Compliance Part 1

Video Transcription
Hello and welcome to this Microsoft 365 Fundamentals video training course. My name is Chris Damico. I'm your instructor. I'm gonna be taking you through this next lesson, where we're discussing compliance. This is still in the third module of the series. So let's get cracking.
All right, so learning objectives for this video. It says "this video"; I mean this lesson, for this lesson. So we're gonna learn about the three pillars of compliance, and about the Compliance Manager tool as well that's built into Microsoft 365,
as well as the Microsoft Compliance Center. So let's get cracking.
All right, let's start with a few privacy law pieces. So
there are certain rights that customers will have regarding them. Most customers, most, you know, even staff, have the right to access and correct data stored about them.
They also have the right to define a data retention period.
And granting governments and regulatory bodies the right to access records for investigative purposes is something that businesses, well, not "should" do. You shouldn't just do it without question, but you should be ready to do it if needs be.
So most of this will pop under what we call GDPR, which is fast becoming
probably the biggest privacy law in the world. It covers most of Europe, if not all of it, including some places that are not in Europe. But basically, if you work with data that comes from any EU citizen, then you need to know about GDPR.
With this, you can also look into defining exactly how data can and cannot be used.
So the business needs to basically define the purpose for having the data in the first place. That's the idea behind it.
And then there are also privacy laws for defining privacy controls so that private data actually remains private. That's actually part of the system that's called privacy by design.
All right, so those are some of the kind of immediate privacy laws that come into play. Let's swipe the screen and look at some of the different privacy laws out there, including GDPR, which will come up.
The first one is the Health Insurance Portability and Accountability Act, so this imposes strict privacy regulations on protected health information within the U.S.
Then they also have FISMA, which is the Federal Information Security Modernization Act, which dictates how United States federal agencies protect information.
There's a lot of these things out there.
GDPR, we've just been speaking about that. This is one that hits close to home for me because I do it for a living. It basically gives rights to people to manage personal data collected by an organization.
Then we have FERPA, the Family Educational Rights and Privacy Act, which covers the use or disclosure of student education records, including student information sent in email or email attachments. And the interesting thing is, all of the U.S. laws that I'm talking about here
are actually covered for the EU under GDPR; they've kind of lumped them all together.
Then we have PIPEDA, so "pipeda", "pipida" or "pipi", depending on how you say it, is the Personal Information Protection and Electronic Documents Act. This addresses how private sector organizations collect, use and disclose personal information
in regards to commercial business. It's probably the closest to GDPR without being GDPR.
And then finally on this list we have the GLBA, the Gramm-Leach-Bliley Act, and the Gramm-Leach-Bliley Act basically protects nonpublic personal information.
So those are some of the most common ones that you'll come across, certainly in the EU and the U.K.
All right, let's have a quick chat about the three pillars. So there are three parts to this. Obviously, that's why they call them the three pillars.
The first is assess. So this is where you assess the compliance risk
and the posture as well, with actionable insights. So you look into it and you figure it out, basically.
Then we go into the practicality, the protect side. This is where you protect and govern sensitive data across applications, cloud services, devices, everything basically.
And then finally is respond. This is where you respond to data discovery requests,
I want to say, in an intelligent manner.
What I mean by "in an intelligent manner" is basically that you don't sit there and go through everything with a fine-tooth comb yourself. You use AI and tools to get you to the point where you can respond to these data requests.
So this is the Microsoft one, their kind of graphic for this. They've put "simplify assessment of compliance risk and posture with actionable insights". That's what I mentioned earlier. "Integrated protection and governance", so that's the protect side,
and then "intelligently respond to data discovery requests by leveraging AI to find the most relevant data".
They say it a lot better than I do, but those are their words. So that's that. So you can see here in this circle going around this way,
in what way,
is assess, protect, respond. So to assess, you would start with Compliance Manager, which is part of the Service Trust Portal, and we will actually go into that in the next slide, so bear with me.
Which brings us around to kind of the middle of the protection section, where you work on information protection and governance. That's kind of the classification side of things. Encryption is obviously involved in protection, as well as access control: who can access what. And then
respond: search and discovery and auditing. So you want to keep logs. You want to make sure those logs are accurate and that they're easy to actually understand and read.
All right, let's move on to what I mentioned just now, the Service Trust Portal. Let's move over to that. Here we go. All right. So I did mention in there the Compliance Manager. This is a dashboard for all the assessments and the policies surrounding
the standards, basically. Nice and easy to understand, but that's basically what the Compliance Manager is.
Trust documents are things like audit reports and data protection information about how Microsoft operates Azure, Dynamics, Microsoft 365, everything. So trust documents are actually written by Microsoft,
and they're brought into the trust portal so that you can actually see
how they deal with things, because it can be that some companies will say, "Well, you're using this system. Do you know how they handle, I don't know, data protection in Dynamics 365?" And you can pull up these documents and say, "Actually, yes, yes, I do know. This is how they do it."
Then there's regional compliance. So this is regionally specific compliance information. So we spoke about, for example, GDPR;
so these are legal opinions that describe Microsoft cloud services in different countries. If you touch anything in the EU, regardless of whether you are in the EU, you probably are involved with GDPR just because you work with EU citizens, effectively. So that's kind of it. It will give you compliance for the different regions that you operate within.
And then finally there is data privacy. This is information about the capabilities in Microsoft services that you can use to address privacy requirements, as well as documentation.
So these are the kind of four key areas of the Service Trust Portal. When they come together, they give you this massive compliance suite, basically. And the actual Compliance Manager that I mentioned right here at the top actually looks a little bit like this. So this is kind of what you're looking at again.
You can see that they kind of break it down into the different categories. So they've got NIST in there.
There's 27001. GDPR is up here for 365. They've got GDPR for Dynamics here, and again with Azure: 27001, 27018 is there for Azure as well. You can see that they kind of break it down and they explain what you need to be doing. So whether or not,
these bars here are basically,
the top one is anything that you manage, so you have to basically manually take control of, and the bottom one is basically what Microsoft will manage for you. Ideally, you want this bar to be way, way bigger than this one, because you want to do the minimum amount of work. You're paying another company
to use their service, so you don't really want to get too involved in this unless you have something very, very specific.
All right, let's move on to data retention. So the main question with data retention is, why bother? I mean, it might be a silly question when you first hear it, but actually, when you think about it, it's quite apt. Why should you bother with data retention? So
there's a couple of reasons. Probably the two that stand out biggest for me are:
it's good for PR, for public relations and kind of marketing, where if you say to people, "Look, we're not gonna hold your data forever, we'll just hold it for two years or one year or whatever,"
it makes them feel that they can trust you more, because you're not abusing that trust, effectively. And then also, why bother? Well,
if it isn't done right, it can be a PR disaster. There's a huge backlash that's occurred very recently in the UK regarding data retention, when certain companies were explaining that they were trying to retain data under GDPR for up to 50 years.
It's like, if you've got data that's 50 years old, what are the chances of it being that accurate if you don't keep it
in regular cycle and circulation? It's that kind of thing.
However, there are mandatory requirements: tax forms that need to be retained for a minimum period of time. You can't get rid of those; they're mandatory. You're not going to be... Right here in this country we have HMRC, Her Majesty's Revenue and Customs, which is like the tax office, basically, and they ask you to keep records for seven years,
so that means straight off the bat you cannot lose any taxable invoices, forms, anything like that, for seven years. You need to keep records either digitally or physically, whatever you want to do. But seven years is that time period. That's just one example.
Press materials that need to be permanently deleted when they reach a certain age. Like, what's the point in keeping press materials that have already been used and are probably out of date by the time you come around to using them again?
You know what, why bother with that? So it's a good question. Competitive research that needs to be both retained and permanently deleted. And you'll notice I am underlining the relevant parts here because I believe that they are the key words in these sentences. So research will need to be retained,
but once it's out of date, well, you might as well get rid of it.
This is a big one: work visas that must be marked as a record. "Marked as a record" is an actual term in a lot of laws to do with data retention.
It basically means that you're marking it to say that you must never get rid of these, so they can't be modified, they can't be deleted and got rid of. They should have some sort of classification or label to say, "Do not touch these unless 100% certain."
In fact, no, even then I would say 150% certain.
And in terms of the way that you can do it, it can be manual or it can be automatic, and there are specific types of sensitive information. So on the automatic side of things you can use
sensitive information types, you can use keywords that match queries. But the key thing with using the automatic section... Manual obviously requires someone to put it... It requires user input, basically, is what I'm trying to say there. Someone has to actually do it. Automatic is done by an AI.
The benefit of using an automatic system
is that you do not
need to train your users on all of your classifications. You can just tell the AI to do it for you, and then users can just look after the documents that they need to. And also, you don't need to rely on users to classify all content correctly. You don't have to sit there going, "Well, did they put it in the right place? Maybe they didn't.
Maybe I should go into that and do an audit someday or whatever." If you've just got automatic, the AI will deal with that for you.
And then also, your users don't need to know about data governance policies, which means that there's less training involved. You don't need to spend time explaining to users what GDPR is if users have no reason to get involved with GDPR. It's really that simple.
So the key to this is to apply a default retention label to a document library, for example in SharePoint and Microsoft 365 group sites,
and you can also implement records management across Microsoft 365 that can include email as well as files. So you can say that when it sees certain keywords and things like that, it will just do specific things with those emails and documents. So it's a very handy little system that's in place there.
All right, so with all of that in mind, I'm going to stop the video here. In our next video we're going to be starting on encryption, so join me there and we will carry on.
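The lesson covers the manual and automatic routes (a published label users apply themselves, versus a keyword query that auto-applies one), the "marked as a record" immutability idea, a seven-year tax retention period, and a default label on a document library. The following is an added example, not part of the course transcript or Microsoft's documentation, that wires those pieces together in Security & Compliance PowerShell (the ExchangeOnlineManagement module, where retention labels are called "compliance tags") plus PnP PowerShell for the library default. The label names, durations, keyword query, site URL and library name are all constructed placeholders, and the commands are assumed to be run against a test tenant, since a record label blocks edits and deletion of whatever it lands on.

```powershell
# Added example (not from the course): retention labels, records and auto-apply
# in Microsoft 365 via Security & Compliance PowerShell. All names, durations,
# keywords and URLs below are constructed placeholders; run against a test tenant.
Connect-IPPSSession

# 1. A record label for a "keep tax records seven years" requirement.
#    -IsRecordLabel $true is the "marked as a record" behaviour: the item cannot be
#    edited or deleted until the retention period ends, then it is deleted.
New-ComplianceTag -Name "Tax record (7 years)" `
    -Comment "Financial records: retain 7 years from creation, then delete" `
    -RetentionAction KeepAndDelete `
    -RetentionType CreationAgeInDays `
    -RetentionDuration 2555 `
    -IsRecordLabel $true

# 2. A plain retention label for press material: delete two years after creation,
#    no immutability, so out-of-date material does not linger.
New-ComplianceTag -Name "Press material (delete at 2 years)" `
    -RetentionAction Delete `
    -RetentionType CreationAgeInDays `
    -RetentionDuration 730

# 3. Manual route: publish the press label so users can apply it themselves in
#    SharePoint, Exchange mailboxes and Microsoft 365 group sites.
New-RetentionCompliancePolicy -Name "Published retention labels" `
    -SharePointLocation All -ExchangeLocation All -ModernGroupLocation All
New-RetentionComplianceRule -Policy "Published retention labels" `
    -PublishComplianceTag "Press material (delete at 2 years)"

# 4. Automatic route: apply the record label wherever content matches a keyword
#    query (KQL), so users never need to know the retention policy exists.
New-RetentionCompliancePolicy -Name "Auto-apply tax record label" `
    -SharePointLocation All -ExchangeLocation All
New-RetentionComplianceRule -Policy "Auto-apply tax record label" `
    -ApplyComplianceTag "Tax record (7 years)" `
    -ContentMatchQuery '"VAT return" OR "corporation tax" OR invoice'

# 5. Check what was created before relying on it.
Get-ComplianceTag | Select-Object Name, RetentionAction, RetentionDuration, IsRecordLabel
Get-RetentionCompliancePolicy | Select-Object Name, Enabled, Mode

# 6. Default label on one document library (PnP PowerShell, a separate module).
#    Every item added to the library inherits the label; -SyncToItems also labels
#    items already there. Site URL and library name are placeholders.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/finance" -Interactive
Set-PnPLabel -List "Documents" -Label "Tax record (7 years)" -SyncToItems $true
```

Two things to know before running this for real: auto-apply policies take time to evaluate existing content, so step 5 will show the policy long before labels appear on items, and because step 1 creates a record label, anything it is applied to (manually, by query, or via the library default in step 6) becomes undeletable for seven years. That is the point of the control, and also why the library default belongs only on the library that genuinely holds those records.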