SlideShare a Scribd company logo

m365-compliance-illustrations.pdf

‱
‱
S
ssuser21965c2

dw

Education
1 of 15
Download to read offline
v October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Microsoft 365 Information Protection and Compliance Capabilities Introduction Microsoft 365 includes a broad set of information protection and compliance capabilities. Together with Microsoft’s productivity tools, these capabilities are designed to help organizations collaborate in real time while adhering to stringent regulatory compliance frameworks. This set of illustrations uses one of the most regulated industries, financial services, to demonstrate how these capabilities can be applied to address common regulatory requirements. Feel free to adapt these illustrations for your own use. Contoso (guest members) Microsoft Teams Environment Woodgrove Bank This topic is 1 of 8 Page 1 In these illustrations, Woodgrove Bank hosts two Teams environments for projects with different participants. In each scenario, each Team’s Microsoft 365 Group provides a security boundary for membership, with Azure Active Directory enforcing multi-factor authentication and other conditional access policies for Microsoft Teams. For more information about how Microsoft 365 can help financial services institutions meet security and compliance regulations, see Key compliance and security considerations for US banking and capital markets. For more information about how Microsoft 365 can help financial services institutions meet security and compliance regulations, see Key compliance and security considerations for US banking and capital markets.
Syndicates External Investors Private Equity Firms Contoso (guest members) v Microsoft Teams Environment Woodgrove Bank IT Department Retail and Wealth Management Financial Crime Unit High level Teams logical architecture A common scenario where Teams benefits financial services is when running internal projects or programs. For example, many financial institutions have anti-money laundering and compliance programs in place. In this illustration , Woodgrove Bank hosts two Teams Environments for projects with different participants. The Anti-money laundering project includes only Woodgrove Bank employees. The “Virtual data room” for project B includes guest members from Contoso. The Virtual Data room acts as a secure place to share data that can only be accessed by authorized users. Azure Active Directory also enforces multi-factor authentication and other conditional access policies for guests. October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. This topic is 2 of 8 Page 2
Identify sensitive information and prevent data loss Woodgrove Bank Contoso Microsoft Information Protection (MIP) Microsoft Teams Environment OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online User is prompted to label sensitive information Automated labeling This message includes sensitive information. OK This message includes sensitive information. OK Microsoft 365 allows all organizations to identify sensitive data within the organization through a combination of powerful capabilities, including Microsoft Information Protection (MIP), and Office 365 Data Loss Prevention (DLP). MIP enables organizations to classify documents and emails intelligently by using sensitivity labels, applied manually or through machine-learning. The following scenario illustrates how sensitive information can be labeled either through machine learning or manually (shown below through user prompting and education). DLP can scan these labels to enforce data loss prevention policies. Sensitivity labels This topic is 3 of 8 Page 3 Sensitivity labels Continued on next page
Data loss prevention Once sensitivity labels are applied across the data, DLP can be used to identify documents, emails, and conversation by scanning these for the sensitivity labels. It then enforces appropriate policies on this data and lets you monitor, protect, and prevent accidental sharing of sensitive information. It also helps users stay compliant without interrupting their workflow. The following illustration demonstrates DLP enforcing policies for data that matches several sensitive information types (Policy 1) and data labeled ‘Highly Confidential’ (Policy 2). We see that if an attempt is made to share data marked ‘Highly Confidential’ outside of allowed recipients, DLP blocks the sharing of the information and prevents data loss. October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Woodgrove Bank Contoso (guests) Microsoft Teams Environment Data Loss Prevention policies OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online 2 1 2 1 2
Govern data and manage compliance requirements for retention Retention policies and retention labels Microsoft 365 provides flexible capabilities to define retention policies and retention labels to intelligently implement records-management requirements. Retention settings that you configure can help compliance with industry regulations requiring you to retain content for a minimum period of time, reduce risk in case of litigation or security breaches, and share knowledge in an effective, agile way. You can use both retention policies and retention labels to assign retention settings. Both of these come with specific ways to help comply with rules defined by financial regulatory bodies such as SEC Rule 17a-4(f), which requires regulated entities to "Preserve the records exclusively in a non-rewriteable, non-erasable format." Microsoft 365 accomplishes this by applying a Preservation Lock to a Retention Policy or Label Policy (in the case of Regulatory Record labels), which ensures that the policy cannot be turned off or made less restrictive. Retention Policies and Regulatory Record labels are touched upon in later illustrations (topic 5 of 8). There is no limit to the number of retention labels that are supported for a tenant. However, 10,000 is the maximum number of policies that are supported for a tenant and these include the policies that apply the labels. The broad differences between these two methods are shown in the facing diagram. How are they used? Where are they applied? Persistence of label/policy Meeting regulatory compliance requirements Retention policy Retention label Assigns the same retention settings for content at a container level: e.g at site or mailbox level. Assigns the retention settings at an item level (folder, document, email). A single policy can be applied automatically to multiple or specific at container levels – for example, SharePoint sites or group mailboxes. Labels are applied to individual items – such as documents, email, or videos at folder level. If an item is edited, deleted, or moved, a copy of the content is automatically retained as it existed when you applied the retention settings. The retention label persists if the data is copied or moved to a different site or mailbox within that same M365 environment. Retention period settings Retention period is calculated from the age of when content is created or modified, not from when the policy is applied. These support starting retention periods from when content was labeled, or are event-based (in addition to the age of the content or when it was last modified). This is implemented through a retention policy with a Preservation Lock applied to it. Administrators cannot disable or delete a policy once a preservation hold is applied. This is implemented through a special type of label called Regulatory records with Preservation Lock applied to the associated label policy. Regulatory record labels must be applied by the end user. Retention labels and Retention policies can be utilized together to help you meet your compliance requirements. This topic is 4 of 8 Page 5 Continued on next page
Retention policy application A retention policy lets you proactively retain, delete - or both retain and then delete - content very efficiently by assigning the same retention settings for content by container at a site or mailbox level. A retention policy can support multiple containers, but a single retention policy cannot include all supported containers (Teams, SharePoint etc). When you configure a retention policy, you can choose to retain content indefinitely or for a specific number of days, months, or years. The retention period is calculated from the age of the content (from when it was created or modified), not from when the retention policy is applied. The following diagram shows Retention policies being applied to data in different containers in the M365 environment. Woodgrove Bank Microsoft Teams Retention Policies Audit logging notes changes made to policy SharePoint Site OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online Continued on next page
Woodgrove Bank Create Retention Labels Audit logging notes changes made to labels October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Retention label application Retention labels help you retain and delete data at an item level (document, email, or folder). After labels are created, you will create a retention label policy to specify the locations where these labels can be applied. A retention label can be applied automatically based on sensitive information types, keywords or properties, a trainable classifier, a SharePoint Syntex document understanding model, or as a default label in SharePoint. End-users can also manually apply labels to SharePoint documents and Exchange emails. Retention labels can also be used to mark items as a record or a regulatory record When this happens and the content remains in Microsoft 365, the label places further restrictions on the content that helps you meet regulatory requirements. Retention labels don't persist if data is moved outside your Microsoft 365 tenant. Microsoft Teams SharePoint Site OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online
Govern data and manage compliance requirements for retention: WORM requirement Retention policies and Preservation locks Several financial regulations require that electronic data must be stored in a non-erasable format (WORM: Write-Once-Read-Many). When a retention policy is locked: no one can turn it off, containers can be added but not removed, policy compliant content can't be modified or deleted by an administrator during the retention period. Preservation Lock helps you be compliant with these financial regulations by ensuring that after a retention policy’s lock is turned on, it cannot be turned off or made less restrictive. In summary, a locked retention policy can be increased or extended, but it can't be reduced or turned off. Below we see the Preservation Lock applied to data that needs to meet the WORM requirement. Woodgrove Bank Retention Policies Audit logging notes changes made to policy Microsoft Teams SharePoint Site OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online Continued on next page This topic is 4 of 8 Page 8
Retention labels and Regulatory records Retention Labels may be configured as Regulatory Records to preserve data in case a document is deleted. After the regulatory record label is published to a label policy, that policy must be locked with a Preservation Lock to be fully compliant with 17a-4. After it is applied to content, nobody, not even a global administrator, can remove the label. In addition, retention labels configured for regulatory records have the following admin restrictions: (1) retention periods can't be made shorter, only extended, (2) these labels must be applied by using retention label policies, and (3) After you have added/saved these labels to a retention label policy, you can't remove these labels from locations, only add new locations. Regulatory records cannot be applied automatically to content. Below we see the Regulatory records applied to data that needs to meet the WORM requirement. October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Woodgrove Bank Create Retention Labels Audit logging notes changes made to labels Microsoft Teams SharePoint Site OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online
Establish ethical walls with information barriers October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Financial institutions can be subject to regulations preventing certain employee roles from exchanging information or collaborating with other roles. FINRA has published rules 2241(b)(2)(G), 2242(b)(2) (D), (b)(2)(H)(ii) and (b)(2)(H)(iii) that require instituting policies and information barriers between roles in banking services, sales, or trading - preventing exchange of information with analysts. Information barriers allow ethical walls within the Office 365 environment, allowing policies that define all communications between groups of users in Teams. The example below shows policy enforcement that creates an information barrier between the Financial Advisor and Investment Banker segments. Segments are defined via Azure Active Directory. Woodgrove Bank OneDrive for Business OneDrive for Business Exchange Online Exchange Online Information Barrier policy Investment banker segment Financial Advisor segment Microsoft Teams Environment SharePoint Online SharePoint Online This topic is 5 of 8 Page 10 2 1
Communication compliance — Implement supervisory control FINRA has established supervisory functions within financial organizations to monitor employee activities to help achieve compliance with applicable securities laws; such as FINRA Rule 3110 (Supervision) and FINRA Rule 3120 (Supervisory Control System). Microsoft 365 enables organizations to pre-configure policies to capture communications for monitoring and review by authorized supervision. The illustration below shows two policies applied to employee communications. Similar to other information protection capabilities, the conditions for these policies can be based on sensitive information types (such as Policy 1). A random percentage of the communications are logged for subsequent review in the communication compliance mailbox. Woodgrove Bank OneDrive for Business OneDrive for Business Exchange Online Exchange Online SharePoint Online SharePoint Online Microsoft Teams Environment Communication Compliance policy Office 365 unified audit log Continued on next page This topic is 6 of 8 Page 11 2 1
Flexible remediation workflows Communication compliance policies scan and capture messages across communication channels to help you quickly review and remediate compliance issues. Built-in remediation workflows let you identify and take action on messages (monitored by reviews on audit logs) with policy matches in your organization. Reviewers get a dashboard in which they can review and act on flagged communications, that potentially violate policies, and mark flagged items as resolved. The illustration below describes a scenario where certain logged communications trigger incidents needing review. A reviewer investigates these incidents through built in, flexible remediation workflows. Woodgrove Bank Communication Compliance policy Microsoft Teams Environment October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. 2 1 2 1
Protect against data exfiltration and insider risk Insider risk management Enabling employees with online collaboration tools that can be accessed anywhere inherently brings a risk of data exfiltration to the organization. Insider risk management in Microsoft 365 can correlate signals from a user's Windows 10 desktop, such as copying files to a USB drive or emailing a personal email account, as well as HR events such as review, separation, etc. with activities from online services such as Office 365 email, SharePoint Online, Microsoft Teams, or OneDrive for Business, to identify data exfiltration patterns. Signals Devices Microsoft 365 Human Resources events Microsoft Information Protection Other data sources Microsoft Defender ATP Data loss prevention Sharing Download Etc. Departures Retirements Etc. Offensive language Custom trainable ML classifiers Etc. Machine learning Reasoning across indicators over time Risk management Alerts Cases Investigations Actions For a video walkthrough of insider risk management capabilities, see aka.ms/insiderriskguide. For a video walkthrough of insider risk management capabilities, see aka.ms/insiderriskguide. This topic is 7 of 8 Page 13 Continued on next page
Insider risk management workflows The insider risk management workflow helps you identify, investigate, and take action to address internal risks in your organization. With focused policy templates, comprehensive activity signaling across the Microsoft 365 service, and alert and case management tools, you can use actionable insights to quickly identify and act on risky behavior. The illustration below describes a scenario where certain user activities trigger policy conditions. These automatically generate alerts and are assigned a Needs review status. Reviewers can quickly identify and review, evaluate, and triage these alerts on a case-by-case basis. Woodgrove Bank Microsoft Teams Environment Insider Risk policies OneDrive for Business OneDrive for Business Exchange Online Exchange Online SharePoint Online SharePoint Online October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. 2 1
Ingestion of third-party application data October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Microsoft 365 lets administrators use data connectors to import and archive third-party data to mailboxes in your Microsoft 365 organization. One primary benefit of this is that you can apply various compliance solutions to that after it's been imported, helping ensure that your non-Microsoft data is in compliance with relevant regulations and standards. The following illustration shows an example of Bloomberg chat being ingested by a data connector into mailboxes associated with the user profiles in your M365 environment. You can apply a retention policy to user mailboxes to retain and then delete third-party data (and other mailbox content) after retention period expires. You can also use retention labels to trigger a disposition review when the retention period for third-party data expires. Importing and archiving this third-party data can be used to ensure communication compliance, minimize insider risk, and apply retention settings to be compliant with necessary regulations. . M365 Environment User mailbox User mailbox User mailbox Microsoft cloud Bloomberg Message Connector Bloomberg Message Connector Retention policies Retention policies Retention labels Retention labels Communication Compliance policy Communication Compliance policy Insider Risk policies Insider Risk policies M365 compliance center Compliance capabilities that can be applied to ingested third party data include: This topic is 8 of 8 Page 15 For more information, see Archive third- party data. For more information, see Archive third- party data. 1 2 3 4

Recommended

M365 Virtual Marthon: Protecting your Teamwork across Microsoft 365
M365 Virtual Marthon: Protecting your Teamwork across Microsoft 365M365 Virtual Marthon: Protecting your Teamwork across Microsoft 365
M365 Virtual Marthon: Protecting your Teamwork across Microsoft 365Joanne Klein
 
aMS SouthEast Asia 2021 - Microsoft 365 Data Loss Prevention
aMS SouthEast Asia 2021 - Microsoft 365 Data Loss PreventionaMS SouthEast Asia 2021 - Microsoft 365 Data Loss Prevention
aMS SouthEast Asia 2021 - Microsoft 365 Data Loss PreventionAlbert Hoitingh
 
Microsoft Teams Governance and Security Best Practices - Joel Oleson
Microsoft Teams Governance and Security Best Practices - Joel OlesonMicrosoft Teams Governance and Security Best Practices - Joel Oleson
Microsoft Teams Governance and Security Best Practices - Joel OlesonJoel Oleson
 
meta360 - enterprise data governance and metadata management
meta360 - enterprise data governance and metadata managementmeta360 - enterprise data governance and metadata management
meta360 - enterprise data governance and metadata managementBojana Ciric
 
IT 833 INFORMATION GOVERNANCEDr. Isaac T. GbenleChapte
IT 833 INFORMATION GOVERNANCEDr. Isaac T. GbenleChapteIT 833 INFORMATION GOVERNANCEDr. Isaac T. GbenleChapte
IT 833 INFORMATION GOVERNANCEDr. Isaac T. GbenleChaptemariuse18nolet
 
IT 833 INFORMATION GOVERNANCEDr. Isaac T. GbenleChapte.docx
IT 833 INFORMATION GOVERNANCEDr. Isaac T. GbenleChapte.docxIT 833 INFORMATION GOVERNANCEDr. Isaac T. GbenleChapte.docx
IT 833 INFORMATION GOVERNANCEDr. Isaac T. GbenleChapte.docxvrickens
 
SC-900 Capabilities of Microsoft Compliance Solutions
SC-900 Capabilities of Microsoft Compliance SolutionsSC-900 Capabilities of Microsoft Compliance Solutions
SC-900 Capabilities of Microsoft Compliance SolutionsFredBrandonAuthorMCP
 
SPSTC18 Laying Down the Law - Governing Your Data in O365
SPSTC18 Laying Down the Law - Governing Your Data in O365SPSTC18 Laying Down the Law - Governing Your Data in O365
SPSTC18 Laying Down the Law - Governing Your Data in O365David Broussard
 

Recommended

M365 Virtual Marthon: Protecting your Teamwork across Microsoft 365
M365 Virtual Marthon: Protecting your Teamwork across Microsoft 365M365 Virtual Marthon: Protecting your Teamwork across Microsoft 365
M365 Virtual Marthon: Protecting your Teamwork across Microsoft 365Joanne Klein
 
aMS SouthEast Asia 2021 - Microsoft 365 Data Loss Prevention
aMS SouthEast Asia 2021 - Microsoft 365 Data Loss PreventionaMS SouthEast Asia 2021 - Microsoft 365 Data Loss Prevention
aMS SouthEast Asia 2021 - Microsoft 365 Data Loss PreventionAlbert Hoitingh
 
Microsoft Teams Governance and Security Best Practices - Joel Oleson
Microsoft Teams Governance and Security Best Practices - Joel OlesonMicrosoft Teams Governance and Security Best Practices - Joel Oleson
Microsoft Teams Governance and Security Best Practices - Joel OlesonJoel Oleson
 
meta360 - enterprise data governance and metadata management
meta360 - enterprise data governance and metadata managementmeta360 - enterprise data governance and metadata management
meta360 - enterprise data governance and metadata managementBojana Ciric
 
IT 833 INFORMATION GOVERNANCEDr. Isaac T. GbenleChapte
IT 833 INFORMATION GOVERNANCEDr. Isaac T. GbenleChapteIT 833 INFORMATION GOVERNANCEDr. Isaac T. GbenleChapte
IT 833 INFORMATION GOVERNANCEDr. Isaac T. GbenleChaptemariuse18nolet
 
IT 833 INFORMATION GOVERNANCEDr. Isaac T. GbenleChapte.docx
IT 833 INFORMATION GOVERNANCEDr. Isaac T. GbenleChapte.docxIT 833 INFORMATION GOVERNANCEDr. Isaac T. GbenleChapte.docx
IT 833 INFORMATION GOVERNANCEDr. Isaac T. GbenleChapte.docxvrickens
 
SC-900 Capabilities of Microsoft Compliance Solutions
SC-900 Capabilities of Microsoft Compliance SolutionsSC-900 Capabilities of Microsoft Compliance Solutions
SC-900 Capabilities of Microsoft Compliance SolutionsFredBrandonAuthorMCP
 
SPSTC18 Laying Down the Law - Governing Your Data in O365
SPSTC18 Laying Down the Law - Governing Your Data in O365SPSTC18 Laying Down the Law - Governing Your Data in O365
SPSTC18 Laying Down the Law - Governing Your Data in O365David Broussard
 
M365 updates for GDPR
M365 updates for GDPRM365 updates for GDPR
M365 updates for GDPR🔐 Sebastian PawƂowski
 
One name unify them all
One name unify them allOne name unify them all
One name unify them allBizTalk360
 
Global Security and Compliance Community conference 2021
Global Security and Compliance Community conference 2021Global Security and Compliance Community conference 2021
Global Security and Compliance Community conference 2021Albert Hoitingh
 
Data governance in Office 365
Data governance in Office 365Data governance in Office 365
Data governance in Office 365CloudFronts Technologies LLP.
 
IRJET- An Data Sharing in Group Member with High Security using Symmetric Bal...
IRJET- An Data Sharing in Group Member with High Security using Symmetric Bal...IRJET- An Data Sharing in Group Member with High Security using Symmetric Bal...
IRJET- An Data Sharing in Group Member with High Security using Symmetric Bal...IRJET Journal
 
Labelling in Microsoft 365 - Retention & Sensitivity
Labelling in Microsoft 365 - Retention & SensitivityLabelling in Microsoft 365 - Retention & Sensitivity
Labelling in Microsoft 365 - Retention & SensitivityDrew Madelung
 
March 2023 CIAOPS Need to Know Webinar
March 2023 CIAOPS Need to Know WebinarMarch 2023 CIAOPS Need to Know Webinar
March 2023 CIAOPS Need to Know WebinarRobert Crane
 
IRJET- A Research Paper on Block Design-based Key Agreement for Group Dat...
IRJET- A Research Paper on Block Design-based Key Agreement for Group Dat...IRJET- A Research Paper on Block Design-based Key Agreement for Group Dat...
IRJET- A Research Paper on Block Design-based Key Agreement for Group Dat...IRJET Journal
 
MSFT Cloud Architecture Information Protection
MSFT Cloud Architecture Information ProtectionMSFT Cloud Architecture Information Protection
MSFT Cloud Architecture Information ProtectionKesavan Munuswamy
 
PrÀsentation share point
PrÀsentation share pointPrÀsentation share point
PrÀsentation share pointcoda-efurt
 
Interior Designs
Interior DesignsInterior Designs
Interior Designsarun kumar
 
Sharepoint Architecture
Sharepoint Architecture Sharepoint Architecture
Sharepoint Architecture arun kumar
 
Deep dive into Microsoft Purview Data Loss Prevention
Deep dive into Microsoft Purview Data Loss PreventionDeep dive into Microsoft Purview Data Loss Prevention
Deep dive into Microsoft Purview Data Loss PreventionDrew Madelung
 
A Secure Journey to Cloud with Microsoft 365
A Secure Journey to Cloud with Microsoft 365A Secure Journey to Cloud with Microsoft 365
A Secure Journey to Cloud with Microsoft 365David J Rosenthal
 
Azure-Casestudy.pptx
Azure-Casestudy.pptxAzure-Casestudy.pptx
Azure-Casestudy.pptxssuser2ae8bb
 
Microsoft PPT_Sharepoint_introduction
Microsoft PPT_Sharepoint_introductionMicrosoft PPT_Sharepoint_introduction
Microsoft PPT_Sharepoint_introductionDipti Bohra
 
Understanding Microsoft Teams Security & Compliance features and plan for Gov...
Understanding Microsoft Teams Security & Compliance features and plan for Gov...Understanding Microsoft Teams Security & Compliance features and plan for Gov...
Understanding Microsoft Teams Security & Compliance features and plan for Gov...Ravikumar Sathyamurthy
 
Security and Governance Strategies for the Consumerization of IT
Security and Governance Strategies for the Consumerization of ITSecurity and Governance Strategies for the Consumerization of IT
Security and Governance Strategies for the Consumerization of ITMicrosoft
 
A blueprint for data in a multicloud world
A blueprint for data in a multicloud worldA blueprint for data in a multicloud world
A blueprint for data in a multicloud worldMehdi Charafeddine
 
Minimize Disruptions. Gain Agility with new path-breaking upgrades to our pla...
Minimize Disruptions. Gain Agility with new path-breaking upgrades to our pla...Minimize Disruptions. Gain Agility with new path-breaking upgrades to our pla...
Minimize Disruptions. Gain Agility with new path-breaking upgrades to our pla...Mithi Software Technologies Pvt Ltd
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 

More Related Content

Similar to m365-compliance-illustrations.pdf

One name unify them all
One name unify them allOne name unify them all
One name unify them allBizTalk360
 
Global Security and Compliance Community conference 2021
Global Security and Compliance Community conference 2021Global Security and Compliance Community conference 2021
Global Security and Compliance Community conference 2021Albert Hoitingh
 
IRJET- An Data Sharing in Group Member with High Security using Symmetric Bal...
IRJET- An Data Sharing in Group Member with High Security using Symmetric Bal...IRJET- An Data Sharing in Group Member with High Security using Symmetric Bal...
IRJET- An Data Sharing in Group Member with High Security using Symmetric Bal...IRJET Journal
 
Labelling in Microsoft 365 - Retention & Sensitivity
Labelling in Microsoft 365 - Retention & SensitivityLabelling in Microsoft 365 - Retention & Sensitivity
Labelling in Microsoft 365 - Retention & SensitivityDrew Madelung
 
March 2023 CIAOPS Need to Know Webinar
March 2023 CIAOPS Need to Know WebinarMarch 2023 CIAOPS Need to Know Webinar
March 2023 CIAOPS Need to Know WebinarRobert Crane
 
IRJET- A Research Paper on Block Design-based Key Agreement for Group Dat...
IRJET- A Research Paper on Block Design-based Key Agreement for Group Dat...IRJET- A Research Paper on Block Design-based Key Agreement for Group Dat...
IRJET- A Research Paper on Block Design-based Key Agreement for Group Dat...IRJET Journal
 
MSFT Cloud Architecture Information Protection
MSFT Cloud Architecture Information ProtectionMSFT Cloud Architecture Information Protection
MSFT Cloud Architecture Information ProtectionKesavan Munuswamy
 
PrÀsentation share point
PrÀsentation share pointPrÀsentation share point
PrÀsentation share pointcoda-efurt
 
Interior Designs
Interior DesignsInterior Designs
Interior Designsarun kumar
 
Sharepoint Architecture
Sharepoint Architecture Sharepoint Architecture
Sharepoint Architecture arun kumar
 
Deep dive into Microsoft Purview Data Loss Prevention
Deep dive into Microsoft Purview Data Loss PreventionDeep dive into Microsoft Purview Data Loss Prevention
Deep dive into Microsoft Purview Data Loss PreventionDrew Madelung
 
A Secure Journey to Cloud with Microsoft 365
A Secure Journey to Cloud with Microsoft 365A Secure Journey to Cloud with Microsoft 365
A Secure Journey to Cloud with Microsoft 365David J Rosenthal
 
Azure-Casestudy.pptx
Azure-Casestudy.pptxAzure-Casestudy.pptx
Azure-Casestudy.pptxssuser2ae8bb
 
Microsoft PPT_Sharepoint_introduction
Microsoft PPT_Sharepoint_introductionMicrosoft PPT_Sharepoint_introduction
Microsoft PPT_Sharepoint_introductionDipti Bohra
 
Understanding Microsoft Teams Security & Compliance features and plan for Gov...
Understanding Microsoft Teams Security & Compliance features and plan for Gov...Understanding Microsoft Teams Security & Compliance features and plan for Gov...
Understanding Microsoft Teams Security & Compliance features and plan for Gov...Ravikumar Sathyamurthy
 
Security and Governance Strategies for the Consumerization of IT
Security and Governance Strategies for the Consumerization of ITSecurity and Governance Strategies for the Consumerization of IT
Security and Governance Strategies for the Consumerization of ITMicrosoft
 
A blueprint for data in a multicloud world
A blueprint for data in a multicloud worldA blueprint for data in a multicloud world
A blueprint for data in a multicloud worldMehdi Charafeddine
 
Minimize Disruptions. Gain Agility with new path-breaking upgrades to our pla...
Minimize Disruptions. Gain Agility with new path-breaking upgrades to our pla...Minimize Disruptions. Gain Agility with new path-breaking upgrades to our pla...
Minimize Disruptions. Gain Agility with new path-breaking upgrades to our pla...Mithi Software Technologies Pvt Ltd
 

Similar to m365-compliance-illustrations.pdf (20)

M365 updates for GDPR
M365 updates for GDPRM365 updates for GDPR
M365 updates for GDPR
 
One name unify them all
One name unify them allOne name unify them all
One name unify them all
 
Global Security and Compliance Community conference 2021
Global Security and Compliance Community conference 2021Global Security and Compliance Community conference 2021
Global Security and Compliance Community conference 2021
 
Data governance in Office 365
Data governance in Office 365Data governance in Office 365
Data governance in Office 365
 
IRJET- An Data Sharing in Group Member with High Security using Symmetric Bal...
IRJET- An Data Sharing in Group Member with High Security using Symmetric Bal...IRJET- An Data Sharing in Group Member with High Security using Symmetric Bal...
IRJET- An Data Sharing in Group Member with High Security using Symmetric Bal...
 
Labelling in Microsoft 365 - Retention & Sensitivity
Labelling in Microsoft 365 - Retention & SensitivityLabelling in Microsoft 365 - Retention & Sensitivity
Labelling in Microsoft 365 - Retention & Sensitivity
 
March 2023 CIAOPS Need to Know Webinar
March 2023 CIAOPS Need to Know WebinarMarch 2023 CIAOPS Need to Know Webinar
March 2023 CIAOPS Need to Know Webinar
 
IRJET- A Research Paper on Block Design-based Key Agreement for Group Dat...
IRJET- A Research Paper on Block Design-based Key Agreement for Group Dat...IRJET- A Research Paper on Block Design-based Key Agreement for Group Dat...
IRJET- A Research Paper on Block Design-based Key Agreement for Group Dat...
 
MSFT Cloud Architecture Information Protection
MSFT Cloud Architecture Information ProtectionMSFT Cloud Architecture Information Protection
MSFT Cloud Architecture Information Protection
 
PrÀsentation share point
PrÀsentation share pointPrÀsentation share point
PrÀsentation share point
 
Interior Designs
Interior DesignsInterior Designs
Interior Designs
 
Sharepoint Architecture
Sharepoint Architecture Sharepoint Architecture
Sharepoint Architecture
 
Deep dive into Microsoft Purview Data Loss Prevention
Deep dive into Microsoft Purview Data Loss PreventionDeep dive into Microsoft Purview Data Loss Prevention
Deep dive into Microsoft Purview Data Loss Prevention
 
A Secure Journey to Cloud with Microsoft 365
A Secure Journey to Cloud with Microsoft 365A Secure Journey to Cloud with Microsoft 365
A Secure Journey to Cloud with Microsoft 365
 
Azure-Casestudy.pptx
Azure-Casestudy.pptxAzure-Casestudy.pptx
Azure-Casestudy.pptx
 
Microsoft PPT_Sharepoint_introduction
Microsoft PPT_Sharepoint_introductionMicrosoft PPT_Sharepoint_introduction
Microsoft PPT_Sharepoint_introduction
 
Understanding Microsoft Teams Security & Compliance features and plan for Gov...
Understanding Microsoft Teams Security & Compliance features and plan for Gov...Understanding Microsoft Teams Security & Compliance features and plan for Gov...
Understanding Microsoft Teams Security & Compliance features and plan for Gov...
 
Security and Governance Strategies for the Consumerization of IT
Security and Governance Strategies for the Consumerization of ITSecurity and Governance Strategies for the Consumerization of IT
Security and Governance Strategies for the Consumerization of IT
 
A blueprint for data in a multicloud world
A blueprint for data in a multicloud worldA blueprint for data in a multicloud world
A blueprint for data in a multicloud world
 
Minimize Disruptions. Gain Agility with new path-breaking upgrades to our pla...
Minimize Disruptions. Gain Agility with new path-breaking upgrades to our pla...Minimize Disruptions. Gain Agility with new path-breaking upgrades to our pla...
Minimize Disruptions. Gain Agility with new path-breaking upgrades to our pla...
 

Recently uploaded

Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Dr. Mazin Mohamed alkathiri
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 

Recently uploaded (20)

Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 

m365-compliance-illustrations.pdf

  • 1. v October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Microsoft 365 Information Protection and Compliance Capabilities Introduction Microsoft 365 includes a broad set of information protection and compliance capabilities. Together with Microsoft’s productivity tools, these capabilities are designed to help organizations collaborate in real time while adhering to stringent regulatory compliance frameworks. This set of illustrations uses one of the most regulated industries, financial services, to demonstrate how these capabilities can be applied to address common regulatory requirements. Feel free to adapt these illustrations for your own use. Contoso (guest members) Microsoft Teams Environment Woodgrove Bank This topic is 1 of 8 Page 1 In these illustrations, Woodgrove Bank hosts two Teams environments for projects with different participants. In each scenario, each Team’s Microsoft 365 Group provides a security boundary for membership, with Azure Active Directory enforcing multi-factor authentication and other conditional access policies for Microsoft Teams. For more information about how Microsoft 365 can help financial services institutions meet security and compliance regulations, see Key compliance and security considerations for US banking and capital markets. For more information about how Microsoft 365 can help financial services institutions meet security and compliance regulations, see Key compliance and security considerations for US banking and capital markets.
  • 2. Syndicates External Investors Private Equity Firms Contoso (guest members) v Microsoft Teams Environment Woodgrove Bank IT Department Retail and Wealth Management Financial Crime Unit High level Teams logical architecture A common scenario where Teams benefits financial services is when running internal projects or programs. For example, many financial institutions have anti-money laundering and compliance programs in place. In this illustration , Woodgrove Bank hosts two Teams Environments for projects with different participants. The Anti-money laundering project includes only Woodgrove Bank employees. The “Virtual data room” for project B includes guest members from Contoso. The Virtual Data room acts as a secure place to share data that can only be accessed by authorized users. Azure Active Directory also enforces multi-factor authentication and other conditional access policies for guests. October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. This topic is 2 of 8 Page 2
  • 3. Identify sensitive information and prevent data loss Woodgrove Bank Contoso Microsoft Information Protection (MIP) Microsoft Teams Environment OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online User is prompted to label sensitive information Automated labeling This message includes sensitive information. OK This message includes sensitive information. OK Microsoft 365 allows all organizations to identify sensitive data within the organization through a combination of powerful capabilities, including Microsoft Information Protection (MIP), and Office 365 Data Loss Prevention (DLP). MIP enables organizations to classify documents and emails intelligently by using sensitivity labels, applied manually or through machine-learning. The following scenario illustrates how sensitive information can be labeled either through machine learning or manually (shown below through user prompting and education). DLP can scan these labels to enforce data loss prevention policies. Sensitivity labels This topic is 3 of 8 Page 3 Sensitivity labels Continued on next page
  • 4. Data loss prevention Once sensitivity labels are applied across the data, DLP can be used to identify documents, emails, and conversation by scanning these for the sensitivity labels. It then enforces appropriate policies on this data and lets you monitor, protect, and prevent accidental sharing of sensitive information. It also helps users stay compliant without interrupting their workflow. The following illustration demonstrates DLP enforcing policies for data that matches several sensitive information types (Policy 1) and data labeled ‘Highly Confidential’ (Policy 2). We see that if an attempt is made to share data marked ‘Highly Confidential’ outside of allowed recipients, DLP blocks the sharing of the information and prevents data loss. October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Woodgrove Bank Contoso (guests) Microsoft Teams Environment Data Loss Prevention policies OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online 2 1 2 1 2
  • 5. Govern data and manage compliance requirements for retention Retention policies and retention labels Microsoft 365 provides flexible capabilities to define retention policies and retention labels to intelligently implement records-management requirements. Retention settings that you configure can help compliance with industry regulations requiring you to retain content for a minimum period of time, reduce risk in case of litigation or security breaches, and share knowledge in an effective, agile way. You can use both retention policies and retention labels to assign retention settings. Both of these come with specific ways to help comply with rules defined by financial regulatory bodies such as SEC Rule 17a-4(f), which requires regulated entities to "Preserve the records exclusively in a non-rewriteable, non-erasable format." Microsoft 365 accomplishes this by applying a Preservation Lock to a Retention Policy or Label Policy (in the case of Regulatory Record labels), which ensures that the policy cannot be turned off or made less restrictive. Retention Policies and Regulatory Record labels are touched upon in later illustrations (topic 5 of 8). There is no limit to the number of retention labels that are supported for a tenant. However, 10,000 is the maximum number of policies that are supported for a tenant and these include the policies that apply the labels. The broad differences between these two methods are shown in the facing diagram. How are they used? Where are they applied? Persistence of label/policy Meeting regulatory compliance requirements Retention policy Retention label Assigns the same retention settings for content at a container level: e.g at site or mailbox level. Assigns the retention settings at an item level (folder, document, email). A single policy can be applied automatically to multiple or specific at container levels – for example, SharePoint sites or group mailboxes. Labels are applied to individual items – such as documents, email, or videos at folder level. If an item is edited, deleted, or moved, a copy of the content is automatically retained as it existed when you applied the retention settings. The retention label persists if the data is copied or moved to a different site or mailbox within that same M365 environment. Retention period settings Retention period is calculated from the age of when content is created or modified, not from when the policy is applied. These support starting retention periods from when content was labeled, or are event-based (in addition to the age of the content or when it was last modified). This is implemented through a retention policy with a Preservation Lock applied to it. Administrators cannot disable or delete a policy once a preservation hold is applied. This is implemented through a special type of label called Regulatory records with Preservation Lock applied to the associated label policy. Regulatory record labels must be applied by the end user. Retention labels and Retention policies can be utilized together to help you meet your compliance requirements. This topic is 4 of 8 Page 5 Continued on next page
  • 6. Retention policy application A retention policy lets you proactively retain, delete - or both retain and then delete - content very efficiently by assigning the same retention settings for content by container at a site or mailbox level. A retention policy can support multiple containers, but a single retention policy cannot include all supported containers (Teams, SharePoint etc). When you configure a retention policy, you can choose to retain content indefinitely or for a specific number of days, months, or years. The retention period is calculated from the age of the content (from when it was created or modified), not from when the retention policy is applied. The following diagram shows Retention policies being applied to data in different containers in the M365 environment. Woodgrove Bank Microsoft Teams Retention Policies Audit logging notes changes made to policy SharePoint Site OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online Continued on next page
  • 7. Woodgrove Bank Create Retention Labels Audit logging notes changes made to labels October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Retention label application Retention labels help you retain and delete data at an item level (document, email, or folder). After labels are created, you will create a retention label policy to specify the locations where these labels can be applied. A retention label can be applied automatically based on sensitive information types, keywords or properties, a trainable classifier, a SharePoint Syntex document understanding model, or as a default label in SharePoint. End-users can also manually apply labels to SharePoint documents and Exchange emails. Retention labels can also be used to mark items as a record or a regulatory record When this happens and the content remains in Microsoft 365, the label places further restrictions on the content that helps you meet regulatory requirements. Retention labels don't persist if data is moved outside your Microsoft 365 tenant. Microsoft Teams SharePoint Site OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online
  • 8. Govern data and manage compliance requirements for retention: WORM requirement Retention policies and Preservation locks Several financial regulations require that electronic data must be stored in a non-erasable format (WORM: Write-Once-Read-Many). When a retention policy is locked: no one can turn it off, containers can be added but not removed, policy compliant content can't be modified or deleted by an administrator during the retention period. Preservation Lock helps you be compliant with these financial regulations by ensuring that after a retention policy’s lock is turned on, it cannot be turned off or made less restrictive. In summary, a locked retention policy can be increased or extended, but it can't be reduced or turned off. Below we see the Preservation Lock applied to data that needs to meet the WORM requirement. Woodgrove Bank Retention Policies Audit logging notes changes made to policy Microsoft Teams SharePoint Site OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online Continued on next page This topic is 4 of 8 Page 8
  • 9. Retention labels and Regulatory records Retention Labels may be configured as Regulatory Records to preserve data in case a document is deleted. After the regulatory record label is published to a label policy, that policy must be locked with a Preservation Lock to be fully compliant with 17a-4. After it is applied to content, nobody, not even a global administrator, can remove the label. In addition, retention labels configured for regulatory records have the following admin restrictions: (1) retention periods can't be made shorter, only extended, (2) these labels must be applied by using retention label policies, and (3) After you have added/saved these labels to a retention label policy, you can't remove these labels from locations, only add new locations. Regulatory records cannot be applied automatically to content. Below we see the Regulatory records applied to data that needs to meet the WORM requirement. October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Woodgrove Bank Create Retention Labels Audit logging notes changes made to labels Microsoft Teams SharePoint Site OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online
  • 10. Establish ethical walls with information barriers October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Financial institutions can be subject to regulations preventing certain employee roles from exchanging information or collaborating with other roles. FINRA has published rules 2241(b)(2)(G), 2242(b)(2) (D), (b)(2)(H)(ii) and (b)(2)(H)(iii) that require instituting policies and information barriers between roles in banking services, sales, or trading - preventing exchange of information with analysts. Information barriers allow ethical walls within the Office 365 environment, allowing policies that define all communications between groups of users in Teams. The example below shows policy enforcement that creates an information barrier between the Financial Advisor and Investment Banker segments. Segments are defined via Azure Active Directory. Woodgrove Bank OneDrive for Business OneDrive for Business Exchange Online Exchange Online Information Barrier policy Investment banker segment Financial Advisor segment Microsoft Teams Environment SharePoint Online SharePoint Online This topic is 5 of 8 Page 10 2 1
  • 11. Communication compliance — Implement supervisory control FINRA has established supervisory functions within financial organizations to monitor employee activities to help achieve compliance with applicable securities laws; such as FINRA Rule 3110 (Supervision) and FINRA Rule 3120 (Supervisory Control System). Microsoft 365 enables organizations to pre-configure policies to capture communications for monitoring and review by authorized supervision. The illustration below shows two policies applied to employee communications. Similar to other information protection capabilities, the conditions for these policies can be based on sensitive information types (such as Policy 1). A random percentage of the communications are logged for subsequent review in the communication compliance mailbox. Woodgrove Bank OneDrive for Business OneDrive for Business Exchange Online Exchange Online SharePoint Online SharePoint Online Microsoft Teams Environment Communication Compliance policy Office 365 unified audit log Continued on next page This topic is 6 of 8 Page 11 2 1
  • 12. Flexible remediation workflows Communication compliance policies scan and capture messages across communication channels to help you quickly review and remediate compliance issues. Built-in remediation workflows let you identify and take action on messages (monitored by reviews on audit logs) with policy matches in your organization. Reviewers get a dashboard in which they can review and act on flagged communications, that potentially violate policies, and mark flagged items as resolved. The illustration below describes a scenario where certain logged communications trigger incidents needing review. A reviewer investigates these incidents through built in, flexible remediation workflows. Woodgrove Bank Communication Compliance policy Microsoft Teams Environment October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. 2 1 2 1
  • 13. Protect against data exfiltration and insider risk Insider risk management Enabling employees with online collaboration tools that can be accessed anywhere inherently brings a risk of data exfiltration to the organization. Insider risk management in Microsoft 365 can correlate signals from a user's Windows 10 desktop, such as copying files to a USB drive or emailing a personal email account, as well as HR events such as review, separation, etc. with activities from online services such as Office 365 email, SharePoint Online, Microsoft Teams, or OneDrive for Business, to identify data exfiltration patterns. Signals Devices Microsoft 365 Human Resources events Microsoft Information Protection Other data sources Microsoft Defender ATP Data loss prevention Sharing Download Etc. Departures Retirements Etc. Offensive language Custom trainable ML classifiers Etc. Machine learning Reasoning across indicators over time Risk management Alerts Cases Investigations Actions For a video walkthrough of insider risk management capabilities, see aka.ms/insiderriskguide. For a video walkthrough of insider risk management capabilities, see aka.ms/insiderriskguide. This topic is 7 of 8 Page 13 Continued on next page
  • 14. Insider risk management workflows The insider risk management workflow helps you identify, investigate, and take action to address internal risks in your organization. With focused policy templates, comprehensive activity signaling across the Microsoft 365 service, and alert and case management tools, you can use actionable insights to quickly identify and act on risky behavior. The illustration below describes a scenario where certain user activities trigger policy conditions. These automatically generate alerts and are assigned a Needs review status. Reviewers can quickly identify and review, evaluate, and triage these alerts on a case-by-case basis. Woodgrove Bank Microsoft Teams Environment Insider Risk policies OneDrive for Business OneDrive for Business Exchange Online Exchange Online SharePoint Online SharePoint Online October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. 2 1
  • 15. Ingestion of third-party application data October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Microsoft 365 lets administrators use data connectors to import and archive third-party data to mailboxes in your Microsoft 365 organization. One primary benefit of this is that you can apply various compliance solutions to that after it's been imported, helping ensure that your non-Microsoft data is in compliance with relevant regulations and standards. The following illustration shows an example of Bloomberg chat being ingested by a data connector into mailboxes associated with the user profiles in your M365 environment. You can apply a retention policy to user mailboxes to retain and then delete third-party data (and other mailbox content) after retention period expires. You can also use retention labels to trigger a disposition review when the retention period for third-party data expires. Importing and archiving this third-party data can be used to ensure communication compliance, minimize insider risk, and apply retention settings to be compliant with necessary regulations. . M365 Environment User mailbox User mailbox User mailbox Microsoft cloud Bloomberg Message Connector Bloomberg Message Connector Retention policies Retention policies Retention labels Retention labels Communication Compliance policy Communication Compliance policy Insider Risk policies Insider Risk policies M365 compliance center Compliance capabilities that can be applied to ingested third party data include: This topic is 8 of 8 Page 15 For more information, see Archive third- party data. For more information, see Archive third- party data. 1 2 3 4