100 million people use Office 365, and its market share is still growing. Have you started to explore how cloud technologies might benefit your business? If you haven’t, chances are you will soon. How can you arm yourself with information to be prepared?
In this seminar, we will look at a modern information management framework that encompasses cloud, on-premises, and legacy platforms. We will discuss common requirements for government agencies and highly regulated organizations, and how you can meet compliance obligations of Freedom of Information, DPA and GDPR.
Next, we will look at a cloud journey using Office 365. We will look at Office 365 features and benefits, and how these are being commonly used in government agencies and regulated industries. We will then discuss compliance features in Office 365. This will include features that are available natively, and strategies for filling any gaps. Finally, we will show how to maintain a file plan across Office 365 to meet industry regulations.
Key Takeaways:
- An understanding of an information framework that can be used to plan your cloud journey
- The basis for a business case for cloud deployment within your organization
- An understanding of the features and benefits of Office 365
- An understanding of how technology can support your GDPR processes
Strategies for Modern Information Management and Compliance (Sydney)
2. TIME | WHAT | WHO
9:00 AM - 9:30 AM | Breakfast and Registration | Welcome and Registration
9:30 AM - 9:45 AM | Kick-Off | Host welcomes guests and introduces speakers and companies
9:45 AM - 11:00 AM | Session 1 - Modern Information Management | Presented by RecordPoint
11:00 AM - 11:15 AM | Break | Beverages and light snacks available
11:15 AM - 12:30 PM | Session 2 - Execute a Compliant Strategy on Office 365 | Presented by RecordPoint
12:30 PM - 1:00 PM | Lunch and Q&A | Attendees can depart with a lunch or stay for Q and A with presenters
1:00 PM | Departure
6. Users!
Diverse Standards
No Federation of Control
No Single View
Many Content Sources
Massive Data Growth
“My data is scattered across many sources and growing fast”
“It’s impossible to know what I have, let alone apply policy”
“My users aren’t interested in compliance”
“I want policy to be universal, automatic and based on content”
“How can I identify and protect sensitive information?”
8. Cost of the Compliance Problem
Unstructured content:
- No Business Value (69%)
- Current Business Value (25%)
- In Records Retention (5%)
- On Legal Hold (1%)
$1.5 million lost per petabyte by not managing content by value
Sources: Figures in $USD, Gartner IT Key Metrics Data 2017: Key Infrastructure Measures: Storage Analysis: Multiyear, American Bar Association: Pricing Processing in E-Discovery: Keep the Invoice from Being a Surprise, Compliance and Governance Oversight Council
9. Impact of the Compliance Problem
Source: Gartner: Best Practices for Data Retention and Policy
Business Value
Cost and Risk
10. Typical Solutions
- End users as Records Managers
- Dictate where to store content
- Make end users tag content with metadata
- End users move to EDRMS once content is not being used
- Force use of a non-modern solution
12. Systems of Record versus Engagement
System of Record | Systems of Engagement
?
13. Systems of Engagement from an Office 365 Perspective
Systems/Services of Engagement: Exchange Online, SharePoint Online, OneDrive for Business, Delve, Yammer, Office 365 Groups, Office Graph, Microsoft Teams, Skype for Business
Compliance Services: Classification / File Plan, Retention & Disposal, Automated Policy Engine, Centralised Management, Physical Records, Security, Social Records, Long Term Preservation, Legal Holds, GDPR, Barcode Management, Exporting & Importing, Reporting
14. Reduce Risk with Modern Records Management
Manage Content
Invisible Records Management
Create | Disseminate | Maintain & Administer
15. Utilize a Cost Effective Approach for Records Management
- Set Up
- Maintain Records
- Add or Change a Policy
- End User Training
- License Fees
- Support Costs
- Fines
- Managing Multiple Systems
16. COST | RECORDPOINT
Set Up | One time set up of file plan and retention policies for all systems of engagement. No hardware investment
Maintain Records | One dashboard containing all content across systems. Automatic classification by rules
Add or Change a Policy | Policy changes apply to all content sources. They are created and modified in a single location
End User Training | Not needed!
License Fees | Works with all versions of content systems – no special license required
Support Costs | No end user support needed, since no action is required from them
Fines | Reduced risk of non-compliance = reduced risk of fines
Managing Multiple Systems | One system to rule them all
17. Reduce Complexity for Users with RecordPoint
1. Autoclassification of content
2. End users are not asked to complete metadata
3. Records Managers can “govern” rather than manage
4. End Users are not asked to be compliance experts
20. With EASY, Modern and Trusted Compliance
Turnkey Compliance
- In-place Records Management;
- Intuitive UI based on user-centred design;
- Centralised solution that enables Records Managers to seamlessly manage unstructured content across multiple content repositories using an extensible connector framework;
- Reduced burden on end users by rules based automation that hides records concepts and removes the need to manually classify content.
21. With Easy, MODERN and Trusted Compliance
Modern Architecture
- Records-as-a-Service: The only cloud-first, SaaS records management system;
- Highly Scalable: based on RESTful APIs and a Micro-services architecture that means the solution can scale as needed;
- Highly Portable: Can be deployed in different Infrastructure-as-a-service providers with support for diverse cloud deployment models;
- Highly Extensible:
  - Uses W3C recommended approaches to provide context for records;
  - Schemaless Data Model for easy integration with different ontologies;
  - Support for Custom Connectors with modern REST APIs, WebHooks and SDKs;
- Cost Effective: Leverages multiple open source technologies and standards that lower total cost of ownership.
22. With Easy, Modern and TRUSTED Compliance
Local & Global Standards Compliant
- Designed from the ground up to be compliant with local and global standards to ensure record management best practices are in place;
- Maintain data onshore to meet data sovereignty compliance;
- Support for long-term preservation and archiving to guarantee that digital information of continuing value remains accessible and usable via open standards;
- Certified on SOC 2 Type 1 and Type 2 and in the process of getting certified on other security & operational standards - IRAP, ISO 27001, DoD5015.2.
34. Auto-applied based on sensitive information types
Auto-applied based on a search query
The label is a record
A user has manually applied a label
Auto-applied based on a location
Another label is older
43. If the label is… | Then the label policy can be applied to… (Exchange, SharePoint, OneDrive, Groups)
Published to end users | X X X X
Auto-applied based on sensitive information types | X X
Auto-applied based on a query | X X X X
44. PROS | CONS | RECORDPOINT
Use to identify and action sensitive content
Application of Label can be 1-7 days | Provides real time classification of content
A label can be used by RecordPoint to refine a classification
No hierarchy of labels | Can prioritize labels
No automatic application of labels to sites, content types,
Has localized certifications, such as
Generic functionality that doesn’t meet local standards
Can use a label as input
Need to have an E5 license for automatic labelling
Works with any SharePoint license
No automatic labelling for records | Automatic labelling of records and all content
Have to apply document library labels to each location
Can apply classifications from a central location
47. • Retaining content so that it can’t be permanently deleted before the end of the retention period.
• Deleting content permanently at the end of the retention period.
Organization Wide (limit of 10 org-wide policies and entire-location policies combined)
SharePoint | OneDrive for Business | Groups | Exchange Email | Exchange Public Folder | Skype for Business
Users (up to 1000) | Groups (up to 1000) | Locations (up to 100 sites)
Entire Locations | Include or Exclude
49. 1. If the content is modified or deleted during the retention period
2. If the content is not modified or deleted during the retention period
50. PROS | CONS | RECORDPOINT
Simple content clean-up for non-records content
A limit of 10 organization wide and location based retention policies
No limit on the number of retention policies
Covers Skype for Business and Exchange Content
Keeps documents for 93 days after disposition approval
Dispose of document immediately on approval
No certification of destruction | Provides a fully auditable certification of destruction
Covers social feeds and file share content, with more coming
Legal hold integrates with Office 365
Can retain content in place
51. High Level Classifications
Very High Level Retention
Retention Schedule
Manage Multiple Content Sources
Records Management
eDiscovery
Physical Records
High Certifications (DoD)
Editor's Notes
Mention location of toilets
Mention location of refreshments and food if not in the room
Top Row – typical issues.
Second row - Signs/indications of these issues
And the top row is only going to get worse, nor can you ignore it: 50% YOY growth in electronic content
41% of orgs state enforcing policy is their biggest issue
45% of orgs lack governance which opens them to security and compliance risks
Many many very public examples of poor compliance and the impacts they can have.
Many organisations are protecting the systems they can, but compliance is as good as its weakest link
A recent case study cited by Gartner stated that a large enterprise with 10PB of content would spend approx. 12.74m $US on unstructured storage (80% of 15.83m)
If they spent 1% (a 100TB set) on eDiscovery, which is not uncommon for a large enterprise @ $150k/TB they would be spending an additional 15m, just for basic culling of discovery sets (no coding, document review, etc.)
Research from Gartner suggests that typically only 1% of corporate information is on litigation hold, 5% is in records retention and 25% has current business value. Therefore up to 69% of all the data organizations collect has no business, legal or regulatory value at all.
As the value of data to business diminishes over time, unfortunately, the volumes increase
Just because data may not have an active value to a business any more, does not mean it is any less of a risk should it be leaked, than the currently active data.
Why do the high overheads associated with managing archive data occur:
End users as records managers – mis-classified (or not classified) content, e.g. first entry in classification scheme, e.g. community relations: addresses
End users don’t understand records management nor do they want/need to
Dictate where to store content – results in users often working in structures that do not fit the need or purpose of how they, as users interact with data
Results in duplication of content as users take copies of content due to it not being intuitive to find
Make end users tag content with metadata – kind of like a blended approach of the first two points (and the problems of both).
Give them a flexible structure, but insist they apply a records tag to all documents – there’s that “community relations:addresses” problem again!
End users move to an EDRMS once content is not being used – i.e. using the EDRMS as an archiving solution.
Very risky approach, and not taking advantage of the technologies available (eg versioning, security etc)
No compliance or controls if (or until) the documents reach the EDRMS
No real way to ensure content reliably moved to the EDRMS
No WIIFM factor for users to move content
Force use of a non-modern solution – typically all of the above scenarios are brought about as a result of more traditional thinking and approach to compliance.
Note: Risks will appear on click
This slide highlights some of the issues we saw on the typical solutions slide
Records controls didn’t come in until after the document is finalised/declared
Users needed to be “in on” the declaration process
Additionally, here are some of the other risks highlighted by this process:
Risk of deletion: before the document has been declared a record
Risk of not being declared a record
Risk of non-disposal: the content is kept too long opening us up to liability
Note – click to reveal RP logo in place of “?” after explanation.
What we want to do is introduce you to the concepts of a system of records versus a system of engagement.
Traditionally people have only thought about things in a system of record context (systems of engagement box on the left).
Today, these lines are blurring and people don’t have time or inclination to move stuff around to assist organizational compliance goals.
RecordPoint is different because it's about allowing content to stay in place without the need for users to move it, or even have visibility that it's being managed
For example, the recommendation for users in O365 was for them to move content to the EDRMS (even though usually not clear when to move it) and delete from Office 365
Reduces findability
High end user burden
Contradicts modern workplace concept
We would recommend a system of record that works seamlessly across all systems of engagement. This way records are properly managed without the end user’s involvement. It allows users to work in the systems they are most comfortable.
System of Record versus Systems of Engagement
We think that the industry should be thinking about information management in two categories:
The systems of engagement, where users do their everyday work.
The system of Record, which is where Records management functions are performed.
Systems of Engagement
These are tools such as Office 365, SharePoint on-premises, files shares, Box, Dropbox, Google Drive, etc.
The user experience of these tools should not be impacted by the system of record, therefore meaning no user adoption or training is needed.
End users can perform their day to day tasks without thinking about records management.
System of Record
The "one source of the truth" for compliance and records management
Only accessible by records officers that are deeply trained in RM
Automates the identification, classification and lifecycle of a record
Benefits of this approach
Manage policies and administration in one location for all content
No risk of deletion prior to records management - all documents are captured as they are created
Can manage content in place, which reduces confusion for the end users and maintains context of the document
Achieves compliance, without reducing productivity or impacting the user's ability to collaborate easily
Risk of not using this approach
Time spent managing and administering multiple systems of records
Risk of human error - some documents might not be properly covered by a policy
Lack of visibility of information and data not stored within the 'classic' records management system
If we look at this just in the context of O365, it's even more startling
Talk to different engagement points in O365 and the compliance requirements that underpin (or should)
Note: 2nd and 3rd rows will appear on the 2nd and 3rd click
Managing content is all users care about but there are other requirements from an organizational perspective
Benefits of Managing Content as a Record
The correct retention and disposition policy is applied to content from the beginning
No need to reclassify information as a record later
Users don’t need to be records managers
Users don’t need to consciously move or declare content for compliance
No risk of accidental deletion of content
Click for 2nd row
By allowing users to just manage their content, and providing invisible records management, it is possible to meet the key requirement
Click for 3rd row
Risk of Not Using This Approach
See risks of deletion and risks of non-disposal above
Lengthy and cumbersome disposal approval processes
Other ISO Notes
TALK TO THE BOXES IGNORE THE BELOW
Who is it for?
Need points for how Costs are reduced for each:
SETUP:
Cloud/SaaS platform – no hardware investment, minimal platform setup required
MAINTAIN RECORDS
Automatic via rules.
No cost to users as the onus is not on them
ADD or CHANGE A POLICY
Change/update policy in RecordPoint, resubmit content. No need to perform updates on the content side
TRAINING
Don’t need to train users in RM. Train them in using SharePoint
LICENSE FEES
Subscription rather than outright purchase
SUPPORT COSTS
No need to invest in supporting/upgrading the platform. Part of SaaS
TCO
NOT MANAGING MULTIPLE SYSTEMS
Read left box. And how we do this – points in right
Remove the Management Burden for Records Managers and Users
RecordPoint removes the need for records managers to manage electronic records requests after information has been classified, and before disposal.
Benefits of this approach
The records managers 'govern' rather than manage
Users do not have to worry about records management. They can go about their daily work as normal.
Risk of not using this approach
Records managers fulfilling requests that could be automated
Users are not records experts. They could misclassify something or not classify it.
We made it easy by
DoD, ISO15489 and ISO16175, ISO27001
Before we dive into the compliance features from Microsoft, this is a quick reminder of the range of features in Office 365; however, this slide groups the activities against the underlying technology
Office 365 eDiscovery:
Data Loss Prevention (DLP): identify, monitor, and automatically protect sensitive information across Office 365
Identify sensitive information across many locations, such as Exchange Online, SharePoint Online, and OneDrive for Business.
Prevent the accidental sharing of sensitive information.
Monitor and protect sensitive information in the desktop versions of Excel 2016, PowerPoint 2016, and Word 2016.
Help users learn how to stay compliant without interrupting their workflow.
View DLP reports showing content that matches your organization’s DLP policies.
Information Rights Management (IRM)
Service Assurance: It’s about transparency
Safeguards confidentiality, integrity, availability and reliability of your data.
Lets you control access to your data.
Helps you comply with various regulatory standards.
Customer Lockbox
Advanced Threat Detection (ATD):
Interactive tools to analyze prevalence and severity of threats in near real-time.
Real-time and customizable threat alert notifications.
Remediation capabilities for suspicious content.
Expansion of Management API to include threat details—enabling integration with SIEM solutions.
Supervision
Audit Log
The Security & Compliance Center is where all the feature settings are located, within Office 365 tenant admin.
Assign permissions to people in your organization so they can perform tasks in the Security & Compliance Center
Manual label will always override automatic label
Who is it for?