sharepoint governance and compliance
TRANSCRIPT
SharePoint Governance and Compliance
Alistair Pugin (Chief Strategist: Microsoft Services, Datacentrix)
Chief Strategist: Microsoft Services; working with ECM products since 2000
SharePoint Saturday South Africa; Regional Director for the Information Worker Community in South Africa
@alistairpugin
www.alistairpugin.net; aOS Community Ambassador
What is Governance and Compliance
• Governance
  • Structure
  • Policies
  • Human component
  • Records Management for Information Architecture
• Compliance
  • What legislation requires
• Technical Bits
  • RMS
  • Security and Compliance
Governance - Structure
Governance Framework
Governance Team
• Executive stakeholders
• Business division leaders
• Financial stakeholders
• Software development leaders
• IT managers
• Technical specialists
• Trainers
• Influential information workers
• Information architects or taxonomists
• Compliance officers
Information Management Questions
• How will the site or solution be structured and divided into a set of site collections and sites?
• How will data be presented?
• How will site users navigate?
• How will search be configured and optimized?
• How can you organize content so that searches return useful results?
• What types of content will live on sites?
• How will content be tagged and how will metadata be managed?
• Does any of the content on the sites have unique security needs?
• What is the authoritative source for terms?
• How will information be targeted at specific audiences?
• Do you need to have language-specific or product-specific versions of your sites?
• Who will write content for the site and what method will you use to publish it?
Information Governance
Understanding Records Management
Records Management as a Service
Maturity
Statistics
Plans Required
• IT Strategy
• Infrastructure Architecture Governance
• Marketing Strategy (Good)
• Communications Plan
• Change Management Plan
• Training Plan
Change Management Tools
• Why are these channels critical for change management?
• What is the goal of each tool?
Communications
Sponsor roadmap
Training
Coaching
Resistance management
Change Management Mapping
Change management tools: Communications, Sponsor roadmap, Training, Coaching, Resistance management
Individual phases of change (ADKAR®): Awareness, Desire, Knowledge, Ability, Reinforcement™
Where do you start?
Office 365
• It's your data: you own it, you control it
• Transparency and Control
• Privacy by design
• Continuous Compliance
• Built-in Security
Continuous Compliance in Office 365
Built-in capabilities for compliance with standards
• Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA
• Contractually commit to privacy, security and handling of customer data through Data Processing Agreements
Customer controls for compliance with internal policies
• Admin Controls like Data Loss Prevention, Archiving, E-Discovery to enable organizational compliance
Standards & Certifications (Standard | Market | Region)
SSAE/SOC | Finance | Global
ISO 27001 | Global | Global
EUMC | Europe | Europe
FERPA | Education | U.S.
FISMA/FedRAMP | Government | U.S.
HIPAA | Healthcare | U.S.
HITECH | Healthcare | U.S.
ITAR | Defense | U.S.
HMG IL2 | Government | UK
CJIS | Law Enforcement | U.S.
Article 29 + | Europe | Europe
SOC 2 | Global | Global
+ EU Data Protection Authorities validate Microsoft's approach to privacy
How Office 365 does Compliance
Office 365 Service | Control Sets | Certifications
Layers: Physical Security, Security Best Practices, Secure Network Layer, Data Encryption
Built-in Capabilities and Customer Controls: DLP, OME, S/MIME, RBAC, RMS, Account Mgmt., Incident Monitoring, Data Encryption (encryption of stored data and more…), Data Minimization & Retention, Access Control, Audits, new certifications and more…
Building a comprehensive set of controls (chart: worldwide MT seats growing from 0.43M to 45.91M; compliance controls growing from 39 to 653; workloads in boundary from 3 to 13; certifications and standards: ISO27001, HIPAA BAA, DPA, SAS70, FedRAMP, CJIS, SOC 2 Type 2, ISO27018, MLPS, OFFICIAL, IRS1075, DISA IL2)
O365 Compliance Scale
Transparency Milestones (timeline 2008 to 201x): BPOS-S, BPOS-D, FERPA, SOC 1 Type 2, EU Model Clauses, FISMA, EU Safe Harbor, ITAR, MT, GCC, China; proof of ISO report, FISMA quarterly contmon reports, Finserv summits, FedRAMP monthly contmon reports, control sharing, deep contmon, trust.microsoft.com for finserv. Total certifications / standards compliant to grows from 2 to 17.
Scaling with the service
• Federated model allows us to beat scale without staffing up
• Engaged champs in each service team are key to driving success at service scale
• Investments in automation are a force multiplier
• Control set: over 1,050 controls
Risk Management in the Cloud
Risk | Confidentiality (On Premises / Cloud) | Integrity (On Premises / Cloud) | Availability (On Premises / Cloud)
Mitigate | Customer / Shared | Customer / Microsoft | Customer / Microsoft
Accept | Customer / Shared | Customer / Shared | Customer / Shared
Transfer | - / Microsoft (Contracts & Compliance) | - / Microsoft (Contracts & Compliance) | - / Microsoft (SLA)
Transparency - data residency
http://trust.office365.com – direct link at Data Maps
Ever Evolving Approach to Compliance
Compliance Management Framework, fed by Market & Competitive Intelligence:
• Regulatory Impact Analysis (RSIA)
• Define Security and Privacy controls
• Determine Implementation Requirements
• Implement Controls
• Document Implementation
• Continuous Monitoring
• Independent verification (Audits)
• Remediation: Prioritize
ISO 27018
Have services independently audited for compliance with this standard
Key Principles - Cloud providers must:
• Not use data for advertising or marketing unless express consent is obtained
• Be transparent about data location and how data is handled
• Be accountable to determine if customer data was impacted by a breach of information security
• Communicate to customers and regulators in the event of a breach
• Provide customers with control over how their data is used
Control Effectiveness Assessment (Audit) Schedule (Nov 2014 to Nov 2015): ISO, FedRAMP MT, ISAE3402/SOC, ITAR, ISO
Audit cadence
Trust but verify
• Share latest audit reports (third-party verification)
• Compliance Program (Right to Examine*)
• Transparency and Control through continuous monitoring
* For larger highly regulated customers
Managing Risk
Part of the responsibility for the secure management of the service lies with each customer. Office 365 supports a high degree of customer configuration.
Customers must put the following controls in place to ensure the security of their data:
• Account Management
• Access control
• Segregation of duties
• Awareness and training
• Support requests
• Use flexible customer controls in Office 365
Compliance controls
Helps to identify, monitor and protect sensitive data through deep content analysis
• Identify
• Monitor
• Protect
• End user education
DLP Policy Enforcement actions: ALERT, CLASSIFY, ENCRYPT, APPEND, OVERRIDE, REVIEW, REDIRECT, BLOCK
Flexible tools for policy enforcement that provide the right level of control: Transport Rules, Rights Management, Data Loss Prevention
Email archiving and retention
In-Place Archive (Preserve)
• Secondary mailbox with separate quota
• Managed through EAC or PowerShell
• Available on-premises, online, or through EOA
Governance (Preserve)
• Automated and time-based criteria
• Set policies at item or folder level
• Expiration date shown in email message
Hold (Preserve)
• Capture deleted and edited email messages
• Time-Based In-Place Hold
• Granular Query-Based In-Place Hold
• Optional notification
eDiscovery (Search)
• Web-based eDiscovery Center and multi-mailbox search
• Search primary, In-Place Archive, and recoverable items
• Delegate through roles-based administration
• De-duplication after discovery
• Auditing to ensure controls are met
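The archive, time-based retention and hold capabilities listed above can be configured from Exchange Online PowerShell; the script below is an added example, not part of the presentation, and assumes an already connected Exchange Online session and a placeholder mailbox identity.

```powershell
# Added example (not from the presentation): enable In-Place Archive, a
# time-based retention policy and a litigation hold for one mailbox using
# Exchange Online PowerShell. Assumes the session is already connected
# (Connect-ExchangeOnline) and uses a placeholder mailbox identity.
$Mailbox = 'user@contoso.example'   # placeholder, replace with a real identity

# 1. Secondary (archive) mailbox with its own quota.
Enable-Mailbox -Identity $Mailbox -Archive

# 2. Time-based retention: move items older than two years to the archive.
#    A default policy tag (-Type All) covers every folder the user has not
#    tagged explicitly; the expiry date is shown in the message header.
$Tag = New-RetentionPolicyTag -Name 'Archive-After-2y' -Type All `
    -AgeLimitForRetention 730 -RetentionAction MoveToArchive

# 3. Bundle the tag into a policy and assign that policy to the mailbox.
$Policy = New-RetentionPolicy -Name 'Standard-Archive-Policy' `
    -RetentionPolicyTagLinks $Tag.Name
Set-Mailbox -Identity $Mailbox -RetentionPolicy $Policy.Name

# 4. Preserve deleted and edited items: a litigation hold keeps content in
#    Recoverable Items for the stated number of days regardless of user action.
Set-Mailbox -Identity $Mailbox -LitigationHoldEnabled $true -LitigationHoldDuration 2555

# 5. Verify the resulting state, which is what a compliance officer would check.
Get-Mailbox -Identity $Mailbox |
    Select-Object ArchiveStatus, RetentionPolicy, LitigationHoldEnabled, LitigationHoldDuration
```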
Activity Logs (diagram): activity from Users, Admins and Microsoft Engagement; Activity API; consumed by Security Operations, Compliance Reports/Dashboards and ISVs
Privacy
Privacy by design means that we do not use your information for anything other than providing you services
No Advertising
• No advertising products out of Customer Data
• No scanning of email or documents to build analytics or mine data
Transparency
• Access to information about geographical location of data, who has access and when
• Notification to customers about changes in security, privacy and audit information
Privacy controls
• Various customer controls at admin and user level to enable or regulate sharing
• If the customer decides to leave the service, they get to take their data and delete it in the service
Resources
Office 365 Trust Center: http://trust.office365.com
Office 365 Blog: http://blogs.office.com/
• Enabling transparency and control
• Enhancing transparency and control for Office 365 customers
• Customer Lockbox
• Office 365 management activity API for security and compliance monitoring
Whitepapers
• Overview of Security: http://aka.ms/securitywhitepaper
• Overview of Security and Compliance in Office 365
• Customer controls for Information Protection: http://aka.ms/customercontrolsm
Law Enforcement Requests Report: http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
Thank you. Questions?
Live ratings: spca.biz/J3E5
WWW.ECMNINJA.CO.ZA / ALISTAIRPUGIN