Using a Compliance Compass to Navigate Sensitive Content within Your IT Environment IAPP Europe: Data Protection Intensive 2013 Ralph O’Brien EMEA Compliance Specialist AvePoint UK
©AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc. No part of this may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.
Understanding the Challenge
The Context
The Players
The Prism of SharePoint
A Best Practices Methodology
Achieving Compliance
Understanding the Challenge
IT
Business
Compliance
Boundaries
Governance
Risk
Compliance
“Governance is the set of policies, roles, responsibilities, and processes that guides, directs, and controls how an organization’s business divisions and I.T. teams cooperate to achieve business goals.”
Microsoft – Governance Model of SharePoint Definition
“Effect of uncertainty on objectives.”
ISO 31000 - Risk Definition
“Conformity in fulfilling official requirements.”
Merriam-Webster - Compliance Definition
At the very highest level we are talking about:
• Making information available to the people who should have it
• Protecting it from the people who should not
This may come from requirements:
• Regulatory
• Statutory
• Internal Policy
• All the above
Issues include:
• Intellectual property and trade secrets
• Sensitive customer information and data
• Employee data
• Collaborations on strategy
• Personal information and health information
Want the same data protection rights across the EU
Source: Special Eurobarometer 359, Attitudes on Data Protection and Electronic Identity in the European Union, June 2011.
Accidental Breaches: Employee, Third Party
Intentional Breaches: Employee, Third Party, Hackers
Designing a Compliance Policy
• How do we protect the most important data in the enterprise?
• How do we reduce the risk of exposure?
• How do we quickly find information?
• How do we prepare for litigation and eDiscovery?
• How do we ensure policy consistency?
• How do we scale the compliance solution to the enterprise?
• How do we control costs?
• What is our Cloud Strategy?
• What is our current compliance status or our “as is”?
Don’t just focus on what you can see
Risk Awareness
Risk Ignorance
“Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!”
E.J. Smith, Captain of the Titanic
The Prism of SharePoint
Business Intelligence
eDiscovery
Compliance
Enterprise Content Management
Records Management
Social
Search
Web Content Management
Content that changes all day, every day
Massive Data Stores
Document Management, Collaboration, Social, Cloud, Communications
Now Can be Searched and Accessed by EVERYONE
Internet, Extranet and Intranet website content
Enterprise Content Growth by 2014 (Gartner Research)
Accountability
• Who owns the sites?
• Is the site still accessed & used?
Discoverability
• Are search results relevant?
• Is it easy to find relevant content?
Adoption
• Was there training prior to granting elevated permissions?
• Are provisioning services causing bottlenecks?
Infrastructure
• Storage footprint?
• Duplicate content?
• Backup files growing with no pruning?
• Application development?
Appropriateness
• Is there PII content uploaded?
• Is there content stored in a site that should be in a different site?
Quality
• Is the site still active?
• Is the content still relevant?
Compliance
• PII data?
• HIPAA requirements?
• Section 508?
Restrictions
• How can we prevent sharing of confidential documents?
• Who has access to what content?
Governance / Visibility by site type:
Personal/My Sites
Project/Team Sites
Community Sites
Portal
Balancing Accessibility & Security
Classification of Documents
Confidentiality of Documents
Integrity of Information within Documents
Understanding Different Roles
Transparency/ Collaboration
Data Protection/ Management
Converging Interests
Creating & maintaining is a continuous process
Balancing transparency & collaboration with data protection and management
• Training
• Governance and Oversight
• Technical Enforcement
• People
• Policy and Process
• Technology
A Best Practices Methodology
1. Assessment
2. Design
3. Optimization
4. Control
1. Analyze
2. Identify
3. Prioritize
4. Diagram
5. Structure
6. Migrate
7. Maintain Control
Analyze the Current Environment
Identify non-compliant data across a broad framework of organizational or regulatory requirements such as Accessibility, Brand Management, Privacy, Security, Sensitive Security Information, and Site Quality.
Identify Non-Compliance
Prioritize the Business Need
Diagram New Security Boundaries
Determine appropriate permissions and security settings based on the governance and compliance requirements of SharePoint or file-based information.
Architect in Governance & Compliance
Implement Compliant Methodology
Maintain Control
Easily audit security settings, investigate usage patterns, and monitor sensitive information to assess the effectiveness of the risk management strategy.
Assessment: 1 Analyze, 2 Identify, 3 Prioritize
Design: 4 Diagram, 5 Structure
Optimization: 6 Undertake Migration
Control: 7 Maintain Control
Repeat for Comprehensive Access & Security Permissions
Prevent
Detect
Track
Respond & Resolve
Know Who Has Accessed What & When Record and track all user interactions, security changes, and search queries in any or all of your Microsoft SharePoint environments.
Track Employees’ SharePoint Usage See everything an individual employee or group of employees has done and is doing in your SharePoint environment
Track an Item Through its Entire Life See what happened to a document, including when it was created and by whom; who has viewed it when; and when it was deleted and by whom.
Audit SharePoint Search See who has performed a search, for what, and when. See how often an item is returned in search results.
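The four audit questions above (who touched an item over its life, what one user did, who read a document once it was opened up, and who searched for what) can be answered from an ordinary event trail. The block below is an added example written for this page; it is not AvePoint product code and not part of the original talk. The events, users and paths are constructed to resemble a SharePoint-style audit log, and the field names (ts, user, action, item, detail) are an assumption of this example rather than any product's schema.

```python
"""Reconstruct who did what, to which item, and when, from audit events.

Added example (not the talk's own material or any AvePoint product code).
The event records are constructed to look like a SharePoint-style audit
trail: a timestamp, the acting user, an action name, the item's path and
a free-text detail. Every name and path is made up for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit events, deliberately out of order so the queries
# sort by timestamp instead of trusting ingestion order.
EVENTS = [
    {"ts": "2013-03-04T09:12:00", "user": "alice", "action": "Create",
     "item": "/sites/hr/Shared Documents/payroll.xlsx", "detail": ""},
    {"ts": "2013-03-05T14:40:00", "user": "bob", "action": "View",
     "item": "/sites/hr/Shared Documents/payroll.xlsx", "detail": ""},
    {"ts": "2013-03-05T11:02:00", "user": "alice", "action": "PermissionChange",
     "item": "/sites/hr/Shared Documents/payroll.xlsx",
     "detail": "grant Read to Everyone"},
    {"ts": "2013-03-05T10:30:00", "user": "carol", "action": "View",
     "item": "/sites/hr/Shared Documents/payroll.xlsx", "detail": ""},
    {"ts": "2013-03-06T08:00:00", "user": "dave", "action": "Search",
     "item": "", "detail": "payroll"},
    {"ts": "2013-03-06T08:01:00", "user": "dave", "action": "View",
     "item": "/sites/hr/Shared Documents/payroll.xlsx", "detail": ""},
    {"ts": "2013-03-07T17:45:00", "user": "alice", "action": "Delete",
     "item": "/sites/hr/Shared Documents/payroll.xlsx", "detail": ""},
]


def _sorted(events):
    """Events in true chronological order."""
    return sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))


def item_lifecycle(events, item):
    """Chronological (ts, user, action, detail) rows for one item:
    creation, every view, permission changes and deletion."""
    return [(e["ts"], e["user"], e["action"], e["detail"])
            for e in _sorted(events) if e["item"] == item]


def user_activity(events, user):
    """Chronological (ts, action, item-or-search-term) rows for one user."""
    return [(e["ts"], e["action"], e["item"] or e["detail"])
            for e in _sorted(events) if e["user"] == user]


def viewers_after_widening(events, item, broad="Everyone"):
    """Users who viewed the item after a permission grant to `broad`.

    This is the first question an incident responder asks once a
    document became readable by everyone: who actually read it?
    Views before the widening are not counted.
    """
    widened_at = None
    viewers = []
    for e in _sorted(events):
        if e["item"] != item:
            continue
        if e["action"] == "PermissionChange" and broad in e["detail"]:
            widened_at = e["ts"]
        elif e["action"] == "View" and widened_at is not None:
            viewers.append((e["ts"], e["user"]))
    return viewers


def search_audit(events, term):
    """Who searched for a term (case-insensitive), and when."""
    return [(e["ts"], e["user"]) for e in _sorted(events)
            if e["action"] == "Search" and term.lower() in e["detail"].lower()]


def views_per_item(events):
    """How often each item was viewed."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "View":
            counts[e["item"]] += 1
    return dict(counts)


if __name__ == "__main__":
    doc = "/sites/hr/Shared Documents/payroll.xlsx"
    for row in item_lifecycle(EVENTS, doc):
        print(row)
    print("viewed after widening:", viewers_after_widening(EVENTS, doc))
    print("searched 'payroll':", search_audit(EVENTS, "payroll"))
```

The sort step matters: audit collectors often deliver events out of order, and the widening query gives a wrong answer if a view logged late is processed before the permission change it followed.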
Prevention
• Assign permissions & access to SharePoint site
• Assign metadata or policy to content with real time filtering and scheduling
• Assign policy access rights and permissions to content stored in File Shares
• Proactive policy enforcement of secure vs. non-secure sites through automated site provisioning & permissions management
Detection
• Discover offensive content with real time scans and scheduled risk reports
• Search for user permission with security search
• Individual user or group profile of security permissions
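A content scan is only half of detection; the finding that matters is sensitive content that is also readable by a broad principal, which is the "who has access to what content" question from the Restrictions slide. The block below is an added example written for this page, not AvePoint product code and not from the original talk. It scans a constructed inventory of SharePoint-style items (site, path, principals granted read, extracted text) for e-mail addresses, UK National Insurance numbers and payment card numbers, applies a Luhn check so that stray digit runs do not fire as card numbers, and sorts exposed findings first. The detector patterns, the list of "broad" principals and all sites, paths and data are assumptions of this example.

```python
"""Detect sensitive content that is exposed too broadly.

Added example (not AvePoint product code or the talk's own material).
It runs over a small, constructed inventory of SharePoint-style items.
Detectors are regular expressions plus a Luhn check so card-number
false positives are reduced. Sites, paths and data are made up.
"""
import re
from dataclasses import dataclass

# Principals that count as "broad" access (assumption of this example):
# a grant to any of these makes the item readable organisation-wide.
BROAD_PRINCIPALS = {"Everyone", "All Authenticated Users", "Anonymous"}

# Constructed detectors. Each requires structure, not just digits.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # UK National Insurance number, e.g. AB 12 34 56 C
    "uk_nino": re.compile(
        r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
    # 13 to 19 digits with optional spaces or dashes; confirmed by Luhn
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Item:
    site: str
    path: str
    readers: set      # principals granted read access
    text: str         # text extracted from the document


@dataclass
class Finding:
    site: str
    path: str
    kinds: list       # which detectors fired
    exposed: bool     # readable by a broad principal


def classify(text: str) -> list:
    """Return the kinds of sensitive data found in the text."""
    kinds = []
    for kind, pattern in DETECTORS.items():
        for m in pattern.finditer(text):
            if kind == "card_number":
                digits = re.sub(r"\D", "", m.group(0))
                if not luhn_ok(digits):
                    continue          # digit run that is not a card
            kinds.append(kind)
            break                     # one hit per kind is enough
    return kinds


def scan(items) -> list:
    """Flag items that contain sensitive data and mark their exposure."""
    findings = []
    for it in items:
        kinds = classify(it.text)
        if kinds:
            exposed = bool(it.readers & BROAD_PRINCIPALS)
            findings.append(Finding(it.site, it.path, kinds, exposed))
    # Exposed findings first: those are the ones to remediate today.
    findings.sort(key=lambda f: (not f.exposed, f.site, f.path))
    return findings


# Constructed sample inventory.
SAMPLE_ITEMS = [
    Item("https://intranet.example/sites/hr", "/Shared Documents/payroll.xlsx",
         {"HR Team"}, "Employee NI number AB 12 34 56 C, pay grade 7"),
    Item("https://intranet.example/sites/marketing", "/Shared Documents/leads.csv",
         {"Everyone"}, "Contact: jane.doe@example.com, card 4111 1111 1111 1111"),
    Item("https://intranet.example/sites/marketing", "/Shared Documents/brand.docx",
         {"Everyone"}, "Logo guidelines, version 2013-03"),
    Item("https://intranet.example/sites/finance", "/Shared Documents/invoice.txt",
         {"Finance Team", "All Authenticated Users"},
         "Order ref 1234567890123 (not a card)"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_ITEMS):
        flag = "EXPOSED" if f.exposed else "restricted"
        print(f"{flag:10} {f.site}{f.path}: {', '.join(f.kinds)}")
```

The invoice item shows why the checksum is there: a 13-digit order reference matches the card pattern but fails Luhn, so it is not reported, while the brand guidelines document is broadly readable yet contains nothing sensitive and is likewise left out of the report.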
Tracking
• Track user activity with the user life cycle reports
• Track content life cycle with item life cycle reports
Responding & Resolving
• Legal hold and tracking
• Archive and encryption
• Restructure permissions & access metadata and security of content itself
Conclusion & Takeaways
Mixed Content In
Prioritize Business Need
Filter for Compliance
Structure for Governance
Organized Content Out
Gather your stakeholders!
• Content contributors: Internal and External
• Process owners, Legal, PR, CPO, IT, Data Security
Engage Executive Leadership & keep them briefed!
Create a policy with enforceable & measurable rules
Integrate policy with “enforcement”
Integrate with your technology solutions
Questions & Answers
AvePoint.com EMEA: +44 (0) 207 421 5199