This is the last post in our eight-blog series on deploying Intelligent Security scenarios. To read the previous entries, check out the Deployment series page.
Your employees need to access, generate, and share organizational information ranging from extremely confidential to informal; you must ensure that all information and the movement of that information comply with industry standards without inhibiting workflow. Microsoft 365 security solutions can help you know what’s happening with your data, set permissions and classifications, and discover and help prevent leaks.
How can I make it easier to manage compliance processes?
To better manage compliance processes, the first thing you’ll want to do is distribute the work out to compliance “specialists” across your organization. The Microsoft 365 Security & Compliance Center (Figure 1) makes this easy by providing a central location to assign people to specific compliance tasks, such as data loss prevention, eDiscovery, and data governance.
Figure 1: The Microsoft 365 Security & Compliance Center Dashboard.
Next, you’ll need to decide on your policies and data classifications that will allow you to take actions on data. To streamline this compliance task, Microsoft Advanced Data Governance offers automatic data classification and proactive policy recommendations—such as retention and deletion policies—throughout the data lifecycle. You can enable default system alerts to identify data governance risks, for example, detecting an employee deleting a large volume of files. You can also create custom alerts by specifying alert-matching conditions, thresholds, or other activities that require admin attention.
How do I assess data protection controls in an ever-changing compliance landscape?
The Microsoft Security Compliance Manager (Figure 2) provides tools to proactively manage evolving data privacy regulations. You can perform ongoing risk assessments on security, compliance, and privacy controls across 11 assessments, including these standards:
- ISO 27001
- ISO 27018
- NIST 800-53
- NIST CSF
- CSA CCM
Plus, regional standards and regulations, including:
As well as industry standards and regulations, such as:
- HIPAA/HITECH
- FFIEC
- NIST 800-171
- FedRAMP Moderate
- FedRAMP High
Additionally, the Compliance Manager provides you with step-by-step guidance of how to implement controls to enhance your compliance posture and keep you updated with the current compliance landscape. In addition, built-in collaboration tools to help you assign, track, and record compliance activities to prepare for internal or external audits.
Figure 2: Compliance Manager provides tools to proactively manage evolving data privacy regulations.
How can I protect my data no matter where it lives or travels?
With employees, partners, and other users sharing your data over cloud services, mobile devices, and apps, you need solutions that understand what data is sensitive and automatically protect and govern that data. The unified labeling experience for Microsoft 365 in the Security & Compliance Center provides a tool that allows you to configure data sensitivity labels and protection policies across Azure Information Protection and Office 365 in one location (Figure 3). You can create and customize labels that define the sensitivity of the data—for example, a label of “General” means the file doesn’t contain sensitive information, while “Highly Confidential” means the file contains very sensitive information. For each label, you can configure protection settings, such as adding encryption and access restrictions, or adding visual markings such as watermarks or headers/footers. To support data governance compliance, you can set policies for data retention, deletion, and disposition, and then automatically apply or publish these labels to users.
Figure 3: Configure data sensitivity labels and protection policies across Azure Information Protection and Office 365 in one location.
There are over 85 built-in sensitive information types that you can use to automatically detect common sensitive data types that may be subject to compliance requirements, such as credit card information, bank account information, passport IDs, and other personal data types. You can also create your own custom sensitive information types (such as employee ID numbers) or upload your own dictionary of terms that you want to automatically detect in documents and emails.
How can I help protect privileged accounts from compromise?
Controlling privileged access can reduce the risk of data compromise and help meet compliance obligations regarding access to sensitive data. Privileged access management (PAM) in Office 365 (Figure 4), available in the Microsoft 365 Admin Center, allows you to enforce zero standing access for your privileged administrative accounts. Zero standing access means users don’t have privileges by default. When permissions are provided, it’s at the bare minimum with just enough access to perform the specific task. Users who need to perform a high-risk task must request permissions for access, and once received all activities are logged and auditable. It’s the same principle that defines how Microsoft gives access to its datacenters and reduces the likelihood that a bad actor can gain access to your privileged accounts.
Figure 4: Privileged access management allows you to enforce zero standing access for your privileged administrative accounts.
Plan for success with Microsoft FastTrack. FastTrack comes with your subscription at no additional charge. Whether you’re planning your initial rollout, needing to onboard your product, or driving user adoption, FastTrack is your benefit service that is ready to assist you. Get started with FastTrack for Microsoft 365.
Want to learn more?
For more information and guidance on this topic, check out the white paper Maintain compliance with controls and visibility that adhere to global standards. You can find additional security resources on Microsoft.com.
Coming Soon! Stay tuned for our new series: “Top 10 actions you can take with Microsoft 365 Security.”
More blog posts from the deploying intelligent security scenario series:
Other blog posts from the security deployment series: