Power Virtual Agents compliance
offering
Power
Virtual Agents is a Core Online Service, as defined in the Online Service Terms
and is complaint with or covered by:
v Health Insurance
Portability and Accountability Act (HIPAA) coverage
v Health Information
Trust Alliance (HITRUST) Common Security Framework (CSF)
v Federal Risk and
Authorization Management Program (FedRAMP)
v System and
Organization Controls (SOC)
v Various
International Organization for Standardization (ISO) certifications
v Payment Card
Industry (PCI) Data Security Standard (DSS)
v The Cloud Security
Alliance (CSA) Security Trust Assurance and Risk (STAR)
v United Kingdom
Government Cloud (G-Cloud)
v Outsourced Service
Provider’s Audit Report (OSPAR)
v Korea-Information
Security Management System (K-ISMS)
v Singapore
Multi-Tier Cloud Security (MTCS) Level 3
v Spain Esquema
Nacional de Seguridad (ENS) High-Level Security Measures
Health Insurance Portability and
Accountability Act (HIPAA) coverage
HIPAA is a United States healthcare law that establishes
requirements for the use, disclosure, and safeguarding of individually
identifiable health information. It applies to covered entities—doctors'
offices, hospitals etc. That have access to patients' protected health
information (PHI), in addition to business associates—such as cloud service and
IT providers—that process PHI on their behalf.
Power Virtual Agents is covered under the Health Insurance
Portability and Accountability Act (HIPAA) Business Associate Agreement (BAA).
You can create chatbots that handle protected health information
when your organization is bound by HIPAA.
Health Information Trust Alliance (HITRUST) Common Security Framework
(CSF)
HITRUST is an organization governed by representatives from the
healthcare industry. This are created and maintains the Common Security
Framework (CSF), a certifiable framework to help healthcare organizations and
their providers demonstrate their security and compliance consistently.
The CSF builds on HIPAA and the HITECH Act, which are US healthcare
laws that have established requirements for the use, disclosure, and
safeguarding of individually identifiable health information and enforce
non-compliance.
Federal Risk and Authorization Management Program (FedRAMP)
FedRAMP was established to provide a standardized approach for
assessing, monitoring, authorizing cloud computing products and services under
the Federal Information Security Management Act (FISMA) and to accelerate the
adoption of secure cloud solutions by federal agencies.
Microsoft’s government cloud services meet the requirements of
FedRAMP.
System
and Organization Controls (SOC)
SOC is a method for assuring control regulation within a
service. Power Virtual Agents has been audited to be compliant with SOC.
SOC audit reports are available from the Microsoft Service Trust
Portal.
ISO
Complains
Power Virtual Agents is compliant with the ISO standards listed
in the following table.
Audit reports for each are available from the Microsoft Service
Trust Portal.
|
Standard |
Name of the Report and Certificate |
Link to Standard |
|
ISO 90001:2015 |
Microsoft
Azure, Dynamics 365, and Other Online Service-ISO9001 Certificate and
Assessment Report |
ISO
9001:2015 |
|
ISO 20000 1:2011 |
Microsoft
Azure, Dynamics 365, and Other Online Service ISO20000-1 Certificate and
Assessment Report |
ISO/IEC
20000-1:2011 |
|
ISO 22301:2012 |
Microsoft
Azure, Dynamics 365, and Other Online Service ISO20000-1 Certificate
Assessment Report |
ISO/IEC
20000-1:2011 |
|
ISO 27001:2013 |
Microsoft
Azure, Dynamics 365, and other Online Service-ISO27001,27018,27017,27701 |
ISO/IEC
27001:2013 |
|
ISO 27017:2015 |
Microsoft
Azure, Dynamics 365, and Other Online Service-ISO27017 Certificate and
Microsoft Azure, Dynamics 365 |
ISO/IEC
27017:2015 |
|
ISO 27018:2019 |
Microsoft
Azure, Dynamics 365, and Other Online Service-ISO27018 Certificate and
Microsoft Azure, Dynamics 365, and Other Online Service-ISO27001, 27018 ,27017,27701
Assessment Report |
ISO/IEC
27018:2019 |
|
ISO 27701:2019 |
Microsoft
Azure, Dynamics 365, and Other Online Service-ISO27701 Certificate and
Microsoft Azure, Dynamics 365, and Other Online Services-ISO27001,27018,27701
Assessment Report |
ISO/IEC 27701: 2019
|
Payment
Card Industry (PCI) Data Security Standard (DSS)
The Payment Card Industry (PCI) Data Security Standards (DSS)
form a global information security standard designed to prevent fraud through
increased control of credit card data.
Organizations of all sizes must follow PCI DSS standards if they
accept payment cards from the five major credit card brands:
v Visa
v MasterCard
v American Express
v Discover
v Japan Credit Bureau
(JCB)
Compliance with PCI DSS is required for any
organization that stores, processes, or transmits payment and card-holder data.
The Cloud Security Alliance (CSA)
Security Trust Assurance and Risk (STAR)
The
Security Trust Assurance and Risk (STAR) Program encompasses key principles of
transparency, rigorous auditing, and harmonization of standards. Companies who
use STAR indicate best practices and validate the security posture of their
cloud offerings.
The STAR registry documents the security and privacy controls
provided by popular cloud computing offerings. Power Virtual Agents has been
audited to be compliant with CSA STAR.
United Kingdom Government Cloud
(G-Cloud)
Government Cloud (G-Cloud) is a UK government initiative to ease
procurement of cloud services by government departments and promote
government-wide adoption of cloud computing.
G-Cloud comprises a series of framework agreements
with cloud services suppliers (such as Microsoft), and a listing of their
services in an online store, the Digital Marketplace. Inclusion in the Digital
Marketplace requires a self-attestation of compliance, followed by a
verification performed by the Government Digital Service (GDS) branch at its
discretion.
Outsourced Services
Provider’s Audit Report (OSPAR)
The OSPAR framework was established Association of
Banks in Singapore (ABS), Which formulated IT security guidelines for
outsourced services providers (OSPs) that week to provide services to Singapore’s
financial institutions. Power Virtual Agents has OSPAR attention.
Korea-information Security Management
System(K-ISMS)
K-ISMS is a
country-specific ISMS framework that defines a stringent set of control
requirements designed to help ensure that organizations in Korea consistently
and securely protect their information assets.
Singapore Multi-Tier Cloud Security
(MTCS)
The MTCS Standard for Singapore was prepared under
the direction of the Information Technology Standards Committee (ITSC) of the
Infocomm Development Authority of Singapore (IDA).The ITSC promotes and
facilitates national programs to standardize IT and communications, and
Singapore's participation in international standardization activities.
Spain Esquema National de Seguridad
(ENS) High-Level Security Measures
In 2007, the Spanish government enacted Law
11/2007, which established a legal framework to give citizens electronic access
to government and public services. This law is the basis for Esquema Nacional
de Seguridad (National Security Framework), which is governed by Royal Decree
(RD) 3/2010.
