This document summarizes information about improving governance, risk, and compliance (GRC) maturity. It discusses establishing a GRC framework and assessing the current maturity level, which can range from not started to optimal. It then provides examples of actions organizations can take to improve their GRC maturity for both general GRC posture and specific to Microsoft 365. These include defining roles and processes, applying security defaults, implementing data protection and retention, and extending capabilities with additional licensing. The key steps are to start by prioritizing areas and establishing accountability, then continuously improving through a strategic risk-based approach.
3. Follow us all year round!
https://ams.community
https://twitter.com/mwcparis
#MWCP23
https://modern-workplace.pro
https://twitter.com/aOSComm
https://www.linkedin.com/company/ams-community
https://www.linkedin.com/company/mwcp
https://www.facebook.com/modernworkplaceconferenceparis
https://www.facebook.com/aOSCommunity (FR)
https://www.facebook.com/aosComm (EN)
7. Agenda
1. Why Governance, Risk and Compliance (GRC) is important
2. The consequence of poor GRC maturity
3. Benefits of the GRC maturity model
4. Baseline your current GRC maturity
5. How to improve your GRC maturity
12. ~70% of companies are subject to compliance with more than five compliance standards
13. >80% of corporate data is “dark” – it is not classified, protected or governed
Ref: FoIBM. Future of Cognitive Computing. November 2015
14. 88% of organisations no longer have confidence to detect & prevent loss of sensitive data
Ref: Forrester. Security Concerns, Approaches and Technology Adoption. December 2018
15. 83% of companies experience challenges in ensuring regulatory & industry compliance from ineffective data management
Ref: Vanson Bourne. Realizing the Power of Enterprise Data. 2019.
24. What is a Maturity Model
100 – Start-ups, new teams & rapidly created processes
• plus failing functions etc.
200 – Maturing organisations and teams
• plus inefficient and at-risk functions
300 – Established organisations
• Stable but not class-leading functions
400 – Successful/efficient organisations, functions and processes
• Especially regulated functions
500 – Best of breed
• Exemplars
25. Governance, Risk, and Compliance Maturity Model
https://bit.ly/3gLLFsx
Microsoft 365 Maturity Model – Governance, Risk and Compliance
31. State of security maturity in the cloud environment
Not started: 17%
Early stages: 26%
Midstage: 34%
Mature stage: 23%
Ref: Cost of a Data Breach Report 2022 - United Kingdom | IBM
33. Baseline: Microsoft Zero Trust Maturity Assessment Quiz
Identities
Endpoints
Apps
Infrastructure
Data
Network
https://www.microsoft.com/en-gb/security/business/zero-trust/maturity-model-assessment-tool
37. Baseline: Configuration Analyzer for Microsoft Purview (CAMP)
Microsoft Information Protection
Data Loss Prevention
Information Governance
Records Management
Insider Risk
Communication Compliance
Audit
eDiscovery
https://learn.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-mcca?view=o365-worldwide
54. Level 200 Microsoft 365 posture - Limited
Security defaults in Azure AD (MFA, privileged activities, block legacy auth)
Manual encryption of emails or password-protected files
No retention or use of Legal hold
Guest access blocked, or uncontrolled guest access
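The "know where you are now" advice later in the deck applies here: before claiming Level 200 you should verify that Security Defaults are actually enforced, how many accounts hold Global Administrator, and whether legacy authentication is still being used (Security Defaults block it, and clients on IMAP/POP/ActiveSync basic auth will simply start failing). The following PowerShell is an added example, not code from the deck or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed, that the caller is granted the listed scopes, and that the tenant has the Entra ID P1 licence needed to read sign-in logs through the API. The list of legacy protocol names is an assumption to be adjusted to what your tenant reports.

```powershell
# Added example: baseline the Level 200 identity controls with Microsoft Graph PowerShell.
# Assumes Microsoft.Graph is installed and the signed-in account can consent to these scopes.
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All", "AuditLog.Read.All"

# 1. Are Security Defaults enforced?
#    A tenant that uses Conditional Access instead will legitimately report $false;
#    in that case review the CA policies rather than treating this as a finding.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($sd.IsEnabled)"

# 2. How many accounts hold Global Administrator? (Security Defaults force MFA on
#    these roles, but the count itself is the privileged-activity baseline.)
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if ($gaRole) {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
    "Global Administrator members: $($members.Count)"
}

# 3. Is legacy authentication still in use? Look at the last 7 days of sign-ins.
#    Assumed list of clientAppUsed values that indicate legacy (basic) auth.
$legacy = @('Exchange ActiveSync', 'IMAP4', 'POP3', 'SMTP', 'Authenticated SMTP',
            'Exchange Web Services', 'AutoDiscover', 'Outlook Anywhere (RPC over HTTP)',
            'MAPI Over HTTP', 'Offline Address Book', 'Other clients')
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$signIns |
    Where-Object { $_.ClientAppUsed -in $legacy } |
    Group-Object ClientAppUsed, UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The grouped output is the list of users and protocols that will break when legacy authentication is blocked; work through it with the owners before enabling the control rather than discovering it from helpdesk tickets afterwards.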
55. Level 300 GRC Posture - Defined
GRC strategy
• Framework established but tactical
• Focus on Zero Trust security rather than compliance
People
• Siloed roles & individual responsibilities
Processes
• Tactical & inconsistent
• Initial privacy risk management assessment
• Initial compliance assessment
56. Level 300 Microsoft 365 posture - Standard
Sensitivity labels for containers
Recommended/default sensitivity labels for content
Data Loss Prevention based on labels
Org-wide retention policies
User & container lifecycle governance
Governed guest access
Compliance Manager baseline
Monitor Message center
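Two of the Level 300 controls, an org-wide retention policy and a DLP policy keyed on a sensitivity label rather than on content patterns, expressed in Security & Compliance PowerShell. This is an added example, not code from the deck or from Microsoft; it assumes the ExchangeOnlineManagement module, an account holding a compliance administration role, and that a sensitivity label named "Confidential" already exists. The policy names, the 7-year duration and the choice of locations are illustrative.

```powershell
# Added example: Level 300 data controls as code (Security & Compliance PowerShell).
# Assumes ExchangeOnlineManagement is installed and a "Confidential" sensitivity label exists.
Connect-IPPSSession

# --- Org-wide retention: keep everything for 7 years from last modification, then delete ---
New-RetentionCompliancePolicy -Name "Org-wide baseline retention" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -ModernGroupLocation All -Enabled $true

New-RetentionComplianceRule -Name "Keep 7 years from last modification" `
    -Policy "Org-wide baseline retention" `
    -RetentionDuration 2555 `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# --- DLP that follows the label, not a regex: block sharing of Confidential items outside the org ---
# Start in test mode so the first weeks produce alerts and user tips without blocking work;
# switch -Mode to Enable once the false-positive rate is understood.
New-DlpCompliancePolicy -Name "Confidential label - external sharing" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

New-DlpComplianceRule -Name "Block external sharing of Confidential" `
    -Policy "Confidential label - external sharing" `
    -ContentContainsSensitiveInformation @{
        operator = "And"
        groups   = @(@{
            name     = "Labelled content"
            operator = "Or"
            labels   = @(@{ name = "Confidential"; type = "Sensitivity" })
        })
    } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner

# --- Verify the policies exist and have finished distributing to the workloads ---
Get-RetentionCompliancePolicy -Identity "Org-wide baseline retention" |
    Format-List Name, Enabled, DistributionStatus
Get-DlpCompliancePolicy -Identity "Confidential label - external sharing" |
    Format-List Name, Mode, DistributionStatus
```

Keying DLP on the label is what makes the Level 300 "recommended/default labels" item pay off: once users (or default labelling) classify content, the protection follows the classification without a separate pattern library to maintain, and the label condition is also what later lets you extend the same rule to endpoints and cloud apps at Level 400.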
57. Level 400 GRC Posture - Predictable
GRC strategy
• Tailored, controlled & measured
• Proactive
• Elevate your compliance program
People
• Executive leadership
• Partnership - business, IT & Security
• Dedicated roles; shared accountability
Processes
• Streamlined & simplified, with metrics
• GRC process to identify, analyse and control, with accountability
• Regular compliance & privacy risk assessments
58. Level 400 Microsoft 365 posture – Extend with E5 licensing
Intelligent & automated data classification
Automated protection & retention
Extend DLP to cloud apps and endpoints
Insider risk management
Formal records management
Compliance Manager regulation templates
59. Level 500 GRC Posture - Optimal
GRC strategy
• Strategic, with continuous assessment
• External benchmarks
People
• Proactive
• Business enabler
• Continuous improvement
• Best of breed
• Pervasive compliance culture
Process
• Risk based
• Lifecycle management
• Business Continuity management
• Continuous improvement
• Extend to supply chain
60. Level 500 Microsoft 365 posture – Extend beyond Microsoft 365 and automation
Machine Learning classification
Content AI with Microsoft Syntex
3rd-party ingestion of data
Data controls extended beyond Microsoft 365
Immutable backup
62. Practical steps
Establish board accountability and Chief Risk Officer role
Agree strategy and priorities
Embed cultural change
Establish a programme for continuous improvement
Select initial priority areas for attention
Build tools & processes outside Purview for non-technical controls
63. Best practices
You cannot go from 1% to 100% in one day
Take a crawl-walk-run approach
Manage based on risk
Be realistic: design something that can be implemented
You need to know where you are now
Involve the right teams