Not all of your data is equally critical or confidential. You need to know your data well to control its circulation and apply the right levels of protection to properly secure it, wherever it may be.
The more critical your data, the greater the effort and the expense will be to protect it. Protecting your data is a serious and demanding exercise.
Fortunately, Microsoft offers a full range of integrated solutions to set up your governance and manage your information protection policies. These solutions can help you remain aligned with your business objectives and in compliance with the rules that govern your activities.
Information governance
Data lifecycle management
Data governance is a set of rules, roles, and responsibilities that guide members of your company as they collaborate with each other, but also with your external partners. To support you in this iterative and perpetual process, Microsoft provides a smart platform that manages the lifecycle of data, whether it resides in Microsoft 365 or is imported through data connectors.
This method of managing records and content allows you to fulfill your legal and compliance obligations while letting you more efficiently dispose of items you no longer need.
You can even include document management schedules that automatically handle the full lifecycle of your data.
Data protection
Data classification
Once you have defined your strategies and criteria, Microsoft Information Protection allows you to classify your data by attaching privacy labels. When attached to content, these labels trigger the appropriate safeguards at the appropriate time. For example, emailing an Excel file labeled “Highly Confidential” could be automatically blocked.
See how Microsoft Purview helps you protect content shared across all your M365 files and applications.
Retention labels
As part of this classification process, you must also ensure that your content is saved or deleted according to your business needs and the compliance rules that apply to your company.
This is where retention labels come into play: you use them to control how long a document is kept and how it will be disposed of.
These labels can be applied automatically to content and documents that meet the conditions you have specified. The data will then be systematically classified and controlled according to its properties and sensitivity levels.
Management using retention labels is a key way Microsoft Information Protection helps ensure compliance with the various laws, especially An Act to modernize legislative provisions as regards the protection of personal information (c. 25, formerly Bill 64), now in effect.
Activity explorer and content explorer
Microsoft Information Protection’s activity explorer gives you an overview of content that has been discovered and labelled, as well as its locations. You can access the activity history for your data, and you can also control the operations that can be performed on your labelled content.
Content explorer shows the current status of items that have a confidentiality label, a retention label, a sensitive classification, or any combination of these. By periodically reviewing the status of your content, you can ensure compliance with your data loss prevention strategy. For example, doing so might help you locate and retrieve a deleted file that should have been archived instead.
Protection against data loss
Businesses have sensitive information under their control, such as financial data, employee records, credit card numbers, etc. To help protect this sensitive data and reduce risk, they need a way to prevent their users from inappropriately sharing it with unauthorized persons.
Microsoft 365’s data loss prevention (DLP) detects sensitive items through deep content analysis.
It also uses machine learning algorithms to detect data that matches your strategies. These matches allow you to track user activity on your sensitive items and take appropriate protective measures, if necessary.
When the criteria match the actions a user takes on a sensitive item, the strategy can generate a fully automated alert and/or action, such as blocking an email.
A four-step approach
Thinking must always precede action to maximize benefits and minimize constraints. A data loss prevention strategy is implemented as follows:
1. Start by defining your objectives and how the controls will be applied. It is critical at this time that your strategies reflect your objectives or you will generate more irritants than benefits.
2. Next, assess the impact of these controls by making them part of a test strategy to protect against data loss.
3. Still in test mode, evaluate the results of the strategy. Make the necessary corrections to ensure the strategy fully meets your objectives and has no undue negative impacts on user productivity.
4. Once the strategy meets all of your objectives, put it into practice. However, continue to monitor the results and adjust it as needed.
While it may seem tedious at first, always take the time to test your strategy before making it official. There is nothing more frustrating than seeing an action blocked that should have been identified as legitimate, or seeing your client list sent out via email.