- Module 1: Learn how Microsoft implements organization-wide security and privacy governance to support the secure operation of Microsoft 365 services and maintain compliance with regulatory requirements and customer commitments.

  Upon completion of this module, you should be able to:

  - Describe Microsoft 365’s core services.
  - List the elements of the Microsoft Policy Framework.
  - Describe the Microsoft Security Policy and related standards, requirements, and procedures.
  - Explain how the Microsoft 365 Information Security Policy implements the Microsoft Security and Standards Program.
  - List Microsoft personnel requirements and practices.

- Module 2: Learn how Microsoft 365 identifies, assesses, responds to, and manages risks to protect customers and the Microsoft 365 environment.

  Upon completion of this module, you should be able to:

  - Explain how the Microsoft Enterprise Risk Management (ERM) program provides a consistent approach to enterprise risk across Microsoft.
  - Describe how Microsoft 365 manages risk.
  - Explain how Microsoft 365 Trust identifies risks using a variety of inputs.
  - Describe how Microsoft 365 Trust analyzes and categorizes risk using impact, likelihood, and mitigating controls.
  - Explain how Microsoft 365 Trust coordinates with service teams to mitigate, monitor, and report on ongoing risks in Microsoft 365 environments.

- Module 3: Learn how the architecture of Microsoft 365 implements security and privacy features to protect customers who use Microsoft 365 multi-tenant services.

  Upon completion of this module, you should be able to:

  - Describe the high-level architecture of Microsoft 365 services and dependencies.
  - List the security principles built into Microsoft 365 architecture.
  - Explain how Microsoft 365 implements network, service, and tenant isolation.
  - Explain how Microsoft 365 protects its infrastructure from DDoS attacks.
  - Describe how Microsoft 365 maintains service, data, and network resiliency.
  - Explain how Microsoft 365 performs architecture validation to verify the security posture of Microsoft 365 services.

- Module 4: Learn how Microsoft 365 investigates, manages, and responds to security concerns to protect customers and the Microsoft 365 cloud environment.

  Upon completion of this module, you should be able to:

  - Describe Microsoft’s Assume Breach strategy and Defense-in-Depth approach to security.
  - Explain how Microsoft defines a Security Incident, the federated model that Microsoft uses for Security Incident Response across the organization, and how customers and Microsoft share responsibility for security in the cloud.
  - Describe how Microsoft prepares to deal with security issues through training, testing, and knowledge sharing.
  - Describe how the Security Incident Response team detects and analyzes potential security issues.
  - Describe how issues are contained and eradicated, and how recovery is handled.
  - Describe how Microsoft incorporates lessons from security incidents into our processes and procedures.
  - Explain how and when Microsoft will notify your organization in the event a Security Incident affects your tenant.

- Module 5: Learn how Microsoft 365 implements the principle of Zero Standing Access (ZSA) to protect production environments and customer data using Just-In-Time (JIT) and Just-Enough-Access (JEA).

  Upon completion of this module, you should be able to:

  - List two different types of accounts managed by Microsoft.
  - Name the tools and technologies used to control access within Microsoft 365 environments.
  - Explain the mandatory prerequisites for granting service team accounts.
  - Describe Microsoft 365 service teams’ privileged access management process.
  - Explain the process for using Microsoft 365 Customer Lockbox.

- Module 6: Learn how Microsoft 365 uses comprehensive audit logging and monitoring to support security monitoring, maintain service availability, and meet compliance requirements.

  Upon completion of this module, you should be able to:

  - Explain how Microsoft 365 standardizes log data collection.
  - Describe how Microsoft 365 aggregates and protects log data in centralized processing and storage services.
  - List Microsoft 365’s retention policies for log data.
  - Explain how Microsoft 365 analyzes log data to support security monitoring and service health monitoring.

- Module 7: Learn how Microsoft 365 proactively monitors information system assets for vulnerabilities, assesses the risks associated with discovered vulnerabilities, and remediates them in a timely manner.

  Upon completion of this module, you should be able to:

  - Describe Microsoft’s Assume Breach strategy in the context of vulnerability management and security monitoring.
  - Explain machine state scanning and the components of PAVC in Microsoft 365.
  - Describe how Microsoft 365 proactively patches its systems.
  - Describe how Microsoft 365 anti-malware tools detect and prevent malware execution.
  - Explain how Microsoft 365 detects and remediates vulnerabilities and security misconfigurations.
  - Describe how Microsoft 365 uses security monitoring to detect and respond to attacks at scale.
  - List the attack simulation and penetration testing activities used to validate the security posture of Microsoft 365.

- Module 8: Learn how Microsoft 365 builds resilient services to meet customer expectations in the face of faults and challenges to normal operations, maintains optimal service availability, and fulfills business continuity requirements.

  Upon completion of this module, you should be able to:

  - Explain how Microsoft 365 services are engineered for resiliency, including strategies such as Active/Active service design, fault isolation, and reduced blast radius.
  - Describe the teams involved in the Microsoft Enterprise Business Continuity Management (EBCM) program.
  - Explain Microsoft’s Business Continuity Management (BCM) lifecycle, including ongoing assessment, planning, and capability validation.
  - State how often Business Continuity Plans (BCP) must be reviewed, updated, and tested.
  - Explain the test methodology Microsoft uses for BCP Capability Validation.
  - Describe how Microsoft 365 services monitor availability and allocate resources using capacity planning.

- Module 9: Learn how Microsoft 365 follows Microsoft’s Security Development Lifecycle (SDL) to build security and privacy into our products and services.

  Upon completion of this module, you should be able to:

  - List the phases of Microsoft’s SDL process.
  - Describe the training requirements for all members of Microsoft development teams.
  - Explain how Microsoft development teams practice security and privacy by design.
  - List the automated tools Microsoft uses to find and remediate software vulnerabilities.
  - Explain how Microsoft enforces and tests operational security requirements using ongoing penetration testing.
  - Describe the security and privacy review requirements for code approval and release.
  - Explain how Microsoft uses Component Governance (CG) to manage open source software.

- Module 10: Learn how Microsoft 365 encrypts data at rest and in transit, securely manages encryption keys, and provides key management options to customers to meet their business needs and compliance obligations.

  Upon completion of this module, you should be able to:

  - Explain how encryption mitigates the risk of unauthorized data disclosure.
  - Describe Microsoft data-at-rest and data-in-transit encryption solutions.
  - Explain how Microsoft 365 implements service encryption to protect customer data at the application layer.
  - Understand the differences between Microsoft-managed keys and customer-managed keys for use with service encryption.

- Module 11: Learn about Microsoft 365 privacy standards, the reasons we have them in place, and how they differentiate Microsoft in protecting and respecting customer data.

  Upon completion of this module, you should be able to:

  - Explain Microsoft’s six principles for protecting privacy.
  - List the key privacy roles and categories of data processed by Microsoft.
  - Explain how Microsoft uses Defense-in-Depth to protect data throughout its lifecycle.
  - Describe Microsoft’s data collection practices, including privacy notices, data handling, and compliance with international data transfer requirements.
  - List examples of how Microsoft processes data to provide online services.
  - Explain how Microsoft restricts data transfer to third parties and provides appropriate customer notification.
  - Describe Microsoft 365 data residency and retention capabilities.
  - Explain how Microsoft destroys data when a subscription expires or is terminated.
  - Describe Microsoft practices for supporting a customer’s compliance with GDPR Data Subject Requests and Data Protection Impact Assessments.

- Module 12: Learn how Microsoft 365 procures, monitors, and manages subprocessors to help protect data from unauthorized access and inappropriate use.

  Upon completion of this module, you should be able to:

  - Explain how the Supplier Security and Privacy Assurance (SSPA) program helps Microsoft online services protect customer data and personal data.
  - List the types of subprocessors used by Microsoft and the access controls employed for each type.
  - Describe how Microsoft 365’s additional subprocessor requirements limit the number of approved subprocessors and provide notice to customers when new subprocessors are approved.
  - List the subprocessor onboarding and ongoing verification requirements of the SSPA program.
  - Describe Microsoft’s commitments to protecting customer data and personal data when a supplier contract ends.

- Module 13: Learn how Microsoft uses Defense-in-Depth to secure our datacenters against unauthorized access, environmental hazards, and other physical threats, and how Microsoft implements resilient architecture, business continuity, and disaster recovery to maintain the availability of our services.

  Upon completion of this module, you should be able to:

  - Describe how the architecture of Microsoft datacenters contributes to resilience and availability.
  - Explain how Microsoft uses Threat, Vulnerability, and Risk Assessments (TVRA) to analyze datacenter risk.
  - Describe how Microsoft implements environmental safeguards to protect both Microsoft datacenters and the environment.
  - Explain how Microsoft uses Defense-in-Depth to physically secure Microsoft datacenters.
  - Describe how Microsoft protects and tracks physical and virtual assets in Microsoft datacenters.
  - Explain how Microsoft protects data stored on data-bearing devices.
  - Describe how datacenter business continuity, disaster recovery, and resilience strategies protect the availability of Microsoft datacenters.