Updated Office 365 security and compliance guidance for the UK public sector

By Stuart Aston, National Security Officer, Microsoft UK

14/04/2021

In 2019, we worked alongside the GDS and the National Cyber Security Centre (NCSC) to release Office 365 security and compliance guidance for our UK Public Sector customers. Today, we’re pleased to release our updated version for use at OFFICIAL. This updated guidance reflects the current threats, experiences with forensic investigations and the technology changes from the release of the original document. Our services team continued to work in close collaboration with the NCSC and Cabinet Office to ensure that it appropriately manages government’s risks, as well as those organisations in the defence, critical infrastructure spaces and their supply chains.

Updated Office 365 security and compliance guidance

[msce_cta layout=”link_only” align=”left” linktype=”blue” linkurl=”https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWBft1″ linkscreenreadertext=”Download the updated guidance” linktext=”Download the updated guidance” ][/msce_cta]

As with the previous versions, we have taken the approach of Good, Better and Best. This also reflects in the more recent Bring You Own Device guidance for OFFICIAL. In addition, it includes specific guidance for Privileged Administration as a foundational layer that all organisations need to adopt to adequately manage their risks. Our updated guidance includes on premises environments. Additionally, it includes more complex hybrid environments, including where IT organisations manage and support the workloads and infrastructure they are hosted on.

Each of the Good, Better, and Best sections contains guidance for the following areas:

Identity: Recommended controls describing how to secure the identities that are used to authenticate against Office 365 services.
Office 365 Service Configuration: Recommended controls for Office 365 environment that describe specific settings to secure the service thus raising the security posture of the organisation’s Office 365 tenant.

For most central government organisations, and providers of essential services, we anticipate that you would need to adopt the tools and techniques of Better. This means you can sufficiently match technical controls to your desired security posture.

Updated Office 365 security and compliance guidance

This guidance will help the reader understand why the specific security controls are recommended. It also provides links to configuration guidance. This will allow organisations to understand how the features and capabilities in Office 365 can be used to ensure a common bar has been achieved for their Office 365 tenant.

This represents a significant update to the previously available material. We would strongly recommend that all organisations adopt the latest version of the guidance at the earliest possible opportunity.

[msce_cta layout=”image_center” align=”center” linktype=”blue” imageurl=”https://www.microsoft.com/en-us/industry/blog/wp-content/uploads/sites/22/2021/03/WIN20_PRO_RemoteWorking_014-1-scaled.jpeg” linkurl=”https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWBft1″ linkscreenreadertext=”Download the updated guidance” linktext=”Download the updated guidance” imageid=”47744″ ][/msce_cta]