
Create a Compliance Strategy for Office 365


SharePoint, OneDrive, Microsoft Teams, Exchange, Skype… there are a lot of collaboration tools for creating content in the Microsoft stack. Highly regulated and government organizations have advanced compliance and records management needs, some of which are tricky to meet with out-of-the-box Microsoft tools such as Cloud App Security, Azure Information Protection and Advanced Data Governance in Office 365. How can you ensure that content is retained properly for compliance purposes and that the proper processes are in place to ensure compliance?

In this session, you will learn about Microsoft’s out of the box compliance and records management features, as well as how to extend them to meet advanced requirements. Whether you are a decision maker, IT Pro tasked with implementation, or an information management professional tasked with compliance, this workshop is for you.

Published in: Technology


  1. | # | Time | Topic |
     |---|------|-------|
     | 1 | 8:30 – 8:40 AM | Introductions |
     | 2 | 8:40 – 9:00 AM | Records Management and Compliance Scenarios |
     | 3 | 9:00 – 10:00 AM | Cloud App Security, Azure Information Protection & Azure Rights Management |
     | 4 | 10:00 – 10:15 AM | BREAK |
     | 5 | 10:15 – 11:00 AM | Advanced Data Governance |
     | 6 | 11:00 – 11:15 AM | How to Enable the Records Management and Compliance Scenarios Using Microsoft Technology |
     | 7 | 11:15 – 11:30 AM | Options for Filling the Gaps |
  2. • Privacy rights related to health data
     • Implementation of a security management process
     • Protocols and expectations for breaches and HIPAA violations
     *Consult your legal counsel
  3. Source: Office of the National Coordinator for Health Information Technology (ONC)
  4. Source: Microsoft Trust Center
  5. • Perform good records management practices
     • Train employees to follow policies and processes
     • Have documented processes in place to protect data (and follow them)
     • Allow people to access their data and ensure data integrity
  7. Records lifecycle diagram: Document Created → Document Managed → Document Finalized → Record Managed → Disposal, spanning the Classify, Information Maintenance and Dispose phases; the risks called out along the way are Risk of Deletion, Risk of Not Being Declared a Record and Risk of Non-Disposal
  8. Diagram: Create → Disseminate → Maintain & Administer, overlaid with the themes Manage Content, Invisible Compliance and Records Management
  9. Microsoft Trust Center
  10. Diagram: Retention, IRM and DLP, split between Microsoft Technologies and Outside Microsoft Technologies
  11. Microsoft Cloud App Security is a CASB (Cloud Access Security Broker) that can help you bring the protection you have on-premises to your cloud apps, gaining comprehensive visibility, auditing capabilities, and granular controls to help ensure your sensitive data stays safe. Microsoft Cloud App Security provides a comprehensive, intelligent security solution that brings visibility, real-time control, and security to your cloud applications.
  12. Deep visibility
      • Identify cloud apps on your network and gain visibility into Shadow IT
      • Cloud App Security recognizes more than 15,000 cloud apps, no agents required
      • Evaluates the risk of these apps based on more than 60 parameters
      Powerful reporting and analytics
      • On-going risk detection and details on users, including abnormal usage patterns, upload/download traffic and transactions, help you identify anomalies right away
  13. Data loss prevention (DLP)
      • Enables granular control policies
      • Single-click remediation
      • Document quarantine
      • Sharing restrictions
      • Apply policies, out of the box or customized, to apps from Microsoft or other vendors
      • Scan and classify files in the cloud, and apply Azure Information Protection labels for protection, including encryption
      Compliance
      • Supports your compliance journey with regulatory mandates such as Payment Card Industry (PCI), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), General Data Protection Regulation (GDPR), and others
      • Factors compliance with regulations into the risk assessment score for each app
      • Helps you further control and protect sensitive files through policies and governance
  14. Real-time monitoring and control
      • Helps you limit activities performed within user sessions in SaaS apps based on user identity, location, device state, and detected sign-in risk level
      • Allow access to SaaS apps but protect downloads from unfamiliar locations
      • Block downloads of sensitive documents from unmanaged devices
  15. Behavioral analytics
      • Identify anomalies in cloud usage that may indicate a data breach
      • Learns how each user interacts with each SaaS app and, through behavioral analytics, assesses the risks in each transaction
      Integration with existing SIEM and DLP solutions
      • Cloud App Security helps preserve your familiar workflow
      • Enables a consistent policy across on-premises and cloud activities, while automating security procedures to better protect your cloud applications
      Mitigation of ransomware attacks
      • Offers a built-in policy template to detect potential ransomware activity
      • Specify governance actions to suspend suspect users and prevent further encryption of the user’s files
  16. https://docs.microsoft.com/en-us/cloud-app-security/risk-score
  17. Classify → Label → Protect
  18. A label can be auto-applied based on sensitive information types, based on a search query, or based on a location, except when:
      • The label is a record
      • A user has manually applied a label
      • Another label is older
  19. When you create auto-apply labels for sensitive information, you see the same list of policy templates as when you create a data loss prevention (DLP) policy.
  20. Query-based labels use the search index to identify content:
      • Email properties
      • Site properties
      • Contact properties
      • Sensitive data types
      • Site content shared with external users
      • Site content shared within your organization
  21. • You can only apply a default label to a document library
      • Items inside a document set do inherit the default label
      • If you move an item with a default label from one library to another library with no default label, the old default label is removed
  22. • A label that classifies content as a record needs to be applied manually; it can't be auto-applied
      • For SharePoint content, any user in the default Members group (the Contribute permission level) can apply a record label to content
      • Only the site collection administrator can remove or change that label after it's been applied
      • You can apply a label to a folder in Exchange but not in SharePoint or OneDrive
  24. If there are multiple rules that assign an auto-apply label and content meets the conditions of multiple rules, the label for the oldest rule is assigned. PERIOD. NO OTHER OPTION.
  25. How labels get auto-applied: Label policy is synced to locations → Status = Success (On) → Labels applied automatically to content within 7 days
  26. | If the label is… | Then the label policy can be applied to… |
      |---|---|
      | Published to end users | Exchange, SharePoint, OneDrive, Groups |
      | Auto-applied based on sensitive information types | Two of the four locations (marked X X on the slide; the column alignment did not survive extraction) |
      | Auto-applied based on a query | Exchange, SharePoint, OneDrive, Groups |
  27. PROS
      • Use to identify and action sensitive content
      • A label can be used by RecordPoint to refine a classification
      • Has localized certifications
      CONS
      • Application of a label can take 1-7 days
      • No hierarchy of labels
      • No automatic application of labels to sites, content types
      • Generic functionality that doesn’t meet local standards
      • Need to have an E5 license for automatic labelling
      • No automatic labelling for records
      • Have to apply document library labels to each location
      THIRD PARTY TOOL
      • Provides real-time classification of content
      • Can prioritize labels
      • Can use a label as input
      • Works with any SharePoint license
      • Automatic labelling of records and all content
      • Can apply classifications from a central location
  28. Attached to a label. Can do the following:
      • Trigger a disposition review at the end of the retention period, so that SharePoint and OneDrive documents must be reviewed before they can be deleted.
      • Start the retention period from when the content was labeled, instead of the age of the content or when it was last modified.
  29. • Retaining content so that it can’t be permanently deleted before the end of the retention period.
      • Deleting content permanently at the end of the retention period.
      Entire Locations:
      • Organization Wide (limit of 10 org-wide policies and entire-location policies combined)
      • SharePoint, OneDrive for Business, Groups, Skype for Business, Exchange Email, Exchange Public Folder
      Include or Exclude:
      • Users (up to 1000), Groups (up to 1000), Locations (up to 100 sites)
  30. Precedence when more than one retention policy applies to the same content:
      1. Retention wins over deletion
      2. Longest retention period wins
      3. Explicit inclusion wins over implicit inclusion
      4. Shortest deletion period wins
  31. What happens to a document in a Document Library under a retention policy:
      1. If the content is modified or deleted during the retention period, a copy is kept in the Preservation Hold Library until the end of the retention period, after which a cleanup job (running every 7 days) permanently deletes it.
      2. If the content is not modified or deleted during the retention period, at the end of the retention period it moves to the First-Stage Recycle Bin, then (on user purge or cleanup) to the Second-Stage Recycle Bin, and is permanently deleted after 93 days.
  32. PROS
      • Simple content clean-up for non-records content
      • Covers Skype for Business and Exchange content
      CONS
      • A limit of 10 organization-wide and location-based retention policies
      • Keeps documents for 93 days after disposition approval
      • No certification of destruction
      THIRD PARTY TOOL
      • No limit on the number of retention policies
      • Dispose of document immediately on approval
      • Provides a fully auditable certification of destruction
      • Covers social feeds and file share content, with more coming
      • Legal hold integrates with Office 365
      • Can retain content in place
  33. Options for filling the gaps:
      • Labels and retention: not marked as requiring a third party
      • Complex labelling: Third Party
      • Complex retention: Third Party
      • Manage multiple content sources: Third Party
      • Records management: Third Party
      • Physical records: Third Party
      • High certifications (DoD): Third Party
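The four precedence rules on slide 30 decide what happens when several retention policies cover the same document. The model below is an added example, not Microsoft's implementation: the policies, their actions and the explicit/implicit inclusion flag are constructed inputs, and `resolve` reports the earliest day the content may be purged and which deletion policy wins.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RetentionPolicy:
    """Simplified Office 365 retention policy (constructed for this example)."""
    name: str
    action: str      # "retain", "delete" or "retain_then_delete"
    days: int        # retention period (retain*) or deletion period (delete)
    explicit: bool   # True if this location was explicitly included in the policy

    @property
    def retains(self) -> bool:
        return self.action in ("retain", "retain_then_delete")

    @property
    def deletes(self) -> bool:
        return self.action in ("delete", "retain_then_delete")


@dataclass(frozen=True)
class Outcome:
    retain_days: int              # content cannot be purged before this many days
    delete_days: Optional[int]    # day on which the winning deletion fires, or None
    delete_policy: Optional[str]  # name of the policy whose deletion wins


def resolve(policies: List[RetentionPolicy]) -> Outcome:
    """Apply the slide's four precedence rules, in order."""
    # Rules 1 and 2: any policy that retains beats deletion, and the longest
    # retention period among the retaining policies sets the floor.
    retain_days = max((p.days for p in policies if p.retains), default=0)
    deleters = [p for p in policies if p.deletes]
    if not deleters:
        return Outcome(retain_days, None, None)
    # Rule 3: explicitly included locations beat implicit (org-wide) inclusion.
    candidates = [p for p in deleters if p.explicit] or deleters
    # Rule 4: among the remaining deletion policies, the shortest period wins.
    winner = min(candidates, key=lambda p: p.days)
    # Rule 1 again: deletion never fires before every retention period has ended.
    return Outcome(retain_days, max(winner.days, retain_days), winner.name)


if __name__ == "__main__":
    # Constructed sample: two org-wide policies plus one that explicitly
    # includes a single site, all applying to the same document.
    sample = [
        RetentionPolicy("Org-wide: retain 7 years then delete", "retain_then_delete", 7 * 365, False),
        RetentionPolicy("Org-wide: delete after 1 year", "delete", 365, False),
        RetentionPolicy("HR site: delete after 3 years", "delete", 3 * 365, True),
    ]
    print(resolve(sample))
```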
