Client Security Statement: Microsoft 365 Shared Responsibility Model

At Baker McKenzie, we prioritize the security and confidentiality of our clients' information. As part of our commitment to safeguarding our clients’ data, we utilize Microsoft 365, a robust and secure cloud-based platform for hosting client information.

The following Microsoft 365 services are utilized:

SharePoint Online
Microsoft Teams
Power Platform
Power BI
Planner

Understanding the shared responsibility model is crucial to ensuring the highest level of security.

Shared Responsibility Model Overview

Microsoft 365 operates under a shared responsibility model, which delineates the security obligations between Microsoft and Baker McKenzie. In addition, client organizations maintain security responsibilities in relation to their organization’s usage of the Microsoft 365 client platform. This model ensures comprehensive protection by clearly defining the roles and responsibilities of each party.

Microsoft's Responsibilities:

  1. Securing the underlying infrastructure, including data centres, network components, and physical hardware.
  2. Securing the Microsoft 365 platform itself, including applications like Exchange Online, SharePoint Online, and Microsoft Teams.
  3. Application of baseline service encryption to all tenants including encryption of data stored in Exchange Online, SharePoint Online, OneDrive, and Teams.
  4. The availability of the Microsoft 365 platform and its applications.
  5. Adherence to global standards and regulations via compliance audits and certification.

Further information can be found via the following Microsoft resources:

Shared responsibility in the cloud

Securing the Microsoft Online Services infrastructure

Microsoft 365 isolation controls

Existing Microsoft customers may obtain copies of certifications and audit reports via the Microsoft Service Trust Portal.

Baker McKenzie Responsibilities:

  1. User Access Management: We manage user access and permissions within Microsoft 365 to ensure that only authorized personnel have access to sensitive information. This includes implementing strong authentication methods and regularly reviewing access rights.
  2. Data Protection: Our firm is responsible for protecting the data stored within Microsoft 365. This involves implementing monitoring and regular backups to safeguard against data breaches and loss.
  3. Logging and Monitoring: We maintain automated monitoring systems and correlation tools to detect, alert on and prevent anomalous or suspicious activity.
  4. Data Retention: We manage data retention policies to ensure that data is retained for the appropriate duration in compliance with legal and regulatory requirements. This includes setting retention periods and archiving data.
  5. Data Return: On termination of a client’s use of the platform, or at the client’s request, we will return client data in a timely manner.
  6. Data Disposal: If requested by the client, all commercially reasonable attempts will be made to delete any client data following return of data to the client.
  7. Change Management: We adhere to ITIL change management processes for technical changes, ensuring consistent evaluation, approval, and controlled implementation of changes within the Microsoft 365 client platform. We also evaluate and monitor Microsoft changes to the Microsoft 365 services to ensure compliance with Firm standards and client obligations.
  8. Security Awareness Training: We provide ongoing security awareness training to our staff to ensure they are knowledgeable about best practices for using Microsoft 365 securely. This includes recognizing phishing attempts, using strong passwords, and reporting suspicious activities.
  9. Incident Response: In the event of a security incident, our firm has established protocols for swift response and mitigation. We work closely with Microsoft to address any issues and ensure the continued protection of our clients' data.

Client Responsibilities:

  1. Data Management: Clients are responsible for managing their organization’s data within the Firm’s Microsoft 365 client platform and ensuring that any data shared within the platform is handled in accordance with their organization's data protection policies and relevant regulations.
  2. Compliance: Ensure client organization’s use of the Microsoft 365 platform complies with client organization's policies and any applicable legal or regulatory requirements. This includes client organization’s compliance with the Baker & McKenzie External Collaboration Terms of Use.
  3. User Access: Identifying, approving, and requesting access for a client organization’s individual users, and immediately informing Baker McKenzie when termination of a user’s access is required.
  4. Security Awareness: Educating the client organization’s users on the importance of security and best practices for using the Microsoft 365 Platform, including safeguarding data, recognizing phishing attempts and reporting suspicious activities.

Conclusion

By leveraging Microsoft 365 and adhering to the shared responsibility model, Baker McKenzie is dedicated to maintaining the highest standards of security for our clients. We continuously monitor and enhance our security practices to protect client information.