1 December 2022 | In-person: Copenhagen, Denmark
Don’t let Microsoft 365 Governance and Compliance be a roll of the dice.
No matter the size of your business, data protection and compliance are critical.
1. Data is exploding
2. Data regulations are increasing around the world
3. Everyone is at risk of a data breach
Yet data security and compliance can feel overwhelming.
Let me show you how the Microsoft 365 Governance, Risk, and Compliance maturity model can help you reduce risk and improve compliance effectiveness by building a strategy for protecting and managing sensitive and business-critical data.
Don't let governance, risk and compliance be a roll of the dice | ESPC22
2. Don't let Microsoft 365 governance and compliance be a roll of the dice
Nikki Chapple | MVP
Principal Cloud Architect, CloudWay, UK
3. Nikki Chapple
• 30 years+ experience in IT & business transformation
• Passionate about Microsoft 365 governance & compliance
• Community speaker & blogger
• Co-host on the All things M365 compliance Podcast
nikkichapple
@chapplenikki
www.nikkichapple.com
All things M365 compliance
19. State of security maturity in the cloud environment
• Not started: 17%
• Early stages: 26%
• Midstage: 34%
• Mature stage: 23%
Ref: Cost of a Data Breach Report 2022 - United Kingdom | IBM
20. Most common findings in ransomware response engagements
65% of companies lacked information protection control
Ref: Microsoft Digital Defense Report 2022 | Microsoft Security
21. Microsoft recommends 5 areas to focus on
Ref: Microsoft Digital Defense Report 2022 | Microsoft Security
23. What is a Maturity Model
Level 100: Start-ups, new teams and rapidly created processes
• plus failing functions etc.
Level 200: Maturing organisations and teams
• plus inefficient and at-risk functions
Level 300: Established organisations
• Stable but not class-leading functions
Level 400: Successful/efficient organisations, functions and processes
• Especially regulated functions
Level 500: Best of breed
• Exemplars
34. Baseline - Security Score
Scope
• Microsoft 365 (inc Exchange Online)
• Azure Active Directory
• Microsoft Defender for Endpoint
• Microsoft Defender for Identity
• Microsoft Defender for Cloud Apps
• Microsoft Teams
35. Baseline E5 licencing
Microsoft Compliance Configuration Analyzer (MCCA)
• Microsoft Information Protection
• Data Loss Prevention
• Information Governance
• Records Management
• Insider Risk
• Communication Compliance
• Audit
• eDiscovery
https://bit.ly/3FegpM4
45. Level 200 Microsoft 365 posture - Limited
• Security defaults in Azure AD (MFA, privileged activities, block legacy auth)
• Manual sensitivity labels
• Manual retention labels
46. Level 300 GRC Posture - Defined
GRC strategy
• Framework established but tactical
• Focus on Zero Trust security rather than compliance
People
• Siloed roles & individual responsibilities
Processes
• Tactical & inconsistent
• Initial privacy risk management assessment
• Initial compliance assessment
47. Level 300 Microsoft 365 posture - Basic
• Recommended/default labels
• Sensitivity labels for containers
• Data Loss Prevention
• Org-wide retention
• User & container lifecycle governance
• Compliance Manager baseline
• Monitor Message center
48. Level 400 GRC Posture - Predictable
GRC strategy
• Tailored, controlled & measured
• Proactive
• Elevate your compliance program
People
• Executive leadership
• Partnership - business, IT & Security
• Dedicated roles. Shared accountability
Processes
• Streamlined & simplified with metrics
• GRC process to identify, analyse, control with accountability
• Regular compliance & privacy risk assessments
49. Level 400 Microsoft 365 posture – Extend E5 licencing
• Intelligent & automated data classification
• Automated protection & retention
• DLP for sensitive data
• Insider risk management
• Auditing to SIEM
• Govern access decisions based on sensitivity
• Discover and manage shadow IT in your network
• Compliance Manager regulation templates
• Risk-based access controls
• Endpoint management
50. Level 500 - Optimal
GRC
• Strategic with continuous assessment
• External benchmarks
People
• Proactive
• Business enabler
• Continuous improvement
• Best of breed
• Pervasive compliance culture
Process
• Risk-based
• Lifecycle management
• Business Continuity management
• Continuous improvement
• Extend to supply chain
53. Practical steps
Establish board accountability
Agree strategy and priorities
Embed cultural change
Establish a programme for continuous improvement
Select initial priority areas for attention
Build tools & processes outside Purview for non-technical control
54. Best practices
• You cannot go from 1% to 100% in one day
• Take a crawl-walk-run approach
• Manage based on risk
• Be realistic. Design something that can be implemented
• You need to know where you are now
• Involve the right teams
57. References
• The Microsoft 365 Maturity Model – Governance, Risk, and Compliance Competency | Microsoft Learn
• Cost of a Data Breach Report 2022 - United Kingdom | IBM
• Microsoft 365 Compliance Scenario based demo CAT Demo
• Microsoft Zero Trust Maturity Assessment Quiz
• The Comprehensive Playbook for Implementing Zero Trust Security (azureedge.net)
• Compliance in the era of digital transformation