Congratulations! You got your organization into the cloud with Microsoft 365. You’ve survived the planning sessions, seemingly endless whiteboards, change management, and finally, the migration itself. Even though Microsoft handles the maintenance of your environment, you still need to plan, configure, and implement proper governance to keep your organization’s data and intellectual property (IP) secure and compliant for privacy and industry regulations.
If you’re not sure whether you need proper governance and compliance, you need to ask yourself the following:
- Can you say that your Microsoft 365 is secure, compliant, trustworthy, and transparent?
- Does it take you less than an hour to compile all your Microsoft 365 compliance info, policies, and settings?
- Do you understand and know how to configure all the proper Microsoft 365 settings?
- Do you have all your necessary compliance information in one document?
If you answered No to any of these questions, then you need to come up with a plan.
In this article, we’ll discuss:
- What a governance and compliance roadmap entails.
- What Microsoft does for you and what you need to do for yourself.
- Who in your organization will need to provide you with input.
- What questions will need to be asked.
- And finally, the Microsoft 365 options that help you make sure that your organization is compliant and secure.
Let’s first look at the breakdown of responsibilities. Microsoft takes on and manages many of the controls for software-as-a-service (SaaS) offerings like Microsoft 365. By doing so, it enables you to focus on managing data protection and regulatory compliance controls that are specific to your needs.
Based on the shared-responsibility graphic above, your organization still needs to plan and configure the following:
- Access control to the production environment (identity and access management: who can sign in, with what authentication, and with which roles)
- Data protection (classifying information and protecting it, including encryption, as it travels between users)
- Personnel controls (your own staff: privileged roles, separation of duties, and training)
Who Needs to Be Involved?
Remember that even though you’ll be doing most of the configurations, you’re still going to need the input and expertise of many people throughout your organization. These will include IT, legal, HR, business management, and any other staff who initiate or handle audits.
Define Your Organization’s Data
Now that you have a high-level view of what you need to do and who needs to be involved, you’ll need to categorize your data and roles. Using categories to classify data protection levels allows you to map them to the personnel who need access and ultimately implement other governance features.
Microsoft recommends using these three tiers of protection for data and identities:
- Baseline protection
  - Internal public: data discoverable and accessible by anybody in the organization.
  - Private: data discoverable and accessible only by members who have been granted permission.
- Sensitive protection
- Highly confidential protection
Although the diagram above is specific to SharePoint, most of your non-email data will live in a SharePoint-backed Microsoft 365 service (SharePoint itself, Teams, and OneDrive), and the same content flows through Outlook email and Teams chat and meetings. The three tiers and their labels therefore apply to your whole Microsoft 365 governance roadmap, not just to SharePoint sites.
Here are some questions you’ll need to address while building your roadmap:
- How is data created or collected?
- How is data going to be used and maintained?
- Who is going to share this data, and with whom?
- What data can be shared internally and externally?
- What is protected personally identifiable information (PII)? And where is it currently located?
- What are our data portability and device policies? (Can employees access or move data from unmanaged, non-approved devices?)
- What are our data retention policies? (Data needed for audits/litigation.)
- What do we consider to be high-value assets, and who currently has access to them?
- Is e-discovery configured for potential legal matters?
- Have litigation hold and retention been configured?
- Is there content that needs to be marked as confidential (for example, content that must not be printed, copied, or screenshotted)?
- What data or communications need to be encrypted?
- Do we have security and compliance training for end users?
- Are we subject to regulatory or standards requirements such as HIPAA or ISO?
Get Your Secure Score
Once you’ve gathered all this information and have it documented, it’s time to get your Secure Score. Secure Score analyzes your organization’s security settings and regular activity in Microsoft 365 and turns them into a single number with a list of recommended actions.
If you have Microsoft 365 Enterprise or Microsoft 365 Business, you can view your organization’s score by going to the Secure Score site (historically the Office Secure Score site; it now lives as Microsoft Secure Score in the Microsoft Defender portal) or from the Security & Compliance Center. In Secure Score, you’ll see your current score on the Secure Score widget and have access to the Secure Score dashboard. Record the number and the date: this is the baseline against which you will measure yourself after each change.
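As an added example (not part of the original article), the following Microsoft Graph PowerShell script pulls the latest score and lists the controls with the most unclaimed points, so the baseline can be saved next to your roadmap documentation rather than read off a dashboard. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Security modules are installed and that the signed-in account can consent to the SecurityEvents.Read.All permission; the output file name is an arbitrary choice.

```powershell
# Added example, not from the original article: snapshot Microsoft Secure Score
# through Microsoft Graph so the baseline is documented and repeatable.
# Assumes Microsoft.Graph.Authentication and Microsoft.Graph.Security are
# installed and the account can consent to SecurityEvents.Read.All.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Security

Connect-MgGraph -Scopes "SecurityEvents.Read.All" -NoWelcome

# secureScores are returned newest first; -Top 1 is today's record.
$latest = Get-MgSecuritySecureScore -Top 1
$pct    = [math]::Round(100 * $latest.CurrentScore / $latest.MaxScore, 1)
"Secure Score on $($latest.CreatedDateTime): $($latest.CurrentScore) / $($latest.MaxScore) ($pct%)"

# The per-control maximum lives on the control profiles, not on the score
# record, so join the two on the control name to see where points are missing.
$maxByName = @{}
foreach ($p in Get-MgSecuritySecureScoreControlProfile -All) {
    $maxByName[$p.Id] = $p.MaxScore
}

$gaps = foreach ($c in $latest.ControlScores) {
    $max = $maxByName[$c.ControlName]
    if ($null -ne $max) {
        [pscustomobject]@{
            Control   = $c.ControlName
            Category  = $c.ControlCategory
            Earned    = [double]$c.Score
            Available = [double]$max
            Missing   = [double]$max - [double]$c.Score
        }
    }
}

# Ten controls with the most unclaimed points: the natural first entries
# on the roadmap's action list.
$gaps | Where-Object Missing -gt 0 | Sort-Object Missing -Descending |
    Select-Object -First 10 | Format-Table -AutoSize

# Keep the raw record with the roadmap document so later scores can be
# compared against the same baseline. File name is an arbitrary choice.
$latest | ConvertTo-Json -Depth 5 | Set-Content -Path ".\secure-score-baseline.json"
```

Run it again after each batch of configuration changes; diffing the saved JSON files shows which controls moved, which is the evidence an auditor will ask for.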
Action Your Roadmap
In the Security & Compliance Center, the left-hand navigation groups the work into security, data governance, and search and investigation. This is where you create, set up, and configure the following:
- Data labels and policies
- Data loss prevention (DLP)
- Data governance
- E-discovery and case management
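The portal is where most teams will do this, but every one of the items above can also be created from Security & Compliance PowerShell, which lets the configuration be reviewed and version-controlled like the rest of the roadmap. The following is an added example (not from the original article) that scaffolds the three protection tiers as sensitivity labels, a DLP policy that starts in test mode, a seven-year retention policy, and an eDiscovery case with a hold. It assumes the ExchangeOnlineManagement module is installed and the account holds the Compliance Administrator role; all policy names, the mailbox and site addresses, and the choice of the SSN sensitive-information type are illustrative.

```powershell
# Added example, not from the original article: scaffold the governance
# controls listed above from Security & Compliance PowerShell.
# Assumes ExchangeOnlineManagement is installed and the account is a
# Compliance Administrator. Names, addresses and the SSN type are illustrative.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession        # Security & Compliance PowerShell endpoint

# 1. Labels: one sensitivity label per protection tier, published to everyone.
#    Encryption and marking settings are left to the portal in this example.
$tiers = @(
    @{ Name = "Internal";            Tip = "Baseline: anyone in the organization" },
    @{ Name = "Sensitive";           Tip = "Sensitive: limited sharing, no external recipients" },
    @{ Name = "Highly-Confidential"; Tip = "Highly confidential: named people only" }
)
foreach ($t in $tiers) {
    if (-not (Get-Label -Identity $t.Name -ErrorAction SilentlyContinue)) {
        New-Label -Name $t.Name -DisplayName $t.Name -Tooltip $t.Tip | Out-Null
    }
}
if (-not (Get-LabelPolicy -Identity "Roadmap tier labels" -ErrorAction SilentlyContinue)) {
    New-LabelPolicy -Name "Roadmap tier labels" `
        -Labels "Internal","Sensitive","Highly-Confidential" -ExchangeLocation All | Out-Null
}

# 2. DLP: TestWithNotifications reports and notifies but does not block, so the
#    false-positive rate is known before -Mode is switched to Enable.
New-DlpCompliancePolicy -Name "PII - test mode" -Mode TestWithNotifications `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All | Out-Null
New-DlpComplianceRule -Name "PII - external sharing" -Policy "PII - test mode" `
    -ContentContainsSensitiveInformation @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" } `
    -AccessScope NotInOrganization -BlockAccess $true -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin | Out-Null

# 3. Retention: keep content seven years (2555 days) from last modification,
#    then delete it, across mail, sites and OneDrive.
New-RetentionCompliancePolicy -Name "Seven-year retention" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All | Out-Null
New-RetentionComplianceRule -Name "Seven-year retention rule" -Policy "Seven-year retention" `
    -RetentionDuration 2555 -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays | Out-Null

# 4. eDiscovery: open a case and hold a custodian's mailbox and a site.
#    With no -ContentMatchQuery the hold rule preserves all content.
$case = New-ComplianceCase -Name "Matter-0001"
New-CaseHoldPolicy -Name "Matter-0001 hold" -Case $case.Identity `
    -ExchangeLocation "custodian@contoso.example" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/Finance" | Out-Null
New-CaseHoldRule -Name "Matter-0001 hold rule" -Policy "Matter-0001 hold" | Out-Null
```

The DLP policy is deliberately created in test mode: blocking on day one tends to produce a flood of help-desk tickets and an exception process nobody governs. Review the incident reports for a few weeks, tune the rule, then change the mode.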
You also have access to the Microsoft Service Trust Portal and the Compliance Manager.
The Service Trust Portal is a repository containing all the details about controls and processes that protect your data. It also provides both industry- and region-specific compliance information. Choose your industry and region to get specific information about how the Microsoft Cloud services keep your organization compliant.
Industry options include Financial Services, among others.
The Compliance Manager is a risk assessment tool designed to help you manage the regulatory standards you need to maintain. It provides a single place to:
- View a dashboard of standards and regulations.
- Assess control implementation details and test results.
- Find control implementation guidance, among other features.
Microsoft 365 governance, compliance, and security are all broad topics, and we certainly haven’t addressed all of the details here. But hopefully, you’ve gained enough understanding to start your own security roadmap.
For more information and a full plan to implement the topics we covered here, be sure to take a look at Microsoft’s guide to security roadmapping in Microsoft 365.