There is no denying that Office 365 can make us highly productive, sharing and collaborating with coworkers, partners and clients. But, does it take care of our security and compliance issues? Is our data secure in Office 365? Yes, and no. The security of our information in Office 365 is a shared responsibility between Microsoft (the cloud provider) and us (the customers). Office 365 is a secure platform, but to truly secure our data we must make effective use of the security capabilities and features provided within the platform. We must also have strong information governance structures in place to control how information is shared and accessed through the platform. This session will provide a detailed review of the Office 365 Security and Compliance Center, including how to use the built in capabilities for alerts, data loss prevention policies, activity audit logs, advanced security management and customer lockbox. We'll also review recommended information governance and security practices based on customer experiences to help you effectively secure your information in Office 365 and uphold your end of the shared responsibility.

1. Internal Audit, Risk, Business & Technology Consulting
INFORMATION SECURITY IN OFFICE 365:
A SHARED RESPONSIBILITY
March 2017
Antonio Maio
Protiviti | Senior SharePoint Architect
Microsoft Office Server and Services MVP
Email: antonio.maio@protiviti.com
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2

2. © 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
SHARED RESPONSIBILITY
2
• Understand Cloud Provider Responsibilities
• Understand Your Responsibilities
In a cloud environment, security and information protection
must be a Shared Responsibility.
Understanding how your responsibilities are managed
requires strong Information Governance policies &
procedures.
SAAS = Office 365
PAAS = Azure Web Services, Azure Functions
IAAS = Azure VMs

3. © 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
• SharePoint Permissions
• Information Rights Management/Azure RMS
• External Sharing Controls
• OneDrive for Business Sharing Controls
• (built in) TLS 1.2 Communication
• (built in) Encrypted Data at Rest
• Multi-Factor Authentication
• Modern Authentication (ADAM)
• Retention Policies
• Site Classification
• Office 365 Trust Center
• Secure Score
• Security and Compliance Center
− Activity Monitoring/Audit Log Search
− Automatic Alerts
− Security Roles & Permissions
− Data Loss Prevention
− Advanced Security Management
− eDiscovery
− Mail Filtering/Anti-Malware/DKIM
− Advanced Threat Protection (ATP for email)
− Compliance Reports/Trust Documents/Audit Controls
• Customer Lockbox
• Threat Intelligence (preview)
• Advanced Data Governance (preview)
• Azure Information Protection
• Azure Key Fault/Bring your Own Key (BYOK)
OFFICE 365 SECURITY
Capabilities & Features
3

4. Internal Audit, Risk, Business & Technology Consulting
DEMONSTRATION
External Sharing Controls
OneDrive for Business Sharing Controls

5. © 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
• SharePoint Permissions
• Information Rights Management/Azure RMS
• External Sharing Controls
• OneDrive for Business Sharing Controls
• (built in) TLS 1.2 Communication
• (built in) Encrypted Data at Rest
• Multi-Factor Authentication
• Modern Authentication (ADAM)
• Retention Policies
• Site Classification
• Office 365 Trust Center
• Secure Score
• Security and Compliance Center
− Activity Monitoring/Audit Log Search
− Automatic Alerts
− Security Roles & Permissions
− Data Loss Prevention
− Advanced Security Management
− eDiscovery
− Mail Filtering/Anti-Malware/DKIM
− Advanced Threat Protection (ATP for email)
− Compliance Reports/Trust Documents/Audit Controls
• Customer Lockbox
• Threat Intelligence (preview)
• Advanced Data Governance (preview)
• Azure Information Protection
• Azure Key Fault/Bring your Own Key (BYOK)
OFFICE 365 SECURITY
Capabilities & Features
5

6. Internal Audit, Risk, Business & Technology Consulting
DEMONSTRATION
Office 365 Security and Compliance Center

7. © 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
• SharePoint Permissions
• Information Rights Management/Azure RMS
• External Sharing Controls
• OneDrive for Business Sharing Controls
• (built in) TLS 1.2 Communication
• (built in) Encrypted Data at Rest
• Multi-Factor Authentication
• Modern Authentication (ADAM)
• Retention Policies
• Site Classification
• Office 365 Trust Center
• Secure Score
• Security and Compliance Center
− Activity Monitoring/Audit Log Search
− Automatic Alerts
− Security Roles & Permissions
− Data Loss Prevention
− Advanced Security Management
− eDiscovery
− Mail Filtering/Anti-Malware/DKIM
− Advanced Threat Protection (ATP for email)
− Compliance Reports/Trust Documents/Audit Controls
• Customer Lockbox
• Threat Intelligence (preview)
• Advanced Data Governance (preview)
• Azure Information Protection
• Azure Key Fault/Bring your Own Key (BYOK)
OFFICE 365 SECURITY
Capabilities & Features
7

8. Internal Audit, Risk, Business & Technology Consulting
DEMONSTRATION
Office 365 Secure Score

9. © 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
• SharePoint Permissions
• Information Rights Management/Azure RMS
• External Sharing Controls
• OneDrive for Business Sharing Controls
• (built in) TLS 1.2 Communication
• (built in) Encrypted Data at Rest
• Multi-Factor Authentication
• Modern Authentication (ADAM)
• Retention Policies
• Site Classification
• Office 365 Trust Center
• Secure Score
• Security and Compliance Center
− Activity Monitoring/Audit Log Search
− Automatic Alerts
− Security Roles & Permissions
− Data Loss Prevention
− Advanced Security Management
− eDiscovery
− Mail Filtering/Anti-Malware/DKIM
− Advanced Threat Protection (ATP for email)
− Compliance Reports/Trust Documents/Audit Controls
• Customer Lockbox
• Threat Intelligence (preview)
• Advanced Data Governance (preview)
• Azure Information Protection
• Azure Key Fault/Bring your Own Key (BYOK)
OFFICE 365 SECURITY
Capabilities & Features
9

10. • Customer must approve access request, beforeMicrosoft engineer gets any access to Customertenant
Customers can control whether Microsoft Office 365 engineers may have access to their tenant.

11. Customers can control whether Microsoft Office 365 engineers may have access to their tenant.

12. Customers can control whether Microsoft Office 365 engineers may have access to their tenant.

13. © 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
FINAL THOUGHTS
• Understand your Responsibilities
• Learn about Office 365 Security Capabilities
−Understand which are relevant to you and your business
• Develop a Security Role Out Plan
• Ensure the selected security procedures (and capabilities) line up with
your Information Governance Plan
13

14. © 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed
or registered as a public accounting firm and does not issue opinions on financial statements or
offer attestation services. All registered trademarks are the property of their respective owners.