Date posted: 19-Dec-2015
Compliance in Office 365
Edge Pereira
Sandy Millar
From Avanade Australia
OSS304
Introduction
“Faced with never-ending and expanding regulatory and industry mandates, organizations invest tremendous amounts of energy on audit, compliance, controls, and (in some cases) risk management. At the same time, they seek to free staff resources from mundane tasks such as evidence gathering and simple reporting.”
Source: Gartner Report: IT Governance, Risk, and Compliance Management Solutions, http://www.gartner.com/resId=1884814
Why are we here?
• What is compliance?
• What does it mean to an ITPro?
• How can Office 365 help you?
• How to enable compliance controls?
Compliance – What is it?
Australian Standard AS 3806-2006
“The Standard provides principles for the development, implementation and maintenance of effective compliance programs within both public and private organisations. These principles are intended to help organisations identify and remedy any deficiencies in their compliance with laws, regulation and codes, and develop process for continual improvement in this area.”
Why do we need to take compliance seriously?
Areas that fall into compliance scope:
• Integrity and anti-fraud
• Bribery and corruption regulation
• Anti-trust and competition regulation
• Privacy regulation
What does this mean to your organisation?
Levels and activities are driven by many factors, for example:
• Public or private sector
• Industry vertical
• Business activities
• Geography
• Laws or regulation
Example: Avanade
Legislation
• Privacy Act 1988
• Privacy Amendment (Enhancing Privacy Protection) Act 2012
Customer Data Protection Program (CDP)
• Industry-leading CDP Program to implement appropriate controls
• Internal data management and security policies
• Privacy policy
Customer
• Avanade works with customers to take customer-specific concerns and policies into account
So what is Microsoft doing?
Office 365 includes many features that support compliance processes, including:
• Data Loss Prevention
• eDiscovery
• Information Management Policies
• Auditing
• Records Management
• RBAC
• Encryption
Two faces of compliance in Office 365
Built-in Office 365 capabilities (global compliance):
• Access Control
• Auditing and Logging
• Continuity Planning
• Incident Response
• Risk Assessment
• Communications Protection
• Identification and Authorisation
• Information Integrity
• Awareness and Training
Customer controls for compliance with internal policies:
• Data Loss Prevention
• Archiving
• eDiscovery
• Encryption
• S/MIME
• Legal Hold
• Rights Management
In practice, it looks like this
What does your organisation get?
• Independent verification
• Regulatory compliance
• Peace of mind
• Improved governance
• Better risk management
• Avoiding prosecution
So what does all that boil down to for ITPros? It is all about customer controls!
Remembering
“A control is a process, function, in fact anything that supports maintaining compliance”
Let's look at Office 365 customer controls
Identify Monitor Protect Educate
Data Loss Prevention
What is meant by Data Loss Prevention?
“Data loss/leak prevention solution is a system that is designed to detect potential data breach / data ex-filtration transmissions and prevent them by monitoring, detecting and blocking sensitive data while in-use (endpoint actions), in-motion (network traffic), and at-rest (data storage).”[1]
[1] http://en.wikipedia.org/wiki/Data_loss_prevention_software
Good definition: http://csrc.nist.gov/groups/SNS/rbac/documents/data-loss.pdf
In-use controls (end-point)
• Operating System and Apps fully patched and up to date
• End-point security tools installed and correctly configured
• Firewall enabled and correctly configured
• Access to required applications only
• Access to “need to know” data
• Compliance Adherence Monitoring
At-rest controls
• Secure Connections - SSL
• Encryption - Transparent Data Encryption
• Auditing
• Information Management Policies (Retention)
• Access control
In-motion controls (email)
Create a DLP Policy
• From a built-in template
• Build own customised policy
• Import a pre-built policy
Apply DLP Policy
Manage and report
Australian DLP Policies provided by Microsoft:
• Financial Data (credit cards and SWIFT codes)
• Health Records Act - HRIP Act (medical account number and TFN)
• Personally Identifiable Information (PII) Data (TFN, driver's license)
• Privacy Act (driver's license and passport number)
Country | PII | Financial
USA | US State Security Breach Laws, US State Social Security Laws, COPPA | GLBA & PCI-DSS (Credit, Debit Card, Checking and Savings, ABA, Swift Code)
Germany | EU data protection, Drivers License, Passport, National Id | EU Credit, Debit Card, IBAN, VAT, BIC, Swift Code
UK | Data Protection Act, UK National Insurance, Tax Id, UK Driver License, Passport | EU Credit, Debit Card, IBAN, BIC, VAT, Swift Code
Canada | PIPED Act, Social Insurance, Drivers License | Credit Card, Swift Code
France | EU data protection, Data Protection Act, National Id (INSEE), Drivers License, Passport | EU Credit, Debit Card, IBAN, BIC, VAT, Swift Code
Japan | PIPA, Resident Registration, Social Insurance, Passport, Driving License | Credit Card, Bank Account, Swift Code
Health (all countries): Limited investment - US HIPAA, UK Health Service, Canada Health Insurance card; rely on partners and ISVs
Built-in DLP content areas
Establishing DLP
Design and implement
• Determine sensitive information types and related policies or regulations
• Establish policies to protect sensitive data
• Implement Office 365 DLP features
Operate
• Detect sensitive data in email
• Detect sensitive data with document fingerprinting
• User awareness with Outlook Policy tips
Australian sensitive information types provided by Microsoft
• Bank Account Number
• Driver's License Number
• Medicare Account Number
• Passport Number
• Tax File Number
DEMO: Data Loss Prevention
Protect communications: Basic level of built-in anti-malware and enhanced spam filtering to help protect your email environment from threats
Summary - Data Loss Prevention
Enforce policy: Data loss prevention (DLP) controls that can detect sensitive data in email before it is sent and automatically block, hold or notify the sender
Simplify management: Unified administration of anti-spam, anti-malware and data loss prevention within Exchange
eDiscovery
What do we mean by eDiscovery?
“Electronic discovery (or e-discovery or eDiscovery) refers to discovery in civil litigation or government investigations which deals with the exchange of information in electronic format (often referred to as electronically stored information or ESI).”[2]
[2] Wikipedia (http://en.wikipedia.org/wiki/Electronic_discovery)
eDiscovery Process
DISCOVERY: Find relevant content (documents, emails, Lync conversations)
PRESERVATION: Place content on legal hold to prevent content modification and/or removal
COLLECTION: Collect and send relevant content for processing
PROCESSING: Prepare files for review
REVIEW: Lawyers determine which content will be supplied to opposition
PRODUCTION: Provide relevant content to opposition
Office 365 eDiscovery Centre SharePoint Template that creates a site customised for Case Management
• Assists the creation of “Cases”
• Grants specific user permissions to manage the Cases
• Identifies and Holds Exchange, SharePoint, OneDrive for Business and File Share data
• Searches and Exports data of interest
In-place Hold
Provide a high level of immutability by:
• Preserving data in source
• Protecting from deletion
• Protecting from tampering
Provides easy management via:
• Rich query, location and time based content targeting
• Across Exchange, Lync and SharePoint
• Using Exchange Admin or eDiscovery Centres
Find what you need
• Real time search
• Rich query capability (text, time, source)
Export for action
Download directly from data source
Take the data offline as:
• Native files (.docx, .xlsx, etc.)
• Outlook Personal Information Store (.pst)
• Web Archive (.MHT)
• Comma Separated Values (.csv)
• Lists or Feeds
• Electronic Discovery Reference Model XML (v1.1)
eDiscovery Considerations
• Roles
• There will be storage impacts
• Recoverable Items quotas are separate from mailbox quotas and need to be monitored
• Hybrid data sources
eDiscovery Reports
• Content modifications
• Content type and list modifications
• Content viewing
• Deletion
• Custom reports
• Expiration and Disposition
• Policy modifications
• Auditing settings
• Security settings
Important Benefits
Risk mitigation
• Centrally managed proactive enforcement
• Reduced collection touch points
• Consistent and repeatable
Minimised business impact
• Transparent to users
• Minimises the need for offline copies, until they are needed
• Instantly searchable/exportable
Lower cost!
Demo: eDiscovery
Auditing
Reporting and Auditing
Comprehensive view of DLP policy performance
Downloadable Excel workbook
Drill into specific departures from policy to gain business insights
Exchange - Audit Features
Exchange has full auditing on by default!
Available Reports
• Mailbox access by non-owners
• Mailbox litigation hold
• Role group changes
• Mailbox content search and hold
• Admin audit log (including external administration)
SharePoint – Auditing Features
SharePoint must have auditing enabled at a Site Collection level.
Documents and Items
• Editing items
• Checking in and out
• Moving or copying within site
• Deleting or restoring
Lists, libraries and sites
• Editing content types and columns
• Searching site content
• Editing users and permissions
SharePoint Audit Reports
Demo: Document Fingerprinting
Wrap Up
Overall objectives: security and protection
Enforce policy
Protect communications
Simplify management
Useful References
Office 365 Security and Compliance
http://technet.microsoft.com/en-us/library/dn532171.aspx
Office 365 Trust Centre
http://office.microsoft.com/en-au/business/office-365-trust-center-cloud-computing-security-FX103030390.aspx
Office Blogs
http://blogs.office.com/2013/10/23/cloud-services-you-can-trust-security-compliance-and-privacy-in-office-365/
Governance, risk management, and compliance
http://en.wikipedia.org/wiki/Governance,_risk_management,_and_compliance
Office 365 Service Descriptions
http://technet.microsoft.com/en-us/library/jj819284%28v=technet.10%29
Related content
Breakout Sessions (session codes and titles)
Track resources
Ignite - Ignite.office.com
FastTrack - fasttrack.office.com
Office Blogs – blogs.office.com
Office 365 Trust Centre - trustoffice365.com
Office 365 Customer Success Centre – success.office.com
Register for Office 365 Ignite - aka.ms/ausignite
Additional Slides
DLP extensibility points
Content Analysis Process
Sample content:
Joseph F. Foster
Visa: 4485 3647 3952 7352
Expires: 2/2012
Get Content
4485 3647 3952 7352 - a 16 digit number is detected
RegEx Analysis
1. 4485 3647 3952 7352 matches checksum
2. 1234 1234 1234 1234 does NOT match
Function Analysis
1. Keyword Visa is near the number
2. A regular expression for date (2/2012) is near the number
Additional Evidence
1. There is a regular expression that matches a check sum
2. Additional evidence increases confidence
Verdict
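The content analysis process above, worked through as a toy re-implementation (added here; it is not Microsoft's DLP engine): regex candidates, checksum analysis (Luhn for card numbers, the weighted mod-11 check for the Australian Tax File Number listed among the sensitive information types), then nearby keyword and date evidence setting the confidence verdict. The detection parameters, the context window and the sample texts are assumptions.

```python
"""Toy model of the slide's DLP content-analysis pipeline: RegEx analysis,
function (checksum) analysis, then nearby corroborating evidence sets the
confidence verdict. Added illustration, not Microsoft's implementation."""
import re

# Hypothetical detection parameters modelled on the slide's walkthrough.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")   # 16-digit card number
TFN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")  # Australian Tax File Number
DATE_RE = re.compile(r"\b\d{1,2}/\d{2,4}\b")           # expiry such as 2/2012
KEYWORDS = ("visa", "mastercard", "card", "expires", "tfn", "tax file")
WINDOW = 40                                             # context chars each side


def luhn_ok(number: str) -> bool:
    """Function analysis for card numbers: Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every 2nd digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def tfn_ok(number: str) -> bool:
    """Function analysis for a TFN: weighted sum must be divisible by 11."""
    digits = [int(c) for c in number if c.isdigit()]
    weights = (1, 4, 3, 7, 5, 8, 6, 9, 10)
    return len(digits) == 9 and sum(d * w for d, w in zip(digits, weights)) % 11 == 0


def analyse(text: str) -> list:
    """Return one finding per candidate that passes its checksum, with a verdict."""
    findings = []
    for kind, regex, check in (("card", CARD_RE, luhn_ok), ("tfn", TFN_RE, tfn_ok)):
        for m in regex.finditer(text):                  # RegEx analysis
            if not check(m.group()):                    # checksum mismatch: discard
                continue
            ctx = text[max(0, m.start() - WINDOW):m.end() + WINDOW].lower()
            evidence = []                               # additional evidence
            if any(k in ctx for k in KEYWORDS):
                evidence.append("keyword")
            if DATE_RE.search(ctx):
                evidence.append("date")
            verdict = ("low", "medium", "high")[len(evidence)]
            findings.append({"type": kind, "match": m.group(),
                             "evidence": evidence, "confidence": verdict})
    return findings
```

Running `analyse("Joseph F. Foster Visa: 4485 3647 3952 7352 Expires: 2/2012")` yields one card finding with both keyword and date evidence (high confidence), while the slide's `1234 1234 1234 1234` is discarded at the checksum step.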
Encryption Solutions in Office 365
Office 365 Message Encryption – Encrypt messages to any SMTP address (example: personal account statement from a financial institution)
Information Rights Management – Encrypt content and restrict usage; usually within own organization or trusted partners (example: internal company confidential memo)
S/MIME – Sign and encrypt messages to users using certificates (example: peer-to-peer signed communication within a government agency)
Registry Key Outlook Client