Microsoft 365 Information Governance Interactive Assessment

The purpose of this assessment is to provide a high-level summary of possible information governance risk areas that your company may be facing. The assessment will generate a report based on answers provided in the messaging, collaboration, storage, securing and managing data questionnaire. This assessment is targeted at organisations with a Microsoft environment and those that have migrated to Microsoft 365 or are planning to.

Question 1/12

Does your organisation have an approach to managing emails compliantly?

  • Yes
  • Partially
  • No

Organisations with limited email governance end up with a legacy of orphaned mailboxes and PSTs, where data grows but the emails' value is lost. This creates risk in terms of privacy compliance (DSARs, over-retention of personal data, breach, etc.) and cost of storage and responding to requests or litigation.

Managing emails effectively results in the defensible disposal of emails no longer required for legal or regulatory reasons. This, in turn, reduces the related cost and risks.

Implement data classification (such as Microsoft 365 retention labels) to help classify and govern important records.

Question 2/12

Does your organisation encrypt sensitive information when sent externally?

  • Yes
  • Sometimes
  • No

Enabling encryption on emails and files secures data when sent externally. Unencrypted emails are not only at risk in transit but also at rest in the recipient's mailbox or archive. Encrypting data in end-point devices secures the information if the device is lost or stolen.

Ensure your organisation has processes to continually review its policies and how they are automated, since information handling requirements and threats change over time and need to be reassessed.

Allow users to encrypt emails and configure rules to automatically encrypt sensitive emails using Microsoft 365 sensitivity labels and encryption tools.

Question 3/12

Is your organisation effectively utilising the range of messaging tools at its disposal?

  • Yes
  • Sometimes
  • No

Use emails for formal communications; they are particularly useful when seeking a decision from another party that will become part of the business record and when communicating externally.

Chat/IM apps simplify business communications and are better suited to brief back-and-forth conversations. When used alongside other tools (such as co-authoring), they help speed up collaboration in real time.

Make sure your organisation clearly communicates how and when each of these messaging tools should be used.

Question 4/12

Do employees use personal storage (e.g. OneDrive) for corporate or client data?

  • Yes
  • Sometimes
  • No

Employees often use personal storage areas to hold content of corporate value. This causes issues in terms of privacy and compliance and can also lead to the loss of corporate information that should be managed in corporate/shared systems.

Define an approach and educate your employees on how the different collaboration and storage platforms should be used in your organisation.

Question 5/12

Which platform do you predominantly use for collaborating/sharing documents?

  • Email
  • File share (or equivalent)
  • Microsoft Teams/SharePoint (or equivalent)

Microsoft Teams provides a rich collaboration platform that combines content with communication around a team in one place, enabling people to collaborate more effectively and securely anywhere and at any time. If configured, Microsoft 365 also allows the content and messages to be governed in line with your record retention rules, reducing data risk according to data value.

If your employees are predominantly working in file shares and email, then moving to Teams offers these benefits and more.

Encourage and promote the use of Teams while setting the right policies and configuration on the platform to support compliant information governance.

Question 6/12

Does your organisation have a centralised system in place for capturing all record types (e.g. clients, HR, health and safety, etc.) compliantly in line with local laws and regulations?

  • Yes
  • Partially
  • No

Many organisations are emerging from legacy environments such as file shares where documents and records have not been classified and governed. This leads to risk in compliance, higher costs in e-discovery projects and potential fines or lawsuits.

Use Microsoft 365 Record Management capabilities to correctly classify and manage important document retention and disposal.

Classify your data per functional/business area using an updated file plan and manage your retention and disposal rules with Microsoft 365 retention and sensitivity labels and policies.

Question 7/12

Does your organisation have systems or archives with data older than seven years?

  • Yes
  • No

A seven-year retention period can be considered an average retention period for data. If the vast majority of your data is older than seven years, it is likely that you are not enforcing compliant retention rules. Implementing retention rules based on the type of data can help you govern this data and reduce the risks and costs inherent in the over-retention of data.

Implement your organisation's retention rules in Microsoft 365 and develop a strategy to remediate legacy data and operationalise retention within Microsoft 365.

Question 8/12

Does your organisation have a records management policy and retention schedule in place that is maintained, defensible and can be implemented (i.e., has clear retention and trigger rules)?

  • Yes
  • Partially
  • No

Records management policies and record retention schedules are fundamental information governance documents that all organisations should have in place and review at least annually. They allow companies to defend their data deletion and narrow the scope of e-discovery requests, saving money on litigation and storage and reducing data risk.

Consider implementing a tool to support the creation and ongoing maintenance of a defensible retention schedule and import the retention rules into Microsoft 365 File plan for managing and publishing retention labels.

Question 9/12

Does your organisation classify data as it is stored (contracts, sensitive information…) to support handling and disposal of data in accordance with security and retention rules?

  • Yes
  • Sometimes
  • No

Many organisations have a retention schedule that defines retention rules to be applied to data, but very few have got as far as "operationalising" these rules within their systems.

When procuring new systems, include requirements around data retention and secure information handling to ensure data is classified as it is stored to support automated governance.

Implement your retention rules as retention labels and security classification as sensitivity labels in Microsoft 365 compliance centre. Develop Data Loss Prevention (DLP) rules aligned to your sensitivity rules and handling requirements to reduce the threat of data breach.

Question 10/12

Does your organisation actively prevent, monitor and contain Intellectual Property (IP) theft or internal malicious attacks?

  • Yes
  • No

Having processes, controls and monitoring to protect your organisation's confidential data and intellectual property is essential to avoid a data breach and protect your competitive advantage.

Microsoft 365 allows organisations to identify, investigate and take action against potential insider risks. Create custom policies linked to your DLP and sensitive data labels in Microsoft 365 Insider Risk Management. Set up triggers (such as employees leaving) or add further safeguards around your organisation's most sensitive data.

Question 11/12

Has your organisation accidentally sent emails or documents to the wrong recipients?

  • Frequently
  • Sometimes
  • No

Emails sent to the wrong address are unintentional and could often have been avoided with the help of technical controls such as Data Loss Prevention (DLP). DLP allows you to build rules around how your employees handle information securely, based on the sensitivity of that information. You can also build in policy tips to help educate users as part of the process.

Microsoft 365 includes DLP features to help organisations minimise the risk of unintentional data breaches. You can benefit from this feature by implementing DLP rules aligned to your company's security classification standards in the Microsoft 365 compliance centre.

Question 12/12

Does your organisation actively manage (i.e., provision, review, decommission or archive) shared working areas (e.g., File shares, Teams)?

  • Yes
  • Partially
  • No

Most organisations deploy Microsoft 365 applications without any controls, governance or training plan that explains how the applications should be used effectively and compliantly.

Without these considerations, Microsoft 365 can rapidly become your next data graveyard, where data is created and left unmanaged, creating cost and risk for the organisation. Moving to Microsoft 365 provides the opportunity to put processes, roles and training in place so that governance is embedded and compliance with data privacy and record-keeping requirements is enforced.

Develop processes or implement additional governance tools to support the provisioning and decommissioning of Teams, SharePoint, OneDrive and Outlook. Also, implement processes to attest access and continued use of Teams and SharePoint to ensure data access is appropriate and data does not become "orphaned." Utilise Microsoft 365 dashboards and reporting to monitor compliance and help determine interventions required to address non-compliance.
