Microsoft Company

Microsoft Company

Privacy Policy

Microsoft offers many products that include devices for business and home use, computer software, applications, websites and server products for enterprise development. The use of these products leads to an interaction between Microsoft and its clients during either the purchase or use of the products. Customers are required to surrender some of their personal data to the company, and the company has a privacy policy that is supposed to guarantee customers of their security (Microsoft Privacy Statement, 2020). Microsoft also manages to obtain customer data by observing their behaviours when utilizing the company’s products. This includes through observation of customer choices on the privacy settings, the type of product, the shared data and available features. The company’s privacy policy explains to customers the reasons why data is collected and the benefits to the customer. The policy focuses on six key principles.

• Control – Customers must remain in control of their privacy. They are given easy to use tools and choices to help them determine what they disseminate to the company.
• Transparency – Microsoft promises transparency in its data collection and use.
• Security – it promises to protect the data customers offer to the company.
• Legal protection – the company is committed to reliable legal protection of customers’ privacy rights as a basic human right.
• Content-based targeting – The company refrains from using customer information to target ads at them.
• Customer benefits – it is committed to continuously enhance customers experience (Microsoft Privacy Statement, 2020).

However, privacy issues have remained a significant concern for most companies. Customers are required to provide more of their personal data and surrender their security to companies. For Microsoft, there have been incidents of a security breach involving customers’ data. In December 2019, a security researcher, Bob Diachenko, discovered a security breach where a customer support database that was used for storing anonymized user analytics were exposed online. The database contained personal data such as customer emails, payment information, contact numbers and IP addresses that are supposed to be protected.  Security researchers suggest that such occurrences in a large company like Microsoft pose a danger to the end-user because customer data can be accessed and used by malicious actors (Lam, 2014).

To avoid exposure of private data and breach of data security, Microsoft needs to audit the established security rules for their internal resources. The records are reported to have been accidentally exposed online without proper protection. This shows that the company’s security rules are still unreliable. Secondly, the company needs to expand the scope of security rule misconfiguration systems because, in the recent incident, the data remained exposed for almost a month without detection..

Microsoft anticipates situations when the privacy statement will conflict with terms of agreements between the company and the customer. In such cases, the company guideline is that the terms of the agreement are prioritized (Microsoft Privacy Statement, 2020). The company does this to ensure that customers experience is not affected by company policies. Microsoft seeks to balance between enterprise development needs and customer needs. One of the ways to ensure the balance is by thoroughly learning the needs of both the business and the customers. Failure to understand business needs leads to overpromising to a customer and the provision of inconsistent services and quality levels. Therefore, to be successful, a company must ensure that the customer gets the best experience while maintaining the needs of the business sustainably.

Enterprise specific policies

Microsoft would need to develop several enterprise-specific policies to help in guiding the company’s security measures in all areas. Some of the policies necessary in this area include:

Disaster recovery policy – This policy will help determine how the company deals with a successful breach of security or in case of an attack from hackers (Peltier, 2016).

Risk management policy – this policy is supposed to provide guidance on what the enterprise should do to lower cyber-attack risk levels. This policy will affect risk assessment, risk analysis, risk treatment and risk monitoring.

Network security policy – This should be put in place to guide the definition, analysis and monitoring of the security of the company’s network. Some of the areas this policy covers include vulnerability scanning, network architecture and update of security applications (Peltier, 2016).

Issue-specific policies

Microsoft should develop some issue-specific policies that can be used in controlling how company devices are handled and the responsibility of employees when interacting with sensitive company data. They should develop;

Vulnerability management policy – This policy will help Microsoft to identify classify, and mitigate vulnerabilities in their system. It enhances the level of security of the company’s resources, and its success will depend on the corporation of all members of the organization (Peltier, 2016).

Data retention policy – this policy is important to Microsoft because it will provide a protocol of how to retain information necessary for operational and regulatory needs. It will also ensure that there is a clear guideline on how to dispose of the information when the organization no longer needs it.

System-specific policies

Microsoft must develop system-specific policies that will help it to address specific system security needs. For constantly changing systems, their functionality and vulnerabilities, these policies are vital because they are flexible to address those changes (Stallings et al., 2012). Microsoft needs an information systems security policy. It offers guidelines that ensure that every member of the organization behaves appropriately regarding information security. This policy will be unique at Microsoft because it will ensure that information is handled appropriately.

The advantages of these policies

            Enterprise information security policies help by setting the direction, tone and scope for security efforts in an organization. It guides the development of security development programs and guides the behaviours of all the members of the organization. It influences attitudes, which can lead to employees’ commitment to information security and determine how they handle specific security issues. It lays out the company’s philosophy on security, and that serves as a guide to system developers and any new members who may not be aware of the company culture. As a result, EISP ensures the ability to change a company’s security standards (Peltier, 2016).

Issue-specific security policies protect critical information in the company by defining the responsibilities of both employees and managers concerning the security needs of the company. The definition allows each member to understand what their role is in securing the company’s critical data, and this makes it possible for people to be held accountable for their actions. It gives employees confidence and takes away fear because they know what is expected of them and how to accomplish it. Increased awareness of information security issues improves security practices and minimizes cases like when customer data is internally exposed online for almost a month without anyone taking note.

Finally, system security software enhances security standards by outlining accepted configurations and settings for all company computers systems. It also dictates the kinds of software that can be installed and those that cannot be installed on company systems. The policy also makes sure that mandatory software such as antivirus is installed on all systems to prevent access to the company’s critical data through an unprotected computer. This minimizes the chances of a breach and consequently enhance the company’s security practices.

How to handle policy violations

There are two reasons why employees can violate security policies. The first can be because they are not properly trained about the policy, and the second can be because they choose not to follow the policy (Gamage, Roth & McMillin, 2011). When a policy has been violated, it is important to consider the possibility of these two reasons before taking action. I would first evaluate the situation to determine what could be keeping the employee from complying. The evaluation begins with a conversation with the employee in violation of the policy. Conversations must take place immediately. The violation is committed to avoiding giving employees the impression that it is all right to violate the policy. The conversations should be documented so that if an employee promises to comply in future and then fails to comply, then an action can be taken against them. In cases where the conversation reveals that the employee does not understand the policy and this is the reason for their violation, the employee should be trained to ensure that they understand what is required from them and how to meet those expectations (Knapp & Ferrante, 2012).

Preferred Models

            For my security program at Microsoft, I would use the Bell-LaPadula Model. This model is governed by three properties, the Ds-property, Ss-property and star (*)-property (Maurer, Rüedlinger & Tackmann, 2012). The Ds-property is used for discretional security; Ss-property is used for simple security, also referred to as no read-down and star-property is used for no write-own. This mode is excellent for a security program because it ensures that a subject cannot downgrade information. Also, subjects and objects cannot change their level of security once they are designated. One disadvantage is that this model only addresses the confidentiality of information but fails to address access control. Users can never talk to lower users (Justiniano, 2020).

The Bell – La Padula model

Source: Linkedin.com

Microsoft Risk Appetite

            Microsoft faces a significant challenge of risk management in their daily business activities. It operates in almost 190 countries, with different currencies and monthly transactions exceeding $40 billion (Microsoft Corporation Annual Report, 2019).  In order to facilitate risk management across all its business dimensions, it has identified a risk universe, which is the framework within which risk is identified, assessed and monitored. The company’s risk universe is categorised into strategic risks, legal or compliance risks, operational risks and financial risks. The four major categories are further subdivided to enhance the risk identification process. Strategic risks involve business model, strategic investments, market dynamics, and business model disruption. Operational risks include sales and marketing, product and services. Legal hazards include regulatory risks, corporate governance and legal compliance while financial risk category includes treasury, tax and investor relations (Microsoft Corporation Annual Report, 2019). The company has a risk management group that is based at Microsoft Treasury. The group provides independent checks on portfolio risks and performance. It also offers risk advisory during investment decision-making (Buckley et al., 2018)

Microsoft’s valuable assets

• Applications (For example, Azure) (Microsoft Corporation Annual Report 2019).
• Data and AI
• Business applications

One threat to Microsoft’s data asset

• Cyberattacks

Mitigation of the identified Risk

One of the strategies to implement to avoid loss of data through cyber-attacks is by securing the infrastructure. Microsoft can choose to outsource its IT department to be in charge of the management and security of the IT infrastructure. The IT department, whether in-house or outsourced, monitors the network traffic for malicious activities. The infrastructure can be secured by intelligent platforms that can monitor the infrastructure and give an alert when unusual activity is noticed. These platforms also generate a trend analysis; report the performance of the system, monitor the network traffic and check user and system behaviours for any anomaly (SMC, 2020).

The next step in securing the company infrastructure is to secure web-facing applications and servers. It should ensure that the servers exposed to the internet and with an external-facing IP, are scanned frequently for any weaknesses or exploits (Kaplan & Mikes,  2012).

References

Buckley, P.J., Chen, L., Clegg, L.J. and Voss, H., 2018. Risk propensity in the foreign direct investment location decision of emerging multinationals. Journal of International Business Studies, 49(2), pp.153-171.

Gamage, T.T., Roth, T.P. and McMillin, B.M., 2011, July. Confidentiality preserving security properties for cyber-physical systems. In 2011 IEEE 35th Annual Computer Software and Applications Conference (pp. 28-37). IEEE.

Kaplan, R.S. and Mikes, A., 2012. Managing risks: a new framework. Harvard business review, 90(6), pp.48-60.

Knapp, K.J. and Ferrante, C.J., 2012. Policy awareness, enforcement and maintenance: Critical to information security effectiveness in organizations. Journal of Management Policy and Practice, 13(5), pp.66-80.

Justiniano Ivan, 2020. Security Models: Integrity, Confidentiality and Protection of the Data. Available at https://www.linkedin.com/pulse/security-models-integrity-confidentiality-protection-data-justiniano. (Accessed on 31^st March 2020).

Lam, J., 2014. Enterprise risk management: from incentives to controls. John Wiley & Sons.

Maurer, U., Rüedlinger, A. and Tackmann, B., 2012, March. Confidentiality and integrity: A constructive perspective. In Theory of Cryptography Conference (pp. 209-229). Springer, Berlin, Heidelberg.

Microsoft Corporation Annual Report 2019. Available at https://www.microsoft.com/investor/reports/ar19/index.html (Accessed on 31st March 2020).

Microsoft Privacy Statement, 2020. Available at https://privacy.microsoft.com/en-us/privacystatement [Accessed on 31st March 2020].

Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.

Scottmadden management Consultants, 2020. The Security Operating Model: A Strategic Approach for Building a More Secure Organization. Available at https://www.scottmadden.com/insight/security-operating-model-strategic-approach-building-secure-organization/ (Accessed on 31^st March 2020).

Stallings, W., Brown, L., Bauer, M.D. and Bhattacharjee, A.K., 2012. Computer security: principles and practice (pp. 978-0). Upper Saddle River, NJ, USA: Pearson Education.