Enhanced classification to quantify potential sensitive data risk in all M365 email, collaboration and document repositories.
Do you have potentially sensitive data in Microsoft 365?
Protecting information is critical to ensuring trust and meeting internal and external privacy and regulatory requirements. While mobility and cloud services have helped users become more productive and collaborative, securing and monitoring data has become harder.
Data protection faces new challenges as people work in new ways, creating and sharing data across boundaries, and as organisations prepare to deploy AI tools, good governance is needed to ensure the security of sensitive data.
Organisations must now protect sensitive information across devices, SaaS applications, and cloud services in addition to on-premises environments. But before an organisation can protect its data, they must first know where it resides, how it is being used and shared, the associated privacy and regulatory risks, and if the data is even still needed.
A Microsoft 365 Sensitive Data Assessment (M365 SDA), undertaken by Microsoft Information Protection and Compliance Administrator Associates from Oyster IMS, is an initial data examination to identify potentially stale and sensitive data in your M365 estate.
SDA Objectives
- Identify a selection of privacy and regulatory risks that might exist in Microsoft 365.
- Help understanding of how M365 services and products can mitigate and protect against risks.
- Provide a prioritised phased action plan to mitigate risks and improve compliance posture.
Where is this sensitive data?
The M365 SDA is powered by Microsoft’s Data Risk Check (DRC) methodology.
The DRC is a structured engagement that leverages Microsoft 365 Purview Information Protection and Data Lifecycle Management tools to visualise existing, and sometimes hidden, privacy and regulatory risks that might exist in the data that resides in a Microsoft 365 environment.
At its core, the DRC scans Exchange Online, SharePoint Online and Teams repositories. The outcome and findings of the DRC serve as input to the overall assessment and will be used to create awareness and make mitigation plans.
Sensitive Data Types
Documents, emails and other types of data often contain critical information about employees, customers, projects or other business-sensitive content.
Most organisations are subject to privacy or industry regulations such as GDPR, CCPA, SOX, HIPAA, or others. The exposure, breach, or leakage of data containing any sensitive information may potentially bring high financial, reputational, or other risks to the business and so must be avoided.
The DRC creates an inventory of potentially sensitive data using Microsoft’s generic classification types to identify Personally Identifiable Information (PII) such as UK National Insurance Numbers.
Additionally, the DRC leverages custom sensitive information types developed by Oyster IMS, to search for Special and/or Core categories of data as defined by GDPR. In this example, our Special category search identified a high incidence of Criminal Offence Data in the same dataset.
Stale Data
Much of the data that is created by organisations becomes stale or unused immediately after creation and is no longer of value.
Many organisations have not implemented an automated Retention and Disposition process to safeguard the timely deletion of data. This results in high volumes of stale and unused data that can impose risks and potential financial liability if exposed inappropriately.
The DRC process creates an inventory of data that is older than X months (configurable to the Client’s preference) and provides insight into the volume of documents, their size, and location. This inventory can be used to better understand the associated risks and then used to optimise future storage costs.
