Successful Office 365 Management: Compliance
As I outlined in the first post in this series on Office 365 security, much of the administrative experience inside of Office 365 streamlines and automates tasks that you previously had granular control over within the individual on-premises workloads. From an auditing and compliance perspective, this means you need to understand:
- Your organizational requirements, standards, and policies.
- What capabilities are possible within each of your hybrid components, from discovery through technical enforcement.
- What can be managed centrally versus within each individual system or component, and by whom.
Whether your environment is on-premises, in the cloud, or in a temporary or permanent hybrid state, it is critical that organizations clearly understand their security and compliance requirements, and whether these requirements are being met. For this post, I’ll focus on the topic of compliance.
Commercial organizations have regulations and policies that they must comply with to operate businesses in various industries. These policies can be a mix of external regulatory requirements that vary depending on industry and geographical location of the organization and internal company-based policies.
Office 365 provides built-in capabilities and customer controls to help customers meet both various industry regulations and internal compliance requirements, staying up-to-date with many of today’s ever-evolving standards and regulations, giving customers greater confidence.
What Microsoft provides
Microsoft undergoes third-party audits by internationally recognized auditors as an independent validation that they comply with all policies and procedures for security, compliance and privacy. Office 365 utilizes a control framework that employs a strategic approach of implementing extensive standard controls that in turn satisfy various industry regulations. Office 365 supports over 900 controls that enable Microsoft to meet complex standards and offer contracts to customers in regulated industries or geographies, like ISO 27001, the EU Model Clauses, HIPAA Business Associate Agreements, FISMA/FedRAMP.
Where Microsoft is putting most of their resources is in expanding the Office 365 Security and Compliance Centers found at Protection.Office.com, both of which require an Office 365 login. These are your primary portals for protecting data within Office 365, and for managing all of your auditing and compliance requirements. For an overview of what is included within these portals, check out this blog post by
Adrian Valencia on the AvePoint blog, which provides details and screenshots.
Potential gaps that organizations should plan for
According to 2019 research conducted by CollabTalk and the Marriott School of Management at Brigham Young University, the top three most widely cited compliance challenges identified by the survey respondents include:
- End users don’t classify data correctly and/or take required actions (38%)
- Content stored in legacy content systems (35%)
- Content spread across multiple workloads (34%)
What this research shows is that organizations need to put in place a proactive compliance strategy to regularly review the growing body of content, and provide guidance to their end users on how to properly apply information architecture and content lifecycle management policies and procedures.
For more in depth data around this topic, download a free copy of the Office 365 Operational Success Playbook. In the next post in this series, I’ll highlight data and relevant links for Governance.
[…] I outlined in the first post in this series on Office 365 security and the second post on compliance, much of the administrative experience inside of Office 365 streamlines and automates tasks that […]