Microsoft 365 Compliance
3 likes2,192 views
The document discusses Microsoft's compliance and risk management solutions within the Microsoft 365 ecosystem, emphasizing the challenges posed by a rapidly evolving regulatory landscape and the various risks associated with data management. It highlights the importance of intelligent compliance tools for data protection, internal risk management, and the role of shared responsibilities between customers and the provider. Additionally, it touches upon compliance management processes, data governance, and industry standards for safeguarding sensitive information.
Microsoft 365 Compliance
- 1. Microsoft 365 Compliance Intelligent compliance and risk management solutions David J. Rosenthal Vice President, Digital Business Microsoft Technology Center, New York City October 24, 2019
- 2. Data is exploding It’s created, stored, and shared everywhere Platforms SaaS Remote Corporate Structured Private cloud SMS Vendors Unstructured Public Emails Documents Records
- 3. The landscape is fragmented and confusing
- 5. Hundreds of compliance requirements Hundreds of vendors
- 6. Data regulations are increasing around the world Protection of Personal Information Act 2013 (POPI) Australia Privacy Principles 2014 General Data Privacy Law Data Protection in Act (pending) Federal Data Protection Law 2000 California Consumer Privacy Act (CCPA) 2018 Personal Information Protection and Electronic Documents Act (PIPEDA) Act on Protection of Personal Information (APPI) 2017 Personal Information Protection Act (PIPA) 2011 Personal Information Security Specification 2018 Personal Data Protection Act (PDPA 2012) Personal Data Protection Bill 2018 The Privacy Protection Act (PPA) 2017 General Data Protection Regulation (GDPR 2016)
- 7. BUSINESSES AND USERS ARE GOING TO EMBRACE TECHNOLOGY ONLY IF THEY CAN TRUST IT. Satya Nadella Actions of a trusted partner
- 8. Actions of a trusted partner Customers own any patents and industrial design rights that result from our shared innovation work We proactively collaborate with customers and regulators We do not provide any government with the ability to break encryption, nor do we provide any government with encryption keys We do not share business customer data with our advertiser -supported services, nor do we mine it for marketing or advertising We do not engineer back doors for governments into our products We extended GDPR data subject rights to all consumers worldwide
- 9. Intelligent compliance and risk management solutions Information Protection & Governance Internal Risk Management Discover & Respond Protect and govern data anywhere it lives Identify and remediate critical insider risks Quickly investigate and respond with relevant data Compliance Management Simplify and automate risk assessments
- 10. Simplify and automate risk assessments COMPLIANCE MANAGEMENT
- 11. The regulatory landscape is complex and shifting 215+ updates per day from 900 regulatory bodies¹ 40% of firms spent 4+ hrs/ week creating and amending reports¹ 65% of firms ranked “design and implementation of internal processes” the biggest GDPR hurdle2 1. Thomson Reuters Regulatory Intelligence - Cost of Compliance 2018 2. http://resources.compuware.com/research-improved-gdpr-readiness-businesses-still-at-risk-of-non-compliance
- 12. Shared responsibility model Customer management of risk Data classification and data accountability Shared management of risk Identity & access management | End point devices Provider management of risk Physical | Networking Cloud customer Cloud provider Responsibility On-Prem IaaS PaaS SaaS Data classification and accountability Application level controls Network controls Host infrastructure Physical security Client & end-point protection Identity & access management
- 13. Examples of shared responsibilities: NIST Personnel control Strict screening for employees, vendors, and contractors, and conduct trainings through onboarding process Personnel control Allocate and staff sufficient resources to operate an organization-wide privacy program, including awareness- raising and training Access to production environment Set up access controls that strictly limit standing access to customer’s data or production environment Access to production environment Set up access control policy and SOP, leveraging Customer Lockbox / identity management solutions Protect data Encrypt data based on org’s compliance obligations. E.g. encrypt PII in transit between users, using its own encryption key, etc. Protect data Encrypt data at rest and in transit based on industrial standards (BitLocker, TLS, etc.) Organization responsibility responsibility 800-53
- 14. Compliance Manager Manage your compliance from one place Compliance Manager is a dashboard that provides the Compliance Score and a summary of your data protection and compliance stature as well as recommendations to improve data protection and compliance. This is a recommendation, it is up to you to evaluate and validate the effectiveness of customer controls as per your regulatory environment. Recommendations from Compliance Manager and Compliance Score should not be interpreted as a guarantee of compliance. Ongoing risk assessment An intelligent score reflects your compliance posture against regulations or standards Actionable insights Recommended actions to improve your data protection capabilities Simplified compliance Streamlined workflow across teams and richly detailed reports for auditing preparation
- 16. Protect and govern data anywhere it lives INFORMATION PROTECTION & GOVERNANCE
- 17. Discovering and managing data is challenging 88% of organizations no longer have confidence to detect and prevent loss of sensitive data¹ >80% of corporate data is “dark” – it’s not classified, protected or governed² #1 Protecting and governing sensitive data is biggest concern in complying with regulations 1. Forrester. Security Concerns, Approaches and Technology Adoption. December 2018 2. IBM. Future of Cognitive Computing. November 2015 3. Microsoft GDPR research, 2017
- 18. Do you have a strategy for protecting and managing sensitive and business critical data? Do you know where your business critical and sensitive data resides and what is being done with it? Do you have control of this data as it travels inside and outside of your organization? Are you using multiple solutions to classify, label, and protect this data?
- 19. Information Protection & Governance Protect and govern data – anywhere it lives 88% Understand your data landscape and identify important data across your hybrid environment Automatically retain, delete, and store data and records in compliant manner Apply flexible protection actions including encryption, access restrictions and visual markings Powered by an intelligent platform KNOW YOUR DATA 88% GOVERN YOUR DATA PROTECT YOUR DATA Unified approach to automatic data classification, policy management, analytics and APIs
- 20. Know Your Data Identify oversharing, mismanagement or misuse of important documents Understand volume, scope and location of sensitive information Visibility into sensitive information types detected across documents and emails Identify exposure & risks; guide policy configuration Act on recommendations to enable policies to better protect and govern data Helps inform taxonomy and policies for sensitivity labeling and retention labeling
- 21. Protect Your Data: Information Protection Customize protection policies based on data sensitivity Broad coverage Protect sensitive information across devices, apps, on- premises file repositories and cloud services Streamlined administration Configure sensitivity labels and protection policies in single place and apply across endpoints and services Built-in experiences Integrated natively into Office apps, Office 365 services and 3rd-party services Flexible labeling options Choose between automatic labeling, manual end-user driven labeling or recommended labeling
- 22. Govern Your Data: Information Governance Automatically govern data across your environment Records Management Ensure core business records are properly declared and stored immutability with full audit visibility to meet regulatory obligations Streamlined administration Configure retention labels and policies in single place and apply automatically across services Built-in experiences Investigate and validate how and when labels are being applied. Defensibly dispose of content after disposition review
- 23. Identify and remediate critical insider risks INTERNAL RISK MANAGEMENT
- 24. 90% of enterprises feel vulnerable to insider risk 57% indicate they are most vulnerable to loss of confidential data 51% Concerned with negligent insider behaviors Identifying and mitigating risks is challenging https://www.veriato.com/docs/default-source/whitepapers/insider-threat-report-2018.pdf
- 25. Organizations face a broad range of risks from insiders Data spillage Confidentiality violations IP theft Workplace violence Regulatory compliance violations Fraud Policy violations Insider trading Conflicts of interest Leaks of sensitive data Data handling violations Workplace harassment
- 26. Defensible insights Productivity reporting, full audit of review activities and policy tracking Communications Supervision Intelligent policies Refine digital communications with intelligent conditions, sensitive info types, inclusions & exclusions and percent sample Efficient reviews Review experience built into Compliance center, tag and comment on content and bulk resolution
- 27. Built in Encryption and Key Mgmt OME/AIP TLS Service Encryption BitLocker Capabilities for added protection and control Additional customer controls for added protection and control Meets rigorous industry standards Data is encrypted by default at-rest and in-transit Option to manage and control your own encryption keys to help meet compliance needs
- 28. Privileged Access Management Controlling privileged access by Microsoft service engineers and by your administrators Privileged workflow The principle of zero standing access Just in time and just enough access Logging and auditing
- 29. Quickly investigate and respond with relevant data DISCOVER & RESPOND
- 30. Cost of compliance can be significant 51% of companies of >$1B revenue, indicate at least one regulatory proceeding pending² 44% of organizations report they have had more than one internal investigation requiring outside counsel² 50% of organizations have spent more time over last 3 years address regulatory requests² 1. Strategy Analytics. “Global Mobile Workforce Forecast Update 2016-2022.” Oct 2016. 2. Entrepreneur.com. “Password Statistics: The Bad, The Worse, and The Ugly.” June 3, 2015. 3. DARKReading. “Data Breach Record Exposure Up 205% from 2016.” Nov 8, 2017.
- 31. Are you able to intelligently reduce the volume of data to find what’s relevant? Are you able to track activity to fulfill compliance obligations? Do you have a process in place to review the data before its shared?
- 32. Collection into document working sets Manage static sets of documents within a case, that can be independently searched, analyzed, shared, and acted upon. Advanced eDiscovery Quickly find and respond with only the relevant information Custodian Management and Communications Preserve content by custodian, send hold notifications and track acknowledgements Deep crawling and indexing Deep processing (e.g. much higher size limits, non-Microsoft file types, …) to extract and index text & metadata Cull your data intelligently with ML Use predictive coding, near duplicate detection, email threading, Themes and ML models to identify potential high value content Review and take action on documents View content via a native and text viewer, organize documents with tags and redact sensitive information prior to export
- 33. Data Investigations Quickly locate, triage, and remediate sensitive data incidents in your organization Validate with built-in review Review content in-place to validate sensitive or malicious content Advanced search to quickly collect relevant data Quickly search across Office 365 with conditions, keywords and more to refine targeted search Identify and investigate persons of interest Identify and manage persons of interest within an investigation to ensure related content and people are in scope Take action & remediate sensitive data incidents Identify sensitive content in-place and take immediate action to soft delete, hard delete or tag for further processing Complete audit log and escalation All actions logged and ability to provide legal hold escalation via the review and action process
- 34. Audit log and alerts Comprehensive long-term audit supports continuous compliance Establish alerts based on organization specific criteria Comprehensive coverage across Office 365 services Unified Audit log search and alert experience
- 35. Microsoft 365 compliance partners Controle EY PWC Light House BDO KPMG Avaleris Inc N1 SOFTWARE e SERVICOS DE INFORMATICA LTDA-ME Soarsoft International Global Computing and Telecoms Performanta Meeco Experteq IT Services Pty Ltd Crayon EY KPMG PWC Software one EY EY KPMG Makronet Atos Global Comparex DXC Technology PWC Accenture Bechtle Global InfoWAN PHAT Consulting GmbH Crayon CGI Group UK New Signature Ai3 Capgemini Nelite VNext 4WARD Aquest BDO Ziv Haft See more partners here: https://blogs.partner.microsoft.com/mpn/gdpr-leaders-needed-help-customers-navigate-gdpr-journey/
- 36. Consider a different approach Reduce number of solution vendors and leverage shared responsibility Know, protect and govern your sensitive data throughout its lifecycle Implement more intelligent, built-in compliance solutions
- 37. Contact Information © 2019 Razor Technology www.razor-tech.com David Rosenthal VP & General Manager Digital Business @DavidJRosenthal SlideShare Blog: www.razor-tech.com 5 Tower Bridge 300 Barr Harbor Dr., Suite 705 West Conshohocken, PA 19428 www.razor-tech.com David.Rosenthal@razor-tech.com Cell: 215.801.4430 Office: 866.RZR.DATA LETS KEEP IN TOUCH 37
- 38. Intelligent compliance and risk management solutions Microsoft 365 Compliance
- 39. Discussion