
Configuring Compliance Rules in Microsoft Teams

Published on Oct 22, 2018

Moving your data and applications to the cloud is one thing. Maintaining compliance while you do it is something else altogether, and many SMBs and organizations see it as a deterrent. So what do you have to do to comply with regional or international regulations if you upgrade from Skype for Business to Microsoft Teams, a cloud-based solution that introduces advanced workplace communication and collaboration capabilities?

Compliance Frameworks Available in Teams

Powered by the Office 365 cloud infrastructure, Teams supports several compliance frameworks. It makes it possible for organizations to move their applications to the cloud without breaching applicable data security, privacy, and integrity regulations.

Is Microsoft Teams HIPAA Compliant?

Fortunately, yes. HIPAA is one of the several tier C frameworks the platform supports by default. While it’s your responsibility to classify the data, Microsoft provides the tools you need to comply and ensure the security of any protected health information you’re sharing, storing, or sending over the cloud.

Is Microsoft Teams SSAE Compliant?

Another supported standard is the SSAE 18. It defines the rules for assessing the internal controls of a service organization, such as a SaaS provider. An independent service auditor conducts the attestation, after which they may produce a SOC1 report, verifying the accuracy and adequacy of the described financial controls. On the other hand, a SOC2 report covers a service organization’s controls for data/information security and confidentiality, availability, and processing integrity.

ISO 27001 and ISO 27018 Standards

Leveraging the Office 365 enterprise-grade cloud requires conformity to the ISO 27001 and ISO 27018 standards. Microsoft Teams supports the two frameworks, which provide several assurances, including visibility into customers’ data to facilitate compliance with all relevant information security regulations. The standards also govern the handling of customer data for purposes like marketing. They dictate the protection of personally identifiable information (PII) too.

Is Microsoft Teams NIST Compliant?

The answer lies between yes and no. That’s because the underlying Office 365 cloud infrastructure doesn’t provide full built-in support for some of the standards NIST developed. For example, you may need to partner with a managed services or SaaS provider to make Teams compliant with the NIST 800-171 standard.

Is Microsoft Teams FINRA Compliant?

If you’re a broker-dealer, you may be wondering whether Microsoft Teams is FINRA compliant. Through the Office 365 Security and Compliance Center, your Teams administrators may set and enforce information retention policies in compliance with the supervisory regulation FINRA 3110. Using the platform’s “preservation” feature, admins can specify how long Teams chat and channel data remains available. The data can remain available for scrutiny even after employees have deleted it on their devices. Deletion policies enable organizations to minimize liability by getting rid of specific correspondence after a particular time period, automatically or manually.

Other Frameworks

Other frameworks available in Teams are EU Model Clauses and US and EU customer data residency regulations.

Performing a Compliance Audit in Teams


The Office 365 Security and Compliance Center lets you track and audit Microsoft Teams use by administrators and other employees. On the Audit log search page, you can switch the capability on by clicking “Start recording user and admin activity”. The audit log tracks user and admin activity for the duration of your subscription plan. For example, Office 365 E3 stores events performed in the past 90 days. You may also automate the download of system activity reports via the platform’s Management Activity API.

If a user adds a chatbot or channel to a team, an audit log search can reveal who did it and when. It can also tell who added a connector or tab to a channel. If a user removes or modifies these items, the system logs their activity too.

Likewise, you can monitor changes to organization settings, for example, the disabling/enabling of Microsoft Teams or of the capacity to schedule private or channel meetings, video conferencing, or screen sharing. There’s also an audit trail for the assignment of team member roles.

Searching

To search user/admin activity in Teams, log in to your Office 365 account (Microsoft recommends that you use a private browsing session). Go to the Security & Compliance Center, and locate the Search & investigation link to the left. Next, click “Audit log search”. You may look up information based on specific activities, users, timeframes, folders, web pages, or files. Just supply the relevant parameters on the Audit log search page that comes up.

The search results feature a maximum of 5000 of the latest events, although the system displays only 150 per pane. The information for each event includes the date and time, the IP address of the user device, and the user/admin responsible. It also reveals the object, such as a team channel, and the activity the user performed on the object, for example, deletion or renaming.
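The following added example (not part of the original post) shows how audit records downloaded through the Management Activity API could be reduced to the who/when/IP/object view described above. The field and operation names are assumptions modeled on the Teams audit schema, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Operation names assumed from the Teams audit schema; verify against your export.
CATEGORIES = {
    "BotAddedToTeam": "bot", "BotRemovedFromTeam": "bot",
    "ChannelAdded": "channel", "ChannelDeleted": "channel",
    "ConnectorAdded": "connector", "ConnectorRemoved": "connector",
    "TabAdded": "tab", "TabRemoved": "tab",
    "MemberRoleChanged": "role",
    "TeamsTenantSettingChanged": "org-setting",
}

# Constructed sample records (not real tenant data), shaped like an audit content blob.
SAMPLE_BLOB = json.dumps([
    {"CreationTime": "2018-10-20T14:03:11", "Operation": "BotAddedToTeam", "Workload": "MicrosoftTeams",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "TeamName": "Finance"},
    {"CreationTime": "2018-10-20T09:15:00", "Operation": "TabRemoved", "Workload": "MicrosoftTeams",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.7", "TeamName": "Finance", "ChannelName": "Audits"},
    {"CreationTime": "2018-10-21T08:00:00", "Operation": "TeamsTenantSettingChanged",
     "Workload": "MicrosoftTeams", "UserId": "admin@example.com"},
    {"CreationTime": "2018-10-20T10:00:00", "Operation": "FileAccessed", "Workload": "SharePoint",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2018-10-20T16:30:00", "Operation": "MemberRoleChanged", "Workload": "MicrosoftTeams",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "TeamName": "Finance"},
])

def triage(blob):
    """Return Teams change events as who/when/ip/object rows, oldest first."""
    rows = []
    for rec in json.loads(blob):
        category = CATEGORIES.get(rec.get("Operation"))
        if rec.get("Workload") != "MicrosoftTeams" or category is None:
            continue  # other workloads and non-change operations are out of scope
        rows.append({
            "when": rec.get("CreationTime", ""),
            "who": rec.get("UserId", "unknown"),
            "ip": rec.get("ClientIP") or "unknown",  # some records carry no client IP
            "category": category,
            "activity": rec["Operation"],
            "object": rec.get("ChannelName") or rec.get("TeamName") or "(organization)",
        })
    return sorted(rows, key=lambda r: r["when"])  # ISO 8601 strings sort chronologically

def changes_by_actor(rows):
    """Group change categories per user so reviewers can see who altered what."""
    actors = defaultdict(list)
    for r in rows:
        actors[r["who"]].append(r["category"])
    return dict(actors)

if __name__ == "__main__":
    for r in triage(SAMPLE_BLOB):
        print(r["when"], r["who"], r["ip"], r["activity"], r["object"])
```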

Setting Up Compliance Reports and Insights for Teams

You can extract actionable, in-depth intelligence for Microsoft Teams via the Office 365 Security & Compliance Center. The system delivers smart reports and insights that uncover system attacks and suspicious activities, such as unsuccessful logins. For example, by clicking Threat Management, and then Dashboard, you can track detected threats. The Insights section reveals suspicious domains. It answers questions like, who are your organization’s most targeted users, and what are the sources of potentially malicious email messaging? After reviewing each questionable domain, you may block it or add it to the safe senders’ list.

The reports dashboard provides intelligence on the system and email security as well as data loss prevention. For instance, you may access the threat protection status report and track all malware. This capability comes from Advanced Threat Protection. Accompanying these insights are practical recommendations, such as reviewing your anti-spam or anti-malware controls and protocols.

It’s also possible to drill down from security analytics to specifics, such as via the “top insights & recommendations” link on the reports dashboard. This generates a list of items, including the users most vulnerable to breach incidents. You may click on an item to extract additional details and security recommendations.

Are your company’s Microsoft Teams users complying with your content labeling and record tagging protocols? The data governance report can answer that question. Just like the other analytics, this information is available via the Office 365 Security & Compliance Center.

Learn More About Microsoft Teams Compliance Regulations

Stringent regulations shouldn’t deter you from upgrading to Microsoft Teams to leverage its advanced communication and collaboration capabilities. At Agile IT, we’ve moved over 1,000,000 users to the cloud, including organizations in finance, health, biotech, and the government.

Need help navigating the compliance tools available in your Microsoft platforms, including Teams and Azure? Schedule a call with us!

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.
