Security measures for protecting data

Microsoft Dynamics 365 Fraud Protection has implemented, and will continue to maintain, appropriate technical and organizational measures to help protect customer data and personal data. These measures are stated in the Microsoft Security Policy. This policy is available to customers, as are descriptions of the security controls that are in place for Fraud Protection and other information that customers reasonably request about Microsoft security practices and policies.

For more information about Microsoft security practices, visit the Microsoft Trust Center.

Compliance certificate URLs

Here is a list of compliance certificate URLs for Fraud Protection:

Note: Sign-in is required to access these sites.

Security documentation and standard operating procedures FAQ

Documentation: Penetration test full report
Description: A full penetration test that is performed on the application or service by a reputable external third party. The penetration test report is expected to include the following information:
  • Overview of the engagement (scope, timeline, and so on)
  • Methodology
  • Executive summary
  • Technical details of the vulnerabilities that were discovered during the assessment
  • Mitigations and the vendor's response
Reports that are generated by automatic tools aren't accepted.
Available/location: Yes. This report is provided on request.

Documentation: Network vulnerability scan report
Description: A scan of the application or service network.
Available/location: Yes. This scan is part of the penetration test that is done.

Documentation: Network security policy
Description: The policy for maintaining network and data security.
Available/location: Yes. See the Azure Security and Compliance Blueprint.

Documentation: Information security policy
Description: The policy about how data is kept and stored. This policy covers employee access to data (that is, the existence of access to the internet, the ability to download items to USB drives, and so on).
Available/location: Yes. For more information, see the ISO 27001 report.

Documentation: Data flow diagram
Description: A diagram that identifies how the application or service is integrated with customer data and/or systems.
Available/location: Yes. The product documentation covers this information.

Documentation: Incident response and triage policies
Description: A document that defines what constitutes an incident and how the organization responds.
Available/location: Yes. For more information, see the ISO 27001 report.

Documentation: Third-party audit reports
Description: Audits such as SSAE 16 SOC 2 and SAS70 Type II.
Available/location: Yes. For more information, see the SOC2 report.

Documentation: Backup policy
Description: A document that defines the company's backup strategy.
Available/location: Yes. The Azure multi-region deployment strategy covers this information.

Documentation: Disaster recovery document
Description: A document that defines the company's strategy for availability.
Available/location: Yes. For more information, see the ISO 27001 report.

Documentation: Cloud Security Alliance Cloud Controls Matrix (CCM) self-assessment
Description: See the assessment framework for cloud providers on the Cloud Security Alliance website.
Available/location: Visit the Microsoft Service Trust Portal.

Documentation: Change management policy
Description: The policy that documents how changes are introduced and approved in an environment.
Available/location: Yes. For more information, see the ISO 27001 report.

Security assessment FAQ

Authentication and administration

Question: Does the application or service support single sign-on (SSO) through Security Assertion Markup Language (SAML) 1.1, SAML 2.0, or Web Services Federation (WS-Fed)?
Response: Yes.
  • Portal: SPA - OAuth 2.0 and OpenID Connect, with implicit flow
  • Service-to-service back-end API: OAuth 2.0
  • Fingerprinting Service: Anonymous
  • Azure Stack: Shared access signature (SAS) token for storage

Question: Does the application support Okta integration (SSO platform)?
Response: This integration isn't supported by default. Azure Active Directory (Azure AD) supports custom integrations. Because the merchant owns the tenant, the merchant can take advantage of Azure AD identity integration points. For more information, see the Azure AD documentation.

Question: Is there a "back-door" URL that lets users or administrators bypass SSO?
Response: No.

Question: Does the application or service support two-factor authentication (2FA)?
Response: Yes. The merchant can enable 2FA in Azure AD.

Question: Describe the 2FA solution.
Response: 2FA is an Azure AD feature. For more information, see How it works: Azure Multi-Factor Authentication.

Question: Does the application support application-level passwords?
Response: No. User and application identities are managed in the customer's Azure AD.

Question: Which hash or encryption algorithm is used to protect passwords?
Response: Not applicable.

Question: Is hash salting used?
Response: Not applicable.

Question: Does the application or service use automatic account provisioning? How is it accomplished (for example, on-demand via SAML, automated comma-separated values (CSV) feed over secure transmission, or API)? Provide documentation.
Response: No, and not applicable.

Question: Does the application or service use immediate account access termination, including closing open sessions?
Response: No. Access termination takes effect when the user's Azure AD token expires; open sessions aren't closed immediately.

Question: If account terminations aren't automatic, is this action performed within one hour of an account access termination request?
Response: Yes, per Azure AD policy.

Question: Document the process.
Response: All actions must be logged. For more information, see the Azure AD documentation.

Question: What is the session idle time-out of the application?
Response: Per Azure AD policy, the session idle time-out is in line with the token validity period.

Question: Does the application or service use an automatic account deprovisioning process via an API?
Response: No.

Question: Does the application or service provide a disposition strategy for content that is attached to a user's account upon deprovisioning?
Response: No. Only audit logs are tracked and retained, per Online Services Terms (OST) guidelines and the Microsoft Privacy Statement.

Question: Does the application or service let the administrator explicitly grant authorization to data and capabilities based on role and/or function, according to the least privilege model?
Response: Yes. Via Azure AD roles, administrators can grant access within their tenant.

Question: A minimum expectation is support for the Administrator role, User role, Read-Only Administrator (log) role, and unprivileged Administrator (no access to content) role. Do you provide this support?
Response: The application/service doesn't have any roles besides the admin role. Users in the Administrator role are responsible for creating additional roles within their tenant. For information about how to add and remove roles, see Configure user access.

Question: If there are sharing permissions in the application, does the application or service let the administrator review user requests for additional access to data?
Response: Not applicable.

Question: Does the application or service let the administrator user distinguish "administrator users" and "regular users"?
Response: No.

Question: Document the rights that are available for the various roles in the application or service. Examples include read-only accounts and the log audit role.
Response: For more information, see the Fraud Protection onboarding guide.
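The answers above say that access termination and the idle time-out are both bound to the Azure AD token validity period rather than to the session. The practical consequence for an assessor is that disabling a user does not stop a token that was issued before the disable action; a resource server that checks only the token keeps accepting it until the exp claim passes, so the worst-case termination latency equals the token lifetime. The following added example (not code from Fraud Protection or Azure AD) makes that visible. It mints and validates a minimal HS256 JWT as a stand-in for the RS256 tokens Azure AD actually issues; the key, user name and timestamps are constructed, and the directory-lookup variant is an illustrative design choice, not a description of the product.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Set

# Constructed demo key. Azure AD signs tokens with RS256 and a published key set;
# HS256 is used here only to keep the example self-contained.
SECRET = b"constructed-demo-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, issued_at: int, lifetime_s: int) -> str:
    """Mint a compact JWT with iat/exp claims, the way an identity provider would."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": issued_at, "exp": issued_at + lifetime_s}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, now: int) -> Optional[dict]:
    """Resource-side check: pinned algorithm, constant-time signature compare, then expiry.

    Returns the claims when the token is acceptable at time `now`, otherwise None.
    """
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # never let the token choose its own algorithm
        return None
    expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(c))
    if now >= claims["exp"]:
        return None
    return claims


def access_allowed(token: str, now: int) -> bool:
    """What a token-only resource server decides: the directory's disabled flag is not consulted."""
    return validate_token(token, now) is not None


def access_allowed_with_directory_check(token: str, now: int, disabled_users: Set[str]) -> bool:
    """Illustrative alternative: also consult the directory, so a disable action takes effect immediately."""
    claims = validate_token(token, now)
    return claims is not None and claims["sub"] not in disabled_users


def revocation_latency(token: str, disabled_at: int) -> int:
    """Seconds between the disable action and the moment a token-only check stops accepting the token."""
    _, c, _ = token.split(".")
    exp = json.loads(_b64url_decode(c))["exp"]
    return max(0, exp - disabled_at)


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed epoch timestamp
    tok = issue_token("alice@contoso.example", t0, 3600)  # constructed user, 1-hour token
    disabled = {"alice@contoso.example"}  # alice is disabled 10 minutes after issuance
    print("token-only check at +10 min:", access_allowed(tok, t0 + 600))
    print("with directory check at +10 min:", access_allowed_with_directory_check(tok, t0 + 600, disabled))
    print("seconds until token-only access actually ends:", revocation_latency(tok, t0 + 600))
```

Run as a script, the token-only check still says True ten minutes after the user was disabled, and revocation_latency reports the remaining 3000 seconds. For a deployment this means that the one-hour termination window quoted in the answers is only met if the token lifetime configured in Azure AD is at most that long.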

Auditing

Question: Does the application or service log information in an industry-standard type of event format, such as CSV, Common Event Format (CEF), or Syslog?
Response: Log data isn't shared by the product. Service metrics and key performance indicators (KPIs) are surfaced via Power BI views.

Question: Does the application or service collect or provide data about user sign-in, sign-out, password changes, and failed sign-in attempts?
Response: Yes. For more information, see Audit activity reports in the Azure Active Directory portal.

Question: Does the application or service collect or provide audit logs of administrator actions (user account Create/Update/Delete) or application-specific actions?
Response: The application maintains an audit history of key changes, such as rule or list updates. User account actions and corresponding audit history are controlled via Azure AD. For more information, see the overview in Azure Active Directory reports and monitoring documentation and Audit activity reports in the Azure Active Directory portal.

For Azure AD auditing, see the core directory events for application role and group membership in List of Azure Active Directory Audit Activities.

For access to audits from the Azure AD portal, see Audit activity reports in the Azure Active Directory portal.

Question: Does the application or service collect or provide audit logs of user actions (document or content Create/Read/Update/Delete)?
Response: Not applicable. Only the admin role is supported.

Question: Does the application or service collect or provide audit logs of metadata actions (Create/Read/Update/Delete)?
Response: Yes. An audit history of key changes, such as list and rule updates, is maintained.

Question: Can Microsoft provide audit trails for any activities that are performed on personally identifiable information (PII)?
Response: The only PII is in the audit history of rule and list changes. This history is read-only and can't be modified.

Question: Can Microsoft store logs and encrypted data at rest?
Response: Logs are maintained per standard Microsoft Azure Online Services policy.

Question: Does Microsoft have procedures in place to detect, report, and alert about the downtime of the customer instance within a reasonable time frame if the instance is down?
Response: Yes, we have advanced monitoring and alerting capabilities in place.

Question: What information is provided to customers to validate the negotiated service level agreement (SLA)?
Response: As a customer, you can make a server-to-server call to the service and monitor the SLA directly.

Question: How is this notification reported to customers?
Response: No proactive downtime notification is in place. It's currently part of the roadmap. Customers are notified about any incidents that are discovered via alerting through the standard communications channel.
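Two of the answers above put the burden on the customer: SLA validation is done by making your own server-to-server calls, and there is no proactive downtime notification. The following added example (not part of the product or its documentation) shows the minimum a merchant's monitoring job needs: classify each synthetic call as up or down, compute the availability figure an SLA is measured against, translate the target into an error budget for the period, and detect a run of consecutive failures that should raise your own alert. The `call` function, the timeout, the choice to count only 5xx as downtime, and the day of one-minute samples are all constructed assumptions; how you authenticate and what request you send belong to your own integration.

```python
import time
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ProbeResult:
    at: int        # probe timestamp, epoch seconds (constructed in the demo below)
    ok: bool
    reason: str


def run_probe(call: Callable[[], int], at: int, timeout_s: float = 5.0) -> ProbeResult:
    """Execute one synthetic server-to-server call and classify the outcome.

    `call` is assumed to perform the real request and return its HTTP status code,
    raising TimeoutError or another exception when no response was obtained.
    """
    start = time.monotonic()
    try:
        status = call()
    except TimeoutError:
        return ProbeResult(at, False, "timeout")
    except Exception as exc:  # connection refused, TLS handshake failure, DNS, ...
        return ProbeResult(at, False, f"error: {type(exc).__name__}")
    if time.monotonic() - start > timeout_s:
        return ProbeResult(at, False, "slow")
    # Design choice (assumption): 4xx means the caller's credentials or payload are wrong,
    # which is not service downtime; only 5xx is counted against the service.
    if status >= 500:
        return ProbeResult(at, False, f"http {status}")
    return ProbeResult(at, True, "ok")


def availability_pct(results: Iterable[ProbeResult]) -> float:
    """Share of successful probes over the period, as a percentage."""
    rs = list(results)
    if not rs:
        raise ValueError("no samples in period")
    return 100.0 * sum(1 for r in rs if r.ok) / len(rs)


def sla_met(results: Iterable[ProbeResult], target_pct: float) -> bool:
    return availability_pct(results) >= target_pct


def error_budget_minutes(target_pct: float, period_minutes: int) -> float:
    """Minutes of failed one-minute probes the period can absorb before the target is missed."""
    return period_minutes * (100.0 - target_pct) / 100.0


def outage_start(results: Iterable[ProbeResult], consecutive: int = 3) -> Optional[int]:
    """Timestamp of the first run of `consecutive` failed probes: the trigger for your own alert.

    Requiring a run, rather than a single failure, keeps a transient blip from paging anyone.
    """
    run: List[ProbeResult] = []
    for r in sorted(results, key=lambda r: r.at):
        run = run + [r] if not r.ok else []
        if len(run) == consecutive:
            return run[0].at
    return None


def constructed_day(failed_minutes: Set[int], base: int = 1_700_000_000) -> List[ProbeResult]:
    """Constructed sample: 1440 one-minute probes with the given minutes failing with HTTP 503."""
    return [
        ProbeResult(base + 60 * i, i not in failed_minutes, "http 503" if i in failed_minutes else "ok")
        for i in range(1440)
    ]


if __name__ == "__main__":
    day = constructed_day({20, 21, 22, 23, 24})  # a five-minute outage starting at minute 20
    print(f"availability: {availability_pct(day):.3f}%")
    print("99.9% target met:", sla_met(day, 99.9))
    print("error budget for the day at 99.9%:", error_budget_minutes(99.9, 1440), "minutes")
    print("alert at:", outage_start(day))
```

Feed `run_probe` with a real `call` on a schedule and append the results to durable storage; the other functions then work unchanged over whatever window the SLA is measured on. The run-length alert is what substitutes for the proactive downtime notification the product does not yet provide.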

Business continuity and disaster recovery

Question: Does the application or service enable unstructured data to be exported in bulk in a non-proprietary format, such as CSV?
Response: In the product, the General Data Protection Regulation (GDPR) experience lets users export data under the guidelines that are described in the section about data subject rights in the Compliance documentation.

Question: Does the unstructured data retain security access control lists (ACLs)?
Response: No. For more information, see the GDPR documentation that is listed in Honor data subject requests.

Question: Does the application or service enable databases to be exported in bulk in a non-proprietary format?
Response: No.

Question: Provide a documented backup policy.
Response: A multi-region data replication and resiliency strategy is in place. For more information about the backup and restore capability, see Online backup and on-demand data restore in Azure Cosmos DB.

Question: Does the application or service have a documented disaster recovery plan?
Response: For more information about the Microsoft enterprise business continuity management (EBCM) plan, see the Enterprise Business Continuity Management Program white paper. (Sign-in is required.)

Data security

Question: Can Microsoft disable the application instance in the event of a security incident?
Response: Yes.

Question: Does the application or service protect data by using Transport Layer Security (TLS) encryption?
Response: Yes.

Question: What level of encryption is used?
Response: TLS 1.2.

Question: What are the procedures for allowing customers to have the resources that are required to do security penetration scanning?
Response: Corporate, External, & Legal Affairs (CELA) and Security approval from Microsoft are required.

Question: Does the application or service have a recent third-party network security penetration test? (The test must be less than three months old.)
Response: Yes, Azure periodically performs this test.

Question: Does the application or service have a recent third-party application security penetration test? (The test must be less than three months old.)
Response: Yes. This test will be provided on request.

Question: Does the application or service use a secure communications method, such as TLS?
Response: Yes.

Question: Does the application or service have a mobile client?
Response: Fraud Protection is a web-based software as a service (SaaS) offering.

Question: Can the application be limited so that it allows traffic only from trusted networks?
Response: The application can't be limited through the user interface (UI). However, it can be limited through manual configuration.

Question: Does the application have traffic reporting and the ability to alert about normal traffic?
Response: Yes. These capabilities are available through internal alerting and monitoring. For more information, see API call monitoring.

Question: If the infrastructure doesn't support encryption at rest by default, does the application or service enable data at rest to be stored in an encrypted format?
Response: All data is encrypted at rest. For more information, see Data encryption in Azure Cosmos DB.

Question: Does the system have a general retention schedule, so that the data is purged after a period?
Response: Yes. For more information, see the OST guidelines.

Governance

Question: Do you have a well-defined security program? Provide a brief description.
Response: Yes. For information, see the Microsoft Security Development Lifecycle (SDL).

Question: Does Microsoft have established information security policies?
Response: Yes. For information, see the Microsoft Security Development Lifecycle (SDL).

Question: Does Microsoft have a third-party audit report for datacenter security and policies?
Response: Yes. For more information, visit the Microsoft Service Trust Portal.

Question: Provide a copy of the report (SSAE 16 SOC 2, SAS70 Type II, and so on).
Response: Visit the Microsoft Service Trust Portal.

Question: Has the application or service done the Cloud Security Alliance CCM self-assessment?
Response: Yes.

Question: Provide a copy of the self-assessment.
Response: Visit the Microsoft Service Trust Portal.

Question: Does Microsoft have a current change management policy document?
Response: Yes.

Question: Does the application or service have an established incident response and triage policy and established processes?
Response: Yes.