
t +61 2 6100 7714 | a Foresight Consulting, GPO Box 116, Canberra ACT 2601, AUSTRALIA | e [email protected] | foresightconsulting.com.au

Mr. James Kavanagh
National Security Officer
Microsoft Australia
Level 4, 6 National Circuit, Barton, ACT 2600

02 March 2015

Microsoft Office 365 IRAP Assessment – Letter of Compliance

Dear Mr. Kavanagh,

This document is to act as a letter of compliance for the Microsoft Office 365 cloud service.

From December 2014 through February 2015, Foresight Consulting was engaged to conduct an IRAP assessment of the Microsoft Office 365 (“Office 365”) platform, consistent with the process prescribed in the Australian Government Information Security Manual (ISM) and the Protective Security Policy Framework. The assessment was conducted by Peter Baussmann, a registered assessor within the Australian Signals Directorate Information Security Registered Assessors Program (IRAP). Microsoft Office 365 was assessed against the ISM controls for unclassified but sensitive information, referred to as UNCLASSIFIED (DLM). Within the ISM, these are identified as Government system (G) controls.

The scope of assessment included the following services:

- Office 365 Services (Exchange Online, SharePoint Online, Skype for Business and supporting service workloads);
- Microsoft Cloud and Infrastructure Operations (providers of the global network and physical infrastructure); and
- Australian Data Centre facilities.

Foresight conducted the IRAP assessment in two stages:

- The first stage determined whether the system architecture (including information security documentation) is based on sound security principles and has addressed all applicable controls from the ISM.
- The second stage determined whether the controls, as approved by the system owner and reviewed during the first stage, have been implemented and are operating effectively. Validation included onsite inspections, personnel interviews, process demonstrations, configuration reviews and review of existing certification reports and evidence.

Foresight Consulting also reviewed the Australian Office 365 System Security Plan and has prepared a detailed Report of Compliance documenting applicability and compliance with specific controls. A summary of assessment findings is provided in the attached table.

The principal finding of this assessment process is that the applicable Information Security Manual controls are in place and fully effective within Office 365 for the processing, storage and transmission of UNCLASSIFIED (DLM) Australian Government data.

If, in the future, a significant change occurs to services within the scope of this assessment, Microsoft should advise an IRAP assessor for consideration of reassessment. Microsoft should also review the latest versions of the Australian Government Information Security Manual as they are published for changes to controls applicable to the service.

Regards,

Peter Baussmann, CISSP, CISM, CCSA, PCI-QSA, PCI-P, ASD IRAP Assessor
Principal Security Consultant, Foresight Consulting

Attachment: Summary of Assessment Findings

The table lists each ISM chapter, the controls assessed within it, the assessed control effectiveness (Effective / Not Effective) and Foresight's statement on control effectiveness. Every control assessed is marked Effective; no control is marked Not Effective.

ISM Chapter: Information Security Risk Management
  Risk Assessment: Effective
  Security Risk Management Plan: Effective
  Statement on Control Effectiveness: Foresight found the controls in place to be effective for the management of Office 365 information security risks.

ISM Chapter: Roles and Responsibilities
  Chief Information Security Officer: Effective
  IT Security Advisor: Effective
  IT Security Manager: Effective
  IT Security Officer: Effective
  System Owner: Effective
  System Users: Effective
  Statement on Control Effectiveness: Foresight found that the roles identified met the intent of the roles described within the ISM and that team responsibilities were clearly defined.

ISM Chapter: Information Security Documentation
  Documentation Framework: Effective
  Information Security Policy: Effective
  Statement on Control Effectiveness: The Information Security Policies in place provide clear policy guidance and are considered to be an effective security control for Office 365.
  System Security Plan: Effective
  Statement on Control Effectiveness: The Microsoft Office 365 Australia SSP clearly details security controls for the system and is considered to be an effective security documentation control for Office 365.
  Standard Operating Procedures: Effective
  Statement on Control Effectiveness: The Microsoft Standard Operating Procedures reviewed addressed all security control areas and are considered to meet the intent of the applicable controls within the ISM.
  Incident Response Plan: Effective
  Statement on Control Effectiveness: Microsoft Incident Management Standard Operating Procedures meet the ISM requirements for an Incident Response Plan and are assessed to be effective security controls.
  Business Continuity and Disaster Recovery Plan: Effective
  Statement on Control Effectiveness: Business continuity and disaster recovery are suitably addressed and Office 365 is considered compliant with the ISM controls relating to availability, business continuity and disaster recovery.

ISM Chapter: Information Security Monitoring
  Vulnerability Management: Effective
  Statement on Control Effectiveness: Microsoft’s vulnerability management practices […] assessment, remediation and ongoing management of vulnerabilities. (Text lost at the page break in the source.)
  Change Management: Effective
  Statement on Control Effectiveness: The change management process is considered an effective security control for managing changes to Office 365.

ISM Chapter: Cyber Security Incidents
  Detecting, Reporting and Managing Cyber Security Incidents: Effective
  Statement on Control Effectiveness: Microsoft’s incident management practices are considered compliant with the ISM and an effective security control for detecting, reporting and managing security incidents relating to Office 365.

ISM Chapter: Physical & Environmental Security
  Physical Security for Systems: Effective
  Statement on Control Effectiveness: The physical security controls in place meet or exceed ISM requirements for storage of UNCLASSIFIED (DLM) data.

ISM Chapter: Personnel Security for Information Systems
  Information Security Awareness & Training: Effective
  Authorisations, Security Clearances & Briefings: Effective
  Statement on Control Effectiveness: Review of personnel security measures and interviews with security personnel provided assurance to Foresight that personnel security is managed effectively within the organisation.

ISM Chapter: Communications Security
  Communications Security: Effective
  Statement on Control Effectiveness: Communications security within assessed data centres is considered effective to meet the intent of the applicable controls within the ISM Communications Security section for the handling of UNCLASSIFIED (DLM) information.

ISM Chapter: Product Security
  Product Security: Effective
  Statement on Control Effectiveness: Microsoft’s product security processes, combined with supporting vulnerability management, software and media security processes, are assessed as an effective implementation of the ISM Product Security controls.

ISM Chapter: Media Security
  Media Security: Effective
  Statement on Control Effectiveness: Foresight found effective media security controls are in place for the handling, sanitisation, destruction and disposal of media.

Asset Management: Effective
  Statement on Control Effectiveness: Foresight found that asset management is performed effectively within Microsoft, consistent with the requirements for UNCLASSIFIED (DLM) information.

ISM Chapter: Software Security
  SOE: Effective
  Statement on Control Effectiveness: Operating system security controls are considered effective for the handling and storage of UNCLASSIFIED (DLM) information.
  Application Whitelisting: Effective
  Statement on Control Effectiveness: The application whitelisting controls in place meet the intent of the ISM for the effective control of permitted executables.
  Software Application Development: Effective
  Statement on Control Effectiveness: Foresight found that the approach Microsoft takes to software security, including secure development and deployment, meets or exceeds the security requirements of the ISM.
  Database Systems: Effective
  Statement on Control Effectiveness: Microsoft database security controls meet the compliance requirements for Database Systems within the ISM.

ISM Chapter: Access Control
  Privileged Access: Effective
  Statement on Control Effectiveness: Privileged access to systems is appropriately managed and monitored, with controls assessed as effective with regard to applicable ISM controls.
  Event Logging and Auditing: Effective
  Statement on Control Effectiveness: Microsoft’s collection and management of Office 365 system and network event logs is a thorough and effective mechanism and meets the ISM requirements for event logging and auditing.

ISM Chapter: Secure Administration
  Secure Administration: Effective
  Statement on Control Effectiveness: Foresight found that the reviewed security controls for secure administration are considered effective.

ISM Chapter: Network Security
  Network Management, Design and Configuration: Effective
  Statement on Control Effectiveness: The network management and configuration mechanisms are considered effective security controls for the transmission and handling of UNCLASSIFIED (DLM) data.
  Ensuring Service Continuity: Effective
  Statement on Control Effectiveness: The DDoS controls in place are considered operationally effective and meet the service continuity compliance requirements of the ISM.
  Intrusion Detection and Prevention: Effective
  Statement on Control Effectiveness: The intrusion detection mechanisms within Office 365 are considered effective security controls for detecting malicious or unusual activities within a cloud environment and meet the intent of the controls contained within the ISM.

ISM Chapter: Cryptography
  Cryptographic Security: Effective
  Statement on Control Effectiveness: The cryptographic functions used within Office 365 are considered to be effective security controls.

ISM Chapter: Cross Domain Security
  Cross Domain Security: Effective
  Statement on Control Effectiveness: The firewalling capability implemented within Office 365 is considered effective for the protection of UNCLASSIFIED (DLM) information.

ISM Chapter: Data Transfers
  Data Transfers: Effective
  Statement on Control Effectiveness: The security mechanisms in place for data transfer meet the intent of the ISM and are considered effective security controls for the transfer of UNCLASSIFIED (DLM) information.
