(Updated July 5, 2015)
We advise organizations concerned with stringent regulatory requirements to consider SharePoint Online, a highly secure option with a large number of compliance features and certifications. Formotus mobile solutions can connect to any kind of SharePoint including SharePoint Online, which is available by subscription as part of Microsoft Office 365.
We recommend Office 365 Enterprise E3 to our customers because it includes InfoPath Designer and InfoPath Forms Services along with full-featured SharePoint Online.
Top 10 compliance standards of Office 365
Source: Microsoft Trust Center
1. Health Insurance Portability and Accountability Act (HIPAA): HIPAA imposes security, privacy, and reporting requirements regarding the processing of electronic protected health information on our customers that may be “covered entities” under the law. Microsoft developed Office 365 to provide physical, administrative, and technical safeguards to help our customers comply with HIPAA. We will sign a HIPAA Business Associate Agreement (BAA) with any customer.
2. Data processing agreements (DPAs): We provide customers with additional contractual assurances through DPAs regarding Microsoft’s handling and safeguarding of customer data. By signing DPAs, we commit to over 40 specific security commitments collected from regulations worldwide. (Enterprise Agreement customers should contact their account representative to obtain a DPA.)
3. Federal Information Security Management Act (FISMA) and FedRAMP: FISMA requires U.S. federal agencies to develop, document, and implement controls to secure their information and information systems. The Federal Risk and Authorization Management Program (FedRAMP) is a federal risk management program that provides a standardized approach for assessing and monitoring the security of cloud products and services.
4. ISO 27001: ISO 27001 is one of the best security benchmarks available in the world. Office 365 has been verified to meet the rigorous set of physical, logical, process, and management controls defined by ISO 27001:2013. The most recent audit also covered the ISO 27018 privacy controls. Including these new ISO 27018 controls in the ISO assessment further helps Office 365 demonstrate to customers the level of protection it provides for the privacy of customer data.
5. European Union (EU) Model Clauses: The EU Data Protection Directive, a key instrument of EU privacy and human rights law, requires our customers in the EU to legitimize the transfer of personal data outside of the EU. The EU model clauses are recognized as a preferred method for legitimizing the transfer of personal data outside the EU for cloud computing environments. Offering the EU model clauses involves investing in and building the operational controls and processes required to meet their exacting requirements. Unless a cloud service provider is willing to agree to the EU model clauses, a customer might lack confidence that it can comply with the EU Data Protection Directive’s requirements for the transfer of personal data from the EU to jurisdictions that do not provide “adequate protection” for personal data. The EU model clauses FAQ describes the Microsoft regulator-endorsed approach to the EU model clauses.
6. U.S.–EU Safe Harbor framework: The U.S.–EU Safe Harbor framework also enables customers to legally transfer personal data outside of the EU under the EU Data Protection Directive. Office 365 follows the principles and processes stipulated by the U.S.–EU Safe Harbor framework.
7. Family Educational Rights and Privacy Act (FERPA): FERPA imposes requirements on U.S. educational organizations regarding the use or disclosure of student education records, including email and attachments. Microsoft agrees to the use and disclosure restrictions imposed by FERPA that limit our use of student education records, including agreeing not to scan emails or documents for advertising purposes.
8. Statement on Standards for Attestation Engagements No. 16 (SSAE 16): Office 365 has been audited by independent third parties and can provide SSAE 16 SOC 1 Type I and Type II and SOC 2 Type II reports on how the service implements controls.
9. Canadian Personal Information Protection and Electronic Documents Act (PIPEDA): The Canadian Personal Information Protection and Electronic Documents Act pertains to how private sector organizations collect, use, and disclose personal information in the course of commercial business. Microsoft supports compliance with PIPEDA through our administration of Office 365.
10. Gramm–Leach–Bliley Act (GLBA): The Gramm–Leach–Bliley Act requires financial institutions to put processes in place to protect their clients’ nonpublic personal information. GLBA enforces policies to protect information from foreseeable threats in security and data integrity. Customers subject to GLBA can use Office 365 and comply with GLBA requirements.