Microsoft SC-900 – Module 4 : Describe the capabilities of Microsoft compliance solutions part 3

18. Retention Polices and Retention Labels

There are situations when labels and policies needs to be kept only for certain duration of time, and then they need to be permanently deleted. That’s when retention labels and policies will help organization to do just that. Applying retention labels and assigning retention policies help organizations to comply proactively with industry regulations, relations and internal policies. It can also reduce risk when there is litigation or a security breach. At times, it will also ensure users work with content that’s current and relevant to them. So when content has retention settings assigned, it stays in its original location. People can continue to work with the documents and mails as if nothing has changed.

But if they edit it or delete content that’s included in the retention policy, a copy is automatically kept in a secure location. The secure locations and the retained content are not visible to most people. In most cases, people don’t even know that their content is subject to retention settings. Most of the applications today support retention settings, and those applications are SharePoint OneDrive, Microsoft Teams, Yammer and Exchange. So remember that when you’re using retention policies and retention labels to assign retention settings to the content, there are some points to understand about each one of them. Let’s talk about retention policies first.

Retention policies are used to assign the same retention settings to a content at a site level or a mailbox level a single policy, although it can be applied to multiple locations or even to specific locations or users. And this is where the items may inherit the retention settings from their container specified in the retention policy. So that means that if a policy is configured to keep content and an item is then moved outside that container, a copy of the item is kept in the workload’s secure location. However, the retention settings do not travel with the content in its new location. Talking about retention labels retention labels are used to assign retention settings at an item level. For example, a folder or document or an email. An email or a document can only have a single retention label assigned to it at a time.

Retention settings from retention labels travel with the content if it’s moved to a different location within your Microsoft 365. Tenant Administrators can enable users in the organizations to apply a retention label manually. Also, a retention label can be applied automatically if it matches defined conditions. A default label can be applied for SharePoint documents. Plus, the retention labels support disposition review to review the content before it permanently is deleted. Think about various scenarios. So if all the documents in the SharePoint side were kept for five years, it’s more efficient to do with a retention policy than apply the same retention label to all the documents in that site.

However, think about a scenario where some documents in that site should be kept for five years and others are there for ten years. You would need to apply a policy to the SharePoint site with a retention period of five years. You then apply a retention label to individual item with a retention setting of ten years. With that comes another important point in discussion records management. So we are thinking about legality, business criticality and other kinds of records that are very critical for regulatory purposes. How do you manage them? How do you label them? Let’s talk about that in the next section.

19. Records Management

Regardless of the size of the organization, they would need a solution to manage regulatory, legal and business critical records across their corporate data. Records management in Microsoft Three Six Five will help an organization look after the legal obligations’THE. Record management will be providing the various options to demonstrate compliance with regulations and increases the efficiency with regular disposition of items that are no longer required to be kept, no longer have value, or no longer required for business purposes. There are several capabilities of records management that include labeling content as a record, migrating and managing the retention plans with file Plan Manager.

How about establishing retention and deletion policies with the record label, triggering event based retention and reviewing and validating dispositions? There are other things like proof of record solution, exporting information about disposed items, setting specific permissions for record manager functions in the organization. So when the content is labeled as a record, lot of things happen, including restrictions are put in place to block certain activities. The audit logs are recorded, they are logged, and proof of disposition is kept at the end of the retention period. Items like documents and emails can then be marked as records based on their retention labels. Items might be marked as records, but they can also be shown as a regulatory record. Regulatory records provide different kinds of controls and restrictions.

Think about a regulatory label that cannot be removed when an item has been marked as a regulatory record. The retention periods cannot be made shorter after the label has been applied. The most important difference is that if the content has been marked as a regulatory record, nobody, not even the global administrator, can remove the label. Marking an item as a regulatory record can have irreversible consequences and should only be done when necessary. And this is the reason why this option is not available by default and has to be enabled by the administrator using PowerShell. This marks the end of this module. Let’s go ahead and summarize what we learned in this lesson. Thanks for watching so far and I’ll see you there.

20. Chapter Summary

In this lesson we looked at various Microsoft three six five capabilities like data classification, records management, data loss prevention, and these will help you provide information protection and information governance across an organization. Now, you can imagine what’s going to be the life of an Admin or an organization without these capabilities. Well, the organization information would be at a risk and it might not be compliant with legal and regulatory standards. However, by using these capabilities, organizations can provide information protection and governance to help avoid the risk of non compliance. What we learnt about here was data classification capabilities, records management, and data loss prevention. Thank you so far for listening to this. Let’s go ahead and understand the insider risk capabilities in Microsoft 365 in the next lesson.

21. The insider risk capabilities in Microsoft – Introduction

Who are insiders. Insiders are contractors or even your employees. Organizations understand that risk can come from either of them. There’s always a risk that people might share information with competitors after leaving the company. Organizations need to ensure that they are protected from these kind of risks. This lesson here is all about about the capabilities of Microsoft 365. For example, risk management, communication, compliance, information barriers, privileged access management, and customer lockbox. Now, these will help you protect against insider risks in your organization. After completing this lesson, you will be able to identify insider risks and take appropriate action using Microsoft 365. You’ll also know how Microsoft 365 helps organizations identify, investigate and remediate malicious activities in your organization.

22. Insider Risk management

What is insider risk management? This is a solution from Microsoft 365 that will let you cut down or minimize the internal risks by enabling an organization to detect, identify, investigate and also act on risky and malicious activities. Insider risk management is available in the Microsoft 365 Compliance Center. Managing and minimizing risk in an organization begins with understanding different types of risks that are found in today’s modern workspace. Now, certain risks are driven by external events, external factors, and these are outside the organization’s direct control. Where other risks are driven by internal employees internal events that can possibly be eliminated and avoided.

There are certain examples that are risks, for example, illegal activities, inappropriate unauthorized methods or unethical behaviors that are taken by employees and their managers. Now, these behaviors can possibly lead to a broad range of internal risks from employees. Let’s go ahead and talk about some of them.You can think about leaks of sensitive data and data spillage. There could be confidentiality violations. How about intellectual property theft, fraud, insider trading, regulatory compliance violations as well? Now think about insider risk Management as something that is preventing you against all these. The main reason is that the Insider Risk Management is centered around a couple of principles.

They are transparency and it means that there is a balance between users privacy versus organizations to risk with privacy. By design architecture, it is configurable based on industry, geographical and business groups as well. The Insider Risk Management tool integrates very well with various workflows across Microsoft 365 compliance solutions. You can definitely take actions and provide insights to enable user notifications, perform data investigations as well as user investigations. Let’s take a quick peek at Insider risk Management workflow in the next section. Thank you.

23. Insider Risk management Workflow

The Insider Risk Management Workflow we now know that insider risk management is helping organizations to identify, investigate and address internal risks. But how is this possible? Well, you will have several kind of templates comprehensive activity signaling across Microsoft 365 as well as a workflow that an organization can take advantage of and help identify and resolve risky behaviors. Quickly identifying and resolving internal risk activities and compliance issues with insider Risk Management in Microsoft 365 is achieved with the workflow as described here. So you got policies, alerts, triage, investigate. And action. Policies is where you have predefined templates. And there are policy conditions that define what risk indicators are examined in Microsoft 365 feature areas.

And these conditions include how indicators are used for alerts, what users are included in the policy, which services are prioritized, and the monitoring time period as well, which defines how long do you want to monitor it? The next section alerts is automatically generated by risk indicators and now these are matching policy conditions.They are displayed on the alerts dashboard and this dashboard will be quickly enabling you to see all the alerts that are required over a period of time and statistics as well for the organization in a graphical manner. Triage there will be new activities that need investigation, there will be automatic generated alerts that will be looked at by the reviewers.

Well, reviewers in the organization can quickly identify these alerts, look at each one of them, evaluate and then do the triage. So alerts are resolved by opening a new case and assigning the alert to existing case, or probably you can just dismiss the alert as well investigation now this is where the cases are created for alerts that require deeper review, deeper investigation and the circumstances that do not have a policy match. This is the area where you will have risk activities, policy conditions, alert details and user details. These are all synthesized into an integrated view for the reviewers so that you don’t have to jump around multiple screens. Finally the action. So after the case is investigated, reviewers can quickly action to resolve the case or collaborate with other risk stakeholders within the organization.

24. Communications Compliance

The communication compliance in Microsoft Three Six Five will be helping you cutting down and minimize the communication risks by enabling organizations to detect certain inappropriate messages. It will be able to capture such messages and take remediation actions. So if people are sending messages back and forth on teams or any other internal tool, then Microsoft Three Six Five Compliance Center can take an action as well. There are predefined and custom policies in the communication compliance that will make it possible to scan internal and external communications for the policy it matches and they can then be examined by chosen reviewers. Identifying and Resolving Compliance Issues with compliance manager in Office Three Six Five or Microsoft Three Six Five uses something like a workflow, so you got configure, investigate, remediate and monitor the first step in the configuration phase. Admins will be identifying the compliance requirements so they’ll be working a lot with the HR and the legal team and then configure applicable communication compliance policies.

Once that is set up, it’s time to investigate. Administrators can take a deeper look into issues that are detected when matching your communication. The compliance policies are looked at. There are tools and steps as well within that which will help you include the alerts issue management as well with the help of remediation document reviews and the user history option as well. And finally, the remediation will happen with compliance issues options including resolving an alert, tagging a message or notifying a personnel escalating to another reviewer or for a peer review or marking an alert as false positive, removing a message from the teams if that message is inappropriate and escalating for investigation or various options available as part of remediation monitoring.

Now that is done to keep track of the compliance issues which are identified by the communication compliance policies. As a result of monitoring, you will have logs and you will have a wide variety of options as well, including the monitoring dashboard. You can export the logs, you have a unified audit log option. In order to continuously evaluate and improve your compliance posture. Communication compliance will be enabling reviewers to investigate scanned emails and messages across Microsoft Teams, exchange, online Yammer or any other third party communications in the organization. So we now know that compliance manager can look at various things within the organization. It will be helping you adhere to the corporate policies, risk management as well as regulatory compliance.

Now what will be there on the corporate policies? Well, users are supposed to follow certain corporate policies, for example, how are they supposed to use the tools, for example, Microsoft Teams? What should be the ethics for day to day business communications? Are there any potential concerns of offensive language usage or possible harassment? Now these are the things that are defined in corporate policies when it comes to risk management. The communication compliance can help understand how you can protect against possible confidential information leakage, for example, acquisitions or high profile employees leaking earnings disclosures and other such information. The regulatory compliance is about how you should be running your day to day operations.

For example, if you’re working in a financial sector, there is a possibility that the employees are talking about potential insider trading. So how do you safeguard against it? There could be possible money laundering or bribery. It’s paramount that we focus on such areas as well. Communication compliance will be helping the organization to scan through such kind of communications happening report on these type of channels in a way that it meets the requirements. All in all, communication compliance is a powerful tool that will help you maintain and safeguard your employees data and your organization.

25. Information barriers in Microsoft Teams

If you would like to prevent individuals or groups from communicating with each other, you need to have some kind of a barrier. That barrier in Microsoft teams is called as information barrier. Information barriers are useful if, for example, one department is handling information that should not be shared with other departments. When do you think that will be helpful? Well, that’s for comparison compliance purposes, isn’t it? Now information barriers are useful when groups needs to be isolated to do their own activities or tasks are totally prevented from communicating with anyone outside of that group. With information barriers you can have different kinds of policies. Policies like you can prevent from searching for a user, maybe adding a member to the team.

You can also prevent from starting a chat session with somebody, or starting a group chat or invite somebody to join a meeting. You can also prevent from sharing a screen or placing a phone call or sharing a file with another user. You can also get it to a level where you can prevent access to files through sharing links. So if the people involved are included in the information barrier policy to prevent that activity, they will not be able to continue these kind of activities. Potentially everybody included in an information barrier policy can be blocked from communicating with each other in Microsoft teams. You can think about a financial services industry.

They are highly regulated. They are governed by legal restrictions where there is always a conflict of interest within member forms. Other use case scenarios are education where students in one school should not be able to look up contact details for students in another school. Think about legal activities in this industry of legality, maintaining the confidentiality of data that is obtained by lawyer of one client and prevent it from being accessed by lawyer for the same firm who represents a different client. Think about government or professional services as well. This is about information barrier in Microsoft teams. Let’s go ahead and talk about privileged access management in the next section. Thanks for watching so far and I’ll see you in the next section.

26. Privileged Access Management

An administrator is privileged to do several tasks in Microsoft 365 console. These privileged access will sometimes lead to breaches. The Privileged Access Management will allow granular access control over privileged admin tasks in Microsoft 365. So it will help you protect from breaches that use existing Privilege admin accounts with access to sensitive data or access to critical configuration settings. So what you need to do is just go ahead and enable the Privileged Access Management in Microsoft 365 and thereby the organizations will have the ability to operate with Zero Standing Access. And that means that any user who needs privileged access must request for permissions for access and will receive only the level of access that they need to just get their job done.

What’s technically called as just NF access, Zero Standing Access provides a layer of protection against several administrative access vulnerabilities. The Privileged Access Management will require users to request Justintime access to complete elevated and privileged tasks through a highly scoped and time bound approval workflow. What does that mean? Well, the administrators will be able to configure a privileged access policy. So configuring an approval policy like that will allow the administrators to define the specific approval requirements that are scoped at individual tasks at a granular level access Request so users can request access to elevated or privileged tasks. That means that the Privileged Access feature will send the request to Microsoft 365 for processing against the configured Privileged Access Policy and will also record the activity in Security and Compliance Center logs.

And finally, the stage of Access approval. Now, this stage is generating an approval request and that means a pending request notification is emailed to the approvals. If it is approved, the Privileged access request is processed and the task is ready to complete. But if that is denied, the task is blocked and new access is generated to the requester. The requester is then notified of the request approval or denial via an email message. There’s another step here which is called as Access Processing. Now, for an approved request, the task is processed and that means that the approval is checked against the Privileged Access Policy and processed by Microsoft. All activities of the tasks are logged in the Security and Compliance Center.

At this point, I would also like to mention about Pam the privileged access management. Now, this sounds a lot like privileged identity management, which is Pam. So what’s the difference here? Well, the Privileged Access management Pam is defined and scoped at the task level, whereas the PIM applies protection at the role level with the ability to execute multiple tasks. Azure Adpim primarily allows managing access for ad roles and role groups, while the Pam, which is Privileged Access Management in Microsoft 365, applies only at a task level. So remember that PIM is for ad roles and groups, whereas Pam is applying at the task level or even at the granular task level at the resources. Let’s talk about customers lockbox in the next section.