Whether your platform of choice is SharePoint on premise, Office 365, or a hybrid variation, you need to setup an Information Governance Strategy. This presentation gives you the ammunition you need to show leadership the value of setting up such a strategy (or the cost of not doing so) and provides four primary considerations for doing it.

1. Accessible content is available upon request.
Develop Your
Information Governance Strategy in 4 Steps
Jay Leask | @jayleask
AvePoint Public Sector
SharePoint Office 365 Hybrid

2. June 2017 #SPSDC
@jayleask
Identify the Challenges Define the Value Develop the Strategy

3. June 2017 #SPSDC
@jayleask

4. June 2017 #SPSDC
@jayleask
%
F O R T U N E 5 0 0 C O M PA N I E S
F R O M T H E 1 9 5 0 s A R E G O N E

5. June 2017 #SPSDC
@jayleask
1999 - IPO
2004 – 9000 stores
2010 – Bankrupt
2013 – RIP

7. June 2017 #SPSDC
@jayleask
“ The reasonable man adapts himself
to the world: the unreasonable one
persists in trying to adapt the world
to himself. Therefore all progress
depends on the unreasonable man. ”
- George Bernard Shaw

8. June 2017 #SPSDC
@jayleask
Everyone
has
a Voice
Everyone is
a
Contributor
Access from
Anywhere

9. June 2017 #SPSDC
@jayleask

10. June 2017 #SPSDC
@jayleask

11. ©AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc.
Why do you need brakes?

12. ©AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc.

13. June 2017 #SPSDC
@jayleask

14. June 2017 #SPSDC
@jayleask
Hackers proved
to be far less of
a threat than
simple, human
error

15. June 2017 #SPSDC
@jayleask
We need to establish confidence

16. Per Breached Record Per Breach Event

17. June 2017 #SPSDC
@jayleask

18. June 2017 #SPSDC
@jayleask
Plan for the future
Remove what’s unnecessary
Keep what’s required
Protect what’s important
Establish a way to identify it
Find out what it really is
Reduce Cost.
Increase
Productivity.
$
Users:
Relevant Information
IT Admins:
Easier Maintenance
Compliance Officers:
Lowered Risks

19. June 2017 #SPSDC
@jayleask

20. Discover and Classify
1

21. June 2017 #SPSDC
@jayleask

22. June 2017 #SPSDC
@jayleask
Where is it?
File Share
SharePoint
Office 365
Databases
Who can access it?
Who owns it?
Who can read it?
Who can edit it?
What is it?
?
File Level Analysis
Content Level Analysis
• Redundant, outdated and
trivial (ROT) data
• File types (Music, log files,
etc..)
• Sensitive data
• Date Created
• Owner

23. June 2017 #SPSDC
@jayleask

24. June 2017 #SPSDC
@jayleask
Regulated Data
Data that requires retention / long-term archives
ITAR / export controlled data
Gold copies or replication
Sensitive Data
“Controlled Unclassified Information” (CUI)
PII / PHI / PCI data that about employees / citizens
Classified Data
Operational security (OpSec)
Intellectual Property
Classified documents

25. June 2017 #SPSDC
@jayleask

26. Activity: How Do You Classify?

27. June 2017 #SPSDC
@jayleask

28. June 2017 #SPSDC
@jayleask
Tags
Ownership Purpose
Audience Sensitivity level
Classify
Is it a record?
Is it high business
impact?
Who should have
access?Where should it live?

29. Identify sensitivity level of
the document
Identify retention schedule
Finish with managed
keywords for search

30. June 2017 #SPSDC
@jayleask
Compliant Migration to…
End-of-Life
Another location on the
file system for archiving
Another system
(SharePoint, Office 365, storage,
etc.)
Another location for
“legal hold”
Another location on
the file system

31. Define Data
Governance Policies
2

32. June 2017 #SPSDC
@jayleask
How is Governance viewed
in most organizations?

33. June 2017 #SPSDC
@jayleask
How do you know where to park?

34. June 2017 #SPSDC
@jayleask
Personal/My Sites
Governance
Visibility
Project/Team Sites
Community Sites
Portal

35. June 2017 #SPSDC
@jayleask
Build “controls”
into containers
Make sure no
one messes with
your controls
Ensure the system
is used as intended

36. June 2017 #SPSDC
@jayleask

37. June 2017 #SPSDC
@jayleask

38. Proactively Enforce Policies
3

39. June 2017 #SPSDC
@jayleask

40. June 2017 #SPSDC
@jayleask

41. June 2017 #SPSDC
@jayleask
What does Microsoft offer?
Protect The FileProtect The AccessProtect The System
RMSCASBDLP
• Enterprise-Wide Classification
• Data Governance Framework
• Risk Assessment
• Enterprise-Wide Classification
• Data Governance Framework
• Risk Assessment

42. June 2017 #SPSDC
@jayleask

43. June 2017 #SPSDC
@jayleask

44. June 2017 #SPSDC
@jayleask
Say hello to Joe
• It’s Friday 5pm and Joe
wants to go home
• He doesn’t have time to
classify documents
• Company policy:
everything in SharePoint
MUST be classified

45. June 2017 #SPSDC
@jayleask
Defining policy

46. June 2017 #SPSDC
@jayleask
Uploading files

47. June 2017 #SPSDC
@jayleask
Violation identified

48. June 2017 #SPSDC
@jayleask
Classification & Compliance Enforced

49. Admins, Compliance and
Governance stakeholders

50. June 2017 #SPSDC
@jayleask
Example: Matter Center

51. June 2017 #SPSDC
@jayleask
Example: External Collaboration

52. June 2017 #SPSDC
@jayleask

53. June 2017 #SPSDC
@jayleask

54. June 2017 #SPSDC
@jayleask

55. June 2017 #SPSDC
@jayleask

56. June 2017 #SPSDC
@jayleask

58. Report and Audit
4

59. June 2017 #SPSDC
@jayleask
“RECERTIFICATION”
“ATTESTATION”
“ANNUAL REVIEW”
Hey! take a look…
are the current
settings still
appropriate?
If no– make the
changes.
If yes– sign off on it.
Recertification drivers may be internal (company controls),
external (regulatory requirement) or both

60. June 2017 #SPSDC
@jayleask
We said…
“We won’t expose PII on this system”.
We implemented…
Rules to block PII from sites.
Which resulted in…
Reports to showcase violations over time.
PROVE IT
KRI – Key Risk Indicators Reports
DO IT
KCI – Key Control Indicators Product Configurations
SAY IT
Suggestions on Controls APIA Responses

61. June 2017 #SPSDC
@jayleask
Data Ownership
Who is responsible for
the stuff in here?
Are they still here and
willing to own it?
Access Permissions
Who can do what to
the stuff in here?
Does Bob still need his
access?
Classification
Tell me about the stuff
that lives in here…
Is it sensitive?
Is it important?

62. June 2017 #SPSDC
@jayleask

63. June 2017 #SPSDC
@jayleask

64. June 2017 #SPSDC
@jayleask
IT’S NOT
ALL OR
NOTHING.
On-Prem
Office 365 IaaS or
Private Cloud
“I need to maintain full control over my data and have
specific data sovereignty requirements.”
“I’d like to cut
cost and
facilitate
collaboration.”
“I’d like to
minimize
hardware but
maintain control.”
• Critical workloads
• Collaboration spaces
• Productivity apps
• Custom solutions
• Full control
• No hardware
• Sensitive workloads
• Data with location restrictions
• Legacy solutions and customizations
• Full Control

65. June 2017 #SPSDC
@jayleask
Resources
• 2016 Data Breach Ponemon Report
• Office 365 Compliance Center
• Azure Information Protection
• Microsoft Cloud App Security
• AvePoint Online Services
• AvePoint Compliance Guardian

66. June 2017 #SPSDC
@jayleask

67. June 2017 #SPSDC
@jayleask

68. Let’s Connect