Office 365 Data Compliance features
Updated: Mar 22
Microsoft Office 365 has a lot of tools to ensure compliance, and I will in this blog post cover some of the most important ones.
When you first visit the Microsoft 365 Compliance Center, the card section on the home page shows you at a glance how your organization is doing with data compliance, what solutions are available for your organization, and a summary of any active alerts. From here, you can review the Microsoft Compliance Score card, which leads you to the new Compliance Score solution (currently in preview). It calculates a risk-based score that measures your progress toward completing recommended actions that help reduce risks around data protection and regulatory standards. It also provides workflow capabilities and built-in control mapping to help you efficiently carry out those actions.
Here are some of the Microsoft 365 Compliance Center tools you have available for ensuring compliance:
Information protection - Discover, classify, and protect sensitive and business critical content throughout its lifecycle across your organization.
Data loss prevention - Detect sensitive content as it's used and shared throughout your organization, in the cloud and on devices, and helps prevent accidental data loss.
Records management - Automate and simplify the retention schedule for regulatory, legal and business-critical records in your organization.
Data subject requests - Find and export a user’s personal data to help you respond to data subject requests for GDPR.
Content search - Use Content search to quickly find email in Exchange mailboxes, documents in SharePoint sites and OneDrive locations, and instant messaging conversations in Microsoft Teams and Skype for Business.
Audit - Use the Audit log to investigate common support and compliance issues.
eDiscovery- Expand this section to use the core and Advanced eDiscovery for preserving, collecting, reviewing, analyzing, and exporting content that's responsive to your organization's internal and external investigations.
Data investigations - Search across content locations to identify sensitive, malicious, or misplaced data across Microsoft 365 so you can investigate and remediate any incidents, such as data spillage.
Communication compliance - Minimize communication risks by automatically capturing inappropriate messages, investigating possible policy violations, and taking steps to remediate.
Let us do a deep-dive into the most important functionality for ensuring compliance.
Microsoft 365 Retention Labels
With retention labels, you can classify data across your organization for governance, and enforce retention rules based on that classification
Enable people in your organization to apply a retention label manually to content in Outlook on the web, Outlook 2010 and later, OneDrive, SharePoint, and Office 365 groups.
Advanced Data Governance to apply retention labels to content automatically if it matches specific conditions, such as when the content contains: 1) Specific types of sensitive information. 2) Specific metadata or keywords that match a query you create.
Apply a default retention label to a document library in SharePoint and Office 365 group sites, so that all documents in that library get the default retention label.
Implement records management across Office 365, including both email and documents. You can use a retention label to classify content as a record. When this happens, the label can't be changed or removed, and the content can't be edited or deleted.
Microsoft 365 Retention Policies
With a retention policy, you can:
Decide proactively whether to retain content, delete content, or both - retain and then delete the content.
Apply a single policy to the entire organization or specific locations or users.
Apply a policy to all content or content meeting certain conditions, such as content containing specific keywords or specific types of sensitive information.
When content is subject to a retention policy, people can continue to edit and work with the content as if nothing's changed because the content is retained in place, in its original location.
But if someone edits or deletes content that's subject to the policy, a copy is saved to a secure location where it's retained while the policy is in effect.
Retention policies can be used to automatically delete draft content after X months/years (not implemented at Equinor)
Ensure we retain records as long as required based on business and legal requirements (see later slides)
Teams conversations are persistent and retained forever by default. With the introduction of retention policies, admins can configure retention policies (both preservation and deletion) in the Security & Compliance Center for Teams chat and channel messages
Microsoft 365 Sensitivity Labels
You can use sensitivity labels to:
Enforce protection settings such as encryption or watermarks on labeled content.
Protect content in Office apps across different platforms and devices
Prevent sensitive content from leaving your organization on devices running Windows
Classify content without using any protection settings
Additional security modules allows you to use the label definitions to automatically find and apply labels to content that matches the conditions you define.
Keyword-based search for data, e.g. content with the word “confidential”. This works across Exchange, SharePoint Online, OneDrive for Business and data within Office 365 groups.
Sensitive information types, e.g. a NI number, passport number, credit card number. There are built-in sensitive information types to match a large number of global types, and if needed you can define and upload your own types.
Microsoft 365 Data Loss Prevention (DLP)
To comply with business standards and industry regulations, organizations must protect sensitive information and prevent its inadvertent disclosure.
Sensitive information can include financial data or personally identifiable information (PII) such as credit card numbers, social security numbers, or health records.
With a data loss prevention (DLP) policy in the Microsoft 365 Compliance Center, you can identify, monitor, and automatically protect sensitive information across Office 365.
Identify sensitive information across many locations, such as Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Team
Prevent the accidental sharing of sensitive information
Monitor and protect sensitive information in the desktop versions of Excel, PowerPoint, and Word
Help users learn how to stay compliant without interrupting their workflow
View DLP reports showing content that matches your organization's DLP policies
Microsoft 365 has three ways to classify content.
Manually - This method requires human judgment and action. An admin may either use the pre-existing labels and sensitive information types or create their own and then publish them. Users and admins apply them to content as they encounter it. You can then protect the content and manage its disposition.
Automated pattern matching - This category of classification mechanisms includes finding content by:
keywords or metadata values (keyword query language)
using previously identified patterns of sensitive information like social security, credit card or bank account numbers (sensitive information types)
Recognizing an item because it's a variation on a template (document finger printing) - currently in preview
using the presence of exact strings (exact data match).
Machine learning with Trainable classifiers - This classification method is particularly well suited to content that isn't easily identified by either the manual or automated pattern matching methods. This method of classification is more about training a classifier to identify an item based on what the item is, not by elements that are in the item (pattern matching). A classifier learns how to identify a type of content by looking at hundreds of examples of the content you're interested in classifying. You start by feeding it examples that are definitely in the category. Once it processes those, you test it by giving it a mix of both matching and non-matching examples. The classifier then makes predictions as to whether any given item falls into the category you're building. You then confirm its results, sorting out the positives, negatives, false positives, and false negatives to help increase the accuracy of its predictions. When you publish the trained classifier, it sorts through items in locations like SharePoint Online, Exchange, and OneDrive, and classifies the content.
Microsoft 365 comes with six ready to use classifiers:
Offensive Language: detects text items that contain profanities, slurs, taunts, and disguised expressions (which are expressions that have the same meaning as a more offensive term).
Resumes: detects items that are textual accounts of an applicant's personal, educational, professional qualifications, work experience, and other personally identifying information.
SourceCode: detects items that contain a set of instructions and statements written in widely used computer programming languages.
Harassment: detects a specific category of offensive language text items related to offensive conduct targeting one or multiple individuals based on the following traits: race, ethnicity, religion, national origin, gender, sexual orientation, age, disability.
Profanity: detects a specific category of offensive language text items that contain expressions that embarrass most people.
Threat: detects a specific category of offensive language text items related to threats to commit violence or do physical harm or damage to a person or property.
Use trainable auto-classifiers when one of the out of the box classifiers won't meet your needs.
Microsoft 365 classifier is a tool you can train to recognize various types of content by giving it samples to look at.
Training the classifier involves first giving it samples that are human picked and positively match the category.
You need to have at least 50 positive samples and as many as 500. The trainable classifier will process up to the 500 most recent created samples (by file created date/time stamp). The more samples you provide, the more accurate the predictions the classifier will make.
Then, after it has processed those, you test the predictions by giving it a mix of positive and negative samples.
The trainable classifier uses this feedback to improve its prediction model.
Creating and publishing a trainable classifier for use in compliance solutions, such as retention policies and communication supervision, follows this flow.
Feel free to contact us to discuss this in more detail or for a demonstration.
Images are courtesy of Microsoft.