Compliance in Office 365
Edge Pereira, Sandy Millar
From Avanade Australia
OSS304
Introduction
“Faced with never-ending and expanding regulatory and industry mandates, organizations invest tremendous amounts of energy on audit, compliance, controls, and (in some cases) risk management. At the same time, they seek to free staff resources from mundane tasks such as evidence gathering and simple reporting.”
Source: Gartner Report: IT Governance, Risk, and Compliance Management Solutions, http://www.gartner.com/resId=1884814
Why are we here?
• What is compliance?
• What does it mean to an ITPro?
• How can Office 365 help you?
• How to enable compliance controls?
Compliance – What is it?
Australian Standard AS 3806-2006
“The Standard provides principles for the development, implementation and maintenance of effective compliance programs within both public and private organisations. These principles are intended to help organisations identify and remedy any deficiencies in their compliance with laws, regulation and codes, and develop process for continual improvement in this area.”
Why do we need to take compliance seriously?
Areas that fall into compliance scope
• Integrity and anti-fraud
• Bribery and corruption regulation
• Anti-trust and competition regulation
• Privacy regulation
What does this mean to your organisation?
Levels and activities are driven by many factors
For example
• Public or private sector
• Industry vertical
• Business activities
• Geography
• Laws or regulation
Example: Avanade
Legislation
• Privacy Act 1988
• Privacy Amendment (Enhancing Privacy Protection) Act 2012
Customer Data Protection Program (CDP)
• Industry leading CDP Program to implement appropriate controls
• Internal data management and security policies
• Privacy policy
Customer
• Avanade works with customers to take customer-specific concerns and policies into account
So what is Microsoft doing?
Office 365 includes many features that support compliance processes, including:
• Data Loss Prevention
• eDiscovery
• Information Management Policies
• Auditing
• Records Management
• RBAC
• Encryption
Two faces of compliance in Office 365
Built-in Office 365 capabilities (global compliance)
• Access Control
• Auditing and Logging
• Continuity Planning
• Incident Response
• Risk Assessment
• Communications Protection
• Identification and Authorisation
• Information Integrity
• Awareness and Training
Customer controls for compliance for internal policies
• Data Loss Prevention
• Archiving
• eDiscovery
• Encryption
• S/MIME
• Legal Hold
• Rights Management
In practice, it looks like this
What does your organisation get?
• Independent verification
• Regulatory compliance
• Peace of mind
• Improved governance
• Better risk management
• Avoiding prosecution
So what does all that boil down to for ITPros?
It is all about customer controls!
Remembering
“A control is a process, function, in fact anything that supports maintaining compliance”
Let's look at Office 365 customer controls
Identify Monitor Protect Educate
Data Loss Prevention
What is meant by Data Loss Prevention?
“Data loss/leak prevention solution is a system that is designed to detect potential data breach / data ex-filtration transmissions and prevent them by monitoring, detecting and blocking sensitive data while in-use (endpoint actions), in-motion (network traffic), and at-rest (data storage).”[1]
[1] http://en.wikipedia.org/wiki/Data_loss_prevention_software
Good definition: http://csrc.nist.gov/groups/SNS/rbac/documents/data-loss.pdf
In-use controls (end-point)
• Operating System and Apps fully patched and up to date
• End-point security tools installed and correctly configured
• Firewall enabled and correctly configured
• Access to required applications only
• Access to “need to know” data
• Compliance Adherence Monitoring
At-rest controls
• Secure Connections - SSL
• Encryption - Transparent Data Encryption
• Auditing
• Information Management Policies (Retention)
• Access control
In-motion controls (email)
Create a DLP Policy
• From a built-in template
• Build own customised policy
• Import a pre-built policy
Apply DLP Policy
Manage and report
Australian DLP Policies provided by Microsoft:
• Financial Data (credit cards, and SWIFT codes)
• Health Records Act - HRIP Act (medical account number and TFN)
• Personally Identifiable Information (PII) Data (TFN, driver's license)
• Privacy Act (driver's license and passport number)
Built-in DLP content areas

| Country | PII | Financial |
|---|---|---|
| USA | US State Security Breach Laws, US State Social Security Laws, COPPA | GLBA & PCI-DSS (Credit, Debit Card, Checking and Savings, ABA, Swift Code) |
| Germany | EU data protection, Drivers License, Passport, National Id | EU Credit, Debit Card, IBAN, VAT, BIC, Swift Code |
| UK | Data Protection Act, UK National Insurance, Tax Id, UK Driver License, Passport | EU Credit, Debit Card, IBAN, BIC, VAT, Swift Code |
| Canada | PIPED Act, Social Insurance, Drivers License | Credit Card, Swift Code |
| France | EU data protection, Data Protection Act, National Id (INSEE), Drivers License, Passport | EU Credit, Debit Card, IBAN, BIC, VAT, Swift Code |
| Japan | PIPA, Resident Registration, Social Insurance, Passport, Driving License | Credit Card, Bank Account, Swift Code |

Health: Limited Investment: US HIPAA, UK Health Service, Canada Health Insurance card. Rely on Partners and ISVs.
Establishing DLP
Design and implement
• Determine sensitive information types and related policies or regulations
• Establish policies to protect sensitive data
• Implement Office 365 DLP features
Operate
• Detect sensitive data in email
• Detect sensitive data with document fingerprinting
• User awareness with Outlook Policy tips
Australian sensitive information types provided by Microsoft
• Bank Account Number
• Driver's License Number
• Medicare Account Number
• Passport Number
• Tax File Number
DEMO: Data Loss Prevention
Summary - Data Loss Prevention
Protect communications
• Basic level of built-in anti-malware and enhanced spam filtering to help protect your email environment from threats
Enforce policy
• Data loss prevention (DLP) controls that can detect sensitive data in email before it is sent and automatically block, hold or notify the sender
Simplify management
• Unified administration of anti-spam, anti-malware and data loss prevention within Exchange
eDiscovery
What do we mean by eDiscovery?
“Electronic discovery (or e-discovery or eDiscovery) refers to discovery in civil litigation or government investigations which deals with the exchange of information in electronic format (often referred to as electronically stored information or ESI).”[2]
[2] Wikipedia (http://en.wikipedia.org/wiki/Electronic_discovery)
eDiscovery Process
• DISCOVERY: Find relevant content (documents, emails, Lync conversations)
• PRESERVATION: Place content on legal hold to prevent content modification and/or removal
• COLLECTION: Collect and send relevant content for processing
• PROCESSING: Prepare files for review
• REVIEW: Lawyers determine which content will be supplied to opposition
• PRODUCTION: Provide relevant content to opposition
Office 365 eDiscovery Centre
SharePoint Template that creates a site customised for Case Management
• Assists the creation of “Cases”
• Grants specific user permissions to manage the Cases
• Identifies and Holds Exchange, SharePoint, OneDrive for Business and File Share data
• Searches and Exports data of interest
In-place Hold
Provides a high level of immutability by:
• Preserving data in source
• Protecting from deletion
• Protecting from tampering
Provides easy management via:
• Rich query, location and time based content target
• Across Exchange, Lync and SharePoint
• Using Exchange Admin or eDiscovery Centres
Find what you need
• Real time search
• Rich query capability (text, time, source)
Export for action
Download directly from data source
Take the data offline as:
• Native files (.docx, .xlsx, etc.)
• Outlook Personal Information Store (.pst)
• Web Archive (.MHT)
• Comma Separated Values (.csv)
• Lists or Feeds
• Electronic Discovery Reference Model XML (v1.1)
eDiscovery Considerations
• Roles
• There will be storage impacts
• Recoverable Items quotas are separate from mailbox quotas and need to be monitored
• Hybrid data sources
eDiscovery Reports
• Content modifications
• Content type and list modifications
• Content viewing
• Deletion
• Custom reports
• Expiration and Disposition
• Policy modifications
• Auditing settings
• Security settings
Important Benefits
Risk mitigation
• Centrally managed proactive enforcement
• Reduced collection touch points
• Consistent and repeatable
Minimised business impact
• Transparent to users
• Minimises the need for offline copies, until they are needed
• Instantly searchable/exportable
Lower cost!
Demo: eDiscovery
Auditing
Reporting and Auditing
Comprehensive view of DLP policy performance
Downloadable Excel workbook
Drill into specific departures from policy to gain business insights
Exchange - Audit Features
Exchange has full auditing on by default!
Available Reports
• Mailbox access by non-owners
• Mailbox litigation hold
• Role group changes
• Mailbox content search and hold
• Admin audit log (including external administration)
SharePoint – Auditing Features
SharePoint must have auditing enabled at a Site Collection level.
Document and Items
• Editing items
• Checking in and out
• Moving or copying within site
• Deleting or restoring
List, libraries and sites
• Editing content type and columns
• Searching site content
• Editing users and permissions
SharePoint Audit Reports
Demo: Document Fingerprinting
Wrap Up
Overall objectives: security and protection
• Enforce policy
• Protect communications
• Simplify management
Useful Reference
Office 365 Security and Compliance
http://technet.microsoft.com/en-us/library/dn532171.aspx
Office 365 Trust Centre
http://office.microsoft.com/en-au/business/office-365-trust-center-cloud-computing-security-FX103030390.aspx
Office Blogs
http://blogs.office.com/2013/10/23/cloud-services-you-can-trust-security-compliance-and-privacy-in-office-365/
Governance, risk management, and compliance
http://en.wikipedia.org/wiki/Governance,_risk_management,_and_compliance
Office 365 Service Descriptions
http://technet.microsoft.com/en-us/library/jj819284%28v=technet.10%29
Related content
Breakout Sessions (session codes and titles)
Track resources
Ignite - Ignite.office.com
FastTrack - fasttrack.office.com
Office Blogs – blogs.office.com
Office 365 Trust Centre - trustoffice365.com
Office 365 Customer Success Centre – success.office.com
Register for Office 365 Ignite - aka.ms/ausignite
Additional Slides
DLP extensibility points
Content analysis process
Get Content
Joseph F. Foster
Visa: 4485 3647 3952 7352
Expires: 2/2012
RegEx Analysis
4485 3647 3952 7352: a 16 digit number is detected
Function Analysis
1. 4485 3647 3952 7352 matches checksum
2. 1234 1234 1234 1234 does NOT match
Additional Evidence
1. Keyword Visa is near the number
2. A regular expression for date (2/2012) is near the number
Verdict
1. There is a regular expression that matches a check sum
2. Additional evidence increases confidence
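The content analysis process above, written out as an added example (not part of the original slides and not Microsoft's implementation). The proximity window, keyword list, confidence values and function names are assumptions chosen for illustration; the checksum is the standard Luhn check used for payment card numbers.

```python
import re

# Assumed values for this sketch; the slide does not give a window size,
# a keyword list or confidence numbers.
PROXIMITY = 100                      # characters either side of the match
KEYWORDS = ("visa", "mastercard", "amex", "credit card", "card number")
BASE_CONFIDENCE = 65                 # pattern + checksum only
HIGH_CONFIDENCE = 85                 # plus keyword or expiry date nearby

# RegEx analysis: 16 digits, optionally grouped in fours by space or hyphen.
CANDIDATE = re.compile(r"(?<!\d)\d{4}(?:[ -]?\d{4}){3}(?!\d)")
# Additional evidence: an expiry-style date such as 2/2012 or 02/12.
EXPIRY = re.compile(r"(?<!\d)(?:0?[1-9]|1[0-2])/(?:\d{4}|\d{2})(?!\d)")


def luhn_ok(number: str) -> bool:
    """Function analysis: Luhn checksum over the digits of the candidate."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def analyse(text: str) -> list[dict]:
    """Return one verdict per 16-digit candidate found in text."""
    verdicts = []
    for m in CANDIDATE.finditer(text):
        verdict = {"match": m.group(), "checksum": luhn_ok(m.group()),
                   "evidence": [], "confidence": 0}
        if verdict["checksum"]:
            # Look only at the text around the match, excluding the match.
            before = text[max(0, m.start() - PROXIMITY):m.start()]
            after = text[m.end():m.end() + PROXIMITY]
            window = (before + " " + after).lower()
            if any(k in window for k in KEYWORDS):
                verdict["evidence"].append("keyword")
            if EXPIRY.search(window):
                verdict["evidence"].append("expiry date")
            verdict["confidence"] = (HIGH_CONFIDENCE if verdict["evidence"]
                                     else BASE_CONFIDENCE)
        verdicts.append(verdict)
    return verdicts


# Constructed sample: the slide's message plus the slide's non-matching number.
SAMPLE = ("Joseph F. Foster\nVisa: 4485 3647 3952 7352\nExpires: 2/2012\n"
          + "x" * 200 + "\nOrder ref 1234 1234 1234 1234\n")

if __name__ == "__main__":
    for v in analyse(SAMPLE):
        print(v)
```

A candidate that fails the checksum is reported with confidence 0, which is why the second number on the slide never reaches the evidence stage.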
Encryption Solutions in Office 365
Office 365 Message Encryption – Encrypt messages to any SMTP address
Personal account statement from a financial institution
Information Rights Management – Encrypt content and restrict usage; usually within own organization or trusted partners
Internal company confidential memo
S/MIME – Sign and encrypt messages to users using certificates
Peer to peer signed communication within a government agency
Registry Key Outlook Client