Office 365 checklist for information governance - 7 questions you need to be able to answer
Updated: Sep 6, 2020
Office 365 information governance is about better managing information assets, not just ensuring compliance. Below, I have tried to summarize some of the most important requirements for improving information governance for Office 365 and beyond. This Office 365 checklist for information governance is part of the information management strategy that I addressed in a previous post.
Question 1: Are you able to ensure information availability, completeness, and trustworthiness?
The more content silos you have over the information lifecycle, the more difficult it is to ensure information availability, completeness, and trustworthiness. In the cloud era, it doesn't make sense to install a new information silo based on purpose (e.g. publish to web) or value (e.g. records management). Organizations instead need secure and compliant platforms that manage information, with apps and components on top. This reduces operational risks and costs. As an example, the annual cost of a leading legacy content management system for 2,000 staff is often higher than the annual cost of Microsoft E5 Advanced Compliance for 20,000 staff...
Question 2: Is it easy for users to find information per business unit, country, etc.?
Metadata is key to finding information, and without it, it will be difficult to find information per business unit, country, etc. in a cloud tenant. If you set default metadata on Office 365 sites, then information uploaded to or stored on these sites will automatically inherit the metadata. Search can then be configured for progressive filtering of search results using the metadata.
Question 3: Is it easy to identify the owner of Office 365 sites and files per business unit, country, etc.?
As above, you will need a site configuration solution for setting default metadata on sites, but also a site directory listing site owner, business unit, country, etc. The site configuration could be self-service, using Office 365 out-of-the-box Site Design and Logic App to put metadata and governance on sites created manually by staff, or automatic when creating Teams, Planner, Yammer, and Stream. Another option is to establish a corporate service to set up Office 365 sites for staff using the PnP framework.
Question 4: Are you able to ensure that important information is protected and secured?
Office 365 Sensitive Information Types, Retention Labels, Sensitivity Labels, and Data Loss Prevention are some of the Office 365 out-of-the-box E3 features that will help you protect and secure important information. Check out my previous post about this, and below is an image summarizing it.
Question 5: Are you able to stop users from sharing or downloading highly sensitive information?
Office 365 Sensitivity Labels can be manually or auto-applied to sensitive information for better protection, or you can use Office 365 Sensitive Information Types to automatically identify sensitive information such as credit card numbers, social security numbers, and passports using out-of-the-box or custom classifiers. Office 365 Sensitivity Labels enforce protection settings such as encryption or watermarks on labeled content, protect content in Office apps across different platforms and devices, and prevent sensitive content from leaving your organization on devices running Windows.
Question 6: Are you able to ensure compliance with relevant regulations, e.g. GDPR?
Users can manually apply Retention Labels to information, or you can automate this based on storage location, content, metadata, and/or machine learning. A Retention Label for records management locks and retains the information as required, and also ensures deletion at the end of the retention period when required. This ensures compliance with e.g. GDPR requirements for data minimization and storage limitation.
Question 7: Are you able to discover relevant information in a timely manner to support your litigation processes?
Office 365 comes with a lot of out-of-the-box features to support the discovery of relevant information, e.g. eDiscovery and GDPR subject access requests. Establish a process for handling this using the Microsoft Compliance Center. Use Microsoft 365 Compliance Content Search to find all relevant information across your tenant in support of litigation or to establish a Legal Hold on information. For GDPR subject access requests, use Microsoft 365 Compliance Center Data Subject Request to log, search, and respond to requests from people wanting to know what data you hold about them.
Feel free to contact us if you need help establishing an information governance and protection strategy for Office 365 and beyond.