MICROSOFT OFFICE 365 SECURITY
Microsoft Office 365 has undergone
extensive auditing and aligns its security and compliance posture with widely
recognized frameworks like NIST SP 800-53, resulting in 695
individual controls across 17 control domains. These controls demonstrate
Microsoft’s robust approach to information security, risk management, and
compliance for its cloud services.
🔐 Summary of the 17 Control Domains in Office 365 Audited Controls

| # | Control Domain | Purpose |
|---|---|---|
| 1 | Access Control (AC) | Enforcing least privilege, controlling logical access to resources. |
| 2 | Awareness and Training (AT) | Ensuring users are aware of security responsibilities. |
| 3 | Audit and Accountability (AU) | Logging, monitoring, and analyzing system activities. |
| 4 | Security Assessment (CA) | Regularly evaluating security controls. |
| 5 | Configuration Management (CM) | Managing secure settings and system configurations. |
| 6 | Contingency Planning (CP) | Disaster recovery and business continuity planning. |
| 7 | Identification and Authentication (IA) | Verifying user and system identities securely. |
| 8 | Incident Response (IR) | Detecting, reporting, and responding to security incidents. |
| 9 | Maintenance (MA) | Secure management and repair of systems. |
| 10 | Media Protection (MP) | Securing data at rest and during transport. |
| 11 | Physical and Environmental Protection (PE) | Protecting facilities and hardware. |
| 12 | Planning (PL) | Security and privacy planning processes. |
| 13 | Personnel Security (PS) | Managing risks related to employees and contractors. |
| 14 | Risk Assessment (RA) | Identifying, evaluating, and mitigating risks. |
| 15 | System and Services Acquisition (SA) | Secure design and acquisition of systems/services. |
| 16 | System and Communications Protection (SC) | Securing data transmission and internal communications. |
| 17 | System and Information Integrity (SI) | Ensuring system operations are accurate and resilient. |
📄 Access to Full List of Controls with Evidence

You can access the full breakdown of these 695 controls and their implementation evidence via:

- Microsoft Service Trust Portal: 🔗 https://servicetrust.microsoft.com
  → Sign in with your organization’s Microsoft 365 account
  → Go to “Compliance Reports” → Select "Office 365 Audited Controls – NIST 800-53"
- Microsoft Compliance Manager in Microsoft Purview:
  → Navigate to compliance.microsoft.com
  → Use pre-built templates (e.g., NIST 800-53, ISO 27001)
  → Review control mappings, implementation status, and upload supporting evidence.
📌 Sample Control Entry (from NIST 800-53 mapped in Office 365)

| Field | Detail |
|---|---|
| Control ID | AC-2 – Account Management |
| Objective | Ensure accounts are created, managed, and deactivated securely. |
| M365 Implementation | Azure AD with lifecycle policies, PIM, user activity logs. |
| Evidence | Audit logs from Azure AD, Conditional Access policy snapshots, PIM configuration screen. |
------------------------------------------------
Access Control (AC) is one of the foundational
control families in cybersecurity and compliance frameworks like NIST SP
800-53. In Microsoft 365, it includes a range of controls and tools designed to
ensure that only authorized users can access specific systems, applications,
and data — and that access is limited to what is necessary.
Here’s a detailed breakdown of Access Control (AC) in
Microsoft 365, including example controls, tools used, and evidence
you can collect for audits or compliance purposes:
🔐 Access Control (AC) in Microsoft 365

| Control ID | Control Title | Microsoft 365 Implementation | Example Evidence |
|---|---|---|---|
| AC-1 | Access Control Policy | Access control rules defined in Azure AD | Documented policies, screenshots from Compliance Manager |
| AC-2 | Account Management | Azure AD User Lifecycle, PIM (Privileged Identity Management) | List of accounts, PIM logs, user role assignment records |
| AC-3 | Access Enforcement | Conditional Access Policies, Azure AD RBAC | Policy definitions, access logs, screenshot of role assignments |
| AC-4 | Information Flow Enforcement | Data sharing policies, DLP and sensitivity labels | DLP policy configurations, test cases, audit logs |
| AC-5 | Separation of Duties | Role-based access control in Azure AD, Intune and M365 roles | Role mappings, permissions reviews, administrative policy documents |
| AC-6 | Least Privilege | Enforced via PIM, limited Admin roles | Admin role configurations, audit of least privilege assignments |
| AC-7 | Unsuccessful Login Attempts | Azure AD Identity Protection, Risky Sign-In Alerts | Alert logs, blocked sign-in reports, login failure reports |
| AC-8 | System Use Notification | Banner messages via Intune or M365 sign-in customization | Screenshots of customized login banners or Acceptable Use Policies (AUP) |
| AC-11 | Session Lock | Configured through Intune device compliance policies | Group policy reports, Intune MDM logs |
| AC-12 | Session Termination | Timeout and idle session controls in SharePoint, Teams, Exchange, Intune | Settings screenshots, session logs |
| AC-17 | Remote Access | VPN, Microsoft Defender for Endpoint, Conditional Access policies | VPN configuration files, CA policy screenshots, audit logs |
| AC-18 | Wireless Access | Managed via Intune for device enrollment and policies | Device compliance reports, MDM configuration screenshots |
| AC-19 | Access Control for Mobile Devices | Managed with Intune, Conditional Access, and App Protection Policies | Mobile policy documents, device access logs, app protection policy screenshots |
| AC-20 | Use of External Systems | Controlled via CA policies and DLP | External sharing policies, access logs, SharePoint/OneDrive guest access audit logs |
| AC-21 | Information Sharing Restrictions | DLP, AIP (Azure Information Protection), sensitivity labels | Label configurations, sharing reports, DLP incident logs |
🛠️ Microsoft 365 Tools That Support Access Control

- Azure Active Directory (AAD)
- Microsoft Intune
- Microsoft Purview (formerly Compliance Center)
- Microsoft Defender for Office 365
- Privileged Identity Management (PIM)
- Microsoft Conditional Access
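The AC-5 and AC-6 rows above list "permissions reviews" and an "audit of least privilege assignments" as evidence. The following is an added example, not code from the original page or from Microsoft: it runs that review over a constructed export of directory role assignments, flagging standing (non-PIM, no-expiry) privileged roles, hypothetical separation-of-duties conflicts, and the number of Global Administrators. The role list, the conflict pairs, the assignment records and the limit of five Global Administrators are all assumptions of this example.

```python
"""Review directory role assignments for AC-5 / AC-6 evidence.

Added example for the Access Control table above; not code from the
original page or from Microsoft. ASSIGNMENTS, PRIVILEGED_ROLES and
SOD_CONFLICTS are constructed, simplified stand-ins for what a real
review would export from Azure AD / PIM and take from the organization's
role policy.
"""
from collections import defaultdict

# Roles treated as privileged for this review (constructed list).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "User Administrator",
    "Security Administrator",
    "Exchange Administrator",
}

# Hypothetical separation-of-duties pairs: one principal must not hold both.
SOD_CONFLICTS = [
    frozenset({"User Administrator", "Privileged Role Administrator"}),
    frozenset({"Exchange Administrator", "Compliance Administrator"}),
]

# Constructed assignment export. "active" = standing role; "eligible" = PIM
# role that must be activated first; end=None means no expiry.
ASSIGNMENTS = [
    {"principal": "alice@example.com", "role": "Global Administrator", "assignment": "eligible", "end": None},
    {"principal": "bob@example.com", "role": "Global Administrator", "assignment": "active", "end": None},
    {"principal": "svc-sync@example.com", "role": "User Administrator", "assignment": "active", "end": None},
    {"principal": "svc-sync@example.com", "role": "Privileged Role Administrator", "assignment": "active", "end": None},
    {"principal": "carol@example.com", "role": "Exchange Administrator", "assignment": "active", "end": "2024-06-30T00:00:00"},
    {"principal": "dave@example.com", "role": "Global Reader", "assignment": "active", "end": None},
]


def standing_privileged(assignments):
    """AC-6: privileged roles held as permanent active assignments (no PIM, no expiry)."""
    return [
        (a["principal"], a["role"])
        for a in assignments
        if a["role"] in PRIVILEGED_ROLES and a["assignment"] == "active" and a["end"] is None
    ]


def roles_by_principal(assignments):
    """Roles each principal can use; eligible roles count because they can be activated."""
    held = defaultdict(set)
    for a in assignments:
        held[a["principal"]].add(a["role"])
    return held


def sod_violations(assignments):
    """AC-5: principals holding both roles of a separation-of-duties pair."""
    found = []
    for principal, roles in roles_by_principal(assignments).items():
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                found.append((principal, tuple(sorted(pair))))
    return found


def global_admin_count(assignments):
    """Distinct principals holding Global Administrator, eligible or active."""
    return len({a["principal"] for a in assignments if a["role"] == "Global Administrator"})


def review(assignments, max_global_admins=5):
    """Findings keyed by control ID, phrased as the note an auditor would record."""
    findings = {"AC-5": [], "AC-6": []}
    for principal, role in standing_privileged(assignments):
        findings["AC-6"].append(
            f"{principal} holds {role} as a permanent active assignment; convert to PIM eligible"
        )
    for principal, pair in sod_violations(assignments):
        findings["AC-5"].append(f"{principal} holds conflicting roles {pair[0]} and {pair[1]}")
    count = global_admin_count(assignments)
    if count > max_global_admins:
        findings["AC-6"].append(f"{count} Global Administrators exceeds the limit of {max_global_admins}")
    return findings


if __name__ == "__main__":
    for control, notes in review(ASSIGNMENTS).items():
        for note in notes:
            print(control, note)
```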
Here's a detailed explanation of the Awareness and
Training (AT) control family, specifically how it's implemented and
evidenced within Microsoft 365 under frameworks like NIST SP 800-53
or ISO 27001.
🎓 Awareness and Training
(AT) in Microsoft 365
The AT control family ensures users are aware of
cybersecurity threats, policies, and their role in maintaining the security of
systems and data. Microsoft 365 supports these controls through a mix of built-in
tools, integrations, and policy settings.
📋 Detailed AT Control Table

| Control ID | Control Title | Microsoft 365 Implementation | Example Evidence |
|---|---|---|---|
| AT-1 | Security Awareness and Training Policy | Organizations define training requirements and policies. M365 provides reporting/audit options. | Documented policy; Compliance Manager training reports; SharePoint-hosted policy doc |
| AT-2 | Security Awareness Training | Integration with LMS (Learning Management System), phishing simulation via Defender ATP | Training completion logs, LMS reports, screenshots of phishing simulation results |
| AT-3 | Role-Based Security Training | Specialized training for admins via Microsoft Learn, Microsoft Security portal, or LMS | Certificates of completion, course enrollments, training records |
| AT-4 | Security Training Records | Maintained in HRMS/LMS or Microsoft Viva Learning integrations | Exported reports from LMS, Viva Learning completion summaries |

🛠️ Tools Used in Microsoft 365 to Support AT Controls

| Tool / Feature | Purpose |
|---|---|
| Microsoft Defender for Office 365 (Attack Simulation) | Run simulated phishing or social engineering campaigns |
| Microsoft Compliance Manager | Maintain evidence of policies and training activities |
| Microsoft Learn / Docs Training Paths | Provide technical training paths for different roles |
| Microsoft Viva Learning (optional) | Centralized access to learning content including compliance & security training |
| SharePoint Online / OneDrive | Host training materials, policies, videos |
| Microsoft Teams | Conduct live training sessions, webinars, or share awareness materials |
| Azure AD Sign-in Pages / Intune Banners | Display login warnings, Acceptable Use Notices |
📁 Evidence Examples for Audit/Compliance

- Security training attendance reports from LMS or Microsoft Viva Learning
- Screenshots of phishing test emails and simulation dashboards
- Uploaded signed policy acknowledgment documents in SharePoint
- Role-based learning certificates (e.g., Microsoft Learn or LinkedIn Learning)
- Audit logs showing policy communication activities in Teams or Outlook

📌 Recommended Best Practices

- Conduct phishing simulations every 3–6 months using Microsoft Defender.
- Publish Acceptable Use Policies (AUP) and security videos via SharePoint or Teams.
- Assign mandatory training for different job roles via Viva Learning or third-party LMS.
- Track and audit completion via Microsoft Compliance Manager or HR systems.
Here is a table format summarizing the Audit and
Accountability (AU) controls in Microsoft 365:
| Control ID | Control Name | Description | Microsoft 365 Implementation | Example Evidence |
|---|---|---|---|---|
| AU-1 | Audit and Accountability Policy | Establishes the organization's audit and accountability policy. | Define logging and audit policies in Microsoft Purview and Azure AD. | Documented policy, Compliance Manager assessment reports |
| AU-2 | Auditable Events | Identifies events that need to be logged for auditing purposes. | Configure Microsoft Purview Audit to track events across Exchange, Teams, etc. | Exported audit logs showing user login attempts, file accesses, admin actions |
| AU-3 | Content of Audit Records | Specifies the information that must be included in audit logs (who, what, when, where). | Logs include user identity, timestamp, source, and action taken (e.g., file access). | Example audit log showing user ID, timestamp, action, source IP |
| AU-4 | Audit Storage Capacity | Ensures sufficient storage for audit logs and records. | Logs stored for up to 1 year by default, 10 years with Advanced Audit (E5). | Storage retention settings, retention policy documentation |
| AU-5 | Response to Audit Processing Failures | Ensures response to audit processing failures (e.g., log collection issues). | Alerts generated if audit log collection fails or logs are tampered with. | Alert logs showing audit processing failures, missed log entries |
| AU-6 | Audit Review, Analysis, and Reporting | Defines procedures for reviewing, analyzing, and reporting audit logs. | Use Microsoft Sentinel for automated log analysis and alerting. | Screenshot of Sentinel alert dashboard, log review report |
| AU-7 | Audit Reduction and Report Generation | Supports the generation of audit reports and log reduction based on filters (event type, timeframe). | Use Microsoft Purview to filter and generate audit logs based on specific criteria. | Filtered audit log showing specific actions or time frames, generated report |
| AU-8 | Time Stamps | Ensures that audit logs are accurately time-stamped and synchronized with UTC. | Logs are time-stamped with UTC (Coordinated Universal Time). | Exported logs showing time stamps in UTC format |
| AU-9 | Protection of Audit Information | Ensures that audit logs are protected from tampering or unauthorized access. | Logs are protected by RBAC and Microsoft Purview access policies. | Role-based access control reports, RBAC policy documentation |
| AU-11 | Audit Record Retention | Specifies how long audit records are retained and when they can be deleted. | Microsoft Purview allows retention policies for audit logs, with longer retention for E5. | Screenshot of retention policy settings, log retention evidence |
| AU-12 | Audit Generation | Defines requirements for the generation of audit logs, including system and application logging. | Microsoft Defender for Office 365 and Microsoft Sentinel automatically generate audit logs for security events. | Logs generated by Defender, system alerts in Sentinel |
This table summarizes key controls under Audit and Accountability (AU) and their implementation in Microsoft 365.
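The AU-3, AU-7 and AU-8 rows above describe what an exported audit record must carry (who, what, when, where), how logs are reduced into a filtered report, and that time stamps are UTC. The following is an added example, not code from the original page or from Microsoft: it parses a constructed CSV shaped like a Search-UnifiedAuditLog export, checks each record for the required fields, normalizes times to UTC for a time-window filter, and counts failed sign-ins per user as AC-7 / IA-8 evidence. The sample rows, the threshold of three failures, and the assumption that exported CreationTime values are UTC without a zone suffix are mine.

```python
"""Reduce and sanity-check a Microsoft 365 unified audit log export.

Added example for the AU rows above (AU-3 record content, AU-7 reduction
and reporting, AU-8 UTC time stamps); not code from the original page or
from Microsoft. SAMPLE_EXPORT is constructed, shaped like a CSV export of
Search-UnifiedAuditLog: one row per event, event detail in the AuditData
JSON column. Assumption: exported CreationTime values are UTC with no
zone suffix, so naive times are treated as UTC.
"""
import csv
import io
import json
from collections import Counter
from datetime import datetime, timezone

# AU-3: every record must say who, what, when and from where.
REQUIRED_FIELDS = ("UserId", "Operation", "CreationTime", "ClientIP")

# Constructed sample export; the last row lacks ClientIP on purpose.
SAMPLE_EXPORT = '''CreationDate,UserIds,Operations,AuditData
2024-05-01T08:00:12,alice@example.com,UserLoggedIn,"{""CreationTime"":""2024-05-01T08:00:12"",""Operation"":""UserLoggedIn"",""UserId"":""alice@example.com"",""ClientIP"":""203.0.113.10"",""Workload"":""AzureActiveDirectory"",""ResultStatus"":""Success""}"
2024-05-01T08:05:40,bob@example.com,UserLoginFailed,"{""CreationTime"":""2024-05-01T08:05:40"",""Operation"":""UserLoginFailed"",""UserId"":""bob@example.com"",""ClientIP"":""198.51.100.7"",""Workload"":""AzureActiveDirectory"",""ResultStatus"":""Failed""}"
2024-05-01T08:06:02,bob@example.com,UserLoginFailed,"{""CreationTime"":""2024-05-01T08:06:02"",""Operation"":""UserLoginFailed"",""UserId"":""bob@example.com"",""ClientIP"":""198.51.100.7"",""Workload"":""AzureActiveDirectory"",""ResultStatus"":""Failed""}"
2024-05-01T08:06:30,bob@example.com,UserLoginFailed,"{""CreationTime"":""2024-05-01T08:06:30"",""Operation"":""UserLoginFailed"",""UserId"":""bob@example.com"",""ClientIP"":""198.51.100.7"",""Workload"":""AzureActiveDirectory"",""ResultStatus"":""Failed""}"
2024-05-01T09:15:00,alice@example.com,FileAccessed,"{""CreationTime"":""2024-05-01T09:15:00"",""Operation"":""FileAccessed"",""UserId"":""alice@example.com"",""ClientIP"":""203.0.113.10"",""Workload"":""SharePoint"",""ObjectId"":""sites/finance/budget.xlsx"",""ResultStatus"":""Success""}"
2024-05-01T23:59:59,carol@example.com,UserLoggedIn,"{""CreationTime"":""2024-05-01T23:59:59"",""Operation"":""UserLoggedIn"",""UserId"":""carol@example.com"",""Workload"":""AzureActiveDirectory"",""ResultStatus"":""Success""}"
'''


def parse_export(csv_text):
    """Return one dict per event: the AuditData JSON, with CreationDate as a fallback time."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rec = json.loads(row["AuditData"])
        rec.setdefault("CreationTime", row["CreationDate"])
        records.append(rec)
    return records


def to_utc(ts):
    """AU-8: parse an ISO-8601 time; naive values are assumed UTC, offsets are converted."""
    when = datetime.fromisoformat(ts)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)


def missing_fields(rec):
    """AU-3: names of required who/what/when/where fields that are absent or empty."""
    return [field for field in REQUIRED_FIELDS if not rec.get(field)]


def reduce_records(records, operations=None, start=None, end=None):
    """AU-7: keep records whose Operation is in `operations` and whose time lies in [start, end)."""
    lo = to_utc(start) if start else None
    hi = to_utc(end) if end else None
    kept = []
    for rec in records:
        if operations and rec.get("Operation") not in operations:
            continue
        when = to_utc(rec["CreationTime"])
        if (lo and when < lo) or (hi and when >= hi):
            continue
        kept.append(rec)
    return kept


def failed_logins_by_user(records, threshold=3):
    """AC-7 / IA-8 evidence: users with at least `threshold` UserLoginFailed events."""
    counts = Counter(
        rec.get("UserId", "<unknown>") for rec in records if rec.get("Operation") == "UserLoginFailed"
    )
    return {user: n for user, n in counts.items() if n >= threshold}


def audit_report(csv_text):
    """Summary an auditor can file: volume per operation, incomplete records, lockout candidates."""
    records = parse_export(csv_text)
    return {
        "total": len(records),
        "by_operation": dict(Counter(rec.get("Operation") for rec in records)),
        "incomplete": [(rec.get("UserId"), missing_fields(rec)) for rec in records if missing_fields(rec)],
        "lockout_candidates": failed_logins_by_user(records),
    }


if __name__ == "__main__":
    print(json.dumps(audit_report(SAMPLE_EXPORT), indent=2))
```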
Here is a table summarizing the Security Assessment (CA)
controls with their descriptions and how they can be implemented in Microsoft
365:
| Control ID | Control Name | Description | Microsoft 365 Implementation | Example Evidence |
|---|---|---|---|---|
| CA-1 | Security Assessment and Authorization Policy and Procedures | Establishes the organization's policy and procedures for conducting security assessments and authorizations. | Define assessment processes using Compliance Manager and Azure AD to monitor security controls. | Documented security assessment policy, Compliance Manager reports |
| CA-2 | Security Assessments | Conducts regular security assessments to evaluate the effectiveness of security controls. | Use Microsoft Defender and Microsoft Sentinel for continuous monitoring and assessment of security risks. | Security assessment reports from Defender, findings from vulnerability scans |
| CA-3 | System Interconnections | Ensures that interconnections between systems are secure and that their security posture is assessed. | Use Azure AD to secure integrations between systems, third-party apps, and cloud services. Conduct assessments using Sentinel. | Diagrams showing secure system interconnections, Sentinel security reports |
| CA-5 | Plan of Action and Milestones (POA&M) | Develops a plan of action to address weaknesses found during assessments and defines milestones for remediation. | Use Compliance Manager to track POA&M, ensuring identified security gaps are addressed with deadlines. | POA&M document in Compliance Manager, progress reports on remediation actions |
| CA-6 | Security Assessments and Continuous Monitoring | Ensures that security assessments are ongoing and continuous monitoring is conducted. | Use Microsoft Defender, Sentinel, and Azure Security Center for continuous monitoring and security assessments. | Continuous monitoring dashboards, real-time alerts from Defender and Sentinel |
| CA-7 | Independent Security Assessments | Ensures that independent third-party security assessments are conducted periodically. | Third-party penetration testing, external security audits, and risk assessments. | External security assessment reports, audit results from independent testers |
| CA-8 | Security Testing and Evaluation | Conducts security testing to evaluate the effectiveness and resilience of security controls. | Use Microsoft Defender for Identity, Azure AD, and Sentinel for security testing such as vulnerability scans, penetration tests, and attack simulations. | Penetration testing reports, security evaluation results from Defender |
| CA-9 | Test Results and Documentation | Maintains documentation of security test results, including vulnerability scans, penetration tests, and audits. | Store test results in Microsoft Purview and use Compliance Manager for documenting security test findings. | Test reports and findings documented in Purview, Compliance Manager audit logs |
| CA-10 | Security Authorization and Continuous Monitoring | Ensures that authorization decisions are based on comprehensive security risk assessments and continuous monitoring. | Use Microsoft Sentinel and Compliance Manager to assess security risk and monitor the authorization processes. | Authorization documentation, continuous monitoring reports from Sentinel |
This table summarizes key controls under Security
Assessment (CA) with their respective descriptions, implementation in Microsoft
365, and example evidence.
Here is a table summarizing the Configuration Management
(CM) controls with their descriptions and how they can be implemented in Microsoft
365:
| Control ID | Control Name | Description | Microsoft 365 Implementation | Example Evidence |
|---|---|---|---|---|
| CM-1 | Configuration Management Policy and Procedures | Establishes the organization's policy and procedures for managing configurations of IT systems and software. | Use Microsoft Compliance Manager to define configuration management policies for Microsoft 365 services. | Documented configuration management policy, Compliance Manager reports |
| CM-2 | Baseline Configuration | Establishes a baseline configuration for IT systems to ensure they are secure and meet organizational requirements. | Define baseline configurations using Microsoft Endpoint Manager (Intune) for device management and Azure AD for identity and access. | Baseline configuration settings, Endpoint Manager configuration documentation |
| CM-3 | Configuration Change Control | Ensures that changes to configuration settings are controlled and documented. | Use Azure DevOps for managing configuration changes to cloud resources, Endpoint Manager for devices. | Change request logs, approval workflows, change logs from Azure DevOps |
| CM-4 | Security Configuration | Ensures that security configurations are implemented and maintained for all systems. | Use Microsoft Defender to enforce security configurations and compliance settings across Microsoft 365 services. | Security configuration reports, Defender compliance reports |
| CM-5 | Configuration Monitoring | Monitors the configuration of IT systems to detect unauthorized or unintended changes. | Implement monitoring with Microsoft Sentinel to detect configuration drift and unauthorized changes across Microsoft 365 environments. | Alert logs from Sentinel, configuration change detection results |
| CM-6 | Automated Configuration Management | Automates the configuration management process to ensure consistency and efficiency. | Leverage Microsoft Endpoint Manager (Intune) for automated device configuration, and Azure Automation for managing cloud resource configurations. | Automation scripts in Azure Automation, configuration logs in Intune |
| CM-7 | Configuration Review and Audit | Regularly reviews and audits configurations to ensure compliance and security. | Conduct periodic reviews using Compliance Manager and Microsoft Defender to audit configurations for compliance with security policies. | Audit logs from Compliance Manager, review findings from Defender |
| CM-8 | Configuration Deviation Management | Identifies and manages deviations from the established configuration baseline. | Use Microsoft Sentinel to track and manage configuration deviations in Microsoft 365 services. | Deviation reports, corrective action logs from Sentinel |
| CM-9 | Configuration Documentation | Maintains comprehensive documentation of configuration settings and changes for accountability. | Document configuration settings and changes in Microsoft Purview for audit and compliance purposes. | Configuration documentation in Purview, change history logs |
This table provides an overview of the Configuration
Management (CM) controls, how they can be implemented in Microsoft 365,
and the types of evidence that can be generated for each control.
Here is a table summarizing the Contingency Planning (CP)
controls with their descriptions and how they can be implemented in Microsoft
365:
| Control ID | Control Name | Description | Microsoft 365 Implementation | Example Evidence |
|---|---|---|---|---|
| CP-1 | Contingency Planning Policy and Procedures | Establishes the organization's policies and procedures for contingency planning. | Use Microsoft Compliance Manager to define contingency planning policies and procedures. | Documented contingency planning policies, Compliance Manager assessment reports |
| CP-2 | Contingency Plan | Develops and maintains a contingency plan for ensuring the availability and recovery of IT systems. | Use Azure Backup and Microsoft 365 Backup for developing and managing data recovery plans. | Contingency plan document, Azure Backup configuration for data recovery |
| CP-3 | Contingency Plan Testing | Ensures that contingency plans are tested regularly to validate their effectiveness. | Schedule and automate disaster recovery drills using Azure Automation and Microsoft Defender. | Test logs, disaster recovery drill results, Azure Automation scripts |
| CP-4 | Contingency Plan Maintenance | Ensures that the contingency plan is updated regularly to reflect changes in the IT environment. | Use Compliance Manager to track changes in infrastructure and ensure contingency plans are updated accordingly. | Updated contingency plan documents, change tracking in Compliance Manager |
| CP-5 | Alternate Processing Site | Identifies and ensures the availability of alternate sites for IT systems and operations in case of disaster. | Utilize Azure Site Recovery for creating and maintaining alternate processing sites in the cloud. | Azure Site Recovery configuration reports, alternate site availability documentation |
| CP-6 | Backup and Restoration | Ensures that data is regularly backed up and can be restored in case of system failure or disaster. | Use OneDrive for Business, SharePoint, and Azure Backup for data backup and restoration processes. | Backup logs from Azure Backup, OneDrive and SharePoint restore tests |
| CP-7 | Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) | Defines RTO and RPO to ensure that recovery efforts are aligned with business continuity needs. | Set RTO and RPO for critical systems within Microsoft 365, such as email and document storage. | Documented RTO/RPO definitions, performance metrics during recovery tests |
| CP-8 | Incident Response | Ensures that the organization has an effective response plan for incidents that affect system availability. | Use Microsoft Sentinel for security incident management and monitoring during contingency events. | Incident response logs from Sentinel, incident response playbooks |
| CP-9 | Contingency Plan Testing and Training | Ensures that staff are trained on contingency procedures and that testing occurs at regular intervals. | Use Microsoft Teams and Planner to schedule training sessions and communicate contingency procedures. | Training attendance records, contingency training session reports |
| CP-10 | Contingency Plan Implementation | Ensures that contingency plans are effectively implemented during a disaster or major incident. | Use Azure Site Recovery and Microsoft 365 Backup to implement disaster recovery processes. | Recovery logs from Azure Site Recovery, restoration verification tests |
This table provides an overview of Contingency Planning
(CP) controls, their descriptions, how they can be implemented within Microsoft
365, and the types of evidence that demonstrate compliance with each
control.
-------------------------------------------------------------------------------
Here is a table summarizing the Identification and
Authentication (IA) controls with their descriptions and how they can be
implemented in Microsoft 365:
| Control ID | Control Name | Description | Microsoft 365 Implementation | Example Evidence |
|---|---|---|---|---|
| IA-1 | Identification and Authentication Policy and Procedures | Establishes the policies and procedures for identifying and authenticating users to systems and services. | Define and document policies in Azure AD for user authentication methods and access controls. | Documented policies and procedures in Azure AD portal. |
| IA-2 | User Identification and Authentication | Ensures that users are uniquely identified and authenticated before they can access information systems. | Implement Azure AD for unique user identification and enable Multi-Factor Authentication (MFA). | User login logs, MFA activation logs in Azure AD. |
| IA-3 | Device Identification and Authentication | Ensures that devices are properly authenticated before they can access systems. | Use Microsoft Intune to manage device authentication, ensuring that only compliant devices can access resources. | Device enrollment logs in Intune, device compliance status in Azure AD. |
| IA-4 | Information System Use Notification | Ensures that users are notified when they are using systems and that usage is monitored for security purposes. | Display information system use notifications through Azure AD Conditional Access policies or login banners. | Screenshots of user notifications or banners in Azure AD. |
| IA-5 | Authenticator Management | Manages the lifecycle of authenticators such as passwords, tokens, and biometrics used for authentication. | Use Azure AD for managing password policies, token-based authentication, and biometric settings (Windows Hello). | Password policy configurations in Azure AD, MFA configuration in Azure AD. |
| IA-6 | Access Control for Remote Access | Ensures that remote users are authenticated before accessing information systems. | Configure Azure AD Conditional Access to enforce secure remote access policies based on location, device compliance, etc. | Logs of remote access policies in Azure AD Conditional Access. |
| IA-7 | Multifactor Authentication (MFA) | Requires users to authenticate using two or more factors (e.g., something they know, something they have). | Implement Azure MFA to require multiple factors for login, protecting sensitive systems and data. | Azure MFA logs, successful and failed MFA attempts in Azure AD. |
| IA-8 | Account Lockout | Locks accounts after a specified number of failed authentication attempts to prevent brute-force attacks. | Use Azure AD to configure lockout policies after a set number of failed login attempts. | Account lockout logs in Azure AD. |
| IA-9 | User Account Management | Ensures proper management of user accounts, including account creation, modification, and termination. | Manage user accounts through Azure AD, including lifecycle management for creation, modification, and deletion. | Logs of user account creation, updates, and deletions in Azure AD. |
| IA-10 | Authentication Session Management | Ensures proper management of authentication sessions, including session expiration and re-authentication. | Use Azure AD session policies to enforce session timeouts and conditions for re-authentication. | Session management logs in Azure AD, session expiration configurations. |
This table provides an overview of Identification and
Authentication (IA) controls, how they can be implemented in Microsoft
365, and includes example evidence for each control.
-------------------------------
Here is a detailed table summarizing the Incident
Response (IR) controls with their descriptions, how they can be implemented
in Microsoft 365, and example evidence:
| Control ID | Control Name | Description | Microsoft 365 Implementation | Example Evidence |
|---|---|---|---|---|
| IR-1 | Incident Response Policy and Procedures | Establishes organizational policies and procedures for responding to information security incidents. | Define and store policies in Microsoft Purview or Compliance Manager. | Documented IR policies, review logs in Compliance Manager. |
| IR-2 | Incident Response Training | Provides training to staff on how to detect and respond to security incidents. | Conduct training via Microsoft Teams, track participation using Microsoft Forms/Planner. | Training logs, attendance reports, training materials in Teams/SharePoint. |
| IR-3 | Incident Response Testing | Tests incident response capabilities to ensure effectiveness and team readiness. | Simulate incidents using Microsoft Defender and evaluate response readiness. | Incident drill logs, test case results, Defender incident reports. |
| IR-4 | Incident Handling | Ensures effective incident response through detection, containment, eradication, and recovery. | Use Microsoft Defender XDR and Sentinel for real-time incident detection and automated response. | Incident timelines, remediation actions, Defender/Sentinel incident logs. |
| IR-5 | Incident Monitoring | Monitors systems and networks for signs of incidents. | Monitor using Microsoft Sentinel and Defender for Endpoint, Defender for Cloud Apps. | Alert logs, dashboards showing incident trends, SIEM data in Sentinel. |
| IR-6 | Incident Reporting | Enables timely and consistent reporting of security incidents. | Create automated workflows in Microsoft Power Automate for alert-based reporting to security teams. | Notification logs, email alerts, Power Automate flow records. |
| IR-7 | Incident Response Assistance | Provides users and IT teams with guidance and tools to respond to incidents. | Centralize guidance documents in SharePoint; use Microsoft Teams for real-time collaboration. | Guidance documents, Teams chat logs, usage metrics. |
| IR-8 | Incident Response Plan Update | Ensures that the incident response plan is regularly updated based on lessons learned. | Track updates through Compliance Manager and version control with SharePoint or Purview. | Change logs, plan version history, post-incident review summaries. |
| IR-9 | Post-Incident Analysis | Conducts a root cause analysis and captures lessons learned after an incident. | Document RCA and lessons learned in Microsoft Forms or Planner, store in SharePoint. | Post-incident reports, meeting minutes, remediation task assignments. |
| IR-10 | Coordination with External Parties | Coordinates incident handling with external stakeholders such as regulators and vendors. | Use Microsoft Teams for communication, store compliance responses in Purview or Compliance Center. | Communication logs, regulator response documentation, vendor notification records. |
This table aligns with NIST SP 800-53 IR controls and shows
how to operationalize them in Microsoft 365 environments with practical
evidence.
Here is a detailed table for Maintenance (MA) controls
in the context of cybersecurity and how they can be implemented in Microsoft
365, along with example evidence:
| Control ID | Control Name | Description | Microsoft 365 Implementation | Example Evidence |
|---|---|---|---|---|
| MA-1 | System Maintenance Policy and Procedures | Establishes policies and procedures for performing maintenance on information systems. | Define and store maintenance policies in Microsoft Purview or Compliance Manager. | Policy documents, version history in Purview, audit logs in Compliance Center. |
| MA-2 | Controlled Maintenance | Ensures maintenance is scheduled, approved, and performed by authorized personnel only. | Use Microsoft Intune and Azure AD roles to assign and monitor authorized maintenance activities. | Maintenance logs, user access control records, change approval documentation. |
| MA-3 | Maintenance Tools | Controls the use of tools used for system maintenance to ensure they are authorized and secure. | Maintain tool inventories using Microsoft Defender for Endpoint; block unauthorized tools via Intune. | Tool usage logs, Intune policy configurations, blocked applications list. |
| MA-4 | Nonlocal Maintenance | Applies controls for remote (nonlocal) maintenance activities. | Secure remote access using Microsoft Entra ID Conditional Access, MFA, and Privileged Identity Management (PIM). | Remote access logs, Conditional Access policy logs, PIM usage reports. |
| MA-5 | Maintenance Personnel | Ensures only authorized personnel perform maintenance on critical systems. | Role-based access control via Azure AD, track access via Defender for Identity. | Role assignment reports, access logs, training records of maintenance staff. |
| MA-6 | Timely Maintenance | Ensures timely performance of necessary maintenance activities to reduce security risks. | Schedule system updates and patching via Windows Update for Business or Intune. | Patch management reports, update deployment logs. |
| MA-7 | Maintenance Record-Keeping | Requires organizations to keep records of maintenance performed. | Track and store logs using Microsoft Log Analytics and Sentinel. | Archived logs, ticketing system entries, SharePoint maintenance records. |
These controls align with the NIST SP 800-53 MA family
and show how to integrate them effectively into your Microsoft 365
environment with audit-ready evidence.
Here is a comprehensive table for Media Protection (MP) controls, including descriptions, Microsoft 365 implementations, and example evidence:
Media Protection (MP) – Control Family
Control ID | Control Name | Description | Microsoft 365 Implementation | Example Evidence |
---|---|---|---|---|
MP-1 | Media Protection Policy and Procedures | Establishes organizational policy and procedures for managing and protecting media. | Define policies in Microsoft Purview or Compliance Manager; use SharePoint for distribution. | Policy document versions, user acknowledgment records, training materials. |
MP-2 | Media Access | Restricts access to media to authorized individuals only. | Use Sensitivity Labels and Information Protection in Microsoft Purview to limit access. | Access logs, label audit reports, Conditional Access policies in Azure AD. |
MP-3 | Media Marking | Marks media with appropriate sensitivity classifications. | Implement Microsoft Sensitivity Labels (Confidential, Highly Confidential, etc.) via Purview. | Label configuration settings, audit trails, emails/documents with visible labels. |
MP-4 | Media Storage | Physically or digitally protects media when stored. | Store sensitive data in OneDrive for Business or SharePoint with encryption at rest enabled. | Encryption policy documentation, BitLocker or Azure Storage encryption evidence. |
MP-5 | Media Transport | Protects media during physical or electronic transport. | Use Microsoft Purview Message Encryption (OME) and TLS for email/file transport security. | Email encryption headers, OME settings screenshots, transfer logs. |
MP-6 | Media Sanitization | Ensures that media is sanitized before disposal or reuse. | Use Microsoft Data Lifecycle Management and Information Governance for retention and deletion. | Retention policy settings, audit logs showing file deletion or auto-expiry. |
MP-7 | Media Use Restrictions | Limits use of portable media (e.g., USB drives) and external sharing. | Enforce policies using Microsoft Defender for Endpoint, Intune, and Microsoft DLP policies. | Device control logs, blocked USB logs, external sharing policy configuration reports. |
MP-8 | Media Downgrading | Ensures approval and procedures are in place when reclassifying sensitive data to a lower classification. | Configure Microsoft Sensitivity Label Policies to require justification for label downgrades. | Justification logs from Purview, policy settings screenshots. |
These controls align with the NIST SP 800-53 Media Protection (MP) family and demonstrate how Microsoft 365 tools can enforce and audit them effectively.
Here is a detailed table for Physical and Environmental Protection (PE) controls, including descriptions, how they relate to Microsoft 365 (especially in cloud/SaaS environments), and example evidence where applicable:
Physical and Environmental Protection (PE) – Control Family
Control ID | Control Name | Description | Microsoft 365 / Cloud Relevance | Example Evidence |
---|---|---|---|---|
PE-1 | Physical and Environmental Protection Policy and Procedures | Establishes the baseline policies and procedures for physical security. | Microsoft follows strict data center physical security practices, described in the Microsoft Trust Center. | Documentation of policies, Microsoft compliance reports (SOC 1, SOC 2, ISO 27001). |
PE-2 | Physical Access Authorizations | Grants and manages physical access to sensitive areas. | Azure data centers use biometric scans, badges, and security guards. | SOC 2 Type II audit report, physical access logs (Microsoft internal). |
PE-3 | Physical Access Control | Enforces physical access restrictions to authorized personnel. | Data centers have multi-layered access controls, including biometric verification and surveillance. | Audit reports, Microsoft Azure documentation on data center access controls. |
PE-4 | Access Control for Transmission Medium | Protects cabling and transmission lines from unauthorized physical access. | Microsoft secures transmission lines and physical media within its data centers. | Certification reports (ISO 27001), internal diagrams and physical security SOPs. |
PE-5 | Access Control Monitoring | Monitors physical access using CCTV and intrusion detection systems. | Azure facilities are continuously monitored by security personnel and video surveillance. | CCTV usage statements, monitoring policy in compliance documentation. |
PE-6 | Visitor Control | Controls and monitors visitor access to physical facilities. | Visitors are logged, escorted, and granted temporary access only in Microsoft data centers. | Visitor log records (internal), SOC audit references. |
PE-8 | Emergency Power | Provides backup power to maintain availability during outages. | Microsoft data centers use diesel generators and battery UPS systems. | Infrastructure descriptions in Microsoft whitepapers and compliance documentation. |
PE-9 | Emergency Lighting | Provides lighting in emergency situations for safe evacuation and response. | Built into Azure's facility design for continuity and safety. | Azure facility safety documents, building safety standards certifications. |
PE-10 | Fire Protection | Protects physical environments from fire damage. | Advanced fire suppression systems are in place at Azure data centers. | Environmental safety audit documents, ISO 22301 certification. |
PE-11 | Temperature and Humidity Controls | Maintains environmental conditions to protect IT hardware. | HVAC systems continuously monitor and control temperature/humidity in Azure data centers. | Data center operation documentation, Microsoft Cloud infrastructure whitepapers. |
PE-12 | Water Damage Protection | Prevents water leaks or flooding in critical areas. | Leak detection systems and elevated floors are used in Microsoft facilities. | Facility maintenance policies, Microsoft data center engineering overview. |
PE-13 | Delivery and Removal | Controls the delivery and removal of IT equipment and media. | Microsoft tracks all equipment delivered to and removed from secure zones. | Inventory control logs, supply chain audit logs (internal). |
PE-14 | Alternate Work Site | Provides protection for alternate sites (e.g., disaster recovery sites). | Microsoft ensures DR/BCP through geo-redundant regions in Azure and Office 365. | BCP/DR plans, Microsoft geo-redundancy documentation. |
Note: As Microsoft 365 is a cloud-based SaaS
platform, physical controls are mostly managed by Microsoft in their
global data centers. Customers can review these controls via the Microsoft Trust Center
and request detailed audit reports under NDA.
Here is a detailed table for the Planning (PL)
control family from NIST 800-53, including descriptions, relevance to Microsoft
365, and example evidence:
Planning (PL) – Control Family in Table Format
Control ID | Control Name | Description | Microsoft 365 / Cloud Relevance | Example Evidence |
---|---|---|---|---|
PL-1 | Security Planning Policy and Procedures | Requires development, documentation, and dissemination of security planning policies and procedures. | Documented via Microsoft's internal policies and compliance with ISO 27001/27017 in Microsoft 365. | Policy documents in Microsoft Purview, ISO audit reports, compliance portal evidence. |
PL-2 | System Security Plan | Describes the security requirements for the system and the controls in place. | Covered in Microsoft's System Security Plan (SSP) for its cloud offerings. | Shared under NDA with customers; included in FedRAMP/Azure Security Documentation. |
PL-2(1) | System Security Plan: Plan Updates | Requires periodic review and update of the system security plan. | Microsoft updates its SSP regularly in line with FedRAMP and compliance obligations. | Change logs, SSP version history. |
PL-2(2) | System Security Plan: Content | Requires inclusion of specific content such as system environment, security roles, and controls. | Microsoft's SSP contains detailed control mappings and security boundaries. | FedRAMP SSP content outline, system architecture diagrams. |
PL-4 | Rules of Behavior | Defines rules for users on acceptable use of systems and data. | Enforced using Microsoft 365 Acceptable Use Policies and Intune compliance policies. | Policy acknowledgment logs, user onboarding documentation, DLP policy logs. |
PL-5 | Privacy Impact Assessment (PIA) | Requires an assessment of privacy risks when systems collect/store PII. | Microsoft conducts PIAs for all services involving customer data in compliance with GDPR. | PIA documentation (internal), Microsoft privacy compliance statements. |
PL-6 | Security-Related Activity Planning | Requires planning for security activities, including assessments, testing, and contingency. | Microsoft maintains planning processes for security assessments via Compliance Manager. | Test plans, change management workflows, audit logs. |
PL-7 | Security Concept of Operations (CONOPS) | Describes the system's purpose, operations, and security architecture. | Included in Microsoft Azure architecture and documentation. | Azure CONOPS-like documentation and security architecture diagrams. |
PL-8 | Information Security Architecture | Establishes a security architecture that is integrated with the enterprise architecture. | Microsoft follows Zero Trust architecture across Microsoft 365 and Azure cloud services. | Microsoft Security Architecture documentation, Zero Trust implementation reports. |
Summary
The Planning (PL) controls ensure a well-defined,
structured approach to information security by requiring documentation, role
clarity, and strategic foresight. Microsoft 365 supports these controls through
its robust compliance framework, Zero Trust model, and system
documentation available via the Microsoft Trust Center.
Here is a detailed table for the Personnel Security (PS) control family from NIST 800-53, showing how these controls relate to Microsoft 365 (as a cloud service provider) and what example evidence may apply:
Personnel Security (PS) – Control Family
Control ID | Control Name | Description | Microsoft 365 / Cloud Relevance | Example Evidence |
---|---|---|---|---|
PS-1 | Personnel Security Policy and Procedures | Establishes policies and procedures to ensure appropriate personnel security practices. | Microsoft maintains detailed HR and security policies in line with ISO/IEC 27001, SOC 2, etc. | HR policies, internal policy manuals, ISO 27001/27018 audit reports. |
PS-2 | Position Risk Designation | Assigns risk levels to organizational roles based on their responsibilities. | Microsoft classifies roles by sensitivity and applies background checks accordingly. | Job descriptions with risk designations, access control documentation. |
PS-3 | Personnel Screening | Requires background checks or vetting before granting access to systems. | All Microsoft employees undergo background checks per jurisdictional requirements. | Screening logs, onboarding checklist (internal), SOC 2 or ISO control summaries. |
PS-4 | Personnel Termination | Ensures that access is revoked promptly when personnel leave or change roles. | Microsoft uses automated de-provisioning, access review, and identity governance systems. | Azure AD deactivation logs, role change logs, Microsoft Entra ID access review. |
PS-5 | Personnel Transfer | Ensures role changes are tracked and access is adjusted accordingly. | RBAC policies and Just-in-Time (JIT) access in Microsoft Entra PIM for internal personnel. | Access change logs, Azure PIM activation history, audit trail in Compliance Center. |
PS-6 | Access Agreements | Requires personnel to sign agreements outlining security responsibilities. | Microsoft employees agree to NDA and Acceptable Use policies before gaining access to systems. | Signed policy acknowledgments, onboarding documents. |
PS-7 | Third-Party Personnel Security | Ensures third-party contractors/vendors comply with the same standards. | Vendors and contractors are assessed via Microsoft's Supplier Security and Privacy Assurance. | Third-party agreements, supplier audit records, NDA templates. |
PS-8 | Personnel Sanctions | Defines sanctions for violating security policies. | Microsoft enforces disciplinary procedures and ethics policies for security violations. | HR disciplinary policy documents, incident response logs, ethics training records. |
Key Notes
- Since Microsoft 365 is a cloud service, Personnel Security (PS) controls are primarily the responsibility of Microsoft (as the provider) and are audited under SOC 2 Type II, ISO 27001, and FedRAMP certifications.
- For customers of Microsoft 365, equivalent PS controls apply internally to their admins, support personnel, and third-party integrations.
Here is a detailed table for the Risk Assessment (RA)
control family (based on NIST SP 800-53), including descriptions, relevance to
Microsoft 365, and examples of evidence.
Risk Assessment (RA) – Control Family
Control ID | Control Name | Description | Microsoft 365 / Cloud Relevance | Example Evidence |
---|---|---|---|---|
RA-1 | Risk Assessment Policy and Procedures | Requires organizations to develop and implement policies and procedures for conducting risk assessments. | Microsoft documents policies for risk management in line with ISO 27005, FedRAMP, and SOC 2. | Risk management policies, ISO 27001 certification, Microsoft Trust Center documents. |
RA-2 | Security Categorization | Categorizes information systems and data based on impact levels. | Microsoft categorizes data and services under its data classification scheme and compliance framework. | Classification levels (Confidential, Highly Confidential), label configuration in Purview. |
RA-3 | Risk Assessment | Conducts periodic assessments to identify risks to organizational operations, assets, and individuals. | Microsoft performs internal and third-party risk assessments on its infrastructure and services. | Risk register, security risk assessment reports, audit logs, compliance center reports. |
RA-3(1) | Update Risk Assessment | Risk assessments must be updated periodically or when significant changes occur. | Microsoft updates assessments based on new features, vulnerabilities, or compliance needs. | Risk register updates, change logs, policy review schedules. |
RA-5 | Vulnerability Monitoring and Scanning | Identifies, monitors, and scans for system vulnerabilities. | Microsoft uses automated vulnerability scanning across its infrastructure and issues patches accordingly. | Patch management logs, CVE reports, Microsoft Security Update Guide, Defender reports. |
RA-5(1) | Update Tool Capabilities | Ensures vulnerability scanning tools are regularly updated. | Microsoft Defender and Microsoft Security Center tools are automatically updated. | Defender version history, tool patch documentation. |
RA-5(2) | Remediate Identified Vulnerabilities | Mitigates discovered vulnerabilities in a timely manner. | Microsoft uses the Security Development Lifecycle (SDL) and a defined remediation process. | Vulnerability ticket logs, remediation timelines, risk exception handling reports. |
RA-5(3) | Automated Trend Analysis | Performs automated analysis to identify trends in vulnerability data. | Microsoft Defender and Microsoft Sentinel provide dashboards and analytics. | Sentinel dashboards, trend analysis reports, alerts and action logs. |
Summary:
The RA (Risk Assessment) control family ensures a
continuous process of evaluating threats and vulnerabilities, aligning with
regulatory and business requirements. Microsoft 365 facilitates this via:
- Compliance Manager
- Microsoft Defender
- Microsoft Purview
- Microsoft Sentinel
These tools offer automated assessments, security scoring,
and mitigation planning.
Here is a detailed table for the System and Services
Acquisition (SA) control family from NIST SP 800-53, tailored to
include relevance to Microsoft 365 and examples of evidence where
applicable:
System and Services Acquisition (SA) – Control Family
Control ID | Control Name | Description | Microsoft 365 / Cloud Relevance | Example Evidence |
---|---|---|---|---|
SA-1 | System and Services Acquisition Policy and Procedures | Establishes policies and procedures for acquiring and maintaining IT systems and services. | Microsoft documents and enforces acquisition processes through secure SDLC and third-party vetting. | Policy documents, ISO 27001 certification, SDL (Security Development Lifecycle) evidence. |
SA-2 | Allocation of Resources | Ensures that adequate resources are allocated to protect organizational systems. | Microsoft allocates significant budget and personnel to security and compliance across cloud services. | Azure security investment documentation, audit reports, financial investment overviews. |
SA-3 | System Development Life Cycle (SDLC) | Requires security considerations to be integrated throughout the system development process. | Microsoft uses a Security Development Lifecycle (SDL) process for all cloud offerings, including Microsoft 365. | SDL documentation, DevSecOps pipeline diagrams, secure coding policies. |
SA-4 | Acquisition Process | Requires that acquisitions include security and privacy requirements. | Microsoft includes contractual security clauses for vendors and third-party developers. | Procurement policy, third-party risk management policy, contract templates. |
SA-5 | System Documentation | Ensures complete and up-to-date system documentation. | Microsoft provides extensive technical and security documentation for Microsoft 365 and Azure services. | Product documentation, compliance datasheets, architectural diagrams. |
SA-8 | Security and Privacy Engineering Principles | Applies standard security and privacy principles during system design and implementation. | Microsoft incorporates Zero Trust and Privacy-by-Design principles. | Design documentation, Zero Trust whitepapers, privacy architecture diagrams. |
SA-9 | External System Services | Assesses and manages risk from external service providers. | Microsoft uses the Supplier Security and Privacy Assurance (SSPA) program for third-party oversight. | SSPA compliance records, vendor security assessments, SLA documents. |
SA-9(1) | Risk Assessments for External Providers | Requires periodic reassessment of third-party service risks. | Microsoft regularly reassesses risks from critical vendors. | Third-party audit results, reassessment logs, risk register. |
SA-10 | Developer Configuration Management | Requires secure configuration and version control for systems and codebases. | Microsoft uses configuration baselines, Git repositories, and access control mechanisms. | Azure DevOps logs, Git version control logs, secure coding policies. |
SA-11 | Developer Testing and Evaluation | Requires testing of systems prior to deployment. | Microsoft conducts unit testing, static/dynamic code analysis, and penetration testing. | QA reports, testing evidence, bug tracking tickets, secure code review logs. |
SA-12 | Supply Chain Protection | Identifies and mitigates risks from the IT supply chain. | Microsoft follows secure hardware sourcing and firmware validation for Azure data centers. | Supply chain assurance documents, hardware validation policies. |
SA-15 | Development Process, Standards, and Tools | Requires defined processes and tools for secure system development. | Microsoft uses industry-standard tools for secure development across the Microsoft 365 cloud stack. | Toolchain documentation, DevSecOps flow diagrams, SDL training records. |
SA-22 | Unsupported System Components | Identifies and removes or updates unsupported software and hardware. | Microsoft ensures all systems are patched and legacy services are deprecated securely. | Patch management logs, lifecycle support documentation, Windows/Office update records. |
Key Takeaways:
- Microsoft 365 leverages robust acquisition and development controls backed by formal certifications like FedRAMP, ISO 27001, and SOC 2 Type II.
- The Security Development Lifecycle (SDL) is a core part of Microsoft's assurance program, ensuring that all new features/services go through rigorous security review.
Here is a detailed table for the System and
Communications Protection (SC) control family from NIST SP 800-53,
tailored to include relevance to Microsoft 365 and typical evidence
examples:
System and Communications Protection (SC) – Control Family
Control ID | Control Name | Description | Microsoft 365 / Cloud Relevance | Example Evidence |
---|---|---|---|---|
SC-1 | Policy and Procedures | Develops and disseminates security policy and procedures for system and communications protection. | Microsoft has internal policies and procedures documented under ISO and FedRAMP frameworks. | ISO 27001 policies, compliance documents, audit logs. |
SC-7 | Boundary Protection | Monitors and controls communications at external boundaries. | Microsoft 365 uses Azure firewalls, proxies, and perimeter controls (e.g., Zero Trust architecture). | Network diagrams, firewall configuration, Secure Score logs. |
SC-7(12) | TLS Encryption | Uses cryptographic methods like TLS to protect communications. | Microsoft 365 encrypts data in transit using TLS 1.2+. | TLS configuration proof, SSL certificate management in Microsoft Defender. |
SC-8 | Transmission Confidentiality and Integrity | Protects data in transit from unauthorized disclosure and modification. | Enforced through TLS and IPsec encryption across Microsoft cloud infrastructure. | Packet inspection logs, configuration of email encryption (M365), IPsec policy docs. |
SC-12 | Cryptographic Key Establishment and Management | Securely manages cryptographic keys. | Microsoft uses Azure Key Vault and customer-managed key (CMK) options. | Key lifecycle documents, audit logs, CMK configuration screenshots. |
SC-13 | Cryptographic Protection | Implements cryptographic methods to protect sensitive data. | BitLocker, Azure Storage encryption, Microsoft Purview Information Protection. | Encryption algorithm specs, Purview sensitivity label setup, BitLocker settings. |
SC-15 | Collaborative Computing Devices | Controls use of devices like webcams, microphones, etc. | Microsoft 365 allows policy control over Teams, webcams, and device access via Intune. | Intune compliance policy, Teams device settings, usage logs. |
SC-18 | Mobile Code | Controls execution of mobile code (e.g., JavaScript, Flash). | Microsoft Edge and Defender for Endpoint policies restrict unsafe mobile code execution. | Endpoint configuration logs, Defender policy settings. |
SC-28 | Protection of Information at Rest | Ensures sensitive information is protected while stored. | Microsoft 365 data is encrypted at rest using BitLocker, Azure Storage encryption, etc. | Audit logs, data encryption policies, SharePoint/OneDrive settings. |
SC-28(1) | Encryption for Information at Rest | Requires encryption for sensitive stored data. | Enabled by default in Microsoft 365/Azure; customer-controlled keys supported. | CMK/Azure Key Vault logs, M365 compliance center configuration. |
SC-39 | Process Isolation | Ensures system processes operate in isolation to avoid interference. | Microsoft uses Hyper-V, containers, and virtualization-based security in Azure. | Hyper-V config, VM process isolation documents, Azure container security reports. |
SC-43 | Usage Restrictions for External Systems | Limits use of external systems for processing/storing sensitive data. | Microsoft enforces Conditional Access, compliance boundaries, and third-party connector reviews. | Conditional Access policies, third-party risk reports, DLP enforcement logs. |
SC-44 | Detonation Chamber / Sandboxing | Analyzes suspicious content in isolated environments. | Microsoft Defender for Office 365 uses Safe Attachments and Safe Links for sandboxing. | Security Center reports, Threat Explorer logs, ATP configuration settings. |
Summary:
The System and Communications Protection (SC) family
ensures confidentiality, integrity, and secure communication. Microsoft 365
provides robust support for these controls using:
- Microsoft Defender for Office 365
- Microsoft Purview
- Azure Key Vault
- TLS/IPsec
- BitLocker & Disk Encryption
Here is a detailed table for the System and Information
Integrity (SI) control family based on NIST SP 800-53, customized to
include relevance to Microsoft 365 and supporting evidence examples.
System and Information Integrity (SI) – Control Family
Control ID | Control Name | Description | Microsoft 365 / Cloud Relevance | Example Evidence |
---|---|---|---|---|
SI-1 | Policy and Procedures | Establishes policies and procedures to ensure the integrity of systems and information. | Microsoft maintains policies aligned with ISO 27001 and NIST frameworks. | Policy documentation, compliance reports, internal security guidelines. |
SI-2 | Flaw Remediation | Identifies, reports, and corrects flaws in systems and software. | Microsoft issues regular patches and updates through Windows Update and Office 365 auto-updates. | Patch logs, CVE tracking, monthly patching schedules, Windows Update settings. |
SI-3 | Malicious Code Protection | Detects and prevents malicious code (e.g., malware, ransomware). | Microsoft Defender for Endpoint and Defender for Office 365 provide real-time protection and automated response. | Defender dashboards, malware detection reports, threat intelligence logs. |
SI-4 | System Monitoring | Monitors systems to detect attacks and unauthorized activity. | Microsoft 365 uses Sentinel, Defender, and audit logs for monitoring. | SIEM integration, alert logs, Sentinel incident reports. |
SI-4(5) | Unauthorized Use Monitoring | Detects and alerts on unauthorized system usage. | Microsoft Defender detects suspicious user behavior and insider threats. | Activity alerts, audit logs, Insider Risk Management policies in Purview. |
SI-5 | Security Alerts, Advisories, and Directives | Receives and responds to security alerts and advisories. | Microsoft provides threat intelligence feeds and integrates with the Microsoft Security Response Center (MSRC). | Threat Explorer reports, MSRC notices, Microsoft 365 Message Center updates. |
SI-6 | Security Function Verification | Ensures security functions operate correctly and securely. | Defender and Microsoft Secure Score provide continuous validation of protection settings. | Secure Score report, Defender health checks, endpoint policy audit. |
SI-7 | Software, Firmware, and Information Integrity | Verifies integrity of software and firmware using trusted checks. | Microsoft uses Secure Boot, code signing, and integrity validation in the supply chain. | Secure Boot logs, SHA hashes for updates, firmware validation reports. |
SI-7(1) | Integrity Checks | Periodically verifies file and configuration integrity. | Microsoft Defender Application Control and Intune monitor for unauthorized changes. | Intune compliance policies, file integrity check logs. |
SI-8 | Spam Protection | Detects and filters unsolicited and malicious email. | Microsoft Defender for Office 365 includes spam filtering, spoof detection, and phishing defense. | Exchange Online Protection (EOP) logs, spam filtering reports, Defender settings. |
SI-10 | Information Input Validation | Validates input to prevent injection and other attacks. | Microsoft employs input validation in its services and APIs to prevent attacks (e.g., XSS, SQLi). | Developer SDL evidence, application testing logs, threat modeling documents. |
SI-11 | Error Handling | Manages error messages securely to avoid information leakage. | Microsoft uses secure coding practices to prevent error-based attacks and logs sensitive errors internally. | Application logs, redacted error messages, secure error management practices. |
Summary:
The System and Information Integrity (SI) control
family helps ensure that Microsoft 365 systems are continuously protected,
monitored, and updated against threats and software flaws. Microsoft supports
these controls via:
- Microsoft Defender (Endpoint & Office 365)
- Microsoft Sentinel
- Microsoft Purview / Compliance Center
- Microsoft Security Response Center (MSRC)