|
1 | | -In this module, you learn how to: |
2 | | - |
3 | | -- Translate compliance requirements into a security solution |
4 | | -- Address compliance requirements with Microsoft Purview |
5 | | -- Design a solution to address privacy requirements with Microsoft Priva |
6 | | -- Design Azure Policy solutions to address security and compliance requirements |
7 | | -- Evaluate infrastructure compliance by using Microsoft Defender for Cloud |
8 | | - |
9 | | -The content in the module helps you prepare for the certification exam SC-100: Microsoft Cybersecurity Architect. |
10 | | - |
11 | | -## Prerequisites |
12 | | - |
13 | | -- Conceptual knowledge of security policies, requirements, zero trust architecture, and management of hybrid environments |
14 | | -- Working experience with zero trust strategies, applying security policies, and developing security requirements based on business goals |
15 | | - |
16 | | -## Overview of regulatory compliance |
17 | | - |
18 | | -This article provides an introduction to regulatory compliance, and therefore is not intended for implementing a compliance strategy. More detailed information about [Azure compliance offerings](/compliance/regulatory/offering-home) is available at the [Microsoft Trust Center](https://www.microsoft.com/trust-center). Moreover, all downloadable documentation is available to certain Azure customers from the [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/). |
19 | | - |
20 | | -Regulatory compliance refers to the discipline and process of ensuring that a company follows the laws enforced by governing bodies in their geography or rules required by voluntarily adopted industry standards. For IT regulatory compliance, people and processes monitor corporate systems to detect and prevent violations of policies and procedures established by these governing laws, regulations, and standards. This in turn applies to a wide array of monitoring and enforcement processes. Depending on the industry and geography, these processes can become lengthy and complex. |
21 | | - |
22 | | -Compliance is challenging for multinational organizations, especially in heavily regulated industries like healthcare and financial services. Standards and regulations abound, and in certain cases may change frequently, making it difficult for businesses to keep up with changing international electronic data handling laws. |
23 | | - |
24 | | -As with security controls, organizations should understand the division of responsibilities regarding regulatory compliance in the cloud. Cloud providers strive to ensure that their platforms and services are compliant. Organizations also need to confirm that their applications, the infrastructure those applications depend on, and services supplied by third parties are also certified as compliant. |
25 | | - |
26 | | -## Regulatory compliance as part of Governance |
27 | | - |
28 | | - |
29 | | - |
30 | | -The Cloud Adoption Framework governance model identifies key areas of importance during the journey. Each area relates to different types of risks the company must address as it adopts cloud services. Within this framework, the governance guide identifies required actions for the cloud governance team. Along the way, each principle of the Cloud Adoption Framework governance model is described further. |
31 | | - |
32 | | -### Corporate policies |
| 1 | +As organizations expand across regions and adopt new technologies like AI, they face an increasingly complex web of regulatory requirements. Security architects must design solutions that not only protect assets but also demonstrate compliance with regulations that vary by geography, industry, and technology. |
33 | 2 |
|
34 | | -Corporate policies drive cloud governance. The governance guide focuses on specific aspects of corporate policy: |
| 3 | +## What is regulatory compliance? |
35 | 4 |
|
36 | | -- **Business risks:** Identifying and understanding corporate risks. |
37 | | -- **Policy and compliance:** Converting risks into policy statements that support any compliance requirements. |
38 | | -- **Processes:** Ensuring adherence to the stated policies. |
| 5 | +Regulatory compliance refers to the discipline of ensuring that an organization follows the laws enforced by governing bodies in their geography or rules required by voluntarily adopted industry standards. For security architects, this means designing solutions that: |
39 | 6 |
|
40 | | -**Five Disciplines of Cloud Governance:** These disciplines support the corporate policies. Each discipline protects the company from potential pitfalls: |
| 7 | +- Meet specific technical and operational requirements mandated by regulations |
| 8 | +- Provide evidence of compliance through logging, monitoring, and reporting |
| 9 | +- Adapt to changing requirements as regulations evolve |
| 10 | +- Scale across multicloud and hybrid environments |
41 | 11 |
|
42 | | -- Cost Management discipline |
43 | | -- Security Baseline discipline |
44 | | -- Resource Consistency discipline |
45 | | -- Identity Baseline discipline |
46 | | -- Deployment Acceleration discipline |
| 12 | +Compliance is particularly challenging for multinational organizations in regulated industries like healthcare and financial services, where requirements vary by jurisdiction and change frequently. |
47 | 13 |
|
48 | | -Essentially, corporate policies serve as an early warning system to detect potential problems. The disciplines help the company manage risks and create guardrails. |
| 14 | +## Scenario |
49 | 15 |
|
50 | | -## Important regulatory compliance standards |
| 16 | +You're a security architect at Contoso, a multinational financial services company. Contoso recently expanded operations into new markets and is deploying AI-powered services for customer interactions. Your leadership team has tasked you with designing a compliance strategy that addresses: |
51 | 17 |
|
| 18 | +- Financial services regulations across multiple regions |
| 19 | +- Healthcare data protection requirements for a new insurance product line |
| 20 | +- AI governance requirements as the company deploys machine learning models |
| 21 | +- Privacy requirements for customer data across all services |
| 22 | +- Consistent policy enforcement across Azure, AWS, and on-premises environments |
52 | 23 |
|
53 | | -The following are descriptions of compliance regulations in various industries and geographies: |
| 24 | +You need to translate these diverse regulatory requirements into a cohesive security architecture that enables the business while maintaining compliance. |
54 | 25 |
|
55 | | -<!--[](/azure/cloud-adoption-framework/govern/policy-compliance/regulatory-compliance#hipaa)--> |
| 26 | +## What will you learn? |
56 | 27 |
|
57 | | -## HIPAA |
58 | | - |
59 | | -A healthcare application that processes protected health information (PHI) is subject to both the privacy rule and the security rule encompassed within the Health Insurance Portability and Accountability Act (HIPAA). At a minimum, HIPAA could likely require that a healthcare business must receive written assurances from the cloud provider that it will safeguard any PHI received or created. |
60 | | - |
61 | | -<!--[](/azure/cloud-adoption-framework/govern/policy-compliance/regulatory-compliance#pci)--> |
62 | | - |
63 | | -## PCI |
64 | | - |
65 | | -The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card payment systems, including Visa, Mastercard, American Express, Discover, and JCB. The PCI standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit-card fraud. Validation of compliance is performed annually, either by an external qualified security assessor (QSA) or by a firm-specific internal security assessor (ISA) who creates a report on compliance (ROC) for organizations handling large volumes of transactions, or by a self-assessment questionnaire (SAQ) for companies. |
66 | | - |
67 | | -<!--[](/azure/cloud-adoption-framework/govern/policy-compliance/regulatory-compliance#personal-data)--> |
68 | | - |
69 | | -## Personal data |
70 | | - |
71 | | -Personal data is information that could be used to identify a consumer, employee, partner, or any other living or legal entity. Many emerging laws, particularly those dealing with privacy and personal data, require that businesses comply and report on compliance and any breaches that occur. |
72 | | - |
73 | | -<!--[](/azure/cloud-adoption-framework/govern/policy-compliance/regulatory-compliance#gdpr)--> |
74 | | - |
75 | | -<!--[](/azure/cloud-adoption-framework/govern/policy-compliance/regulatory-compliance#compliant-foundation-in-azure)--> |
76 | | - |
77 | | -## Compliant foundation in Azure |
78 | | - |
79 | | -To help customers meet their own compliance obligations across regulated industries and markets worldwide, Azure maintains the largest compliance portfolio in the industry, in both breadth (total number of offerings) and depth (number of customer-facing services in assessment scope). Azure compliance offerings are grouped into four segments: |
80 | | - |
81 | | -- Global |
82 | | -- US government |
83 | | -- Industry |
84 | | -- Regional |
| 28 | +In this module, you learn how to: |
85 | 29 |
|
86 | | -Azure compliance offerings are based on various types of assurances, including formal certifications, attestations, validations, authorizations, and assessments produced by independent third-party auditing firms, as well as contractual amendments, self-assessments, and customer guidance documents produced by Microsoft. Each offering description in this document provides an up-to-date scope statement indicating which Azure customer-facing services are in scope for the assessment, along with links to downloadable resources to assist customers with their own compliance obligations. |
| 30 | +- Translate compliance requirements into security solutions using Zero Trust principles |
| 31 | +- Address compliance requirements with Microsoft Purview including AI governance templates |
| 32 | +- Design a solution to address privacy requirements with Microsoft Priva |
| 33 | +- Design Azure Policy solutions to address security and compliance requirements |
| 34 | +- Evaluate infrastructure compliance across multicloud environments using Microsoft Defender for Cloud |
87 | 35 |
|
88 | | -The Microsoft Trust Center provides more detailed information about [Azure compliance offerings](https://www.microsoft.com/trust-center/compliance/compliance-overview). Additionally, all downloadable documentation is available to certain Azure customers from the [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/) in the following sections: |
| 36 | +## Prerequisites |
89 | 37 |
|
90 | | -- **Audit reports:** Includes sections for FedRAMP, GRC assessment, ISO, PCI DSS, and SOC reports. |
91 | | -- **Data protection resources:** Includes compliance guides, FAQ and white papers, and pen test and security assessment sections. |
| 38 | +- Advanced experience and knowledge in identity and access, platform protection, security operations, securing data, and securing applications |
| 39 | +- Experience with hybrid and cloud implementations |
| 40 | +- Familiarity with common compliance frameworks such as ISO 27001, SOC 2, PCI-DSS, or HIPAA |
0 commit comments