Office 365 Security Assessment Delivery Guide

© 2017 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. Office 365 customers and partners may copy, use and share these materials for planning, deployment and operation of Office 365 features.

Table of Contents

Introduction

Version History

Audience

Feedback

Engagement Overview

Objective

Recommended Skills and Experience

Timeline

Engagement Requirements

Deliverables

Office 365 Security Assessment Engagement Preparation

Preparation for the Kick-off Meeting

Preparation for the Readiness Presentations

Preparation for Day One of the On-site Workshops

Preparation for Day Two of the On-site Workshops

Delivering the Office 365 Security Assessment

General Delivery Tips

Kick-off Meeting

Day One of the On-site Workshops

On-site Engagement Overview

Office 365 Security Technical Readiness Presentation

Office 365 Security Overview

Customer Security Strategy

Review Security Questionnaire

Office 365 Secure Score Overview

Day one wrap up and Q&A

Day Two of the On-site Workshops

Day Two Briefing

Secure Score Recommendations / Discussion

Office 365 Security Roadmap Workshop

Project close-out and Next steps

Example Schedule

Day One

Day Two

Office 365 Security Assessment Assets

Engagement Tools

Office 365 Secure Score

Instructions on how to export the Secure Score data

Import the Secure Score data into the Office 365 Assessment-Remediation Checklist Tool

Office 365 Advanced Security Management

Remediation Checklist Tool

Appendix

Readiness Content

General

Readiness Presentations

Introduction

This document contains the delivery guidance for the Office 365 Security Assessment offering. The Office 365 Security Assessment is a structured engagement which uses the Office 365 Secure Score tool to evaluate and prioritize the Office 365 tenant security settings of an organization. The Office 365 Security Assessment offering has been designed to help you as a partner create and present a customized, prioritized and actionable roadmap to your customers, based on the recommendations from the Office 365 Secure Score tool.

The purpose of this document is to provide guidance on how to deliver the Office 365 Security Assessment, including details about the artefacts included within the offering.

Important! The Office 365 Security Assessment offering should be considered as an example of how to conduct an Office 365 Security Assessment using Secure Score. The artefacts within the Office 365 assessment must be customized so that the engagement is aligned to your organization’s own value proposition, workflows, delivery methodologies, related work streams and offerings. The outcome of the Office 365 Security Assessment is intended to assist with the development of a roadmap of actionable customer recommendations, which can be used to drive additional project-based work or to inform a repeatable lifecycle of security management tasks within a managed service offering.

The Secure Score is a numerical summary of your security posture within Office 365 based on system configurations, user behaviour and other security related measurements; it is not an absolute measurement of how likely your system or data will be breached; rather, it represents the extent to which you have adopted security controls available in Office 365 which can help offset the risk of being breached. No online service is completely immune from security breaches; the Secure Score should not be interpreted as a guarantee against security breach in any manner.

Version History

Table 1 – Summary of Changes

Version / Changes / Date
1.0 / Initial Release / 12-Apr-2017

Audience

The document is intended to be used by the partner and should not be distributed to the customer.

Feedback

The artefacts within this offering will be iteratively improved based on product releases as well as direct feedback from delivered engagements. To provide feedback, use the feedback process available through the following web site:

Engagement Overview

The following table provides an overview of the information categories included as part of delivering the Office 365 Security Assessment:

Category / Description
Timeline / Milestone One: up to two-hour pre-engagement kick-off meeting. Milestone Two: two days of on-site workshops
Time and material / Estimated 24-hour engagement using the example schedule (expenses should be added)
Target customers / Customers who have already decided to adopt the cloud and Office 365 and have an Office 365 tenant already in place
Partner resource requirements / Security Consultant/Architect; Project or Engagement Manager
Customer resource requirements / CSO/CISO, CEO/CFO, CIO/CTO, Enterprise/Security Architects, Security Operations
Engagement scope / The standard scope of the engagement is:
  • Gain a mutual understanding of cloud security objectives and requirements
  • Provide guidance, recommendations and best practices on how to successfully implement Office 365 security features
  • Provide a prioritized and actionable Office 365 security roadmap, mapping Office 365 security capabilities to customer security objectives and requirements
Engagement deliverables / The deliverables of the engagement are:
  • Kick-off Presentation: an overview of the engagement covering vision and objectives, requirements, and next steps and actions
  • Pre-Assessment Questionnaire: a questionnaire covering cloud usage/adoption, security requirements and objectives, regulations and frameworks
  • Recommendations and Roadmap Report: a presentation containing a prioritized list of Office 365 security recommendations based on Office 365 Secure Score

Objective

The engagement has the following objectives:

Recommended Skills and Experience

The following table describes the recommended skill set and experience for the resources delivering the Office 365 Security Assessment IP:

Role / Recommended resource skill sets
Delivery Management (Project/Engagement Manager) /
  • Basic understanding of cybersecurity
  • Basic understanding of Office 365
  • Experience managing security engagements
Security Resource (Security Architect/Consultant) /
  • Strong cybersecurity background and knowledge
  • Good understanding of Office 365 and the security components of Office 365
  • Prior design and implementation experience of the Office 365 Advanced Security products, including:
      • Exchange Online Protection
      • Exchange Advanced Threat Protection
      • Advanced Security Management
      • Threat Intelligence
      • Advanced Data Governance
      • Azure Active Directory and multifactor authentication for Office 365

Timeline

The Office 365 Security Assessment typically consists of an up to two-hour remote kick-off meeting followed by the 2-day on-site assessment workshops, as per the following suggested engagement timeline:

Engagement Requirements

This engagement requires that the customer has already acquired a production Office 365 tenant. Scheduling an initial assessment before moving production users and data into the Office 365 tenant is recommended, if possible, for the following reason: completing an initial assessment would ensure that the Office 365 tenant has the customer’s required security configuration before users and data are added. Doing so may reduce the risk of a breach, because the security controls indicated by the Microsoft Secure Score results are implemented before the tenant holds production data. Additional assessments should be proposed within a lifecycle of managed security services and scheduled to run on a continuous basis, to ensure that the Office 365 tenant is meeting the customer’s desired security state and to catch any configuration drift.

The following Office 365 components are used as part of the engagement:

Component / Description / License Requirements
Office 365 Secure Score / The main tool used as part of the security assessment. Secure Score analyzes Office 365 security based on security settings across the tenant and assigns a score which can be tracked over time. The tool is used as part of the engagement to create a prioritized and actionable roadmap. / Office 365 Secure Score is available to organizations with an Office 365 commercial subscription who are in the multi-tenant and Office 365 U.S. Government Community clouds.
Office 365 Advanced Security Management / As an optional component, the assessment can use the Office 365 Advanced Security Management tool and its Discovery & Insights features to provide the customer with additional visibility into third-party SaaS application usage, also known as Shadow IT. Note that the customer must have a supported firewall or proxy device to import usage data into Advanced Security Management. If the customer does not have a supported device, we recommend using your own demo tenant to demonstrate the Advanced Security Management functionality. / The Office 365 Advanced Security Management tool is available in Office 365 Enterprise E5 or as an add-on subscription to Office 365. A 30-day trial can be used as part of this assessment.

Deliverables

The following deliverables are part of the Office 365 Security Assessment:

Deliverable / Description / Delivery Date
Kick-off Presentation / Overview of the engagement covering objectives, requirements, and next steps / Kick-off meeting
Pre-Assessment Questionnaire / A questionnaire on cloud usage/adoption, security requirements and objectives, regulations, and frameworks / After the kick-off presentation
Recommendations and Roadmap Report / A prioritized list of Office 365 security recommendations based on Office 365 Secure Score results / After the 2-day on-site workshops

Office 365 Security Assessment Engagement Preparation

This section includes additional details to allow the delivery resources to prepare for the engagement. It is important that all involved delivery resources go through this section in detail before delivering the engagement.

Preparation for the Kick-off Meeting

The kick-off meeting will brief the customer on the Office 365 Security Assessment and cover the engagement vision and objectives, an engagement overview, the required tools, and next steps and actions. To be prepared to deliver the kick-off meeting presentation, we recommend the following preparation tasks:

  • Prepare the kick-off meeting PowerPoint presentation
  • Review the content marked as “Example”, make modifications if required, and then remove the “Example” banner from the slides
  • Modify the engagement schedule
  • Modify the project governance section to match your project delivery methodologies
  • Review the kick-off meeting presentation content
  • Review and modify the Office 365 Security Assessment Questionnaire as required. This needs to be delivered to the customer after the kick-off meeting
  • Review any relevant Office 365 and/or security engagements that have previously been delivered to the customer
  • Confirm that all customer stakeholders will attend the meeting
  • Review the “Security Assessment using Office 365 Secure Score” recorded presentation available within the Readiness Content section

Preparation for the Readiness Presentations

The example schedule allows you to present three out of five readiness presentations that are part of the Office 365 Security Assessment IP. The questionnaire provides guidance on what topics the customer is interested in. Confirm the three readiness presentations as part of the kick-off meeting or during the first session in the 2-day on-site workshops.

The following Office 365 Advanced Security readiness presentations have been included as part of the Office 365 Advanced Security Assessment IP:

  • Protect customers against Spoof Phish Malware and Spam
  • Gain visibility and control with Office 365 Advanced Security Management
  • Protect Sensitive information with Office 365 Data Loss Prevention
  • Acquire insights into proactively protecting against advanced threats
  • Advanced Data Governance

The resource delivering the readiness presentations must have a good understanding of the readiness content and have prior design and implementation experience of the Office 365 Advanced Security products.

Recommended training content for the readiness presentations can be found in the Readiness Content section of the appendix of this document.

Preparation for Day One of the On-site Workshops

Day one of the on-site workshops focuses on establishing a mutual understanding of the Office 365 security capabilities, the customer’s security strategy and cybersecurity posture, and how the Office 365 Secure Score tool is leveraged as part of the assessment. To prepare to deliver the workshops during day one of the assessment, we recommend the following preparation tasks:

  • Review the completed customer questionnaire, and note missing answers and/or any items that you think need additional discussion during the Security Questionnaire Review workshop on day one
  • Review and customize the workshop content delivered during day one. The example schedule is available in the Example Schedule section within this document
  • Read and/or view the recommended training content within the Readiness Content appendix of this document
  • Use the remediation checklist tool to insert the security actions that the customer exported from Office 365 Secure Score

Preparation for Day Two of the On-site Workshops

Day two of the on-site workshops focuses on prioritizing security actions from the Office 365 Secure Score tool, additional technical readiness, and preparing the roadmap as part of the engagement close-out presentation. We suggest you perform the following pre-work to ensure a successful execution:

  • Review notes or actions captured during day one of the on-site workshops
  • Update project governance items as required
  • Review and customize the workshop content delivered during day two. The example schedule is available in the Example Schedule section within this document
  • Update the project close-out meeting to include your own security related offerings and services where appropriate. Align the outcome and deliverables to the recommendations from Office 365 Secure Score and consider a combination of individual engagements and managed services
  • Review the recommended training content within the Readiness Content appendix of this document

Delivering the Office 365 Security Assessment

The objective of the engagement is to present customers with a customized, prioritized and actionable roadmap based on the recommendations from Office 365 Secure Score. Propose follow-on engagements, including managed services, as part of the close-out presentation. For example, delivering on-going security assessments provides an opportunity to introduce the customer to a managed security service and ensures that the customer implements the recommendations from the security assessment.

This section includes guidance on delivering the various components of the Office 365 Security Assessment.

General Delivery Tips

  • Good security principles cover people, process and technology solutions. This specific engagement addresses Office 365 security technology solutions delivered as a project service; however, there is an opportunity to present the security roadmap as a lifecycle of managed services that your organization can deliver.
  • This engagement does not cover on-premises or hybrid scenarios. It specifically covers Office 365 and the security actions originating from the Office 365 Secure Score tool. It’s important to discuss the importance of end-to-end security, which includes securing any on-premises or hybrid infrastructure.
  • Implementation of all Office 365 Secure Score actions will not mean that the customer is completely secure. The goal of the engagement is to improve the security posture in Office 365.
  • There is no such thing as perfect security. Security is a continuous journey towards reducing risk and raising the complexity and cost of breach and compromise.
  • The engagement is based on the recommended security actions from Office 365 Secure Score. It is important that the technical readiness resources have good knowledge of how to use Office 365 Secure Score as well as a solid understanding of what each security action does and the impact it might have on the customer environment. Use the readiness content to learn about Office 365 Secure Score and make sure to analyze each security action in a lab environment.
  • During the workshops, you may increase customer value by incorporating specific information and scenarios that the customer has shown an interest in. For example, use the answers from the questionnaire to potentially expand into additional Office 365 products or specific functionality that the customer would like to implement or know more about.
  • The assessment will allow you access to customer stakeholders and technical resources. Make sure you use the time to establish yourself and your organization as trusted advisors for Office 365 security.

Kick-off Meeting

The project/engagement manager typically delivers the kick-off presentation and should provide an overall engagement overview, introduction to the team, engagement scope, and the project governance approach. The technical resources should join the kick-off presentation to support the project/engagement manager with some of the technical components of the kick-off meeting.

Day One of the On-site Workshops

This section contains guidance for each of the workshops delivered as part of day one of the Office 365 Security Assessment.

  • Make sure to capture notes during the day. Review the notes after the first day to modify the schedule and/or content for day two as necessary.

On-site Engagement Overview

The first session provides an overview of the 2-day on-site agenda, goals, and an opportunity to cover Q&A and project governance. It’s also recommended to finalise the three technical readiness presentations delivered during the on-site workshops.

  • Discuss and agree on the engagement success criteria. What does the customer expect to get out of the engagement?
  • Finalize the technical readiness presentations
  • Finalize the schedule for the on-site workshops
  • Discuss and agree on project governance items
  • Finalize workshop attendance for each workshop. It is critical to get the right audience to participate in each workshop

Office 365 Security Technical Readiness Presentation

This is the first technical readiness presentation time slot.

  • If possible, add value by weaving in related stories from your own experience with the product

Office 365 Security Overview

This session provides an overview of the approach Microsoft has taken to secure enterprise organisations in Office 365.

  • Add value by weaving in related stories from your own experience with the product if possible

Customer Security Strategy

This session allows the customer to present their goals and ambitions on their cloud security strategy.