Welcome back, Cybrarians, to the MS 365 Security Administration course.
I'm your instructor, Jim Daniels. We're on Module 5, MS 365 Compliance.
Starting. Listen to governance in Microsoft 365.
In this lesson, we're gonna go over the MS 365 compliance center,
the purpose and function of the compliance score,
insider risk management within Microsoft 365,
and how Microsoft 365 addresses GDPR.
Seth Godin is a best selling author and former dot com executive.
One of his quotes that I really appreciate:
"The industrial age brought compliance,
and compliance brought fear, and fear brought us mediocrity."
Think about it for a while.
This whole entire lesson is on compliance.
I think what he means
is, if you're so worried about compliance,
that all, sometimes you don't actually excel and push yourself.
There aren't many disruptors in the compliance industry.
The Microsoft 365 compliance center provides easy access to the data and tools that you need to manage your organization's compliance needs.
It combines information protection and governance, insider risk management, discovery and response tools,
and a compliance management solution
for your entire Microsoft 365 environment.
The compliance score
helps understand an organization's compliance posture by using risk-based scoring
around actions that reduce risk around data and regulatory standards.
Compliance score is a simplified version of Compliance Manager.
Compliance score helps simplify the management in three ways. Continuous assessments:
it automatically scans through your Microsoft 365 environments to detect and monitor the effectiveness
of the data protection controls that you have in place.
It also gives you recommended actions:
it provides recommendations and step-by-step guidance
on how to implement controls to maximize and improve your score.
It even has built-in control mapping. It helps you stay current with the evolving compliance landscape
by providing a built-in common control framework.
Only you are responsible for regulatory compliance.
Recommendations from the compliance score and compliance manager should not be interpreted
as a guarantee of compliance.
Quote unquote disclaimer.
It is up to you to evaluate and validate the effectiveness of customer controls per your regulatory environment.
one of those regulatory
and they say you're out of compliance.
If you say, "Well, my compliance score from Microsoft said I was good, so I didn't bother checking,"
they're going to laugh at you,
because it's always more
than just your cloud environment.
It could be your physical security, it could be your workflow.
It could be your on-premise data. There's lots of factors into the
you need to cover yourself
and make sure that the buck stops with you,
that you have done your best effort
and everything you can to meet
those compliance regulations.
Compliance score uses several components to help you manage your compliance activities.
As you use compliance score to assign, test, and monitor compliance activities,
it's helpful to have a basic understanding of the key components:
controls, assessments, templates and groups.
A control defines how you assess and manage system configuration, organizational processes,
and people responsible for meeting a specific
requirement of a regulation, standard, or internal policy.
Compliance score tracks two types of controls.
Microsoft-managed controls:
these are controls for Microsoft cloud services, which Microsoft is responsible for implementing.
Customer-managed controls: these are, you got it, managed by your organization, which you are responsible for implementing.
An assessment is an evaluation of a template that initiates a scoring process for your organization.
Assessments group the actions necessary
to meet the requirements of a standard.
Compliance score provides your organization with an initial assessment
based on the Microsoft 365 data protection baseline.
This assessment is a recommendation
for reducing your data protection and compliance risk.
Think of the baseline as a low hanging fruit.
This is what Microsoft recommends for you to be at,
bare minimum baseline.
Assessments have several components:
In-scope services: a specific set of Microsoft services applicable to the assessment.
Microsoft-managed controls: controls that Microsoft itself has implemented.
Customer-managed controls: controls that you manage as a customer.
percentage of the points achieved by completing actions within that particular assessment.
Compliance score provides preconfigured templates for assessments.
You can also create a custom assessment by adding your own controls and actions to a preconfigured template.
For example, you can create a template for your business process controls
or a template for regional data protection.
Groups allow you to organize assessments in a way that's logical.
You can group the assessments by year, compliance standard, service,
team or department within the organization, or any other way.
When two different assessments in the same group share customer-managed actions, updates you make to the implementation details, testing and status for the action in one assessment
will automatically synchronize
to the same action in any other assessments in the group.
Syncing actions in this way unifies
the assigned improvement actions across the group
and reduces the need for duplicate work.
Hooray for efficiency.
Here's an example of a compliance score improvement actions screen.
Here we have different recommendations,
the regulations, the group (these are default),
what kind of solutions are involved, and the assessment that it's pertaining to.
When you click on one, for instance, Protect wireless access,
you can actually assign it to somebody. So in this example, I'm assigning this improvement action to Bob Smith,
and Bob can then mark it as implemented, implementation date,
test, test date. So you have all of this within one central location.
Insider risk management within Microsoft 365 helps minimize internal risk
(kind of had, I mean, that's the name of it, right?)
by allowing detection, investigation and remediation of risky activities within an organization.
This is included with Office 365 E5
as well as within the Microsoft 365 E5 suite.
It's also available for E3 users with the E5 Compliance or E5 Insider Risk Management add-on.
It is centered around these principles. Transparency:
balance employee privacy versus organization risk with privacy-by-design architecture,
configurable policies based on industry, geographical and business groups,
integrated workflow across the entire Microsoft 365 compliance suite.
It provides insights to enable employee notifications, data investigation and employee investigations.
The insider risk management workflow:
insider risk management policies are created using predefined templates
and policy conditions that define what risk indicators are examined.
These conditions include how risk indicators are used for alerts,
which users are included in those policies, which services are prioritized, and the monitoring time period.
Alerts are automatically generated by the risk indicators that match policy conditions.
These are displayed in the Alerts dashboard.
The Alerts dashboard enables a quick view of all alerts that need review,
open alerts over time,
and alert stats for your organization.
All policy alerts are displayed with associated information to help you quickly identify the current status of existing alerts and new alerts that need action.
Now we get into the insider risk case management portion,
the last 3/4 of the workflow.
New activities that need investigation automatically generate alerts that are assigned a needs review status.
Reviewers can quickly identify these alerts and scroll through to evaluate and triage.
Cases are created for alerts that require deeper review and investigation of details and circumstances around the policy match.
The Case dashboard provides an up-to-date view of all active cases,
open cases over time, and case stats for your organization. Reviewers can quickly filter cases by status, the date they were opened, and the date it was last updated.
After cases are investigated,
reviewers can take action to resolve the case
or collaborate on the risk with other stakeholders within your organization.
When employees accidentally or inadvertently violate policy conditions,
a simple reminder notice can be sent to the employees
from notification templates
you configure for your organization.
These notices may serve as simple reminders
or may direct the employees to the training resource or guidance to help them prevent that behavior.
Configuring insider risk management.
There are a few steps you need to go through to enable risk management.
There are four role groups used to configure permissions
for insider risk management features.
To continue with these configuration steps,
your tenant administrators must first assign you to the Insider Risk Management or Insider Risk Management Admin role group.
To access and manage insider risk management features after initial configuration,
users must be a member
of at least one insider risk management role group.
Enable the audit log. This is required.
Insider risk management uses audit logs for user insights and activities that are configured in policies.
The audit logs are a summary of all activities associated with an insider risk management policy
or anytime a policy changes.
Step three. This is optional.
Configure prerequisites for templates.
Some insider risk management templates have prerequisites that must be configured for policy indicators
to generate relevant activity alerts.
Configure the appropriate prerequisites for the policies
you plan to enable for your organization.
Step four. This is required. Configure insider risk settings.
Insider risk settings apply to all insider risk management policies, regardless of the template you choose. Settings are configured using the Insider risk settings control located at the top of all insider risk management tabs.
The settings control privacy,
indicators, monitoring windows and intelligent detection.
Create an insider risk management policy. Of course, to enable you have to have a policy. Otherwise it
Insider risk management policies include assigned users and define which types of risk indicators are configured for alerts.
Before activities can trigger alerts, a policy has to be configured.
Policy comes first; you have to have a policy.
Communications compliance in MS 365. This is part of the insider risk solution that builds on features of supervision policies in Office 365.
It helps detect, capture and take remediation actions on inappropriate messages within the organization.
Customizable preconfigured templates, it has machine learning support, flexible remediation workflow, and even integrates with third parties such as Twitter, Facebook, LinkedIn and other partners within Microsoft 365.
So the communications compliance:
the communications compliance feature would be used if you have certain words, not necessarily George Carlin's list of four-letter words,
maybe, depending on your organization,
but if you have certain
phrases, words, language
that you do not want your employees using within your environment,
your national go through marketing communications.
It also will allow you, if you're a social media manager within the PIO office, if you integrated it with Twitter, Facebook, LinkedIn, those social media platforms,
if certain topics are talked about
on social media by your organization's official account.
So maybe you're a stock trading organization; there are certain phrases or certain stocks that you should never, ever talk about to the public.
Maybe you're a medical organization, and there are certain things you should never
talk about on social media.
You can have a communication compliance policy that helps enforce that.
It will actually block it from even going out, and send an email to the person who has that communication.
For my European friends:
this is kind of a four-letter word for you guys.
I don't want to deal with it much in my industry. However, I also have friends here in the U.S. that do e-commerce and other types of sites that they, hey, GDPR.
They love it from the standpoint of:
this is what people should have. These are the basic rights within data that people should have.
But them having to enforce it,
have all of the compliance controls for it, that's the part that is frustrating for them in time.
So Microsoft 365 offers pre-built tools that help you with GDPR:
Compliance Manager, compliance score. It even has a GDPR dashboard
and has a data subject request case tool.
Using the data subject request tool, you can create a separate case for each
Control who has access to the DSR case by adding people as members to the case. Only members can access that case and only see the cases in the list of cases that they are assigned to.
Insider risk management requires the Office 365 audit log to be enabled. True
You know this graphic here. If you are a compliance officer,
this is pretty *** telling. You have six little areas: what everybody thinks you do as your job.
The first one, the top left: what my friends think I do.
that's pretty pretty accurate.
Marketing just thinks you run roughshod over. People don't want to do things, but you don't let them.
Senior management. This goes with all security professionals.
I think you take the money, and they just you just delighted that you're just wasting it.
You may see yourself as Captain America or some other superhero where you keep your organization from being
That's a good calls. That's a real your calls.
A little bit of humor. So true or false? Back to the question again. True or false?
True, it does require the Office 365 audit logs to be enabled, because you can't see the risk
unless they have a log to score off.
If you don't know what end users are doing,
you know, looking at the log to see what they're doing.
How will you know how rescue just you want? So you have to have the audit logs in order for insider risk management to function.
To recap today's lesson: the compliance score helps understand the organization's compliance posture, using risk-based scoring
around actions that reduce risk around data and regulatory standards.
Insider risk management minimizes internal risk
by allowing detection, investigation and remediation
of risky activities within the organization.
Communications compliance helps detect, capture and take remediation action for inappropriate messages
within your organization.
MS 365 has several tools available to help with GDPR, included in the Service Trust Portal: Compliance Manager, compliance score, GDPR dashboard and a very handy data subject request case tool.
Thank you for joining me on this lesson. I hope you learned something,
and I absolutely look forward to you joining me for the next one.