Office 365 Regulatory Compliance: Promoting Compliance with Office 365
In the time it takes to read this informative blog, multiple staff members have saved important documents that have not been captured by your records management system. Now don’t run down to accounts and start a lengthy discussion on why records management is important. There is a good reason for this behaviour. People don’t like to waste time interacting with programs or apps that don’t apply to them or that they are not familiar with.
Due to this way of thinking and working, electronic records are slipping through the eDRMS cracks and not being captured correctly or even at all. It appears that records management systems will need to become truly transparent to ensure all the important data is captured, classified and retained.
Are you currently using Office 365 or is your organisation interested in its compliance capabilities? With organisations moving towards building new, collaborative workspaces, many are adopting Office 365 to achieve this. Although it may not be as advanced as traditional records management systems, Office 365 still has functionality that can go a long way to improving an organisation’s records retention and security. With Office 365 regulatory compliance functionality, organisations can improve their ability to accurately capture information and dispose of it when it is no longer required to be retained, no longer of value or no longer required for business purposes. The advantage of using Office 365 to accomplish this is that end-users can work with the tools they are familiar with and do not need to engage with a traditional eDRMS. This, in turn, means more productive staff.
These are ways Office 365 can cover the lifecycle of your documents and achieve regulatory compliance through its advanced governance features.
Labels are used in Office 365 to trigger retention periods or security settings. Labels can be applied either manually by an end-user or automatically to documents that contain sensitive information, specific keywords or belong to a specific content type. These labels can then be used to trigger specific security controls, validate disposal or disposal review dates.
Retention labels in Office 365 classify information across your organisation and enforce retention rules based on those classifications. With retention labels you can:
- Enable people in your organisation to apply a retention label manually to content in Outlook on the web, Outlook 2010 and later, OneDrive, SharePoint, and Office 365 groups. Users often know best what type of content they’re working with, so they can classify it and have the appropriate policy applied.
- Apply retention labels to content automatically if it matches specific conditions, such as when the content contains:
  - Specific types of sensitive information.
  - Keywords that match a query you create.

  The ability to apply retention labels to content automatically is important because:
  - You don’t need to train your staff on all of your classifications.
  - You don’t need to rely on people to classify all content correctly.
  - Users no longer need to know about retention policies – they can instead focus on their work.
- Implement records management across Office 365, for both email and documents. Office 365 also provides built-in functionality where you can classify content as a “SharePoint record”, which means it cannot be edited or deleted.
- Apply a default retention label to a document library, folder, or document set in SharePoint, so that all documents that arrive in that location inherit the default retention label.
With sensitivity labels, you can classify and help to protect and secure your sensitive information, while ensuring that people’s productivity and ability to collaborate isn’t hindered. You can use sensitivity labels to:
- Enforce protection settings such as encryption or watermarks on labelled content. For example, your staff can apply a confidential label to a document or email, and that label can encrypt the content and apply a confidential watermark.
- Protect content in Office apps across different platforms and devices. Sensitivity labels work in Office apps on Windows, Mac, iOS, and Android.
- Prevent sensitive content from leaving your organisation on devices running Windows, by using endpoint protection in Microsoft Intune. After a sensitivity label has been applied to content that resides on a Windows device, endpoint protection can prevent that content from being copied to a third-party app, such as Dropbox or Gmail, or being copied to removable storage, such as a USB drive. For example, you could apply a sensitivity label on content containing Personally Identifiable Information (PII), such as credit card numbers.
- Protect content in third-party apps and services, by using Microsoft Cloud App Security. With Cloud App Security, you can detect, classify, label, and protect content in third-party apps and services, such as Salesforce, Box, or Dropbox, even if the third-party app or service does not read or support sensitivity labels.
- Extend sensitivity labels to third-party apps and services. With the Microsoft Information Protection SDK, third-party apps on Windows, Mac, and Linux can read sensitivity labels and apply protection settings.
- Classify content without using any protection settings. You can also simply assign a classification to content (like a sticker) that persists and roams with the content as it’s used and shared. You can use this classification to generate usage reports and see activity data for your sensitive content. Based on this information, you can always choose at a later time to apply protection settings.
- Choose from the same sensitive information types as when you create a data loss prevention (DLP) policy, when automatically applying a sensitivity label based on conditions.
In all of these cases, sensitivity labels in Office 365 can help you take the right action on the right content. With sensitivity labels, you can classify data across your organisation and enforce protection settings based on that classification.
Separate from their retention label counterparts (see above), retention policies are used to retain content for a specified period, delete content after a specified time and delete content automatically. The retention can start from when the documents were created or last modified and can be applied to volumes of emails, documents, instant messages and more.
Like labels, you can choose which location to deploy the retention policy to. These locations include: Exchange mail, SharePoint, OneDrive for Business, Groups, Skype for Business, Exchange Public Folders, Teams Channel Messages and Teams Chat.
One of the benefits of using Office 365 retention policies is to promote better sharing of knowledge within your organisation by ensuring your staff work on content that is current and relevant to them. There is also the freedom to apply a single policy to the entire organisation or to just a specific location or user. Blanket policies are a good way to ensure content is not accidentally deleted and can be recovered.
With organisations experiencing a continually increasing volume of online communications through a variety of platforms such as email and Microsoft Teams, one of the biggest compliance challenges modern organisations face is how to monitor and regulate this. Office 365 has addressed this concern by introducing supervision policies, which allow organisations to capture users’ communications for examination by designated internal or external reviewers. With Office 365 supervision you can define policies that capture internal and external emails, Microsoft Teams communications or third-party communications, and then a nominated reviewer can examine these communications to ensure they are compliant.
Stop letting content slip through the eDRMS cracks and not be captured by your records management system. Become more proactive and initiate an array of Office 365 regulatory compliance capabilities.
Capture communications with supervision policies for review to promote compliance. Reinforce protection settings across your organisational documents with sensitivity labels and even extend that security to third-party apps with the SDK or, if you’re extra cautious, prevent sensitive content from even leaving your devices. Retain your electronic documents correctly and apply retention policies and retention labels. Cut the middleman out and use the automatic features of Office 365 to ensure you are meeting your regulatory compliance requirements. Set retention policies for bulk or mass emails, documents and instant messages for a blanket effect to each location.
Best of all, keep information current, relevant and compliant by disposing of any redundant, old or non-permanent documents with confidence and ease.
If you want to learn more about how Office 365 regulatory compliance capabilities can help your organisation meet its regulatory obligations, speak to one of our Office 365 consultants.
John Whitehead LLB (Hons)
Senior Business Consultant
John has worked in the Information Management industry at a senior level for over twenty years and brings his wide-ranging technical, commercial and management skills to each project. He is client focussed and has a proven track record of providing Information Management solutions that deliver significant business value to his clients.