Microsoft General - Professional Services - Responses To Requests For Information
Contents
1. Introduction
1.1. Overview
2. Information Security
2.1. Information Security Policy
2.2. Organization of Information Security
2.3. Access Control
2.4. Physical and Operational Security
2.5. System Development
2.6. Security Risk Management
3. Governance, Risk and Compliance
3.1. Asset Management
3.2. Change Control
3.3. Business Practices
4. Privacy and Regulatory
4.1. Regulatory Compliance
4.2. Privacy
4.3. Incident Response and Management
5. Personnel
5.1. Human Resources
5.2. Supplier Relationship
5.3. Training
6. Business Continuity
6.1. Business Continuity Management
Effective: March 18, 2019
©2019 Microsoft Corporation - Microsoft Confidential. All rights reserved. This document is provided "as-is." Information
and views expressed in this document, including URL and other Internet Web site references, may change without notice.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. This
document is confidential and proprietary to Microsoft. It is disclosed and can be used only pursuant to a non-disclosure
agreement.
1. Introduction
1.1. Overview
Microsoft Professional Services includes a diverse group of technical architects, engineers, consultants, and
support professionals dedicated to delivering on Microsoft's mission of empowering customers to do more
and achieve more.
You may find out more about Microsoft Professional Services at https://aka.ms/mprofserv and by going to the
Microsoft Professional Services section on the Microsoft Trust Center, https://aka.ms/mpstrust.
This Standard Response to Requests for Information provides responses to customer questions about Microsoft
Consulting Services, Unified Support, and Premier Support for Commercial On Premises, Azure, Dynamics 365,
Intune, and for Office 365 Medium Business and Enterprise customers, as covered under the Microsoft Professional
Services Data Protection Addendum (MPSDPA). The definitions included in this document are the same as within
the MPSDPA.
2. Information Security
Are the roles and responsibilities defined and documented in the information security policy?
Security roles and responsibilities are defined and documented in accordance with policy as needed. This is audited under the Professional Services ISO 27001 independent certification (A.06.01.01).

How often is access reviewed for non-permanent personnel?
Where Microsoft Professional Services organization user accounts are assigned to non-permanent personnel (e.g., contractors, consultants), the accounts and VPN access are reviewed for appropriate access rights and inactivity at least every six months. This policy is informed by ISO 27001, industry best practices, and other regulatory guidelines.

Can a user account be shared?
Microsoft password management policy requires that each user account is assigned to a specific person and not shared.

Is there a dedicated staff or individual responsible for physical security?
The security of Microsoft facilities and physical access are assigned to roles and ultimately to individual personnel. This is audited under the Professional Services ISO 27001 independent certification (A.11.01.01).

Does SDL provide a thorough review of security concerns throughout the production life cycle?
SDL may include design requirements, analysis of attack surface, and threat modeling. SDL helps Microsoft predict, identify, and mitigate vulnerabilities and threats from before a service is launched through its entire production life cycle.

How current is SDL?
Microsoft continuously updates the SDL using the latest data and best practices to help ensure that systems and software associated with Microsoft Professional Services have had vulnerabilities addressed.

How is the annual risk assessment managed?
Microsoft Professional Services organization performs an annual risk assessment through a program that has been approved by management, communicated to appropriate constituents, and has an owner with the responsibility of maintaining and reviewing the program.

What does the annual risk assessment cover?
Microsoft performs an annual risk assessment that covers security, continuity, and operational risks. As part of this process, threats to security are identified and the risk from these threats is formally assessed.
3. Governance, Risk and Compliance

Are there policies and procedures regarding the installation or use of unauthorized, unlicensed, and unsupported hardware and software?
Microsoft has policies and procedures governing the installation or use of unauthorized, unlicensed, and unsupported hardware and software. Unsupported hardware cannot join Microsoft's domain and cannot be used. Non-Microsoft software licenses are tracked through standard procurement processes. This is audited under the Professional Services ISO 27001 independent certification (A.08.02.03).
Microsoft Professional Services organization prohibits the use of portable media and devices in the data center and during routine operations.

Does Microsoft Professional Services have an acceptable use policy?
Microsoft Professional Services organization has acceptable use policies that govern assets and handling of proprietary information.

How does Microsoft Professional Services comply with applicable regulations?
Microsoft Professional Services organization maintains a process designed to ensure compliance with security and privacy legislation and regulations in each applicable jurisdiction. This is audited under the Professional Services ISO 27001 independent certification (A.18.01.01).

Does Microsoft provide legal or regulatory training?
A process for legal or regulatory training to customers is not provided. Microsoft cannot provide legal guidance to third parties.

Is there a process to provide customers with information related to pending or recent legal complaints, Attorney General, or other government inquiries?
Microsoft will report to customers any legal actions that specifically impact that customer, to the extent allowed by law. However, legal matters in other Microsoft businesses, or that impact other customers, are not relevant to this relationship, and no process is provided to report every legal matter.
4.2. Privacy
Is there a data classification and protection policy that identifies the data types that require oversight and governance?
Microsoft Professional Services organization policies include data classification and protection. More information can be found in the Professional Services Compliance Framework document.

Are violations reported and addressed per incident management procedures?
Data Protection violations are reported and addressed per the incident management program. This is audited under the Professional Services ISO 27001 independent certification (A.16.01.02).

Is a process for handling data protection incidents outside of normal business hours (e.g. in an emergency) in place?
We provide support using a shared services model to provide 24/7 support. This is audited under the Professional Services ISO 27001 independent certification (A.16.01.02).
5. Personnel
Are all subsidiaries, affiliates, suppliers, subcontractors and other entities with access to Support and Consulting Data required to adhere to data protection policies?
Microsoft Professional Services organization policies apply to all entities including parent company, subsidiary, affiliates, suppliers and others with access to Support and Consulting Data. This policy is informed by ISO 27001 and industry best practices.

Are part-time, contract, temporary and offshore personnel required to comply with the organization's policies?
Microsoft Professional Services organization contract, part-time, temporary and offshore personnel are required to adhere to the data protection program and its requirements, through contractual obligations. Personnel perform duties via standard processes and, when possible, policies are enforced technically through a common toolset. This is audited under the Professional Services ISO 27001 independent certification (A.15.01.02).
5.3. Training
In the Premier Data Protection Amendment, see section TOMs III. Domain:
Human Resources Security.
6. Business Continuity
Is there a documented policy for business continuity and disaster recovery that has been approved by management?
Business Continuity plans to recover from minor incidents (for example, localized disruptions of business components) to major disruptions (for example, fire, natural disasters, pandemics, extended power failures, equipment, and/or telecommunications failure) are regularly updated and exercised.

Is there a single point of contact on business resiliency issues?
Each customer has a designated point of contact through the Technical Account Management role, which can coordinate and provide information on business resiliency issues.

Does Microsoft have insurance coverage for business interruptions or general services interruptions?
Microsoft Professional Services has the financial capability to cover business interruptions or general services interruption.

Are business continuity plans reviewed on a regular basis?
Business Continuity plans to recover from minor incidents (for example, localized disruptions of business components) to major disruptions (for example, fire, natural disasters, pandemics, extended power failures, equipment, and/or telecommunications failure) are regularly updated and exercised.

Do Microsoft Professional Services business continuity plans align with Microsoft's business continuity plans?
Microsoft Professional Services business continuity plans align with Microsoft's Enterprise Business Continuity Management approved program and policy to support continuous delivery of essential business services.