The document discusses compliance management in Office 365, highlighting the importance of customer controls for data protection, incident response, and legal compliance across various jurisdictions. It details built-in capabilities for data loss prevention, archiving, eDiscovery, and communication protection to establish a secure digital environment. The content also outlines how compliance is driven by factors such as geography, industry, and laws, with specific examples related to sensitive information in different countries.

2. Compliance in Office 365
Edge Pereira
Sandy Millar
From Avanade Australia
OSS304

4. Source: Gartner Report: IT Governance, Risk, and Compliance Management Solutions, http://www.gartner.com/resId=1884814

8. Levels and activities are driven by many factors
For example
• Public or private sector
• Industry vertical
• Business activities
• Geography
• Laws or regulation
Example Avanade

10. Built-in Office 365 capabilities
(global compliance)
Customer controls for
compliance for internal policies
• Access Control
• Auditing and Logging
• Continuity Planning
• Incident Response
• Risk Assessment
• Communications Protection
• Identification and Authorisation
• Information Integrity
• Awareness and Training
• Data Loss Prevention
• Archiving
• eDiscovery
• Encryption
• S/MIME
• Legal Hold
• Rights Management

12. •
•
•
•
•
•

13. It is all about customer controls!
Remembering
“A control is a process, function, in fact anything
that supports maintaining compliance”

14. Identify Monitor Protect Educate

16. “Data loss/leak prevention solution is a system that is designed
to detect potential data breach / data ex-filtration transmissions
and prevent them by monitoring, detecting and blocking
sensitive data while in-use (endpoint actions), in-motion
(network traffic), and at-rest (data storage).“[1]
[1] http://en.wikipedia.org/wiki/Data_loss_prevention_software
“Quotation...”
Good definition
http://csrc.nist.gov/groups/SNS/rbac/documents/data-loss.pdf

18. •
•
•
•
•

19. •
•
•
credit cards, and SWIFT codes)
medical account number and TFN)
driver's license)
driver's license and passport number)

20. Country PII Financial Health
USA
US State Security Breach Laws,
US State Social Security Laws, COPPA
GLBA & PCI-DSS
(Credit, Debit Card, Checking and
Savings, ABA, Swift Code)
Limited Investment:
US HIPPA,
UK Health Service,
Canada Health
Insurance card
Rely on Partners
and ISVs
Germany
EU data protection,
Drivers License, Passport National Id
EU Credit, Debit Card,
IBAN, VAT, BIC, Swift Code
UK
Data Protection Act,
UK National Insurance, Tax Id, UK Driver
License, Passport
EU Credit, Debit Card,
IBAN, BIC, VAT, Swift Code
Canada
PIPED Act,
Social Insurance, Drivers License
Credit Card,
Swift Code
France
EU data protection,
Data Protection Act,
National Id (INSEE),
Drivers License, Passport
EU Credit, Debit Card,
IBAN, BIC, VAT,
Swift Code
Japan
PIPA,
Resident Registration, Social Insurance,
Passport, Driving License
Credit Card,
Bank Account,
Swift Code

21. •
•
•
Australian sensitive
information types
provided by Microsoft
• Bank Account Number
• Driver's License Number
• Medicare Account
Number
• Passport Number
• Tax File Number

23. • Protect communications
• Basic level of built-in anti-malware and enhanced spam
filtering to help protect your email environment from
threats
Enforce policy
Data loss prevention (DLP) controls that can detect sensitive data in email
before it is sent and automatically block, hold or notify the sender
Simplify management
Unified administration of anti-spam, anti-malware and data loss prevention
within Exchange

25. [2] Wikipedia (http://en.wikipedia.org/wiki/Electronic_discovery)

26. Find relevant content (documents, emails, Lync conversions)DISCOVERY
PRESERVATION
Place content on legal hold to prevent content modification
and/or removal
Collect and send relevant content for processing
Prepare files for review
PRODUCTION
REVIEW
Lawyers determine which content will be
supplied to opposition
Provide relevant content to opposition
COLLECTION
PROCESSING

27. •
•
•
•

28. Provide a high level of immutability by:
• Preserving data in source
• Protecting from deletion
• Protecting from tampering
Provides easy management via:
• Rich query, location and time based content target
• Across Exchange, Lync and SharePoint
• Using Exchange Admin or eDiscovery Centres

29. •
•

30. •
•
•
•
•
•

31. • Recoverable Items quotas separate from mailbox quotas and
need to be monitored
• Hybrid data sources

36. Comprehensive view of DLP policy
performance
Downloadable Excel workbook
Drill into specific departures from
policy to gain business insights

42. Protect communications

43. Governance, risk management, and compliance
Office 365 Service Descriptions

46. Additional Slides

47. DLP extensibility points

48. Content analysis process
Joseph F. Foster
Visa: 4485 3647 3952 7352
Expires: 2/2012
Get
Content
4485 3647 3952 7352  a 16 digit number
is detected
RegEx
Analysis
1. 4485 3647 3952 7352  matches checksum
2. 1234 1234 1234 1234  does NOT match
Function
Analysis
1. Keyword Visa is near the number
2. A regular expression for date (2/2012)
is near the number
Additional
Evidence
1. There is a regular expression that matches
a check sum
2. Additional evidence increases confidence
Verdict

49. Office 365 Message Encryption – Encrypt messages to any SMTP
address
Information Rights Management – Encrypt content and restrict
usage; usually within own organization or trusted partners
S/MIME – Sign and encrypt messages to users using certificates