Security measures for protecting data

This article describes technical and organizational measures that help protect customer data and personal data in Microsoft Dynamics 365 Fraud Protection.

Dynamics 365 Fraud Protection has implemented, and will continue to maintain, appropriate technical and organizational measures to help protect customer data and personal data as stated in the Microsoft Security Policy, which is available to customers. Descriptions of the security controls that are in place for Fraud Protection and other information that customers commonly request about Microsoft security practices and policies are also available to customers.

For more information about Microsoft security practices, visit the Microsoft Trust Center.

Compliance certificate URLs

The following list contains compliance certificate URLs for Fraud Protection.

Note

Sign-in is required to access these sites.

Security documentation availability

The following table lists and describes available security documentation and how to access the documentation.

| Documentation | Description | Available? |
|---|---|---|
| Penetration test full report | A full penetration test that is performed on the application or service by a reputable external third party. The penetration test report is expected to include the following information: overview of the engagement (for example, scope and timeline); methodology; executive summary; technical details of the vulnerabilities that were discovered during the assessment; mitigations and the vendor's response. Reports that are generated by automatic tools aren't accepted. | Yes. This report is provided on request. |
| Network vulnerability scan report | A scan of the application or service network. | Yes. This scan is done as part of the penetration test. |
| Network security policy | The policy for maintaining network and data security. | Yes. For more information, see the Azure Security and Compliance Blueprint. |
| Information security policy | The policy about how data is kept and stored. This policy covers employee access to data (for example, access to the internet and the ability to download items to USB drives). | Yes. For more information, see the ISO 27001 report. |
| Data flow diagram | A diagram that identifies how the application or service is integrated with customer data and/or systems. | Yes. The product documentation includes this information. |
| Incident response and triage policies | A document that defines what constitutes an incident and how the organization responds. | Yes. For more information, see the ISO 27001 report. |
| Third-party audit reports | Audits such as SSAE 16 SOC 2 and SAS70 Type II. | Yes. For more information, see the SOC2 report. |
| Backup policy | A document that defines the company's backup strategy. | Yes. The Azure multi-region deployment strategy includes this information. |
| Disaster recovery document | A document that defines the company's strategy for availability. | Yes. For more information, see the ISO 27001 report. |
| Cloud Security Alliance Cloud Controls Matrix (CCM) self-assessment | The assessment framework for cloud providers. | For more information, see Cloud Security Alliance and the Microsoft Service Trust Portal. |
| Change management policy | The policy that documents how changes are introduced and approved in an environment. | Yes. For more information, see the ISO 27001 report. |

Additional resources

Security assessment FAQ

Privacy and security FAQ