Dont let governance risk and compliance be a roll of the dice | ESPC22

Don't let Microsoft 365 governance
and compliance be a roll of the
dice
Nikki Chapple | MVP
Principal Cloud Architect, CloudWay, UK

Nikki Chapple
• 30 years+ experience in IT & business transformation
• Passionate about Microsoft 365 governance & compliance
• Community speaker & blogger
• Co-host on the All things M365 compliance Podcast
nikkichapple
@chapplenikki
www.nikkichapple.com
All things M365 compliance

This Photo by Unknown Author is licensed under CC BY

No matter the size of your business, data
protection and compliance is critical

Remember data is your responsibility

Digital technology
revolution
Data regulations
complexity
Cyber threats become
endemic
Yet data protection and compliance can feel overwhelming

~70%
of companies are subject to compliance
with more than five compliance standards

34.7bn
identity threats blocked
Ref: Microsoft Digital Defense Report 2022 | Microsoft Security

USD 4.35m
Average total cost of a data breach
Ref: Cost of a Data Breach Report 2022 - United Kingdom | IBM

USD 164
Average per record cost of a data breach

45%
of breaches occurred in the cloud

The risks of not being compliant
Loss of trust
and
Reputational
damage
Operational
/ Financial
impacts and
loss
Fines

We need to do
more to
protect our
data
Don't let Microsoft 365
governance & compliance
be a roll of the dice

So how mature are organisations?

State of security maturity in the cloud environment
Not started
17%
Early stages
26%
Midstage
34%
Mature stage
23%

Most common findings in ransomware response engagements
65%
of companies lacked
information
protection control

Microsoft recommend 5 area to focus on
Ref: Microsoft Digital
Defense Report 2022
| Microsoft Security

Introducing the Governance, Risk, and
Compliance Maturity Model

What is a Maturity Model
100
Start-ups, new
teams and
rapidly created
processes
• plus failing
functions etc.
200
Maturing
organisations
and teams
• plus inefficient
and at-risk
functions
300
Established
organisations
• Stable but not
class leading
functions
400
Successful/
efficient
organisations,
functions and
processes
• Especially regulated
functions
500
Best of breed
• Exemplars

Processes
Governance
Strategies
Policies, Monitoring
Culture
Identify
Analyse
Control
Laws
Regulations
Controls
Activities
Governance, Risk, and
Compliance Maturity
Model
https://bit.ly/3gLLFsx

5
Steps for using the Governance,
Risk, and Compliance Maturity
Model to improve your data security
posture

1
This is not just a
technology project

GRC
What &
Why
GRC
stance
Benchma
rk
Current
vs.
Future
State
Who,
Where,
How &
When
Monitor
and
Enhance
2
Governance, Risk
and Compliance is
not a project

2
Protect
your data
at multiple
levels
Content
Containers
Applications
Identities,
Devices,
Locations
Regulations
& Policies

5
This is a
journey so
you need to
know where
you start

Assess your risk & compliance stance

Baseline
Microsoft Zero Trust Maturity
Assessment Quiz
• Identities
• Endpoints
• Apps
• Infrastructure
• Data
• Network
https://bit.ly/3OLS57y

Baseline - Security Score - Microsoft 365 Defender portal

Baseline - Security Score
Scope
• Microsoft 365 (inc Exchange Online)
• Azure Active Directory
• Microsoft Defender for Endpoint
• Microsoft Defender for Identity
• Microsoft Defender for Cloud Apps
• Microsoft Teams

Baseline E5 licencing
Microsoft Compliance
Configuration Analyzer (MCCA)
• Microsoft Information Protection
• Data Loss Prevention
• Information Governance
• Records Management
• Insider Risk
• Communication Compliance
• Audit
• eDiscovery
https://bit.ly/3FegpM4

Compliance Manager scope
Protect
information
Privacy
management
Govern
information
Control access
Manage
devices
Protect
against threats
Discover and
respond
Manage
internal risks
Manage
compliance

How are Compliance Scores calculated?

Understand the licencing implications
Business Basic
Business Premium
E3
E5 https://m365maps.com/

Level 100 organisation GRC Posture - Not started
GRC
• Not
understood
People
• Undefined
roles &
responsibilities
Process
• Adhoc &
reactive

Level 100 Microsoft 365 posture - Not started
Default tenant
settings
Security
defaults may
not be applied
No data
protection
Default
retention

Level 200 GRC Posture - Reactive
GRC
•Compliance
& risk needs
understood
People
•No formal
roles & low
awareness
•IT Admin
responsible
Processes
•Adhoc

Level 200 Microsoft 365 posture - Limited
Security defaults in
Azure AD (MFA,
Privileged activities,
block legacy auth)
Manual Sensitivity
labels
Manual Retention
labels

Level 300 GRC Posture - Defined
GRC strategy
• Framework
established but
tactical
• Focus on Zero
Trust security
rather than
compliance
People
• Siloed roles &
individual
responsibilities.
Processes
• Tactical &
inconsistent
• Initial privacy risk
management
assessment
• Initial compliance
assessment

Level 300 Microsoft 365 posture - Basic
Recommended/
default labels
Sensitivity labels
for containers
Data Loss
Prevention
Org wide
retention
User & Container
lifecycle
governance
Compliance
Manager
baseline
Monitor Message
center

Level 400 GRC Posture - Predictable
GRC strategy
• Tailored, controlled &
measured
• Proactive
• Elevate your
compliance program
People
• Executive leadership
• Partnership - business,
IT & Security
• Dedicated roles.
Shared accountability
Processes
• Streamlined &
simplified with metrics
• GRC process to
identify, analyse,
control with
accountability
• Regular compliance &
privacy risk
assessments

Level 400 Microsoft 365 posture – Extend E5 licencing
Intelligent &
automated data
classification
Automated
protection &
retention
DLP for sensitive
data
Insider risk
management
Auditing to SIEM
Govern access
decisions based on
sensitivity
Discover and
manage shadow IT
in your network
Compliance
Manager
regulation
templates
Risk based access
controls
Endpoint
management

GRC
• Strategic with
continuous
assessment.
• External benchmarks
People
• Proactive
• Business enabler
• Continuous
improvement
• Best of breed
• Pervasive compliance
culture
Process
• Risk based
• Lifecycle management
• Business Continuity
management
• Continuous
improvement
• Extend to supply chain
Level 500 - Optimal

Machine
Learning
classification
Event based
retention
Adaptive
scopes
retention
Syntex
3rd party
ingestion of
data
Immutable
backup
Level 500 Microsoft 365 posture – Maximise E5 licencing

Practical steps
Establish board accountability
Agree strategy and priorities
Embed cultural change
Establish a programme for continuous improvement
Select initial priority areas for attention
Build tools & processes outside Purview for non-technical control

Best practices
You cannot go
from 1% to 100%
on one day
Take crawl-walk-
run approach
Manage based on
risk
Be realistic. Design
something that can be
implemented
You need to
know where you
are now
Involve the right
teams

Governance, risk
and compliance
is not a project,
it’s a lifestyle
Start small and grow

References
• The Microsoft 365 Maturity Model – Governance, Risk, and Compliance
Competency | Microsoft Learn
• Cost of a Data Breach Report 2022 - United Kingdom | IBM
• Microsoft 365 Compliance Scenario based demo CAT Demo
• Microsoft Zero Trust Maturity Assessment Quiz
• The Comprehensive Playbook for Implementing Zero Trust Security
(azureedge.net)
• Compliance in the era of digital transformation

Dont let governance risk and compliance be a roll of the dice | ESPC22

Recommended

Recommended

More Related Content

Similar to Dont let governance risk and compliance be a roll of the dice | ESPC22

Similar to Dont let governance risk and compliance be a roll of the dice | ESPC22 (20)

More from Nikki Chapple

More from Nikki Chapple (17)

Recently uploaded

Recently uploaded (20)

Dont let governance risk and compliance be a roll of the dice | ESPC22