Governance in MS-365 Part 1: Compliance?

Time
6 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
>> Welcome back, Cybrarians, to the MS365 Security Administration course. I'm your instructor, Jim Daniels. We're on Module 5, MS365 Compliance, starting Lesson 2, Governance in MS365 with Compliance. In this lesson, we're going to go over the MS365 Compliance Center and how to access it, the purpose and function of the compliance score, insider risk management within MS365, and how MS365 addresses GDPR.

Seth Godin is a bestselling author and former dot-com executive. One of his quotes that I really appreciate: "The industrial age brought compliance, and compliance brought fear, and fear brought us mediocrity." Think about that for a while. This whole entire lesson is on compliance. I think what he means is that if you're so worried about compliance, oftentimes you don't actually excel and push yourself to be a disruptor. There aren't many disruptors in the compliance industry.

The MS365 Compliance Center provides easy access to the data and tools that you need to manage your organization's compliance needs. It combines information protection and governance, insider risk management, discovery and response tools, and the compliance management solution for your entire MS365 environment.

The compliance score helps you understand an organization's compliance posture by use of risk-based scoring around actions that reduce risk around data and regulatory standards. A compliance score is a simplified version of compliance manager. Compliance score helps simplify the management in three ways. Continuous assessments: it automatically scans through your MS365 environments to detect and monitor the effectiveness of the data protection controls that you have in place. It also gives you recommended actions, providing those recommendations as step-by-step guidance for how to implement controls to maximize and improve your score. It even has built-in control mapping, which helps you stay current with the evolving compliance landscape by providing a built-in common control framework.

Cover your assessment recommendations. Only you are responsible for regulatory compliance. Recommendations from the compliance score and compliance manager should not be interpreted as a guarantee of compliance. "Disclaimer." It is up to you to evaluate and validate the effectiveness of customer controls per your regulatory environment. If you get audited by one of those regulatory bodies and they say you're out of compliance, and you say, "Well, my compliance score from Microsoft said I was good, so I didn't bother checking," they're going to just laugh at you. Because there's always more to being in compliance than just your Cloud environment. It could be your physical security, it could be your workflow, it could be your on-premise data; there are lots of factors in that. You need to cover yourself and make sure, if the buck stops with you, that you have done your best effort and everything you can to meet those compliance regulations.

Compliance score uses several components to help you manage your compliance activities. As you use compliance score to assign, test, and monitor compliance activities, it's helpful to have a basic understanding of the key components: controls, assessments, templates, and groups.

Controls. A control defines how you assess and manage system configuration, organizational processes, and people responsible for meeting a specific requirement of a regulation, standard, or internal policy. Compliance score tracks two types of controls. Microsoft-managed controls: these are controls for Microsoft Cloud services, which Microsoft is responsible for implementing. Customer-managed controls: these are, you got it, managed by your organization, which you are responsible for implementing.

Assessments. An assessment is an evaluation of a template that initiates the scoring process for your organization. Assessments group the actions necessary to meet the requirements of a standard, regulation, or law. Compliance score provides your organization with an initial assessment based on the MS365 data protection baseline. This assessment is a recommendation for reducing your data protection and compliance risk. Think of the baseline as low-hanging fruit. This is what Microsoft recommends for you to be at. Bare minimum, baseline. Assessments have several components. In-scope services: the specific set of Microsoft services applicable to the assessment. Microsoft-managed controls: controls that Microsoft has implemented. Customer-managed controls: controls that you manage as a customer. Assessment score: the percentage of the points achieved by completing actions within that particular assessment.

Templates. Compliance score provides pre-configured templates for assessments. You can also create a custom assessment by adding your own controls and actions to a pre-configured template. For example, we can create a template for your business process controls or a template for regional data protection groups.

Groups allow you to organize assessments in a way that's logical. You can group the assessments by year, compliance center, service team, or department within your organization, or any other way. When two different assessments in the same group share customer-managed actions, updates you make to the implementation details, testing, and status for the action in one assessment will automatically synchronize to the same action in any other assessments in the group. Linking actions in this way unifies how you assign improvement actions across the group and reduces the need for duplicate work. Hooray for efficiency.

Here's an example of a compliance score improvement actions screen. Here we have different recommendations; the score impact, the regulations, the group (these are default), what kind of solutions are involved, and the assessment that it is pertaining to. When you click on one, for instance, "protect wireless access," you can actually assign it to somebody. So in this example, I'm assigning this improvement action to Bob Smith. Bob can then mark it as implemented, with the implementation date and test date. So you have all of this within one central location.

Insider risk management within MS365 helps minimize internal risk. I mean, that's the name of it. It does so by allowing detection, investigation, and remediation of risky activities within an organization. It is included with Office 365 E5, as well as within the MS365 E5 suite. It's also available for E3 users with the E5 Compliance or E5 Insider Risk Management add-on. It centers around these principles. Transparency: balances employee privacy versus organization risk with a privacy-by-design architecture. Configurable: configurable policies based on industry, geographical, and business groups. Integrated: integrated workflow across the entire MS365 compliance suite. Actionable: it provides insights to enable employee notifications and employee investigations.

The insider risk management workflow is as follows. Policy.

>> The insider risk management policies are created using predefined templates and policy conditions that define what risk indicators are examined. These conditions include how risk indicators are used for alerts, which users are included in those policies, which services are prioritized, and the monitoring time period.

Alerts. Alerts are automatically generated by the risk indicators that match policy conditions. These are displayed in the alerts dashboard. The alerts dashboard enables a quick view of all alerts that need review, open alerts over time, and alert stats for your organization. All policy alerts are displayed with associated information to help you quickly identify the current status of existing alerts and new alerts that need action.

Now, we get into the insider risk case management portion, the last three parts of the workflow. Triage. New activities that need investigation automatically generate alerts that are assigned a "needs review" status. Reviewers can quickly identify these alerts and scroll through to evaluate them in triage. Investigate. Cases are created for alerts that require deeper review and investigation of the details and circumstances around the policy match. The case dashboard provides an up-to-date view of all active cases, open cases over time, and case stats for the organization. Reviewers can quickly filter cases by status, the date they were opened, and the date they were last updated. Action. After cases are investigated, reviewers can take action to resolve the case or collaborate on the risk with other stakeholders within your organization. When employees accidentally or inadvertently violate a policy condition, a simple reminder notice can be sent to the employee from notification templates you can customize for your organization. These notices may serve as simple reminders or may direct the employee to a retraining resource or guidance to help them prevent that behavior.

Configuring insider risk management. There are a few steps you need to go through to enable insider risk management. There are four role groups used to configure permissions to insider risk management features. To continue with these configuration steps, your tenant administrators must first assign you to the Insider Risk Management or Insider Risk Management Admin role group. To access and manage insider risk management features after initial configuration, users must be a member of at least one insider risk management role group.

Step 2, enable the audit log; this is required. Insider risk management uses audit logs for user insights and activities that are configured in policies. The audit logs are a summary of all activities associated with an insider risk management policy or any time a policy changes.

Step 3, this is optional: configure prereqs for templates. Some insider risk management templates have prereqs that must be configured for policy indicators to generate relevant activity alerts. Configure the appropriate prereqs on the policies you plan to enable for your organization.

Step 4, this is required: configure insider risk settings. Insider risk settings apply to all insider risk management policies regardless of the template you choose. Settings are configured using the insider risk settings control located at the top of all insider risk management tabs. The settings control privacy, indicators, monitoring windows, and intelligent detection.

Step 5, required: create an insider risk management policy. Of course, to enable it, you have to have a policy; otherwise it won't do anything. Insider risk management policies include assigned users and define which types of risk indicators are configured for alerts. Before activities can trigger alerts, a policy has to be configured. Policy comes first; you have to have a policy.

Communications compliance in MS365. This is part of the insider risk solution that builds on the features of supervision policies in Office 365. It helps detect, capture, and take remediation action for inappropriate messages within the organization. It has customizable, preconfigured templates, machine learning support, a flexible remediation workflow, and it even integrates with third parties such as Twitter, Facebook, LinkedIn, and other partners within MS365.

The communications compliance feature will be used if you have certain words, not necessarily George Carlin's list of four-letter words, maybe, depending on your organization. But if you had certain phrases, words, or language that you do not want your employees using within your environment, you can actually go through and look at the communications. It also will allow you, if you're a social media manager within the PIO office, if you integrate it with Twitter, Facebook, LinkedIn, and those social media platforms, to get an alert if certain topics are talked about on social media by your organization's official account. Maybe you're a stock trading organization, and there are certain phrases or certain stocks that you should never, ever talk about to the public. Maybe you're a medical organization and there are certain things you should never talk about on social media. You can have a communication compliance policy that helps enforce that and will actually block it from even going out, send an alert, and send an email to the person who has that communication.

GDPR. For my European friends, this is a perfect four-letter word for you guys. I don't want to deal with it much in my industry. However, I also have friends here in the US who do e-commerce and other types of sites, and they hate GDPR. They love it from the standpoint that this is what people should have, these are the basic rights within data that people should have, but then having to enforce it and have all of the compliance controls for it, that's the part that gets frustrating for them at times. MS365 offers pre-built tools that help you with GDPR: the service trust portal, compliance manager, compliance score, it even has a GDPR dashboard, and it has a data subject request case tool. Using the data subject requests tool, you can create a separate case for each request investigation and control who has access to the DSR case by adding people as members to the case; only members can access that case, and they only see the cases in the list of cases that they are assigned to.

Quiz. Insider risk management requires the Office 365 audit log to be enabled. True or false?

This graphic here, if you are a compliance officer, is pretty damn telling. You have six little areas showing what everybody thinks you do as your job. The first one, the top left: what my friends think I do. Yeah, that's pretty accurate. Marketing just thinks you run roughshod over people that want to do things, but you don't let them. Senior management: this goes with all security professionals. They think you take the money and you're just wasting it. You may see yourself as Captain America or some other superhero, where you keep your organization from being sued. That's a really good cause. Now, a little bit of humor. True or false?

Back to the question again. True or false? True. It does require the Office 365 audit logs to be enabled, because you can't see the risk unless they have a log to score off of. If you don't know what a user is doing, if you're not looking at the log to see what they're doing, how will you know how risky it is? You won't. You have to have the audit logs in order for insider risk management to function.

To recap today's lesson, the compliance score helps you understand an organization's compliance posture, using risk-based scoring around actions that reduce risks around data and regulatory standards. Insider risk management minimizes internal risk by allowing detection, investigation, and remediation of risky activities within an organization. Communications compliance helps detect, capture, and take remediation action for inappropriate messages within your organization. Censorship. MS365 has several tools available to help with GDPR, including the service trust portal, compliance manager, compliance score, the GDPR dashboard, and a very handy data subject request case tool.

Thank you for joining me on this lesson. I hope you learned something. Absolutely, I hope you'll join me for the next one. Take care.