CONDITIONS AND TERMS OF USE:
© Microsoft Corporation. All rights reserved.
You may use these training materials solely for your personal internal reference and non-commercial purposes. You may not
distribute, transmit, resell or otherwise make these training materials available to any other person or party without express
permission from Microsoft Corporation. URL’s or other internet website references in the training materials may change without
notice. Unless otherwise noted, any companies, organizations, domain names, e-mail addresses, people, places and events
depicted in the training materials are for illustration only and are fictitious. No real association is intended or inferred. THESE
TRAINING MATERIALS ARE PROVIDED “AS IS”; MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED IN
THESE TRAINING MATERIALS.
Given the dynamic nature of Microsoft cloud tools, you
may experience user interface changes that were made
in the Microsoft 365 tenant after the development of this
content that do not match up with information or
screenshots found in this presentation.
If this occurs, we ask that you try to adapt to the changes
and address any questions to your instructor.
Disclaimer: User Interface Changes & Features
After completing this learning unit, you will:
• Understand the scenarios for using Insider Risk Management
• Understand the scenarios for using Communication Compliance
• Understand the scenarios for using Information Barriers
Objectives
In this module we will cover:
• Insider Risk Management
• Communication Compliance
• Information Barriers
Agenda
Insider Risk
Module section Insider Risk Management
Content Release Date 10/09/2020
Permission
Requirements
Insider Risk Management, Insider Risk Management
Admin, Insider Risk Management Analysts and Insider Risk
Management Investigators
License
Requirements
• Microsoft 365 A5/E5 subscription (paid or trial version)
• Microsoft 365 A3/E3 subscription + the Microsoft 365 A5/E5 Compliance add-on
• Microsoft 365 A3/E3 subscription + the Microsoft 365 A5/E5 Insider Risk
Management add-on
*Licensing should always be discussed with your account CSAM to determine specifics. This list is our best understanding at the time the content was created.
Some licenses are user checked and some are service checked. To be compliant, a user must be licensed to benefit from a feature, even if the user can use the feature without having a license assigned.
• Part of the new insider risk solution set in Microsoft 365
• Minimize internal risks by enabling you to detect, investigate, and act on risky
activities within your organization
• Works with Pre-defined and custom policies
• Risk analysts in your organization can quickly take appropriate actions to make sure
users are compliant with your organization's compliance standards
• Help you overcome many modern challenges associated with compliance
• Scanning increasing types of activities and volumes of file actions (download, copy, etc.)
What is Insider Risk Management?
Insider risk management may help address:
• Data theft by departing employee
• Intentional or unintentional leak of sensitive or confidential information
• Actions and behaviors that violate corporate policies
Insider Risk Management Scenarios
Insider Risk Management Dashboard
• To access Insider risk management, from
the M365 admin center, select
Compliance, then Insider risk
management or directly from
https://compliance.microsoft.com
• If you don’t see the Insider risk
management option, you will need to
ensure you have been added to the
Insider Risk Management role.
How to access…
• Microsoft Teams
• Exchange Online
• SharePoint sites
• OneDrive accounts
Supported Channels
• Sensitive info type: Select Add sensitive info type and
select the sensitivity types you want to prioritize. For
example, "U.S. Bank Account Number" and "Credit Card
Number".
• Sensitivity labels: Select Add sensitivity label and select the
labels you want to prioritize. For example, "Confidential"
and "Secret".
Supported Content
Workflow
IRM uses the following workflow to identify risks within your organization:
Pre-defined templates and policy conditions:
• Departing employee data theft
• Data leaks
• Offensive language in email
Phase 1: Policies
Phase 1: Policies (cont.)
New Policy: Departing employee theft
Demo:
• Policy: Departing
employee theft
• Explore policy creation
options
Create a policy
• Step 1: Create an app in Azure Active Directory
• Step 2: Prepare a CSV file with your HR data
• Step 3: Create the HR connector
• Step 4: Run the sample script to upload your HR data
.\HRConnector.ps1 -tenantId <tenantId> -appId <appId> -appSecret <appSecret> -jobId <jobId> -csvFilePath '<csvFilePath>'
• Step 5: Monitor the HR connector
• Step 6: Schedule the script to run automatically
Set up a connector to import HR data
New policy: Data leaks
Demo:
• Policy: Data Leaks
• Explore policy creation
options
Create a policy
• The DLP policy must be configured to send incident reports with a High severity level.
• Make sure you understand and properly configure the in-scope users in both the DLP and insider risk management policies.
Data leaks – DLP requirements
New policy: Offensive language in emails
Demo:
• Policy: Offensive
language in emails
• Explore policy creation
options
Create a policy
• Automatically generated by risk indicators that match
policy conditions and are displayed in the Alerts
dashboard.
• Policies generate a certain amount of low, medium, and
high severity alerts, but you can increase or decrease the
alert volume to suit your needs.
Phase 2: Alerts
• Each report widget displays information for last 30 days.
• Can filter by Status, Severity, Time detected and Policy.
• You can search the alert name for a specific word.
Phase 2: Alerts (cont.)
Alerts Dashboard
• New activities that need investigation automatically
generate alerts that are assigned a “Needs review” status.
• Alerts are resolved by:
• Opening a new case
• Assigning the alert to an existing case
• Dismissing the alert
• Triage process:
• Reviewers can view alert details for the policy match
• View user activity associated with the match
• See the severity of the alert
• Review user profile information
Phase 3: Triage
Triage Process
• Cases are created for alerts that require deeper review and
investigation.
• This area is where risk activity indicators, policy conditions,
alerts details, and employee details are synthesized into an
integrated view for reviewers.
Phase 4: Investigate
The primary investigation tools in this area are:
• User activity: Displayed in an interactive chart that plots risk activities over time
and by risk level for current or past activities.
• Content Explorer: All data files and email messages associated with alert risk
activities are automatically captured and displayed in the Content Explorer.
• Case notes: Reviewers provide notes for a case in this section.
Phase 4: Investigate (cont.)
• The case queue lists all active and closed cases, in addition
to the current state of the following case attributes:
• Case name
• Status
• User
• Time case opened
• Total policy alerts
• Last updated
• Last updated by
Case Attributes
• The Case details pane is available on all case management
tabs and summarizes the case details for risk analysts and
investigators. It includes:
• Case name
• Case status
• User's risk score
• Alerts confirmed
• Content at risk
Case Overview
The User activity tab is one of the most powerful tools
for internal risk analysis and investigation for cases:
1. Date and window time filters: By default, the last six months of alerts
confirmed in the case are displayed in the User activity chart.
2. Risk alert activity and details: Risk activities are visually displayed as
colored bubbles in the User activity chart. Details include:
• Date
• Risk activity category
• Risk score
• Number of events associated with the alert
Tools: User activity (1/2)
3. Risk activity legend: Color-coded legend helps you quickly determine risk
category for each alert
4. Risk activity chronology: Full chronology of all risk alerts associated with the
case are listed, including all the details available in the corresponding alert
bubble
5. Case actions: Options for resolving the case are on the case action toolbar:
• resolve a case
• send an email notice to the employee
• escalate the case for a data or employee investigation
Tools: User activity (2/2)
• The Content Explorer tab allows risk analysts and
investigators to review copies of all individual files and
email messages associated with risk alerts.
• If the employee downloads hundreds of files from
SharePoint Online to a USB device, all the downloaded
files for the alert are captured.
• Content Explorer is a powerful tool with basic and
advanced search and filtering features.
Tools: Content Explorer
• The Case notes tab in the case is where risk analysts and
investigators share comments, feedback, and insights
about their work for the case.
• Notes are permanent additions to a case and cannot be
edited or deleted after the note is saved.
• Risk analysts and investigators can add more contributors.
Tools: Case notes
Risk analysts and investigators can take different actions for
cases:
• Send a notice
• Escalate for investigation
• Run automated tasks with Power Automate flows for the case
• View or create a Microsoft Teams team for the case
• Share the case
• Resolve the case
Phase 5: Action
• In the Microsoft 365 compliance center, go to Insider risk
management and select the Cases tab.
• Select a case, then select the Send e-mail notice button on
the case action toolbar.
• Select the Choose a notice template drop-down control to
select the notice template for the notice.
• Review the notice fields and update as appropriate.
• Select Send to send the notice to the employee.
Send a notice
• In the Microsoft 365 compliance center, go to Insider risk
management and select the Cases tab.
• Select a case, then select the Escalate for investigation
button on the case action toolbar.
• Enter a name for the new employee investigation.
• Select Confirm to create the employee investigation.
Escalate for investigation
• In the Microsoft 365 compliance center, go to Insider risk
management and select the Cases tab.
• Select a case, then select Automate
• Choose the Power Automate flow to run, then select Run
flow
• After the flow has completed, select Done
Run automated tasks with Power Automate
flows for the case
• In the Microsoft 365 compliance center, go to Insider risk
management and select the Cases tab.
• Select a case, then select View Microsoft Teams team *
View or create a Microsoft Teams team for the
case
* Microsoft Teams integration for insider risk
management must be enabled in settings
• In the Microsoft 365 compliance center, go to Insider risk
management and select the Cases tab.
• Select a case, then select Share the case, and select:
• ServiceNow - open an incident, or request a change with your ServiceNow
organization
• Email - Shares a link to the insider risk management case in an email
• Copy link - Copies a link to the insider risk management case to your clipboard
Share the case
• In the Microsoft 365 compliance center, go to Insider risk
management and select the Cases tab.
• Select a case, then select the Resolve case button on the
case action toolbar.
• Select the Resolve as drop-down control to select the
resolution classification for the case.
• Enter the reasons for the resolution classification
in the Action taken text field.
• Select Resolve to close the case.
Resolve the case
Insider risk settings apply to all insider risk management
policies with the following available settings:
• Privacy
• Indicators
• Policy timeframes
• Intelligent detections
• Export alerts
• Priority user groups
• Priority physical assets
• Power Automate flows
• Microsoft Teams
Insider risk settings
You can choose one of the following settings:
• Show anonymized versions of usernames
• Do not show anonymized versions of usernames
Settings: Privacy
• Office indicators: These include policy indicators for SharePoint sites, Teams, and
email messaging.
• Device indicators: These include policy indicators for activity such as sharing files
over the network or with devices.
• Security policy violation indicator: These include indicators from Microsoft
Defender ATP related to unapproved or malicious software installation or bypassing
security controls.
• Risk score boosters: These include raising the risk score for unusual activities or past policy violations. Enabling risk score boosters increases risk scores and the likelihood of alerts for these types of activities.
Settings: Indicators
The following policy timeframes are available:
• Activation window
• Past activity detection
Settings: Policy timeframes
Use these settings to control overall alert volume, file type
exclusions, file volume limits, detection sensitivity and
domains:
• Anomaly detections: File type exclusions & volume cut off limit
• Alert volume: Fewer alerts, Default volume or More alerts
• Microsoft Defender Advanced Threat Protection: To have better visibility of
security violation in your organization, you can import and filter Microsoft
Defender ATP alerts for activities used in policies
• Domains: Unallowed domains, Allowed domains or Third-party domains
Settings: Intelligent detections
Insider risk management alert information is exportable to
security information and event management (SIEM) services.
Settings: Export alerts
Prioritizing the examination and scoring of the activities of
these users can help alert you to potential risks that may
have higher consequences for your organization
Settings: Priority user groups
Physical assets represent priority locations in your
organization
With a physical badging data connector configured, insider risk management integrates signals from your physical control and access systems with other user risk activities
Settings: Priority physical assets
• Notify users when they're added to an insider risk
policy
• Request information from HR or business about a user
in an insider risk case
• Notify manager when a user has an insider risk alert
• Add calendar reminder to follow up on an insider risk
case
Settings: Power Automate flows
• Compliance analysts and investigators can easily use
Microsoft Teams for collaboration on insider risk
management cases
• Coordinate and review response activities for cases in private Teams channels
• Securely share and store files and evidence related to individual cases
• Track and review response activities by analysts and investigators
Settings: Microsoft Teams
Any questions on
Insider Risk
Management?
Lab:
Using your LOD-provided
lab environment, complete
the Insider risk
management (Module 6 –
Tasks 1 and 2) lab and
think how you can apply
this knowledge in your
daily operations.
Insider Risk
Management
Communication Compliance
Module section Communication compliance
Content Release Date 10/09/2020
Permission
Requirements
Supervisory Review Administrator, Case Management,
Compliance Administrator and Review
License
Requirements
• Microsoft 365 A5/E5 subscription (paid or trial version)
• Microsoft 365 A3/E3 subscription + the Microsoft 365 A5/E5 Compliance add-on
• Microsoft 365 A3/E3 subscription + the Microsoft 365 A5/E5 Insider Risk
Management add-on
*Licensing should always be discussed with your account CSAM to determine specifics. This list is our best understanding at the time the content was created.
Some licenses are user checked and some are service checked. To be compliant, a user must be licensed to benefit from a feature, even if the user can use the feature without having a license assigned.
• Part of the new insider risk solution set in Microsoft 365.
• Helps you minimize communication risks by helping you
detect, capture, and take remediation actions for
inappropriate messages.
• Works with Pre-defined and custom policies.
• Reviewers can investigate scanned email, Microsoft Teams,
Yammer or third-party communication.
What is Communication Compliance?
• Help you overcome many modern challenges associated
with compliance:
• Scanning increasing types of communication channels
• The increasing volume of message data
• Regulatory enforcement and the risk of fines
What is Communication Compliance? (Cont.)
Communication compliance may help address these
concerns:
• Corporate Policies
• Risk Management
• Regulatory Compliance
Scenarios
Communication Compliance Dashboard
• To access Communication Compliance, from the M365 admin center, select Compliance, then Communication Compliance. Or directly from https://compliance.microsoft.com
• If you don’t see the Communication
Compliance option, you will need to
ensure you have been added to the
Supervisory Review Administrator role.
How to access
• Microsoft Teams
• Exchange Online
• Skype for Business Online
• Yammer
• Third-party sources: including Instant Bloomberg,
Facebook, Twitter, and others
Supported Communication Channels
To simplify your setup, you can create groups for people
who have their communication reviewed and groups for
people who review those communications.
Supported Group Types
Workflow
Communication compliance workflow allows you to use actionable insights to quickly resolve detected compliance issues.
You can choose from the following policy templates:
• Offensive language and anti-harassment
• Sensitive information
• Regulatory compliance
• Custom policy
Phase 1: Configure
Create a policy
From
Policies tab
From
Communication
Compliance
dashboard
New Policy: Offensive language and anti-harassment
New Policy: Sensitive information
New Policy: Regulatory Compliance
New Policy:
Custom
Policy
You can look deeper into the issues detected as matching, using these actions:
• Alerts
• Issue management
• Document review
• Reviewing user activity history
• Filters
Phase 2: Investigate
This view allows you to quickly see which communication
compliance policies are generating the most alerts ordered
by severity.
Alerts
• Each policy listed includes the count of alerts that need review.
• Selecting a policy displays all the pending alerts for matches to the
policy.
Policies
Filters Results
You can save as default
filter
In addition to scanning for exact terms matching
communication compliance policies, near duplicate
detection groups textually similar terms and messages
together to help speed up your review process.
Exact and near duplicate detection
You can remediate communication compliance issues you've
investigated using the following options:
• Resolve
• Tag a message
• Notify the user
• Escalate to another reviewer
• Mark as a false positive
• Create a case
Phase 3: Remediate
Common actions:
• Tag As
• Escalate
• False positive
Step 1: Examine the message basics
View options:
• Source view
• Text view
• Annotate view
• User history
Step 2: Examine the message details
• Resolve
• Tag As
• Notify (next 2 slides)
• Escalate
• Create a case (Advanced eDiscovery)
• Near Duplicate
• Near Duplicate
• Exact Duplicate
• False positive
• View message details
• Download
• View item history
• Group by family
Step 3: Decide on a remediation action
Create a template notice
Use a notice template
Action available:
• View message details
• View item history
• Download (zip file)
• Group by family
Step 4: Archiving
Use Communication Compliance dashboards, reports,
export logs, and events recorded in the unified Office 365
audit logs to continually evaluate and improve your
compliance posture.
Monitor & Report
• Supervision Policies will no longer be available for creation,
and policies will eventually be removed, after an extended
period of read only access.
• If you use Supervision Policies, be aware that:
• Beginning June 15th, 2020, tenants will not have the ability to create new
Supervision policies.
• Beginning August 31st, 2020, existing policies will stop capturing new messages.
• Beginning October 26th, 2020, existing policies will be deleted.
Transitioning from Supervision Policies
Any questions on
Communication
Compliance?
Lab: Communication
Compliance
Using your LOD-provided
lab environment, complete
the Communication
Compliance (Module 6 –
Tasks 3 and 4) lab and
think how you can apply
this knowledge in your
daily operations.
Information Barriers
Module section Information Barrier
Content Release Date 10/09/2020
Permission
Requirements
Global administrator, Compliance administrator or IB
Compliance Management
License
Requirements
• Microsoft 365 A5/E5 subscription (paid or trial version)
• Microsoft 365 A3/E3 subscription + the Microsoft 365 A5/E5 Compliance add-on
• Microsoft 365 A3/E3 subscription + the Microsoft 365 A5/E5 Insider Risk
Management add-on
*Licensing should always be discussed with your account CSAM to determine specifics. This list is our best understanding at the time the content was created.
Some licenses are user checked and some are service checked. To be compliant, a user must be licensed to benefit from a feature, even if the user can use the feature without having a license assigned.
• Enforce communication policies
• Designed to properly control the flow of information from
one part of the organization to another
• Quarantine information to avoid a breach of confidentiality
• Restrict information sharing between users
• Enforce an “ethical wall”
When to use Information Barriers
Scenarios
• Banking & Finance: Separating advisory and brokering departments to protect insider information from being shared
• Education: Students in one school cannot find contact details of students from a different school
• Professional Services: A group of people inside a company is only allowed to chat with a specific customer (a domain) via federation or guest access during a client engagement
• Department of Defense: Do not show the presence information for a group of people
• Law Firms: Prevent information obtained while representing a client from being disclosed to employees in the same firm who represent other clients
Policy examples
Investment Bankers cannot communicate
with Financial Advisors
Information barrier policies determine and prevent the
following kinds of unauthorized communications via Teams:
• Searching for user
• Adding a member to a team
• Starting a chat session with someone
• Starting a group chat
• Inviting someone to join a meeting
• Sharing a screen
• Placing a call
What happens with Information Barriers
• 1:1 chat - New communication is blocked and the chat
conversation will become read-only.
• Group chat - The user along with the other users who
violate the policy may be removed from group chat and
new communication with the group will not be allowed.
• Team - Any users who have been removed from the group
are removed from the team and will not be able to see or
participate in existing or new conversations.
How policy changes impact existing chats
Teams policies and SharePoint sites
When a team is created a SharePoint site is provisioned.
SharePoint site and files honor the organization’s IB.
Only the users whose IB segment matches per IB policy are
allowed access.
• Make sure prerequisites are met!
• Verify that you have the required licenses and permissions
• Make sure no Exchange address book policies are in place
• Make sure audit logging is turned on
• Plan policies (planning is key; backing out is not easy).
• Segment users in organization.
• Define and apply Information Barrier policies.
Basic workflow for Information Barriers
Prerequisite: Scoped directory search
• Audit logging - In order to look up the status of a policy
application, audit logging must be turned on. We
recommend doing this before you begin to define
segments or policies.
• It may take up to 60 minutes for the change to take effect.
Prerequisite: Enable audit logging
PowerShell cmdlets
available on notes
• No address book policies – Make sure no Exchange
address book policies are in place.
• Information barriers are based on address book policies,
but the two kinds of policies are not compatible.
• If you do have such policies, remove the policies first.
• Once information barrier policies are enabled and you
have hierarchical address book enabled, all users who are
not included in an information barrier segment will see
the hierarchical address book in Exchange online.
Prerequisite: No existing address policies
• Currently, information barrier policies are defined and managed in the Office 365
Security & Compliance Center using PowerShell cmdlets
Connect to Office 365 Security & Compliance Center PowerShell
• You will also need the Az module
Install Az Module
Prerequisite: PowerShell Info Barrier cmdlets
• Determine what policies are needed.
• "Block" policies prevent one group from communicating with another group.
• "Allow" policies allow a group to communicate with only certain other, specific
groups.
• Make a list of segments to define.
• Identify which attributes to use (Make sure your directory
has values for attributes).
• Define segments in terms of policy filters.
Segment users in your organization
Segment attributes
AAD property name | Exchange property name | Value type
Co | Co | String
Company | Company | String
Department | Department | String
ExtensionAttribute1-15 | CustomAttribute1-15 | String
MSExchExtensionCustomAttribute1-5 | ExtensionCustomAttribute1-5 | String
MailNickname | Alias | String
PhysicalDeliveryOfficeName | Office | String
PostalCode | PostalCode | String
ProxyAddresses | EmailAddresses | String
StreetAddress | StreetAddress | String
TargetAddress | ExternalEmailAddress | String
UsageLocation | UsageLocation | A valid two-letter country/region ISO 3166 value
UserPrincipalName | UserPrincipalName | String
Mail | WindowsEmailAddress | String
Description | Description | String
MemberOf | MemberOfGroup | String (can be DN, ExtDirOId or Proxy)
Contoso scenario
*Contoso has five departments: HR, Sales, Marketing, Research, and Manufacturing.
Segment* | Can talk to | Cannot talk to
HR | Everyone | (no restrictions)
Manufacturing | HR, Marketing | Anyone other than HR or Marketing
Marketing | Everyone | (no restrictions)
Research | HR, Marketing, Manufacturing | Sales
Sales | HR, Marketing, Manufacturing | Research
• Defining segments does not impact users
New-OrganizationSegment -Name "segmentname" -UserGroupFilter "attribute -eq 'attributevalue'"
New-OrganizationSegment -Name "HR" -UserGroupFilter "Department -eq 'HR'"
• Try not to define complex segment definitions:
• "Location -eq 'Local'" -and "Position -ne 'Temporary'"
• "MemberOf -eq 'group1@contoso.com' -and MemberOf -ne 'group3@contoso.com'"
• "(MemberOf -eq 'group1@contoso.com' -or MemberOf -eq 'group2@contoso.com') -and MemberOf -ne 'group3@contoso.com'"
Create the segments
New-OrganizationSegment -Name "HR" -UserGroupFilter "Department -eq 'HR'"
New-OrganizationSegment -Name "Manufacturing" -UserGroupFilter "Department -eq 'Manufacturing'"
New-OrganizationSegment -Name "Marketing" -UserGroupFilter "Department -eq 'Marketing'"
New-OrganizationSegment -Name "Engineering" -UserGroupFilter "Department -eq 'Research'"
New-OrganizationSegment -Name "Sales" -UserGroupFilter "Department -eq 'Sales'"
Create the segments: Contoso scenario
• Choose from two kinds (block or allow).
• Ideally, you'll use the minimum number of policies.
• Define your policies (do not apply yet) making sure that
you do not assign more than one policy to a segment.
• Make sure to set those policies to inactive status until you
are ready to apply them.
• When you want to block segments from communicating with each other, you define two policies, one for each direction, as each policy blocks one way only.
Policy definition
New-InformationBarrierPolicy -Name "Allow-HR-to-All" -AssignedSegment "HR" -SegmentsAllowed "HR","Manufacturing","Marketing","Engineering","Sales" -State Inactive
New-InformationBarrierPolicy -Name "Allow-Manufacturing-to-HR-Marketing" -AssignedSegment "Manufacturing" -SegmentsAllowed "HR","Manufacturing","Marketing" -State Inactive
New-InformationBarrierPolicy -Name "Allow-Marketing-to-All" -AssignedSegment "Marketing" -SegmentsAllowed "HR","Manufacturing","Marketing","Engineering","Sales" -State Inactive
New-InformationBarrierPolicy -Name "Block-Engineering-to-Sales-Manufacturing" -AssignedSegment "Engineering" -SegmentsBlocked "Manufacturing","Sales" -State Inactive
New-InformationBarrierPolicy -Name "Block-Sales-to-Engineering-Manufacturing" -AssignedSegment "Sales" -SegmentsBlocked "Manufacturing","Engineering" -State Inactive
Policy definition: Contoso scenario
• Set policies to active status
• Run the policy application
• Can take 30 minutes or so to start
• If your organization is large, it can take 24 hours (or more) for this process to
complete. (As a general guideline, it takes about an hour to process 5,000 user
accounts.)
• View policy status
Application
$a = Get-InformationBarrierPolicy | Where-Object {$_.State -ne "Active"}
$a | foreach {Set-InformationBarrierPolicy -Identity $_.GUID -State Active}
Start-InformationBarrierPoliciesApplication
Get-InformationBarrierPoliciesApplicationStatus -All
Application: Contoso scenario
Excel
Workbook to help you
Note: The current workbook version is limited to one-by-one segment per policy
User experience if policy violated
Action | User experience if policy is violated
Adding members to a team | The user will not show up in search
Start a new private chat | The chat is not created, and an error message appears
Invited a user to join a meeting | The user will not join the meeting and an error message appears
Screen sharing is initiated | The screen share won’t be allowed, and an error message appears
Placing a phone call (VOIP) | The voice call is blocked
Adding members to a team or private chat
Users move between departments
Screen sharing or VOIP call
• Issue:
• User is unable to find or communicate with another user in Microsoft Teams
• User cannot see (or select) another user in Microsoft Teams
• User can see, but cannot send messages to, another user in Microsoft Teams
• Actions:
• Determine if the user has an information barrier policy applied
• Determine whether the users are in the correct segments
• Determine whether filters are applied correctly in information barriers
People blocked from communicating?
• Issue:
• Is the user in the correct segment(s)?
• Actions:
• Make sure your segments are defined correctly.
• Run Get-OrganizationSegment <AssignedSegment>
• Review the details for the segment. If necessary, edit a segment, and then run Start-InformationBarrierPoliciesApplication
• The application might show as not started for up to 30 minutes, because it is implemented as a poll job internally in the data center that picks up work every 30 minutes or so. If your organization is large, it can take 24 hours (or more) for this process to complete.
Is the user in the correct segment(s)?
• Issue(s):
• After you have defined segments, defined information barrier policies, and have
attempted to apply those policies, you may find that the policy is applying to
some recipients, but not to others.
• Actions:
• Run the Get-InformationBarrierPoliciesApplicationStatus cmdlet and search the output for text like this:
• Failed Recipients: 2
• Search in the audit log.
Policy not applied to all designated users
PowerShell cmdlets
available on notes
• Make sure that your organization does not have Exchange address book policies in place. Such policies will prevent information barrier policies from being applied.
• Connect to Exchange Online PowerShell.
• Run the Get-AddressBookPolicy cmdlet and review the results:
  • Exchange address book policies are listed? Remove address book policies.
  • No address book policies exist? Review your audit logs to find out why policy application is failing.
• View status of user accounts, segments, policies, or policy application.
Policies not being applied at all
Start-InformationBarrierPoliciesApplication
Your request failed to complete. Please retry. Error Details:
Microsoft.Exchange.Management.Tasks.AsymmetricPoliciesException,IB Policies are not symmetric. Please ensure that the policies are defined two-ways. For example, if there is a policy where Segment1 cannot communicate with Segment2, then there must be another policy where Segment2 cannot communicate with Segment1.
Status: ProtocolError
Status code: InternalServerError (500)
Status description: Internal Server Error
Application errors: not symmetrical
New-InformationBarrierPolicy -Name "Manufacturing-HRMarketing" -AssignedSegment "Manufacturing" -SegmentsAllowed "HR","Marketing" -State Inactive
Your request failed to complete. Please retry. Error Details:
Microsoft.Exchange.Management.Tasks.SegmentCannotCommunicateWithItselfException,Segment 3564975b-0014-4cf1-afcf-3a6fba1b8ae0 associated with this policy will not be able to communicate with itself. Please correct the SegmentsAllowed or SegmentsBlocked parameter.
Status: ProtocolError
Status code: InternalServerError (500)
Status description: Internal Server Error
Application errors: cannot talk to myself
New-InformationBarrierPolicy -Name "Manufacturing-HRMarketing" -AssignedSegment "Manufacturing" -SegmentsAllowed "HR","Marketing","Manufacturing" -State Inactive
Your request failed to complete. Please retry. Error Details:
Microsoft.Exchange.Management.Tasks.IBPolicyChangedWhileApplyInProgressException,Information Barrier Policies cannot be created or modified while Apply is in progress.
Status: ProtocolError
Status code: InternalServerError (500)
Status description: Internal Server Error
Application errors: in progress
New-InformationBarrierPolicy -Name "Manufacturing-HRMarketing2" -AssignedSegment "Manufacturing" -SegmentsAllowed "HR","Marketing" -State Inactive
Your request failed to complete. Please retry. Error Details:
System.InvalidOperationException,This information barrier segment "Manufacturing" can't be used to create information barrier policy because it is being used by another information barrier policy. Please choose a different information barrier segment.
Status: ProtocolError
Status code: InternalServerError (500)
Status description: Internal Server Error
Application errors: segment can’t be used
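Three of the application errors above (not symmetrical, cannot talk to myself, segment can't be used) can be caught before a policy is created or applied. The following is an added example, not part of the original training deck: an offline pre-flight check over policy objects whose property names mirror the New-InformationBarrierPolicy parameters shown on the slides. The function name Test-IBPolicySet, the Sales and Research segments, and the assumption that exported policies expose Name, AssignedSegment, SegmentsAllowed and SegmentsBlocked are illustrative. Only the block direction is checked for symmetry, because that is the case the error text describes.

```powershell
# Added example: offline pre-flight check for information barrier policies.
# Test-IBPolicySet is a hypothetical helper; the property names mirror the
# New-InformationBarrierPolicy parameters used on the slides.

function Test-IBPolicySet {
    param([Parameter(Mandatory)][object[]]$Policies)

    $findings = New-Object System.Collections.Generic.List[string]

    # "Segment can't be used": a segment may be assigned to only one policy.
    $Policies | Group-Object AssignedSegment | Where-Object Count -gt 1 | ForEach-Object {
        $findings.Add("Segment '$($_.Name)' is assigned to $($_.Count) policies: " +
                      ($_.Group.Name -join ', '))
    }

    # Index: assigned segment -> every segment its policies block.
    $blockedBy = @{}
    foreach ($p in $Policies) {
        if (-not $blockedBy.ContainsKey($p.AssignedSegment)) {
            $blockedBy[$p.AssignedSegment] = @()
        }
        $blockedBy[$p.AssignedSegment] += @($p.SegmentsBlocked | Where-Object { $_ })
    }

    foreach ($p in $Policies) {
        $allowed = @($p.SegmentsAllowed | Where-Object { $_ })
        $blocked = @($p.SegmentsBlocked | Where-Object { $_ })

        # "Cannot talk to myself": an allow list must contain the policy's own
        # segment, and a block list must not contain it.
        if ($allowed.Count -gt 0 -and $allowed -notcontains $p.AssignedSegment) {
            $findings.Add("Policy '$($p.Name)': SegmentsAllowed omits its own segment '$($p.AssignedSegment)'")
        }
        if ($blocked -contains $p.AssignedSegment) {
            $findings.Add("Policy '$($p.Name)': SegmentsBlocked contains its own segment '$($p.AssignedSegment)'")
        }

        # "Not symmetrical": if A blocks B, a policy assigned to B must block A.
        foreach ($other in $blocked) {
            if ($other -eq $p.AssignedSegment) { continue }
            $reverse = $blockedBy.ContainsKey($other) -and
                       ($blockedBy[$other] -contains $p.AssignedSegment)
            if (-not $reverse) {
                $findings.Add("Policy '$($p.Name)' blocks '$other', but no policy assigned to '$other' blocks '$($p.AssignedSegment)'")
            }
        }
    }

    $findings
}

# Constructed sample data. The first two policy names come from the slides;
# Sales and Research are hypothetical segments added to show the symmetry check.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'Manufacturing-HRMarketing';  AssignedSegment = 'Manufacturing'
                       SegmentsAllowed = @('HR', 'Marketing'); SegmentsBlocked = @() }
    [pscustomobject]@{ Name = 'Manufacturing-HRMarketing2'; AssignedSegment = 'Manufacturing'
                       SegmentsAllowed = @('HR', 'Marketing', 'Manufacturing'); SegmentsBlocked = @() }
    [pscustomobject]@{ Name = 'Sales-Research';             AssignedSegment = 'Sales'
                       SegmentsAllowed = @(); SegmentsBlocked = @('Research') }
)

Test-IBPolicySet -Policies $samplePolicies
```

The "in progress" error is not covered here: it depends on tenant state, which Get-InformationBarrierPoliciesApplicationStatus reports.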
Any questions on Information Barriers?
Lab: Information Barrier
Using your LOD-provided lab environment, complete the Information Barrier (Module 6 – Tasks 5 and 6) lab and think how you can apply this knowledge in your daily operations.
Knowledge Check
• Question #1: What are the 3 scenarios to use Insider Risk Management?
  (1) Departing employee; (2) Intentional or unintentional leak of sensitive or confidential information; (3) Violation of corporate policies
• Question #2: What are the 4 policy templates for Communication Compliance?
  (1) Offensive language; (2) Sensitive information; (3) Regulatory compliance and (4) Conflict of interest.
• Question #3: What are the channels supported by Information Barriers?
  Microsoft Teams, SharePoint and OneDrive
Module 6 - Insider Risk.pptx

Module 6 - Insider Risk.pptx

  • 8. Insider Risk Module section Insider Risk Management Content Release Date 10/09/2020 Permission Requirements Insider Risk Management, Insider Risk Management Admin, Insider Risk Management Analysts and Insider Risk Management Investigators License Requirements • Microsoft 365 A5/E5 subscription (paid or trial version) • Microsoft 365 A3/E3 subscription + the Microsoft 365 A5/E5 Compliance add-on • Microsoft 365 A3/E3 subscription + the Microsoft 365 A5/E5 Insider Risk Management add-on *License discussions should always be discussed with your account CSAM to determine specifics. We make best guess to what it is at this moment when content was created. Some licenses are user checked and some are service checked. To be compliant a user must be licensed to benefit from a feature even if the user can use the feature regardless of having a license assigned.
  • 10. • Part of the new insider risk solution set in Microsoft 365 • Minimize internal risks by enabling you to detect, investigate, and act on risky activities within your organization • Works with Pre-defined and custom policies • Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards • Help you overcome many modern challenges associated with compliance • Scanning increasing types of activities and volume files action (download, copy, etc.) What is Insider Risk Management?
  • 11. Insider risk management may help address: • Data theft by departing employee • Intentional or unintentional leak of sensitive or confidential information • Actions and behaviors that violate corporate policies Insider Risk Management Scenarios
  • 13. • To access Insider risk management, from the M365 admin center, select Compliance, then Insider risk management or directly from https://compliance.microsoft.com • If you don’t see the Insider risk management option, you will need to ensure you have been added to the Insider Risk Management role. How to access…
  • 14. • Microsoft Teams • Exchange Online • SharePoint sites • OneDrive accounts Supported Channels
  • 15. • Sensitive info type: Select Add sensitive info type and select the sensitivity types you want to prioritize. For example, "U.S. Bank Account Number" and "Credit Card Number". • Sensitivity labels: Select Add sensitivity label and select the labels you want to prioritize. For example, "Confidential" and "Secret". Supported Content
  • 17. Workflow IRM uses the following workflow to identify risks within your organization:
  • 18. Pre-defined templates and policy conditions: • Departing employee data theft • Data leaks • Offensive language in email Phase 1: Policies
  • 19. Phase 1: Policies (cont.)
  • 20. New Policy: Departing employee theft
  • 21. Demo: • Policy: Departing employee theft • Explore policy creation options Create a policy
  • 22. Set up a connector to import HR data
    • Step 1: Create an app in Azure Active Directory
    • Step 2: Prepare a CSV file with your HR data
    • Step 3: Create the HR connector
    • Step 4: Run the sample script to upload your HR data
        .\HRConnector.ps1 -tenantId <tenantId> -appId <appId> -appSecret <appSecret> -jobId <jobId> -csvFilePath '<csvFilePath>'
    • Step 5: Monitor the HR connector
    • Step 6: Schedule the script to run automatically
  • 24. Demo: • Policy: Data Leaks • Explore policy creation options Create a policy
  • 25. • DLP must be configured to send Incident report with High severity level. • Make sure you understand and properly configure the in-scope users in both the DLP and insider risk management policies. Data leaks – DLP requirements
  • 26. New policy: Offensive language in emails
  • 27. Demo: • Policy: Offensive language in emails • Explore policy creation options Create a policy
  • 28. • Automatically generated by risk indicators that match policy conditions and are displayed in the Alerts dashboard. • Policies generate a certain amount of low, medium, and high severity alerts, but you can increase or decrease the alert volume to suit your needs. Phase 2: Alerts
  • 29. • Each report widget displays information for last 30 days. • Can filter by Status, Severity, Time detected and Policy. • You can search the alert name for a specific word. Phase 2: Alerts (cont.)
  • 31. Workflow IRM uses the following workflow to identify risks within your organization:
  • 32. • New activities that need investigation automatically generate alerts that are assigned a “Needs review” status. • Alerts are resolved by: • Opening a new case • Assigning the alert to an existing case • Dismissing the alert • Triage process: • Reviewers can view alert details for the policy match • View user activity associated with the match • See the severity of the alert • Review user profile information Phase 3: Triage
  • 34. Workflow IRM uses the following workflow to identify risks within your organization:
  • 35. • Cases are created for alerts that require deeper review and investigation. • This area is where risk activity indicators, policy conditions, alerts details, and employee details are synthesized into an integrated view for reviewers. Phase 4: Investigate
  • 36. The primary investigation tools in this area are: • User activity: Displayed in an interactive chart that plots risk activities over time and by risk level for current or past activities. • Content Explorer: All data files and email messages associated with alert risk activities are automatically captured and displayed in the Content Explorer. • Case notes: Reviewers provide notes for a case in this section. Phase 4: Investigate (cont.)
  • 37. • The case queue lists all active and closed cases, in addition to the current state of the following case attributes: • Case name • Status • User • Time case opened • Total policy alerts • Last updated • Last updated by Case Attributes
  • 38. • The Case details pane is available on all case management tabs and summarizes the case details for risk analysts and investigators. It includes: • Case name • Case status • User's risk score • Alerts confirmed • Content at risk Case Overview
  • 39. The User activity tab is one of the most powerful tools for internal risk analysis and investigation for cases: 1. Date and window time filters: By default, the last six months of alerts confirmed in the case are displayed in the User activity chart. 2. Risk alert activity and details: Risk activities are visually displayed as colored bubbles in the User activity chart. Details include: • Date • Risk activity category • Risk score • Number of events associated with the alert Tools: User activity (1/2)
  • 40. 3. Risk activity legend: Color-coded legend helps you quickly determine risk category for each alert 4. Risk activity chronology: Full chronology of all risk alerts associated with the case are listed, including all the details available in the corresponding alert bubble 5. Case actions: Options for resolving the case are on the case action toolbar: • resolve a case • send an email notice to the employee • escalate the case for a data or employee investigation Tools: User activity (2/2)
  • 42. • The Content Explorer tab allows risk analysts and investigators to review copies of all individual files and email messages associated with risk alerts. • If the employee downloads hundreds of files from SharePoint Online to a USB device, all the downloaded files for the alert are captured. • Content Explorer is a powerful tool with basic and advanced search and filtering features. Tools: Content Explorer
  • 44. • The Case notes tab in the case is where risk analysts and investigators share comments, feedback, and insights about their work for the case. • Notes are permanent additions to a case and cannot be edited or deleted after the note is saved. • Risk analysts and investigators can add more contributors. Tools: Case notes
  • 45. Workflow IRM uses the following workflow to identify risks within your organization:
  • 46. Risk analysts and investigators can take different actions for cases: • Send a notice • Escalate for investigation • Run automated tasks with Power Automate flows for the case • View or create a Microsoft Teams team for the case • Share the case • Resolve the case Phase 5: Action
  • 47. • In the Microsoft 365 compliance center, go to Insider risk management and select the Cases tab. • Select a case, then select the Send e-mail notice button on the case action toolbar. • Select the Choose a notice template drop-down control to select the notice template for the notice. • Review the notice fields and update as appropriate. • Select Send to send the notice to the employee. Send a notice
  • 48. • In the Microsoft 365 compliance center, go to Insider risk management and select the Cases tab. • Select a case, then select the Escalate for investigation button on the case action toolbar. • Enter a name for the new employee investigation. • Select Confirm to create the employee investigation. Escalate for investigation
  • 49. • In the Microsoft 365 compliance center, go to Insider risk management and select the Cases tab. • Select a case, then select Automate • Choose the Power Automate flow to run, then select Run flow • After the flow has completed, select Done Run automated tasks with Power Automate flows for the case
  • 50. • In the Microsoft 365 compliance center, go to Insider risk management and select the Cases tab. • Select a case, then select View Microsoft Teams team * View or create a Microsoft Teams team for the case * Microsoft Teams integration for insider risk management must be enabled in settings
  • 51. • In the Microsoft 365 compliance center, go to Insider risk management and select the Cases tab. • Select a case, then select Share the case, and select: • ServiceNow - open an incident, or request a change with your ServiceNow organization • Email - Shares a link to the insider risk management case in an email • Copy link - Copies a link to the insider risk management case to your clipboard Share the case
  • 52. • In the Microsoft 365 compliance center, go to Insider risk management and select the Cases tab. • Select a case, then select the Resolve case button on the case action toolbar. • Select the Resolve as drop-down control to select the resolution classification for the case. • Enter the reasons for the resolution classification in the Action taken text field. • Select Resolve to close the case. Resolve the case
  • 54. Insider risk settings apply to all insider risk management policies with the following available settings: • Privacy • Indicators • Policy timeframes • Intelligent detections • Export alerts • Priority user groups • Priority physical assets • Power Automate flows • Microsoft Teams Insider risk settings
  • 55. You can choose one of the following settings: • Show anonymized versions of usernames • Do not show anonymized versions of usernames Settings: Privacy
  • 56. • Office indicators: These include policy indicators for SharePoint sites, Teams, and email messaging. • Device indicators: These include policy indicators for activity such as sharing files over the network or with devices. • Security policy violation indicator: These include indicators from Microsoft Defender ATP related to unapproved or malicious software installation or bypassing security controls. • Risk score boosters: These include raising the risk score for unusual activities or past policy violations. Enabling risk score boosters increases risk scores and the likelihood of alerts for these types of activities. Settings: Indicators
  • 57. The following policy timeframes are available: • Activation window • Past activity detection Settings: Policy timeframes
  • 58. Use these settings to control overall alert volume, file type exclusions, file volume limits, detection sensitivity and domains: • Anomaly detections: File type exclusions & volume cut off limit • Alert volume: Fewer alerts, Default volume or More alerts • Microsoft Defender Advanced Threat Protection: To have better visibility of security violation in your organization, you can import and filter Microsoft Defender ATP alerts for activities used in policies • Domains: Unallowed domains, Allowed domains or Third-party domains Settings: Intelligent detections
  • 59. Insider risk management alert information is exportable to security information and event management (SIEM) services. Settings: Export alerts
  • 60. Prioritizing the examination and scoring of the activities of these users can help alert you to potential risks that may have higher consequences for your organization Settings: Priority user groups
  • 61. • Physical assets represent priority locations in your organization • With a physical badging data connector configured, insider risk management integrates signals from your physical control and access systems with other user risk activities Settings: Priority physical assets
  • 62. • Notify users when they're added to an insider risk policy • Request information from HR or business about a user in an insider risk case • Notify manager when a user has an insider risk alert • Add calendar reminder to follow up on an insider risk case Settings: Power Automate flows
  • 63. • Compliance analysts and investigators can easily use Microsoft Teams for collaboration on insider risk management cases • Coordinate and review response activities for cases in private Teams channels • Securely share and store files and evidence related to individual cases • Track and review response activities by analysts and investigators Settings: Microsoft Teams
  • 64. Any questions on Insider Risk Management?
  • 65. Lab: Using your LOD-provided lab environment, complete the Insider risk management (Module 6 – Tasks 1 and 2) lab and think how you can apply this knowledge in your daily operations. Insider Risk Management
  • 67. Communication Compliance
    Module section: Communication compliance
    Content Release Date: 10/09/2020
    Permission Requirements: Supervisory Review Administrator, Case Management, Compliance Administrator and Review
    License Requirements:
      • Microsoft 365 A5/E5 subscription (paid or trial version)
      • Microsoft 365 A3/E3 subscription + the Microsoft 365 A5/E5 Compliance add-on
      • Microsoft 365 A3/E3 subscription + the Microsoft 365 A5/E5 Insider Risk Management add-on
    * Licensing should always be discussed with your account CSAM to determine specifics. The requirements listed are our best guess as of when this content was created. Some licenses are user checked and some are service checked. To be compliant, a user must be licensed to benefit from a feature, even if the user can use the feature whether or not a license is assigned.
  • 69. • Part of the new insider risk solution set in Microsoft 365. • Helps you minimize communication risks by helping you detect, capture, and take remediation actions for inappropriate messages. • Works with Pre-defined and custom policies. • Reviewers can investigate scanned email, Microsoft Teams, Yammer or third-party communication. What is Communication Compliance?
  • 70. • Helps you overcome many modern challenges associated with compliance: • Scanning increasing types of communication channels • The increasing volume of message data • Regulatory enforcement and the risk of fines What is Communication Compliance? (Cont.)
  • 71. Communication compliance may help address these concerns: • Corporate Policies • Risk Management • Regulatory Compliance Scenarios
  • 73. • To access Communication Compliance, from the M365 admin center, select Compliance, then Communication Compliance, or go directly to https://compliance.microsoft.com • If you don’t see the Communication Compliance option, you will need to ensure you have been added to the Supervisory Review Administrator role. How to access
  • 74. • Microsoft Teams • Exchange Online • Skype for Business Online • Yammer • Third-party sources: including Instant Bloomberg, Facebook, Twitter, and others Supported Communication Channels
  • 75. To simplify your setup, you can create groups for people who have their communication reviewed and groups for people who review those communications. Supported Group Types
  • 77. Workflow Communication compliance workflow allows you to use actionable insights to quickly resolve detected compliance issues.
  • 78. You can choose from the following policy templates: • Offensive language and anti-harassment • Sensitive information • Regulatory compliance • Custom policy Phase 1: Configure
  • 79. Create a policy From Policies tab From Communication Compliance dashboard
  • 80. New Policy: Offensive language and anti-harassment
  • 81. New Policy: Sensitive information
  • 84. Workflow Communication compliance workflow allows you to use actionable insights to quickly resolve detected compliance issues.
  • 85. You can look deeper into the issues detected as matching, using these actions: • Alerts • Issue management • Document review • Reviewing user activity history • Filters Phase 2: Investigate
  • 86. This view allows you to quickly see which communication compliance policies are generating the most alerts ordered by severity. Alerts
  • 87. • Each policy listed includes the count of alerts that need review. • Selecting a policy displays all the pending alerts for matches to the policy. Policies
  • 88. Filters Results You can save as default filter
  • 89. In addition to scanning for exact terms matching communication compliance policies, near duplicate detection groups textually similar terms and messages together to help speed up your review process. Exact and near duplicate detection
  • 90. Workflow Communication compliance workflow allows you to use actionable insights to quickly resolve detected compliance issues.
  • 91. You can remediate communication compliance issues you've investigated using the following options: • Resolve • Tag a message • Notify the user • Escalate to another reviewer • Mark as a false positive • Create a case Phase 3: Remediate
  • 92. Common actions: • Tag As • Escalate • False positive Step 1: Examine the message basics
  • 93. View options: • Source view • Text view • Annotate view • User history Step 2: Examine the message details
  • 94. • Resolve • Tag As • Notify (next 2 slides) • Escalate • Create a case (Advanced eDiscovery) • Near Duplicate • Near Duplicate • Exact Duplicate • False positive • View message details • Download • View item history • Group by family Step 3: Decide on a remediation action
  • 96. Use a notice template
  • 97. Action available: • View message details • View item history • Download (zip file) • Group by family Step 4: Archiving
  • 98. Workflow Communication compliance workflow allows you to use actionable insights to quickly resolve detected compliance issues.
  • 99. Use Communication Compliance dashboards, reports, export logs, and events recorded in the unified Office 365 audit logs to continually evaluate and improve your compliance posture. Monitor & Report
  • 101. • Supervision Policies will no longer be available for creation, and policies will eventually be removed, after an extended period of read only access. • If you use Supervision Policies, be aware that: • Beginning June 15th, 2020, tenants will not have the ability to create new Supervision policies. • Beginning August 31st, 2020, existing policies will stop capturing new messages. • Beginning October 26th, 2020, existing policies will be deleted. Transitioning from Supervision Policies
  • 103. Lab: Communication Compliance Using your LOD-provided lab environment, complete the Communication Compliance (Module 6 – Tasks 3 and 4) lab and think how you can apply this knowledge in your daily operations.
  • 105. Information Barriers
    Module section: Information Barrier
    Content Release Date: 10/09/2020
    Permission Requirements: Global administrator, Compliance administrator or IB Compliance Management
    License Requirements:
      • Microsoft 365 A5/E5 subscription (paid or trial version)
      • Microsoft 365 A3/E3 subscription + the Microsoft 365 A5/E5 Compliance add-on
      • Microsoft 365 A3/E3 subscription + the Microsoft 365 A5/E5 Insider Risk Management add-on
    * Licensing should always be discussed with your account CSAM to determine specifics. The requirements listed are our best guess as of when this content was created. Some licenses are user checked and some are service checked. To be compliant, a user must be licensed to benefit from a feature, even if the user can use the feature whether or not a license is assigned.
  • 107. • Enforce communication policies • Designed to properly control the flow of information from one part of the organization to another • Quarantine information to avoid a breach of confidentiality • Restrict information sharing between users • Enforce an “ethical wall” When to use Information Barriers
  • 108. Scenarios
    • Banking & Finance: Separating advisory and brokering departments; protect insider information from being shared
    • Education: Students in one school cannot look up or find contact details of students from a different school
    • Professional Services: A group of people inside a company is only allowed to chat with a specific customer (a domain) via federation or guest access during a client engagement
    • Department of Defense: Do not show the presence information for a group of people
    • Law Firms: Prevent information obtained while representing a client from being disclosed to employees in the same firm who represent other clients
  • 109. Policy examples Investment Bankers cannot communicate with Financial Advisors
  • 110. Information barrier policies determine and prevent the following kinds of unauthorized communications via Teams: • Searching for user • Adding a member to a team • Starting a chat session with someone • Starting a group chat • Inviting someone to join a meeting • Sharing a screen • Placing a call What happens with Information Barriers
  • 111. • 1:1 chat - New communication is blocked and the chat conversation will become read-only. • Group chat - The user along with the other users who violate the policy may be removed from group chat and new communication with the group will not be allowed. • Team - Any users who have been removed from the group are removed from the team and will not be able to see or participate in existing or new conversations. How policy changes impact existing chats
  • 112. Teams policies and SharePoint sites When a team is created a SharePoint site is provisioned. SharePoint site and files honor the organization’s IB. Only the users whose IB segment matches per IB policy are allowed access.
  • 114. • Make sure prerequisites are met! • Verify that you have the required licenses and permissions • Make sure no Exchange address book policies are in place • Make sure audit logging is turned on • Plan policies (planning is key; backing out is not easy). • Segment users in organization. • Define and apply Information Barrier policies. Basic workflow for Information Barriers
  • 116. • Audit logging - In order to look up the status of a policy application, audit logging must be turned on. We recommend doing this before you begin to define segments or policies. • It may take up to 60 minutes for the change to take effect. Prerequisite: Enable audit logging PowerShell cmdlets available on notes
  • 117. • No address book policies – Make sure no Exchange address book policies are in place. • Information barriers are based on address book policies, but the two kinds of policies are not compatible. • If you do have such policies, remove the policies first. • Once information barrier policies are enabled and you have hierarchical address book enabled, all users who are not included in an information barrier segment will see the hierarchical address book in Exchange online. Prerequisite: No existing address policies PowerShell cmdlets available on notes
  • 118. • Currently, information barrier policies are defined and managed in the Office 365 Security & Compliance Center using PowerShell cmdlets (see: Connect to Office 365 Security & Compliance Center PowerShell) • You will also need the Az module (see: Install Az Module) Prerequisite: PowerShell Info Barrier cmdlets PowerShell cmdlets available on notes
  • 119. • Determine what policies are needed. • "Block" policies prevent one group from communicating with another group. • "Allow" policies allow a group to communicate with only certain other, specific groups. • Make a list of segments to define. • Identify which attributes to use (Make sure your directory has values for attributes). • Define segments in terms of policy filters. Segment users in your organization
  • 120. Segment attributes
    | AAD property name | Exchange property name | Value type |
    |---|---|---|
    | Co | Co | String |
    | Company | Company | String |
    | Department | Department | String |
    | ExtensionAttribute1-15 | CustomAttribute1-15 | String |
    | MSExchExtensionCustomAttribute1-5 | ExtensionCustomAttribute1-5 | String |
    | MailNickname | Alias | String |
    | PhysicalDeliveryOfficeName | Office | String |
    | PostalCode | PostalCode | String |
    | ProxyAddresses | EmailAddresses | String |
    | StreetAddress | StreetAddress | String |
    | TargetAddress | ExternalEmailAddress | String |
    | UsageLocation | UsageLocation | A valid two-letter country/region ISO 3166 value |
    | UserPrincipalName | UserPrincipalName | String |
    | Mail | WindowsEmailAddress | String |
    | Description | Description | String |
    | MemberOf | MemberOfGroup | String (can be DN, ExtDirOId or Proxy) |
  • 121. Contoso scenario
    | Segment* | Can talk to | Cannot talk to |
    |---|---|---|
    | HR | Everyone | (no restrictions) |
    | Manufacturing | HR, Marketing | Anyone other than HR or Marketing |
    | Marketing | Everyone | (no restrictions) |
    | Research | HR, Marketing, Manufacturing | Sales |
    | Sales | HR, Marketing, Manufacturing | Research |
    * Contoso has five departments: HR, Sales, Marketing, Research, and Manufacturing.
  • 122. Create the segments
    • Defining segments does not impact users
        New-OrganizationSegment -Name "segmentname" -UserGroupFilter "attribute -eq 'attributevalue'"
        New-OrganizationSegment -Name "HR" -UserGroupFilter "Department -eq 'HR'"
    • Try not to define complex segment definitions:
        "Location -eq 'Local' -and Position -ne 'Temporary'"
        "MemberOf -eq 'group1@contoso.com' -and MemberOf -ne 'group3@contoso.com'"
        "(MemberOf -eq 'group1@contoso.com' -or MemberOf -eq 'group2@contoso.com') -and MemberOf -ne 'group3@contoso.com'"
  • 123. Create the segments: Contoso scenario
        # One segment per department, selected by the Department attribute
        New-OrganizationSegment -Name "HR" -UserGroupFilter "Department -eq 'HR'"
        New-OrganizationSegment -Name "Manufacturing" -UserGroupFilter "Department -eq 'Manufacturing'"
        New-OrganizationSegment -Name "Marketing" -UserGroupFilter "Department -eq 'Marketing'"
        New-OrganizationSegment -Name "Engineering" -UserGroupFilter "Department -eq 'Research'"
        New-OrganizationSegment -Name "Sales" -UserGroupFilter "Department -eq 'Sales'"
    PowerShell cmdlets available on notes
  • 124. • Choose from two kinds (block or allow). • Ideally, you'll use the minimum number of policies. • Define your policies (do not apply yet), making sure that you do not assign more than one policy to a segment. • Make sure to set those policies to inactive status until you are ready to apply them. • When you want to block segments from communicating with each other, you define two policies, one for each direction, as each policy blocks one way only. Policy definition
  • 125. Policy definition: Contoso scenario
        # Allow policies list every segment the assigned segment may reach, including itself
        New-InformationBarrierPolicy -Name "Allow-HR-to-All" -AssignedSegment "HR" -SegmentsAllowed "HR","Manufacturing","Marketing","Engineering","Sales" -State Inactive
        New-InformationBarrierPolicy -Name "Allow-Manufacturing-to-HR-Marketing" -AssignedSegment "Manufacturing" -SegmentsAllowed "HR","Manufacturing","Marketing" -State Inactive
        New-InformationBarrierPolicy -Name "Allow-Marketing-to-All" -AssignedSegment "Marketing" -SegmentsAllowed "HR","Manufacturing","Marketing","Engineering","Sales" -State Inactive
        # Block policies are defined once per direction
        New-InformationBarrierPolicy -Name "Block-Engineering-to-Sales-Manufacturing" -AssignedSegment "Engineering" -SegmentsBlocked "Manufacturing","Sales" -State Inactive
        New-InformationBarrierPolicy -Name "Block-Sales-to-Engineering-Manufacturing" -AssignedSegment "Sales" -SegmentsBlocked "Manufacturing","Engineering" -State Inactive
    PowerShell cmdlets available on notes
  • 126. • Set policies to active status • Run the policy application • Can take 30 minutes or so to start • If your organization is large, it can take 24 hours (or more) for this process to complete. (As a general guideline, it takes about an hour to process 5,000 user accounts.) • View policy status Application
  • 127. Application: Contoso scenario
        # Collect every policy that is not yet active and activate it
        $a = Get-InformationBarrierPolicy | Where-Object {$_.State -ne "Active"}
        $a | foreach {Set-InformationBarrierPolicy -Identity $_.GUID -State Active}
        # Start the policy application, then check its progress
        Start-InformationBarrierPoliciesApplication
        Get-InformationBarrierPoliciesApplicationStatus -All
    PowerShell cmdlets available on notes
  • 128. Excel Workbook to help you Note: The current workbook version is limited to one-by-one segment per policy
  • 130. User experience if policy violated
    | Action | User experience if policy is violated |
    |---|---|
    | Adding members to a team | The user will not show up in search |
    | Start a new private chat | The chat is not created, and an error message appears |
    | Invited a user to join a meeting | The user will not join the meeting and an error message appears |
    | Screen sharing is initiated | The screen share won’t be allowed, and an error message appears |
    | Placing a phone call (VOIP) | The voice call is blocked |
  • 131. Adding members to a team or private chat
  • 132. Users move between departments
  • 133. Screen sharing or VOIP call
  • 135. • Issue: • User is unable to find or communicate with another user in Microsoft Teams • User cannot see (or select) another user in Microsoft Teams • User can see, but cannot send messages to, another user in Microsoft Teams • Actions: • Determine if the user has an information barrier policy applied • Determine whether the users are in the correct segments • Determine whether filters are applied correctly in information barriers People blocked from communicating? PowerShell cmdlets available on notes
  • 136. • Issue: • Is the user in the correct segment(s)? • Actions: • Make sure your segments are defined correctly. • Run Get-OrganizationSegment <AssignedSegment> • Review the details for the segment. If necessary, edit a segment, and then run Start-InformationBarrierPoliciesApplication • The application might report "not started" for up to 30 minutes, because it is implemented internally as a polling job in the data center that picks up requests every 30 minutes or so. If your organization is large, it can take 24 hours (or more) for this process to complete. Is the user in the correct segment(s)? PowerShell cmdlets available on notes
  • 137. • Issue(s): • After you have defined segments, defined information barrier policies, and have attempted to apply those policies, you may find that the policy is applying to some recipients, but not to others. • Actions: • Run the Get-InformationBarrierPoliciesApplicationStatus cmdlet and search the output for text like this: Failed Recipients: 2 • Search in the audit log. Policy not applied to all designated users PowerShell cmdlets available on notes
  • 138. • Make sure that your organization does not have Exchange address book policies in place. Such policies will prevent information barrier policies from being applied. • Connect to Exchange Online PowerShell. • Run the Get-AddressBookPolicy cmdlet and review the results: • Exchange address book policies are listed? Remove address book policies. • No address book policies exist? Review your audit logs to find out why policy application is failing. • View status of user accounts, segments, policies, or policy application. Policies not being applied at all
  • 139. Application errors: not symmetrical
        Start-InformationBarrierPoliciesApplication
        Your request failed to complete. Please retry. Error Details: Microsoft.Exchange.Management.Tasks.AsymmetricPoliciesException,IB Policies are not symmetric. Please ensure that the policies are defined two-ways. For example, if there is a policy where Segment1 cannot communicate with Segment2, then there must be another policy where Segment2 cannot communicate with Segment1.
        Status: ProtocolError
        Status code: InternalServerError (500)
        Status description: Internal Server Error
  • 140. Application errors: cannot talk to myself
        New-InformationBarrierPolicy -Name "Manufacturing-HRMarketing" -AssignedSegment "Manufacturing" -SegmentsAllowed "HR","Marketing" -State Inactive
        Your request failed to complete. Please retry. Error Details: Microsoft.Exchange.Management.Tasks.SegmentCannotCommunicateWithItselfException,Segment 3564975b-0014-4cf1-afcf-3a6fba1b8ae0 associated with this policy will not be able to communicate with itself. Please correct the SegmentsAllowed or SegmentsBlocked parameter.
        Status: ProtocolError
        Status code: InternalServerError (500)
        Status description: Internal Server Error
  • 141. Application errors: in progress
        New-InformationBarrierPolicy -Name "Manufacturing-HRMarketing" -AssignedSegment "Manufacturing" -SegmentsAllowed "HR","Marketing","Manufacturing" -State Inactive
        Your request failed to complete. Please retry. Error Details: Microsoft.Exchange.Management.Tasks.IBPolicyChangedWhileApplyInProgressException,Information Barrier Policies cannot be created or modified while Apply is in progress.
        Status: ProtocolError
        Status code: InternalServerError (500)
        Status description: Internal Server Error
  • 142. Application errors: segment can’t be used
        New-InformationBarrierPolicy -Name "Manufacturing-HRMarketing2" -AssignedSegment "Manufacturing" -SegmentsAllowed "HR","Marketing" -State Inactive
        Your request failed to complete. Please retry. Error Details: System.InvalidOperationException,This information barrier segment "Manufacturing" can't be used to create information barrier policy because it is being used by another information barrier policy. Please choose a different information barrier segment.
        Status: ProtocolError
        Status code: InternalServerError (500)
        Status description: Internal Server Error
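The policy-definition guidance on slide 124 and the application errors on slides 139, 140 and 142 describe rules that can be checked offline before any policy is created. The following PowerShell is an added example, not Microsoft's code and not part of the original deck: `New-IBPolicyDefinition`, `Test-IBCanTalk` and `Test-IBPolicySet` are hypothetical helpers, the policy objects are constructed from the slide text, and the symmetry test approximates the service-side check on the assumption that a segment with no policy is unrestricted.

```powershell
# Added example: offline pre-flight check of information barrier policy definitions.
# It never calls Microsoft 365. The objects below are constructed sample data that
# mirror the New-InformationBarrierPolicy parameters shown on the slides.

function New-IBPolicyDefinition {            # hypothetical helper, not a Microsoft cmdlet
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$AssignedSegment,
        [string[]]$SegmentsAllowed = @(),
        [string[]]$SegmentsBlocked = @()
    )
    [pscustomobject]@{
        Name            = $Name
        AssignedSegment = $AssignedSegment
        SegmentsAllowed = $SegmentsAllowed
        SegmentsBlocked = $SegmentsBlocked
    }
}

function Test-IBCanTalk {                    # hypothetical helper
    # $true when the policy lets its assigned segment reach $Target.
    param($Policy, [string]$Target)
    if ($null -eq $Policy) { return $true }  # assumption: no policy means no restriction
    if ($Policy.SegmentsAllowed.Count -gt 0) {
        return ($Policy.SegmentsAllowed -contains $Target)      # allow policy: listed only
    }
    return ($Policy.SegmentsBlocked -notcontains $Target)        # block policy: all but listed
}

function Test-IBPolicySet {                  # hypothetical helper
    # Emits one finding string per problem; no output means the set passed.
    param([object[]]$Policies, [string[]]$Segments)

    $bySegment = @{}
    foreach ($p in $Policies) {
        # Slide 142: a segment can be assigned to only one policy.
        if ($bySegment.ContainsKey($p.AssignedSegment)) {
            "Segment '$($p.AssignedSegment)' is already used by policy '$($bySegment[$p.AssignedSegment].Name)'; '$($p.Name)' would be rejected"
            continue
        }
        $bySegment[$p.AssignedSegment] = $p
        # Slide 140: the assigned segment must be able to communicate with itself.
        if (-not (Test-IBCanTalk -Policy $p -Target $p.AssignedSegment)) {
            "Policy '$($p.Name)': segment '$($p.AssignedSegment)' cannot communicate with itself"
        }
    }

    # Slide 139: reachability must be the same in both directions for every pair.
    for ($i = 0; $i -lt $Segments.Count; $i++) {
        for ($j = $i + 1; $j -lt $Segments.Count; $j++) {
            $a = $Segments[$i]
            $b = $Segments[$j]
            $aToB = Test-IBCanTalk -Policy $bySegment[$a] -Target $b
            $bToA = Test-IBCanTalk -Policy $bySegment[$b] -Target $a
            if ($aToB -ne $bToA) {
                if ($aToB) { $canReach, $cannotReach = $a, $b } else { $canReach, $cannotReach = $b, $a }
                "Not symmetric: '$cannotReach' cannot reach '$canReach', but '$canReach' can still reach '$cannotReach'"
            }
        }
    }
}

# Segment names from slide 123.
$segments = 'HR', 'Manufacturing', 'Marketing', 'Engineering', 'Sales'

# Constructed from the Contoso policy definitions on slide 125.
$contoso = @(
    New-IBPolicyDefinition -Name 'Allow-HR-to-All' -AssignedSegment 'HR' -SegmentsAllowed $segments
    New-IBPolicyDefinition -Name 'Allow-Manufacturing-to-HR-Marketing' -AssignedSegment 'Manufacturing' -SegmentsAllowed 'HR', 'Manufacturing', 'Marketing'
    New-IBPolicyDefinition -Name 'Allow-Marketing-to-All' -AssignedSegment 'Marketing' -SegmentsAllowed $segments
    New-IBPolicyDefinition -Name 'Block-Engineering-to-Sales-Manufacturing' -AssignedSegment 'Engineering' -SegmentsBlocked 'Manufacturing', 'Sales'
    New-IBPolicyDefinition -Name 'Block-Sales-to-Engineering-Manufacturing' -AssignedSegment 'Sales' -SegmentsBlocked 'Manufacturing', 'Engineering'
)

# Constructed faulty set: the Manufacturing policies from slides 140 and 142,
# and no Sales policy to mirror the Engineering block.
$faulty = @(
    $contoso[0]
    New-IBPolicyDefinition -Name 'Manufacturing-HRMarketing' -AssignedSegment 'Manufacturing' -SegmentsAllowed 'HR', 'Marketing'
    New-IBPolicyDefinition -Name 'Manufacturing-HRMarketing2' -AssignedSegment 'Manufacturing' -SegmentsAllowed 'HR', 'Marketing'
    $contoso[2]
    $contoso[3]
)

$report = [ordered]@{ 'Slide 125 policy set' = $contoso; 'Constructed faulty set' = $faulty }
foreach ($name in $report.Keys) {
    $findings = @(Test-IBPolicySet -Policies $report[$name] -Segments $segments)
    "{0}: {1} finding(s)" -f $name, $findings.Count
    $findings | ForEach-Object { "  - $_" }
}
```

In a real tenant the segment list would come from Get-OrganizationSegment and the definitions from your planning workbook; only a set with no findings should go on to New-InformationBarrierPolicy with -State Inactive.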
  • 144. Lab: Information Barrier Using your LOD-provided lab environment, complete the Information Barrier (Module 6 – Tasks 5 and 6) lab and think how you can apply this knowledge in your daily operations.
  • 145. Knowledge Check
    • Question #1: What are the 3 scenarios to use Insider Risk Management?
      Answer: (1) Departing employee; (2) Intentional or unintentional leak of sensitive or confidential information; (3) Violation of corporate policies
    • Question #2: What are the 4 policy templates for Communication Compliance?
      Answer: (1) Offensive language; (2) Sensitive information; (3) Regulatory compliance and (4) Conflict of interest.
    • Question #3: What are the channels supported by Information Barriers?
      Answer: Microsoft Teams, SharePoint and OneDrive