Supporting your risk management strategy for the cloud

06 February 2014 | Leslie Sistla, Director, Technology Strategy, Worldwide Health Industry

When we talk with health organizations about security and data privacy for the Microsoft cloud services they’re using or plan to implement, we find that the conversation most often starts with the chief security officer and his or her team. Their primary concern is risk management. And many of them use a risk management approach similar to the one recommended by authoritative bodies such as the National Institute of Standards and Technology (NIST).

This means their risk management strategy usually involves an ongoing cycle of steps, including categorizing information systems; then selecting, implementing, and assessing security controls; and finally, authorizing information systems and monitoring the security controls.

At Microsoft, our approach to security and compliance supports these typical risk management steps. As a provider of global cloud services, we run our services with operational practices and features that are universal and can align with our customers’ risk management needs in various geographies and jurisdictions. Further, we maintain on our cloud infrastructure—which includes Office 365, Microsoft Dynamics CRM Online, and Windows Azure—the certifications and attestations from third parties to provide our customers with the confidence that the appropriate security controls are in place.

In other words, we take our role as a trusted data steward very seriously. We’re involved with health industry standards groups around the world and stay up-to-date with today’s ever-evolving regulations. For example, our services are verified to meet requirements specified in ISO 27001, EU model clauses, HIPAA BAA, and FISMA. And our data processing agreement details privacy, security, and handling of customer data, which helps our customers comply with local regulations.

We have several resources where you can learn more about how Microsoft cloud services can support your health organization’s risk management strategy and the specific security controls we have in place:

These sites provide a tremendous amount of information about what Microsoft does to earn its cloud customers’ trust.

Microsoft has been involved in trustworthy computing since 2002, and our efforts continue to evolve based on the needs of our customers. As such, customer feedback is a big part of the process, so please share yours by sending us an email or connecting with us on Facebook and Twitter. We look forward to hearing from you.

Leslie Sistla
Director, Technology Strategy, Worldwide Health Industry