
Exam MS-500 topic 4 question 11 discussion

Actual exam question from Microsoft's MS-500
Question #: 11
Topic #: 4

HOTSPOT -
You view Compliance Manager as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: perform an assessment -
You can start working with assessments and taking improvement actions to implement controls and improve your compliance score.
Box 2: shows that actions are required to evaluate compliance
Your compliance score measures your progress in completing recommended actions that help reduce risks around data protection and regulatory standards. It does not express an absolute measure of organizational compliance with regard to a particular standard or regulation.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-quickstart?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-faq?view=o365-worldwide

Comments

yaco33
Highly Voted 5 years, 2 months ago
Correction: Assign Action items https://docs.microsoft.com/en-us/microsoft-365/compliance/meet-data-protection-and-regulatory-reqs-using-microsoft-cloud?view=o365-worldwide#assessments-in-compliance-manager -Shows that actions are required to evaluate compliance the compliance manager can't be used to determine if an org is "compliant or not." The Compliance Score does not express an absolute measure of organizational compliance with any particular standard or regulation. It expresses the extent to which you have adopted controls which can reduce the risks to personal data and individual privacy. No service can guarantee that you are compliant with a standard or regulation, and the Compliance Score should not be interpreted as a guarantee in any way.
upvoted 48 times
WMG
3 years, 10 months ago
This is not correct, at least not as of writing this answer. You perform an Assessment. Documentation states: " [your score] is the accumulation of points received for each control assessment that has been marked as Implemented and Tested in the Assessment." Second answer is correct, you bring in your external auditor to verify you are in compliance (=actions required to evaluate compliance) So the answers given are correct.
upvoted 4 times
...
jack987
5 years ago
I agree with Yaco33. Answer: Assign Action Shows that actions are required to evaluate compliance
upvoted 18 times
...
...
yaco33
Highly Voted 5 years, 2 months ago
I think it should be: - Review Actions -Shows that actions are required to evaluate compliance
upvoted 15 times
...
Jonclark
Most Recent 2 years, 4 months ago
The first section really should allow multiple selections, or better yet allow you to put choices in order. If you want to improve your GDPR compliance:
1. Start with your current assessment (that's available and showing in the portal).
2. Review the actions suggested. Is the assessment correct? Does something need to get fixed?
3. Assign the actions. Remediate the controls which did not pass and/or have gaps.
*** at this point, your GDPR compliance has actually improved -- good job! ***
4. Run a new assessment.
*** at this point, the compliance portal will show your improvement ***
The question is about the score you see in the portal and making it higher, so if I can only pick one, I go with my step 4 above -- perform an assessment. If someone did steps 1-3, I expect the score will be higher.
Regarding the second section: Tools are great, but auditors make the call on whether you are compliant with regulation. For several reasons, I would never deploy a tool that automatically leaves a discoverable record stating "compliant" or "not compliant" with GDPR.
upvoted 4 times
...
Whatsamattr81
2 years, 11 months ago
It's got to be perform an assessment... Just assigning action items won't improve your score... You have to complete the assessment against the standard you want.
upvoted 3 times
...
mkoprivnj
3 years, 6 months ago
3 & 3 is correct!
upvoted 3 times
...
Rstilekar
3 years, 7 months ago
I agree with Yaco33 and Joshing... Technically neither assigning nor reviewing the Improvement Actions will increase the compliance score. It's only when you change the implementation and testing to passed will it improve the score but I guess by Microsoft's documentation you would in an ideal world assign the action for someone to implement. (( the score only changes if these action items are being handled. and you can assign individual items to users in order for them to carry out whatever is required for that action, being a simple review or something else. )) An assessment isn't required as the image shows there are already three assessments in progress for GDPR. It even shows they are on the assessments tab in Compliance Manager. GDPR wouldn't show up here if the assessment hadn't been created. So definitely not the correct answer. The second answer is correct though (actions are required to evaluate compliance)
upvoted 6 times
...
Joshing
3 years, 10 months ago
Technically neither assigning nor reviewing the Improvement Actions will increase the compliance score. It's only when you change the implementation and testing to passed will it improve the score but I guess by Microsoft's documentation you would in an ideal world assign the action to someone to implement. An assessment isn't required as the image shows there are already three assessments in progress. It even shows they are on the assessments tab in Compliance Manager. GDPR wouldn't show up here if the assessment hadn't been created. So definitely not the correct answer. The second answer is correct though.
upvoted 5 times
...
TimurKazan
4 years, 2 months ago
I would go with "perform an assessment" and "shows that actions are required to evaluate compliance"
upvoted 2 times
...
Sugar123
4 years, 3 months ago
Correct Answers are: Assign action items. See "Improvement actions" section : https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager?view=o365-worldwide Shows that actions are required to evaluate compliance. "If I have a high score, does it mean I’m fully compliant? No. Your compliance score measures your progress in completing recommended actions that help reduce risks around data protection and regulatory standards. It does not express an absolute measure of organizational compliance with regard to a particular standard or regulation. Compliance Manager, and your compliance score, should not be interpreted as a guarantee in any way." https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-faq?view=o365-worldwide
upvoted 3 times
...
Martyvdb
4 years, 5 months ago
You are likely to find that many of the noted actions are already complete when you review them. You simply need to review them, set an implementation and test date, and earn the points. The noted score does not mean you are not compliant. It means you need to assess the recommended actions and confirm if you have them set or not.
upvoted 1 times
SSK500
4 years, 4 months ago
So the answer should be "perform an assessment"?
upvoted 2 times
...
...
BBR
4 years, 7 months ago
1. To increase the GDPR Compliance Score for Microsoft Office 365, you must: Perform an assessment. "Compliance Manager displays the total score for Office 365 ASSESSMENTS in the upper right-hand corner of the tile. This is the overall total Compliance Score for the Assessment and is the accumulation of points received for each control assessment..." From: https://docs.microsoft.com/en-us/microsoft-365/compliance/meet-data-protection-and-regulatory-reqs-using-microsoft-cloud?view=o365-worldwide#understanding-the-compliance-score
upvoted 8 times
TonySuccess
4 years, 6 months ago
Yep, looks to be another one of those things that has updated and changed recently. You need to 'Add Assessment' this then provides you with the improvement actions to increase the score. I can't even see assign action items or review actions anymore when in: https://compliance.microsoft.com/compliancemanager
upvoted 1 times
...
...
Dhanger
4 years, 8 months ago
Organization is non-compliant: The Compliance Score is a core component of the way that Compliance Manager helps organizations understand and manage their compliance. The Compliance Score for an assessment is an expression of the company's compliance with a given standard or regulation as a number, where the higher the score (up to the maximum number of points allocated for the Assessment), the better the company's compliance posture. Understanding the compliance scoring methodology in which assessment controls are assigned risk severity values between 1-10 (low to high), and how completed control assessments add to the total compliance score is crucial to organizations for prioritizing their actions. https://docs.microsoft.com/en-us/microsoft-365/compliance/meet-data-protection-and-regulatory-reqs-using-microsoft-cloud?view=o365-worldwide#understanding-the-compliance-score
upvoted 1 times
...
junkz
4 years, 11 months ago
The score is comprised by many improvement actions. Some actions require just to be read/reviewed, some require interactive approach and mitigation. But the score only changes if these action items are being handled. And you can assign individual items to users in order for them to carry out whatever is required for that action, being a simple review or something else. Remember that IT dep is not going to be responsible for the way the data is classified by business for example. So it cannot and should not even attempt to handle each of the improvement actions that are surfaced in the portal. So assigning items is the right answer here
upvoted 2 times
...
mehnaz
4 years, 11 months ago
How is the organization non-compliant? Do we need to complete a certain percentage of "customer managed actions" for being compliant?
upvoted 2 times
mehnaz
4 years, 11 months ago
could be because only 7/63 customer managed actions completed.
upvoted 1 times
...
...
examuser123
5 years ago
This is a tricky one. Last one is correct (does not prove if compliant). Based on the wording it could either be review or perform an assessment. When clicking review for an action item it does give you the option to state it has been implemented which increases your score. Poor wording/answer selection as usual
upvoted 1 times
...
FableFa
5 years ago
Assigning or reviewing action doesn't increase the score! You need to pass the assessment... For me answer are: 1. Perform an assessment & 2. Show that actions are required to evaluate compliance.
upvoted 4 times
musiman
4 years, 7 months ago
You are right. You need to do an assessment: Each Assessment includes a total Compliance Score based on the shared responsibility model. Microsoft's implementation and testing of controls for Office 365 contributes a portion of the total possible points associated with a GDPR assessment. As the customer implements and tests each of the customer Actions, the Compliance Score for the Assessment will increase by the value assigned to the control.
upvoted 3 times
...
...
billy22
5 years ago
Yaco is right, check this link: https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-score-faq?view=o365-worldwide#if-i-have-a-high-score-does-it-mean-im-fully-compliant
upvoted 2 times
...