Trust Center

As a LienSysGov customer, you have entrusted our organization to help protect your data.
We value this trust, and the privacy and security of your data is one of our top concerns.
We strive to take a leadership role when it comes to security, privacy, and compliance practices,
which is why we selected Microsoft’s Azure Data Centers to host our software solution.

  • Independently verified

    Compliance with world-class industry standards

    LienSysGov partners with customers to help them address a wide range of country- and industry-specific regulatory requirements. By providing customers with compliant, independently verified cloud services, LienSysGov makes it easier for customers to achieve compliance for the infrastructure and applications they run in Azure.

  • AICPA/SOC
    FedRAMP
    PCI DSS
    CSA
  • Relentless on security

    Excellence in cutting-edge security practices

    Through cutting-edge security practices and unmatched experience running large online services, LienSysGov delivers enterprise cloud services customers can trust.

  • Your privacy matters

    We respect the privacy of your data

    Privacy is one of the foundations of LienSysGov's Trustworthy Computing. We have a longstanding commitment to privacy, which is an integral part of our product and service lifecycle.

  • Shared responsibility

    Our customers are subject to many different laws and regulations. Legal requirements in one area may be inconsistent with legal requirements applicable elsewhere. As a provider of software solutions, we must utilize common practices and features across multiple geographies and jurisdictions. To help our customers comply with their own requirements, we build our solutions with common privacy and security requirements in mind. It is ultimately up to our customers, however, to evaluate our offerings against their own requirements, so they can determine if our solutions satisfy their regulatory needs. We are committed to providing our customers with detailed information about our solutions to help them make their own regulatory assessments.

    It is also important to note that a cloud platform like Azure requires shared responsibility between the customer and LienSysGov. LienSysGov is responsible for the platform, and seeks to provide cloud software that can meet the security, privacy, and compliance needs of our customers. Customers are responsible for their environment once the solution has been provisioned, including their applications, data content, access credentials, and compliance with regulatory requirements applicable to their particular locale.

  • Updates

    The information presented in the LienSysGov Trust Center is current as of the "last updated" date at top but is subject to change without notice. We encourage you to review the Trust Center periodically to be informed of new security, privacy and compliance developments.

Design and Operational Security

Microsoft, LienSysGov's cloud provider, has developed industry-leading best practices in the design and management of online services, including:

  • Security Centers of Excellence. The Microsoft Digital Crimes Unit, Microsoft Cybercrime Center, and Microsoft Malware Protection Center provide insight into evolving global security threats.
  • Security Development Lifecycle (SDL). Since 2004, all Microsoft products and services have been designed and built from the ground up using its Security Development Lifecycle - a comprehensive approach for writing more secure, reliable and privacy-enhanced code.
  • Operational Security Assurance (OSA). The Microsoft OSA program provides an operational security baseline across all major cloud services, helping ensure key risks are consistently mitigated.
  • Assume Breach. Specialized teams of Microsoft security engineers use pioneering security practices and operate with an 'assume breach' mindset to identify potential vulnerabilities and proactively eliminate threats before they become risks to customers.
  • Incident Response. Microsoft operates a global 24x7 event and incident response team to help mitigate threats from attacks and malicious activity.

Security Controls and Capabilities

Azure delivers a trusted foundation on which customers can design, build and manage their own secure cloud applications and infrastructure.

  • 24 hour monitored physical security. Datacenters are physically constructed, managed, and monitored to shelter data and services from unauthorized access as well as environmental threats.
  • Monitoring and logging. Security is monitored with the aid of centralized monitoring, correlation, and analysis systems that manage the large amount of information generated by devices within the environment and provide timely alerts. In addition, multiple levels of monitoring, logging, and reporting are available to provide visibility to customers.
  • Patching. Integrated deployment systems manage the distribution and installation of security patches. Customers can apply similar patch management processes for Virtual Machines deployed in Azure.
  • Antivirus/Antimalware protection. Microsoft Antimalware is built into Cloud Services and can be enabled for Virtual Machines to help identify and remove viruses, spyware and other malicious software and provide real-time protection. Customers can also run antimalware solutions from partners on their Virtual Machines.
  • Intrusion detection and DDoS. Intrusion detection and prevention systems, denial of service attack prevention, regular penetration testing, and forensic tools help identify and mitigate threats from both outside and inside of Azure.
  • Zero standing privileges. Access to customer data by Microsoft operations and support personnel is denied by default. When granted, access is carefully managed and logged. Data center access to the systems that store customer data is strictly controlled via lock box processes.
  • Isolation. Azure uses network isolation to prevent unwanted communications between deployments, and access controls block unauthorized users. Virtual Machines do not receive inbound traffic from the Internet unless customers configure them to do so.
  • Azure Virtual Networks. Customers can choose to assign multiple deployments to an isolated Virtual Network and allow those deployments to communicate with each other through private IP addresses.
  • Encrypted communications. Built-in SSL and TLS cryptography enables customers to encrypt communications within and between deployments, from Azure to on-premises datacenters, and from Azure to administrators and users.
  • Private connection. Customers can use ExpressRoute to establish a private connection to Azure datacenters, keeping their traffic off the Internet.
  • Data encryption. Azure offers a wide range of encryption capabilities up to AES-256, giving customers the flexibility to implement the methods that best meet their needs.
  • Identity and access. Azure Active Directory enables customers to manage access to Azure, Office 365 and a world of other cloud apps. Multi-Factor Authentication and access monitoring offer enhanced security.

Penetration Testing

Microsoft conducts regular penetration testing to improve Azure security controls and processes. We understand that security assessment is also an important part of our customers' application development and deployment. Therefore, we have established a policy for customers to carry out authorized penetration testing on their applications hosted in Azure. Because such testing can be indistinguishable from a real attack, it is critical that customers conduct penetration testing only after obtaining approval in advance.

Privacy

Privacy is one of the foundations of Microsoft's Trustworthy Computing.  Microsoft has a longstanding commitment to privacy, which is an integral part of our product and service lifecycle.  We work to be transparent in our privacy practices, offer customers meaningful privacy choices, and manage responsibly the data we store.

The Microsoft Privacy Principles, our specific privacy statements, and our internal privacy standards guide how we collect, use, and protect Customer Data.  General information about cloud privacy is available from the Microsoft Privacy Web site.  We also published a white paper Privacy in the Cloud to explain how Microsoft is addressing privacy in the realm of cloud computing.

The Azure Privacy Statement describes the specific privacy policy and practices that govern customers' use of Azure.

Location of Customer Data

Microsoft currently operates Azure in data centers around the world.  In this section, we address common customer inquiries about access and location of Customer Data.

  • Customers may specify the geographic area(s) ("geos" and "regions") of the Microsoft datacenters in which Customer Data will be stored. Available geos and regions are shown below. Please see service availability by region.

    Geo (previously major region): United States
    Regions (previously sub-regions):
    • East US (Virginia)
    • East US 2 (Virginia)
    • Central US (Iowa)
    • West US (California)
    • North Central US (Illinois)
    • South Central US (Texas)

  • Microsoft may transfer Customer Data within a geo (e.g., within Europe) for data redundancy or other purposes. For example, Azure replicates Blob and Table data between two regions within the same geo for enhanced data durability in case of a major data center disaster.

  • Microsoft will not transfer Customer Data outside the geo(s) customer specifies (for example, from Europe to U.S. or from U.S. to Asia) except where necessary for Microsoft to provide customer support, troubleshoot the service, or comply with legal requirements; or where customer configures the account to enable such transfer of Customer Data, including through the use of:

    • Features that do not enable geo selection such as Content Delivery Network (CDN) that provides a global caching service;
    • Web and Worker Roles, which back up software deployment packages to the United States regardless of deployment geo;
    • Preview, beta, or other pre-release features that may store or transfer Customer Data to the United States regardless of deployment geo;
    • Azure Active Directory (except for Access Control), which may store Active Directory Data globally except for the United States (where Active Directory Data remains in the United States) and Europe (where Active Directory Data is in Europe and the United States);
    • Azure Multi-Factor Authentication, which stores authentication data in the United States;
    • Azure RemoteApp, which may store end user names and device IP addresses globally, depending on where the end user accesses the service.
  • Microsoft does not control or limit the geos from which customers or their end users may access Customer Data.

Customer Data and Other Data Types

  • Customer Data is all the data, including all text, sound, software or image files that you provide, or are provided on your behalf, to us through your use of the Services. For example, Customer Data includes data that you upload for storage or processing in the Services and applications that you or your end users upload for hosting in the Services. It does not include configuration or technical settings and information.
  • Administrator Data is the information about administrators (including account contact and subscription administrators) provided during sign-up, purchase, or administration of the Services, such as name, address, phone number, and e-mail address.
  • Metadata includes configuration and technical settings and information. For example, it includes the disk configuration settings for an Azure Virtual Machine or database design for an Azure SQL Database.
  • Access Control Data is used to manage access to other types of data or functions within Azure. It includes passwords, security certificates, and other authentication-related data.

Independently verified

By providing customers with compliant, independently verified cloud services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run in Azure. Microsoft provides Azure customers with detailed information about our security and compliance programs, including audit reports and compliance packages, to help customers assess our services against their own legal and regulatory requirements.

In addition, Microsoft has developed an extensible compliance framework that enables it to design and build services using a single set of controls to speed up and simplify compliance across a diverse set of regulations and rapidly adapt to changes in the regulatory landscape. More information on specific compliance programs is available here:

  • ISO 27001/27002
  • SOC 1/SSAE 16/ISAE 3402 and SOC 2
  • Cloud Security Alliance CCM
  • FedRAMP
  • FISMA
  • FBI CJIS (Azure Government)
  • PCI DSS Level 1
  • United Kingdom G-Cloud
  • Australian Government IRAP
  • Singapore MTCS Standard
  • HIPAA
  • EU Model Clauses
  • Food and Drug Administration 21 CFR Part 11
  • FERPA
  • FIPS 140-2
  • CCCPPF
  • MLPS

SOC 1/SSAE 16/ISAE 3402 and SOC 2 Attestations

Azure has been audited against the Service Organization Control (SOC) reporting framework for both SOC 1 Type 2 and SOC 2 Type 2. Both reports are available to customers to meet a wide range of US and international auditing requirements.

The SOC 1 Type 2 audit report attests to the design and operating effectiveness of Azure controls. The SOC 2 Type 2 audit included a further examination of Azure controls related to security, availability, and confidentiality. Azure is audited annually to ensure that security controls are maintained.

Audits are conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16 put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) and International Standard on Assurance Engagements (ISAE) 3402 put forth by the International Auditing and Assurance Standards Board (IAASB). In addition, the SOC 2 Type 2 audit included an examination of the Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA).

The audit included the Information Security Management System (ISMS) for Azure, encompassing infrastructure, development, operations, management, support, and in-scope services. Customers should contact Azure Support (or new customers can contact their account representative) to request a copy of the SOC 1 Type 2 and SOC 2 Type 2 reports for Azure.

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is designed to provide fundamental security principles to guide cloud vendors and to assist prospective customers in assessing the overall security risk of a cloud provider. Detailed information about how Azure fulfills the security, privacy, compliance, and risk management requirements defined in the CCM version 1.2 is also published in the CSA's Security Trust and Assurance Registry (STAR). In addition, the Microsoft Approach to Cloud Transparency paper provides an overview of how Microsoft addresses various risk, governance, and information security frameworks and standards, including the CSA CCM v1.2.

Federal Risk and Authorization Management Program (FedRAMP)

Azure has been granted a Provisional Authority to Operate (P-ATO) from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB) at a Moderate impact level based upon the FIPS 199 classification. Following a rigorous security review, the JAB approved a provisional authorization that an executive department or agency can leverage to issue a security authorization and an accompanying Authority to Operate (ATO). This will allow U.S. federal, state, and local governments to more rapidly realize the benefits of the cloud using Azure.

FedRAMP is a mandatory U.S. government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services.

The FedRAMP audit included the Information Security Management System (ISMS) for Azure, encompassing infrastructure, development, operations, management, support, and in-scope services. Government agencies can request the Azure FedRAMP security package. Microsoft intends to pursue FedRAMP certification for Azure Government.

Payment Card Industry (PCI) Data Security Standards (DSS) Level 1

Azure is Level 1 compliant under the Payment Card Industry (PCI) Data Security Standards (DSS) as verified by an independent Qualified Security Assessor (QSA), allowing merchants to establish a secure cardholder environment and to achieve their own certification.

The PCI DSS is an information security standard designed to prevent fraud through increased controls around credit card data. PCI certification is required for all organizations that store, process or transmit payment cardholder data. Customers can reduce the complexity of their PCI DSS certification by using compliant Azure services.

The audit included the Information Security Management System (ISMS) for Azure, encompassing infrastructure, development, operations, management, support, and in-scope services. The Azure PCI Attestation of Compliance and Azure Customer PCI Guide are available for immediate download.