So you’ve made the decision to move to Office 365 – now how do you ensure your critical business information is secure in the cloud?
A common barrier to fully adopting the cloud is the concern around information governance. Organizations don’t know where to start when it comes to establishing an information governance strategy to reduce risks and ensure their users do the right thing.
Here are four steps that you can take to develop your information governance strategy to ensure your Office 365 investment meets business needs while protecting your most sensitive data.
1. Know what you have and identify what you need to secure
In your journey to Office 365, it is prudent to do an information inventory before migrating. While lifting and shifting may be an easier option, moving only what you need reduces your risk and provides long term benefits. The question is, do you know where most of your enterprise information is stored, what you have, and how to decide what you need to secure?
We have more unstructured data repositories (e.g., file shares, OneDrive, local files) than ever before. The first step to establish your information governance strategy is to identify your relevant content sources. Next, perform a file-level analysis to see if there is any redundant, outdated and trivial (ROT) data. By doing so, you can purge ROT data and keep only what you need.
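The file-level ROT analysis described above, as an added example (not from the original article or any vendor tool): it walks a file share and flags byte-identical copies as redundant, files untouched past a cutoff as outdated, and temp or empty files as trivial. The three-year cutoff, the suffix list and all function names are assumptions.

```python
import hashlib
import os
import tempfile
import time
from collections import defaultdict

STALE_DAYS = 3 * 365  # assumed cutoff; the article does not define "outdated"
TRIVIAL_SUFFIXES = (".tmp", ".bak", "thumbs.db", ".ds_store")  # assumed list

def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def rot_report(root, now=None, stale_days=STALE_DAYS):
    """Map each flagged file (path relative to root) to its ROT reasons."""
    now = time.time() if now is None else now
    by_hash, reasons = defaultdict(list), defaultdict(set)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                if st.st_size:  # empty files are trivial, not duplicates
                    by_hash[sha256_of(path)].append((st.st_mtime, path))
            except OSError:
                reasons[path].add("unreadable")
                continue
            if st.st_size == 0 or name.lower().endswith(TRIVIAL_SUFFIXES):
                reasons[path].add("trivial")
            if now - st.st_mtime > stale_days * 86400:
                reasons[path].add("outdated")
    for copies in by_hash.values():
        for _mtime, path in sorted(copies, reverse=True)[1:]:
            reasons[path].add("redundant")  # the newest copy is kept
    return {os.path.relpath(p, root): sorted(r) for p, r in reasons.items()}

def demo():  # scans a constructed sample share built in a temp directory
    with tempfile.TemporaryDirectory() as root:
        samples = {"plan.docx": b"Q3 plan", "copy of plan.docx": b"Q3 plan",
                   "old.xlsx": b"2012 budget", "~scratch.tmp": b"x"}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        now = time.time()
        os.utime(os.path.join(root, "old.xlsx"), (now - 4000 * 86400,) * 2)
        os.utime(os.path.join(root, "copy of plan.docx"), (now - 86400,) * 2)
        return rot_report(root, now=now)
```

The report only flags candidates; files marked "unreadable" need a permissions review before any purge decision, since they could not be hashed or aged.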
If you’re wondering how to do this effectively, check out these FREE tools:
Once you know what you want to keep, perform a content-level analysis to identify if there is sensitive data that you need to secure and protect.
Now that you know what sensitive information you hold and where it resides, make sure you classify it accordingly. My rule of thumb is to keep your classification simple:
- Identify sensitivity level of the document
  - Personally Identifiable Information (PII)
  - Protected Health Information (PHI)
  - Intellectual Property/Export Regulation
- Identify retention schedule
  - Required to keep
  - Required to dispose
  - Content that is no longer relevant to the business
- Finish with managed keywords for search
2. Define relevant information governance policy
We all know that the days of academic, long-winded governance documents are gone. Your information governance policy should be practical and enforceable.
The approach should focus on the following considerations:
- Build controls into information containers
Establishing information security controls and policy where the content resides is important. For example, in SharePoint Online, clearly defining what specific site templates are used for, what type of content can be stored there, and who has access to it allows expectations to be set.
- Make sure no one messes with your controls
How can you ensure that containers are being used as intended? For example, if a OneDrive folder is being accessed by multiple people, how can you ensure that PII is not being stored there? This is where you can leverage technologies like Office 365 Compliance Center.
- Ensure that the system is being used as intended
As various Office 365 services are being used for collaboration and storage, it is critical that information is stored in the right place and accessed by the right person. Being able to monitor and track incidents is necessary to ensure that information is appropriately secured and classified. The good news is that Azure Enterprise Mobility and Security (EMS) can help support this need.
3. Proactively enforce policy
As we all know, with any new technology deployment, change is often met with resistance. Insisting our business users quit using email to send attachments or not rely on Excel for number crunching is a pipe dream.
As IT, our goal is to figure out how to make it easy for the users to do the right thing WITHOUT having to seriously change what tools they use to get their job done (at least initially). We all know forcing them to comply with every policy AND jump on the cool new Office 365 tools such as SharePoint Online, Groups, and even Teams is too much to ask.
So how can we proactively enforce policies and keep our users happy and productive? We have to automate policy enforcement as much as we can. We can’t rely on our users to remember every single policy that they have to comply with and also use these new capabilities.
In Office 365, we should configure as much as we can to enforce these information governance policies. In addition to Office 365 Compliance Center and Azure EMS, we have AvePoint Governance Automation Online and Compliance Guardian Online that our customers leverage for extended information governance and compliance capabilities for Office 365. For example, being able to effectively manage Office 365 Groups is a big need and a capability that we support.
Additionally, on the user level, we can still allow them to use tools that they love and still take advantage of all the Office 365 goodness. For example, Microsoft’s Matter Center allows folks in the legal industry to use Outlook as their go-to tool and still use SharePoint on the backend. Also, AvePoint’s Office Connect can help fast track Office 365 sustainable adoption in your organization.
4. Efficiently report and audit
With today’s stringent requirements on information governance, organizations typically undergo a regular recertification process. This process may be required internally and/or externally as a part of industry regulations such as GDPR.
As a part of your strategy, you have to have a mechanism in place to efficiently report and audit any incidents. So even if a security breach occurred, which is not a good thing, you can provide full transparency and visibility on how it was monitored and what measures you took to remediate it.
Having this single pane of glass across all your information containers is necessary for incident management. Our Compliance Guardian solution not only supports Office 365, it can also provide incident management capabilities to Exchange, file shares, Box, and databases which gives you that one-stop shop a lot of organizations look for.
If you want to learn more, I invite you to come and attend our Data Governance workshops as our subject matter experts interactively walk you through these four steps. I look forward to seeing you there!