Grafton Banks Finance Security Statement
Grafton Banks Finance works alongside IT Builder, which provides a cloud hosting service through Microsoft Azure.
How does Microsoft host its online services?
Microsoft delivers more than 200 cloud services, including enterprise services such as Microsoft Azure, Microsoft 365, and Microsoft Dynamics 365, to customers 24x7x365. These services are hosted in Microsoft's cloud infrastructure composed of globally distributed datacentres, edge computing nodes, and service operations centres. They are supported and connected by one of the world's largest global networks, with an extensive fibre footprint.
The datacentres that power our cloud offerings focus on high reliability, operational excellence, cost-effectiveness, environmental sustainability, and a trustworthy online experience for customers and partners worldwide. Microsoft regularly tests the security of our datacentres through both internal and third-party audits. As a result, the most highly regulated organizations in the world trust the Microsoft cloud, which is compliant with more certifications than any other cloud service provider.
How does Microsoft protect its datacentres from unauthorized access?
Access to physical datacentre facilities is tightly controlled by outer and inner perimeters with increasing security at each level, including perimeter fencing, security officers, locked server racks, integrated alarm systems, around-the-clock video surveillance by the operations centre, and multi-factor access control. Only required personnel are authorized to access Microsoft datacentres. Logical access to Microsoft 365 infrastructure, including customer data, is prohibited from within Microsoft datacentres.
Our Security Operations Centres use video surveillance along with integrated electronic access control systems to monitor datacentre sites and facilities. Cameras are strategically positioned for effective coverage of the facility perimeter, entrances, shipping bays, server cages, interior aisles, and other sensitive security points of interest. As part of our multi-layered security posture, any unauthorized entry attempts detected by the integrated security systems generate alerts to security personnel for immediate response and remediation.
How does Microsoft protect its datacentres from environmental hazards?
Microsoft employs a variety of safeguards to protect against environmental threats to datacentre availability. Datacentre sites are strategically selected to minimize risk from a variety of factors, including floods, earthquakes, hurricanes, and other natural disasters. Our datacentres use climate control to monitor and maintain optimized conditioned spaces for staff, equipment, and hardware. Fire detection and suppression systems and water sensors help to detect and prevent fire and water damage to equipment.
Disasters are unpredictable, but Microsoft datacentres and operations personnel prepare for disasters to provide continuity of operations should unexpected events occur. Resilient architecture and up-to-date tested continuity plans mitigate potential damage and promote swift recovery of datacentre operations. Crisis management plans provide clarity on roles, responsibilities, and mitigation activities before, during, and after a crisis. The roles and contacts defined in these plans facilitate effective escalation up the chain of command during crisis situations.
How does Microsoft verify the effectiveness of datacentre security?
We understand that for our customers to fully realize the benefits of the cloud, they must be able to trust their cloud service provider. Our infrastructure and suite of cloud services are built from the ground up to address the rigorous security and privacy requirements of our customers. We help our customers comply with national, regional, and industry-specific requirements governing the collection and use of individuals' data by providing the most comprehensive set of compliance offerings of any cloud service provider.
Our cloud infrastructure and offerings meet a broad set of international and industry-specific compliance standards, such as ISO, HIPAA, FedRAMP, and SOC, as well as country-specific standards, like Australia's IRAP, UK's G-Cloud, and Singapore's MTCS. Rigorous, third-party audits verify our adherence to the strict security controls these standards mandate. Audit reports for our datacentre infrastructure and cloud offerings are available at the Microsoft Service Trust Portal.
Related external regulations & certifications
Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following table for validation of controls related to datacentre security.
External audits
ISO 27001/27002 (Azure)
Statement of Applicability
April 24, 2023
Certificate
A.11: Physical and environmental security
SOC 1 (Azure)
PE-1: Datacenter physical access provisioning
PE-2: Datacenter security verification
PE-3: Datacenter user access review
PE-4: Datacenter physical access mechanisms
PE-5: Datacenter physical surveillance monitoring
PE-6: Datacenter critical environment maintenance
PE-7: Datacenter environmental controls
PE-8: Datacenter incident response
August 24, 2023
SOC 2 (Azure)
PE-1: Datacenter physical access provisioning
PE-2: Datacenter security verification
PE-3: Datacenter user access review
PE-4: Datacenter physical access mechanisms
PE-5: Datacenter physical surveillance monitoring
PE-6: Datacenter critical environment maintenance
PE-7: Datacenter environmental controls
PE-8: Datacenter incident response
Last update: October 2023