Time
6 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
7

Video Transcription

00:00
Welcome back, Cybrarians, to the MS 365 Security Administration course.
00:06
I'm your instructor, Jim Daniels. We're on module five, MS 365 compliance,
00:12
starting lesson two, governance in Microsoft 365.
00:16
With
00:17
compliance
00:19
In this lesson, we're gonna go over the MS 365 compliance center,
00:23
how to access it,
00:25
the purpose and function of the compliance score,
00:28
insider risk management within Microsoft 365,
00:33
and how Microsoft 365 addresses GDPR.
00:38
Seth Godin is a best-selling author and former dot-com executive.
00:42
One of his quotes that I really appreciate:
00:46
the industrial age brought compliance,
00:49
and compliance brought fear, and fear brought us mediocrity.
00:54
Think about it for a while.
00:56
This whole entire lesson is on compliance.
00:59
I think what he means
01:00
is, if you're so worried about compliance,
01:04
that all, sometimes you don't actually excel and push yourself
01:08
to be a disruptor.
01:11
There aren't many disruptors in the compliance industry.
01:15
The Microsoft 365 compliance center provides easy access to the data and tools that you need to manage your organization's compliance needs.
01:26
It combines information protection and governance, insider risk management, discovery and response tools
01:32
and a compliance management solution
01:34
for your entire Microsoft 365 environment.
01:38
The compliance score
01:38
helps understand organizations' compliance posture by using a risk-based scoring
01:44
around actions that reduce risk around data and regulatory standards.
01:49
Compliance score is a simplified version of compliance manager.
01:53
Compliance score helps simplify the management in three ways. Continuous assessments:
02:00
it automatically scans through your Microsoft 365 environments to detect and monitor the effectiveness
02:07
of the data protection controls that you have in place.
02:09
It also gives you recommended actions:
02:12
it provides recommendations and step-by-step guidance
02:15
on how to implement controls to maximize and improve your score.
02:20
It even has built-in control mapping, which helps you stay current with the evolving compliance landscape
02:24
by providing a built-in common control framework.
02:29
Carter. You're
02:30
assessment recommendations
02:35
only you are responsible for regulatory compliance.
02:38
Recommendations from the compliance score and compliance manager should not be interpreted
02:44
as a guarantee of compliance.
02:46
Quote unquote disclaimer.
02:47
It is up to you to evaluate and validate the effectiveness of customer controls per your regulatory environment.
02:58
If you get audited,
03:00
one of those regulatory
03:01
bodies
03:02
and they say you're out of compliance.
03:05
If you say, "Well, my compliance score from Microsoft said I was good, so I didn't bother checking,"
03:10
They're going to laugh at you
03:12
because it's always more
03:14
being a compliant,
03:15
the ingestion or cloud environment.
03:19
It could be your physical security, it could be your workflow.
03:23
It could be your on-premise data. There's lots of factors into the
03:28
you need to cover yourself
03:30
and make sure that the buck stops with you,
03:34
that you have done your best effort
03:37
and everything you can to meet
03:39
those compliance regulations.
03:42
Compliance score uses several components to help you manage your compliance activities.
03:47
As you use compliance score to assign, test and monitor compliance activities,
03:52
it's helpful to have a basic understanding of the key components:
03:55
controls, assessments, templates and groups.
04:00
Controls.
04:01
A control defines how you assess and manage system configuration, organizational processes
04:09
and people responsible for meeting a specific
04:12
requirement of a regulation, standard or internal policy.
04:16
Compliance score tracks two types of controls.
04:19
Microsoft-managed controls:
04:23
these are controls for Microsoft cloud services, which Microsoft is responsible for implementing.
04:29
Customer-managed controls: these are, you got it, managed by your organization, which you are responsible for implementing.
04:36
Assessments.
04:39
An assessment is an evaluation of a template that initiates a scoring process for your organization.
04:45
Assessments group the actions necessary
04:47
to meet the requirements of a standard,
04:49
regulation or law.
04:53
Compliance score provides your organization with an initial assessment
04:57
based on the Microsoft 365 data protection baseline.
05:00
This assessment is a recommendation
05:02
for reducing your data protection and compliance risk.
05:05
Think of the baseline as a low hanging fruit.
05:10
This is what Microsoft recommends for you to be at
05:14
bare minimum Baseline
05:15
assessments have several components
05:17
In-scope services: a specific set of Microsoft services applicable to the assessment.
05:25
Microsoft-managed controls: controls that Microsoft has implemented.
05:30
Customer-managed controls: controls that you manage as a customer.
05:34
Assessment score:
05:35
percentage of the points achieved by completing actions within that particular assessment.
05:42
Templates.
05:43
Compliance score provides pre-configured templates for assessments.
05:46
You can also create a custom assessment by adding your own controls and actions to a pre-configured template.
05:54
For example, you can create a template for your business process control
05:58
or a template for regional data protection.
06:00
Groups.
06:01
Groups allow you to organize assessments in a way that's logical.
06:06
You can group the assessments by year, compliance standard, service,
06:11
team or department within the organization, or any other way.
06:15
When two different assessments in the same group share customer-managed actions, updates you make to the implementation details, testing and status for the action in one assessment
06:27
will automatically synchronize
06:29
to the same action in any other assessments in the group.
06:33
Syncing actions in this way unifies
06:36
the assigned improvement actions across the group
06:40
and reduces the need for duplicate work.
06:43
Hooray for efficiency.
06:46
Here's an example of a compliance score improvement actions screen.
06:50
Here we have different recommendations,
06:53
the score impact,
06:55
the regulations, the group, these are default,
06:59
what kind of solutions are involved, and the assessment that it is pertaining to.
07:05
When you click on one, for instance, protect wireless access,
07:10
you can actually assign it to somebody. So in this example, I'm assigning this improvement action to Bob Smith,
07:16
and Bob can then mark it as implemented, implementation date,
07:20
test, test date. So you have all of this within one central location.
07:27
Insider risk management within Microsoft 365 helps minimize internal risk.
07:32
Kind of had, I mean, that's the name of it, right?
07:34
really OK
07:36
by
07:38
allowing detection, investigation and remediation when risky activities within an organization
07:45
This is included with Office 365 E5
07:48
as well as within the Microsoft 365 E5 suite.
07:54
It's also available for E3 users with the E5 compliance or E5 insider risk management add-on.
08:01
It is centered around these principles. Transparency:
08:05
balance employee privacy versus organization risk with privacy-by-design architecture.
08:11
Configurable:
08:13
configurable policies based on industry, geographical and business groups.
08:20
Integrated:
08:20
integrated workflow across the entire Microsoft 365 compliance suite.
08:26
Actionable:
08:28
it provides insights to enable employee notifications, data investigations and employee investigations.
08:35
The insider risk management workflow
08:37
is as follows.
08:39
Policy:
08:41
the insider risk management policies are created using predefined templates
08:46
and policy conditions that define what risk indicators are examined.
08:50
These conditions include how risk indicators are used for alerts,
08:54
which users are included in those policies, which services are prioritized and the monitoring time period.
09:03
Alerts.
09:05
Alerts are automatically generated by the risk indicators that match policy conditions.
09:11
These are displayed in the alerts dashboard.
09:13
The alerts dashboard enables a quick view of all alerts that need review,
09:18
open alerts over time
09:20
and alert stats for your organization.
09:22
All policy alerts are displayed with associated information to help you quickly identify the current status of existing alerts and new alerts that need action.
09:35
Now we get into the insider risk case management portion
09:39
the last 3/4 of the workflow.
09:41
Triage.
09:43
New activities that need investigation automatically generate alerts that are assigned a needs review status.
09:50
Reviewers can quickly identify these alerts and scroll through to evaluate and triage.
09:56
Investigate:
09:56
cases are created for alerts that require deeper review and investigation of details and circumstances around the policy match.
10:05
The case dashboard provides an up-to-date view of all active cases,
10:09
open cases over time and case stats for your organization. Reviewers can quickly filter cases by status, the date they were opened and the date that it was last updated.
10:20
Action.
10:22
After cases are investigated,
10:24
reviewers can take action to resolve the case
10:26
or collaborate on the risk with other stakeholders within your organization.
10:33
When employees accidentally or inadvertently violate policy conditions,
10:37
a simple reminder notice can be sent to the employee
10:41
from notification templates
10:43
you configure for your organization.
10:46
These notices may serve as simple reminders
10:48
or may direct the employee to the training resource or guidance to help them prevent that behavior.
10:56
Configuring insider risk management.
10:58
There are a few steps you need to go through to enable risk management.
11:03
There are four role groups used to configure permissions
11:07
for insider risk management features.
11:09
To continue with these configuration steps,
11:11
your tenant administrators must first assign you to the Insider Risk Management or Insider Risk Management Admin role group
11:20
to access and manage insider risk management features. After initial configuration,
11:26
users must be a member
11:28
of at least one insider risk management role group.
11:31
Step two:
11:33
enable the audit log. This is required.
11:37
Insider risk management uses audit logs for user insights and activities that are configured in policies.
11:43
Audit logs are a summary of all activities associated with an insider risk management policy
11:48
or any time a policy changes.
11:52
Step three: this is optional.
11:54
Configure prereqs for templates.
11:56
Some insider risk management templates have prereqs that must be configured for policy indicators
12:01
to generate relevant activity alerts.
12:05
Configure the appropriate prereqs on the policies
12:09
you plan to enable for your organization.
12:13
Step four: this is required. Configure insider risk settings.
12:18
Insider risk settings apply to all insider risk management policies, regardless of the template you choose. Settings are configured using the insider risk settings control located at the top of all insider risk management tabs.
12:33
The settings control privacy,
12:35
indicators, monitoring windows and intelligent detection.
12:41
Step five: required.
12:43
Create an insider risk management policy. Of course, to enable you have to have a policy. Otherwise it
12:48
won't do anything.
12:50
Insider risk management policies include assigned users and define which types of risk indicators are configured for alerts.
13:00
Before activities can trigger alerts, a policy has to be configured.
13:03
Policy comes first; you have to have a policy.
13:05
Communications compliance in MS 365. This is part of the insider risk solution that builds on features of supervision policies in Office 365.
13:16
It helps detect, capture and take remediation actions for inappropriate messages within the organization.
13:22
Customizable pre-configured templates, machine learning support, flexible remediation workflow, and it even integrates with third parties such as Twitter, Facebook, LinkedIn and other partners within MS 365.
13:37
So the communications compliance,
13:39
the communications compliance feature would be used if you have certain words, not necessarily George Carlin's list of four-letter words,
13:48
maybe depending on your organization,
13:50
but if you have certain
13:52
phrases, words, language
13:56
that you do not want your employees using within your environment,
13:58
your national go through marketing communications.
14:01
It also will allow you, if you're a social media manager within the PIO office, if you integrate it with Twitter, Facebook, LinkedIn, those social media platforms,
14:11
you can get an
14:13
alert
14:15
if certain topics are talked about
14:18
on social media by your organization's official account.
14:22
So maybe you're a stock trading organization; there are certain phrases or certain stocks that you should never, ever talk about to the public.
14:28
Maybe you're a medical organization, and there are certain things you should never
14:31
talk about on social media.
14:33
You can have a communication compliance policy that helps enforce that.
14:39
Well, actually, block it from even going out. Sending the Ark sent a email to the person who has that communication
14:48
GDPR.
14:50
For my European friends,
14:52
this is a four-letter word for you guys.
14:56
Um,
14:58
I don't want to deal with it much in my industry. However, I also have friends here in the U.S. that do e-commerce and other types of sites, and they hate GDPR.
15:09
They love it from the standpoint of
15:13
this is what people should have. These are the basic rights within data that people should have,
15:18
but them having to enforce it
15:20
have all of the compliance controls. Fourth, that's the part that is frustrating for them in time.
15:26
So Microsoft 365 offers pre-built tools that help you with GDPR:
15:31
Service Trust Portal,
15:33
Compliance Manager, Compliance Score. It even has a GDPR dashboard
15:37
and has a data subject request case tool.
15:41
Using the data subject request tool, you can create a separate case for each
15:46
request investigation.
15:48
Control who has access to the DSR case by adding people as members to the case. Only members can access that case and only see the cases in the list of cases that they are assigned to.
15:58
Quiz.
16:00
Insider risk management requires the Office 365 audit log to be enabled. True
16:06
or false?
16:07
You know this graphic here. If you are a compliance officer,
16:11
this is pretty *** telling. You have six little areas, what everybody thinks you do as your job.
16:18
The first one, the top left, what my friends think I do.
16:21
Yeah, that's
16:22
that's pretty pretty accurate.
16:25
Marketing just thinks you run roughshod over. People don't want to do things, but you don't let them.
16:30
Senior management. This goes with all security professionals.
16:33
I think you take the money, and they just you just delighted that you're just wasting it.
16:37
You may see yourself as Captain America or some other superheroes where you keep your organization from being
16:44
sued.
16:45
That's a good calls. That's a real your calls.
16:48
A little bit of humor. So true or false? Back to the question again. True or false?
16:53
True, it does require the Office 365 audit logs to be enabled because you can't see the risk
17:00
unless they have a log to score off.
17:04
If you don't know what end users are doing,
17:07
you know, looking at the log to see what they're doing,
17:10
How will you know how rescue just you want? So you have to have the audit logs in order for insider risk management to function.
17:18
To recap today's lesson: the compliance score helps understand the organization's compliance posture, using risk-based scoring
17:26
around actions that reduce risk around data and regulatory standards.
17:32
Insider risk management minimizes internal risk
17:36
by allowing detection, investigation and remediation
17:38
when risky activities within the organization.
17:41
Communications compliance helps detect, capture and take remediation action for inappropriate messages
17:48
within your organization.
17:52
Censorship.
17:55
MS 365 has several tools available to help with GDPR, including the Service Trust Portal, Compliance Manager, Compliance Score, GDPR dashboard and a very handy data subject request case tool.
18:08
Thank you for joining me on this lesson. I hope you learned something
18:11
and I look forward to you joining me for the next one.
18:15
Take care.

MS-500: Microsoft 365 Security Administration

The Microsoft 365 Security Administration course is designed to prepare students to take and pass the MS-500 certification exam. The course covers the four domains of the exam, providing students with the knowledge and skills they need to earn their credential.

Instructed By

Jim Daniels
IT Architect
Instructor