SharePoint Governance and Compliance

SPC Adriatics 2016 - SharePoint Governance and Compliance


  2. Governance Framework
  3. Governance stakeholders:
     • Executive stakeholders
     • Business division leaders
     • Financial stakeholders
     • Software development leaders
     • IT managers
     • Technical specialists
     • Trainers
     • Influential information workers
     • Information architects or taxonomists
     • Compliance officers
  6. Change management
     • Communications
     • Sponsor roadmap
     • Training
     • Coaching
     • Resistance management
     • Change management tools
     • Individual phases of change (ADKAR®): Awareness, Desire, Knowledge, Ability, Reinforcement™
  7. Transparency and Control in Office 365
  8. Continuous Compliance in Office 365
     • Built-in capabilities for compliance with standards:
       • Enable customers to meet global compliance standards such as ISO 27001, EUMC, HIPAA and FISMA
       • Contractually commit to privacy, security and handling of customer data through Data Processing Agreements
     • Customer controls for compliance with internal policies:
       • Admin controls such as Data Loss Prevention, Archiving and eDiscovery to enable organizational compliance
  9. Standards and certifications by region and market:

     | Standard / Certification | Region | Market |
     |---|---|---|
     | SSAE/SOC | Global | Finance |
     | ISO27001 | Global | Global |
     | EUMC | Europe | Europe |
     | FERPA | U.S. | Education |
     | FISMA/FedRAMP | U.S. | Government |
     | HIPAA | U.S. | Healthcare |
     | HITECH | U.S. | Healthcare |
     | ITAR | U.S. | Defense |
     | HMG IL2 | UK | Government |
     | CJIS | U.S. | Law Enforcement |
     | Article 29 | Europe | Europe |
     | + SOC 2 | Global | Global |

     + EU Data Protection Authorities validate Microsoft’s approach to privacy.
  10. How Office 365 does Compliance
     • Foundation layers: Physical Security, Security Best Practices, Secure Network Layer, Data Encryption
     • Office 365 Service | Control Sets | Certifications
     • Built-in capabilities: Account Management, Incident Monitoring, Data Encryption (encryption of stored data and more…), Data Minimization & Retention, Access Control, new certifications and more…
     • Customer controls: DLP, OME, S/MIME, RBAC, RMS
  11. [Chart: growth of the Office 365 compliance program from 2008 to 201x. Series plotted: Compliance Controls, Workloads in Boundary, Total certifications / standards compliant to, and user scale in millions. Certifications and standards on the timeline: SAS70, ISO27001, HIPAA BAA, DPA, FedRAMP, CJIS, SOC 2 Type 2, ISO27018, MLPS, OFFICIAL, IRS1075, DISA IL2, ITAR, MT, BPOS-D, FERPA, SOC 1 Type 2, EU Model Clauses, FISMA, EU Safe Harbor. Transparency milestones: proof of ISO report, FISMA quarterly contmon reports, Finserv summits, FedRAMP monthly contmon reports, control sharing, deep contmon, trust.microsoft.com for finserv.]
  12. Risk ownership, on premises versus cloud:

     | Risk treatment | Confidentiality: On Premises | Confidentiality: Cloud | Integrity: On Premises | Integrity: Cloud | Availability: On Premises | Availability: Cloud |
     |---|---|---|---|---|---|---|
     | Mitigate | Customer | Shared | Customer | Microsoft | Customer | Microsoft |
     | Accept | Customer | Shared | Customer | Shared | Customer | Shared |
     | Transfer | - | Microsoft (Contracts & Compliance) | - | Microsoft (Contracts & Compliance) | - | Microsoft (SLA) |
  13. http://trust.office365.com – direct link to Data Maps
  14. Ever Evolving Approach to Compliance (Compliance Management Framework):
     1. Market & Competitive Intelligence
     2. Regulatory Impact Analysis (RSIA)
     3. Define Security and Privacy controls
     4. Determine Implementation Requirements
     5. Implement Controls
     6. Document Implementation
     7. Continuous Monitoring
     8. Independent verification (Audits)
     9. Remediation
     10. Prioritize
  15. Key Principles – cloud providers must:
     • Not use data for advertising or marketing unless express consent is obtained
     • Be transparent about data location and how data is handled
     • Be accountable to determine if customer data was impacted by a breach of information security
     • Communicate to customers and regulators in the event of a breach
     • Provide customers with control over how their data is used
     • Have services independently audited for compliance with this standard
  17. Control Effectiveness Assessment (Audit) Schedule – audit cadence, monthly from Nov 2014 through Nov 2015: ISO, FedRAMP MT, ISAE3402/SOC, ITAR, ISO
  18. Trust but verify
     • Share latest audit reports (third-party verification)
     • Compliance Program (Right to Examine*)
     • Transparency and Control through continuous monitoring
     * For larger, highly regulated customers
  19. Managing Risk
     • Part of the responsibility for the secure management of the service lies with each customer.
     • Office 365 supports a high degree of customer configuration.
     • Customers must put the following controls in place to ensure the security of their data:
       • Account Management
       • Access control
       • Segregation of duties
       • Awareness and training
       • Support requests
       • Use flexible customer controls in Office 365
  20. Compliance controls help to identify, monitor and protect sensitive data through deep content analysis: Identify, Protect, Monitor, and end user education
  21. Flexible tools for policy enforcement that provide the right level of control
     • Actions: ALERT, CLASSIFY, ENCRYPT, APPEND, OVERRIDE, REVIEW, REDIRECT, BLOCK
     • Tools: Transport Rules, Rights Management, Data Loss Prevention
  22. Email archiving and retention
     • Preserve
       • In-Place Archive: secondary mailbox with separate quota; managed through EAC or PowerShell; available on-premises, online, or through EOA
       • Governance: automated and time-based criteria; set policies at item or folder level; expiration date shown in email message
       • Hold: capture deleted and edited email messages; Time-Based In-Place Hold; granular Query-Based In-Place Hold; optional notification
     • Search
       • eDiscovery: web-based eDiscovery Center and multi-mailbox search; search primary, In-Place Archive, and recoverable items; delegate through role-based administration; de-duplication after discovery; auditing to ensure controls are met
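The controls named on slides 21 and 22 are configured in Exchange Online PowerShell. The script below is an added example, not part of the deck; it assumes an Exchange Online remote PowerShell session is already open, and every mailbox, policy, search and rule name is a placeholder.

```powershell
# Added example, not from the deck. Assumes an open Exchange Online PowerShell session;
# all identities and names below are placeholders.

# --- In-Place Archive: secondary mailbox with its own quota (slide 22) ---
Enable-Mailbox -Identity "alice@contoso.example" -Archive
Set-Mailbox -Identity "alice@contoso.example" -ArchiveQuota 100GB -ArchiveWarningQuota 90GB

# --- Governance: automated, time-based retention set at item or folder level ---
# Default tag for the whole mailbox: move items to the archive after 2 years.
New-RetentionPolicyTag -Name "Archive after 2 years" -Type All `
    -AgeLimitForRetention 730 -RetentionAction MoveToArchive
# Folder-level tag: purge Deleted Items after 30 days (recoverable by the user).
New-RetentionPolicyTag -Name "Purge Deleted Items 30d" -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery
New-RetentionPolicy -Name "Contoso Default Retention" `
    -RetentionPolicyTagLinks "Archive after 2 years","Purge Deleted Items 30d"
Set-Mailbox -Identity "alice@contoso.example" -RetentionPolicy "Contoso Default Retention"

# --- Hold: preserve deleted and edited items ---
# Time-based In-Place Hold: keep every item for 7 years (2555 days) from receipt.
New-MailboxSearch -Name "Hold-Finance-7y" -SourceMailboxes "alice@contoso.example" `
    -InPlaceHoldEnabled $true -ItemHoldPeriod 2555
# Query-based In-Place Hold: hold only items matching a KQL query, indefinitely.
New-MailboxSearch -Name "Hold-ProjectX" `
    -SourceMailboxes "alice@contoso.example","bob@contoso.example" `
    -SearchQuery 'subject:"Project X" OR attachment:xlsx' -InPlaceHoldEnabled $true

# --- eDiscovery: multi-mailbox search over primary, archive and recoverable items ---
New-MailboxSearch -Name "Discovery-Case-42" `
    -SourceMailboxes "alice@contoso.example","bob@contoso.example" `
    -SearchQuery 'from:"vendor@partner.example" AND sent>=2015-01-01' `
    -TargetMailbox "Discovery Search Mailbox" -LogLevel Full -IncludeUnsearchableItems
Start-MailboxSearch -Identity "Discovery-Case-42"
Get-MailboxSearch -Identity "Discovery-Case-42" | Select-Object Name,Status

# --- Slide 21 enforcement actions as transport rules ---
# BLOCK: reject outbound mail that contains a payment card number.
New-TransportRule -Name "Block outbound card numbers" -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name="Credit Card Number"; MinCount="1"}) `
    -NotifySender RejectMessage `
    -RejectMessageReasonText "Blocked: message contains payment card data"
# OVERRIDE: warn the sender with a policy tip but allow an explicit, justified override.
New-TransportRule -Name "Override for outbound SSNs" -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name="U.S. Social Security Number (SSN)"; MinCount="1"}) `
    -NotifySender RejectUnlessExplicitOverride `
    -RejectMessageReasonText "Contains a Social Security Number; justify to send"
# REVIEW: hold matching mail for a moderator instead of blocking it outright.
New-TransportRule -Name "Review outbound contracts" -SentToScope NotInOrganization `
    -AttachmentContainsWords "Confidential" -ModerateMessageByUser "compliance@contoso.example"
```

Each `New-MailboxSearch` with `-InPlaceHoldEnabled` requires the Discovery Management role, and the transport rules can be audited afterwards with `Get-TransportRule` and the message trace.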
  23. Privacy by design means that we do not use your information for anything other than providing you services
     • No advertising products out of Customer Data
     • No scanning of email or documents to build analytics or mine data
     • Various customer controls at admin and user level to enable or regulate sharing
     • If the customer decides to leave the service, they get to take their data and delete it in the service
     • Access to information about geographical location of data, who has access and when
     • Notification to customers about changes in security, privacy and audit information
  24. Resources
     • Office 365 Trust Center: http://trust.office365.com
     • Office 365 Blog: http://blogs.office.com/
       • Enabling transparency and control
       • Enhancing transparency and control for Office 365 customers
       • Customer Lockbox
       • Office 365 management activity API for security and compliance monitoring
     • Whitepapers:
       • Overview of Security and Compliance in Office 365: http://aka.ms/securitywhitepaper
       • Customer controls for Information Protection: http://aka.ms/customercontrolsm
     • Law Enforcement Requests Report: http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
