Cracking the Code- Expert Tips for Mastering GRC | CollabDays Bletchley | Sept 23
3 likes192 views
This document summarizes a conference session on mastering governance, risk, and compliance (GRC) in Microsoft 365. The session covered establishing a GRC program through people, processes, and technology. Speakers recommended starting with high-level board support and prioritization before focusing initially on key areas and embedding cultural change through continuous improvement. Both technical controls in Purview and non-technical processes were addressed.
Cracking the Code- Expert Tips for Mastering GRC | CollabDays Bletchley | Sept 23
- 1. BLETCHLEY PARK 2023 A Microsoft 365 Community COLLABORATION CONFERENCE Wednesday, 27th September 2023 Cracking the Code: Expert Tips for Mastering Governance, Risk, and Compliance in Microsoft 365 Nikki Chapple, Simon Hudson Agenda
- 2. BLETCHLEY PARK 2023 Thank you to all our Sponsors Silver Platinum Gold Silver Community Sponsors
- 3. GRC… bane or benefit What do you feel about GRC? Entry Poll
- 5. Agenda Overview of GRC (Governance Risk and Compliance) obligations and approaches Thoughts on using the Maturity Model for Microsoft 365 GRC Competency to set your objectives Pragmatic approaches to elevating your Compliance Score Wider technical and business thinking for de-risking your operations and organisation
- 6. Governance, Risk and Compliance… it's not nice to have It's The Law GRC Security
- 8. Data is exploding Data regulations are increasing Risks of not being compliant Protecting data has become more challenging We need to simplify compliance and to reduce risk Why do we need Governance, Risk & Compliance?
- 9. The risks of not being compliant Loss of trust and Reputation al damage Operational / Financial impacts and loss Fines
- 13. How can the Microsoft 365 Governance, Risk, and Compliance Maturity Model help?
- 14. The Maturity Model levels 100 - Initial • Ad hoc, reactive, uncontrolled 200 - Managed • Routine, legacy, firefighting, variable, personally managed 300 - Defined • Document ed, policy- driven, planned, controlled, stable 400 - Predictable • Productive, interactive, responsive, enhanced, effective, adaptable, quality 500 - Optimising • Optimal, proactive, statistical, improvement -focus, automated, assured More information on the maturity model ➡
- 15. Pragmatic approaches to GRC and the Purview score Purview in context
- 16. Governance, Risk and Compliance Assessment Who, Where, How & When Current vs. Future state People Technology Process Strategy Regulations Culture Priorities GRC Maturity Recommendations What & Why Risk & compliance stance Monitor and Enhance
- 17. Align the inputs with the demonstrable action-orientated outputs Benchmarked against the GRC Competency https://learn.microsoft.com/en-us/microsoft-365/community/microsoft365- maturity-model--governance-and-compliance
- 18. Can Copilot help? Wouldn’t it be great if Compliance Copilot could help with setting all this stuff up. Maybe it needs to be exposed to all the Compliance standards and regulations… But that’s in the future…
- 19. Helping Copilot get it right • If you are planning to use Copilot, you better make sure that you have cleansed your documents • Good Governance drives this • See https://techcommunity.microsoft.c om/t5/microsoft-365-copilot/how- to-prepare-for-microsoft-365- copilot/ba-p/3851566
- 20. Using Copilot across GRC • Copilot can (potentially): • Help gather information from multiple sources across your tenant (and beyond) • Provide summaries and reports • Respond to GRC queries from a chat prompt • Assist with Purview management and a Compliance Score improvement programme. • Collaboration summarise and actions • Extract intent from Viva Goals • Extract employee engagement and sentiment from your teams • Potentially flagging insider risks, internal bad actors • AI can: • Translate technical insights into business insights • Avoid copyright and IP issues
- 21. What about Copilot itself • Copilot takes the response from the LLM and post-processes it. This post-processing includes other grounding calls to Microsoft Graph, responsible AI checks, security, compliance and privacy reviews, and command generation. • Prompts, responses, and data accessed through Microsoft Graph aren’t used to train foundation LLMs, including those used by Microsoft 365 Copilot. https://learn.microsoft.com/en- us/deployoffice/privacy/microsoft- 365-copilot
- 22. Microsoft Security Copilot • AI powered security analysis tool that enables analysts to respond to threats quickly, process signals at machine speed, and assess risk exposure in minutes. • Incident Response • Threat Hunting • Security Reporting • https://www.microsoft.com/en- gb/security/business/ai-machine- learning/microsoft-security-copilot?rtc=2
- 23. Compliance Score vs Secure Score Purview • Number of elements: 2000+ • Grouped into • Security, compliance & privacy • 9 sub-categories: • Protect information, Govern information, Control Access, Manage Devices, Protect against threats, Discover and respond, Manage internal risks, Manage compliance, Privacy Management • 350+ Assessment templates • Board Led • Business, Process & Technical control driven • (Documentation, Operational and technical) • Requires many controls outside the reach of the M365 /Azure platform Entra/Defender • Number of elements: 58 • Grouped into • Identity, Data, Apps • Singular security score • IT Led • Technical control driven
- 24. Review and prioritise in Purview ?? %
- 25. Successful Governance Risk & Compliance - Establish People facing processes, such as policies, training, guidance, GRC roles and responsibilities and reporting. Staff and Leadership - Build organisational management tools (Processes), such as risk registers, incident logs, action plans and processes around content lifecycle management, reporting, notifications and incident and risk responses. Have audit and reporting to sustain the approach. Management tools - Implement Technologies - Configure tenant settings in Microsoft 365 - Monitor, plan and improve using Microsoft Purview Technical (Microsoft 365 +) Controls
- 26. GRC Hints and Tips • Use Copilot to assess content across your tenant • Provide continuous, bite sized updates via relatable avatars • Create GRC champions / super users in each team and enable them through a super user network • Build a GRC Portal with guidance pages and stories. • Publish your Compliance Score and track over time (i.e. chart it) https://kinataltd.sharepoint.com/sites/InformationGovernance/SitePages/Subject-Access- Requests.aspx?web=1
- 27. Guidance + Video Script used (from Bing Chat) Subject Access Requests (SARs) are an important aspect of the General Data Protection Regulation (GDPR). They allow individuals to request access to their personal data held by organizations. Staff members should be aware of the following key points regarding SARs and GDPR: Recognizing a SAR: A SAR can be made verbally or in writing, including through social media. It does not need to include specific phrases or refer to particular legislation. The request should simply be clear that the individual is asking for their own personal data1. Formal Requirements: The UK GDPR does not set out formal requirements for a valid request. Therefore, an individual can make a SAR verbally or in writing, including through social media. They can direct it to any part of your organization without specifying a particular person or contact point1. Training and Procedures: It is essential to train staff members who regularly interact with the public to identify a SAR and understand the next steps1. Having a clear procedure in place and keeping a record of all requests and outcomes is also recommended2. Standard Forms: Providing standard forms for individuals to make requests can make it easier for both parties. However, it is not mandatory1. Handling Requests: Organizations have a legal responsibility to identify and handle any valid request correctly. If you receive a request verbally, you may still need to contact the individual in writing to confirm their identity1. It is also good practice to check with the requester if you have understood their request correctly1. Reasons for Request: Individuals are not required to provide reasons for making a request or explain what they intend to do with the information1. However, knowing the purpose of the request may help organizations locate the relevant information more effectively1. Children and Young People: Organizations should be prepared to handle requests for information about children or young people1. Freedom of Information: A valid SAR can be made even if it refers to other legislation, such as the Freedom of Information Act 2000 (FOIA) or the Freedom of Information (Scotland) Act 2002 (FOISA)1. Remember, SARs are an important right under GDPR, and organizations must handle them appropriately and responsibly.
- 28. How to improve your Microsoft 365 GRC maturity GRC/Purview in context
- 29. Level 100 - User behaviour Files stored in shared folders File sharing via emails with attachments Limited internal collaboration via Teams No external collaboration
- 30. Level 100 - Ungoverned Teams Groups and sites are ungoverned Guests are ungoverned Data is not classified No data lifecycle management No awareness of Microsoft 365 changes
- 31. Level 200 - User behaviour Starting to collaborate in Team chats not using Teams Starting to use OneDrive Shared folders still in use Use email and file attachment to share files externally No external collaboration No or limited adoption
- 32. Level 200 - Security focused Focus on Security MFA users Teams Groups and sites creation may be locked down Guest access may be blocked Mailbox holds to retain data
- 33. Level 300 - User behaviour Starting to work in Teams OneDrive for personal use, SharePoint for collaboration Shared folders limited or being migrated into M365 Share files via links Internal and external collaboration in Teams Tactical User Adoption
- 34. Level 300 - Basic Governance Risk and Compliance Sensitivity labels for Groups, Teams & Sites Groups, Teams & Sites provisioning Guest lifecycle management Manual MIP labels for content Data Loss Prevention based on labels Selected data retention Conditional Access & MFA
- 35. Level 400 - User behaviour Teams collaboration is mainstream What tool to use when is clear All file shares migrated into M365 Users are clear on data criticality and data lifecycle Embedded User Adoption
- 36. Level 400 - Risk-based governance & compliance Teams, Groups & Sites lifecycle management Automated content classificatio n (protection & retention) DLP extended to endpoints and Cloud Apps Records management Insider risk management Risk-based access controls PIM Privileged Accounts
- 37. Machine Learning classification Syntex 3rd party ingestion of data DLP extended to endpoints and Cloud Apps Copilot Independent Backup & Archive cold storage Level 500 – Extend and automate
- 38. What level of GRC maturity has your organisation achieved? GRC Maturity Poll
- 40. Wider technical and business thinking Purview in context
- 41. The business context Business GRC Corporate GRC Purview + Azure + other Microsoft 365 Purview •GRC doesn’t end at Purview • Address/add your other platforms and Line of Business systems / infrastructure • E.g. Azure, Salesforce •Think about the wider business needs
- 42. Practical steps Establish board accountability Agree strategy and priorities Embed cultural change Establish a programme for continuous improvement Select initial focus area in Purview for attention Build tools & processes outside Purview for non- technical control
- 45. Best Practice Before you start you need to know where you are now You cannot go from 1% to 100% in one day Take crawl-walk-run approach Manage based on risk Be realistic. Design something that can be implemented Involve the right teams
- 46. Governance, risk and compliance is not a project, it’s a lifestyle Start small and grow Look beyond Microsoft and definitely beyond IT
- 48. SimonHudson Founder, Cloud2, Kinata, Novia Works 20+ years innovating with Microsoft technologies Entrepreneur in Residence, University of Hull M365 North user group host simon@noviaworks.co.uk @simonjhudson Nikki Chapple 30+ years in IT & business transformation Specialist Microsoft 365 governance & compliance International speaker & blogger All things M365 compliance Podcast co-host Nikki.chapple@cloudway.com @chapplnikki Nikkichapple.com
- 49. Summary Establish board accountability and Chief Risk officer role Agree strategy and priorities Embed cultural change Establish a programme for continuous improvement Select initial priority areas for attention Build tools & processes outside Purview for non-technical controls