Learn how Microsoft safeguards customer data

Upon completion of this module, you should be able to:

• Describe Microsoft 365’s core services.
• List the elements of the Microsoft Policy Framework.
• Describe the Microsoft Security Policy and related standards, requirements, and procedures.
• Explain how the Microsoft 365 Information Security Policy implements the Microsoft Security and Standards Program.
• List Microsoft personnel requirements and practices.

Upon completion of this module, you should be able to:

• Explain how the Microsoft Enterprise Risk Management (ERM) program provides a consistent approach to enterprise risk across Microsoft.
• Describe how Microsoft 365 manages risk.
• Explain how Microsoft 365 Trust identifies risks using a variety of inputs.
• Describe how Microsoft 365 Trust analyzes and categorizes risk using impact, likelihood, and mitigating controls.
• Explain how Microsoft 365 Trust coordinates with service teams to mitigate, monitor, and report on ongoing risks in Microsoft 365 environments.

Upon completion of this module, you should be able to:

• Describe the high-level architecture of Microsoft 365 services and dependencies.
• List the security principles built into Microsoft 365 architecture.
• Explain how Microsoft 365 implements network, service, and tenant isolation.
• Explain how Microsoft 365 protects its infrastructure from DDoS attacks.
• Describe how Microsoft 365 maintains service, data, and network resiliency.
• Explain how Microsoft 365 performs architecture validation to verify the security posture of Microsoft 365 services.

Upon completion of this module, you should be able to:

• Describe Microsoft’s Assume Breach Strategy and Defense-in-Depth approach to security.
• Explain how Microsoft defines a Security Incident, the federated model that Microsoft uses for Security Incident Response across the organization, and how customers and Microsoft share responsibility for security in the cloud.
• Describe how Microsoft prepares to deal with security issues through training, testing, and knowledge sharing.
• Describe how the Security Incident Response team detects and analyzes potential security issues.
• Describe how issues are contained, eradicated, and how recovery is handled.
• Describe how Microsoft incorporates lessons from security incidents into our processes and procedures.
• Explain how and when Microsoft will notify your organization in the event a Security Incident affects your tenant.

Upon completion of this module, you should be able to:

• List two different types of accounts managed by Microsoft.
• Name the tools and technologies used to control access within Microsoft 365 environments.
• Explain mandatory prerequisites for granting service team accounts.
• Describe Microsoft 365 service teams’ privileged access management process.
• Explain the process for using Microsoft 365 Customer Lockbox.

Upon completion of this module, you should be able to:

• Explain how Microsoft 365 standardizes log data collection.
• Describe how Microsoft 365 aggregates and protects log data in centralized processing and storage services.
• List Microsoft 365’s retention policies for log data.
• Explain how Microsoft 365 analyzes log data to support security monitoring and service health monitoring.

Upon completion of this module, you should be able to:

• Describe Microsoft’s Assume Breach strategy in the context of vulnerability management and security monitoring.
• Explain machine state scanning and the components of PAVC in Microsoft 365.
• Describe how Microsoft 365 proactively patches its systems.
• List how Microsoft 365 anti-malware tools detect and prevent malware execution.
• Explain how Microsoft 365 detects and remediates vulnerabilities and security misconfigurations.
• Describe how Microsoft 365 uses security monitoring to detect and respond to attacks at scale.
• List the attack simulation and penetration testing activities used to validate the security posture of Microsoft 365.

Upon completion of this module, you should be able to:

• Explain how Microsoft 365 services are engineered for resiliency, including strategies such as Active/Active service design, fault isolation, and reduced blast radius.
• Describe the teams involved in the Microsoft Enterprise Business Continuity Management (EBCM) program.
• Explain Microsoft’s Business Continuity Management (BCM) lifecycle, including ongoing assessment, planning, and capability validation.
• List how often Business Continuity Plans (BCP) must be reviewed, updated, and tested.
• Explain the test methodology Microsoft uses for BCP Capability Validation.
• Describe how Microsoft 365 Services monitor availability and allocate resources using capacity planning.

Upon completion of this module, you should be able to:

• List the phases of Microsoft’s SDL process.
• Describe the training requirements for all members of Microsoft development teams.
• Explain how Microsoft development teams practice security and privacy by design.
• List the automated tools Microsoft uses to find and remediate software vulnerabilities.
• Explain how Microsoft enforces and tests operational security requirements using ongoing penetration testing.
• Describe security and privacy review requirements for code approval and release.
• Explain how Microsoft uses Component Governance (CG) to manage open source software.

Upon completion of this module, you should be able to:

• Explain how encryption mitigates the risk of unauthorized data disclosure.
• Describe Microsoft data-at-rest and data-in-transit encryption solutions.
• Explain how Microsoft 365 implements service encryption to protect customer data at the application layer.
• Understand the differences between Microsoft managed keys and customer managed keys for use with service encryption.

Upon completion of this module, you should be able to:

• Explain Microsoft’s six principles for protecting privacy.
• List key privacy roles and categories of data processed by Microsoft.
• Explain how Microsoft uses Defense-in-Depth to protect data throughout its lifecycle.
• Describe Microsoft’s data collection practices, including privacy notices, data handling, and compliance with international data transfers.
• List examples of how Microsoft processes data to provide online services.
• Explain how Microsoft restricts data transfer to third parties and provides appropriate customer notification.
• Describe Microsoft 365 data residency and retention capabilities.
• Explain how Microsoft destroys data when a subscription expires or is terminated.
• Describe Microsoft practices for supporting a customer’s compliance with GDPR Data Subject Requests and Data Protection Impact Assessments.

Upon completion of this module, you should be able to:

• Explain how the Supplier Security and Privacy Assurance (SSPA) program helps Microsoft online services protect customer data and personal data.
• List the types of subprocessors utilized by Microsoft and the access controls employed by each type.
• Describe how Microsoft 365’s additional subprocessor requirements limit the number of approved subprocessors and provides notice to customers when new subprocessors are approved.
• List subprocessor onboarding and ongoing subprocessor verification requirements required by the SSPA program.
• Describe Microsoft commitments to protecting customer data and personal data when a supplier contract ends.

Upon completion of this module, you should be able to:

• Describe how the architecture of Microsoft datacenters contributes to resilience and availability.
• Explain how Microsoft uses Threat, Vulnerability, and Risk Assessments (TVRA) to analyze datacenter risk.
• Describe how Microsoft implements environmental safeguards to protect both Microsoft datacenters and the environment.
• Explain how Microsoft uses Defense-In-Depth to physically secure Microsoft datacenters.
• Describe how Microsoft protects and tracks physical and virtual assets in Microsoft datacenters.
• Explain how Microsoft protects data stored on data bearing devices.
• Describe how datacenter business continuity, disaster recovery, and resilience strategies protect the availability of Microsoft datacenters.