Information protection and governance capabilities of Microsoft 365

https://docs.microsoft.com/en-us/learn/modules/describe-information-protection-governance-capabilities-microsoft-365/

Know your data, protect your data, and govern your data

https://docs.microsoft.com/en-us/learn/modules/describe-information-protection-governance-capabilities-microsoft-365/2-know-your-data-protect-your-data-govern-your-data

  • Microsoft Information Protection (MIP)

    • Discovers, classifies, and protects data throughout its lifecycle
    • Provides the tools
  • Microsoft Information Governance (MIG)

    • Manages content lifecycle
    • Uses solutions to import, store, and classify data
    • Allows you to keep what you need and delete what you don’t

Know your data: understand the data landscape and identify important data across on-premises, cloud, and hybrid platforms. Tools include trainable classifiers, activity explorer, and content explorer.

Protect your data: apply protection actions including encryption, access restrictions, and visual markings.

Prevent data loss: detect risk and prevent accidental oversharing. Tools include DLP policies and endpoint DLP.

Govern your data: automatically keep, delete, and store data and records in a compliant manner.


Data classification capabilities in the Microsoft 365 Compliance Center

https://docs.microsoft.com/en-us/learn/modules/describe-information-protection-governance-capabilities-microsoft-365/3-describe-data-classification-capabilities-compliance-center

Data classification capabilities include sensitive information types, trainable classifiers, content explorer, and activity explorer.

Sensitive information types (SIT)

Pattern-based classifiers

For example: 123-456-789-ABC

Microsoft 365 includes SITs based on regular expressions (regex), for example:

  • Credit card numbers
  • Passport or ID numbers
  • Bank account numbers
  • Health service numbers

You can also create custom SIT.

Exact Data Match (EDM) is also supported; it matches exact values rather than regex patterns.
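
A simplified illustration of the two matching approaches above, added here and not taken from Microsoft 365: a regex-based detector for credit card numbers next to an exact-value lookup in the spirit of EDM. The Luhn checksum step, the hashing scheme, the function names and the sample data are all assumptions constructed for this example.

```python
import hashlib
import re

# Candidate pattern: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Pattern-based detection: the regex proposes candidates, the checksum confirms."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def digest(value):
    """Normalise and hash a value so the lookup table never holds it in clear text."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()

def build_exact_index(values):
    """Exact-match table built from the organisation's known sensitive values."""
    return {digest(v) for v in values}

def find_exact_matches(text, index):
    """Exact matching: a token is reported only if it equals an indexed value."""
    tokens = re.findall(r"[A-Za-z0-9-]+", text)
    return [t for t in tokens if digest(t) in index]

# Constructed sample data: a well-known test card number, a look-alike, and a made-up ID.
SAMPLE = ("Order 4111 1111 1111 1111 shipped; ref 1234-5678-9012-3456; "
          "member 123-456-789-ABC.")
KNOWN_IDS = ["123-456-789-ABC", "987-654-321-XYZ"]

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE))                                # regex + checksum
    print(find_exact_matches(SAMPLE, build_exact_index(KNOWN_IDS)))  # exact values only
```

The look-alike reference `1234-5678-9012-3456` has the shape of a card number but fails the checksum, while the member ID is found only because it is in the exact-value table; a pattern alone would also match any other string of that shape.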

Trainable classifiers

  • Uses AI and ML to classify data
  • Useful for classifying data unique to the organization
    • Pre-trained
      • Five are created by Microsoft
      • Start using without training them
    • Custom trainable
      • Create and train classifiers
      • Useful for unique organizational data

To train a classifier, it needs to “learn” by using seed data.

Trainable classifiers do not support data that is encrypted.

What is content explorer?

  • Gain visibility into the data that has been summarized
  • Highly restricted, as you can read scanned data
    • Content explorer list viewer
    • Content explorer content viewer

What is activity explorer?

  • Document-level activity such as label changes or
    • Files copied to removable media
    • Files copied to a network share
    • Label applied
    • Label changed

Sensitivity labels and policies

https://docs.microsoft.com/en-us/learn/modules/describe-information-protection-governance-capabilities-microsoft-365/4-describe-sensitivity-labels-policies

Sensitivity labels

  • Customizable
  • Clear text
  • Persistent
  • Only one label
  • Used to
    • Encrypt
    • Mark the content; such as watermarks, headers, or footers
    • Apply a label
    • Protect content in containers; the label is applied to the container, not to the file
    • Extensibility to third-party services via SDK

Label policies

  • Labels need to be published for consumption by people and services
  • This is done by label policies

Data loss prevention (DLP)

https://docs.microsoft.com/en-us/learn/modules/describe-information-protection-governance-capabilities-microsoft-365/5-describe-data-loss-prevention

  • Identify, monitor and protect data in
    • OneDrive
    • SharePoint
    • Teams
    • Exchange Online

Share tips to users when they share data

DLP enforced policies

  • Conditions that the content must match before the rule is enforced
  • Actions that the admin wants the rule to take automatically when content that matches the conditions has been found
  • Locations where the policy will be applied, such as Exchange, SharePoint, etc.

Endpoint DLP

  • DLP policy extended to Windows 10

Team DLP

  • DLP policy extended to Teams

Retention policies and retention labels

https://docs.microsoft.com/en-us/learn/modules/describe-information-protection-governance-capabilities-microsoft-365/6-describe-retention-polices-retention-labels

  • Ensure data is only kept for a certain amount of time until it is permanently deleted
  • Supported by
    • SharePoint
    • OneDrive
    • Yammer
    • Exchange

Retention policies

  • Assign the same retention settings to content at a site or mailbox
  • Single policy applied at multiple locations, or specific locations and users
  • Items inherit from their container

Retention labels

  • Assign retention settings at an item level such as folder, document, or email
  • An item can only have a single retention label assigned at one time
  • Retention labels travel with the item
  • Labels can be applied manually or automatically
  • A default label can be applied to SharePoint

Records management

https://docs.microsoft.com/en-us/learn/modules/describe-information-protection-governance-capabilities-microsoft-365/7-describe-records-management

  • Manage regulatory, legal, and business-critical records across corporate data
  • Helps an organization look after their legal obligations
  • Helps to demonstrate compliance
  • When content is marked as a record
    • Restrictions are put in place to block certain activities
    • Activities are logged
    • Proof of disposition is kept at the end of the retention period
Last modified July 21, 2024: update (e2ae86c)