Microsoft Teams - Compliance
Teams lets you communicate, collaborate and share content across your business, giving you manageability while working remotely. But what compliance standards does Microsoft work to, and how does Teams follow them?
Compliance
Many different policies can be applied to the different areas of Teams, such as channels, chats and attachments, to make your tenant more compliant with the data it handles. There are also compliance standards that Microsoft follows and applies to your data by default, which should make your business more comfortable with how that data is handled. Below we look at how Microsoft demonstrates compliance, how your data travels, and some of the policies that can be applied.
Microsoft Compliance Standards
Microsoft Teams is Tier D compliant which includes the following standards: ISO 27001, ISO 27018, SSAE16 SOC 1 & SOC 2, HIPAA and EU Model Clauses (EUMC).
Microsoft has a compliance framework that classifies Office 365 applications and services into four categories, A, B, C and D. Each category is defined by specific compliance commitments that a service must meet to be listed in it. Services in categories C and D carry industry-leading compliance commitments and are enabled by default; services in categories A and B come with a control to turn them on or off for the whole organisation. Teams also supports the Cloud Security Alliance (CSA) compliance programme.
Of course, security and compliance do not stop there; Microsoft is continually enhancing security. Microsoft follows a process called the Security Development Lifecycle (SDL): when developers are working on software, privacy and security requirements are defined and integrated into the SDL so that new products and services are built with those requirements from the start.
The Microsoft Online Services Privacy Statement puts their commitment to keeping data secure in writing and details their data protection policies. Check it out here….
Microsoft's primary principles when handling your data include:
- Control – Putting your business in control of privacy with easy-to-use tools
- Transparency – Being transparent about data collection and use so that you can make informed decisions
- Security – Protecting data with strong security and encryption
- Strong Legal Protections – Respecting your local privacy laws and fighting for legal protection of your privacy as a right
- No content-based targeting – Not using your email, chat or files to target advertisements
- Benefit to you – When Microsoft does collect data, it is used to benefit you by making your experience better
Global Security Accreditations
Please see below some of the global accreditations that Microsoft Office 365 and Teams adhere to:
- CIS Benchmark
- CSA-STAR attestation, CSA-STAR certification and CSA-STAR self-assessment
- ISO 20000-1:2011, ISO 22301, ISO 27001
- ISO 27017, ISO 27018, ISO 27701, ISO 9001
- SOC
- WCAG
Teams Data Flow
The diagram below shows the flow of data from Teams to Exchange and SharePoint for files and Teams messages. In short: chat and channel messages live in the Teams chat service, and a copy is placed in a hidden folder in the relevant Exchange Online mailbox (the user's mailbox for 1:1 and group chats, the Microsoft 365 group mailbox for channel messages) so that retention, eDiscovery and compliance tools can act on them; files shared in a channel are stored in the team's SharePoint site, and files shared in a chat are stored in the sender's OneDrive.
This is how Teams meeting and call data flows to Exchange:
Compliance Tools:
Information Barriers can be put in place by your administrator to prevent people communicating who have no business need to do so. This is a good tool for stopping data moving between departments that should not be sending or receiving it. The policies can apply to 1:1 chats, group chats and team-level chats, so users cannot share data with people who do not need to see it.
Communication Compliance – Policies can be configured to examine users' Microsoft Teams communications for offensive language, sensitive information and anything that relates to internal or regulatory standards. This can be applied across public and private teams, individual chats and attachments being sent. It is a great set of tools for keeping users safe.
Retention Policies – Useful for ensuring that important data is retained for regulatory, legal and business reasons. They can also be used to remove content and communications that are no longer relevant and do not need to be retained. A policy can keep data for a set period and then delete it.
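The two policy types above can also be created from Security & Compliance PowerShell rather than the Microsoft 365 compliance portal, which makes the configuration reviewable and repeatable. The script below is an added example and is not from the original article or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Compliance Administrator role, and that users have a populated Department attribute; the segment names, the admin account, and the seven-year retention period are illustrative assumptions.

```powershell
# Added example: Information Barrier segments/policies and a Teams retention
# policy via Security & Compliance PowerShell (ExchangeOnlineManagement module).
# Tenant admin account, segment names and retention period are assumptions.

Connect-IPPSSession -UserPrincipalName admin@contoso.com   # hypothetical admin

# 1. Segments are defined from a directory attribute. Each user must fall into
#    exactly one segment, so choose a filter that partitions users cleanly.
New-OrganizationSegment -Name "HR"      -UserGroupFilter "Department -eq 'HR'"
New-OrganizationSegment -Name "Finance" -UserGroupFilter "Department -eq 'Finance'"

# 2. Block communication between the segments. A block is directional, so one
#    policy is needed in each direction. Create them Inactive so they can be
#    reviewed before anything is enforced.
New-InformationBarrierPolicy -Name "HR-blocks-Finance" `
    -AssignedSegment "HR" -SegmentsBlocked "Finance" -State Inactive
New-InformationBarrierPolicy -Name "Finance-blocks-HR" `
    -AssignedSegment "Finance" -SegmentsBlocked "HR" -State Inactive

# 3. Review the policies, then activate them and start applying them to users.
#    Application runs in the background; rerun Get-InformationBarrierPoliciesApplicationStatus
#    until it reports Completed before assuming the barrier is in force.
Get-InformationBarrierPolicy | Format-Table Name, AssignedSegment, SegmentsBlocked, State
Set-InformationBarrierPolicy -Identity "HR-blocks-Finance" -State Active
Set-InformationBarrierPolicy -Identity "Finance-blocks-HR" -State Active
Start-InformationBarrierPoliciesApplication
Get-InformationBarrierPoliciesApplicationStatus

# 4. Retention: keep Teams chats and channel messages for seven years from
#    creation, then delete them. Teams locations must sit in their own policy;
#    they cannot be mixed with Exchange or SharePoint locations.
New-RetentionCompliancePolicy -Name "Teams 7 year retention" `
    -TeamsChatLocation All -TeamsChannelLocation All -Enabled $true
New-RetentionComplianceRule -Name "Teams 7 year rule" `
    -Policy "Teams 7 year retention" `
    -RetentionDuration 2555 `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption CreationAgeInDays
```

Test a new barrier with two accounts in the blocked segments before rolling it out widely: the blocked user should disappear from people search and existing 1:1 chats between them should become read-only. Retention changes can take up to a day to apply, so verify with Get-RetentionCompliancePolicy -DistributionDetail that the policy shows as distributed before relying on it.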
Data Location: Teams data at rest is stored in the geographic region associated with your Office 365 tenant, which is set when the tenant is created. The United Kingdom is a supported region, so our recommendation is to check with your Office 365 administrator that your tenant is in the UK region. Keeping data at rest within the UK matters to UK businesses because it limits where your data is stored. Note that the residency commitment covers customer data at rest for the core services; data can still be processed or cached outside the region, so residency complements, rather than replaces, encryption and access controls.
A quick way to check (if you are already an Office 365 administrator) is to go to the Microsoft 365 Admin Centre, then Settings, then Organisation profile, and scroll down to Data location.
It is important to know how your data is handled and which security standards are being adhered to, especially when you are putting your company data in the hands of a third party.
If you would like to discuss any of the policies above, please feel free to give us a call on 01925 838 386 or email us on [email protected]