Professional Documents
Culture Documents
Assessment
Delivery Guide
Office 365 Security Assessment
Latest version: http://aka.ms/o365securityassessment
© 2017 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views
expressed in this document, including URL and other Internet Web site references, may change without notice.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product.
Office 365 customers and partners may copy, use and share these materials for planning, deployment and
operation of Office 365 features.
Document1 Page 1 of 34
Latest version: http://aka.ms/o365securityassessment
Table of Contents
Introduction .................................................................................................................................................................................. 4
Version History ....................................................................................................................................................................... 4
Audience ................................................................................................................................................................................... 4
Feedback ................................................................................................................................................................................... 4
Engagement Overview ............................................................................................................................................................. 5
Objective ................................................................................................................................................................................... 6
Recommended Skills and Experience ................................................................................................................................. 6
Timeline ..................................................................................................................................................................................... 7
Engagement Requirements................................................................................................................................................ 7
Deliverables .............................................................................................................................................................................. 8
Office 365 Security Assessment Engagement Preparation......................................................................................... 8
Preparation for the Kick-off Meeting ............................................................................................................................. 8
Preparation for the Readiness Presentations .............................................................................................................. 9
Preparation for Day One of the On-site Workshops ................................................................................................ 9
Preparation for Day Two of the On-site Workshops ............................................................................................. 10
Delivering the Office 365 Security Assessment............................................................................................................ 12
General Delivery Tips ......................................................................................................................................................... 12
Kick-off Meeting.................................................................................................................................................................. 12
Day One of the On-site Workshops............................................................................................................................. 13
On-site Engagement Overview ................................................................................................................................. 13
Office 365 Security Technical Readiness Presentation ......................................................................................... 13
Office 365 Security Overview ..................................................................................................................................... 13
Customer Security Strategy ........................................................................................................................................ 13
Review Security Questionnaire .................................................................................................................................. 13
Office 365 Secure Score Overview ........................................................................................................................... 13
Day one wrap up and Q&A ........................................................................................................................................ 14
Day Two of the On-site Workshops............................................................................................................................. 14
Day Two Briefing ............................................................................................................................................................ 14
Secure Score Recommendations / Discussion .................................................................................................... 14
Office 365 Security Roadmap Workshop .............................................................................................................. 14
Project close-out and Next steps ............................................................................................................................. 15
Example Schedule ................................................................................................................................................................... 16
Day One .................................................................................................................................................................................. 16
Day Two .................................................................................................................................................................................. 17
Document1 Page 2 of 34
Latest version: http://aka.ms/o365securityassessment
Document1 Page 3 of 34
Latest version: http://aka.ms/o365securityassessment
Introduction
This document contains the delivery guidance for the Office 365 Security Assessment offering. The
Office 365 Security Assessment is a structured engagement which uses the Office 365 Secure Score
tool to evaluate and prioritize Office 365 tenant security settings of an organization. The Office 365
Security Assessment offering has been designed to help you as a partner create and present a
customized, prioritized and actionable roadmap based on the recommendations from the Office 365
Secure Score tool to your customers.
The purpose of this document is to provide guidance on how to deliver the Office 365 Security
Assessment, including details about the artefacts included within the offering.
Important! The Office 365 Security Assessment offering should be considered as an example on
how to conduct an Office 365 Security Assessment using Secure Score. The artefacts within the
Office 365 assessment must be customized so that the engagement is aligned to your
organization’s own value proposition, workflows, delivery methodologies, related work
streams and offerings. The outcome of the Office 365 Security Assessment is intended to assist
with the development a roadmap of actionable customer recommendations used to drive
additional project based work or can be used to inform a repeatable lifecycle of security
management tasks within a managed service offering.
The Secure Score is a numerical summary of your security posture within Office 365 based on system
configurations, user behaviour and other security related measurements; it is not an absolute
measurement of how likely your system or data will be breached; rather, it represents the extent to
which you have adopted security controls available in Office 365 which can help offset the risk of
being breached. No online service is completely immune from security breaches; the Secure Score
should not be interpreted as a guarantee against security breach in any manner.
Version History
Table 1 – Summary of Changes
Audience
The document is intended to be used by the partner and should not be distributed to the customer.
Feedback
The artefacts within this offering will be iteratively improved based on product released as well as
direct feedback from delivered engagements. To provide feedback, use the feedback process
available through following web site: http://aka.ms/securityassessmentfeedback
Document1 Page 4 of 34
Latest version: http://aka.ms/o365securityassessment
Engagement Overview
The following table provides an overview of the information categories included as part of delivering
the Office 365 Security Assessment:
Category Description
Timeline Milestone One: Up to two-hour pre-engagement kick-off meeting
Milestone Two: Two days of on-site workshops
Time and material Estimated 24h engagement using the example schedule (expenses should be
added)
Target customers Customers who have already decided to adopt the cloud and Office 365 and
have an Office 365 tenant already in place.
Partner resource Security Consultant/Architect
requirements Project or Engagement Manager
Customer CSO/CISO, CEO/CFO, CIO/CTO, Enterprise/Security Architects, Security
resource Operations
requirements
Engagement The standard scope of the engagement is:
scope - Gain a mutual understanding of cloud security objectives and
requirements
- Provide guidance, recommendations and best practices on how to
successfully implement Office 365 security features
- Provide a prioritized and actionable Office 365 security roadmap. Map
Office 365 security capabilities to customer security objectives and
requirements
Engagement The deliverables of the engagement are:
deliverables - Kick-off Presentation, overview of the engagement covering vision
and objectives, requirements and next steps and actions
- Pre-Assessment Questionnaire, a questionnaire containing questions
on cloud usage/adoption, security requirements and objectives,
regulations and frameworks
- Recommendations and Roadmap Report, a presentation containing
a prioritized list of Office 365 security recommendations based on
Office 365 Secure Score
Document1 Page 5 of 34
Latest version: http://aka.ms/o365securityassessment
Objective
The engagement has following objectives:
Document1 Page 6 of 34
Latest version: http://aka.ms/o365securityassessment
Timeline
The Office 365 Security Assessment typically consists of an up to a two-hour remote kick-off meeting
followed by the 2-day on-site assessment workshops as per following suggested engagement
timeline:
• Kick-off meeting
• Provide pre-assessment questionnaire
• Provide instructions on how to export Office 365 Secure Score data
Week One
Engagement Requirements
This engagement requires that the customer has already acquired a production Office 365 tenant.
Scheduling an initial assessment before moving production users and data into the Office 365 tenant
is recommended, if possible, for the following reason. Completing an initial assessment would ensure
that the Office 365 tenant has the customer’s required security configuration before adding users and
data. Doing so may reduce the risk of a breach prior by implementation of the security controls
informed by the actions indicated from outcome of Microsoft Secure Score. Additional assessments
should be proposed within a lifecycle of managed security services and scheduled to be run on a
continuous basis to ensure that the Office 365 tenant is meeting the customer’s desired security state
and to catch any configuration drift.
The following Office 365 components are used as part of the engagement:
Document1 Page 7 of 34
Latest version: http://aka.ms/o365securityassessment
Discovery & Insights features to day trial can be used as part of this
provide the customer with assessment.
additional visibility into 3rd
party SaaS application usage, Note that the customer must have a
also known as Shadow IT. supported firewall or proxy device to
import usage data into Advanced
Security Management. If the
customer does not have a supported
device, we recommend using your
own demo tenant to demonstrate the
Advanced Security Management
functionality.
Deliverables
The following deliverables are part of the Office 365 Security Assessment:
Document1 Page 8 of 34
Latest version: http://aka.ms/o365securityassessment
The following Office 365 Advanced Security readiness presentations have been included as part of the
Office 365 Advanced Security Assessment IP:
The resource delivering the readiness presentations must have a good understanding of the readiness
content and have prior design and implementation experience of the Office 365 Advanced Security
products.
Recommended training content for the readiness presentations can be found in the Readiness
Content section appendix of this document.
Review the completed customer questionnaire, note missing answers and/or any items that
you think needs additional discussion during the Security Questionnaire Review workshop
during day one
Review and customize the workshop content delivered during day one. The example schedule is
available in the
Document1 Page 9 of 34
Latest version: http://aka.ms/o365securityassessment
Review notes or actions captured during day one of the on-site workshops
Update project governance items as required
Review and customize the workshop content delivered during day two. The example schedule is
available in the
Document1 Page 10 of 34
Latest version: http://aka.ms/o365securityassessment
Document1 Page 11 of 34
Latest version: http://aka.ms/o365securityassessment
This section includes guidance on delivering the various components of the Office 365 Security
Assessment.
Kick-off Meeting
The project/engagement manager typically delivers the kick-off presentation and should provide an
overall engagement overview, introduction to the team, engagement scope, and the project
governance approach. The technical resources should join the kick-off presentation to support the
project/engagement manager with some of the technical components of the kick-off meeting.
Document1 Page 12 of 34
Latest version: http://aka.ms/o365securityassessment
Make sure to capture notes during the day. Review the notes after the first day to modify the
schedule and/or content for day two as necessary.
Discuss and agree on the engagement success criteria. What does the customer expect to get
out of the engagement?
Finalize the technical readiness presentations
Finalize the schedule for the on-site workshops
Discuss and agree on project governance items
Finalize workshop attendance for each workshop. It is critical to get the right audience to
participate in each workshop
If possible, add value by weaving in related stories from your own experience with the product
Add value by weaving in related stories from your own experience with the product if possible
Use the customer security strategy presentation to guide the customer on topics for the
session
Listen to the customer and take notes. Pay attention to concerns/topics that you can address
as either individual consulting engagements and/or managed services. Add these solutions to
the close-out presentation and the roadmap which you will present at the end of the
engagement
Demonstrate the functionality of secure score using your own lab environment as well as the
remediation checklist tool which is included as part of the Office 365 Security Assessment
Document1 Page 13 of 34
Latest version: http://aka.ms/o365securityassessment
Use the remediation checklist tool to work through each security action from Office 365
Secure Score. For each security action:
o Explain what the Security Action does and if required, demonstrate the functionality
using a demo Office 365 tenant
o Work with the customer to prioritize the security action and add additional comments
in the remediation checklist tool
Add value by weaving in related stories from your own experience with the product if possible
Add value by weaving in related stories from your own experience with the product if possible
Use the list of the prioritized Office 365 Secure Score actions to update the roadmap within
the close-out presentation
Consider the potential for risk, difficultly of implementation, and impact ratings suggested by
each Office 365 Secure Score action. Discuss the implications with your customer in depth as
you prioritize and build the roadmap of actions. Consider time frames to fully implement and
a lifecycle of managed services opportunities for your organization.
Document1 Page 14 of 34
Latest version: http://aka.ms/o365securityassessment
Document1 Page 15 of 34
Latest version: http://aka.ms/o365securityassessment
Example Schedule
Day One
Customer Scheduled
Workshop Description Outcome Time
attendees time, room
Provides an
overview of the 2-
Agreed plan and
On-site day on-site agenda,
schedule for the All project 60 <Time>,
Engagement goals and an
2-day on-site team minutes <Room>
Overview opportunity to
assessment.
cover Q&A and
project governance.
Lunch 60 minutes
Document1 Page 16 of 34
Latest version: http://aka.ms/o365securityassessment
Day Two
Scheduled
Customer
Workshop Description Outcome Time time,
attendees
room
Overview of the
second day
Agreed upon All
agenda, goals, 30 <Time>,
Day Two Briefing schedule for day project
and an minutes <Room>
two. team
opportunity to
cover Q&A.
Workshop
covering current Prioritization of
Secure Score All
Office 365 Secure Office 365 120 <Time>,
Recommendations project
Score and Secure Score minutes <Room>
/ Discussion team
recommended security actions.
security actions.
Technical Technical
Office 365 Security readiness readiness
Technical presentation time provided to Security
Readiness slot. Or, Shadow customer team. Engineers 60 <Time>,
Presentation IT Analysis
or Security minutes <Room>
Workshop using
or Shadow IT Office 365 Understanding Architect
Analysis Workshop Advanced Security of current usage
Management. of Shadow IT.
Lunch 60 minutes
Workshop to
create an Office
365 security Defined high-
roadmap based level security Security
Office 365 Security Engineers
on the security roadmap based 60 <Time>,
Roadmap
requirements and on Office 365 Security minutes <Room>
Workshop
the prioritization Secure Score Architect
of the Office 365 security actions.
Secure Score
actions.
Document1 Page 17 of 34
Latest version: http://aka.ms/o365securityassessment
Provide an
Close-out engagement
All
Project close-out presentation and summary and 60 <Time>,
project
and Next steps discussion of next clear steps with minutes <Room>
team
steps. tangible
outcomes.
This document.
Office 365 Security Engagement kick-off presentation PowerPoint presentation
Assessment-Kick-off Meeting giving the customer an overview
of the engagements.
Office 365 Security Overview of the 2-day on-site PowerPoint presentation
Assessment-On-site workshops and project
Engagement Overview governance items.
Office 365 Security Microsoft vision for security and PowerPoint presentation
Assessment-Security and compliance in Office 365.
Compliance in Office 365
Office 365 Security Recommended discovery topics PowerPoint presentation
Assessment-Customer Security which needs to be covered by the
Strategy customer.
Office 365 Security Security questionnaire to be given Word document
Assessment-Questionnaire to the customer after the kick-off
presentation covering Office 365
and security objectives.
Office 365 Security Presentation covering how to PowerPoint presentation
Assessment-Protect customers protect against email based
against Spoof Phish Malware threats.
and Spam
Office 365 Security Presentation covering Office 365 PowerPoint presentation
Assessment-Gain visibility and Advanced Security Management.
control with Office 365
Advanced Security
Management
Office 365 Security Presentation covering Office 365 PowerPoint presentation
Assessment-Protect Sensitive Data Loss Prevention.
information with Office 365
Data Loss Prevention
Office 365 Security Presentation covering Office 365 PowerPoint presentation
Assessment-Acquire insights Threat Intelligence.
into proactively protecting
against advanced threats
Document1 Page 18 of 34
Latest version: http://aka.ms/o365securityassessment
Engagement Tools
This section is for use by the partner technical specialists to learn how to use the tools as part of the
Office 365 Security Assessment.
Note that Secure Score does not account for all possible security controls and is limited to security
controls within Office 365. Additional security controls will be added to the Secure Score tool over
time and this fact should be discussed with your customer as you propose the detect, protect,
respond security lifecycle of managed services your organization may provide.
To assist with the prioritization of the security action recommendations provided by Secure Score you
will use the “Office 365 Security Assessment-Remediation Checklist Tool-vX.X.xlsx” excel
spreadsheet. Instruct the customer to use following instructions to export the security actions and
controls to CSV so that you can copy & paste the recommended security actions in to the “Office 365
Security Assessment-Remediation Checklist Tool-vX.X.xlsx” excel spreadsheet.
Document1 Page 19 of 34
Latest version: http://aka.ms/o365securityassessment
1. Open the Office 365 Secure Score tool: https://securescore.office.com. Note that the customer
must sign in using their Office 365 tenant admin login credentials.
2. Verify that they have a calculated Secure Score showing in the Secure Score tool.
3. Select the Score Analyzer tab.
Document1 Page 20 of 34
Latest version: http://aka.ms/o365securityassessment
4. Select the Export button and select to export the “CSV – Action List” as well as the “CSV –
Control List”. Choose to save the two files to the local computer.
5. Ask the customer to send or share the exported CSV files to you, using a secure method of
transfer such as OneDrive.
Document1 Page 21 of 34
Latest version: http://aka.ms/o365securityassessment
Import the Secure Score data into the Office 356 Assessment-Remediation Checklist Tool
Once you receive the exported files from the customer use following procedure to import the Secure
Score data into the Office 356 Assessment-Remediation Checklist Tool:
1. Open the “CSV – Action List” excel file and copy and paste all content from row two and below
in to the ActionList tab on cell A2 within the “Office 365 Security Assessment-Remediation
Checklist Tool-vX.X.xlsx” excel spreadsheet.
2. Open the “CSV – Control List” excel file and copy and paste all content from row two and
below in to the ControlList tab on cell A2 within the “Office 365 Security Assessment-
Remediation Checklist Tool-vX.X.xlsx” excel spreadsheet.
3. In the “Office 365 Security Assessment-Remediation Checklist Tool-vX.X.xlsx” excel
spreadsheet, select the Data menu in Excel and select Refresh All. This will update the data
model used in the pivot table.
Document1 Page 22 of 34
Latest version: http://aka.ms/o365securityassessment
4. Go to the Results tab to view the Secure Score security actions sorted under User Impact and
Implementation Cost.
Document1 Page 23 of 34
Latest version: http://aka.ms/o365securityassessment
5. Work through each Secure Score security action and provide a priority based on what you
know about your customer’s current and desired security posture. For example: Quick Win 1-3
months, 3-6 months and 6 months and beyond. Additional instructions on how to use the
remediation checklist tool can be found in the Remediation Checklist ToolError! Reference s
ource not found. section.
Document1 Page 24 of 34
Latest version: http://aka.ms/o365securityassessment
Threat detection - Identify high-risk and abnormal usage, security incidents, and threats
Enhanced control - Shape your Office 365 environment with granular security controls and
policies
Discovery & insights - Gain enhanced visibility and context into your Office 365 usage and
shadow IT
The Office 365 Assessment uses the Discovery & Insights features to provide the customer with
additional visibility of the use of Shadow IT within their organization as part of the “Office 365
Security Assessment-Gain visibility and control with Office 365 Advanced Security
Management-vX.X.pptx” readiness session. The Office 365 Assessment does not make use of any
other Advanced Security Management functionality including threat detection and or enhanced
control features.
Important! If the customer does not have a license for Office 365 Advanced Security
Management, they can sign up for a free 30-day trial from the Office 365 Admin center, Billing,
Purchase services section as per below screenshot. This will allow the customer to import their
specific firewall or proxy log to allow you to demonstrate their current usage of Shadow IT
during the “Office 365 Security Assessment-Gain visibility and control with Office 365
Advanced Security Management-vX.X.pptx” readiness session. Note that the specific firewall or
proxy must be supported by the Advanced Security Management tool as per:
https://support.office.com/en-us/article/Create-app-discovery-reports-in-Advanced-Security-
Management-3e68e691-1fc4-4d3e-a2c0-d3134eb64055?ui=en-US&rs=en-US&ad=US
In case it’s not possible to use the Office 365 Advanced Security Management tool connected
to the customer’s Office 365 tenant, or it’s not possible to import the firewall or proxy logs,
you should prepare a demo tenant and use a provided sample log file to be used during the
“Office 365 Security Assessment-Gain visibility and control with Office 365 Advanced Security
Management-vX.X.pptx” readiness session.
Document1 Page 25 of 34
Latest version: http://aka.ms/o365securityassessment
Use following instructions to assist the customer with the import of customer firewall or proxy logs if
using customer specific data or a sample log if using a dedicated demo tenant.
1. Open the Office 365 Security & Compliance center, and select Go to Advanced Security
Management under Alerts, Manage Advanced Alerts.
Document1 Page 26 of 34
Latest version: http://aka.ms/o365securityassessment
3. Type the name of the report, and select the data source. Note, if you are not using customer
specific data, select “Blue Coat ProxySG -Access log (W3C)” as data source for a
workaround. After selecting the Data source, select “View and Verify…”.
Document1 Page 27 of 34
Latest version: http://aka.ms/o365securityassessment
4. If using customer specific data, verify the log format together with the customer. If using
sample data using a dedicated demo tenant, select “Download sample log” to download a
sample log. Select close.
Document1 Page 28 of 34
Latest version: http://aka.ms/o365securityassessment
5. Under “Choose traffic logs”, select browse and select either the customer specific log or the
extracted sample log.
6. Select Create to generate the report. Note that it can be a time-consuming process to import
the logs dependent on the size of the file being imported. For this reason, make sure to
initiate the import process well in advance of the workshops. For example, the import of the
sample “Blue Coat ProxySG -Access log (W3C)” usually takes around 30 minutes.
Document1 Page 29 of 34
Latest version: http://aka.ms/o365securityassessment
Document1 Page 30 of 34
Latest version: http://aka.ms/o365securityassessment
Import the Secure Score data exported by the customer into the tool. See the This section is for use
by the partner technical specialists to learn how to use the tools as part of the Office 365 Security
Assessment.
1. Office 365 Secure Score section for details on how to export the data from Secure Score and
insert this into the remediation checklist tool.
2. As part of the workshops, work together with the customer to understand and prioritize the
security actions.
3. Copy the prioritized set of security actions as well as the charts in to the “Office 365 Security
Assessment-Close-out Presentation-vX.X.pptx” presentation which will be delivered at the
end of the engagement.
The results tab is where you view and prioritize security actions. You can filter the security actions
based on following categories:
You will see several columns within the Results tab. Note that all content except the Priority and
Comment columns will be automatically filled in after you have inserted the secure score data
received from the customer and refreshed the data within the excel spreadsheet.
Column Description
User Impact Impact of implemented security control on users:
Low – little to no user productivity impact
Moderate – some user productivity impact
Implementation Approximate cost and complexity of implementing the security action:
Cost Low – Features that can typically be turned on without additional
licenses
Moderate – Features that are complex to turn on and/or require
additional licenses
Security Action Name of security action.
Name
Security Action Description of security action.
Description
Document1 Page 31 of 34
Latest version: http://aka.ms/o365securityassessment
Document1 Page 32 of 34
Latest version: http://aka.ms/o365securityassessment
Appendix
Readiness Content
This appendix contains recommended learning material that each delivery resource should go
through before delivering the Office 365 Security Assessment.
General
Explore and get familiar with the content in the Office 365 Trust Center
Explore and get familiar with the content in the Microsoft Secure site
Explore and get familiar with the content in the Secure Productive Enterprise site
Explore and get familiar with the content in the Microsoft Cloud Service Trust Portal
Explore and get familiar with the Office Drumbeat content
Get familiar with the Plan for Office 365 security and information protection capabilities poster
Read the Office 365 - Architecture and Procedure documents
Read the Controlling Access to Office 365 and Protecting Content on Devices document
Read Microsoft Office 365 Mapping of Cloud Security Alliance Cloud Control Matrix 3.0.1
document
Get the latest Microsoft security updates from the Microsoft Secure Blog
Create a demo environment and explore the Office 365 Advanced Security features as well as
Office 365 Secure Score. Partners can create Office 365 demo tenants at
http://demos.microsoft.com/
Readiness Presentations
To prepare you to deliver the included readiness presentation we recommend getting familiar with
below content:
All Partner University recordings are available at the Partner University site. These recordings include
all readiness presentations that you can deliver as part of the Security Assessment offering.
Document1 Page 33 of 34
Latest version: http://aka.ms/o365securityassessment
Protect your sensitive information with Office 365 Data Loss Prevention
Customize and tune Microsoft Office 365 Data Loss Prevention
Customer Lockbox:
Advanced eDiscovery:
Threat Intelligence:
Document1 Page 34 of 34