Category Archives: Compliance

Information Protection and Governance with Microsoft 365

What? Me, Worry?

Why do we need to worry about our data? There’s probably a large portion of it that is confidential!

Why do we feel the need to protect it, and to manage it? Perhaps, we don’t want it to grow and overcome our ability to manage it?

While there are a number of common challenges that most organizations have with data, it is also dangerously clear that each organization will have its own requirements and needs to govern (manage) their own unique types of data.

With Microsoft 365 Advanced Compliance, you can manage your data and care for it to the level that makes the most business sense for your organization. This article will describe a few simple steps you can take today to get started.

Avoid Unnecessary Risk with Data Retention Labels

Often, companies are exposing themselves to risk and extra expenses by keeping every document, file, and piece of data that passes through their doors and routers. By setting a company-wide general retention policy, and then modifying that as necessary for more important data, you can limit the management tax on your systems to back up and review all the data, while still being at peace that you are meeting required retention requirements for the important data.

Protect Confidential Content with Sensitivity Labels

Content within an organization comes in all flavors and types. Most content should probably be available to groups of employees who can work with the content and expand upon it to maximize their production.  Some content needs to be kept restricted to certain groups of employees. Other content needs to be siloed within a specific organization, or at a specific management level. And while some content can be shared publicly, most probably should not.

So, how does an organization protect sensitive content with different levels of sensitivity and permitted exposure? Until now, that answer has often been – lock it up! With Sensitivity Labels, an organization can, by applying the correct label to a piece of content, and changing that label if appropriate, can dynamically have protection policies applied to protect the visibility, storage, and exposure of individual pieces of content.

Corporate Espionage?

When a Director of Sales is communicating to the sales team, she may place content available for public consumption, confidential employee only content, and content that needs to be limited to specific partners, and other sensitive content, all within the same document library or Team site, simply by applying the appropriate data sensitivity label to the content.

Typical sensitivity labels may have names such as Personal, Public, General, Confidential, or Highly Confidential, for example. When a sensitivity label is applied to content, the content protection capabilities of the Microsoft 365 online service, including Windows 10 Endpoint protection, Data Loss Prevention (DLP), document and email message encryption, etc., all respond appropriately and protect the content. This can include encrypting the content, preventing it from being copied to non-company devices, keeping it from being printed, or copy-pasted into other applications, the application of automatic archiving and document retention policies, or document and message expiration, etc.

Sensitivity labels can also be applied automatically, based on content source or destination, based on a business process or approval, etc.

Records Management Capabilities

The Data Governance features within the Microsoft 365 E5 license also include advanced Records Management capabilities. An organization that needs more complexity than a simple collection of content retention policies may establish a file plan for company records and significant content that enables the tiering or structuring of protection as a document ages and can enable the automatic disposition and destruction of content at the appropriate time.

Happy Records Managers

Microsoft Advanced Compliance

There are four pillars of functionality within the Microsoft 365 Advanced Compliance feature area. In this article, we have only introduced the flexibility and capability of the Information Protection and Governance pillar, or collection of capabilities. Please watch this space for related articles.

This article, Information Protection and Governance with Microsoft 365, was originally published on

What can I.T. learn from GDPR

So, GDPR has been in effect for just over a year now. (15 May 2018). Was there a celebration in your organization, or is GDPR a bad word? 🙂 )

Many lessons have been learned through the effort of bringing our systems into compliance with GDPR.

I think we can start to generalize from those lessons to identify how our own I.T. systems might benefit from this effort.

Generally, I think there are four broad and very generalized steps to bring your systems in line with GDPR – and to lead to better compliance over all.

  1. Understand what data you’re holding and where it is stored
  2. Collect and organize your data so it becomes an asset.
    • If the data is managed, and it becomes an asset, you can better determine the effort and value – or the expense – it takes to hold it.
    • bringing it in from extraneous storage locations is important. If you don’t move the data, cataloguing it can serve the same purpose. You must know where it is stored so that it doesn’t become a forgotten silo with unmanaged and broken permissions and access controls to surprise you later.
  3. Determine which services related to compliance with the regulation or management of the I.T. system you can and should centralize.Which monitoring systems do you need to identify changes, updates, access requests, delete requests, and other operations requested on the data?
    • Which services are needed to return current status and transactional logs related to the data and these requests?
    • Which trigger and alert services do you need to support to notify you of items that are trending in unexpected directions or are out of compliance?
  4. Understand which applications are accessing that data and prepare a plan to replace them with compliant applications, eliminate those applications that will be too expensive or risky to maintain, or modify the applications so they can be compliant
    • Finding a way to integrate your corporate applications with the centralized system of monitoring and compliance can provide you with a single source of application services related to the regulation and flexible applications that can more easily be modified to support future regulations. (e.g. do you do business in the state of California?)

This can take some time. It can take some patience, and it will require a prioritization effort to determine which project to modify first, etc. Perhaps there is someone in your organization that remembers the Y2K effort? Ask them about their lessons learned from that prioritization effort. 😊 I’m not suggesting that the implied urgency is the same…  or am I? We still have time before GDPR affects our own little I.T. group, right? Well, maybe not, and perhaps there is some urgency here.

Discussing this path to compliance can be useful. The first step toward being able to achieve a journey is to take the first step, of course, but having a map brings so much efficiency to the effort and saves so many wrong turns.

Use this map to compliance and see if you can liken it to your journey to improved collaboration, or deploying MFA and secure authentication across your organization, or any other I.T. challenge that is in front of your team this quarter.

Where are your data silos hiding?