BLETCHLEY PARK
2023
A Microsoft 365 Community
COLLABORATION CONFERENCE
Wednesday, 27th September 2023
Cracking the Code: Expert Tips for Mastering Governance, Risk, and Compliance in Microsoft 365
Nikki Chapple, Simon Hudson
Agenda
Thank you to all our Sponsors (Platinum, Gold, Silver and Community sponsors)
GRC… bane or benefit
What do you feel about GRC?
Entry Poll
Agenda
Overview of GRC (Governance, Risk and Compliance) obligations and approaches
Thoughts on using the Maturity Model for Microsoft 365 GRC Competency to set your objectives
Pragmatic approaches to elevating your Compliance Score
Wider technical and business thinking for de-risking your operations and organisation
Governance, Risk and Compliance… it's not a nice-to-have. It's The Law
Elements of Governance, Risk, and Compliance (diagram)
GRC: Security, Processes
Governance: Strategies; Policies, Monitoring; Culture
Risk: Identify, Analyse, Control
Compliance: Laws, Regulations, Controls, Activities
Why do we need Governance, Risk & Compliance?
Data is exploding
Data regulations are increasing
Risks of not being compliant
Protecting data has become more challenging
We need to simplify compliance and to reduce risk
The risks of not being compliant
Loss of trust and reputational damage
Operational / financial impacts and loss
Fines
How can the Microsoft 365 Governance, Risk, and Compliance Maturity Model help?
The Maturity Model levels
• 100 - Initial: Ad hoc, reactive, uncontrolled
• 200 - Managed: Routine, legacy, firefighting, variable, personally managed
• 300 - Defined: Documented, policy-driven, planned, controlled, stable
• 400 - Predictable: Productive, interactive, responsive, enhanced, effective, adaptable, quality
• 500 - Optimising: Optimal, proactive, statistical, improvement-focus, automated, assured
More information on the maturity model ➡
Pragmatic approaches to GRC and the Purview score
Purview in context
Governance, Risk and Compliance Assessment (diagram)
Who, Where, How & When: Current vs. Future state across People, Technology, Process, Strategy, Regulations, Culture and Priorities
GRC Maturity
Recommendations: What & Why; Risk & compliance stance; Monitor and Enhance
Align the inputs with the demonstrable action-orientated outputs
Benchmarked against the GRC Competency
https://learn.microsoft.com/en-us/microsoft-365/community/microsoft365-maturity-model--governance-and-compliance
Can Copilot help?
Wouldn't it be great if Compliance Copilot could help with setting all this stuff up. Maybe it needs to be exposed to all the Compliance standards and regulations…
But that's in the future…
Helping Copilot get it right
• If you are planning to use Copilot, you had better make sure that you have cleansed your documents
• Good Governance drives this
• See https://techcommunity.microsoft.com/t5/microsoft-365-copilot/how-to-prepare-for-microsoft-365-copilot/ba-p/3851566
Using Copilot across GRC
• Copilot can (potentially):
  • Help gather information from multiple sources across your tenant (and beyond)
  • Provide summaries and reports
  • Respond to GRC queries from a chat prompt
  • Assist with Purview management and a Compliance Score improvement programme
  • Summarise collaboration and actions
  • Extract intent from Viva Goals
  • Extract employee engagement and sentiment from your teams
  • Potentially flag insider risks and internal bad actors
• AI can:
  • Translate technical insights into business insights
  • Avoid copyright and IP issues
What about Copilot itself
• Copilot takes the response from the LLM and post-processes it. This post-processing includes other grounding calls to Microsoft Graph, responsible AI checks, security, compliance and privacy reviews, and command generation.
• Prompts, responses, and data accessed through Microsoft Graph aren't used to train foundation LLMs, including those used by Microsoft 365 Copilot.
https://learn.microsoft.com/en-us/deployoffice/privacy/microsoft-365-copilot
Microsoft Security Copilot
• AI-powered security analysis tool that enables analysts to respond to threats quickly, process signals at machine speed, and assess risk exposure in minutes.
• Incident Response
• Threat Hunting
• Security Reporting
• https://www.microsoft.com/en-gb/security/business/ai-machine-learning/microsoft-security-copilot?rtc=2
Compliance Score vs Secure Score
Purview
• Number of elements: 2000+
• Grouped into security, compliance & privacy
• 9 sub-categories: Protect information, Govern information, Control Access, Manage Devices, Protect against threats, Discover and respond, Manage internal risks, Manage compliance, Privacy Management
• 350+ Assessment templates
• Board Led
• Business, Process & Technical control driven (Documentation, Operational and technical)
• Requires many controls outside the reach of the M365 / Azure platform
Entra/Defender
• Number of elements: 58
• Grouped into Identity, Data, Apps
• Singular security score
• IT Led
• Technical control driven
Review and prioritise in Purview
Successful Governance Risk & Compliance
Staff and Leadership
- Establish people-facing processes, such as policies, training, guidance, GRC roles and responsibilities and reporting.
Management tools
- Build organisational management tools (processes), such as risk registers, incident logs, action plans and processes around content lifecycle management, reporting, notifications and incident and risk responses. Have audit and reporting to sustain the approach.
Technical (Microsoft 365 +) Controls
- Implement technologies
- Configure tenant settings in Microsoft 365
- Monitor, plan and improve using Microsoft Purview
GRC Hints and Tips
• Use Copilot to assess content across your tenant
• Provide continuous, bite-sized updates via relatable avatars
• Create GRC champions / super users in each team and enable them through a super user network
• Build a GRC Portal with guidance pages and stories.
• Publish your Compliance Score and track over time (i.e. chart it)
https://kinataltd.sharepoint.com/sites/InformationGovernance/SitePages/Subject-Access-Requests.aspx?web=1
Guidance + Video
Script used (from Bing Chat)
Subject Access Requests (SARs) are an important aspect of the General Data Protection Regulation (GDPR). They allow individuals to request access to their personal data held by organizations. Staff members should be aware of the following key points regarding SARs and GDPR:
Recognizing a SAR: A SAR can be made verbally or in writing, including through social media. It does not need to include specific phrases or refer to particular legislation. The request should simply be clear that the individual is asking for their own personal data [1].
Formal Requirements: The UK GDPR does not set out formal requirements for a valid request. Therefore, an individual can make a SAR verbally or in writing, including through social media. They can direct it to any part of your organization without specifying a particular person or contact point [1].
Training and Procedures: It is essential to train staff members who regularly interact with the public to identify a SAR and understand the next steps [1]. Having a clear procedure in place and keeping a record of all requests and outcomes is also recommended [2].
Standard Forms: Providing standard forms for individuals to make requests can make it easier for both parties. However, it is not mandatory [1].
Handling Requests: Organizations have a legal responsibility to identify and handle any valid request correctly. If you receive a request verbally, you may still need to contact the individual in writing to confirm their identity [1]. It is also good practice to check with the requester if you have understood their request correctly [1].
Reasons for Request: Individuals are not required to provide reasons for making a request or explain what they intend to do with the information [1]. However, knowing the purpose of the request may help organizations locate the relevant information more effectively [1].
Children and Young People: Organizations should be prepared to handle requests for information about children or young people [1].
Freedom of Information: A valid SAR can be made even if it refers to other legislation, such as the Freedom of Information Act 2000 (FOIA) or the Freedom of Information (Scotland) Act 2002 (FOISA) [1].
Remember, SARs are an important right under GDPR, and organizations must handle them appropriately and responsibly.
How to improve your Microsoft 365 GRC maturity
GRC/Purview in context
Level 100 - User behaviour
Files stored in shared folders
File sharing via emails with attachments
Limited internal collaboration via Teams
No external collaboration
Level 100 - Ungoverned
Teams, Groups and sites are ungoverned
Guests are ungoverned
Data is not classified
No data lifecycle management
No awareness of Microsoft 365 changes
Level 200 - User behaviour
Starting to collaborate in Teams chats, not using Teams
Starting to use OneDrive
Shared folders still in use
Use email and file attachments to share files externally
No external collaboration
No or limited adoption
Level 200 - Security focused
Focus on security
MFA for users
Teams, Groups and sites creation may be locked down
Guest access may be blocked
Mailbox holds to retain data
Level 300 - User behaviour
Starting to work in Teams
OneDrive for personal use, SharePoint for collaboration
Shared folders limited or being migrated into M365
Share files via links
Internal and external collaboration in Teams
Tactical User Adoption
Level 300 - Basic Governance, Risk and Compliance
Sensitivity labels for Groups, Teams & Sites
Groups, Teams & Sites provisioning
Guest lifecycle management
Manual MIP labels for content
Data Loss Prevention based on labels
Selected data retention
Conditional Access & MFA
Level 400 - User behaviour
Teams collaboration is mainstream
What tool to use when is clear
All file shares migrated into M365
Users are clear on data criticality and data lifecycle
Embedded User Adoption
Level 400 - Risk-based governance & compliance
Teams, Groups & Sites lifecycle management
Automated content classification (protection & retention)
DLP extended to endpoints and Cloud Apps
Records management
Insider risk management
Risk-based access controls
PIM for privileged accounts
Level 500 – Extend and automate
Machine Learning classification
Syntex
3rd party ingestion of data
DLP extended to endpoints and Cloud Apps
Copilot
Independent Backup & Archive cold storage
What level of GRC maturity has your organisation achieved?
GRC Maturity Poll
Wider technical and business thinking
Purview in context
The business context (diagram): Business GRC; Corporate GRC; Purview + Azure + other; Microsoft 365 Purview
• GRC doesn't end at Purview
• Address/add your other platforms and Line of Business systems / infrastructure, e.g. Azure, Salesforce
• Think about the wider business needs
Practical steps
Establish board accountability
Agree strategy and priorities
Embed cultural change
Establish a programme for continuous improvement
Select initial focus area in Purview for attention
Build tools & processes outside Purview for non-technical control
The Kinata GRC portal
Where should you start
Best Practice
Before you start you need to know where you are now
You cannot go from 1% to 100% in one day
Take a crawl-walk-run approach
Manage based on risk
Be realistic. Design something that can be implemented
Involve the right teams
Governance, risk and compliance is not a project, it's a lifestyle
Start small and grow
Look beyond Microsoft and definitely beyond IT
Thank You!
Simon Hudson
Founder, Cloud2, Kinata, Novia Works
20+ years innovating with Microsoft technologies
Entrepreneur in Residence, University of Hull
M365 North user group host
simon@noviaworks.co.uk
@simonjhudson
Nikki Chapple
30+ years in IT & business transformation
Specialist Microsoft 365 governance & compliance
International speaker & blogger
All things M365 compliance Podcast co-host
Nikki.chapple@cloudway.com
@chapplnikki
Nikkichapple.com
Summary
Establish board accountability and a Chief Risk Officer role
Agree strategy and priorities
Embed cultural change
Establish a programme for continuous improvement
Select initial priority areas for attention
Build tools & processes outside Purview for non-technical controls

Safe Software
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 

Recently uploaded (20)

Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 

Cracking the Code- Expert Tips for Mastering GRC CollabDays Bletchley Sept 23 - .pdf

  • 1. BLETCHLEY PARK 2023 A Microsoft 365 Community COLLABORATION CONFERENCE Wednesday, 27th September 2023 Cracking the Code: Expert Tips for Mastering Governance, Risk, and Compliance in Microsoft 365 Nikki Chapple, Simon Hudson Agenda
  • 2. BLETCHLEY PARK 2023 Thank you to all our Sponsors Silver Platinum Gold Silver Community Sponsors
  • 3. GRC… bane or benefit What do you feel about GRC? Entry Poll
  • 5. Agenda Overview of GRC (Governance Risk and Compliance) obligations and approaches Thoughts on using the Maturity Model for Microsoft 365 GRC Competency to set your objectives Pragmatic approaches to elevating your Compliance Score Wider technical and business thinking for de-risking your operations and organisation
  • 6. Governance, Risk and Compliance… it's not a nice-to-have, it's the law. (Diagram labels: GRC, Security)
  • 8. Data is exploding Data regulations are increasing Risks of not being compliant Protecting data has become more challenging We need to simplify compliance and to reduce risk Why do we need Governance, Risk & Compliance?
  • 9. The risks of not being compliant • Loss of trust and reputational damage • Operational / financial impacts and loss • Fines
  • 13. How can the Microsoft 365 Governance, Risk, and Compliance Maturity Model help?
  • 14. The Maturity Model levels
    100 - Initial: ad hoc, reactive, uncontrolled
    200 - Managed: routine, legacy, firefighting, variable, personally managed
    300 - Defined: documented, policy-driven, planned, controlled, stable
    400 - Predictable: productive, interactive, responsive, enhanced, effective, adaptable, quality
    500 - Optimising: optimal, proactive, statistical, improvement-focused, automated, assured
    More information on the maturity model ➡
  • 15. Pragmatic approaches to GRC and the Purview score Purview in context
  • 16. Governance, Risk and Compliance Assessment Who, Where, How & When Current vs. Future state People Technology Process Strategy Regulations Culture Priorities GRC Maturity Recommendations What & Why Risk & compliance stance Monitor and Enhance
  • 17. Align the inputs with the demonstrable, action-orientated outputs. Benchmarked against the GRC Competency: https://learn.microsoft.com/en-us/microsoft-365/community/microsoft365-maturity-model--governance-and-compliance
  • 18. Can Copilot help? Wouldn’t it be great if Compliance Copilot could help with setting all this stuff up. Maybe it needs to be exposed to all the Compliance standards and regulations… But that’s in the future…
  • 19. Helping Copilot get it right • If you are planning to use Copilot, you had better make sure that you have cleansed your documents (Copilot answers from whatever the signed-in user can already reach, so over-shared and stale content surfaces too) • Good governance drives this • See https://techcommunity.microsoft.com/t5/microsoft-365-copilot/how-to-prepare-for-microsoft-365-copilot/ba-p/3851566
  • 20. Using Copilot across GRC • Copilot can (potentially): • Help gather information from multiple sources across your tenant (and beyond) • Provide summaries and reports • Respond to GRC queries from a chat prompt • Assist with Purview management and a Compliance Score improvement programme • Summarise collaboration and actions • Extract intent from Viva Goals • Extract employee engagement and sentiment from your teams • Potentially flag insider risks and internal bad actors • AI can: • Translate technical insights into business insights • Avoid copyright and IP issues
  • 21. What about Copilot itself • Copilot takes the response from the LLM and post-processes it. This post-processing includes other grounding calls to Microsoft Graph, responsible AI checks, security, compliance and privacy reviews, and command generation. • Prompts, responses, and data accessed through Microsoft Graph aren't used to train foundation LLMs, including those used by Microsoft 365 Copilot. https://learn.microsoft.com/en-us/deployoffice/privacy/microsoft-365-copilot
  • 22. Microsoft Security Copilot • AI-powered security analysis tool that enables analysts to respond to threats quickly, process signals at machine speed, and assess risk exposure in minutes. • Incident response • Threat hunting • Security reporting • https://www.microsoft.com/en-gb/security/business/ai-machine-learning/microsoft-security-copilot?rtc=2
  • 23. Compliance Score vs Secure Score
    Compliance Score (Purview):
    • Number of elements: 2000+
    • Grouped into security, compliance & privacy, with 9 sub-categories: Protect information, Govern information, Control access, Manage devices, Protect against threats, Discover and respond, Manage internal risks, Manage compliance, Privacy management
    • 350+ assessment templates
    • Board led
    • Business, process & technical control driven (documentation, operational and technical)
    • Requires many controls outside the reach of the M365 / Azure platform
    Secure Score (Entra / Defender):
    • Number of elements: 58
    • Grouped into Identity, Data, Apps
    • Singular security score
    • IT led
    • Technical control driven
  • 24. Review and prioritise in Purview (screenshot of the Purview score)
  • 25. Successful Governance, Risk & Compliance
    Staff and leadership: establish people-facing processes, such as policies, training, guidance, GRC roles and responsibilities, and reporting.
    Management tools: build organisational management tools (processes), such as risk registers, incident logs, action plans, and processes around content lifecycle management, reporting, notifications, and incident and risk responses. Have audit and reporting to sustain the approach.
    Technical (Microsoft 365+) controls: implement technologies; configure tenant settings in Microsoft 365; monitor, plan and improve using Microsoft Purview.
  • 26. GRC Hints and Tips • Use Copilot to assess content across your tenant • Provide continuous, bite sized updates via relatable avatars • Create GRC champions / super users in each team and enable them through a super user network • Build a GRC Portal with guidance pages and stories. • Publish your Compliance Score and track over time (i.e. chart it) https://kinataltd.sharepoint.com/sites/InformationGovernance/SitePages/Subject-Access- Requests.aspx?web=1
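The "publish your score and chart it over time" tip from slide 26, as an added example that is not part of the deck. Compliance Manager's Compliance Score has no public Graph endpoint I can vouch for, so this uses Microsoft Secure Score, which slide 23 contrasts with it: the records below are constructed to mirror the shape of a Microsoft Graph `GET /security/secureScores` response (`currentScore`, `maxScore`, `createdDateTime`, `controlScores[]` with `controlCategory`, `controlName`, `score`, `scoreInPercentage`); the live call (an app registration with SecurityEvents.Read.All) is left out so the script runs offline, and the `controlName` values and the function names are illustrative, not Microsoft's.

```python
"""Track Secure Score over time and rank the controls that need attention.

Added example, not from the slide deck. SAMPLE_SECURE_SCORES is constructed to
mirror the shape of Graph `GET /security/secureScores`; fetch the real list
with an app that holds SecurityEvents.Read.All and feed it to the same functions.
"""
from datetime import datetime
from typing import Dict, List, Tuple

SAMPLE_SECURE_SCORES: List[Dict] = [  # constructed; deliberately out of date order
    {
        "createdDateTime": "2023-09-01T00:00:00Z",
        "currentScore": 331.5,
        "maxScore": 650.0,
        "controlScores": [  # control names are illustrative
            {"controlCategory": "Identity", "controlName": "MFARegistrationV2", "score": 0.0, "scoreInPercentage": 0.0},
            {"controlCategory": "Identity", "controlName": "AdminMFAV2", "score": 10.0, "scoreInPercentage": 100.0},
            {"controlCategory": "Identity", "controlName": "BlockLegacyAuthentication", "score": 4.0, "scoreInPercentage": 50.0},
            {"controlCategory": "Data", "controlName": "dlp_datalossprevention", "score": 1.5, "scoreInPercentage": 25.0},
            {"controlCategory": "Apps", "controlName": "OAuthAppConsentPolicy", "score": 8.0, "scoreInPercentage": 80.0},
        ],
    },
    {"createdDateTime": "2023-07-01T00:00:00Z", "currentScore": 260.0, "maxScore": 650.0, "controlScores": []},
    {"createdDateTime": "2023-08-01T00:00:00Z", "currentScore": 292.5, "maxScore": 650.0, "controlScores": []},
]


def _parse(ts: str) -> datetime:
    """Graph returns ISO 8601 with a trailing Z; fromisoformat wants an offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def score_history(records: List[Dict]) -> List[Tuple[str, float]]:
    """[(date, percent)] oldest first, percent = currentScore / maxScore.
    Percent, not raw points: maxScore moves when Microsoft adds controls."""
    rows = sorted(records, key=lambda r: _parse(r["createdDateTime"]))
    return [(r["createdDateTime"][:10], round(100.0 * r["currentScore"] / r["maxScore"], 1)) for r in rows]


def score_trend(records: List[Dict]) -> Dict[str, float]:
    """Headline numbers for the published score: first, latest and the delta."""
    hist = score_history(records)
    first, last = hist[0][1], hist[-1][1]
    return {"first": first, "last": last, "delta": round(last - first, 1), "snapshots": len(hist)}


def lowest_controls(records: List[Dict], n: int = 3) -> List[Tuple[str, str, float]]:
    """Controls earning the smallest share of their available points in the latest
    snapshot: the natural starting point for a crawl-walk-run improvement plan."""
    latest = max(records, key=lambda r: _parse(r["createdDateTime"]))
    ranked = sorted(latest["controlScores"], key=lambda c: (c["scoreInPercentage"], c["controlName"]))
    return [(c["controlCategory"], c["controlName"], c["scoreInPercentage"]) for c in ranked[:n]]


def ascii_chart(records: List[Dict], width: int = 50) -> str:
    """A text bar chart that can be pasted into a GRC portal page or a status report."""
    lines = []
    for date, pct in score_history(records):
        bar = "#" * int(round(pct / 100 * width))
        lines.append(f"{date} {pct:5.1f}% |{bar}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(ascii_chart(SAMPLE_SECURE_SCORES))
    print(score_trend(SAMPLE_SECURE_SCORES))
    for category, name, pct in lowest_controls(SAMPLE_SECURE_SCORES):
        print(f"{category:9} {name:28} {pct:5.1f}% of available points")
```

Ranking by percentage of available points rather than by raw score keeps the list honest when Microsoft reweights or adds controls; the same functions work unchanged on the real response once the snapshots are pulled from Graph on a schedule.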
  • 27. Guidance + Video Script used (from Bing Chat)
    Subject Access Requests (SARs) are an important aspect of the General Data Protection Regulation (GDPR). They allow individuals to request access to their personal data held by organizations. Staff members should be aware of the following key points regarding SARs and GDPR:
    • Recognizing a SAR: A SAR can be made verbally or in writing, including through social media. It does not need to include specific phrases or refer to particular legislation. The request should simply be clear that the individual is asking for their own personal data [1].
    • Formal Requirements: The UK GDPR does not set out formal requirements for a valid request. Therefore, an individual can make a SAR verbally or in writing, including through social media. They can direct it to any part of your organization without specifying a particular person or contact point [1].
    • Training and Procedures: It is essential to train staff members who regularly interact with the public to identify a SAR and understand the next steps [1]. Having a clear procedure in place and keeping a record of all requests and outcomes is also recommended [2].
    • Standard Forms: Providing standard forms for individuals to make requests can make it easier for both parties. However, it is not mandatory [1].
    • Handling Requests: Organizations have a legal responsibility to identify and handle any valid request correctly. If you receive a request verbally, you may still need to contact the individual in writing to confirm their identity [1]. It is also good practice to check with the requester if you have understood their request correctly [1].
    • Reasons for Request: Individuals are not required to provide reasons for making a request or explain what they intend to do with the information [1]. However, knowing the purpose of the request may help organizations locate the relevant information more effectively [1].
    • Children and Young People: Organizations should be prepared to handle requests for information about children or young people [1].
    • Freedom of Information: A valid SAR can be made even if it refers to other legislation, such as the Freedom of Information Act 2000 (FOIA) or the Freedom of Information (Scotland) Act 2002 (FOISA) [1].
    Remember, SARs are an important right under GDPR, and organizations must handle them appropriately and responsibly.
  • 28. How to improve your Microsoft 365 GRC maturity GRC/Purview in context
  • 29. Level 100 - User behaviour • Files stored in shared folders • File sharing via emails with attachments • Limited internal collaboration via Teams • No external collaboration
  • 30. Level 100 - Ungoverned • Teams, Groups and sites are ungoverned • Guests are ungoverned • Data is not classified • No data lifecycle management • No awareness of Microsoft 365 changes
  • 31. Level 200 - User behaviour • Starting to collaborate in Teams chats rather than in teams and channels • Starting to use OneDrive • Shared folders still in use • Email and file attachments used to share files externally • No external collaboration • No or limited adoption
  • 32. Level 200 - Security focused • Focus on security • MFA for users • Teams, Groups and sites creation may be locked down • Guest access may be blocked • Mailbox holds to retain data
  • 33. Level 300 - User behaviour • Starting to work in Teams • OneDrive for personal use, SharePoint for collaboration • Shared folders limited or being migrated into M365 • Share files via links • Internal and external collaboration in Teams • Tactical user adoption
  • 34. Level 300 - Basic Governance, Risk and Compliance • Sensitivity labels for Groups, Teams & Sites • Groups, Teams & Sites provisioning • Guest lifecycle management • Manual MIP labels for content • Data Loss Prevention based on labels • Selected data retention • Conditional Access & MFA
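The "guest lifecycle management" control on the Level 300 slide, as an added example that is not part of the deck: a triage pass over guest accounts that separates invitations nobody accepted from guests who accepted and went quiet, so that the ungoverned-guests problem of Level 100 becomes a repeatable review. The records are constructed to mirror the shape of Microsoft Graph `GET /users?$filter=userType eq 'Guest'&$select=displayName,mail,userType,createdDateTime,externalUserState,signInActivity` (`signInActivity` needs AuditLog.Read.All and an Entra ID P1 licence, and is omitted from users who have never signed in); the live call is left out so the script runs offline. The 90-day and 30-day thresholds, the action names and the fixed reference clock are assumptions for illustration.

```python
"""Guest lifecycle triage for Entra ID guests: stale, never-accepted, or fine.

Added example, not from the slide deck. SAMPLE_GUESTS is constructed to mirror
the shape of Graph `GET /users` records with signInActivity; point review_guests()
at the real list to get the same triage.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

REFERENCE_NOW = datetime(2023, 9, 27, tzinfo=timezone.utc)  # fixed clock for repeatable output

SAMPLE_GUESTS: List[Dict] = [  # constructed records
    {"displayName": "Alex Partner", "mail": "alex@partner.example", "userType": "Guest",
     "createdDateTime": "2023-01-15T00:00:00Z", "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": "2023-09-20T00:00:00Z"}},
    {"displayName": "Bea Vendor", "mail": "bea@vendor.example", "userType": "Guest",
     "createdDateTime": "2022-11-02T00:00:00Z", "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": "2023-03-01T00:00:00Z"}},
    {"displayName": "Chris Invitee", "mail": "chris@partner.example", "userType": "Guest",
     "createdDateTime": "2023-05-10T00:00:00Z", "externalUserState": "PendingAcceptance"},
    {"displayName": "Dana Newinvite", "mail": "dana@partner.example", "userType": "Guest",
     "createdDateTime": "2023-09-18T00:00:00Z", "externalUserState": "PendingAcceptance"},
    {"displayName": "Frank Dormant", "mail": "frank@vendor.example", "userType": "Guest",
     "createdDateTime": "2023-01-01T00:00:00Z", "externalUserState": "Accepted"},
    {"displayName": "Eve Member", "mail": "eve@contoso.example", "userType": "Member",
     "createdDateTime": "2020-01-01T00:00:00Z"},
]

KEEP, REVOKE_INVITATION, REMOVE = "keep", "revoke_invitation", "remove"  # assumed action names


def _parse(ts: Optional[str]) -> Optional[datetime]:
    """Graph returns ISO 8601 with a trailing Z; fromisoformat wants an offset."""
    return None if ts is None else datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify_guest(user: Dict, now: datetime, inactive_days: int = 90,
                   pending_days: int = 30) -> Tuple[str, str]:
    """(action, reason) for one guest record."""
    age = (now - _parse(user["createdDateTime"])).days
    if user.get("externalUserState") == "PendingAcceptance":
        # An invitation nobody redeemed is standing access waiting to be claimed.
        if age > pending_days:
            return REVOKE_INVITATION, f"invitation unaccepted for {age} days"
        return KEEP, f"invitation pending {age} days, within grace period"
    # signInActivity is absent for users who have never signed in, so tolerate it.
    last = _parse((user.get("signInActivity") or {}).get("lastSignInDateTime"))
    if last is None:
        if age > inactive_days:
            return REMOVE, f"accepted {age} days ago but never signed in"
        return KEEP, "accepted recently, no sign-in yet"
    idle = (now - last).days
    if idle > inactive_days:
        return REMOVE, f"no sign-in for {idle} days"
    return KEEP, f"active {idle} days ago"


def review_guests(users: List[Dict], now: Optional[datetime] = None,
                  inactive_days: int = 90, pending_days: int = 30) -> List[Dict]:
    """Triage every guest; removals first so the list reads as a work queue."""
    now = now or datetime.now(timezone.utc)
    results = []
    for u in users:
        if u.get("userType") != "Guest":
            continue  # members belong to the joiner/mover/leaver process, not this review
        action, reason = classify_guest(u, now, inactive_days, pending_days)
        results.append({"displayName": u["displayName"], "mail": u.get("mail"),
                        "action": action, "reason": reason})
    order = {REMOVE: 0, REVOKE_INVITATION: 1, KEEP: 2}
    return sorted(results, key=lambda r: (order[r["action"]], r["displayName"]))


if __name__ == "__main__":
    for row in review_guests(SAMPLE_GUESTS, now=REFERENCE_NOW):
        print(f"{row['action']:18} {row['displayName']:16} {row['reason']}")
```

The output is a review queue, not an automatic deletion: at Level 300 the removal decision still belongs to the guest's sponsor or group owner, and the same queue is what an Entra access review would put in front of them at Level 400.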
  • 35. Level 400 - User behaviour • Teams collaboration is mainstream • What tool to use when is clear • All file shares migrated into M365 • Users are clear on data criticality and data lifecycle • Embedded user adoption
  • 36. Level 400 - Risk-based governance & compliance • Teams, Groups & Sites lifecycle management • Automated content classification (protection & retention) • DLP extended to endpoints and cloud apps • Records management • Insider risk management • Risk-based access controls • PIM for privileged accounts
  • 37. Level 500 - Extend and automate • Machine learning classification • Syntex • 3rd-party ingestion of data • DLP extended to endpoints and cloud apps • Copilot • Independent backup & archive cold storage
  • 38. What level of GRC maturity has your organisation achieved? GRC Maturity Poll
  • 41. The business context (diagram: Microsoft 365 Purview, within Purview + Azure + other, within Corporate GRC, within Business GRC) • GRC doesn't end at Purview • Address/add your other platforms and line-of-business systems / infrastructure, e.g. Azure, Salesforce • Think about the wider business needs
  • 42. Practical steps Establish board accountability Agree strategy and priorities Embed cultural change Establish a programme for continuous improvement Select initial focus area in Purview for attention Build tools & processes outside Purview for non- technical control
  • 45. Best Practice Before you start you need to know where you are now You cannot go from 1% to 100% in one day Take crawl-walk-run approach Manage based on risk Be realistic. Design something that can be implemented Involve the right teams
  • 46. Governance, risk and compliance is not a project, it’s a lifestyle Start small and grow Look beyond Microsoft and definitely beyond IT
  • 48. Simon Hudson: Founder, Cloud2, Kinata, Novia Works; 20+ years innovating with Microsoft technologies; Entrepreneur in Residence, University of Hull; M365 North user group host; simon@noviaworks.co.uk; @simonjhudson. Nikki Chapple: 30+ years in IT & business transformation; specialist in Microsoft 365 governance & compliance; international speaker & blogger; All things M365 compliance podcast co-host; Nikki.chapple@cloudway.com; @chapplnikki; Nikkichapple.com
  • 49. Summary Establish board accountability and Chief Risk officer role Agree strategy and priorities Embed cultural change Establish a programme for continuous improvement Select initial priority areas for attention Build tools & processes outside Purview for non-technical controls