Start using Microsoft 365 to accelerate modern compliance

Today’s post was written by Rudra Mitra, Partner Director of Microsoft 365 Security and Compliance.

With more than 200 updates from 750 regulatory bodies a day, keeping up to date with all the changes is a tremendous challenge. As privacy regulations, like the General Data Protection Regulation (GDPR), continue to evolve, compliance requirements can seem complex to understand and meet. However, when you store your data in the Microsoft Cloud, achieving compliance becomes a shared responsibility between you and Microsoft. Take the National Institute of Standards and Technology (NIST) 800-53 security control framework as an example: Microsoft helps you take care of 79 percent of the 1,021 controls, so you can focus your efforts on the remaining 21 percent. Additionally, Microsoft provides you with a broad set of security and compliance solutions to implement your controls more seamlessly.

In addition to a number of investments made over the last year to support GDPR compliance and the privacy rights of individuals, we hear from you that organizations need more built-in capabilities to proactively achieve modern compliance. Therefore, we are working diligently to bring more artificial intelligence (AI) powered, user-centered, and integrated compliance solutions into Microsoft 365. Today, we’re announcing new and expanded capabilities that support your organization’s compliance journey.

Assess and manage your compliance for GDPR and more

Conducting ongoing risk assessments of your information management systems is a crucial activity to help your organization understand the effectiveness of security, compliance, and privacy controls; recognize the risks; and make appropriate plans to remediate when needed.

We expanded Compliance Manager to offer 12 assessments, including security control frameworks, such as NIST CSF and CSA CCM, and regulated industry standards like FFIEC and FedRAMP. These assessments can help you proactively enhance your data protection controls and meet compliance obligations. Learn more about this update in our Tech Community blog.

Screenshot shows a Standard Assessment in Compliance Manager.

Harness intelligence to protect and govern your most important data

To ensure effective protection and governance around your most important data, you should implement intelligent solutions and processes to automatically discover, classify, label, and monitor this data—no matter where it lives or travels.

The unified labeling experience in Microsoft 365, now generally available, provides organizations with a more integrated and consistent approach to creating, configuring, and automatically applying comprehensive policies to protect and govern data across devices, apps, cloud services, and on-premises locations. This new approach gives customers a single destination to create and configure data sensitivity labels for both Azure Information Protection and Office 365, so you can set up sensitivity and retention labels and policies in the same place. These labels can be used to enforce policy across our information protection services—for example, Windows Information Protection will be able to understand the presence of a data sensitivity label in a document and apply policy to protect that data on the device.

Image shows labeling capabilities in Security and Compliance.

The unified labeling experience is complemented by user experiences built into Office apps and Windows—no plug-ins or add-ons required. This native labeling is now available in public preview for Office apps on Mac, iOS, and Android—giving customers a labeling experience they are familiar with if they are already using the Azure Information Protection client on Windows. We also support a growing ecosystem of third-party apps and security solutions. Starting in October, you will be able to preview the ability to open protected PDF files directly within Adobe Acrobat on Windows.

Additionally, our Information Protection SDK is now generally available, making it easy for ISVs and third-parties to build labeling and protection experiences into their apps and services. Learn more about all these new updates that help you meet both your security and compliance needs at our Tech Community.

In addition to the new unified labeling experience, we have several updates to Microsoft 365 data governance capabilities. First, you can now auto-apply a label to Exchange Online content and to files associated with a specific content type in SharePoint Online, such as tax documents or human resources information. Once you map a content type to a retention label with an auto-classification query, you can auto-apply retention and deletion policies to all files with that content type. This new capability enables you to align labels to your existing information architecture and governance policies.
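The content-type mapping described above, as an added example rather than code from the post: it creates a retention label, an auto-apply policy and the rule that maps a SharePoint Online content type to the label, using Security & Compliance PowerShell from the ExchangeOnlineManagement module. The label and policy names, the "Tax Document" content type, the retention period and the admin account are assumptions.

```powershell
# Added example (not from the original post): auto-apply a retention label to every
# SharePoint Online file whose content type is "Tax Document".
# Label/policy names, the content type, the retention period and the account are
# assumptions for illustration.

Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

# 1. A retention label: keep 7 years from creation, then delete.
New-ComplianceTag -Name 'Tax Document' `
    -Comment 'Retain tax records for 7 years, then delete' `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 2555 `
    -RetentionType CreationAgeInDays

# 2. An auto-apply policy scoped to all SharePoint sites.
New-RetentionCompliancePolicy -Name 'Auto-apply Tax Document label' `
    -SharePointLocation All

# 3. The rule that maps the content type to the label. The query is KQL against
#    the ContentType managed property; quote the value because of the space.
New-RetentionComplianceRule -Name 'Tax Document content type' `
    -Policy 'Auto-apply Tax Document label' `
    -ApplyComplianceTag 'Tax Document' `
    -ContentMatchQuery 'ContentType:"Tax Document"'

# Check: confirm the rule carries the label and query you intended. Auto-apply
# labels existing content over days, not minutes, so verify before relying on
# the deletion action.
Get-RetentionComplianceRule -Identity 'Tax Document content type' | Format-List
```

Because the deletion action is irreversible once the retention period elapses, keep the label scoped to a single content type and review what it matched before widening the policy to other locations.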

We also made it easier for you to configure complex record retention schedules for your departments, locations, and categories with the new file plan capability, now available in public preview. The file plan capability allows you to import or export the retention plan as a template and bulk edit labels, providing a more robust way to manage your record retention policies.

Image shows a file import being validated in Security and Compliance.

Finally, long-term audit log availability is coming to public preview for Microsoft 365 and Office 365 E5 subscribers. This is an important update for organizations that need long-term access to audit logs for regulatory or security purposes: audit log retention increases from 90 days to one year.

Learn more about all of these data governance updates at the Tech Community blog.

Enforce zero-standing access to your sensitive data

For organizations looking to protect and control their data, governing privileged access can reduce the risk of data compromise and help meet compliance obligations regarding access to sensitive data. Built on the principle of no standing access, where admins do not have access by default, we are announcing the general availability of privileged access management in Office 365. This feature enables organizations to govern privileged access by requiring admins to go through an approval process and gain temporary permissions to perform high-risk tasks, such as creating a journal rule, which can expose and exfiltrate data by copying messages to an external shadow mailbox. When an admin requests elevated permissions to execute a high-risk task, the request can be approved automatically or manually before access is granted; either way, all activities are logged and auditable.

Privileged access management is available in the Microsoft 365 Admin Center, and organizations can now also manage Customer Lockbox requests and Data Access requests from Azure Managed Apps from a single management pane for privileged access to your Microsoft 365 data. Read more details on the Tech Community blog.

Image shows an approved Privileged Access request in Outlook.
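The request, approve and execute flow described above, as an added example rather than code from the post or from Microsoft's documentation, driven from Exchange Online PowerShell with the ExchangeOnlineManagement module. The approver group, the requesting admin's reason and duration, the journal rule details and the request ID placeholder are assumptions.

```powershell
# Added example (not from the original post): zero-standing access for the
# New-JournalRule task. Group, reason, duration, journal rule and the request ID
# placeholder are assumptions for illustration.

Connect-ExchangeOnline -UserPrincipalName globaladmin@contoso.onmicrosoft.com

# 1. (Global admin, once) Turn on privileged access management and name the
#    mail-enabled security group whose members can approve requests.
Enable-ElevatedAccessControl -AdminGroup 'pam-approvers@contoso.onmicrosoft.com'

# 2. (Global admin, once) Require manual approval before anyone can create a
#    journal rule. The task is the Exchange cmdlet name prefixed with 'Exchange\'.
New-ElevatedAccessApprovalPolicy -Task 'Exchange\New-JournalRule' `
    -ApprovalType Manual `
    -ApproverGroup 'pam-approvers@contoso.onmicrosoft.com'

# 3. (Requesting admin) Ask for time-bound access. Nothing is granted yet; the
#    approver group is notified and the request ID is shown in the output.
New-ElevatedAccessRequest -Task 'Exchange\New-JournalRule' `
    -Reason 'Journal legal-hold mailbox for matter 2018-042' `
    -DurationHours 4

# 4. (Approver) Review the request, then approve or deny it with a comment that
#    lands in the audit trail. Replace the placeholder with the real request ID.
$requestId = 'REQUEST-ID-FROM-STEP-3'   # assumed placeholder
Get-ElevatedAccessRequest -RequestId $requestId | Format-List
Approve-ElevatedAccessRequest -RequestId $requestId -Comment 'Approved for matter 2018-042'
# Deny-ElevatedAccessRequest -RequestId $requestId -Comment 'No matter reference supplied'

# 5. (Requesting admin) Run the task inside the approved window. Outside the
#    window, or without an approval, the same cmdlet is refused.
New-JournalRule -Name 'Matter 2018-042' `
    -JournalEmailAddress legalhold@contoso.com `
    -Scope Global

# Audit: every request with its outcome is retained and can be listed later.
Get-ElevatedAccessRequest | Format-List
```

Keep the approver group separate from the group of admins who raise requests, so that no single account can both request and approve elevation for the same task.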

Proactively safeguard your sensitive emails with insights

We’re also sharing a few new enhancements in Office 365 Message Encryption that enable organizations to collaborate on and proactively protect their sensitive emails more seamlessly. First, to further enable collaboration with consumer recipients, Office 365 Message Encryption now offers organizations the option to control whether attachments are encrypted for the encrypt-only template, so that recipients have full permissions to share the attachment with anyone. Note that an attachment sent unencrypted is no longer bound by the template once downloaded, so enable this option deliberately for the flows that need it. This feature is generally available today.

To help IT admins proactively protect and control sensitive emails, organizations can now monitor encrypted messages through a new reporting dashboard, available in public preview, which provides granular details such as the message ID along with sender and recipient information. IT admins can use these insights to proactively adjust and apply policies to sensitive emails. To learn more about these capabilities and more, read the Tech Community blog for details.

Image shows a message encryption report in Security and Compliance.

Streamline the compliance investigation process with enhanced Search & Tagging capabilities

Litigation and regulatory demands, like GDPR, are requiring organizations to be more efficient at discovering information in a timely manner. Organizations also have a responsibility to support internal investigations such as corporate fraud, discrimination, work rule violation, and other misconduct.

To further streamline the process of identifying relevant data, the new Search & Tagging feature in Advanced eDiscovery, now generally available, enables you to find the most relevant information within an existing eDiscovery case, using keywords, metadata, and analytics capabilities like Themes and Relevance Score. Additionally, you can preview and organize the data using case-specific tags, which can help you save time and cost when reviewing documents. Learn more about Search & Tagging.

Address global data residency needs with Multi-Geo Capabilities

Increasingly, governments around the world are enacting laws that mandate data residency for cloud data. Global companies are often challenged with digitally transforming with the cloud and staying in compliance with their data residency requirements.

Image shows Multi-Geo capabilities in Office 365.

Multi-Geo Capabilities in Office 365 can help address these concerns, making it easier for companies to meet their global data residency needs while empowering every employee with a modern productivity experience. Earlier this year, we launched Multi-Geo Capabilities for Exchange Online and OneDrive, giving you control over the country/region where each employee’s mailbox content and files are stored at rest.

In 2019, we’re rolling out Multi-Geo Capabilities in SharePoint Online and Office 365 Groups, letting you control the country/region of SharePoint Online Team Sites and Office 365 Group content such as files, associated SharePoint Sites, and group mailboxes. Learn more about Multi-Geo Capabilities.

Learn more about the Microsoft 365 Compliance solutions

Our investment in data privacy and compliance goes beyond the GDPR. We want to help you make compliance a less burdensome process, so you can focus on your core work and empower employees to achieve more. You can find more resources below to learn more about the compliance solutions Microsoft 365 provides.