Protecting your data is the top priority for Microsoft Professional Services.
Microsoft Professional Services brings together a diverse team of dedicated technical architects, engineers, consultants, and support professionals who deliver proactive advisory services and rapid response to unplanned events. Our teams provide a managed customer experience tailored to each customer’s unique IT environment so you can get hands-on, tailored assistance and strategic advice when you need it.
Security is built into Microsoft Professional Services and is designed to help give you the protection you expect. Innovative and effective security controls and careful handling of your data are fundamental to every process at every layer. Continuous monitoring, penetration testing, and the strict application of modern security controls—as well as robust operational processes—help make Microsoft Professional Services more resilient and resistant to attack.
Identity is fundamental to security. Microsoft Professional Services uses stringent identity management and access control to restrict access to data and systems. Our case management system may be accessed only by individuals who are supporting customers, such as agents, support engineers, and their supervisors.
Identity-based access controls
Microsoft Professional Services conducts user access reviews on an ongoing basis. Our password controls enforce complexity, periodic rotation, and suspension when specified periods of user inactivity are detected. We restrict data and system access to individuals who have a genuine business need based on the principle of least privilege. Employees and contingent staff who have access to support and consulting data, or who are in a role that could impact customer information, have privacy and security requirements embedded in their roles and responsibilities.
Security policies set the standards and define procedures for network and data protection. The Microsoft Professional Services organization adheres to the Microsoft Security Policy and ensures compliance with industry standards by maintaining a framework of more than 150 modern security controls. The Microsoft Security Policy is driven by 19 standards specific to the Professional Services organization covering areas such as access control, data handling, privacy, and business continuity.
Auditing and logging
Microsoft Professional Services takes a risk-based approach to system logging and auditing. We assess and implement a baseline set of log requirements during the system development process. Systems that present a moderate or high risk, as assessed according to sensitivity, volume, and other criteria, have data access and alteration logged. Logs generated for each system must enable the detection of security incidents if they have occurred or are in progress and must also enable investigators to have sufficient information to fully understand the events, activities, and circumstances around a security incident.
Microsoft Professional Services stores data in a network of datacenters run by Microsoft Azure Global Infrastructure. These datacenters are designed, built, and managed based on a defense in depth strategy that includes rigorous physical security to protect services and data from natural disasters and unauthorized access.
Secure apps and data
Microsoft employees are required to sign agreements that commit them to confidentiality regarding support and consulting data. Internal tools contain data protection notices to remind employees and data handlers of their responsibility for any sensitive data that the tool may contain. Microsoft holds all third parties, including contractors and subcontractors, to the same security standards as full-time employees. Subcontractors who work in facilities or on equipment controlled by Microsoft must follow Microsoft’s data protection standards. All other subcontractors must follow equivalent data protection standards. Microsoft subcontractor agreements are designed to ensure the safeguarding of customer information, including regular monitoring of the subcontractors’ work.
Encryption and rights management
Technological safeguards, such as encryption, enhance the security of support and consulting data. For data in transit, Microsoft Professional Services uses industry-standard encrypted transport protocols between user devices and Microsoft datacenters as well as within the datacenters themselves.
Microsoft Professional Services develops requirements and designs systems that prevent personnel with authorized access to support and consulting data from using it for purposes beyond those identified for their roles. Systems have limited export functionality and often employ field-level security (for example, a system may not display data fields that are not relevant to an individual’s role, even though the individual has authorized access to the system). These controls also help prevent support and consulting data from being read, copied, altered, or removed without authorization.
Incident response is an important element in a data security strategy. Microsoft Professional Services employs a robust process to facilitate coordinated incident response. This process includes the identification, containment, eradication, recovery, lessons learned, and timely communication of incidents. Upon discovery of a security incident, Microsoft uses its incident response process, including forensic investigation, to track exactly what happened, learn what data was accessed, who accessed it, and when.