Using a Compliance Compass to Navigate Sensitive Content within Your IT Environment

Post on 24-Apr-2018


TRANSCRIPT

  • Accessible content is available upon request.

    Using a Compliance Compass to Navigate Sensitive Content within Your IT Environment

    IAPP Europe: Data Protection Intensive 2013

    Ralph O'Brien, EMEA Compliance Specialist, AvePoint UK

  • AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc. No part of this may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.

    Understanding the Challenge The Context

    The Players

    The Prism of SharePoint

    A Best Practices Methodology Achieving Compliance

  • Understanding the Challenge

  • IT

    Business

    Compliance

    Boundaries

  • Governance

    Risk

    Compliance

  • Governance is the set of policies, roles, responsibilities, and processes that guides, directs, and controls how an organization's business divisions and I.T. teams cooperate to achieve business goals.

    Microsoft Governance Model of SharePoint Definition

    http://bit.ly/nmNSbj

  • Effect of uncertainty on objectives.

    According to ISO 31000

    http://www.praxiom.com/iso-31000.htm

  • Conformity in fulfilling official requirements.

    Merriam-Webster - Compliance Definition

    http://www.merriam-webster.com/dictionary/compliance

  • At the very highest level we are talking about:

    Making information available to the people who should have it

    Protecting it from the people who should not

    This may come from requirements:

    Regulatory

    Statutory

    Internal Policy

    All the above

  • Issues Include:

    Intellectual property and trade secrets

    Sensitive customer information and data

    Employee data

    Collaborations on strategy

    Personal information and health information

  • Want the same data protection rights across the EU

    Special Eurobarometer 359 Attitudes on Data Protection and Electronic Identity in the European Union, June 2011.

  • Accidental Breaches: Employee, Third Party

    Intentional Breaches: Employee, Third Party, Hackers

  • Designing a Compliance Policy

    How do we protect the most important data in the enterprise?

    How do we reduce the risk of exposure?

    How do we quickly find information?

    How do we prepare for litigation and eDiscovery?

    How do we ensure policy consistency?

    How do we scale the compliance solution to the enterprise?

    How do we control costs?

    What is our Cloud Strategy?

    What is our current compliance status, or our "as is"?

  • Don't just focus on what you can see

    Risk Awareness

    Risk Ignorance

    Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!

    E.J. Smith, Captain of the Titanic

  • The Prism of SharePoint

  • Business Intelligence

    eDiscovery

    Compliance

    Enterprise Content Management

    Records Management

    Social

    Search

    Web Content Management

  • Content that changes all day, every day

    Massive Data Stores

    Document Management, Collaboration, Social, Cloud, Communications

    Now Can be Searched and Accessed by EVERYONE

    Internet, Extranet and Intranet website content

    Enterprise Content Growth by 2014 (Gartner Research)

  • Accountability

    Who owns the sites? Is the site still accessed & used?

    Discoverability

    Are search results relevant?

    Is it easy to find relevant content?

    Adoption

    Was there training prior to granting elevated permissions?

    Provisioning services causing bottlenecks?

    Infrastructure

    Storage footprint? Duplicate content? Backup files growing with no pruning? Application development?

    Appropriateness

    Is there PII content uploaded?

    Is there content stored in a site that should be in a different site?

    Quality

    Is the site still active? Is the content still relevant?

    Compliance

    PII data? HIPAA requirements? Section 508?

    Restrictions

    How can we prevent sharing of confidential documents?

    Who has access to what content?

  • Personal/My Sites

    Governance

    Visibility

    Project/Team Sites

    Community Sites

    Portal

  • Balancing Accessibility & Security

    Classification of Documents

    Confidentiality of Documents

    Integrity of Information within Documents

    Understanding Different Roles

  • Transparency/Collaboration

    Data Protection/Management

  • Converging Interests

  • Creating & maintaining is a continuous process

    Balancing transparency & collaboration with data protection and management

    Training

    Governance and Oversight

    Technical Enforcement

    People

    Policy and Process

    Technology

  • A Best Practices Methodology

  • Assessment (1), Design (2), Optimization (3), Control (4)

  • Analyze (1), Identify (2), Prioritize (3), Diagram (4), Structure (5), Migrate (6), Maintain Control (7)

  • Analyze the Current Environment

    Identify non-compliant data across a broad framework of organizational or regulatory requirements such as Accessibility, Brand Management, Privacy, Security, Sensitive Security Information, and Site Quality.

    Identify Non-Compliance

    Prioritize the Business Need

  • Diagram New Security Boundaries

    Determine appropriate permissions and security settings based on the governance and compliance requirements of SharePoint or file-based information.

    Architect in Governance & Compliance

  • Implement Compliant Methodology

    Maintain Control

    Easily audit security settings, investigate usage patterns, and monitor sensitive information to assess the effectiveness of the risk management strategy.

  • Assessment: Analyze (1), Identify (2), Prioritize (3)

    Design: Diagram (4), Structure (5)

    Optimization: Undertake Migration (6)

    Control: Maintain Control (7)

  • Repeat for Comprehensive Access & Security Permissions

    Prevent

    Detect

    Track

    Respond & Resolve

  • Know Who Has Accessed What & When

    Record and track all user interactions, security changes, and search queries in any or all of your Microsoft SharePoint environments.

    Track Employees' SharePoint Usage

    See everything an individual employee or group of employees has done and is doing in your SharePoint environment.

    Track an Item Through its Entire Life

    See what happened to a document, including when it was created and by whom; who has viewed it and when; and when it was deleted and by whom.

    Audit SharePoint Search

    See who has performed a search, for what, and when. See how often an item is returned in search results.
