Compliance Part 3


4 hours 24 minutes
Video Transcription
All right, ladies and gentlemen, welcome back to part two of this module. Or should I say this lesson in module three? We are currently sat at data discovery requests. We're gonna carry on very shortly. The last part, if you haven't been following, we did discuss zero standing access
and the way that Microsoft uses it in its environment, and they call it the customer lockbox.
But let's carry on with data discovery requests, and we'll get cracking now. So in Microsoft 365 this is called Advanced eDiscovery, and what this does is it allows you to catalog and review and also, importantly, redact information
that you might need to give to a customer, especially if they've done something like a customer subject access request or something similar.
So what you're looking at here is the AI-based ability for it to go and get that information for you, and then you can review it and see if anything needs to be removed. Maybe there's your company's sensitive information. Or maybe there's another customer's details in the same section of that document,
and you want to redact the details of the customer that's not involved in the request.
This is a big number. The average size of data
per custodian, i.e. per customer, per user of a system, has
increased in size by 20 times. That's massive. And that's in recent years as well. We're not talking like over decades or anything like that. Probably, like, within the last few years, I would have thought, certainly single figures. But the
important thing out of this, that sounds like an astronomical size in terms of the growth rate of the size, not the size physically itself,
but the actual cost to find the relevant data has actually gone down, and that is because of these new AI systems. It is now about 85% less costly to do a subject access request than what it was, I would say, 34 years ago,
if not within the last two years, maybe even. Especially with GDPR. GDPR just burst into life all these AI-driven subject access request systems, and it's just driven the cost into the ground because they're all competing with each other for customers. It's great. I love it. Makes my job so easy.
So, yeah, with these systems, with this Advanced eDiscovery, this is what Microsoft actually call their system.
You can do things like holding, searching, refining, analysis, review and export. Holding would be, for example, if someone has an email and they go, "Oh, I don't need that email, I'll just delete it," and they press delete. You can hold the deletion for a period of time
so that you have this ability to go back and actually look at the data
for, say, six months, a year, whatever it might be, in case there's some sort of legal involvement and people are just trying to cover their tracks by deleting emails that are coming in through the server. So that's what we mean by holding.
There's obviously searching, refining, analysis, review, export. These are all parts that come from those requests. It allows people to then look at the data, make sure it's relevant, then make it, you know, succinct, so it's focused, and then export it out into a format that people can use, like a comma-separated value file
and Excel spreadsheet. In fact, you can't use Excel in GDPR because it's a proprietary system.
It has to be a system like a TXT file or CSV
or anything that
can be read generically, effectively. But that's where data discovery requests come in and how they operate, effectively.
Now let's have a quick look at the Compliance Center here. So, Compliance Center. This is a workplace for risk management, compliance and privacy professionals. Basically, they're people who work in the environments to do with making sure that data and
systems are always compliant with the law.
And this is what it looks like, the Compliance Center there. As I mentioned in previous videos, don't worry too much about the detail of it. It's just to show you a kind of brief glimpse into the world of what the Compliance Center would look like, so you know what you're looking at, effectively. So you're given, for example, a score here,
it shows you how many steps remaining,
you can assess which applications are compliant and which are not in this block. There's lots of different things you can do with them. Right now, we're gonna phase that out
and make it disappear into the background. We're gonna carry on. So it does integrate with Compliance Manager, which we mentioned in previous videos. And it gives you good visibility into your compliance posture, your position against key regulations.
So things like ISO 27001,
GDPR. If you work in the US, you've got HIPAA and, you know, the other ones that we mentioned in previous videos. But it gives you good visibility into them and is easy to follow. And also, you can perform risk assessments and follow guidance on the actual screens,
so it will walk you through how to do the risk assessments, and you will give it
relevant information based on your organization, and out at the other end will pop a report that says whether or not you are in the right position, and if you're not, it will give you guidance to make sure you get to the right position.
It then has label analytics. So we discussed labels and classification before, so you can analyze and validate how sensitivity and retention labels are being used, and you can make sure that the right labels are being applied to the right documents as well. It allows you to do, like, spot checks, for example.
And then MCAS, which is Microsoft Cloud App Security, helps you to identify compliance risks across applications. So it will make sure that applications are up to date, you know, they're being used in the right place on the right devices. It will also help you to discover shadow IT.
Shadow IT, if you've never seen it before, is where
people will be fed up with the way that their IT works in a company and they will take it upon themselves to bring in their own IT equipment to fix a problem. I've had it, I think, twice in my career over about 20 years,
and the biggest one was when someone decided that they wanted... They didn't have any more network points where they were situated in their office. So rather than ask the IT department to run more network points to them, they brought in their own router and plugged the router in and then plugged things into the router,
effectively giving them, what they thought, giving them ports. And then when we found out that
there was another rogue DHCP server on the network that was giving out IP addresses, we had a whale of a time searching the network to try and find it, and eventually we found this little box plugged in on a port at this person's desk
and promptly pulled it out and told them to take it home. And I'm not sure what happened to the staff member, but I'm pretty certain their manager had quite a stern talking with them.
And, yeah, so going back to this, you can monitor non-compliant behavior as well. So if people are copying files to USB sticks, that kind of thing, attaching sensitive files to emails when they shouldn't be, it will allow you to see those and actually do things about it.
All right, let's move on then. So we're coming up to the end here. Let's do our world famous pop quiz. It's world famous because, you know, people watch these videos all over the world. Just give me that, honestly. So what are the three pillars of compliance?
I will give you a hint with this because they may not necessarily... We talked about the four key pillars, the three key pillars. We talk about the three pillars of compliance. I'll give you the three letters that they start with.
Those are the three letters.
So pause the video if you want to have a quick think, or go back and watch. I believe it was in the last video. And come back here when you're ready.
All right, welcome back. If you said
assess, protect, respond,
you would be absolutely correct. And it all starts with the Service Trust Portal. That was where we discussed this. So
let's summarize then. So in today's videos, we discussed
the three pillars of compliance.
We discussed the
Compliance Manager tool.
And we also discussed the Compliance Center for Microsoft, and we discussed how the three pillars from here (remember, it's A, P, R, as we just saw in the pop quiz), how they fit into these sections here
and basically the tools that come with them. The ability for eDiscovery to occur
if we're doing the checking and auditing of subject access requests. We talked about the customer lockbox that comes into play if a customer needs to give their credentials across, but you shouldn't ever be giving details directly to anyone, even your system admin, really.
But it all comes into play. And we discussed, you know, we talked about the Service Trust Portal as well.
So you have, like, this central dashboard that allows you to kind of get on with things without having to open up six different dashboards to get things done. And, yeah, Microsoft have given a lot of thought into the tools that they use for compliance,
and it makes everyone's lives easier. I can vouch for that because I use it on a daily basis
to do my job, my main job itself as a data compliance manager. So yeah.
Right. Well, I hope this video has been informative for you. And I would like to thank you for watching. I will see you in the next video.