Edge Pereira, OSS304, TechEd Australia: Regulatory Compliance and Microsoft Office 365 Data Leakage...

Compliance in Office 365
Edge Pereira and Sandy Millar, Avanade Australia

OSS304

Introduction

“Faced with never-ending and expanding regulatory and industry mandates, organizations invest tremendous amounts of energy on audit, compliance, controls, and (in some cases) risk management. At the same time, they seek to free staff resources from mundane tasks such as evidence gathering and simple reporting.”

Source: Gartner Report: IT Governance, Risk, and Compliance Management Solutions, http://www.gartner.com/resId=1884814

Why are we here?
• What is compliance?
• What does it mean to an ITPro?
• How can Office 365 help you?
• How to enable compliance controls?

Compliance – What is it?

Australian Standard AS 3806-2006

“The Standard provides principles for the development, implementation and maintenance of effective compliance programs within both public and private organisations. These principles are intended to help organisations identify and remedy any deficiencies in their compliance with laws, regulation and codes, and develop process for continual improvement in this area.”

Why do we need to take compliance seriously?
Areas that fall into compliance scope:
• Integrity and anti-fraud
• Bribery and corruption regulation
• Anti-trust and competition regulation
• Privacy regulation

What does this mean to your organisation?
Levels and activities are driven by many factors, for example:
• Public or private sector
• Industry vertical
• Business activities
• Geography
• Laws or regulation

Example: Avanade
Legislation
• Privacy Act 1988
• Privacy Amendment (Enhancing Privacy Protection) Act 2012

Customer Data Protection Program (CDP)
• Industry-leading CDP Program to implement appropriate controls
• Internal data management and security policies
• Privacy policy

Customer
• Avanade works with customers to take customer-specific concerns and policies into account

So what is Microsoft doing?

Office 365 includes many features that support compliance processes, including:
• Data Loss Prevention
• eDiscovery
• Information Management Policies
• Auditing
• Records Management
• RBAC
• Encryption

Two faces of compliance in Office 365

Built-in Office 365 capabilities (global compliance):
• Access Control
• Auditing and Logging
• Continuity Planning
• Incident Response
• Risk Assessment
• Communications Protection
• Identification and Authorisation
• Information Integrity
• Awareness and Training

Customer controls for compliance with internal policies:
• Data Loss Prevention
• Archiving
• eDiscovery
• Encryption
• S/MIME
• Legal Hold
• Rights Management

In practice, it looks like this

What does your organisation get?
• Independent verification
• Regulatory compliance
• Peace of mind
• Improved governance
• Better risk management
• Avoiding prosecution

So what does all that boil down to for ITPros?
It is all about customer controls!

Remembering

“A control is a process, function, in fact anything that supports maintaining compliance”

Let's look at Office 365 customer controls

Identify Monitor Protect Educate

Data Loss Prevention

What is meant by Data Loss Prevention?

“Data loss/leak prevention solution is a system that is designed to detect potential data breach / data ex-filtration transmissions and prevent them by monitoring, detecting and blocking sensitive data while in-use (endpoint actions), in-motion (network traffic), and at-rest (data storage).”[1]

[1] http://en.wikipedia.org/wiki/Data_loss_prevention_software

Good definition: http://csrc.nist.gov/groups/SNS/rbac/documents/data-loss.pdf

In-use controls (end-point)
• Operating System and Apps fully patched and up to date
• End-point security tools installed and correctly configured
• Firewall enabled and correctly configured
• Access to required applications only
• Access to “need to know” data
• Compliance Adherence Monitoring

At-rest controls
• Secure Connections - SSL
• Encryption - Transparent Data Encryption
• Auditing
• Information Management Policies (Retention)
• Access control

In-motion controls (email)

Create a DLP Policy:
• From a built-in template
• Build your own customised policy
• Import a pre-built policy

Apply the DLP Policy

Manage and report

Australian DLP Policies provided by Microsoft:
• Financial Data (credit cards and SWIFT codes)
• Health Records Act / HRIP Act (medical account number and TFN)
• Personally Identifiable Information (PII) Data (TFN, driver's license)
• Privacy Act (driver's license and passport number)

Built-in DLP policy templates by country (PII / Financial / Health)

USA
  PII: US State Security Breach Laws, US State Social Security Laws, COPPA
  Financial: GLBA & PCI-DSS (Credit, Debit Card, Checking and Savings, ABA, Swift Code)

Germany
  PII: EU data protection, Drivers License, Passport, National Id
  Financial: EU Credit, Debit Card, IBAN, VAT, BIC, Swift Code

UK
  PII: Data Protection Act, UK National Insurance, Tax Id, UK Driver License, Passport
  Financial: EU Credit, Debit Card, IBAN, BIC, VAT, Swift Code

Canada
  PII: PIPED Act, Social Insurance, Drivers License
  Financial: Credit Card, Swift Code

France
  PII: EU data protection, Data Protection Act, National Id (INSEE), Drivers License, Passport
  Financial: EU Credit, Debit Card, IBAN, BIC, VAT, Swift Code

Japan
  PII: PIPA, Resident Registration, Social Insurance, Passport, Driving License
  Financial: Credit Card, Bank Account, Swift Code

Health (across countries): Limited investment: US HIPAA, UK Health Service, Canada Health Insurance card; rely on partners and ISVs

Built-in DLP content areas

Establishing DLP

Design and implement:
• Determine sensitive information types and related policies or regulations
• Establish policies to protect sensitive data
• Implement Office 365 DLP features

Operate:
• Detect sensitive data in email
• Detect sensitive data with document fingerprinting
• User awareness with Outlook Policy Tips

Australian sensitive information types provided by Microsoft

• Bank Account Number

• Driver's License Number

• Medicare Account Number

• Passport Number

• Tax File Number

DEMO: Data Loss Prevention

• Protect communications
• Basic level of built-in anti-malware and enhanced spam filtering to help protect your email environment from threats

Summary - Data Loss Prevention

Enforce policy: data loss prevention (DLP) controls that can detect sensitive data in email before it is sent and automatically block, hold or notify the sender

Simplify management: unified administration of anti-spam, anti-malware and data loss prevention within Exchange

eDiscovery

What do we mean by eDiscovery?

“Electronic discovery (or e-discovery or eDiscovery) refers to discovery in civil litigation or government investigations which deals with the exchange of information in electronic format (often referred to as electronically stored information or ESI).”[2]

[2] Wikipedia (http://en.wikipedia.org/wiki/Electronic_discovery)

eDiscovery Process

DISCOVERY: find relevant content (documents, emails, Lync conversations)

PRESERVATION: place content on legal hold to prevent content modification and/or removal

COLLECTION: collect and send relevant content for processing

PROCESSING: prepare files for review

REVIEW: lawyers determine which content will be supplied to the opposition

PRODUCTION: provide relevant content to the opposition

Office 365 eDiscovery Centre
SharePoint template that creates a site customised for case management:

• Assists the creation of “Cases”

• Grants specific user permissions to manage the Cases

• Identifies and Holds Exchange, SharePoint, OneDrive for Business and File Share data

• Searches and Exports data of interest

In-place Hold

Provides a high level of immutability by:
• Preserving data in source
• Protecting from deletion
• Protecting from tampering

Provides easy management via:
• Rich query, location and time based content targeting
• Across Exchange, Lync and SharePoint
• Using Exchange Admin or eDiscovery Centres

Find what you need
• Real time search
• Rich query capability (text, time, source)

Export for action
Download directly from the data source

Take the data offline as:
• Native files (.docx, .xlsx, etc.)
• Outlook Personal Information Store (.pst)
• Web Archive (.mht)
• Comma Separated Values (.csv)
• Lists or Feeds
• Electronic Discovery Reference Model XML (v1.1)

eDiscovery Considerations

• Roles
• There will be storage impacts
• Recoverable Items quotas are separate from mailbox quotas and need to be monitored
• Hybrid data sources

eDiscovery Reports
• Content modifications
• Content type and list modifications
• Content viewing
• Deletion
• Custom reports
• Expiration and Disposition
• Policy modifications
• Auditing settings
• Security settings

Important Benefits

Risk mitigation
• Centrally managed proactive enforcement
• Reduced collection touch points
• Consistent and repeatable

Minimised business impact
• Transparent to users
• Minimises the need for offline copies until they are needed
• Instantly searchable/exportable

Lower cost!

Demo: eDiscovery

Auditing

Reporting and Auditing

Comprehensive view of DLP policy performance

Downloadable Excel workbook

Drill into specific departures from policy to gain business insights

Exchange - Audit Features
Exchange has full auditing on by default!

Available Reports
• Mailbox access by non-owners
• Mailbox litigation hold
• Role group changes
• Mailbox content search and hold
• Admin audit log (including external administration)

SharePoint – Auditing Features
SharePoint must have auditing enabled at the Site Collection level.

Documents and items:
• Editing items
• Checking in and out
• Moving or copying within the site
• Deleting or restoring

Lists, libraries and sites:
• Editing content types and columns
• Searching site content
• Editing users and permissions

SharePoint Audit Reports

Demo: Document Fingerprinting

Wrap Up

Overall objectives: security and protection
• Enforce policy
• Protect communications
• Simplify management

Useful References

Office 365 Security and Compliance
http://technet.microsoft.com/en-us/library/dn532171.aspx

Office 365 Trust Centre
http://office.microsoft.com/en-au/business/office-365-trust-center-cloud-computing-security-FX103030390.aspx

Office Blogs
http://blogs.office.com/2013/10/23/cloud-services-you-can-trust-security-compliance-and-privacy-in-office-365/

Governance, risk management, and compliance
http://en.wikipedia.org/wiki/Governance,_risk_management,_and_compliance

Office 365 Service Descriptions
http://technet.microsoft.com/en-us/library/jj819284%28v=technet.10%29

Related content

Breakout Sessions (session codes and titles)

Track resources

Ignite - Ignite.office.com

FastTrack - fasttrack.office.com

Office Blogs – blogs.office.com

Office 365 Trust Centre - trustoffice365.com

Office 365 Customer Success Centre – success.office.com

Register for Office 365 Ignite - aka.ms/ausignite

Additional Slides

DLP extensibility points

Content analysis process

1. Get content: “Joseph F. Foster / Visa: 4485 3647 3952 7352 / Expires: 2/2012”

2. RegEx analysis: 4485 3647 3952 7352, a 16-digit number, is detected

3. Function analysis:
   • 4485 3647 3952 7352 matches the checksum
   • 1234 1234 1234 1234 does NOT match

4. Additional evidence:
   • The keyword “Visa” is near the number
   • A regular expression for a date (2/2012) matches near the number

5. Verdict:
   • There is a regular expression that matches a checksum
   • Additional evidence increases confidence
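The content analysis steps above (regex, checksum function, corroborating evidence, verdict), and the "Detect sensitive data in email" step under Establishing DLP, as an added worked example in Python. This is illustrative code written for this page, not Microsoft's DLP engine or any Office 365 API. It assumes a constructed confidence scale (65/75/85 by number of evidence items), a 60-character proximity window, and the keyword lists; the Luhn check for card numbers and the weighted mod-11 check for the Australian Tax File Number are public algorithms. The sample text is constructed from the slide's example, and the example goes slightly beyond the slide by running the same pipeline over a second sensitive information type (TFN) from the Australian list.

```python
import re
from dataclasses import dataclass, field

# Constructed sample matching the slide's worked example (not real card data).
SAMPLE = "Joseph F. Foster\nVisa: 4485 3647 3952 7352\nExpires: 2/2012"

# Step 2 (RegEx analysis): candidate patterns. Card: four groups of four digits.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
# Australian Tax File Number: nine digits, commonly written 3-3-3.
TFN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")
# Expiry date such as 2/2012 or 02/12.
DATE_RE = re.compile(r"\b(?:0?[1-9]|1[0-2])/\d{2,4}\b")

PROXIMITY = 60  # assumed: characters searched either side of a match
# Assumed confidence scale keyed by number of evidence items (not Microsoft's values).
CONFIDENCE = {1: 65, 2: 75, 3: 85}


def luhn_ok(number: str) -> bool:
    """Step 3 (function analysis): Luhn checksum used by payment card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tfn_ok(number: str) -> bool:
    """Weighted mod-11 check published for Australian Tax File Numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    weights = (1, 4, 3, 7, 5, 8, 6, 9, 10)
    return len(digits) == 9 and sum(w * d for w, d in zip(weights, digits)) % 11 == 0


# Sensitive information types: (name, pattern, checksum, keywords, extra evidence regex).
# Keyword lists are assumptions for this example.
SENSITIVE_TYPES = [
    ("credit card", CARD_RE, luhn_ok,
     ("visa", "mastercard", "amex", "card number", "expires"), DATE_RE),
    ("tax file number", TFN_RE, tfn_ok, ("tfn", "tax file number"), None),
]


@dataclass
class Finding:
    kind: str
    value: str
    evidence: list = field(default_factory=list)
    confidence: int = 0


def analyse(text: str) -> list:
    """Run the pipeline: regex -> checksum -> corroborating evidence -> confidence."""
    findings = []
    for kind, pattern, checksum, keywords, extra_re in SENSITIVE_TYPES:
        for m in pattern.finditer(text):
            if not checksum(m.group()):  # drop candidates that fail the checksum
                continue
            evidence = ["checksum"]
            # Step 4 (additional evidence): inspect the text around the match.
            window = text[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY].lower()
            if any(k in window for k in keywords):
                evidence.append("keyword")
            if extra_re is not None and extra_re.search(window):
                evidence.append("date")
            findings.append(Finding(kind, m.group(), evidence, CONFIDENCE[len(evidence)]))
    return findings


def verdict(findings: list, block_at: int = 85, notify_at: int = 65) -> str:
    """Step 5 (verdict): map the strongest finding to a DLP action (assumed thresholds)."""
    best = max((f.confidence for f in findings), default=0)
    if best >= block_at:
        return "block"
    if best >= notify_at:
        return "notify"
    return "allow"


if __name__ == "__main__":
    for f in analyse(SAMPLE):
        print(f"{f.kind}: {f.value} evidence={f.evidence} confidence={f.confidence}")
    print("verdict:", verdict(analyse(SAMPLE)))
```

The checksum step is what separates the slide's two 16-digit strings: 4485 3647 3952 7352 passes Luhn and goes on to collect the "Visa" keyword and the expiry date as corroborating evidence, while 1234 1234 1234 1234 is discarded before any keyword lookup, which is how a DLP engine keeps false positives on order numbers and similar digit runs low.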

Encryption Solutions in Office 365

• Office 365 Message Encryption – encrypt messages to any SMTP address
  Example: personal account statement from a financial institution

• Information Rights Management – encrypt content and restrict usage; usually within your own organisation or trusted partners
  Example: internal company confidential memo

• S/MIME – sign and encrypt messages to users using certificates
  Example: peer-to-peer signed communication within a government agency

Registry Key Outlook Client