1 December 2022| In-person: Copenhagen, Denmark Don’t let Microsoft 365 Governance and Compliance be a roll of the dice. No matter the size of your business, data protection and compliance is critical. 1. Data is exploding 2. Data regulations are increasing around the world 3. Everyone is at risk of a data breach Yet data security and compliance can feel overwhelming. Let me show you how the Microsoft 365 Governance, Risk, and Compliance maturity model can help you reduce risk and improve compliance effectiveness by building a strategy for protecting and managing sensitive and business-critical data.

2. Don't let Microsoft 365 governance
and compliance be a roll of the
dice
Nikki Chapple | MVP
Principal Cloud Architect, CloudWay, UK

3. Nikki Chapple
• 30 years+ experience in IT & business transformation
• Passionate about Microsoft 365 governance & compliance
• Community speaker & blogger
• Co-host on the All things M365 compliance Podcast
nikkichapple
@chapplenikki
www.nikkichapple.com
All things M365 compliance

4. This Photo by Unknown Author is licensed under CC BY

5. No matter the size of your business, data
protection and compliance is critical

6. Remember data is your responsibility

7. Digital technology
revolution
Data regulations
complexity
Cyber threats become
endemic
Yet data protection and compliance can feel overwhelming

8. ~70%
of companies are subject to compliance
with more than five compliance standards

9. 34.7bn
identity threats blocked
Ref: Microsoft Digital Defense Report 2022 | Microsoft Security

10. USD 4.35m
Average total cost of a data breach
Ref: Cost of a Data Breach Report 2022 - United Kingdom | IBM

11. USD 164
Average per record cost of a data breach
Ref: Cost of a Data Breach Report 2022 - United Kingdom | IBM

12. 45%
of breaches occurred in the cloud
Ref: Cost of a Data Breach Report 2022 - United Kingdom | IBM

13. The risks of not being compliant
Loss of trust
and
Reputational
damage
Operational
/ Financial
impacts and
loss
Fines

17. We need to do
more to
protect our
data
Don't let Microsoft 365
governance & compliance
be a roll of the dice

18. So how mature are organisations?

19. State of security maturity in the cloud environment
Not started
17%
Early stages
26%
Midstage
34%
Mature stage
23%
Ref: Cost of a Data Breach Report 2022 - United Kingdom | IBM

20. Most common findings in ransomware response engagements
Ref: Microsoft Digital Defense Report 2022 | Microsoft Security
65%
of companies lacked
information
protection control

21. Microsoft recommend 5 area to focus on
Ref: Microsoft Digital
Defense Report 2022
| Microsoft Security

22. Introducing the Governance, Risk, and
Compliance Maturity Model

23. What is a Maturity Model
100
Start-ups, new
teams and
rapidly created
processes
• plus failing
functions etc.
200
Maturing
organisations
and teams
• plus inefficient
and at-risk
functions
300
Established
organisations
• Stable but not
class leading
functions
400
Successful/
efficient
organisations,
functions and
processes
• Especially regulated
functions
500
Best of breed
• Exemplars

24. Processes
Governance
Strategies
Policies, Monitoring
Culture
Identify
Analyse
Control
Laws
Regulations
Controls
Activities
Governance, Risk, and
Compliance Maturity
Model
https://bit.ly/3gLLFsx

25. 5
Steps for using the Governance,
Risk, and Compliance Maturity
Model to improve your data security
posture

26. 1
This is not just a
technology project
Ref: Microsoft Digital Defense Report 2022 | Microsoft Security

27. GRC
What &
Why
GRC
stance
Benchma
rk
Current
vs.
Future
State
Who,
Where,
How &
When
Monitor
and
Enhance
2
Governance, Risk
and Compliance is
not a project

28. 2
Protect
your data
at multiple
levels
Content
Containers
Applications
Identities,
Devices,
Locations
Regulations
& Policies

29. 4
Take a risk-
based
approach

30. 5
This is a
journey so
you need to
know where
you start

31. Assess your risk & compliance stance

32. Baseline
Microsoft Zero Trust Maturity
Assessment Quiz
• Identities
• Endpoints
• Apps
• Infrastructure
• Data
• Network
https://bit.ly/3OLS57y

33. Baseline - Security Score - Microsoft 365 Defender portal

34. Baseline - Security Score
Scope
• Microsoft 365 (inc Exchange Online)
• Azure Active Directory
• Microsoft Defender for Endpoint
• Microsoft Defender for Identity
• Microsoft Defender for Cloud Apps
• Microsoft Teams

35. Baseline E5 licencing
Microsoft Compliance
Configuration Analyzer (MCCA)
• Microsoft Information Protection
• Data Loss Prevention
• Information Governance
• Records Management
• Insider Risk
• Communication Compliance
• Audit
• eDiscovery
https://bit.ly/3FegpM4

36. Baseline - Compliance Score

37. Compliance Manager scope
Protect
information
Privacy
management
Govern
information
Control access
Manage
devices
Protect
against threats
Discover and
respond
Manage
internal risks
Manage
compliance

38. How are Compliance Scores calculated?

39. Extend - Assessment templates

40. Understand the licencing implications
Business Basic
Business Premium
E3
E5 https://m365maps.com/

41. Improve your GRC maturity

42. Level 100 organisation GRC Posture - Not started
GRC
• Not
understood
People
• Undefined
roles &
responsibilities
Process
• Adhoc &
reactive

43. Level 100 Microsoft 365 posture - Not started
Default tenant
settings
Security
defaults may
not be applied
No data
protection
Default
retention

44. Level 200 GRC Posture - Reactive
GRC
•Compliance
& risk needs
understood
People
•No formal
roles & low
awareness
•IT Admin
responsible
Processes
•Adhoc

45. Level 200 Microsoft 365 posture - Limited
Security defaults in
Azure AD (MFA,
Privileged activities,
block legacy auth)
Manual Sensitivity
labels
Manual Retention
labels

46. Level 300 GRC Posture - Defined
GRC strategy
• Framework
established but
tactical
• Focus on Zero
Trust security
rather than
compliance
People
• Siloed roles &
individual
responsibilities.
Processes
• Tactical &
inconsistent
• Initial privacy risk
management
assessment
• Initial compliance
assessment

47. Level 300 Microsoft 365 posture - Basic
Recommended/
default labels
Sensitivity labels
for containers
Data Loss
Prevention
Org wide
retention
User & Container
lifecycle
governance
Compliance
Manager
baseline
Monitor Message
center

48. Level 400 GRC Posture - Predictable
GRC strategy
• Tailored, controlled &
measured
• Proactive
• Elevate your
compliance program
People
• Executive leadership
• Partnership - business,
IT & Security
• Dedicated roles.
Shared accountability
Processes
• Streamlined &
simplified with metrics
• GRC process to
identify, analyse,
control with
accountability
• Regular compliance &
privacy risk
assessments

49. Level 400 Microsoft 365 posture – Extend E5 licencing
Intelligent &
automated data
classification
Automated
protection &
retention
DLP for sensitive
data
Insider risk
management
Auditing to SIEM
Govern access
decisions based on
sensitivity
Discover and
manage shadow IT
in your network
Compliance
Manager
regulation
templates
Risk based access
controls
Endpoint
management

50. GRC
• Strategic with
continuous
assessment.
• External benchmarks
People
• Proactive
• Business enabler
• Continuous
improvement
• Best of breed
• Pervasive compliance
culture
Process
• Risk based
• Lifecycle management
• Business Continuity
management
• Continuous
improvement
• Extend to supply chain
Level 500 - Optimal

51. Machine
Learning
classification
Event based
retention
Adaptive
scopes
retention
Syntex
3rd party
ingestion of
data
Immutable
backup
Level 500 Microsoft 365 posture – Maximise E5 licencing

52. Summary

53. Practical steps
Establish board accountability
Agree strategy and priorities
Embed cultural change
Establish a programme for continuous improvement
Select initial priority areas for attention
Build tools & processes outside Purview for non-technical control

54. Best practices
You cannot go
from 1% to 100%
on one day
Take crawl-walk-
run approach
Manage based on
risk
Be realistic. Design
something that can be
implemented
You need to
know where you
are now
Involve the right
teams

55. Governance, risk
and compliance
is not a project,
it’s a lifestyle
Start small and grow

57. References
• The Microsoft 365 Maturity Model – Governance, Risk, and Compliance
Competency | Microsoft Learn
• Cost of a Data Breach Report 2022 - United Kingdom | IBM
• Microsoft 365 Compliance Scenario based demo CAT Demo
• Microsoft Zero Trust Maturity Assessment Quiz
• The Comprehensive Playbook for Implementing Zero Trust Security
(azureedge.net)
• Compliance in the era of digital transformation