Why to use Compliance Manager for assessments and Attack Simulator to educate users.

Today I will be talking about Compliance Manager, and in the next part about Attack Simulator, and why they matter for your organization.

Compliance requirements come from your organization's industry or from your customers' requirements.

Compliance improves your security posture. It helps you define a baseline of security requirements, and it also minimizes the costs of possible breaches and of losing classified internal data.

Microsoft built the Compliance Manager portal, which provides assessment templates based on industry standards and regulations.

The following assessment templates are included by default in these subscriptions.

| License type | Assessment templates (included by default) |
| --- | --- |
| Microsoft 365 or Office 365 A1/E1/F1/G1 | Data Protection Baseline |
| Microsoft 365 or Office 365 A3/E3/F3/G3 | Data Protection Baseline |
| Microsoft 365 or Office 365 A5/E5/G5; Microsoft 365 A5/E5/F5/G5 Compliance; Microsoft 365 A5/E5/F5/G5 eDiscovery and Audit; Microsoft 365 A5/E5/F5/G5 Insider Risk Management; Microsoft 365 A5/E5/F5/G5 Information Protection and Governance | Data Protection Baseline, EU GDPR, NIST 800-53, ISO 27001, Customer Assessments, CMMC Level 1-5 (only available for G5) |

There are also premium templates available for purchase.

Premium templates are available in all subscriptions since a change Microsoft made in 7/2021.

“To meet customers where they are in their compliance journey, we are excited to announce that Compliance Manager premium assessment templates will no longer require a Microsoft 365 E5 or Office 365 E5 license as a prerequisite. This update enables all enterprise customers to assess compliance with the regulations most relevant to them and meet their unique compliance needs. Starting July 1st, 2021, all Enterprise customers, both commercial and government, can purchase premium assessment templates as long as they have any Microsoft 365 or Office 365 subscription.”

So, there are many reasons to use Compliance Manager.

  • Pre-built assessments for common industry and regional standards and regulations, or custom assessments to meet your unique compliance needs.
  • Workflow capabilities to help you efficiently complete your risk assessments through a single tool.
  • Detailed step-by-step guidance on suggested improvement actions to help you comply with the standards and regulations that are most relevant for your organization. For actions that are managed by Microsoft, you’ll see implementation details and audit results.
  • A risk-based compliance score to help you understand your compliance posture by measuring your progress in completing improvement actions.

Compliance Manager Secure Score.

Your initial score is calculated according to the default Data Protection Baseline assessment provided to all organizations. Upon your first visit, Compliance Manager is already collecting signals from your Microsoft 365 solutions. You’ll see at a glance how your organization is performing relative to key data protection standards and regulations, and see suggested improvement actions to take.

You can also add your own assessments from the templates. By default, the Data Protection Baseline assessment is enabled in every tenant.

When you click Add, you create a new assessment from a template.

I will choose the CIS Microsoft 365 Foundations Benchmark, which has two levels.

  • Level 1—Recommended minimum security settings that should be configured on any system and should cause little or no interruption of service or reduced functionality.
  • Level 2—Recommended security settings for highly secure environments and could result in some reduced functionality.

And these are the controls it contains.

| Section | Description | Number of controls |
| --- | --- | --- |
| Account/Authentication policies | Recommendations related to setting the appropriate account and authentication policies. | 8 |
| Application permissions | Recommendations related to the configuration of application permissions within Microsoft 365. | 4 |
| Data management | Recommendations for setting data management policies. | 6 |
| Email security/Exchange Online | Recommendations related to the configuration of Exchange Online and email security. | 13 |
| Auditing policies | Recommendations for setting auditing policies on your Microsoft 365 tenant. | 14 |
| Storage policies | Recommendations for securely configuring storage policies. | 2 |
| Mobile device management | Recommendations for managing devices connecting to Microsoft 365. | 13 |
| Total recommendations | | 60 |

When you start applying the template, you can copy the information from an existing assessment or create a new one.

When the applying process is done, you will see the assessment running in your tenant.

So, let's open one and see what is inside.

On the left you will see the points this action affects in the Compliance and Secure Score. On the right are the instructions on how to implement it and what licenses it requires, so it's a one-stop shop for all the info.

You can set the implementation status manually or let it be discovered automatically when the assessment runs again.

You can see the policies on the same page, and as you would imagine, the CIS template has a lot more actions inside.

Next part of this blog series will cover Attack Simulator usage, what there is now and what will be in the future.

Stay tuned and safe!

Author: Harri Jaakkonen
