Last Updated on November 25, 2019
I have been around long enough to remember when the phrase “Microsoft security” was an oxymoron. But it’s amazing how things have changed in the last five years or so. Microsoft has really come into its own as a thought leader on security.
Recently Microsoft introduced a great new term that I love: HBI (High Business Impact) data. HBI is essentially a vendor risk classification scheme that applies to vendors/partners that access critical data (e.g., financial data, source code, facial recognition data, Social Security numbers, credit card data, sales account data, sales and marketing plans, etc.).
It appears as though Microsoft really understands the security risks associated with HBI as it is requiring third parties across a diverse set of disciplines (e.g., call centers, manufacturers, Microsoft Consulting Partners) that access this data to attain ISO 27001 certification in order to maintain their good standing as a Microsoft vendor/partner.
What I like about the term HBI is that it really resonates with people. Recently I was working with a client to help them get their initial vendor risk classifications for their Vendor Risk Management program established, and I wasn’t really getting the point across with traditional terms like “high risk” data. When I said, “Microsoft uses the term High Business Impact data …” the conversation took on a whole new and positive direction. Even better, one of the attendees pulled up the specific types of data that are classified as HBI on Microsoft’s website and we were off to the races. As you might imagine there is also an MBI (Moderate Business Impact), LBI (Low Business Impact) and Public designation in their classification scheme.
Kudos to Microsoft… for setting the bar high on Vendor Risk Management practices.