Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Discover where your data resides, what governance helps you do, and what types of data you're classifying. Then build your data and security protection baselines for your retention policy, sensitivity labels, workload containers, and both forced and unforced policies.
Your Challenge
Common Obstacles
Data governance has several obstacles that impact a successful launch, especially if governing M365 is not a planned strategy. Below are some of the more common obstacles:
Info-Tech’s Approach
Data classification is the linchpin of any effective governance of O/M365, and your objective is to navigate it easily and effectively and build a robust, secure, and viable governance model. Start your journey by identifying what data you have, where it is, and how much of it there is. You need to understand what sensitive data you have and where it is stored before you can protect or govern it. Ensure there is a high-level leader who is the champion of the governance objectives. Data classification fulfills the governance objectives of risk mitigation, governance and compliance, efficiency and optimization, and analytics.
1. Know Your Data: Do you know where your critical and sensitive data resides and what is being done with it? Trying to understand where your information is can be a significant project.
2. Protect Your Data: Do you have control of your data as it traverses the organization and travels externally to partners? You want to protect information wherever it goes, through encryption and similar controls.
3. Prevent Data Loss: Are you able to detect unsafe activities that lead to sharing of sensitive information? Data loss prevention (DLP) is the practice of detecting and preventing data breaches, exfiltration, or unwanted destruction of sensitive data.
4. Govern Your Data: Are you using multiple solutions (or any) to classify, label, and protect sensitive data? Many organizations use more than one solution to protect and govern their data, making it difficult to determine whether there are any coverage gaps.
Deciding on how granular you go into data classification will chiefly be governed by what industry you are in and your regulatory obligations – the more highly regulated your industry, the more classification levels you will be mandated to enforce. The more complexity you introduce into your organization, the more operational overhead both in cost and resources you will have to endure and build.
Microsoft Information Protection (MIP), which is Microsoft’s Data Classification Services, is the key to achieving your governance goals. Without an MVP, data classification will be overwhelming; simplifying is the first step in achieving governance.
(Source: Microsoft, “Microsoft Purview compliance portal”)
The least-complex sensitivity labels in your classification are the building blocks of compliance and security in your data management schema; they are your foundational steps.
Data governance is a "takes a whole village" kind of effort.
Clarify who is expected to do what with a RACI chart.
End User | M365 Administrator | Security/ Compliance | Data Owner | |
Define classification divisions | R | A | ||
Apply classification label to data – at point of creation | A | R | ||
Apply classification label to data – legacy items | R | A | ||
Map classification divisions to relevant policies | R | A | ||
Define governance objectives | R | A | ||
Backup | R | A | ||
Retention | R | A | ||
Establish minimum baseline | A | R |
What and where your data resides: data types that require classification.
M365 Workload Containers (the original is a table whose column headings did not survive; the container types it listed are): Email; Contacts; Metadata; Site Collections and Sites; Teams and Group Site Collections and Sites; Libraries and Lists; Documents; Permissions; Teams Conversations; Teams Chats; Files Shared via Teams Chats; Project Databases.
Knowing where your data resides will ensure you do not miss any applicable data that needs to be classified. These are examples of the workload containers; you may have others.
AIP helps you manage sensitive data prior to migrating to Office 365:
Azure Information Protection scanner helps discover, classify, label, and protect sensitive information in on-premises file servers. You can run the scanner and get immediate insight into risks with on-premises data. Discover mode helps you identify and report on files containing sensitive data (Microsoft Inside Track and CIAOPS, 2022). Enforce mode automatically classifies, labels, and protects files with sensitive data.
Any asset deployed to the cloud must have approved data classification. Enforcing this policy is a must to control your data.
Information Governance | Records Management | Retention and Deletion
‹——— Connectors for Third-Party Data ———›
Information governance manages your content lifecycle using solutions to import, store, and classify business-critical data so you can keep what you need and delete what you do not. Backup should not be used as a retention methodology since information governance is managed as a “living entity” and backup is a stored information block that is “suspended in time.”
Records management uses intelligent classification to automate and simplify the retention schedule for regulatory, legal, and business-critical records in your organization. It is for that discrete set of content that needs to be immutable.
Info-Tech Insight: Retention is not backup. Retention means something different: “the content must be available for discovery and legal document production while being able to defend its provenance, chain of custody, and its deletion or destruction” (AvePoint Blog, 2021).
What are retention policies used for? Why do you need them as part of your MVP?
Do not confuse retention labels and policies with backup.
Remember: “retention [policies are] auto-applied whereas retention label policies are only applied if the content is tagged with the associated retention label” (AvePoint Blog, 2021).
E-discovery tool retention policies are not turned on automatically.
Retention policies are not a backup tool – when you activate this feature you are unable to delete anyone.
“Data retention policy tools enable a business to:
“It is also important to remember that ‘Retention Label Policies’ do not move a copy of the content to the ‘Preservation Holds’ folder until the content under policy is changed next.” (Source: AvePoint Blog, 2021)
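The distinction the page draws between a retention policy (auto-applied to a location) and a retention label (effective only once content is tagged with it) is easiest to see in how each is provisioned. The following script is an added example, not code from the Info-Tech page or from the AvePoint post it quotes; it uses Security & Compliance PowerShell (the ExchangeOnlineManagement module), and the policy and label names and the 7-year (2,555-day) duration are illustrative assumptions to be replaced with values from your own records schedule.

```powershell
# Added example (not from the Info-Tech page or the AvePoint post it quotes): the two
# retention mechanisms the page contrasts, via Security & Compliance PowerShell
# (ExchangeOnlineManagement module). Names and the 7-year (2,555-day) duration are
# illustrative assumptions. Run with a Compliance Administrator role, in a test tenant first.

Connect-IPPSSession   # Security & Compliance PowerShell endpoint

# 1) Retention POLICY: auto-applied to everything in the chosen locations; no user action.
#    Retain for 7 years from last modification, then delete.
New-RetentionCompliancePolicy -Name 'Baseline retain 7y' -Enabled $true `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All
New-RetentionComplianceRule -Name 'Retain 7y then delete' -Policy 'Baseline retain 7y' `
    -RetentionDuration 2555 -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# 2) Retention LABEL: does nothing until a user (or an auto-apply rule) tags content with it.
#    Declared as a record so labeled items become immutable, which is what the page
#    describes records management as being for.
New-ComplianceTag -Name 'Financial record' -IsRecordLabel $true `
    -RetentionAction KeepAndDelete -RetentionDuration 2555 -RetentionType ModificationAgeInDays `
    -Comment 'Regulatory financial records; retain 7 years from last change (assumed schedule)'

# Publishing the label only makes it available to users; it is NOT applied to anything yet.
New-RetentionCompliancePolicy -Name 'Publish Financial record label' -Enabled $true `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name 'Publish Financial record' `
    -Policy 'Publish Financial record label' -PublishComplianceTag 'Financial record'

# Verification a reviewer would run afterwards: what is actually in force, and where.
Get-RetentionCompliancePolicy -DistributionDetail | Select-Object Name, Enabled, DistributionStatus
Get-ComplianceTag | Select-Object Name, IsRecordLabel, RetentionAction, RetentionDuration
```

Note the asymmetry the page warns about: the first policy starts retaining (and preventing permanent deletion of) content as soon as distribution completes, whereas the label policy leaves every item untouched until someone applies the label. Neither one is a backup; a deleted-then-retained item lives in the preservation holds location for discovery, not in a restorable point-in-time copy.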
Data classification is a focused term used in the fields of cybersecurity and information governance to describe the process of identifying, categorizing, and protecting content according to its sensitivity or impact level. In its most basic form, data classification is a means of protecting your data from unauthorized disclosure, alteration, or destruction based on how sensitive or impactful it is.
Once data is classified, you can then create policies; sensitive data types, trainable classifiers, and sensitivity labels function as inputs to policies. Policies define behaviors, like if there will be a default label, if labeling is mandatory, what locations the label will be applied to, and under what conditions. A policy is created when you configure Microsoft 365 to publish or automatically apply sensitive information types, trainable classifiers, or labels.
Sensitivity label policies show one or more labels to Office apps (like Outlook and Word), SharePoint sites, and Office 365 groups. Once published, users can apply the labels to protect their content.
Data loss prevention (DLP) policies help identify and protect your organization's sensitive info (Microsoft Docs, April 2022). For example, you can set up policies to help make sure information in email and documents is not shared with the wrong people. DLP policies can use sensitive information types and retention labels to identify content containing information that might need protection.
Retention policies and retention label policies help you keep what you want and get rid of what you do not. They also play a significant role in records management.
Label picker as users see it (figure; the original layout did not survive):
Label options: Internal Personal, Employment, and Job Performance Data; Confidential Information; Internal Data; Public Data
Privacy: Public | Private
External guest policy: Allowed | Not Allowed
What users will see when they create or label a Team/Group/Site
(Source: Microsoft, “Microsoft Purview compliance portal”)
Data Protection Baseline
“Microsoft provides a default assessment in Compliance Manager for the Microsoft 365 data protection baseline” (Microsoft Docs, June 2022). This baseline assessment has a set of controls for key regulations and standards for data protection and general data governance. This baseline draws elements primarily from NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and ISO (International Organization for Standardization) as well as from FedRAMP (Federal Risk and Authorization Management Program) and GDPR (General Data Protection Regulation of the European Union).
Security Baseline
The final stage in M365 governance is security. You need to implement a governance policy that clearly defines storage locations for certain types of data and who has permission to access it. You need to record and track who accesses content and how they share it externally. “Part of your process should involve monitoring unusual external sharing to ensure staff only share documents that they are allowed to” (Rencore, 2021).
Security: MFA or SSO to access from anywhere, on any device; banned password list; BYOD sync with corporate network
Users: Sign out inactive users automatically; enable guest users; external sharing; block client forwarding rules
Resources: Account lockout threshold; OneDrive; SharePoint
Controls: Sensitivity labels, retention labels and policies, DLP; mobile application management policy
Sensitivity Profiles: Public, Internal, Confidential; Subcategory: Highly Confidential

| Sensitivity | Public | External Collaboration | Internal | Highly Confidential |
|---|---|---|---|---|
| Description | Data that is specifically prepared for public consumption | Not approved for public consumption, but OK for external collaboration | External collaboration highly discouraged and must be justified | Data of the highest sensitivity: avoid oversharing, internal collaboration only |
| Label details | | | | |
| Teams or Site details | Public Team or Site: open discovery, guests are allowed | Private Team or Site: members are invited, guests are allowed | Private Team or Site: members are invited, guests are not allowed | |
| DLP | None | Warn | Block | |
Please Note: Global/Compliance Admins go to the 365 Groups platform, the compliance center (Purview), and Teams services (Source: Microsoft Documentation, “Microsoft Purview compliance documentation”)
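The chain described earlier (classify, then let labels and sensitive information types feed policies, then let DLP act on them) and the four-profile table above come together in one provisioning script. This is an added example, not code from the Info-Tech page or from Microsoft's documentation; it uses Security & Compliance PowerShell (the ExchangeOnlineManagement module). The label tooltips, the policy names, and the reading of the DLP row as Warn for External Collaboration and Block for both Internal and Highly Confidential are assumptions made for the example.

```powershell
# Added example (not from the Info-Tech page or Microsoft's docs): provisions the four
# sensitivity profiles from the table above and wires DLP to them, using Security &
# Compliance PowerShell (ExchangeOnlineManagement module). Tooltips, policy names and the
# Warn/Block mapping for the Internal and Highly Confidential columns are assumptions.
# Requires a Compliance Administrator role; run in a test tenant before production.

Connect-IPPSSession   # Security & Compliance PowerShell endpoint

# Profile definitions mirror the table: Team/Site privacy and guest access per label.
$profiles = @(
    @{ Name = 'Public';                 Privacy = 'Public';  Guests = $true;  Tip = 'Prepared for public consumption' },
    @{ Name = 'External Collaboration'; Privacy = 'Private'; Guests = $true;  Tip = 'Not public, OK for external collaboration' },
    @{ Name = 'Internal';               Privacy = 'Private'; Guests = $false; Tip = 'External collaboration must be justified' },
    @{ Name = 'Highly Confidential';    Privacy = 'Private'; Guests = $false; Tip = 'Internal collaboration only; avoid oversharing' }
)

foreach ($p in $profiles) {
    # Create each label only if it does not already exist, so the script can be re-run.
    if (-not (Get-Label -Identity $p.Name -ErrorAction SilentlyContinue)) {
        New-Label -Name $p.Name -DisplayName $p.Name -Tooltip $p.Tip `
            -ContentType 'File, Email, Site, UnifiedGroup' `
            -SiteAndGroupProtectionEnabled $true `
            -SiteAndGroupProtectionPrivacy $p.Privacy `
            -SiteAndGroupProtectionAllowAccessToGuestUsers $p.Guests `
            -SiteAndGroupProtectionAllowEmailFromGuestUsers $p.Guests | Out-Null
    }
}

# Publish all four labels to the workload containers the page lists (Exchange, SharePoint,
# OneDrive, Microsoft 365 Groups). Mandatory labeling plus a justification for downgrades
# is a "forced policy" in the page's vocabulary: the control, not a written rule, enforces it.
New-LabelPolicy -Name 'Org sensitivity labels' -Labels $profiles.Name `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All `
    -AdvancedSettings @{ mandatory = 'true'; requiredowngradejustification = 'true' }

# DLP row of the table. Start in test mode with notifications so the rules can be observed
# before they block anyone; switch to -Mode Enable once the hit rate looks right.
New-DlpCompliancePolicy -Name 'Sensitivity-driven DLP' -Mode TestWithNotifications `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All

# Condition "content carries this sensitivity label" (hashtable shape used by
# -ContentContainsSensitiveInformation for label-based conditions).
function Get-LabelCondition([string]$LabelName) {
    @{ operator = 'And'; groups = @(@{ operator = 'Or'; name = 'lbl'; labels = @(@{ name = $LabelName; type = 'Sensitivity' }) }) }
}

# Warn: policy tip to the owner when labeled content leaves the organization, no block.
New-DlpComplianceRule -Name 'Warn - External Collaboration' -Policy 'Sensitivity-driven DLP' `
    -ContentContainsSensitiveInformation (Get-LabelCondition 'External Collaboration') `
    -AccessScope NotInOrganization -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'Sharing externally: confirm the recipient is an approved partner.'

# Block: external access is refused outright for Internal and Highly Confidential content.
foreach ($lbl in 'Internal', 'Highly Confidential') {
    New-DlpComplianceRule -Name "Block - $lbl" -Policy 'Sensitivity-driven DLP' `
        -ContentContainsSensitiveInformation (Get-LabelCondition $lbl) `
        -AccessScope NotInOrganization -BlockAccess $true -BlockAccessScope All `
        -NotifyUser Owner -NotifyPolicyTipCustomText "$lbl content cannot be shared outside the organization."
}
```

Two design points worth keeping: the label is the only input to the DLP rules, so the classification decision is made once (at labeling time) and every downstream control keys off it, which is the page's argument for treating classification as the linchpin; and the DLP policy is created in test mode so that the warn/block split in the table can be validated against real sharing activity before it is enforced.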
PRIMARY ACTIVITIES
Define Your Governance: The objective of the MVP is reducing barriers to establishing an initial governance position, and then enabling rapid progression of the solution to address a variety of tangible risks, including DLP, data retention, legal holds, and labeling. Decide on your classification labels early.
CATEGORIZATION | CLASSIFICATION | MVP (diagram column labels; the original figure layout did not survive)
Data Discovery and Management: AIP (Azure Information Protection) scanner helps discover, classify, label, and protect sensitive information in on-premises file servers. You can run the scanner and get immediate insight into risks with on-premises data.
Baseline Setup: Building baseline profiles will be a part of your MVP. You will understand what type of information you are addressing and label it accordingly. Microsoft provides a default assessment in Compliance Manager for the Microsoft 365 data protection baseline.
Default M365 settings: Microsoft provides a default assessment in Compliance Manager for the Microsoft 365 data protection baseline. This baseline assessment has a set of controls for key regulations and standards for data protection and general data governance.
SUPPORT ACTIVITIES
Retention Policy: Retention policy is auto-applied. Decide whether to retain content, delete content, or retain and then delete the content.
Sensitivity Labels: Automatically enforce policies on groups through labels; classify groups.
Workload Containers: M365: SharePoint, Teams, OneDrive, and Exchange, where your data is stored for labels and policies.
Unforced Policies: Written policies that are not enforceable by controls in Compliance Manager, such as an acceptable use policy.
Forced Policies: Restrict sharing controls to outside organizations. Enforce a prefix or suffix on group or team names.
Office 365 is as difficult to wrangle as it is valuable. Leverage best practices to produce governance outcomes aligned with your goals.
Map your organizational goals to the administration features available in the Office 365 console. Your governance should reflect your requirements.
Jumping into an Office 365 migration project without careful thought of the risks of a cloud migration will lead to project halt and interruption. Intentionally plan in order to expose risk and to develop project foresight for a smooth migration.
Remote work calls for leveraging your Office 365 license to use Microsoft Teams – but IT is unsure about best practices for governance and permissions. Moreover, IT has few resources to help train end users with Teams best practices.
IT Governance, Risk & Compliance
Several blueprints are available on a broader topic of governance, from Make Your IT Governance Adaptable to Improve IT Governance to Drive Business Results and Build an IT Risk Management Program.
“Best practices for sharing files and folders with unauthenticated users.” Microsoft Build, 28 April 2022. Accessed 2 April 2022.
“Build and manage assessments in Compliance Manager.” Microsoft Docs, 15 June 2022. Web.
“Building a modern workplace with Microsoft 365.” Microsoft Inside Track, n.d. Web.
Crane, Robert. “June 2020 Microsoft 365 Need to Know Webinar.” CIAOPS, SlideShare, 26 June 2020. Web.
“Data Classification: Overview, Types, and Examples.” Simplilearn, 27 Dec. 2021. Accessed 11 April 2022.
“Data loss prevention in Exchange Online.” Microsoft Docs, 19 April 2022. Web.
Davies, Nahla. “5 Common Data Governance Challenges (and How to Overcome Them).” Dataversity, 25 October 2021. Accessed 5 April 2022.
“Default labels and policies to protect your data.” Microsoft Build, April 2022. Accessed 3 April 2022.
M., Peter. “Guide: The difference between Microsoft Backup and Retention.” AvePoint Blog, 9 Oct. 2021. Accessed 4 April 2022.
Meyer, Guillaume. “Sensitivity Labels: What They Are, Why You Need Them, and How to Apply Them.” nBold, 6 October 2021. Accessed 2 April 2022.
“Microsoft 365 guidance for security & compliance.” Microsoft, 27 April 2022. Accessed 28 April 2022.
“Microsoft Purview compliance portal.” Microsoft, 19 April 2022. Accessed 22 April 2022.
“Microsoft Purview compliance documentation.” Microsoft, n.d. Accessed 22 April 2022.
“Microsoft Trust Center: Products and services that run on trust.” Microsoft, 2022. Accessed 3 April 2022.
“Protect your sensitive data with Microsoft Purview.” Microsoft Build, April 2022. Accessed 3 April 2022.
Zimmergren, Tobias. “4 steps to successful cloud governance in Office 365.” Rencore, 9 Sept. 2021. Accessed 5 April 2022.