In almost every case, Office 365 and Exchange Online have built-in solutions that meet an organisation’s business needs for compliance. Working with clients across almost all industries and the public sector, there are a lot of overlapping and common requirements and in this post, we’ll take you through a representative scenario and show how it can be achieved.
Key questions you should ask
You can’t just implement compliance functionality in Office 365 and Exchange Online without knowing what you are looking to achieve. Requirements vary between organisations, and potentially between departments within the same organisation, so you need to ask a few questions first. Key questions include:
- Do you have regulations to adhere to for legal and compliance?
- Do you need to keep data for a certain period of time?
- Do you have any requirements for data classification?
- Do you need to prevent data from being shared with the wrong people?
After asking these questions, typically there’ll be a few more to get down into the detail – but for now let’s think about an example scenario we need to configure Office 365 to meet.
Our example scenario
Lisa Jane Designs is a retailer selling online direct to customers, selling both pre-made clothing and custom-tailored clothing for a variety of customers. They not only process credit card information through their commerce platform, but will use Office 365 as a platform to interact with their customers, primarily over email.
As a business, they believe they must keep certain records for 7 years; they will not keep any personally identifiable information (PII) for longer than they need to, and they do not want personal data shared via their email system or Office 365.
The Office 365 Security and Compliance Center
Your “one stop shop” for configuration of the settings you need in Office 365 and Exchange Online is within the Security and Compliance Center. This allows you to manage permissions, data classifications, Data Loss Prevention settings, data governance settings, manage threats, perform search and discovery and generate reports:
We can use this to configure Exchange Online related settings, but also configure Office 365 as a whole to share this configuration. This is important, because there is a great deal of crossover between different services that isn’t obvious to users. For example, when you share an attachment with Outlook, you can use Modern Attachments. This stores the attachment in OneDrive for Business, therefore if you allow Modern Attachments you need to ensure your policies for compliance cover this scenario.
In years gone by, you’d configure the Exchange Online specific settings for these policies within the Exchange Admin Center. However, some of this functionality, like creating searches, will not be available from the Exchange Admin Center after July 1st, and when you attempt to manage or create policies you’ll be guided to use the Security and Compliance Center instead:
Therefore, consider using the Security and Compliance Center going forward as the place to manage your Exchange compliance needs, or the respective PowerShell cmdlets.
In-Place Hold and Data Loss Prevention Policies
There are a few options available for meeting our example scenario over at Lisa Jane Designs. We’ll look at the most common – to use In-Place Hold and Data Loss Prevention policies.
The In-Place Hold policy we create will hold all data in Exchange, OneDrive, SharePoint and Office 365 Groups for seven years. We’ll create this within the Security and Compliance Center, within Data governance > Retention, by choosing Create a new policy:
After completing the wizard, we’ll review our settings, then choose Create this policy.
Next, we’ll create our Data Loss Prevention Policy with the intention to prevent PII from being shared. We’ll stay within the Security and Compliance Center and head to Data loss prevention > Policies and choose to Create a policy:
Within the policy wizard we have the opportunity to use built-in templates to detect the information we wish to restrict using the data loss prevention policies. Within Privacy, and then under the options for United Kingdom, we’ll select UK Data Protection Act, which includes both the UK PII data and the UK Privacy and Electronic Communications regulations data types:
Next, we’ll choose the locations to protect. As we’re covering Modern Attachments as well as traditional email content and attachments, we’ll ensure SharePoint and OneDrive are included as well as Exchange email:
The defaults for the policy settings may not do what we need, however. By default the policy allows content with a small number of matches to be shared, and only blocks access when content with a large number of matches is shared with external recipients. Therefore, we’ll choose Use advanced settings to customise the actions taken when content is detected:
Within the advanced settings, we can create our own rules to determine what action to take. In this case we’ll create rules that trigger even on a low level of detected content, then restrict access to that content and alert administrators. We’ll create two rules within the policy to cover both sharing inside the organisation and external sharing.
Finally, we will be offered the opportunity to allow the rule to run in test mode first, so we can ensure this has the desired effect once the policy has been created, then we can review and save the new policy:
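The retention policy and the two-rule DLP policy built through the wizards above can also be created with the Security and Compliance Center PowerShell cmdlets mentioned earlier. The following is an added example, not code from the original post or from Microsoft: it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a compliance administrator role, and that the tenant addresses, policy names and the two UK sensitive information type names are placeholders to be checked against your own tenant (the comment shows how to list the available types).

```powershell
# Added example, not part of the original post: scripted equivalent of the
# Security & Compliance Center wizards (7-year retention + UK PII DLP policy).
# Assumptions: ExchangeOnlineManagement module installed; the account has a
# compliance admin role; addresses, policy names and sensitive information
# type names below are placeholders to be verified in your own tenant.

Connect-IPPSSession -UserPrincipalName 'admin@lisajanedesigns.example'

# --- 1. Seven-year hold across Exchange, SharePoint, OneDrive and Groups ----
$retentionPolicyName = 'LJD - Keep 7 years'
$sevenYearsInDays    = 7 * 365   # RetentionDuration is expressed in days

New-RetentionCompliancePolicy -Name $retentionPolicyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -ModernGroupLocation All `
    -Enabled $true

# Keep content for seven years from creation; do not delete when that ends
New-RetentionComplianceRule -Name "$retentionPolicyName - rule" `
    -Policy $retentionPolicyName `
    -RetentionDuration $sevenYearsInDays `
    -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction Keep

# --- 2. DLP policy for UK personal data, created in test mode first --------
$dlpPolicyName   = 'LJD - UK PII'
$complianceAdmin = 'compliance@lisajanedesigns.example'   # placeholder

# Sensitive information types are referenced by their exact display name.
# Verify the names in your tenant before use, for example with:
#   Get-DlpSensitiveInformationType | Where-Object Name -like 'U.K.*'
$ukPiiTypes = @(
    @{ Name = 'U.K. National Insurance Number (NINO)'; minCount = '1' },
    @{ Name = 'U.K. National Health Service Number';   minCount = '1' }
)

# Exchange, SharePoint and OneDrive are all in scope so Modern Attachments
# stored in OneDrive are covered as well as classic mail and attachments.
New-DlpCompliancePolicy -Name $dlpPolicyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications   # test mode; switch to Enable after review

# Rule A: sharing outside the organisation. A single match (minCount = 1)
# blocks access, notifies the content owner and reports to the admin.
New-DlpComplianceRule -Name "$dlpPolicyName - external" `
    -Policy $dlpPolicyName `
    -ContentContainsSensitiveInformation $ukPiiTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport $complianceAdmin `
    -ReportSeverityLevel High

# Rule B: sharing inside the organisation, same detection threshold,
# reported at a lower severity.
New-DlpComplianceRule -Name "$dlpPolicyName - internal" `
    -Policy $dlpPolicyName `
    -ContentContainsSensitiveInformation $ukPiiTypes `
    -AccessScope InOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport $complianceAdmin `
    -ReportSeverityLevel Medium

# After reviewing the test-mode incident reports, enforce the policy:
#   Set-DlpCompliancePolicy -Identity $dlpPolicyName -Mode Enable
```

Leaving the policy in TestWithNotifications mode mirrors the wizard's test-mode option: matches generate incident reports and user notifications without blocking, so the rules can be tuned against real traffic before the final Set-DlpCompliancePolicy call turns enforcement on.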
We’ve got many options available within Exchange Online and Office 365 that allow us to simply detect information that needs to be restricted for compliance reasons, and to ensure that data is kept as long as required. In this basic introduction, you’ve seen what can be accomplished very quickly to meet common requirements.