Last update: February 2018 [New Information Protection role]
While sharing my Information Management/Data Governance presentation this past weekend at SharePoint Saturday Toronto, I had a conversation with some attendees about a new role emerging on Office 365 teams, particularly in the medium to large business space. What is this role? It’s a hybrid of the traditional Information Management/Records Management role, the Compliance Officer, the Security Officer and the O365 Tenant Administrator. I’m calling this role the Office 365 Information Manager. Depending on the size of the organization, this may be one person or a team of people.
Here is what I see as being the key responsibilities of this role within Office 365:
Azure Information Protection (AIP)
- Determine the default AIP labels for the organization’s Global Policy including clear language on what each of the labels means in layman’s terms
- Determine the business process for requesting new AIP scoped labels from across the organization. (These are labels scoped to specific users/groups for specific projects, groups, etc.)
- Configure the AIP scoped labels in advance of requiring them
- Determine the process for retiring an AIP scoped label (eg. a scoped label is defined for a Merger project; when the Merger project is over, the label itself needs to be retained because documents already carrying it still depend on it, but it should be removed from the policy so it is no longer offered to users)
- Work with the Office 365 Admin team to test out conditions on AIP labels and verify the accuracy of label recommendations. Based on the test results, decide when/if a label can be made automatic.
- Determine which labels can be overridden by an end-user
- Decide who will monitor label override comments. (Automated labels can be overridden and require a comment by the end-user – who will monitor these?)
Retention Labels and Policies
- Determine how the organization retention schedule translates into Office 365 Retention labels and policies
- Determine the mapping between Retention labels and published locations (eg. will you publish certain retention labels to specific SharePoint site collections, to ALL SharePoint site collections, or to Exchange, Skype for Business and SharePoint together?)
- Determine the over-arching Retention policies (if any) your organization will put in place
- Determine the Disposition Review process (eg. who is responsible for reviewing the dispositions? Will this responsibility be delegated by retention label or by site collection? How and where will approved dispositions be retained? The resulting file will be the Certificate of Disposition.)
- Decide which, if any, libraries will have a default retention label assigned
Data Loss Prevention (DLP)
- Determine the corporate digital assets requiring protection
- Determine the conditions and rules to identify the above assets
- Determine which policies can be overridden
- Determine who will monitor the policy overrides
- Determine which DLP policies will be recommended and which ones will be automatic.
- Test the policies for accuracy
- Monitor the DLP violation reports
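The DLP decisions above (which rules are recommended and which are automatic, which can be overridden, and testing before enforcing) map directly onto settings in Security & Compliance Center PowerShell. The following is an added example, not code from the original post: it assumes a Security & Compliance Center PowerShell session, the built-in "Credit Card Number" sensitive information type, and hypothetical policy, rule and reviewer-mailbox names.

```powershell
# Added example, not from the original post. Assumes the account used can
# create DLP policies and that Security & Compliance Center PowerShell is
# reachable. Policy/rule names and the reviewer mailbox are hypothetical.

# Connect to Security & Compliance Center PowerShell
$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking

# 1) Create the policy in test mode with notifications: users see policy tips
#    and matches are reported, but nothing is blocked yet. This is the
#    "test the policies for accuracy" step.
New-DlpCompliancePolicy -Name "PCI - Credit Card Numbers" `
    -Comment "Protect cardholder data in SharePoint, OneDrive and Exchange" `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All `
    -Mode TestWithNotifications

# 2) Low-volume rule: a recommendation only. Users get a policy tip and can
#    override without a justification.
New-DlpComplianceRule -Name "PCI - low volume (recommend)" `
    -Policy "PCI - Credit Card Numbers" `
    -ContentContainsSensitiveInformation @{Name="Credit Card Number"; minCount="1"; maxCount="9"} `
    -AccessScope NotInOrganization `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText "This item appears to contain card numbers. Check before sharing externally." `
    -NotifyAllowOverride WithoutJustification `
    -ReportSeverityLevel Low

# 3) High-volume rule: automatic. External access is blocked, an override
#    requires a business justification, and an incident report goes to the
#    team that monitors overrides.
New-DlpComplianceRule -Name "PCI - high volume (block)" `
    -Policy "PCI - Credit Card Numbers" `
    -ContentContainsSensitiveInformation @{Name="Credit Card Number"; minCount="10"} `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier, Owner `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport "dlp-reviewers@contoso.com" `
    -IncidentReportContent All `
    -ReportSeverityLevel High

# 4) After the test period, review what was created and switch the policy
#    from test mode to enforcement.
Get-DlpComplianceRule -Policy "PCI - Credit Card Numbers" |
    Format-List Name, BlockAccess, NotifyAllowOverride
Set-DlpCompliancePolicy -Identity "PCI - Credit Card Numbers" -Mode Enable
```

The split into a "recommend" rule and a "block" rule is the practical way to express the recommended-versus-automatic decision: the same sensitive information type drives both, and only the match count and the override setting differ. Leave the policy in TestWithNotifications until the reports show an acceptable false-positive rate, then move it to Enable.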
The above three features all touch the end user directly, and the goal should be to make that experience as smooth as possible with minimal interruption to their work. The best way to do this is to train users on what they will see and what is expected of them.
To do this, work alongside the Office 365 team to include AIP, Retention and DLP training across the organization. I discuss this in my previous blog post When to Choose What Label in Office 365 – the new dilemma!
Examples of training sessions you could give:
- Data Protection 101
- When to Choose What Label
- How to monitor and track your externally shared documents
I consider this to be advanced end-user training for Office 365. I would only give this training once end-users are comfortable using the basic tools across the Office 365 service such as Mail, OneDrive for Business, Skype for Business, SharePoint and all of the Office clients.
[UPDATE October 31, 2017] An innovative idea for approaching this type of training is to build a Data Protection Adoption Center in your Office 365 tenant. Read my blog post, O365 Data Protection: Information Worker Adoption, where I talk about ideas for building your own.
Office 365 Tenant Roles
There are roles and role groups within an Office 365 tenant you can use to assign targeted permissions within the Security & Compliance Center to accomplish some of the items above.
More information: Permissions in the Office 365 Security & Compliance Center
[Update February 2018] Microsoft recently announced the addition of a new role in Azure Active Directory called Information Protection Administrator. Members of this role will be able to manage Azure Information Protection labels and policies using the Azure portal, and use the Rights Management Services PowerShell. This is a great way of delegating the administration of AIP without granting Global Administrator rights.
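Delegating AIP administration to an Information Manager this way can be scripted so the assignment is repeatable and auditable. The following is an added example, not code from the original post: it assumes the AzureAD PowerShell module, an account that can assign directory roles (Global Administrator or Privileged Role Administrator), and a hypothetical delegate account. If your tenant shows a different display name for the role, match on that name instead.

```powershell
# Added example, not from the original post. Assumes the AzureAD module is
# installed and the signed-in account can assign directory roles.
# The delegate's UPN is hypothetical.
Connect-AzureAD

$delegate = Get-AzureADUser -ObjectId "info.manager@contoso.com"

# Built-in roles exist only as templates until first activated in a tenant,
# so look for the role and enable it from its template if it is not there yet.
$roleName = "Information Protection Administrator"
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate |
        Where-Object { $_.DisplayName -eq $roleName }
    if (-not $template) { throw "Role template '$roleName' not found in this tenant" }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Assign the role to the delegate (no Global Administrator rights involved)
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $delegate.ObjectId

# Verify, and keep this list under periodic review as part of access governance
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object DisplayName, UserPrincipalName
```

Scoping the delegation to this one role, rather than to Global Administrator, keeps label and policy management with the Information Manager while the tenant administrators retain everything else, which is the separation the rest of this post argues for.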
Where do we go from here?
I believe the Office 365 Information Manager is a critical role to successfully manage information, protect corporate data and remain compliant across all Office 365 services. They will need to balance the compliance requirements against the business user impact and understand how to configure these features within the Security & Compliance Center in Office 365. I recommend talking with your information management team about this new role and finding out what their thoughts are.
I believe this role should not be left to the Office 365 Admin team alone to take on as these configurations should be approached from an Information Management and Data Protection perspective and not from a technical one.
I’m interested to see how organizations will staff this role as they move into configuring these features in their own tenants.
Thanks for reading. 🙂