Microsoft 365 Certification control spotlight: Data access management

Data Access Management
Data access management is a critical aspect of ensuring the security of sensitive data. Microsoft 365 Certification emphasizes the importance of restricting access to authorized users and applications to minimize the risk of data breaches.
Principles of Least Privilege
Certification requirements include establishing a documented process for access requests that follows the principles of least privilege. ISVs are expected to have a clearly defined access request procedure for their apps, ensuring that only individuals with a legitimate business need have access to sensitive data and encryption keys.
Access Control Procedures
ISVs are required to maintain a list of individuals with access to data and/or encryption keys, providing a business justification for each individual. This list should include a formal approval process that aligns access privileges with job functions. Access requests should require approval to confirm that access is essential for an individual's job responsibilities, preventing unauthorized access.
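The register described above (who holds access to data or keys, the business justification, who approved it, and whether the privileges match the job function) can be checked mechanically before it is handed over as evidence. The following Python script is an added example, not code from Microsoft or the certification program; the job functions, scope names and register entries are constructed sample data, and the rule that a person may hold no more scopes than their job function allows is an assumption standing in for an ISV's own policy.

```python
"""Least-privilege access-register check (added example, not Microsoft's code).

Models the list the certification asks an ISV to keep: each person with access
to sensitive data or encryption keys, why they need it, who approved it, and
whether the granted privileges line up with their job function.
"""
from dataclasses import dataclass, field

# Hypothetical policy: the maximum access each job function may hold.
ROLE_ALLOWED_SCOPES = {
    "platform-engineer": {"prod-db-read", "prod-db-write"},
    "support-analyst": {"prod-db-read"},
    "key-custodian": {"kms-admin"},
}


@dataclass
class AccessGrant:
    user: str
    job_function: str
    scopes: set = field(default_factory=set)
    justification: str = ""   # business reason for the access
    approver: str = ""        # who signed off; must not be the user


def check_grant(grant):
    """Return the findings for one register entry; an empty list means compliant."""
    findings = []
    if not grant.justification.strip():
        findings.append("missing business justification")
    if not grant.approver:
        findings.append("no recorded approval")
    elif grant.approver == grant.user:
        findings.append("self-approved")
    allowed = ROLE_ALLOWED_SCOPES.get(grant.job_function)
    if allowed is None:
        findings.append(f"unknown job function {grant.job_function!r}")
    else:
        excess = grant.scopes - allowed
        if excess:
            findings.append("scopes exceed job function: " + ", ".join(sorted(excess)))
    return findings


def audit_register(grants):
    """Map each non-compliant user to their findings; compliant users are omitted."""
    report = {}
    for grant in grants:
        findings = check_grant(grant)
        if findings:
            report[grant.user] = findings
    return report


# Constructed sample register (not real people or systems).
SAMPLE_REGISTER = [
    AccessGrant("alice", "platform-engineer", {"prod-db-read", "prod-db-write"},
                "Runs production deployments", approver="cto"),
    AccessGrant("bob", "support-analyst", {"prod-db-read", "prod-db-write"},
                "Ticket triage", approver="support-lead"),
    AccessGrant("carol", "key-custodian", {"kms-admin"}, "", approver="carol"),
    AccessGrant("dave", "intern", {"prod-db-read"}, "Onboarding", approver="manager"),
]

if __name__ == "__main__":
    for user, findings in audit_register(SAMPLE_REGISTER).items():
        print(f"{user}: {'; '.join(findings)}")
```

Running it flags bob (write access a support analyst does not need), carol (no justification and self-approved) and dave (job function not covered by the policy), while alice passes. Extend ROLE_ALLOWED_SCOPES with your own roles and feed the script from whatever system of record holds your register.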
Third-Party Risk Management
When utilizing third parties for storing or processing Microsoft 365 data, ISVs must conduct comprehensive due diligence and management processes. This includes ensuring that third parties comply with legal obligations, such as those required under GDPR. ISVs are expected to maintain detailed records of all third parties with whom they share data, including services provided, reasons for sharing data, key contact information, and legal or compliance obligations.
Data Sharing Agreements
Certification requires that data sharing agreements with third parties are reviewed to ensure that they are processing data only as necessary and understand their security obligations. This helps mitigate the risk of third parties mishandling sensitive data.
Next Steps
To learn more about how Microsoft 365 Certification validates data access management controls, see the data at rest control evidence requirements for Microsoft 365 Certification. You can start the certification process from the Microsoft Partner Center dashboard by selecting your app in the Marketplace offers overview.