Compliance and Microsoft Hosted Services

All organizations must comply with some set of laws, regulations, and industry standards. Using Microsoft’s hosted services, including Office 365 and Azure, can trigger changes in an organization’s policies and procedures for complying with government and nongovernment regulations and standards. Many organizations would like to adopt Microsoft-hosted services to reduce capital spending and get other benefits, but they fear doing so will complicate compliance with their applicable regulations and standards. Although Microsoft tests the compliance of its services against various regulations and standards to prove that compliance is possible, its hosted-services customers still bear overall responsibility for ensuring compliance.

Regulations and Standards

Each organization’s business purpose will define the set of laws, regulations, and standards it must comply with. For example, many U.S. organizations must conform to regulations stemming from the 1996 Health Insurance Portability and Accountability Act (HIPAA) and the subsequent 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. These regulations apply to organizations (called “covered entities”) with personally identifiable health information and organizations (called “business associates”) that process health information for covered entities. An example of an industry standard is the Payment Card Industry (PCI) Data Security Standard (DSS), which defines security standards that apply to organizations storing, processing, or transmitting payment and cardholder data for any of the five major credit card brands.