As I’m working with organizations starting down the road of implementing some of the data protection controls in their own Office 365 tenants, there are some critical education pieces required for end-users. I believe end-users’ actions are perhaps the most important factor in determining the degree of success an organization will experience in meeting their Data Protection requirements. Although there are many times you can automate the controls, there will be occasions where the onus will be put on the end-user to make a decision and manually add a label. Because of this, I’m often thinking of ways to ensure the end-user is armed with the knowledge they need to be successful. End-users need to know how to handle the documents and emails in your organization in a safe and secure way.
I’ve recently blogged about using a SharePoint Communication site for an organization’s Office 365 Adoption Center – a “one-stop shop” for an Information Worker in Office 365. You can read about that post here. I thought of another excellent use-case for the Communication site template for organizations implementing the new AIP labeling features and protection controls in the Office 365 Security and Compliance Center. I believe a SharePoint Communication site would be an effective channel to guide end-users to “do the right thing” – something we need them to know how to do.
I recommend downloading Microsoft’s recent white paper titled ‘Modernizing Enterprise Content Management with Microsoft Content Services’ to learn about Microsoft’s approach to what was traditionally referred to as Enterprise Content Management (ECM). ECM has undergone a drastic evolution in recent years to what will now be called Content Services. The four pillars of Content Services are: Harvest, Create, Coordinate and Protect.
The Data Protection Communication site I describe in this post is part of the ‘Protect’ pillar.
Here’s an example of what a Data Protection SharePoint Communication site could look like. Although the visuals could be accomplished in a number of ways and are not material to this post, the most important thing to configure is the content behind it, which I will describe below.
Here are some ideas for content you may want to put on your own Data Protection Communication site for end-users:
- What is Data Protection? This should be a definition of Data Protection in layman’s terms and why it’s important to protect your documents and emails within an organization. This is also a great place to talk about the risk if you don’t – something that some users may not think about. If your organization needs to be compliant for a specific regulation (GDPR for example), this is where you would describe what this means for end-users working with content in your tenant.
- Q&A. Have a running Q&A for common questions on labeling a document. This could link to a number of different things – everything from a simple SharePoint list to a Bot purpose-built to answer Data Protection questions specific to your organization (refer to my recent blog post Build an FAQ Bot in less than an hour to get you started on building your own Bot). The most important thing is to capture the common end-user questions and have clear and concise answers for each.
- Labeling 101. The Information Management team in your organization has likely spent a great deal of time coming up with the labeling scheme for your organization and now they need to ensure end-users know what these labels mean. This tile could be where you describe your organization’s AIP and Retention labeling classification scheme. Describe each label in clear, simple language and give examples of the type of content (including documents, emails) each would apply to and what security controls are in place for each. Note: although AIP labels can be auto-applied, they won’t always be so you will need to ensure end-users understand what each label means for your organization.
- Classification Wizard. I saw this idea at the recent Microsoft Ignite conference. Build a wizard to take an end-user through the decision-making process for how a particular document should be classified. This could be as simple (a link to a spreadsheet or document describing it) or as complex (an actual wizard-like tool) as your requirements dictate, but it is a fantastic way to help end-users determine how a document should be labeled if they’re having trouble making that determination on their own. Also, you should give examples of documents that fall into each label.
- Usage Guidelines. This is where you will want to describe the usage guidelines for handling documents in your organization (i.e. handling controls). When provisioning an Office 365 Group, your organization can apply a data governance classification to each group that will apply to content stored within it (I’ve blogged about how to set up your organization’s classification here: Setting O365 Group Usage Guidelines). Once applied, end-users need to know what this means when they are working with content. For example, how should they handle content when in an Office 365 group marked as Public versus Confidential versus Top Secret? Does this affect the ability to share externally, to download or to print? I would recommend this hero image tile link to the same page as is defined in the UsageGuidelinesURL set through PowerShell in your tenant. In summary, the guidelines page should assist an end-user in knowing how to properly handle their documents.
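The tenant setting referred to in the Usage Guidelines item, as an added example that is not from the original post: it checks whether the Group.Unified directory setting already points at the Communication site's guidelines page and corrects it if not. It assumes the AzureADPreview module and an administrator sign-in; the site URL is a constructed placeholder and the label names are the ones used as examples above.

```powershell
# Added example; assumes the AzureADPreview module is installed.
Import-Module AzureADPreview
Connect-AzureAD   # sign in with an account allowed to manage directory settings

# Constructed placeholder: replace with the guidelines page on your own site.
$guidelinesPage = 'https://contoso.sharepoint.com/sites/DataProtection/SitePages/Usage-Guidelines.aspx'
# Example classifications taken from the text above.
$labels = 'Public,Confidential,Top Secret'

# A tenant has at most one Group.Unified settings object; it may not exist yet.
$setting = Get-AzureADDirectorySetting -All $true |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }
$isNew = $null -eq $setting

if ($isNew) {
    # Build a settings object from the built-in template.
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $setting = $template.CreateDirectorySetting()
}

# Report drift before changing anything, so a stale or unexpected link is noticed.
$currentUrl = $setting['UsageGuidelinesUrl']
if ($currentUrl -and $currentUrl -ne $guidelinesPage) {
    Write-Warning "UsageGuidelinesUrl currently points to '$currentUrl'"
}

$setting['UsageGuidelinesUrl'] = $guidelinesPage
$setting['ClassificationList'] = $labels

if ($isNew) {
    New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
} else {
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

# Read the values back to confirm what group owners and members will see.
(Get-AzureADDirectorySetting -All $true |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values |
    Where-Object { $_.Name -in 'UsageGuidelinesUrl', 'ClassificationList' } |
    Format-Table Name, Value -AutoSize
```

Running the read-back portion on its own is a quick periodic check that the link shown in group creation dialogs still resolves to the current guidelines page.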
For those of you working with the new Retention and Protection controls in Office 365, I would love to know your Adoption strategy and if you’ve built a SharePoint site to help with that adoption. If not, start thinking about the end-user education piece – a critical part of the successful rollout of these new controls.
Thanks for reading.
- Photo by Michał Grosicki on Unsplash
- Photo by Joe Shillington on Unsplash
- Photo by NeONBRAND on Unsplash