Compliance is often measured against standards such as FedRAMP, CMMC, and others. Though that is an extremely important view, there are other parts of compliance that are distinctly different and can create legal jeopardy (even lost litigation) if you don’t get things right. In this post, we will start a conversation about the legal angle of compliance and briefly discuss what is needed from a technical licensing standpoint.
I like to say that if your organization sells products or services and/or employs more than one person, risk and liability are real dangers. This implies that most, if not all, organizations face potential loss that impacts the bottom line. To reduce this loss, various departments within your organization must work together to mitigate risk and liability – legal departments (or outside counsel if your organization doesn’t have an in-house legal team), compliance departments, public disclosure/FOIA departments, HR, and other departments all share in this responsibility. However, with electronic data exploding in size and complexity, few organizations are involving these non-technical departments as effective partners with IT to deal with an under-the-radar problem that can result in data leakage and “shadow IT.” In its worst-case scenario, it can close a business.
So, how did we get into this situation? The answer is straightforward: organizations often conflate compliance with security. They start with the wrong definition of compliance, which leads them to shift the burden onto IT’s shoulders and assume that “IT is taking care of everything for us.” This way of thinking places IT in the vulnerable position of having to create policies that should, in fact, be developed with legal guidance in mind. To help alleviate some of the confusion, a simplified but still valuable approach is to position security vs. compliance for policy makers from a different perspective, like this:
- **Security protects your data and organization from the outside in.** This pertains to bad actors (outside your organization) trying to get your data. Usually, they prey upon employees, customers, and your organization, exploiting vulnerabilities to their benefit.
- **Compliance, on the other hand, protects your data, employees, customers, and organization from the inside out.** It focuses on the kinds of data handled and stored by your organization and what regulatory frameworks apply to its protection.

REMEMBER, there are significant overlaps, but the above is used for illustration purposes.
Though IT and consultants are best positioned to implement certain policies, they should not have sole responsibility for the policy decisions (e.g., What is the retention policy for various data? Which corporate file sharing solution should the organization standardize on?) since they don’t possess the necessary legal background. However, policy makers (legal, compliance, public disclosure/FOIA, etc.) should also not be solely responsible for making policy decisions, because they don’t work directly with the tools (such as the Compliance Center in Microsoft 365) and therefore don’t leverage their capabilities well. These knowledge gaps disadvantage both the policy makers and the implementers as they aim to set up the best policies. That disadvantage, in turn, increases risk and liability.
The best practice, therefore, is to get policy makers and implementers talking to each other. Granted, getting policy makers in the room to discuss these tricky technical questions can be difficult. But frankly, doing so is imperative to ensure the security of your organization’s information. To get started, I suggest exploring the “Catalog” on the left-hand side of the M365 Compliance Center with the right people in the room. It organizes the following areas in the Compliance Center:
- Information Protection and Governance: Data Loss Prevention, Information Governance, Information Protection, and Records Management.
- Privacy: Privacy Management
- Insider Risk Management: Communication Compliance, Information Barriers, and Insider Risk Management
- Discovery & Response: Audit, Data Subject Requests, and eDiscovery
The Catalog provides an overview of some of the key compliance parts that impact the policy maker’s goals and responsibilities to mitigate risk and liability. Legal departments and other policy makers are typically non-technical, so take great care to expand their involvement in the broader compliance footprint of your organization. Skilled guidance through the relevant parts of the Compliance Center, in the language of the policy maker departments, is critical to removing the silos most policy maker and implementer teams currently face.
Teasing out significant issues in Information Protection and Governance is the next step. One seemingly insignificant point, for instance, is to help policy makers understand the difference between retention policies and retention labels. A retention policy is applied to locations (whole mailboxes, sites, or teams) and silently governs everything stored there, while a retention label is applied to individual items, manually or automatically, and can declare an item a record; the label, not the policy, is what lets a team single out specific evidence. That difference, though seemingly trivial, could be crucial to a policy maker as they decide how and what electronic evidence they need to retain. If electronic evidence is not properly retained, it cannot be produced if required later. Thus, that little difference can cause loss of litigation if not thought through. Scary? Yes!
Another topic that needs detailing is how eDiscovery functions in your organization. eDiscovery is a 16 billion dollar annual industry.[i] The tools currently in use and the workflow around them are all relevant data being captured. The Advanced eDiscovery tool set in Microsoft 365 is a game changer for many. Even with great tools, it is very important to manage who has access and for how long. Managing that access over time is crucial, especially in government, where administrations change every 2-4 years. Being able to scope discovery access is also important in service provider tenants, where the sovereignty of each department or agency is paramount.
Creation of a case, communications, custodians, and remediation of problematic data are just a few topics your policy makers need to be involved in. IT can certainly assist, but IT is not in the court fighting on behalf of your organization. How your lawyers work with evidence is a critical point to establish.
In order to provide technical solutions to the Legal staff, IT staff need to know what licensing they will need in order to support the legal, public disclosure/FOIA and compliance teams of their organization and their decisions.
Two great resources are located here:
For starters, make sure IT staff review the default settings of each of the O365 services and change them to enforce the decisions being made. For example, audit log retention (90 days) and OneDrive retention (30 days) are two common items we hear customers forget. For Data Loss Prevention (DLP), many customers are unaware that their Teams chats also need additional configuration and possibly additional licenses, even if they have set up DLP for SharePoint and OneDrive. Insider risk is another area that should be carefully reviewed. See our blog on Prevent Sensitive Insider Risk in Microsoft Teams located here https://go-planet.com/perspectives-blog/prevent-sensitive-insider-risk-in-microsoft-teams/
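The three defaults called out above can be checked from PowerShell rather than by clicking through the portal. The script below is an added example, not code from the original post: it reports whether audit log ingestion is on, whether any audit retention policy exists beyond the 90-day default, what the deleted-user OneDrive retention period is, and which DLP policies cover SharePoint/OneDrive but not Teams, and shows the corrected setting next to each. The tenant admin URL, the policy name, and the retention values (365 days, twelve months) are illustrative assumptions; the real numbers are the policy makers’ decision, and audit retention past the default and Teams DLP may need additional licensing.

```powershell
# Added example (not from the original post). Checks the defaults the text says
# customers forget and shows the corrected setting beside each one.
# Assumptions: tenant name "contoso", 365 days / TwelveMonths as the agreed
# retention values, and "Audit - 12 months (example)" as a policy name.
# Longer audit retention and Teams DLP may require additional licensing;
# confirm entitlements before relying on these settings.

Connect-ExchangeOnline   # Exchange Online PowerShell (ExchangeOnlineManagement module)
Connect-IPPSSession      # Security & Compliance PowerShell (same module)

# --- 1. Audit log: is ingestion on, and is anything kept past the 90-day default?
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF: nothing is being recorded."
}

$auditPolicies = Get-UnifiedAuditLogRetentionPolicy
if (-not $auditPolicies) {
    Write-Warning "No audit log retention policy: records expire at the default retention."
    # Corrected setting (assumed values): keep Exchange item and SharePoint file
    # operations for twelve months. Priority is an integer; lower = higher precedence.
    New-UnifiedAuditLogRetentionPolicy -Name "Audit - 12 months (example)" `
        -Description "Retain audit records for the period agreed with legal" `
        -RecordTypes ExchangeItem, SharePointFileOperation `
        -RetentionDuration TwelveMonths -Priority 100
}

# --- 2. OneDrive: how long a deleted user's OneDrive is kept (default 30 days)
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # assumed tenant name
$spo = Get-SPOTenant
Write-Host "OneDrive retention after a user is deleted: $($spo.OrphanedPersonalSitesRetentionPeriod) days"
if ($spo.OrphanedPersonalSitesRetentionPeriod -lt 365) {
    # Corrected setting (assumed value): keep a departed user's OneDrive for a year.
    Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod 365
}

# --- 3. DLP: policies that cover SharePoint/OneDrive but leave Teams uncovered
Get-DlpCompliancePolicy | ForEach-Object {
    $coversFiles = $_.SharePointLocation -or $_.OneDriveLocation
    if ($coversFiles -and -not $_.TeamsLocation) {
        Write-Warning "DLP policy '$($_.Name)' covers SharePoint/OneDrive but not Teams chat."
        # Corrected setting: extend the same policy to all Teams accounts and groups.
        Set-DlpCompliancePolicy -Identity $_.Name -AddTeamsLocation All
    }
}
```

The Set- and New- lines change tenant-wide behaviour, so run the Get- checks first and apply the changes only once legal and compliance have signed off on the values; the script is written so the checks and the corrections sit side by side for that review.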
As you can see from this blog, there are many other considerations that policy makers and implementers need to explore together. But helping policy makers form a great working partnership with IT is a great place to start: doing so will help mitigate risk while also securing strong advocates in other business units that will help give IT the proper value and budget.
As always, if you need assistance with any of the topics mentioned in this blog, contact your Account Manager, Cloud Strategist, or send an email to [email protected].