Uploaded byssuser21965c2
PDF, PPTX121 views

m365-compliance-illustrations.pdf

Microsoft 365 includes capabilities for information protection, compliance, and retention policies. These capabilities allow organizations to collaborate while meeting regulatory requirements. For example, a bank can use Teams environments and sensitivity labels to securely share information for internal projects. Data loss prevention policies can then prevent accidental sharing of sensitive labeled data outside the organization. Retention policies and labels help manage regulatory compliance for retaining data by automatically keeping information for specified periods.

Embed presentation

Download as PDF, PPTX
v October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Microsoft 365 Information Protection and Compliance Capabilities Introduction Microsoft 365 includes a broad set of information protection and compliance capabilities. Together with Microsoft’s productivity tools, these capabilities are designed to help organizations collaborate in real time while adhering to stringent regulatory compliance frameworks. This set of illustrations uses one of the most regulated industries, financial services, to demonstrate how these capabilities can be applied to address common regulatory requirements. Feel free to adapt these illustrations for your own use. Contoso (guest members) Microsoft Teams Environment Woodgrove Bank This topic is 1 of 8 Page 1 In these illustrations, Woodgrove Bank hosts two Teams environments for projects with different participants. In each scenario, each Team’s Microsoft 365 Group provides a security boundary for membership, with Azure Active Directory enforcing multi-factor authentication and other conditional access policies for Microsoft Teams. For more information about how Microsoft 365 can help financial services institutions meet security and compliance regulations, see Key compliance and security considerations for US banking and capital markets. For more information about how Microsoft 365 can help financial services institutions meet security and compliance regulations, see Key compliance and security considerations for US banking and capital markets.
Syndicates External Investors Private Equity Firms Contoso (guest members) v Microsoft Teams Environment Woodgrove Bank IT Department Retail and Wealth Management Financial Crime Unit High level Teams logical architecture A common scenario where Teams benefits financial services is when running internal projects or programs. For example, many financial institutions have anti-money laundering and compliance programs in place. In this illustration , Woodgrove Bank hosts two Teams Environments for projects with different participants. The Anti-money laundering project includes only Woodgrove Bank employees. The “Virtual data room” for project B includes guest members from Contoso. The Virtual Data room acts as a secure place to share data that can only be accessed by authorized users. Azure Active Directory also enforces multi-factor authentication and other conditional access policies for guests. October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. This topic is 2 of 8 Page 2
Identify sensitive information and prevent data loss Woodgrove Bank Contoso Microsoft Information Protection (MIP) Microsoft Teams Environment OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online User is prompted to label sensitive information Automated labeling This message includes sensitive information. OK This message includes sensitive information. OK Microsoft 365 allows all organizations to identify sensitive data within the organization through a combination of powerful capabilities, including Microsoft Information Protection (MIP), and Office 365 Data Loss Prevention (DLP). MIP enables organizations to classify documents and emails intelligently by using sensitivity labels, applied manually or through machine-learning. The following scenario illustrates how sensitive information can be labeled either through machine learning or manually (shown below through user prompting and education). DLP can scan these labels to enforce data loss prevention policies. Sensitivity labels This topic is 3 of 8 Page 3 Sensitivity labels Continued on next page
Data loss prevention Once sensitivity labels are applied across the data, DLP can be used to identify documents, emails, and conversation by scanning these for the sensitivity labels. It then enforces appropriate policies on this data and lets you monitor, protect, and prevent accidental sharing of sensitive information. It also helps users stay compliant without interrupting their workflow. The following illustration demonstrates DLP enforcing policies for data that matches several sensitive information types (Policy 1) and data labeled ‘Highly Confidential’ (Policy 2). We see that if an attempt is made to share data marked ‘Highly Confidential’ outside of allowed recipients, DLP blocks the sharing of the information and prevents data loss. October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Woodgrove Bank Contoso (guests) Microsoft Teams Environment Data Loss Prevention policies OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online 2 1 2 1 2
Govern data and manage compliance requirements for retention Retention policies and retention labels Microsoft 365 provides flexible capabilities to define retention policies and retention labels to intelligently implement records-management requirements. Retention settings that you configure can help compliance with industry regulations requiring you to retain content for a minimum period of time, reduce risk in case of litigation or security breaches, and share knowledge in an effective, agile way. You can use both retention policies and retention labels to assign retention settings. Both of these come with specific ways to help comply with rules defined by financial regulatory bodies such as SEC Rule 17a-4(f), which requires regulated entities to "Preserve the records exclusively in a non-rewriteable, non-erasable format." Microsoft 365 accomplishes this by applying a Preservation Lock to a Retention Policy or Label Policy (in the case of Regulatory Record labels), which ensures that the policy cannot be turned off or made less restrictive. Retention Policies and Regulatory Record labels are touched upon in later illustrations (topic 5 of 8). There is no limit to the number of retention labels that are supported for a tenant. However, 10,000 is the maximum number of policies that are supported for a tenant and these include the policies that apply the labels. The broad differences between these two methods are shown in the facing diagram. How are they used? Where are they applied? Persistence of label/policy Meeting regulatory compliance requirements Retention policy Retention label Assigns the same retention settings for content at a container level: e.g at site or mailbox level. Assigns the retention settings at an item level (folder, document, email). A single policy can be applied automatically to multiple or specific at container levels – for example, SharePoint sites or group mailboxes. Labels are applied to individual items – such as documents, email, or videos at folder level. If an item is edited, deleted, or moved, a copy of the content is automatically retained as it existed when you applied the retention settings. The retention label persists if the data is copied or moved to a different site or mailbox within that same M365 environment. Retention period settings Retention period is calculated from the age of when content is created or modified, not from when the policy is applied. These support starting retention periods from when content was labeled, or are event-based (in addition to the age of the content or when it was last modified). This is implemented through a retention policy with a Preservation Lock applied to it. Administrators cannot disable or delete a policy once a preservation hold is applied. This is implemented through a special type of label called Regulatory records with Preservation Lock applied to the associated label policy. Regulatory record labels must be applied by the end user. Retention labels and Retention policies can be utilized together to help you meet your compliance requirements. This topic is 4 of 8 Page 5 Continued on next page
Retention policy application A retention policy lets you proactively retain, delete - or both retain and then delete - content very efficiently by assigning the same retention settings for content by container at a site or mailbox level. A retention policy can support multiple containers, but a single retention policy cannot include all supported containers (Teams, SharePoint etc). When you configure a retention policy, you can choose to retain content indefinitely or for a specific number of days, months, or years. The retention period is calculated from the age of the content (from when it was created or modified), not from when the retention policy is applied. The following diagram shows Retention policies being applied to data in different containers in the M365 environment. Woodgrove Bank Microsoft Teams Retention Policies Audit logging notes changes made to policy SharePoint Site OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online Continued on next page
Woodgrove Bank Create Retention Labels Audit logging notes changes made to labels October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Retention label application Retention labels help you retain and delete data at an item level (document, email, or folder). After labels are created, you will create a retention label policy to specify the locations where these labels can be applied. A retention label can be applied automatically based on sensitive information types, keywords or properties, a trainable classifier, a SharePoint Syntex document understanding model, or as a default label in SharePoint. End-users can also manually apply labels to SharePoint documents and Exchange emails. Retention labels can also be used to mark items as a record or a regulatory record When this happens and the content remains in Microsoft 365, the label places further restrictions on the content that helps you meet regulatory requirements. Retention labels don't persist if data is moved outside your Microsoft 365 tenant. Microsoft Teams SharePoint Site OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online
Govern data and manage compliance requirements for retention: WORM requirement Retention policies and Preservation locks Several financial regulations require that electronic data must be stored in a non-erasable format (WORM: Write-Once-Read-Many). When a retention policy is locked: no one can turn it off, containers can be added but not removed, policy compliant content can't be modified or deleted by an administrator during the retention period. Preservation Lock helps you be compliant with these financial regulations by ensuring that after a retention policy’s lock is turned on, it cannot be turned off or made less restrictive. In summary, a locked retention policy can be increased or extended, but it can't be reduced or turned off. Below we see the Preservation Lock applied to data that needs to meet the WORM requirement. Woodgrove Bank Retention Policies Audit logging notes changes made to policy Microsoft Teams SharePoint Site OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online Continued on next page This topic is 4 of 8 Page 8
Retention labels and Regulatory records Retention Labels may be configured as Regulatory Records to preserve data in case a document is deleted. After the regulatory record label is published to a label policy, that policy must be locked with a Preservation Lock to be fully compliant with 17a-4. After it is applied to content, nobody, not even a global administrator, can remove the label. In addition, retention labels configured for regulatory records have the following admin restrictions: (1) retention periods can't be made shorter, only extended, (2) these labels must be applied by using retention label policies, and (3) After you have added/saved these labels to a retention label policy, you can't remove these labels from locations, only add new locations. Regulatory records cannot be applied automatically to content. Below we see the Regulatory records applied to data that needs to meet the WORM requirement. October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Woodgrove Bank Create Retention Labels Audit logging notes changes made to labels Microsoft Teams SharePoint Site OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online
Establish ethical walls with information barriers October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Financial institutions can be subject to regulations preventing certain employee roles from exchanging information or collaborating with other roles. FINRA has published rules 2241(b)(2)(G), 2242(b)(2) (D), (b)(2)(H)(ii) and (b)(2)(H)(iii) that require instituting policies and information barriers between roles in banking services, sales, or trading - preventing exchange of information with analysts. Information barriers allow ethical walls within the Office 365 environment, allowing policies that define all communications between groups of users in Teams. The example below shows policy enforcement that creates an information barrier between the Financial Advisor and Investment Banker segments. Segments are defined via Azure Active Directory. Woodgrove Bank OneDrive for Business OneDrive for Business Exchange Online Exchange Online Information Barrier policy Investment banker segment Financial Advisor segment Microsoft Teams Environment SharePoint Online SharePoint Online This topic is 5 of 8 Page 10 2 1
Communication compliance — Implement supervisory control FINRA has established supervisory functions within financial organizations to monitor employee activities to help achieve compliance with applicable securities laws; such as FINRA Rule 3110 (Supervision) and FINRA Rule 3120 (Supervisory Control System). Microsoft 365 enables organizations to pre-configure policies to capture communications for monitoring and review by authorized supervision. The illustration below shows two policies applied to employee communications. Similar to other information protection capabilities, the conditions for these policies can be based on sensitive information types (such as Policy 1). A random percentage of the communications are logged for subsequent review in the communication compliance mailbox. Woodgrove Bank OneDrive for Business OneDrive for Business Exchange Online Exchange Online SharePoint Online SharePoint Online Microsoft Teams Environment Communication Compliance policy Office 365 unified audit log Continued on next page This topic is 6 of 8 Page 11 2 1
Flexible remediation workflows Communication compliance policies scan and capture messages across communication channels to help you quickly review and remediate compliance issues. Built-in remediation workflows let you identify and take action on messages (monitored by reviews on audit logs) with policy matches in your organization. Reviewers get a dashboard in which they can review and act on flagged communications, that potentially violate policies, and mark flagged items as resolved. The illustration below describes a scenario where certain logged communications trigger incidents needing review. A reviewer investigates these incidents through built in, flexible remediation workflows. Woodgrove Bank Communication Compliance policy Microsoft Teams Environment October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. 2 1 2 1
Protect against data exfiltration and insider risk Insider risk management Enabling employees with online collaboration tools that can be accessed anywhere inherently brings a risk of data exfiltration to the organization. Insider risk management in Microsoft 365 can correlate signals from a user's Windows 10 desktop, such as copying files to a USB drive or emailing a personal email account, as well as HR events such as review, separation, etc. with activities from online services such as Office 365 email, SharePoint Online, Microsoft Teams, or OneDrive for Business, to identify data exfiltration patterns. Signals Devices Microsoft 365 Human Resources events Microsoft Information Protection Other data sources Microsoft Defender ATP Data loss prevention Sharing Download Etc. Departures Retirements Etc. Offensive language Custom trainable ML classifiers Etc. Machine learning Reasoning across indicators over time Risk management Alerts Cases Investigations Actions For a video walkthrough of insider risk management capabilities, see aka.ms/insiderriskguide. For a video walkthrough of insider risk management capabilities, see aka.ms/insiderriskguide. This topic is 7 of 8 Page 13 Continued on next page
Insider risk management workflows The insider risk management workflow helps you identify, investigate, and take action to address internal risks in your organization. With focused policy templates, comprehensive activity signaling across the Microsoft 365 service, and alert and case management tools, you can use actionable insights to quickly identify and act on risky behavior. The illustration below describes a scenario where certain user activities trigger policy conditions. These automatically generate alerts and are assigned a Needs review status. Reviewers can quickly identify and review, evaluate, and triage these alerts on a case-by-case basis. Woodgrove Bank Microsoft Teams Environment Insider Risk policies OneDrive for Business OneDrive for Business Exchange Online Exchange Online SharePoint Online SharePoint Online October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. 2 1
Ingestion of third-party application data October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Microsoft 365 lets administrators use data connectors to import and archive third-party data to mailboxes in your Microsoft 365 organization. One primary benefit of this is that you can apply various compliance solutions to that after it's been imported, helping ensure that your non-Microsoft data is in compliance with relevant regulations and standards. The following illustration shows an example of Bloomberg chat being ingested by a data connector into mailboxes associated with the user profiles in your M365 environment. You can apply a retention policy to user mailboxes to retain and then delete third-party data (and other mailbox content) after retention period expires. You can also use retention labels to trigger a disposition review when the retention period for third-party data expires. Importing and archiving this third-party data can be used to ensure communication compliance, minimize insider risk, and apply retention settings to be compliant with necessary regulations. . M365 Environment User mailbox User mailbox User mailbox Microsoft cloud Bloomberg Message Connector Bloomberg Message Connector Retention policies Retention policies Retention labels Retention labels Communication Compliance policy Communication Compliance policy Insider Risk policies Insider Risk policies M365 compliance center Compliance capabilities that can be applied to ingested third party data include: This topic is 8 of 8 Page 15 For more information, see Archive third- party data. For more information, see Archive third- party data. 1 2 3 4

More Related Content

PPTX
SC-900 Capabilities of Microsoft Compliance Solutions
byFredBrandonAuthorMCP
 
PDF
March 2023 CIAOPS Need to Know Webinar
byRobert Crane
 
PPTX
Labelling in Microsoft 365 - Retention & Sensitivity
byDrew Madelung
 
PPTX
Create a Compliance Strategy for Office 365
byErica Toelle
 
PPTX
Labelling in Microsoft 365 - Retention & Sensitivity
byDrew Madelung
 
PPTX
Understanding Records Management in Office 365
byRecordPoint
 
PPTX
Global Security and Compliance Community conference 2021
byAlbert Hoitingh
 
PPTX
Advanced data governance in Office 365
byAlbert Hoitingh
 
SC-900 Capabilities of Microsoft Compliance Solutions
byFredBrandonAuthorMCP
 
March 2023 CIAOPS Need to Know Webinar
byRobert Crane
 
Labelling in Microsoft 365 - Retention & Sensitivity
byDrew Madelung
 
Create a Compliance Strategy for Office 365
byErica Toelle
 
Labelling in Microsoft 365 - Retention & Sensitivity
byDrew Madelung
 
Understanding Records Management in Office 365
byRecordPoint
 
Global Security and Compliance Community conference 2021
byAlbert Hoitingh
 
Advanced data governance in Office 365
byAlbert Hoitingh
 

Similar to m365-compliance-illustrations.pdf

PPTX
Microsoft Teams Governance and Security Best Practices - Joel Oleson
byJoel Oleson
 
PPTX
Data governance in Office 365
byCloudFronts Technologies LLP.
 
PPTX
M365 Virtual Marathon: Retention in Office 365 - the Where What and How
byJoanne Klein
 
PPTX
Ensure your compliance in Microsoft Teams with Information Protection and Gov...
byJasper Oosterveld
 
PPTX
Microsoft Information Protection: Your Security and Compliance Framework
byAlistair Pugin
 
PDF
Webinar: Protect your teams work across office 365
byShareGate
 
PPTX
Securing SharePoint & OneDrive in Office 365
byDrew Madelung
 
PPTX
677082374-Endpoint-DLP-Overview-peru-colombiapptx
byJuanAlvarez415405
 
PDF
IRMS UG Principles of Retention in Microsoft 365
byJoanne Klein
 
PPTX
SharePoint and Office 365 Data Compliance Made Easy: Site Classifications, La...
byJoel Oleson
 
PPTX
The SharePoint Records Management Story
byErica Toelle
 
PPTX
Taking a Crawl-Walk-Run Approach to Office 365 Retention - Ottawa SPUG (no de...
byJoanne Klein
 
PDF
One name unify them all
byBizTalk360
 
PPTX
2018 advanced data governance - slide share
byAlbert Hoitingh
 
PPTX
Tuga it 2018 advanced data governance
byAlbert Hoitingh
 
PPTX
SPFest Chicago - Information Management and Data Governance in Office 365
byJoanne Klein
 
PPTX
St. Louis SharePoint User Group - Security and Compliance in O365 for SharePo...
byAjay Iyer
 
PPTX
HSPUG presentation - Advanced Data Governance
byDavid Broussard
 
PDF
June 2020 Microsoft 365 Need to Know Webinar
byRobert Crane
 
PDF
[Sy] How to Develop Your Office 365 Information Governance Strategy in 4 Steps
byEuropean Collaboration Summit
 
Microsoft Teams Governance and Security Best Practices - Joel Oleson
byJoel Oleson
 
Data governance in Office 365
byCloudFronts Technologies LLP.
 
M365 Virtual Marathon: Retention in Office 365 - the Where What and How
byJoanne Klein
 
Ensure your compliance in Microsoft Teams with Information Protection and Gov...
byJasper Oosterveld
 
Microsoft Information Protection: Your Security and Compliance Framework
byAlistair Pugin
 
Webinar: Protect your teams work across office 365
byShareGate
 
Securing SharePoint & OneDrive in Office 365
byDrew Madelung
 
677082374-Endpoint-DLP-Overview-peru-colombiapptx
byJuanAlvarez415405
 
IRMS UG Principles of Retention in Microsoft 365
byJoanne Klein
 
SharePoint and Office 365 Data Compliance Made Easy: Site Classifications, La...
byJoel Oleson
 
The SharePoint Records Management Story
byErica Toelle
 
Taking a Crawl-Walk-Run Approach to Office 365 Retention - Ottawa SPUG (no de...
byJoanne Klein
 
One name unify them all
byBizTalk360
 
2018 advanced data governance - slide share
byAlbert Hoitingh
 
Tuga it 2018 advanced data governance
byAlbert Hoitingh
 
SPFest Chicago - Information Management and Data Governance in Office 365
byJoanne Klein
 
St. Louis SharePoint User Group - Security and Compliance in O365 for SharePo...
byAjay Iyer
 
HSPUG presentation - Advanced Data Governance
byDavid Broussard
 
June 2020 Microsoft 365 Need to Know Webinar
byRobert Crane
 
[Sy] How to Develop Your Office 365 Information Governance Strategy in 4 Steps
byEuropean Collaboration Summit
 

Recently uploaded

PPTX
Role of the Uninstall Hook in Odoo 18 Module Cleanup
byCeline George
 
PDF
Basics of Systematic Literature Search - Nasra Gathoni
bySystematic Reviews Network (SRN)
 
DOCX
TOXICITY AND ITS MANAGEMENT 6th sem unit 5, PHARMACOLOGY-III B. PHARMACY
byjagdeepsinghynr7
 
PPTX
How to Automate Quality Checks in Odoo 18 Quality App
byCeline George
 
PDF
Handwritten notes of Toxicity 1. Genotoxicity 2 Carcinogenicity 3 Teratogenic...
byjagdeepsinghynr7
 
PDF
Projecte de la porta de la classe de primer A: Mar i cel.
byeduardrubio1
 
PPTX
CROP RESIDUE MANAGEMANT AND ITS EFFECT ON SOIL HEALTH
byShraddha Maurya
 
PPTX
Cost of Capital - Cost of Equity, Cost of debenture, Cost of Preference share...
bySundar B N
 
DOCX
Mobile applications Devlopment ReTest year 2025-2026
byDr. Mazin Mohamed alkathiri
 
PPTX
ICH Harmonization A Global Pathway to Unified Drug Regulation.pptx
byDr. Smita Kumbhar
 
PPTX
Rectal Surgery in Senior Citiizens .pptx
byJohn Thanakumar
 
PPTX
Hypothesis. its definition and typrs pptx
byMakarand Joshi
 
PDF
Prescription Writing- Elements, Parts, and Exercises
byDr. Ishita Agarwal
 
PPTX
CLASS -9 POLITICAL SCIENCE PPT CHAPTER -5 DEMOCRATIC RIGHTS.pptx
bydushyantchavhan
 
PDF
Projecte de la porta d'i5B: Els animals marins
byeduardrubio1
 
PDF
Orchard Floor Managment.pdf Orchard Floor Management
bybisensharad
 
PPTX
SOCIAL SYSTEM.......................pptx
byAneetaSharma15
 
PPTX
Pain. definition, causes, factor influencing pain & pain assessment.pptx
byPompi Begum
 
PDF
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
PPTX
Unit I — Introduction to Anatomical Terms and Organization of the Human Body
byRAKESH SAJJAN
 
Role of the Uninstall Hook in Odoo 18 Module Cleanup
byCeline George
 
Basics of Systematic Literature Search - Nasra Gathoni
bySystematic Reviews Network (SRN)
 
TOXICITY AND ITS MANAGEMENT 6th sem unit 5, PHARMACOLOGY-III B. PHARMACY
byjagdeepsinghynr7
 
How to Automate Quality Checks in Odoo 18 Quality App
byCeline George
 
Handwritten notes of Toxicity 1. Genotoxicity 2 Carcinogenicity 3 Teratogenic...
byjagdeepsinghynr7
 
Projecte de la porta de la classe de primer A: Mar i cel.
byeduardrubio1
 
CROP RESIDUE MANAGEMANT AND ITS EFFECT ON SOIL HEALTH
byShraddha Maurya
 
Cost of Capital - Cost of Equity, Cost of debenture, Cost of Preference share...
bySundar B N
 
Mobile applications Devlopment ReTest year 2025-2026
byDr. Mazin Mohamed alkathiri
 
ICH Harmonization A Global Pathway to Unified Drug Regulation.pptx
byDr. Smita Kumbhar
 
Rectal Surgery in Senior Citiizens .pptx
byJohn Thanakumar
 
Hypothesis. its definition and typrs pptx
byMakarand Joshi
 
Prescription Writing- Elements, Parts, and Exercises
byDr. Ishita Agarwal
 
CLASS -9 POLITICAL SCIENCE PPT CHAPTER -5 DEMOCRATIC RIGHTS.pptx
bydushyantchavhan
 
Projecte de la porta d'i5B: Els animals marins
byeduardrubio1
 
Orchard Floor Managment.pdf Orchard Floor Management
bybisensharad
 
SOCIAL SYSTEM.......................pptx
byAneetaSharma15
 
Pain. definition, causes, factor influencing pain & pain assessment.pptx
byPompi Begum
 
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
Unit I — Introduction to Anatomical Terms and Organization of the Human Body
byRAKESH SAJJAN
 

m365-compliance-illustrations.pdf

  • 1.
    v October 2020 ©2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Microsoft 365 Information Protection and Compliance Capabilities Introduction Microsoft 365 includes a broad set of information protection and compliance capabilities. Together with Microsoft’s productivity tools, these capabilities are designed to help organizations collaborate in real time while adhering to stringent regulatory compliance frameworks. This set of illustrations uses one of the most regulated industries, financial services, to demonstrate how these capabilities can be applied to address common regulatory requirements. Feel free to adapt these illustrations for your own use. Contoso (guest members) Microsoft Teams Environment Woodgrove Bank This topic is 1 of 8 Page 1 In these illustrations, Woodgrove Bank hosts two Teams environments for projects with different participants. In each scenario, each Team’s Microsoft 365 Group provides a security boundary for membership, with Azure Active Directory enforcing multi-factor authentication and other conditional access policies for Microsoft Teams. For more information about how Microsoft 365 can help financial services institutions meet security and compliance regulations, see Key compliance and security considerations for US banking and capital markets. For more information about how Microsoft 365 can help financial services institutions meet security and compliance regulations, see Key compliance and security considerations for US banking and capital markets.
  • 2.
    Syndicates External Investors Private Equity Firms Contoso(guest members) v Microsoft Teams Environment Woodgrove Bank IT Department Retail and Wealth Management Financial Crime Unit High level Teams logical architecture A common scenario where Teams benefits financial services is when running internal projects or programs. For example, many financial institutions have anti-money laundering and compliance programs in place. In this illustration , Woodgrove Bank hosts two Teams Environments for projects with different participants. The Anti-money laundering project includes only Woodgrove Bank employees. The “Virtual data room” for project B includes guest members from Contoso. The Virtual Data room acts as a secure place to share data that can only be accessed by authorized users. Azure Active Directory also enforces multi-factor authentication and other conditional access policies for guests. October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. This topic is 2 of 8 Page 2
  • 3.
    Identify sensitive informationand prevent data loss Woodgrove Bank Contoso Microsoft Information Protection (MIP) Microsoft Teams Environment OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online User is prompted to label sensitive information Automated labeling This message includes sensitive information. OK This message includes sensitive information. OK Microsoft 365 allows all organizations to identify sensitive data within the organization through a combination of powerful capabilities, including Microsoft Information Protection (MIP), and Office 365 Data Loss Prevention (DLP). MIP enables organizations to classify documents and emails intelligently by using sensitivity labels, applied manually or through machine-learning. The following scenario illustrates how sensitive information can be labeled either through machine learning or manually (shown below through user prompting and education). DLP can scan these labels to enforce data loss prevention policies. Sensitivity labels This topic is 3 of 8 Page 3 Sensitivity labels Continued on next page
  • 4.
    Data loss prevention Oncesensitivity labels are applied across the data, DLP can be used to identify documents, emails, and conversation by scanning these for the sensitivity labels. It then enforces appropriate policies on this data and lets you monitor, protect, and prevent accidental sharing of sensitive information. It also helps users stay compliant without interrupting their workflow. The following illustration demonstrates DLP enforcing policies for data that matches several sensitive information types (Policy 1) and data labeled ‘Highly Confidential’ (Policy 2). We see that if an attempt is made to share data marked ‘Highly Confidential’ outside of allowed recipients, DLP blocks the sharing of the information and prevents data loss. October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Woodgrove Bank Contoso (guests) Microsoft Teams Environment Data Loss Prevention policies OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online 2 1 2 1 2
  • 5.
    Govern data andmanage compliance requirements for retention Retention policies and retention labels Microsoft 365 provides flexible capabilities to define retention policies and retention labels to intelligently implement records-management requirements. Retention settings that you configure can help compliance with industry regulations requiring you to retain content for a minimum period of time, reduce risk in case of litigation or security breaches, and share knowledge in an effective, agile way. You can use both retention policies and retention labels to assign retention settings. Both of these come with specific ways to help comply with rules defined by financial regulatory bodies such as SEC Rule 17a-4(f), which requires regulated entities to "Preserve the records exclusively in a non-rewriteable, non-erasable format." Microsoft 365 accomplishes this by applying a Preservation Lock to a Retention Policy or Label Policy (in the case of Regulatory Record labels), which ensures that the policy cannot be turned off or made less restrictive. Retention Policies and Regulatory Record labels are touched upon in later illustrations (topic 5 of 8). There is no limit to the number of retention labels that are supported for a tenant. However, 10,000 is the maximum number of policies that are supported for a tenant and these include the policies that apply the labels. The broad differences between these two methods are shown in the facing diagram. How are they used? Where are they applied? Persistence of label/policy Meeting regulatory compliance requirements Retention policy Retention label Assigns the same retention settings for content at a container level: e.g at site or mailbox level. Assigns the retention settings at an item level (folder, document, email). A single policy can be applied automatically to multiple or specific at container levels – for example, SharePoint sites or group mailboxes. Labels are applied to individual items – such as documents, email, or videos at folder level. If an item is edited, deleted, or moved, a copy of the content is automatically retained as it existed when you applied the retention settings. The retention label persists if the data is copied or moved to a different site or mailbox within that same M365 environment. Retention period settings Retention period is calculated from the age of when content is created or modified, not from when the policy is applied. These support starting retention periods from when content was labeled, or are event-based (in addition to the age of the content or when it was last modified). This is implemented through a retention policy with a Preservation Lock applied to it. Administrators cannot disable or delete a policy once a preservation hold is applied. This is implemented through a special type of label called Regulatory records with Preservation Lock applied to the associated label policy. Regulatory record labels must be applied by the end user. Retention labels and Retention policies can be utilized together to help you meet your compliance requirements. This topic is 4 of 8 Page 5 Continued on next page
  • 6.
    Retention policy application Aretention policy lets you proactively retain, delete - or both retain and then delete - content very efficiently by assigning the same retention settings for content by container at a site or mailbox level. A retention policy can support multiple containers, but a single retention policy cannot include all supported containers (Teams, SharePoint etc). When you configure a retention policy, you can choose to retain content indefinitely or for a specific number of days, months, or years. The retention period is calculated from the age of the content (from when it was created or modified), not from when the retention policy is applied. The following diagram shows Retention policies being applied to data in different containers in the M365 environment. Woodgrove Bank Microsoft Teams Retention Policies Audit logging notes changes made to policy SharePoint Site OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online Continued on next page
  • 7.
    Woodgrove Bank Create RetentionLabels Audit logging notes changes made to labels October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Retention label application Retention labels help you retain and delete data at an item level (document, email, or folder). After labels are created, you will create a retention label policy to specify the locations where these labels can be applied. A retention label can be applied automatically based on sensitive information types, keywords or properties, a trainable classifier, a SharePoint Syntex document understanding model, or as a default label in SharePoint. End-users can also manually apply labels to SharePoint documents and Exchange emails. Retention labels can also be used to mark items as a record or a regulatory record When this happens and the content remains in Microsoft 365, the label places further restrictions on the content that helps you meet regulatory requirements. Retention labels don't persist if data is moved outside your Microsoft 365 tenant. Microsoft Teams SharePoint Site OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online
  • 8.
    Govern data andmanage compliance requirements for retention: WORM requirement Retention policies and Preservation locks Several financial regulations require that electronic data must be stored in a non-erasable format (WORM: Write-Once-Read-Many). When a retention policy is locked: no one can turn it off, containers can be added but not removed, policy compliant content can't be modified or deleted by an administrator during the retention period. Preservation Lock helps you be compliant with these financial regulations by ensuring that after a retention policy’s lock is turned on, it cannot be turned off or made less restrictive. In summary, a locked retention policy can be increased or extended, but it can't be reduced or turned off. Below we see the Preservation Lock applied to data that needs to meet the WORM requirement. Woodgrove Bank Retention Policies Audit logging notes changes made to policy Microsoft Teams SharePoint Site OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online Continued on next page This topic is 4 of 8 Page 8
  • 9.
    Retention labels andRegulatory records Retention Labels may be configured as Regulatory Records to preserve data in case a document is deleted. After the regulatory record label is published to a label policy, that policy must be locked with a Preservation Lock to be fully compliant with 17a-4. After it is applied to content, nobody, not even a global administrator, can remove the label. In addition, retention labels configured for regulatory records have the following admin restrictions: (1) retention periods can't be made shorter, only extended, (2) these labels must be applied by using retention label policies, and (3) After you have added/saved these labels to a retention label policy, you can't remove these labels from locations, only add new locations. Regulatory records cannot be applied automatically to content. Below we see the Regulatory records applied to data that needs to meet the WORM requirement. October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Woodgrove Bank Create Retention Labels Audit logging notes changes made to labels Microsoft Teams SharePoint Site OneDrive for Business OneDrive for Business SharePoint Online SharePoint Online Exchange Online Exchange Online
  • 10.
    Establish ethical wallswith information barriers October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Financial institutions can be subject to regulations preventing certain employee roles from exchanging information or collaborating with other roles. FINRA has published rules 2241(b)(2)(G), 2242(b)(2) (D), (b)(2)(H)(ii) and (b)(2)(H)(iii) that require instituting policies and information barriers between roles in banking services, sales, or trading - preventing exchange of information with analysts. Information barriers allow ethical walls within the Office 365 environment, allowing policies that define all communications between groups of users in Teams. The example below shows policy enforcement that creates an information barrier between the Financial Advisor and Investment Banker segments. Segments are defined via Azure Active Directory. Woodgrove Bank OneDrive for Business OneDrive for Business Exchange Online Exchange Online Information Barrier policy Investment banker segment Financial Advisor segment Microsoft Teams Environment SharePoint Online SharePoint Online This topic is 5 of 8 Page 10 2 1
  • 11.
    Communication compliance —Implement supervisory control FINRA has established supervisory functions within financial organizations to monitor employee activities to help achieve compliance with applicable securities laws; such as FINRA Rule 3110 (Supervision) and FINRA Rule 3120 (Supervisory Control System). Microsoft 365 enables organizations to pre-configure policies to capture communications for monitoring and review by authorized supervision. The illustration below shows two policies applied to employee communications. Similar to other information protection capabilities, the conditions for these policies can be based on sensitive information types (such as Policy 1). A random percentage of the communications are logged for subsequent review in the communication compliance mailbox. Woodgrove Bank OneDrive for Business OneDrive for Business Exchange Online Exchange Online SharePoint Online SharePoint Online Microsoft Teams Environment Communication Compliance policy Office 365 unified audit log Continued on next page This topic is 6 of 8 Page 11 2 1
  • 12.
    Flexible remediation workflows Communicationcompliance policies scan and capture messages across communication channels to help you quickly review and remediate compliance issues. Built-in remediation workflows let you identify and take action on messages (monitored by reviews on audit logs) with policy matches in your organization. Reviewers get a dashboard in which they can review and act on flagged communications, that potentially violate policies, and mark flagged items as resolved. The illustration below describes a scenario where certain logged communications trigger incidents needing review. A reviewer investigates these incidents through built in, flexible remediation workflows. Woodgrove Bank Communication Compliance policy Microsoft Teams Environment October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. 2 1 2 1
  • 13.
    Protect against dataexfiltration and insider risk Insider risk management Enabling employees with online collaboration tools that can be accessed anywhere inherently brings a risk of data exfiltration to the organization. Insider risk management in Microsoft 365 can correlate signals from a user's Windows 10 desktop, such as copying files to a USB drive or emailing a personal email account, as well as HR events such as review, separation, etc. with activities from online services such as Office 365 email, SharePoint Online, Microsoft Teams, or OneDrive for Business, to identify data exfiltration patterns. Signals Devices Microsoft 365 Human Resources events Microsoft Information Protection Other data sources Microsoft Defender ATP Data loss prevention Sharing Download Etc. Departures Retirements Etc. Offensive language Custom trainable ML classifiers Etc. Machine learning Reasoning across indicators over time Risk management Alerts Cases Investigations Actions For a video walkthrough of insider risk management capabilities, see aka.ms/insiderriskguide. For a video walkthrough of insider risk management capabilities, see aka.ms/insiderriskguide. This topic is 7 of 8 Page 13 Continued on next page
  • 14.
    Insider risk managementworkflows The insider risk management workflow helps you identify, investigate, and take action to address internal risks in your organization. With focused policy templates, comprehensive activity signaling across the Microsoft 365 service, and alert and case management tools, you can use actionable insights to quickly identify and act on risky behavior. The illustration below describes a scenario where certain user activities trigger policy conditions. These automatically generate alerts and are assigned a Needs review status. Reviewers can quickly identify and review, evaluate, and triage these alerts on a case-by-case basis. Woodgrove Bank Microsoft Teams Environment Insider Risk policies OneDrive for Business OneDrive for Business Exchange Online Exchange Online SharePoint Online SharePoint Online October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. 2 1
  • 15.
    Ingestion of third-partyapplication data October 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com. Microsoft 365 lets administrators use data connectors to import and archive third-party data to mailboxes in your Microsoft 365 organization. One primary benefit of this is that you can apply various compliance solutions to that after it's been imported, helping ensure that your non-Microsoft data is in compliance with relevant regulations and standards. The following illustration shows an example of Bloomberg chat being ingested by a data connector into mailboxes associated with the user profiles in your M365 environment. You can apply a retention policy to user mailboxes to retain and then delete third-party data (and other mailbox content) after retention period expires. You can also use retention labels to trigger a disposition review when the retention period for third-party data expires. Importing and archiving this third-party data can be used to ensure communication compliance, minimize insider risk, and apply retention settings to be compliant with necessary regulations. . M365 Environment User mailbox User mailbox User mailbox Microsoft cloud Bloomberg Message Connector Bloomberg Message Connector Retention policies Retention policies Retention labels Retention labels Communication Compliance policy Communication Compliance policy Insider Risk policies Insider Risk policies M365 compliance center Compliance capabilities that can be applied to ingested third party data include: This topic is 8 of 8 Page 15 For more information, see Archive third- party data. For more information, see Archive third- party data. 1 2 3 4