This IT compliance guidance is designed to help IT managers, business managers, Microsoft customers, and the ecosystem of Microsoft partners plan for and address specific IT compliance requirements that relate to applicable governance, risk, and compliance (GRC) regulations, publications from standards bodies and industry organizations, organizational policies, and agreements, all of which are collectively referred to in this guidance as authority documents. The goal is to shift the effort of enforcing and managing GRC requirements onto Microsoft products through the configuration of existing features and functions.
Organizations have to comply with regulatory requirements and control standards such as NERC, HIPAA, PCI, Basel II, FISMA, GLBA, SOX, COBIT, FFIEC, ISO 27001, and NIST SP 800 as part of their business processes. The IT department has to ensure that IT processes, technology, and people are aware of and able to meet these compliance requirements. For example, each IT division has to create, measure, and monitor control objectives as required by the PCI Data Security Standard (PCI DSS). The division's PCI program should follow the standard's 12 requirements, such as building and maintaining a secure network and restricting physical access to cardholder data. Similarly, NERC compliance requires each IT division to implement the steps defined in CIP-002-1 to CIP-009-1.
IT compliance programs are complex in nature and can create inefficiencies due to the repetition of compliance tasks for different regulations and control standards. ISO 27002/COBIT control objectives for user security may overlap with the control objectives of PCI, NERC, SOX, or HIPAA. Organizations can certify each requirement once and show compliance for multiple regulations and standards. However, most of the time they perform this activity in silos, resulting in duplication and complex IT compliance processes.