoft Trust Center, https://aka.ms/mpstrust.

This Standard Response to Requests for Information provides responses to customer questions about Microsoft
Consulting Services, Unified Support, and Premier Support for Commercial On Premises, Azure, Dynamics 365,
Intune, and for Office 365 Medium Business and Enterprise customers, as covered under the Microsoft Professional
Services Data Protection Addendum (MPSDPA). The definitions included in this document are the same as within
the MPSDPA.

2. Information Security

2.1. Information Security Policy

Question: Are Microsoft Professional Services security policies defined and documented?
Microsoft Response: Microsoft Professional Services organization maintains defined and documented information security policies. This is audited under the Professional Services ISO 27001 independent certification (A.05.01.01).

Question: Are the information security policies regularly reviewed and approved by management?
Microsoft Response: Information security policies undergo a formal management review and approval at an interval not to exceed 1 year. This is audited under the Professional Services ISO 27001 independent certification (A.05.01.02).

Question: What is the process for communicating information security policies?
Microsoft Response: Microsoft Professional Services organization’s Information Security Policy is published on an internal site that is available to all personnel. All employees receive annual training that covers the information security policy, along with privacy and data handling. This is audited under the Professional Services ISO 27001 independent certification (A.05.01.02).

Question: How often are information security policies reviewed?
Microsoft Response: In the event a significant change is required in security requirements, the policies may be reviewed and updated outside of the regular schedule. This is audited under the Professional Services ISO 27001 independent certification (A.05.01.02).

2.2. Organization of Information Security

Question: Are the roles and responsibilities defined and documented in the information security policy?
Microsoft Response: Security roles and responsibilities are defined and documented in accordance with policy as needed. This is audited under the Professional Services ISO 27001 independent certification (A.06.01.01).

Question: How is an exception made to the security policy?
Microsoft Response: Microsoft Professional Services organization maintains a process for exceptions that requires senior management approval for each exception. This is audited under the Professional Services ISO 27001 independent certification (A.06.01.01).

Question: Is there separation of duties to prevent unauthorized activity?
Microsoft Response: Microsoft Professional Services organization separates roles and responsibilities between job functions to prevent unauthorized activity without collusion. This is audited under the Professional Services ISO 27001 independent certification (A.06.01.02).

2.3. Access Control

Question: Are Microsoft Professional Services access control policies documented?
Microsoft Response: Microsoft Professional Services organization has documented Access Control Policies which are periodically reviewed. This is audited under the Professional Services ISO 27001 independent certification (A.09.01.01).

Question: How is access to data determined in Professional Services?
Microsoft Response: Microsoft Professional Services organization standards require that access to Support and Consulting Data is granted based on business justification, limited based on "need-to-know" and "least-privilege" principles. This is audited under the Professional Services ISO 27001 independent certification (A.09.01.02).

Question: How are access rights for Joiners, Movers, and Leavers managed?
Microsoft Response: Microsoft Professional Services organization implements access rights management for Joiners, Movers, and Leavers. This is audited under the Professional Services ISO 27001 independent certification (A.09.02.02).

Question: How are users’ access rights verified?
Microsoft Response: Microsoft Professional Services organization has a formal process for regular review of users’ access rights to determine they have been given least privilege access. This is audited under the Professional Services ISO 27001 independent certification (A.09.02.05).

Question: What happens to a user’s access when a user is separated or terminated?
Microsoft Response: Microsoft Professional Services organization uses a formal user registration and de-registration process to modify or remove the access rights of personnel whose role has been separated or terminated. This is audited under the Professional Services ISO 27001 independent certification (A.09.02.06).

Question: How often is access reviewed for non-permanent personnel?
Microsoft Response: Where Microsoft Professional Services organization user accounts are assigned to non-permanent personnel (e.g., contractors, consultants), the accounts and VPN access are reviewed for appropriate access rights and inactivity at least every six months. This policy is informed by ISO 27001, industry best practices, and other regulatory guidelines.

Question: Can a user account be shared?
Microsoft Response: Microsoft password management policy requires that each user account is assigned to a specific person and not shared. This is audited under the Professional Services ISO 27001 independent certification (A.09.03.01).

Question: What does a user need to do to change a password?
Microsoft Response: Microsoft requires users to authenticate prior to changing their password. For most systems Microsoft leverages Active Directory to implement this. This policy is informed by ISO 27001, industry best practices, and other regulatory guidelines. This is audited under the Professional Services ISO 27001 independent certification (A.09.04.02).

Question: Do active accounts have a unique identifier for access to platforms, applications, and databases?
Microsoft Response: Microsoft Professional Services organization policy requires that each user has unique identifiers for access to platforms, applications and databases. This is audited under the Professional Services ISO 27001 independent certification (A.09.04.02).

Question: How often do users need to change a password?
Microsoft Response: Microsoft password management policy requires that systems enforce password changes at least every 70 days and be different from at least the previous twenty-four passwords. Most systems rely on Active Directory for password management, which enforces minimum requirements for password length, complexity and expiry, and these meet or exceed industry standards. This is audited under the Professional Services ISO 27001 independent certification (A.09.04.02).

Question: Can a password be displayed in clear text during user authentication?
Microsoft Response: Microsoft policy requires that passwords in systems are prevented from being displayed in clear text during user authentication. This policy is informed by ISO 27001, industry best practices, and other regulatory guidelines. This is audited under the Professional Services ISO 27001 independent certification (A.09.04.02).

Question: What is the process for new employees to receive an initial password?
Microsoft Response: The Microsoft standard process for distribution of initial passwords encrypts the information in an email sent to the employee's manager using Digital Rights Management. The credentials are communicated from the manager to new employees and the initial password must be immediately changed at first login by the employee. This policy is informed by ISO 27001, industry best practices, and other regulatory guidelines. This is audited under the Professional Services ISO 27001 independent certification (A.09.04.02).

Question: How long can a user login with the initial password?
Microsoft Response: Microsoft password management policy requires that systems enforce initial/temporary passwords to be changed at first logon. Most systems rely on Active Directory to enforce this policy. This policy is informed by ISO 27001, industry best practices, and other regulatory guidelines. This is audited under the Professional Services ISO 27001 independent certification (A.09.04.02).

Question: What does password complexity/management include?
Microsoft Response: The Microsoft standard process for password management includes password strength, password history, inactivity and other industry standard password best practices. Password policies for corporate domain accounts are managed through Microsoft corporate Active Directory policy. This is audited under the Professional Services ISO 27001 independent certification (A.09.04.03).

Question: Who can reset passwords?
Microsoft Response: Microsoft restricts password reset authority to authorized personnel and/or an automated password reset tool. This is audited under the Professional Services ISO 27001 independent certification (A.09.04.03).

2.4. Physical and Operational Security

Question: Does Microsoft Professional Services have a physical security program?
Microsoft Response: Microsoft Professional Services utilizes the Azure Global Infrastructure Organization, which maintains a physical security program that meets or exceeds industry standards for a global network for Microsoft datacenters.

Question: Is there a dedicated staff or individual responsible for physical security?
Microsoft Response: The security of Microsoft facilities and physical access are assigned to roles and ultimately to individual personnel. This is audited under the Professional Services ISO 27001 independent certification (A.11.01.01).

Question: Are there operating procedures for maintaining physical security?
Microsoft Response: Microsoft utilizes operating procedures that have a designated owner, are maintained, reviewed annually, and approved by management. This work is performed by Azure Global Infrastructure Organization and Microsoft Corporate Services Engineering (CSE) organizations.

Question: Are there requirements for individuals to be permitted in the facility?
Microsoft Response: Access to Microsoft facilities must be approved; personnel must check in with physical security at the point of arrival and provide a valid proof of ID before entry. This is audited under the Professional Services ISO 27001 independent certification (A.11.01.02).

2.5. System Development

Question: What processes are in place to protect software and services?
Microsoft Response: Systems and software tools used to provide services and support at Microsoft undergo the Security Development Lifecycle (SDL), a comprehensive security assurance review that informs every stage of design, development, and deployment of Microsoft software and services. SDL may include design requirements, analysis of attack surface, and threat modeling.

Question: Are security controls applied to internally developed applications?
Microsoft Response: Microsoft has a mature Security Development Lifecycle (SDL) process that is followed for all engineering and development projects. The Microsoft SDL process implements security engineering principles that meet or exceed industry standards across each phase.

Question: Does SDL provide a thorough review of security concerns throughout the production life cycle?
Microsoft Response: SDL may include design requirements, analysis of attack surface, and threat modeling. SDL helps Microsoft predict, identify, and mitigate vulnerabilities and threats from before a service is launched through its entire production life cycle.

Question: How current is SDL?
Microsoft Response: Microsoft continuously updates the SDL using the latest data and best practices to help ensure that systems and software associated with Microsoft Professional Services have had vulnerabilities addressed.

2.6. Security Risk Management

Question: How is the annual risk assessment managed?
Microsoft Response: Microsoft Professional Services organization performs an annual risk assessment through a program that has been approved by management, communicated to appropriate constituents and has an owner with the responsibility of maintaining and reviewing the program.

Question: What does the annual risk assessment cover?
Microsoft Response: Microsoft performs an annual risk assessment that covers security, continuity, and operational risks. As part of this process, threats to security are identified and the risk from these threats is formally assessed.

3. Governance, Risk and Compliance

3.1. Asset Management

Question: Does Microsoft have an approved asset management policy?
Microsoft Response: Microsoft has an approved asset management policy that meets or exceeds industry standards. This is audited under the Professional Services ISO 27001 independent certification (A.08.01.01).

Question: How is the asset management policy managed?
Microsoft Response: Microsoft has an approved asset management policy that meets or exceeds industry standards. The program and policy have designated owners whose responsibility includes maintenance, periodic review and approval by management. This is audited under the Professional Services ISO 27001 independent certification (A.08.01.01).

Question: How is the asset management policy communicated across the organization?
Microsoft Response: Microsoft has an approved asset management policy that meets or exceeds industry standards. The program is communicated across the organization to appropriate constituents through documentation, training, and technical enforcement in tools as appropriate. This is audited under the Professional Services ISO 27001 independent certification (A.08.01.01).

Question: How does Microsoft maintain inventory of hardware assets?
Microsoft Response: Microsoft maintains an inventory of hardware assets using a proprietary Microsoft asset tracking system that uses a unique identifier and meets or exceeds industry standards. This work is performed by Azure Global Infrastructure Organization and Corporate Services Engineering (CSE). This is audited under the Professional Services ISO 27001 independent certification (A.08.02.02).

Question: Who oversees the procedures for managing assets?
Microsoft Response: Information labeling procedures for Microsoft Professional Services organization physical and logical information assets require that each asset have a designated owner who is responsible for up-to-date asset classification and protection in accordance with classification. This is audited under the Professional Services ISO 27001 independent certification (A.08.02.02).

Question: Are there policies and procedures regarding the installation or use of unauthorized, unlicensed, and unsupported hardware and software?
Microsoft Response: Microsoft has policies and procedures governing the installation or use of unauthorized, unlicensed, and unsupported hardware and software. Unsupported hardware cannot join Microsoft’s domain and cannot be used. Non-Microsoft Software licenses are tracked through standard procurement processes. This is audited under the Professional Services ISO 27001 independent certification (A.08.02.03).

Question: Are portable media and devices allowed in the data center?
Microsoft Response: Microsoft Professional Services organization prohibits the use of portable media and devices in the data center and during routine operations. If removable media is necessary in a customer engagement, use of BitLocker technology for disk encryption is required. These policies have designated owners, are reviewed at least annually, and are approved by management. This is audited under the Professional Services ISO 27001 independent certification (A.08.03.01).

Question: Is there a process to remove information prior to decommissioning equipment?
Microsoft Response: Microsoft Professional Services organization has processes in place to remove information from or destroy decommissioned equipment based on a risk determination. This is audited under the Professional Services ISO 27001 independent certification (A.08.03.02).

Question: Is there a retention schedule for customer confidential paper records?
Microsoft Response: Microsoft Professional Services organization’s policy is to not use paper records for confidential or Support and Consulting Data. If paper records are required to be utilized, they are immediately destroyed after use using industry standard document destruction practices. This is audited under the Professional Services ISO 27001 independent certification (A.08.03.02).

Question: Does Microsoft have procedures to safeguard customer confidential or personal data stored in cabinets or vaults?
Microsoft Response: Not applicable. Microsoft Professional Services organization does not handle physical documents.

Question: Are Microsoft personnel informed about the policy on portable storage devices?
Microsoft Response: Microsoft Professional Services organization trains personnel to avoid use of removable media during customer engagements whenever possible. This is audited under the Professional Services ISO 27001 independent certification (A.07.02.02).

Question: Is removable media encrypted at rest?
Microsoft Response: If removable media is necessary in a customer engagement, use of BitLocker technology for disk encryption is required. This is audited under the Professional Services ISO 27001 independent certification.

Question: What methods does Microsoft Professional Services use to protect sensitive data?
Microsoft Response: Microsoft Professional Services organization policies include data classification and protection to appropriately protect risk. Sensitive data is designated as Support and Consulting Content and protected as highly confidential. Protections for Content include annual vulnerability testing, encryption in transit and at rest, and geographic distribution based on customer location.

3.2. Change Control

Question: How does Microsoft Professional Services control change management?
Microsoft Response: Microsoft Professional Services organization uses formal change control policy and procedures in our operations environment to manage and control changes to information assets. This is audited under the Professional Services ISO 27001 independent certification (A.12.01.02).

Question: How does Microsoft Professional Services review and document program changes?
Microsoft Response: Microsoft Professional Services organization implements formal documented data protection reviews for creating new, or changing existing, offers and business processes that affect information security. This is audited under the Professional Services ISO 27001 independent certification (A.12.01.02).

Question: Does the organization allow modifications to software?
Microsoft Response: Microsoft policy and practices discourage modifications to software packages and limit them to necessary changes. This policy is influenced by ISO 27001 and industry best practices.

3.3. Business Practices

Question: Can Microsoft Professional Services personnel offer gifts or make promises to government officials or individuals in the private sector?
Microsoft Response: Microsoft Professional Services organization personnel are prohibited from actions that would influence actions or obtain an improper advantage for the company, its customers or any third party. Personnel must abide by the published Microsoft Standards of Business Conduct: https://www.microsoft.com/en-us/legal/compliance/buscond/lawsregs.aspx.

Question: Does Microsoft Professional Services have an acceptable use policy?
Microsoft Response: Microsoft Professional Services organization has acceptable use policies that govern assets and handling of proprietary information. This is audited under the Professional Services ISO 27001 independent certification (A.18.01.01).

Question: Are Microsoft Professional Services staff allowed to use social media?
Microsoft Response: There is an approved policy restricting the use of social media by personnel. Microsoft Professional Services organization policies prohibit publication of non-public, confidential, proprietary or Support and Consulting Data in social media. Employees are expected to be smart and exercise good judgment in the use of social media.

4. Privacy and Regulatory

4.1. Regulatory Compliance

Question: How does Microsoft Professional Services comply with applicable regulations?
Microsoft Response: Microsoft Professional Services organization maintains a process designed to ensure compliance with security/privacy legislative and regulatory regulations in each applicable jurisdiction. This is audited under the Professional Services ISO 27001 independent certification (A.18.01.01).

Question: How do Microsoft Professional Services personnel keep current with regulatory compliance?
Microsoft Response: Microsoft has dedicated personnel who are designated to have responsibility for keeping current with regulatory compliance. This is audited under the Professional Services ISO 27001 independent certification (A.18.01.01).

Question: Is Microsoft Professional Services responsible for all of customer’s legal requirements, even those that do not address IT?
Microsoft Response: Microsoft Professional Services organization complies with all laws and regulations applicable to its provision of the Services. In the event Microsoft became aware of non-compliance with legal requirements it was required to adhere to, it would notify customers. Microsoft is, however, not responsible for compliance with any laws or regulations applicable to the customer or customer's industry that are not generally applicable to IT services providers. It is up to the customer to determine whether our offering meets their needs. Microsoft cannot provide legal guidance to customers.

Question: Does Microsoft provide legal or regulatory training?
Microsoft Response: A process for legal or regulatory training to customers is not provided. Microsoft cannot provide legal guidance to third parties.

Question: Is there a process to provide customers with information related to pending, or recent legal complaints, Attorney General, or other government inquiries?
Microsoft Response: Microsoft will report to customers any legal actions that specifically impact that customer, to the extent allowed by law. However, legal matters in other Microsoft businesses, or that impact other customers, are not relevant to this relationship, and no process is provided to report every legal matter.

4.2. Privacy

Question: Are regular privacy risk assessments conducted?
Microsoft Response: Microsoft Professional Services organization maintains a process for assessing any new offers or key business processes that involve usage of Support and Consulting Data. This is audited under the Professional Services ISO 27001 independent certification (A.18.01.01).

Question: Is there a data classification and protection policy that identifies the data types that require oversight and governance?
Microsoft Response: Microsoft Professional Services organization policies include data classification and protection. More information can be found in the Professional Services Compliance Framework document.

Question: Is there a process in place to report, track and communicate all legal, privacy or data protection complaints received regarding your products/services?
Microsoft Response: Microsoft Professional Services organization responds to customer complaints as a critical business responsibility. This is audited under the Professional Services ISO 27001 independent certification (A.18.01.01). In addition to product support, Microsoft’s Privacy Team provides a Microsoft-wide function to handle complaint processes and procedures to report, track and communicate complaints received about Microsoft’s products and services.

Question: Does Microsoft prohibit the use of national identification numbers, Social Security numbers, or any other local equivalents as identified by privacy laws to identify computer system users?
Microsoft Response: Microsoft Professional Services organization identifies computer system users by an alias that is not derived from national identification numbers or other local equivalents as identified by privacy laws.

4.3. Incident Response and Management

Question: How does Microsoft Professional Services manage security incidents?
Microsoft Response: Microsoft Professional Services organization has an established incident response program with procedures that have designated roles and responsibilities within security, operations and support partner teams for the detection, escalation and response of information security incidents. This is audited under the Professional Services ISO 27001 independent certification (A.16.01.01).

Question: Are violations reported and addressed per incident management procedures?
Microsoft Response: Data Protection violations are reported and addressed per the incident management program. This is audited under the Professional Services ISO 27001 independent certification (A.16.01.02).

Question: Is a process for handling data protection incidents outside of normal business hours (e.g. in an emergency) in place?
Microsoft Response: We provide support using a shared services model to provide 24/7 support. This is audited under the Professional Services ISO 27001 independent certification (A.16.01.02).

Question: Are customers provided details of incidents in a timely manner?
Microsoft Response: The incident management program details the response to an incident, including the notification of personnel in a manner that is appropriate and timely. This is audited under the Professional Services ISO 27001 independent certification (A.16.01.05).

5. Personnel

5.1. Human Resources

Question: Are background checks performed on employees and subcontractor personnel?
Microsoft Response: Background checks are performed for personnel in the United States or for access to certain critical systems. The specific background checks may vary by duty or jurisdiction. This is audited under the Professional Services ISO 27001 independent certification (A.07.01.01).

Question: Do employees and subcontractors who have access to customers’ systems and information sign a non-disclosure or confidentiality agreement?
Microsoft Response: Microsoft Professional Services organization requires employees and contractors to sign agreements that include non-disclosure provisions and asset protection responsibilities, upon hire and annually thereafter. In addition, employees must acknowledge Microsoft’s Employee Handbook, which describes the responsibilities and expected behavior regarding information and information system usage, on an annual basis. This is audited under the Professional Services ISO 27001 independent certification (A.07.01.02).

Question: Is there a disciplinary process for non-compliance with information security policies?
Microsoft Response: There is a disciplinary process for personnel that intentionally violate the information security policies. This is audited under the Professional Services ISO 27001 independent certification (A.07.02.03).

Question: Is there a constituent termination or change of status process?
Microsoft Response: Microsoft Professional Services standards address requirements for access management lifecycle including access provisioning, authentication, access authorization, removal of access rights and periodic access reviews. This is audited under the Professional Services ISO 27001 independent certification (A.07.03.01).

5.2. Supplier Relationship

Question: Are all subsidiaries, affiliates, suppliers, subcontractors and other entities with access to Support and Consulting Data required to adhere to data protection policies?
Microsoft Response: Microsoft Professional Services organization policies apply to all entities including parent company, subsidiary, affiliates, suppliers and others with access to Support and Consulting Data. This policy is informed by ISO 27001 and industry best practices.

Question: Are part-time, contract, temporary and offshore personnel required to comply with organization’s policies?
Microsoft Response: Microsoft Professional Services organization contract, part-time, temporary and offshore personnel are required to adhere to the data protection program and its requirements, through contractual obligations. Personnel perform duties via standard processes and when possible, policies are enforced technically through a common toolset. This is audited under the Professional Services ISO 27001 independent certification (A.15.01.02).

5.3. Training

Question: Are new and existing employees trained in data protection and privacy awareness?
Microsoft Response: Microsoft Professional Services organization personnel take part in a data protection training program that includes privacy awareness, as well as being recipients of periodic awareness updates when applicable. Data Protection education is an ongoing process conducted regularly that includes online role-based training at least annually. This is audited under the Professional Services ISO 27001 independent certification (A.07.02.02).

Question: Is there an information security awareness program that communicates information security policy to all employees, contractors and Service Providers?
Microsoft Response: Microsoft Professional Services organization’s Information Security Policy is published on an internal site that is available to all personnel; all employees receive annual Information Security Awareness Training.

Microsoft Professional Services organization personnel take part in a data protection training program customized as appropriate to the services being provided and the role they perform. All personnel are also recipients of periodic security awareness updates when applicable. This training program includes discussion of the information security program and where to find program documentation such as the Information Security Policy. Security education is an ongoing process and is conducted regularly to minimize risks, but at a minimum on an annual basis.

This is audited under the Professional Services ISO 27001 independent certification (A.07.02.02).

In the Premier Data Protection Amendment, see section TOMs III. Domain:
Human Resources Security.

6. Business Continuity

6.1. Business Continuity Management

Question: Is there a documented policy for business continuity and disaster recovery that has been approved by management?
Microsoft Response: Microsoft Professional Services organization maintains a mature business continuity management program which has a designated owner, is documented, approved by management, and communicated to appropriate constituents.

Business Continuity plans to recover from minor incidents (for example, localized disruptions of business components) to major disruptions (for example, fire, natural disasters, pandemics, extended power failures, equipment, and/or telecommunications failure) are regularly updated and exercised.

Microsoft Professional Services business continuity plans align with Microsoft’s Enterprise Business Continuity Management approved program and policy to support continuous delivery of essential business services.

This is audited under the Professional Services ISO 27001 independent certification (A.17.01.02).

Question: Does the business continuity and disaster recovery plan contain an annual schedule of required tests?
Microsoft Response: Critical infrastructure components are regularly tested to establish and validate recovery capability per Enterprise guidelines and requirements. Full scale and functional Business Continuity exercises are conducted in the production environment to review the recovery capability of key business processes. This is audited under the Professional Services ISO 27001 independent certification (A.17.01.03).

Question: Is there a single point of contact on business resiliency issues?
Microsoft Response: Each customer has a designated point of contact through the Technical Account Management role, which can coordinate and provide information on business resiliency issues.

Question: Does Microsoft have insurance coverage for business interruptions or general services interruptions?
Microsoft Response: Microsoft Professional Services has the financial capability to cover business interruptions or general services interruption.

Question: Are business continuity plans reviewed on a regular basis?
Microsoft Response: Business Continuity plans to recover from minor incidents (for example, localized disruptions of business components) to major disruptions (for example, fire, natural disasters, pandemics, extended power failures, equipment, and/or telecommunications failure) are regularly updated and exercised.

Question: Do Microsoft Professional Services business continuity plans align with Microsoft’s business continuity plans?
Microsoft Response: Microsoft Professional Services business continuity plans align with Microsoft’s Enterprise Business Continuity Management approved program and policy to support continuous delivery of essential business services.
