Sample assessment for the tenant Mustermann GmbH
Extracts of the assessment of the tenant Mustermann GmbH
The tenant Mustermann GmbH uses services that send person-related data to the United States (USA). The risks of the features in use must be assessed, or the affected features and services must be partially disabled. Some of the services in use are not part of „Microsoft 365 Apps for Enterprise“ and are operated outside of Microsoft’s scope and control, so a risk assessment of these apps is necessary. A closer look at the services in use shows that the tenant Mustermann GmbH also uses „Azure Cognitive Services“, including „Speech-to-Text“, in Microsoft Teams. Mustermann GmbH regards these functions as critical.
The tenant Mustermann GmbH lacks sufficient licensing for important functions (information protection and information governance), including the encryption of person-related data in SharePoint Online, OneDrive and Exchange Online, and can only implement deletion concepts through complex manual (organizational) actions – functions such as „retention labels“ are not available in the tenant because the required licenses are missing.
- Encryption of sensitive information is not implemented properly.
- The tenant Mustermann GmbH could reduce the number of administrators and should take identity governance actions in Azure Active Directory (e.g., Azure Active Directory Privileged Identity Management).
- The tenant Mustermann GmbH has risks in handling third-party apps that are used (for example, through Graph API connections) – data protection impact assessments should be made, and third-party app permissions should be reviewed.
- The tenant Mustermann GmbH does not yet have a process for dealing with guest users and their access to sensitive information. Measures in the area of Azure Active Directory Identity Governance should be implemented (such as Access Reviews for Microsoft 365 guest users).
- The tenant Mustermann GmbH allows video recordings in Microsoft Teams meetings and should implement a deletion concept for recordings (e.g., via retention labels) in order to securely delete person-related data, or deactivate the function. Organizational actions could also be implemented to handle recordings in a legally compliant way.
- The tenant Mustermann GmbH uses some Built-In features (from Microsoft’s point of view, these are so-called „optionally connected services“, which are, however, activated in the default state of delivery of Microsoft 365) in Microsoft Teams, where person-related data is transferred to these third-party services in the United States. These functions can only be used with significant risk – deactivation should be considered, otherwise a data protection impact assessment would become necessary as a minimum. Details and information on how to deal with these services are provided to customers of PRW® Compliance Set: M365 in the review meeting.
- The tenant Mustermann GmbH has not yet adopted suitable actions to effectively detect threats regarding Microsoft 365, nor has it been able to take action due to a lack of knowledge of threats. For example, compromised identities are not detected and anomalies (such as unauthorized access to sensitive information) are not identified. Appropriate measures should be implemented to effectively detect threats. Details on how to implement effective threat management will be provided to PRW® Compliance Set: M365 customers in the review meeting.
The tenant Mustermann GmbH sends sensitive telemetry data from Microsoft Office to Microsoft servers in the United States, and partly also from the Windows 10 and Windows 11 operating systems in use. Data protection supervisory authorities require a regular audit of the data transfers to Microsoft. Representative samples of the data traffic leaving the user’s computer, or of the data streams from Microsoft software to Microsoft servers or other destinations, are to be identified and evaluated. A well-known data protection supervisory authority even states on its website:
„Where corresponding configuration options are not available, in order to prevent the transfer of personal telemetry data, it must be ensured by contractual, technical or organizational action (e.g., by filtering Internet requests via a suitable infrastructure of the responsible entity) that there is verifiably no transfer of telemetry data to Microsoft.“ (original text translated from German).
For the tenant Mustermann GmbH, it is necessary to verify the compliance of the operating systems and Microsoft Office products in use and to adopt additional actions that better prevent telemetry data transfers from Microsoft Office and Windows to Microsoft servers. Implementation actions are recommended as part of the review of results.
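One part of the compliance verification described above is checking whether the telemetry policies on the managed Windows and Office installations are actually set. The following PowerShell script is an added example and not part of the original assessment; it reads Microsoft's documented Windows DataCollection and Office privacy policy registry values and compares them with a restrictive baseline whose expected values are an assumption chosen here.

```powershell
# Added example, not part of the original assessment.
# Audits the documented Windows and Office policy values that control telemetry
# (diagnostic data) sent to Microsoft. The expected values form a restrictive
# baseline chosen here as an assumption; adjust them to the organisation's policy.

$Checks = @(
    [pscustomobject]@{
        Area = 'Windows'; Name = 'AllowTelemetry'; Expected = 0
        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
        Meaning = 'Windows diagnostic data: Security / Off (honoured on Enterprise and Education editions)'
    }
    [pscustomobject]@{
        Area = 'Office'; Name = 'sendtelemetry'; Expected = 3
        Path = 'HKCU:\Software\Policies\Microsoft\office\common\clienttelemetry'
        Meaning = 'Office diagnostic data: neither required nor optional data is sent'
    }
    [pscustomobject]@{
        Area = 'Office'; Name = 'controllerconnectedservicesenabled'; Expected = 2
        Path = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy'
        Meaning = 'Optional connected experiences disabled'
    }
    [pscustomobject]@{
        Area = 'Office'; Name = 'usercontentdisabled'; Expected = 2
        Path = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy'
        Meaning = 'Connected experiences that analyse user content disabled'
    }
)

function Test-TelemetryPolicy {
    param([Parameter(Mandatory)] [pscustomobject] $Check)

    # A missing value means no policy is set and the Microsoft default applies;
    # the audit reports this separately from an explicit deviation.
    $actual = $null
    if (Test-Path -Path $Check.Path) {
        $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($Check.Name) }
    }
    $status = if ($null -eq $actual) { 'NOT CONFIGURED' }
              elseif ([int]$actual -eq $Check.Expected) { 'OK' }
              else { 'DEVIATION' }

    [pscustomobject]@{
        Area = $Check.Area; Setting = $Check.Name; Path = $Check.Path
        Expected = $Check.Expected; Actual = $actual; Status = $status; Meaning = $Check.Meaning
    }
}

$results = $Checks | ForEach-Object { Test-TelemetryPolicy -Check $_ }
$results | Format-Table Area, Setting, Expected, Actual, Status -AutoSize
# A non-zero exit code lets a scheduled audit flag hosts that need attention.
if ($results | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

Run it as a saved .ps1 from a scheduled task or management tool so that the exit code is recorded; a configuration audit of this kind complements, but does not replace, the inspection of actual outbound traffic that the supervisory authority quoted above asks for.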