This document summarizes information about improving governance, risk, and compliance (GRC) maturity. It discusses establishing a GRC framework and assessing the current maturity level, which can range from not started to optimal. It then provides examples of actions organizations can take to improve their GRC maturity for both general GRC posture and specific to Microsoft 365. These include defining roles and processes, applying security defaults, implementing data protection and retention, and extending capabilities with additional licensing. The key steps are to start by prioritizing areas and establishing accountability, then continuously improving through a strategic risk-based approach.

2. #MWCP23 Modern Workplace Conference Paris 2023 27 & 28 Mars 2023
Diamond 💎
Platinum 🪩
Gold 🏅

3. Suivez-nous tout au long de l’année !
Follow us all year round!
https://ams.community
https://twitter.com/mwcparis
#MWCP23
https://modern-workplace.pro
https://twitter.com/aOSComm
https://www.linkedin.com/company/
ams-community
https://www.linkedin.com/company/
mwcp
https://www.facebook.com/
modernworkplaceconferenceparis
https://www.facebook.com/
aOSCommunity (FR)
https://www.facebook.com/
aosComm (EN)

4. Nikki Chapple
Principal Cloud Architect | MVP

7. Agenda
1. Why Governance Risk and
Compliance (GRC) is important
2. The consequence of poor GRC
maturity
3. Benefits of the GRC maturity model
4. Baseline your current GRC maturity
5. How to improve your GRC maturity

8. Why
Governance
Risk and
Compliance
(GRC) is
important

9. No matter the size of
your business, data
protection and
compliance is critical

10. Remember data is your responsibility

11. OS
OS
The landscape is fragmented, creating risks

12. ~70%
of companies are subject
to compliance with more
than five compliance
standards

13. 80%
>80% of corporate data is
“dark” – it’s not classified,
protected or governed
Ref: FoIBM. Future of Cognitive Computing. November 2015

14. 88%
of organisations no longer
have confidence to detect
& prevent loss of sensitive
data
Ref: Forrester. Security Concerns, Approaches and Technology
Adoption. December 2018

15. 83%
83% of companies
experience challenges in
ensuring regulatory &
industry compliance from
ineffective data
management
Ref: Vanson Bourne. Realizing the Power of Enterprise Data. 2019.

16. USD
4.35m
Average total cost of a
data breach
Ref: Cost of a Data Breach Report 2022 - United Kingdom | IBM

17. USD 164
Average per record cost of a
data breach
Ref: Cost of a Data Breach Report 2022 - United Kingdom | IBM

18. 45%
of breaches occurred in the
cloud
Ref: Cost of a Data Breach Report 2022 - United Kingdom | IBM

19. The
consequence
of poor (GRC)
maturity

23. Benefits of the
GRC maturity
model

24. What is a Maturity Model
100
Start-ups,
new teams &
rapidly
created
processes
• plus failing
functions etc
200
Maturing
organisations
and teams
• plus inefficient
and at-risk
functions
300
Established
organisations
• Stable but
not class
leading
functions
400
Successful/
efficient
organisations,
functions and
processes
• Especially
regulated
functions
500
Best of
breed
• Exemplars

25. Governance, Risk, and Compliance Maturity
Model
https://bit.ly/3gLLFsx
Microsoft 365 Maturity Model
Governance Risk and Compliance

26. GRC
What &
Why
GRC
stance
Benchmark
Current
vs.
Future
State
Who,
Where,
How &
When
Monitor
and
Enhance
1
Governance,
Risk and
Compliance is
not a project

27. 2
Include the
right
stakeholders
Ref: Microsoft Digital Defense Report 2022 | Microsoft Security

28. 3
Governance
in depth
Data
Containers
Applications
Endpoints
Cloud

29. 4
Take a risk-
based
approach

30. 5
This is a
journey so you
need to know
where you start

31. State of security maturity in the cloud
environment
Not started
17%
Early stages
26%
Midstage
34%
Mature stage
23%
Ref: Cost of a Data Breach Report 2022 - United Kingdom | IBM

32. Baseline your
current GRC
maturity

33. Baseline: Microsoft Zero Trust Maturity
Assessment Quiz
Identities
Endpoints
Apps
Infrastructure
Data
Network
https://www.microsoft.com/en-gb/security/business/zero-
trust/maturity-model-assessment-tool

37. Baseline: Configuration Analyzer for Microsoft
Purview (CAMP)
Microsoft Information Protection
Data Loss Prevention
Information Governance
Records Management
Insider Risk
Communication Compliance
Audit
eDiscovery
https://learn.microsoft.com/en-us/microsoft-
365/compliance/compliance-manager-
mcca?view=o365-worldwide

41. Baseline: Compliance Manager
Protect
information
Privacy
management
Govern
information
Control access
Manage
devices
Protect
against
threats
Discover and
respond
Manage
internal risks
Manage
compliance
https://compliance.microsoft.com/

43. How are Compliance Scores calculated?

44. Extend - Assessment templates

45. Understand the licencing implications
Business
Basic
Business
Premium
E3 E5
https://m365maps.com/

50. How to
improve your
GRC maturity

51. Level 100 organisation GRC Posture - Not
started
GRC
• Not
understood
People
• Undefined
roles &
responsibilities
Process
• Adhoc &
reactive

52. Level 100 Microsoft 365 posture - Not started
Default tenant
settings
Security
defaults may
not be applied
No data
protection
Default
retention

53. Level 200 GRC Posture - Reactive
GRC
•Compliance
& risk needs
understood
People
•No formal
roles & low
awareness
•IT Admin
responsible
Processes
•Adhoc

54. Level 200 Microsoft 365 posture - Limited
Security defaults in
Azure AD (MFA,
Privileged activities,
block legacy auth)
Manual encryption
of emails or
password protect
files
No retention or use
of Legal hold
Guest access
blocked or
uncontrolled guest
access

55. Level 300 GRC Posture - Defined
GRC strategy
• Framework
established but
tactical
• Focus on Zero
Trust security
rather than
compliance
People
• Siloed roles &
individual
responsibilities.
Processes
• Tactical &
inconsistent
• Initial privacy risk
management
assessment
• Initial compliance
assessment

56. Level 300 Microsoft 365 posture - Standard
Sensitivity labels
for containers
Recommended/
default sensitivity
labels for content
Data Loss
Prevention based
on labels
Org wide
retention policies
User & Container
lifecycle
governance
Governed guest
access
Compliance
Manager
baseline
Monitor Message
center

57. Level 400 GRC Posture - Predictable
GRC strategy
• Tailored, controlled &
measured
• Proactive
• Elevate your
compliance program
People
• Executive leadership
• Partnership - business,
IT & Security
• Dedicated roles.
Shared accountability
Processes
• Streamlined &
simplified with metrics
• GRC process to
identify, analyse,
control with
accountability
• Regular compliance &
privacy risk
assessments

58. Level 400 Microsoft 365 posture – Extend
with E5 licencing
Intelligent &
automated data
classification
Automated
protection &
retention
Extend DLP to
cloud apps and
endpoints
Insider risk
management
Formal records
management
Compliance
Manager
regulation
templates

59. GRC
• Strategic with
continuous
assessment.
• External benchmarks
People
• Proactive
• Business enabler
• Continuous
improvement
• Best of breed
• Pervasive compliance
culture
Process
• Risk based
• Lifecycle management
• Business Continuity
management
• Continuous
improvement
• Extend to supply chain
Level 500 - Optimal

60. Machine
Learning
classification
Content AI with
Microsoft Syntex
3rd party
ingestion of data
Data controls
extended beyond
Microsoft 365
Immutable
backup
Level 500 Microsoft 365 posture – Extend
beyond Microsoft 365 and automation

61. Summary

62. Practical steps
Establish board accountability and Chief Risk Officer role
Agree strategy and priorities
Embed cultural change
Establish a programme for continuous improvement
Select initial priority areas for attention
Build tools & processes outside Purview for non-technical controls

63. Best practices
You cannot go
from 1% to
100% on one
day
Take crawl-
walk-run
approach
Manage based
on risk
Be realistic. Design
something that can
be implemented
You need to
know where
you are now
Involve the right
teams

64. Don't let Microsoft 365
governance & compliance
be a roll of the dice

65. Merci pour
votre
attention !
Thanks
for your
attention!