Communication Compliance was announced at Microsoft Ignite 2019 as part of the new Insider Risk solution set in Microsoft 365. It builds on the features of Office 365 Supervision Policies (something I’ve previously blogged about: Email Supervision in Office 365); however, Communication Compliance brings some fantastic improvements.
Communication Compliance monitors outbound and inbound communication across Exchange email, Microsoft Teams chats, standard and private channels (and their attachments), Skype for Business conversations, and third-party platform communications (such as Facebook, Twitter, etc.). It automatically detects and captures inappropriate communication across these channels based on policies you define, and alerts reviewers to it.
How will this tool improve our compliance lives?
Communication Compliance is a tool to help with regulatory oversight in your organization; however, it is also a “coaching for compliance” tool for remediating non-compliant or risky insider behavior. It’s a significant improvement over Supervision Review in several key ways:
- Microsoft provides intelligent, customizable templates to start with
- Review workflow process for remediation takes place in the tool instead of in the reviewer’s Exchange mailbox
- Communication Compliance can leverage classifiers (both built-in and custom) to be able to intelligently detect sharing of certain types of communication at scale across all communications channels
- You can view the Teams communications in a threaded mode allowing you to see context of conversation rather than a communication in isolation
- Tenant-wide dashboard to provide insight for policy matches across all policies in the tenant including: Recent policy matches, resolved items, users with most policy matches, and escalation by policy
This post will walk through an example in my own tenant of monitoring the communication of a fictitious employee, John Brown, for regulatory compliance using this new tool. Although my example scans John’s communication channels for a customer #, it could be for any type of content your regulation requires (e.g., FINRA requiring oversight of employees’ communication for certain words that indicate the business they’re engaging in).
Microsoft reference: Configure communication compliance in Microsoft 365
Licensing: Users covered by communication compliance policies must have either a Microsoft 365 E5 Compliance license, an Office 365 Enterprise E3 license with the Advanced Compliance add-on, or be included in an Office 365 Enterprise E5 subscription.
Permission for Communication Compliance… it’s not sufficient to be a Global Administrator! You must set up a new role group (Communication Compliance Reviewer in my example below) with three roles (Supervisory Review Administrator, Case Management, and Review) and assign members to that role group; only those members will be able to investigate and remediate communications.
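The role group described above can also be created and verified from Security & Compliance PowerShell rather than the Compliance Center UI. The block below is an added example and is not code from the original post; it assumes the ExchangeOnlineManagement module is installed, and the accounts admin@contoso.com and reviewer@contoso.com are placeholders.

```powershell
# Added example (not from the original post): create the reviewer role group the post
# describes using Security & Compliance PowerShell.
# Assumes the ExchangeOnlineManagement module is installed; the account names are placeholders.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.com'

# The three roles the post names; nothing beyond these is needed to review and remediate.
$roles = @('Supervisory Review Administrator', 'Case Management', 'Review')

New-RoleGroup -Name 'Communication Compliance Reviewer' `
    -Description 'Reviewers who investigate and remediate Communication Compliance alerts' `
    -Roles $roles `
    -Members 'reviewer@contoso.com'

# Verify the group actually carries all three roles before anyone relies on it:
# a group missing one role fails silently in the UI with an "access denied" experience.
$group   = Get-RoleGroup -Identity 'Communication Compliance Reviewer'
$missing = $roles | Where-Object { $group.Roles -notcontains $_ }
if ($missing) {
    Write-Warning "Role group is incomplete; missing: $($missing -join ', ')"
} else {
    Write-Output 'Role group holds all required roles.'
}

# Membership is separate from roles; confirm the reviewer landed in the group.
Get-RoleGroupMember -Identity 'Communication Compliance Reviewer'
```

Keeping reviewers in a dedicated, least-privilege group (rather than adding these roles to Global Administrators) also gives you a single group to audit when you later need to show who could read supervised communications.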
The Compliance Requirement
John works with our competitors and many people across our own organization and we need to monitor his communications to determine whether he is sharing customer numbers in any of his outbound communications.
Multiple controls: This is an example where additional controls could be put in place to detect and take action on the detection of a customer # in a communication. Examples:
- Have a DLP policy in place to warn or prevent anyone from sharing a customer # in an email or a document with anyone outside of the company
- Have a sensitivity label configured to automatically apply protection to a document if a customer # was found within a communication
As you can see, there are several ways to detect and protect against a customer # “breach”.
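For the first of the additional controls listed above, a DLP policy that blocks a customer # from leaving the company, here is an added example in Security & Compliance PowerShell. It is not code from the original post; it assumes the custom sensitive information type ABC Corp Customer Number already exists in the tenant (see the post referenced above), and the policy and rule names, admin@contoso.com and compliance@contoso.com are placeholders.

```powershell
# Added example (not from the original post): a DLP policy that blocks sharing of the
# custom sensitive information type with anyone outside the organization and warns the user.
# Assumes the SIT 'ABC Corp Customer Number' exists; mailbox and policy names are placeholders.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.com'

# Confirm the custom SIT resolves before a rule references it by name.
$sit = Get-DlpSensitiveInformationType -Identity 'ABC Corp Customer Number'
if (-not $sit) { throw 'Sensitive information type not found; create it before building the rule.' }

# Start in test mode with notifications so false positives surface before anything is blocked;
# switch -Mode to Enable once the match rate looks right.
New-DlpCompliancePolicy -Name 'ABC Corp Customer Number Protection' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# One rule covers the control the post describes: a single customer number going to an
# external recipient is blocked, the sender is told why, and compliance gets an incident report.
New-DlpComplianceRule -Name 'Block external customer number sharing' `
    -Policy 'ABC Corp Customer Number Protection' `
    -ContentContainsSensitiveInformation @{ Name = 'ABC Corp Customer Number'; minCount = 1 } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser 'LastModifier', 'Owner' `
    -GenerateIncidentReport 'compliance@contoso.com' `
    -IncidentReportContent 'Title', 'DocumentAuthor', 'Detections'

# Review what was created; the rule should show BlockAccess True and AccessScope NotInOrganization.
Get-DlpComplianceRule -Policy 'ABC Corp Customer Number Protection' |
    Select-Object Name, AccessScope, BlockAccess, Mode
```

The DLP rule and the Communication Compliance policy are complementary: DLP stops the customer # at the boundary, while Communication Compliance gives a reviewer the conversation context and the remediation workflow for the user who tried to send it.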
Communication Compliance provides pre-defined, customizable policy templates to choose from, or you can build a custom one from scratch. For this example, I’ll choose Custom policy:
I provide John Brown’s name as the supervised user, myself as the reviewer, Exchange and Teams as the monitored locations, outbound communications only, and a match on the custom sensitive information type configured in this tenant for our corporate customer #, called ABC Corp Customer Number. (To set up the custom sensitive information type, refer to a previous post I wrote: Build and Use Custom Sensitive Information Types in Office 365)
Note: For testing, I’ve chosen to monitor 100% of the outbound communication for John; however, it’s unlikely you would want to do this in a production scenario due to the sheer volume of content to review.
Once created, it can take up to 1 hour for the policy to activate and an additional 24 hours for the policy to start capturing communications.
The Waiting Period
For purposes of this blog post, I seeded some content from John: Teams chats, channel posts, and an Exchange email, some of them containing customer #s matching the format of my custom sensitive information type, ABC Corp Customer Number. I’ll wait 24 hours for the Communication Compliance policy to start capturing the communications matching the policy.
In the meantime, let’s configure a “Notice Template”! What’s that, you’re wondering? To notify the sender of a violation, you can set up a template that provides an approved, pre-crafted message to the user. Tip: Bcc your compliance, legal, risk, or HR review teams to keep them in the loop on any of these notices being sent out.
24 hours later…
I start to see some items coming into the Communication Compliance dashboard for this policy. Several items were detected and await my review:
- 1 Exchange email
- 4 chats
The information is presented to me on a dashboard to provide insights across all policies in my tenant and is a launch point for starting the remediation workflow on all alerts:
When reviewing John’s communications, I can filter, tag, see threaded conversations (the same capability that is also in Advanced eDiscovery), see exact and near duplicates, use keyword highlighting, and even view the behind-the-scenes message details, which is helpful for troubleshooting.
What happens if I need to take action on an item? There are several actions you can take:
- Resolve: if the item is not questionable or non-compliant, you would resolve it. This will move it into the Resolved tab. Optional: you could tag it first as Compliant although this is not required
- Tag as: Questionable, Compliant, Non-Compliant. You can then filter on these tags making this a very helpful feature, particularly in large result sets. It appears you cannot customize these tags like you can in Advanced eDiscovery
- Notify: using the notice template we created in a previous step, you can send a notice to the sender of the selected communication. You will have the opportunity to edit the notice or create a new one in the moment before sending
- Escalate: if escalation is required on an item, an email will be sent to someone you identify to further review the item(s) selected. In this example, I’m both the reviewer and the escalation person which doesn’t make sense, but you get what I mean… 😉
Note: the escalation person would require permission to access the M365 Compliance Center and the Communication Compliance tool.
- Create a case: In severe cases, you may want to do this. This creates an Advanced eDiscovery case making John a custodian for all items you have selected in the review pane. The eDiscovery administrators are automatically notified so they can assign the appropriate case members in eDiscovery to continue the review and investigation
- False positive: mark the item as a false positive to indicate this item shouldn’t be a match on the policy. This will also resolve the item.
The reviewer will also see all of the items to be reviewed in their Exchange mailbox, similar to Supervision Policies; however, I prefer the new and improved workflow tool in the Compliance Center for assessing items under review.
A significant improvement of Communication Compliance over Supervision policies is the intelligent insight it has across your environment, gained by leveraging built-in and custom classifiers in your policies to detect content across your organization’s communication channels. The built-in classifiers delivered with Communication Compliance are below. They can be used both in policies and to filter results:
Tip: Create a custom classifier to identify contracts, budgets, or customer documents in your own environment and then monitor for where/when they’re being shared across your communication channels!
I’ll be testing the built-in classifiers and building custom ones of my own in the coming months and look forward to leveraging the machine learning model Microsoft has provided for this.
Thanks for reading.