Foresight Consulting, GPO Box 116, Canberra ACT 2601, AUSTRALIA  |  e info@foresightconsulting.com

Mr. James Kavanagh
Chief Security Advisor
Microsoft Australia
Level 4, 6 National Circuit, Barton, ACT 2600

19 August 2015

Microsoft CRM Online IRAP Assessment Letter of Compliance

Dear Mr. Kavanagh,

This document is to act as a letter of compliance for the Microsoft CRM Online service.

From February through July 2015 Foresight Consulting was engaged to conduct an IRAP assessment of the Microsoft CRM Online service, consistent with the process prescribed in the Australian Government Information Security Manual (ISM) and Protective Security Policy Framework. The assessment was conducted by Peter Baussmann, who is a registered assessor within the Australian Signals Directorate Information Security Registered Assessors Program (IRAP).

Microsoft CRM Online was assessed with regard to ISM controls for unclassified but sensitive information, referred to as UNCLASSIFIED (DLM). Within the ISM, these are identified as UD controls. The scope of assessment was limited to the Microsoft CRM Online service.

Foresight conducted the IRAP assessment in two stages. The first stage determined whether the system architecture (including information security documentation) is based on sound security principles and has addressed all applicable controls from the ISM. The second stage determined whether the controls, as approved by the system owner and reviewed during the first stage, have been implemented and are operating effectively. Validation included onsite inspections, personnel interviews, process demonstrations, configuration reviews and review of existing certification reports and evidence.

Foresight Consulting also reviewed the Australian CRM Online System Security Plan and has prepared a detailed Report of Compliance documenting applicability and compliance with specific controls. A summary of assessment findings is provided in the attached table.

The principal finding of this assessment process is that the applicable Information Security Manual controls are in place and fully effective within Microsoft CRM Online for the processing, storage and transmission of UNCLASSIFIED (DLM) Australian Government data.

If, in the future, a significant change occurs to services within scope of this assessment, Microsoft should advise an IRAP assessor for consideration of reassessment. Microsoft should also review the latest versions of the Australian Government Information Security Manual as they are published for changes to controls applicable to the service.

Regards,

Peter Baussmann, CISSP, CISM, CCSA, PCI-QSA, PCI-P, ASD IRAP Assessor
Principal Security Consultant, Foresight Consulting

Attachment: Summary of Assessment Findings

Section | Control areas | Finding
--- | --- | ---
Information Security Risk Management | Risk Assessment; Security Risk Management Plan | Foresight found the controls in place to be effective for the management of CRM Online information security risks.
Information Security Engagement | Government Engagement; Outsourced General Information Technology Services; Outsourced Cloud Services | Foresight found that Microsoft, as a cloud service provider, has implemented appropriate security measures to protect government information.
Roles and Responsibilities | Chief Information Security Officer; IT Security Advisor; IT Security Managers; IT Security Officers; System Owners | Foresight found that the roles identified met the intent of the roles described within the ISM and that team responsibilities were clearly defined.
Information Security Documentation | Documentation Framework; Information Security Policy | The Information Security Policies in place provide clear policy guidance and are considered to be an effective security control for Dynamics CRM Online.
 | System Security Plan | The Dynamics CRM Online Australia SSP clearly details security controls for the system and is considered to be an effective security documentation control for CRM Online.
 | Standard Operating Procedures | The Microsoft Standard Operating Procedures reviewed addressed a subset of security control areas and are considered sufficient to the intent of the applicable controls within the ISM.
 | Incident Response Plan | The Dynamics CRM Online Incident Management SOP meets the ISM requirements for an Incident Response Plan and is assessed to be an effective security control.
 | Business Continuity and Disaster Recovery Plan | Business continuity and disaster recovery are suitably addressed and CRM Online is considered compliant with the ISM controls relating to availability, business continuity and disaster recovery.
Information Security Monitoring | Vulnerability Management | Microsoft's vulnerability management practices are assessed as effective for the identification, assessment, remediation and ongoing management of vulnerabilities.
 | Change Management | The change management process is considered an effective security control for managing changes to CRM Online.
Cyber Security Incidents | Detecting, Reporting and Managing Cyber Security Incidents | Microsoft's incident management practices are considered compliant with the ISM and an effective security control for detecting, reporting and managing security incidents relating to CRM Online.
Physical Security | Physical Security for Systems | The physical security controls in place meet or exceed ISM requirements for storage of UNCLASSIFIED (DLM) data.
Personnel Security | Information Security Awareness & Training; Authorisations, Security Clearances & Briefings | Review of personnel security measures and interviews with security personnel provided assurance to Foresight that personnel security is managed effectively within the organisation.
Communications Security | Communications Infrastructure | Communications security within assessed data centres is considered effective to meet the intent of the applicable controls within the ISM Communications Security section for the handling of UNCLASSIFIED (DLM) information.
Product Security | Product Selection & Acquisition; Product Installation & Configuration; Product Classifying & Labelling; Product Maintenance & Repairs; Product Sanitisation & Disposal | Microsoft's product security processes, combined with supporting vulnerability management, software and media security processes, are assessed as an effective implementation of the ISM Product Security controls.
Media Security | Media Security | Foresight found effective media security controls are in place for the handling, sanitisation, destruction and disposal of media.
 | Asset Management | Foresight found that asset management is performed effectively within Microsoft, consistent with the requirements for UNCLASSIFIED (DLM) information.
Software Security | Standard Operating Environments | Foresight found that effective SOE security controls are in place that meet the intent of the ISM. Application whitelisting controls are currently being deployed but are not fully in place. Microsoft has developed a work plan to address this finding, whose completion should be assessed at a point in the future. With the completion of this remediation, the SOE controls will be fully effective.
 | Software Patching | Foresight found the security updates and patching processes and controls in place meet the intent of the ISM requirements.
 | Software Development | Foresight found that the approach Microsoft takes to software security, including secure development and deployment, meets or exceeds the security requirements of the ISM.
 | Database Systems | Microsoft database security controls meet the compliance requirements for Database Systems within the ISM.
Access | Identification, Authentication & Authorisation; Identification of users and administrators; Privileged Access | Privileged access to systems is appropriately managed and monitored, with controls assessed as effective with regard to applicable ISM controls.
 | Event Logging and Auditing | Microsoft's collection and management of the CRM Online system and network event logs is an effective mechanism and meets the ISM requirements for event logging and auditing.
Secure Administration | Secure Administration | Foresight found that the security measures put in place for secure administration of the CRM Online environment meet the intent of the ISM Secure Administration requirements.
Network Security | Network Management | The network management and configuration mechanisms are considered effective security controls for the transmission and handling of UNCLASSIFIED (DLM) data.
 | Network Design & Configuration | The intrusion detection mechanisms within CRM Online are considered effective security controls for detecting malicious or unusual activities within a cloud environment and meet the intent of the controls contained within the ISM.
 | Service Continuity for Online Services | The DDoS controls in place are considered operationally effective and meet the service continuity compliance requirements of the ISM.
Cryptography | Cryptographic Security | The cryptographic functions used within CRM Online are considered to be effective security controls.
Cross Domain Security | Cross Domain Security | The firewalling capability implemented within CRM Online is considered effective for the protection of UNCLASSIFIED (DLM) information.
Data Transfers | Data Transfers | The security mechanisms in place for data transfer meet the intent of the ISM and are considered effective security controls for the transfer of UNCLASSIFIED (DLM) information.