Cyber and Technology Risk Management Forum, Park City, UT

Risk Assurance Framework

Resilience and business continuity

Service provider reputation and competence

Limits on data use and access

Confidentiality

Audit & inspection

Conditions on subcontracting

Security standards

Data location

Data segregation/isolation

Conditions on termination

Review, monitoring & control

Documentation

Financial services compliance program

Visibility on the full value chain (Regulator ability to inspect)

Customer accountability and control over that value chain – including Cloud

FOR ALL FSI's

OPTIONAL PROGRAMS FOR FSI's

• Additional access to information:
  – Audit Webcasts & Annual Summit
  – Advanced Roadmap
  – Security Incident Reviews
• Access to Microsoft compliance and security experts
• Access to external auditors
• Ability to influence via future audit scope

Compliance Program

FOR ALL CUSTOMERS

ON DEMAND

• Regulator Right to Examine
• Audit Rights
• Provision for change in Legal or Compliance Environment
• Contractual Right to the Compliance Program
• Business Resolution
• Exit and Transition Assistance (FSI Amendment)

• Right to Audit Physical Datacenters
• Interview Engineers & Engineering Leadership
• Inspect Audit Evidence
• Request New Evidence

• Privacy, Security, and Data Processing commitments including GDPR
• Access to Audit Reports
• Commit to location of customer data at rest
• Commitments on law enforcement requests
• Compliance with industry standards

Online Services Terms

Compliance Program
