Auditing with data: for Performance Auditors and Internal Auditors that use (or want to use) data
The podcast for performance auditors and internal auditors that use (or want to use) data. Produced by Risk Insights.
Auditing with data: for Performance Auditors and Internal Auditors that use (or want to use) data
43. Microsoft 365 Compliance with Erica Toelle
Erica Toelle is a senior product marketing manager on the Microsoft compliance product team, with focus on information governance and records management.
Erica is a long-time member of the SharePoint and Microsoft 365 community, a former Microsoft MVP, a published author, and a recognized expert in the information governance area.
In this episode, we discuss Erica's book - Microsoft 365 Compliance: A Practical Guide to Managing Risk.
Links:
- Erica's book - Microsoft 365 Compliance: A Practical Guide to Managing Risk (https://www.apress.com/us/book/9781484257777)
- Erica on LinkedIn (https://www.linkedin.com/in/ericatoelle/)
About this podcast
The podcast for performance auditors and internal auditors that use (or want to use) data.
Hosted by Conor McGarrity and Yusuf Moolla.
Produced by Risk Insights (riskinsights.com.au).
You're listening to the Assurance Show. The podcast for performance auditors and internal auditors that focuses on data and risk. Your hosts are Conor McGarrity and Yusuf Moolla.
Yusuf:Today we have Erica Toelle, the Senior Product Marketing Manager for records management and info gov at Microsoft. We'll talk through a few things but with focus on a book that she's published, the compliance guide for Microsoft365. Erica, do you want to kick off with your background before heading into Microsoft?
Erica:Sure. I've been focused on this space for the past 15 years. Mostly as a consultant, but also with a small stint at a records management product company called Record Point. Most of my career was in management consulting where I was helping large enterprise organizations with figuring out their compliance, information architecture, strategy, and how to manage knowledge as an asset. I've also spent a lot of time working internally at Microsoft. For example, back in 2008, I was the consultant to the product team, helping them understand the enterprise content management and records management market, as we designed the features in SharePoint that became the records management and enterprise content management features. I've also spent a lot of time helping customers move from on-premise to Microsoft365 from various places. And then for the last five years have pretty much been a hundred percent focused on records management of Microsoft365 content. It's quite an interesting space because that's where everyone's doing their work. That's where, things are happening in the organization and where a lot of these records are being made. So how do we identify that properly and help the records managers put that wherever it needs to end up.
Yusuf:This book that has now been launched. Who is it for? And what can people expect from it?
Erica:So the book is called "Microsoft365
Compliance:A practical guide for managing risk". It came because I was working at Microsoft as a hired expert on compliance, helping customers deploy the compliance technology, on behalf of Microsoft. And I found that, the documentation is helpful, but it doesn't tell the story to the business users of how and why to use these features. And that information was scattered in different blogs and in different places. But there wasn't one place that people could go, if they're using Microsoft365 in their organization and they need to be compliant. They need it to be auditable and they want to secure and protect their information. So the goal of this book was to cover everything that's included in what's called the Microsoft365 compliance center, which is the area where auditors, records managers, information protection professionals, can go to configure and use these features.
Yusuf:Who would be using this the most?
Erica:There's two main audiences. So first are the people in organizations that are managing compliance. Depending on your organization, that can be called many different things. Internal auditors, records managers, knowledge managers, there's many more names. But it's also for I.T. Professionals. So the people who are in charge of maintaining and administering their Microsoft365 environment. My goal is to provide information so that both sides can talk to each other and be on the same page.
Yusuf:How would internal auditors and performance auditors use the compliance guide?
Erica:Well, there's a few ways. First would be to help prepare for an audit. There's a little known feature called compliance manager included with your subscription that has pre-built templates for how to comply with very popular regulations. And inside the template, in addition to having kind of a checklist of things you need to do, it also provides a place where you can put your testing documents, your results, and essentially create a package that you could hand off to an auditor, internal or external. That helps people prepare in a nice, organized way. You can use the features throughout to generally just clean house and be prepared to meet your needs of audit, whether that's making sure you're applying the right retention policies, making sure information is discoverable and you can find it or making sure it's protected so that the wrong people don't access the information. Internal auditors can help drive those discussions, even when it's not necessarily their responsibility to do it.
Conor:When you were doing your research for the book, was there anything in particular from any of the internal auditors or risk professionals you spoke to in terms of a recurring pain point or issue or challenge?
Erica:Yeah, there's a couple. The first one was just that nobody knew what they had purchased. So helping with general education. Then from there, we would usually start with information protection because, this is right when COVID started and everyone was working from home, they were very concerned about their sensitive information ending up on personal computers or devices or being emailed to the wrong people. And then once we get past kind of the protection conversation, then it goes in a few ways. Many times they're paying for a separate system and they want to be able to retire that system and use what they already own. In many countries in the financial services organization, you have to supervise the traders' conversations to make sure that they're following all applicable laws. So there is a solution that does that called communication compliance. Or you want to look for patterns of risky behavior in your organization. When everybody is working in Microsoft365, you can get signals about what they're doing. And when they deviate from normal behavior, such as suddenly downloading 300 files that have been marked confidential and then someone can look into that. So we would go then through those kinds of common pain points and figure out what they wanted to tackle next.
Conor:If I was an internal auditor, for example, doing my annual planning of upcoming audits for the year, it would be helpful to understand the capabilities off the product vis-a-vis information, security and so forth, because it might actually inform the way in which I do my audits into those issues.
Erica:Again, that's why I wrote the book. So you could quickly get an overview of what's possible. And then pick from there, what you're most interested in looking into. Every organization is different. What's the problem that year?
Conor:Cyber security is a massive issue globally, for example. So if we were doing an internal audit into cybersecurity, it sounds as if it'd be really helpful to take a look at your book about some of the protections and controls that are in built into the system.
Erica:As you're very aware, cybersecurity is a massive topic. And specifically in compliance, we focus on the protection of the actual files and emails themselves. Rather than things like people penetrating your system or hacking into it or even social hacks. We're more focused on you have different levels of sensitivity to your information in your organization. Somebody's say personal information, right? It's protected by several privacy laws now. You have to ensure that even within your organization, that only the people with proper reasons can access that data. So that's more kind of the security pieces that are covered in this book.
Yusuf:In terms of planning a cyber audit, there's all sorts of frameworks that we need to understand, and there'll be a range of systems and controls to evaluate. But what your book will help do is understand exactly where people can go to find those components that relate to Microsoft365 and that they've been using and understand how protection of information, governance of information, access control, has been configured and what the level of compliance with those controls would be.
Erica:Yeah. And then to add to that a bit more the other power of these solutions is how they work together. Let's use a very specific example. You've scanned your environment to look for patterns that indicate sensitive information like a passport number has a very specific pattern. Your tax ID number, very specific pattern. So you can find those with a reasonable level of accuracy, identify that as higher risk content, put a stamp on it. Well, now I can take that stamp and say, if it's been marked as personally identifiable information, then we need to make sure that we're only retaining it for three years. And then asking their permission again, if we keep it longer than that. In addition, we can tell if somebody, even that should have access suddenly downloads, a dump of those files to their computer. They don't need to do that for their job. That's risky. So we're starting to chain these solutions together where if you just, start one place and invest there, you can leverage that investment holistically.
Yusuf:Quite powerful controls. And your book helps identify those and, tell people where to go to look for the types of controls that compliance center will be able to handle.
Erica:Yeah. This sounds really simple, but when I was first starting to learn this, because these solutions are maybe about three years old at this point, I couldn't find just a list of everything that it could do. So I started this book by literally creating that list, organizing them into logical groups and then being like, okay, I'm going to go through the user interface and I'm going to find every button and figure out exactly what it does and why, and get to that level of detail.
Yusuf:In putting the book together, what did you find to be the most challenging area to understand and write about?
Erica:First of all, lot of those buttons aren't documented anywhere. And so there was trial and error. To figure out what it did and what other impacts it had in these other solutions. So that was the first challenge. And then if I was going to pick the solution, that was the most complex, it would be the advanced e-discovery solution which you can use to, search and review information in bulk across your organization. It's complex because it is so powerful. We're dealing with such large amounts of data these days, , even if you'd write the perfect search, it's going to return more results than a human being could ever review. So it does things like find the duplicates or documents that are 80% similar and group them together. So you can just review 500 documents at one time. It helps group together, things in themes using machine learning models and so much more. That chapter alone is a hundred pages of the 525 pages in the book, but I covered every single button. So you're good.
Conor:Probably the chapter I might jump into first, because these days Internal Auditors are required more and more to do forensic investigations or sensitive inquiries as part of their audit projects and having that advanced e-discovery capability, sounds as if it's really going to help
Erica:Yeah. You're exactly right. I see people using it more for internal investigations, even than for legal reasons or freedom of information requests. Because with those investigations, you start with a clue of where to look right. But then that clues going to lead you to, oh, maybe I should look into this person or this project, or, find emails that contain these three people in this three-month span. And the power of advanced e-discovery is you can do those further queries and filters, on the fly, in a pretty easy to use interface.
Yusuf:Switching a little bit to an area that I find myself often hitting up against, and that is the area around managing devices that are not within the network and obviously over the last year that's become more and more important. So with people working from home, working remotely, they may not be physically connected to the network. They may not necessarily be on devices that their organizations own, in some cases. What guidance do you have around that aspect of connectivity, if you like and security around that connectivity.
Erica:I think it's first deciding are you going to allow corporate data on personal devices? If so, do people have to enroll their devices in a corporate profile, like on Android, it's called a work profile. Where I, am giving the, for me, it's Microsoft permission to scan my phone with anti-virus software. I'm not allowed to jailbreak it. There's other rules as well. So first, yes or no. Do you want people to access on their phone? Then their personal computer as well. And then if the answer is, yes, do you want them to be able to access all data? Like those documents and those sites you've marked as confidential. Do you want to block those from being accessed, but everything else is okay? That's again, the power of once you start to label and use these solutions, it gives you much more granular control over what remote workers or even people just home in the evenings are doing on their devices.
Narrator:The Assurance Show is produced by Risk Insights. We work with performance auditors and internal auditors. Delivering audits, helping audit teams use data, and coaching auditors to improve their data skills. You can find out more about our work at datainaudit.com. Now, back to the conversation.
Yusuf:While writing the book, I understand, or just after you started writing the book, you landed a job at Microsoft looking after records management and infogov. You wanna talk to us about that?
Erica:Well, I've always been an industry expert in the Microsoft records management area, and being located in Seattle, it's always been very easy for me to know the people at corporate. I'm the one that's always trying to get them to have lunch with me so I can ask those annoying questions. Multiply that by 15 years, people either enjoy your questions or hate you. And I was working on this internal, compliance expert team and working with them very closely. This was a new position they created to have someone dedicated to managing the records business. And when it came up, they let me know I applied and it was my dream job. So it was extremely excited to get it. They call it a product marketing manager. But what that really means is you're the one who's actually looking after the whole business. So I have a counterpart Roberto Inglesias who manages the design and development of the product, and he decides what features we're going to build. I help with understanding the market landscape, competitive landscape, what we need to build to help our customers. So I meet with a lot of customers and partners. I help manage our ties into the internal programs at Microsoft. There's many cogs in the machine, right.
Conor:Are you able to tell us about any new features coming down the line?
Erica:Yeah. We actually have two big ones that are listed on the public Microsoft365 roadmap. So Microsoft has a roadmap. You can go look and it has, a paragraph about each feature that's coming. So our biggest one is we're completely overhauling what we call the disposition process for records management. So this is the approval process that most managed documents have to go through before they're deleted. So it'll reach the end of the retention period. It'll kick off an approval. Usually it has to go to say the business owner, then maybe the records manager and everyone has to say, yep, it's okay if we delete this. And then you leave behind, what's called a certificate of destruction, proving that it was in fact deleted. And that's what the auditors would probably care about the most. You can customize that approval process with multiple stages and people. And then we're making just the user experience of the review, much more streamlined and easy. And then the next one is this one's a little bit more techie, but it is, big. So if you're going to manage let's say a person with a policy. There's a couple of ways you can scope that policy. Maybe you just need everybody's email to be kept for three years. But maybe there's like your executive team that needs to have their emails kept forever. Like we don't delete bill Gates as email. I'm pretty sure. So you need to be able to identify who are those people that need this forever policy? In Microsoft365 they have a user profile. It says things like their department, their geography, other things like that. What we'll be able to do is look at those properties in the user profile, and you can scope the policy based on that. Say everyone who has Australia listed as their, country, put them in this policy to manage them. So it sounds simple, but it's going to unlock a lot of scenarios and things our customers want to do that require that.
Yusuf:So let's say I'm an internal auditor in a public sector organization. There's a whole bunch of laws that I need to comply with. And I've got a bunch of records against which retention policies have been established or that have been labeled in a particular way. What happens when those laws are different and may conflict. One says you have to delete within five years and the other one says, you must keep it for seven years. What do your customers usually do about those sorts of scenarios, where there are laws that don't necessarily work together?
Erica:That's a great question. In the vast majority of cases most laws will say to retain it for the longer amount of time. What that entails is you have to be able to assign the multiple policies to that document. So that there's a process that evaluates all the policies on a periodic basis and says, okay, this is the longest one. It's the one that wins.
Yusuf:Okay. And when we have things like we need to make sure that any private information that we keep is kept up to date. And we need to make sure that where we do have PII, that we give people the ability to update that. Is there a way that you can then apply that to all the records as well? Or does that only apply to newer records? How does that all work?
Erica:So there's just too much data to manually evaluate anymore. Even if users are tagging it, like as they create things, they're going to do it wrong. They're going to forget it's just not okay. So instead of trying to manage everything, we're having to shift our way of thinking to managing the highest risk data. So if you think of it as a quadrant. The highest risk is in the upper right corner. That's really what you want to go after. So how do we identify that? a document that's just even sitting in a SharePoint site has a lot of information about it. You can tell who's accessing it, what their job is, what meetings it was shared in, in a teams meeting and these things. And from there, you can start to use artificial intelligence to build the risk profile. We can apply sensitivity policies and retention policies based on this risk profile today, but it still has a long way to go to be perfect and completely mature and no technology can do it yet, to be fair.
Yusuf:That makes a lot of sense. So extending from that, an organization that is starting along the records management, information governance, path. Where would they start?
Erica:With the high-risk data, but how do they decide what is high risk? So there's a couple of ways. So if you're already a highly regulated or government organization, you typically have what's called a retention schedule. With the categories of information and how long you need to keep it. So you can sit down with your security team and figure out, of those categories, what's the riskiest information? Start with maybe the 10% riskiest categories. Then you can say, okay what does this information look like? Is it templatized? Is it all over the place? Is it in emails? Is it in files? And start identifying the characteristics of the data. Then you have a couple options. If it's a well managed asset like contracts or something that we've already been managing for a long time, you probably know where it sits and you can manage it by the location. But if it's more collaborative in nature, it could be anywhere. So in that case, we have what are called trainable classifiers, where you can feed in examples of the documents and train the machine. And then it'll go look for it anywhere in SharePoint or one drive and you can start to identify things that way by the patterns of information. There's other ways to do it as well, but that's the easiest place to start.
Conor:So where would you find the trainable classifiers?
Erica:That's in the compliance center and it's covered in detail in the book on how to either use one of the out of the box, classifiers Microsoft built, or how to start from scratch and make your own model.
Yusuf:If you know some of the high-risk documents and you can identify where those reside, you're then able to use those to build a pattern and then go and look for similar documents so that you're not missing some documents that may be buried deep down in a folder structure, or that may have been copied from one area to another area, or that may be in a user's individual OneDrive folder, as opposed to some of the more shared folders.
Erica:Yeah, exactly. And you can use the trainable classifier either to find content and apply a retention label or protect it with one of those sensitivity labels to make sure the right people have access to it and the wrong people, don't.
Yusuf:That's a range of data governance areas that are being covered off all at the same time. If you were in the internal audit area or the performance audit area and whether you had records management on your mind deliberately or not, what would it be that would make you sit up and say, I need to do something about this, or I need to evaluate this, or this is a risk area that I need to bring to the attention of the board or others.
Erica:A lot of companies have had just a keep everything culture. And they don't realize the risks that are presented with just keeping information around forever. Of course there's legal risks. If you are a part of a legal case, if you can find it in your organization, you have to produce it as part of the case. If it's something that could have been deleted that loses the case for you, that's not a great situation. Also the more data that you have, bigger attack surface you have, the more you have to just manage for these privacy laws or for other regulations. And it's just more expensive and takes a lot more time and effort. A lot of times these aren't visible costs because if you do it right, no one should ever know that you did your job. Cause you're not appearing on any lists of people that, that did something bad. That's, why sometimes it's so easy to overlook by leadership, but why it's so important to pay attention to it?
Conor:It's important to reflect on your own organization and ask the question. Do we have a, keep everything culture in this organization and as an internal auditor what can I do to help my organization,manage that risk better.
Yusuf:Where can people find you, connect with you, and importantly, where can they you find your book?
Erica:The least expensive place to buy the book is going to be @ apress.com. So that's apress.com and they can ship to most countries in the world. It is also available on Amazon. Uh, fortunately have kind of a unique, last name. So on every social media property and email address, it's just my first name, my last name. No dots, dashes or underscores, just those two together, twitter, @microsoft.com, whatever you would like.
Yusuf:Okay. So that's Erica Toelle and that's ERICA last name TOELLE. we'll put link to your profile in the show notes, we'll put a link to your book on apress in the show notes as well.
Erica:If you ever have any questions about any of this, especially records management, just hit me up on LinkedIn or email me. We're very casual around here and we just want to help everyone. So don't feel like your question isn't important enough because if you can't find the answer, it's an important question.
Yusuf:Really interesting conversation. We look forward to getting a copy of the book. Thank you very much for joining us
Narrator:If you enjoyed this podcast, please share with a friend and rate us in your podcast app. For immediate notification of new episodes, you can subscribe at assuranceshow.com. The link is in the show notes.
.jpg)
.jpg)
