Whether your platform of choice is SharePoint on-premises, Office 365, or a hybrid variation, you need to set up an Information Governance Strategy. This presentation gives you the ammunition you need to show leadership the value of setting up such a strategy (or the cost of not doing so) and provides four primary considerations for doing it.
Develop your Information Governance Strategy in Four Steps
1. Accessible content is available upon request.
Develop Your
Information Governance Strategy in 4 Steps
Jay Leask | @jayleask
AvePoint Public Sector
SharePoint Office 365 Hybrid
7. June 2017 #SPSDC
@jayleask
“The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man.”
- George Bernard Shaw
Plan for the future
Remove what’s unnecessary
Keep what’s required
Protect what’s important
Establish a way to identify it
Find out what it really is
Reduce Cost.
Increase Productivity.
$
Users:
Relevant Information
IT Admins:
Easier Maintenance
Compliance Officers:
Lowered Risks
Where is it?
File Share
SharePoint
Office 365
Databases
Who can access it?
Who owns it?
Who can read it?
Who can edit it?
What is it?
?
File Level Analysis
Content Level Analysis
• Redundant, outdated and trivial (ROT) data
• File types (music, log files, etc.)
• Sensitive data
• Date Created
• Owner
Regulated Data
Data that requires retention / long-term archives
ITAR / export controlled data
Gold copies or replication
Sensitive Data
“Controlled Unclassified Information” (CUI)
PII / PHI / PCI data about employees / citizens
Classified Data
Operational security (OpSec)
Intellectual Property
Classified documents
Tags
Ownership
Purpose
Audience
Sensitivity level
Classify
Is it a record?
Is it high business impact?
Who should have access?
Where should it live?
Identify sensitivity level of the document
Identify retention schedule
Finish with managed keywords for search
Compliant Migration to…
End-of-Life
Another location on the file system for archiving
Another system (SharePoint, Office 365, storage, etc.)
Another location for “legal hold”
Another location on the file system
What does Microsoft offer?
Protect The File
Protect The Access
Protect The System
RMS
CASB
DLP
• Enterprise-Wide Classification
• Data Governance Framework
• Risk Assessment
Say hello to Joe
• It’s Friday 5pm and Joe wants to go home
• He doesn’t have time to classify documents
• Company policy: everything in SharePoint MUST be classified
“RECERTIFICATION”
“ATTESTATION”
“ANNUAL REVIEW”
Hey! Take a look… are the current settings still appropriate?
If no – make the changes.
If yes – sign off on it.
Recertification drivers may be internal (company controls), external (regulatory requirement) or both
We said…
“We won’t expose PII on this system”.
We implemented…
Rules to block PII from sites.
Which resulted in…
Reports to showcase violations over time.
PROVE IT
KRI – Key Risk Indicators Reports
DO IT
KCI – Key Control Indicators Product Configurations
SAY IT
Suggestions on Controls APIA Responses
Data Ownership
Who is responsible for the stuff in here?
Are they still here and willing to own it?
Access Permissions
Who can do what to the stuff in here?
Does Bob still need his access?
Classification
Tell me about the stuff that lives in here…
Is it sensitive?
Is it important?
IT’S NOT ALL OR NOTHING.
On-Prem
Office 365
IaaS or Private Cloud
“I need to maintain full control over my data and have specific data sovereignty requirements.”
“I’d like to cut cost and facilitate collaboration.”
“I’d like to minimize hardware but maintain control.”
• Critical workloads
• Collaboration spaces
• Productivity apps
• Custom solutions
• Full control
• No hardware
• Sensitive workloads
• Data with location restrictions
• Legacy solutions and customizations
• Full Control
Resources
• 2016 Data Breach Ponemon Report
• Office 365 Compliance Center
• Azure Information Protection
• Microsoft Cloud App Security
• AvePoint Online Services
• AvePoint Compliance Guardian