Driving for Better Compliance
Following its announcement at Ignite 2017, Microsoft launched the preview of its Compliance Manager on November 16. The Compliance Manager is available to all organizations with a paid or trial subscription to a Microsoft cloud service, except tenants of the Office 365 datacenter regions in China and Germany.
Microsoft describes Compliance Manager as: “A dashboard that summarizes Microsoft’s and your organization’s control implementation progress for Office 365 across various standards and regulations, such as the EU General Data Protection Regulation (GDPR), ISO 27001, and ISO 27018.”
To access Compliance Manager, log into the Compliance Manager portal using your Microsoft cloud credentials.
Office 365 and GDPR
Although Azure is in the mix (due in early 2018), given the widespread presence of personally identifiable information (PII) in documents and email, I suspect that the new tool will be of most interest to Office 365 tenants who operate in the European Union, in EEA countries like Norway, or in countries like Switzerland whose businesses process the data of EU residents, all of whom face the General Data Protection Regulation (GDPR) when it takes effect in six short months.
Office 365 already includes many compliance features to help an organization control data, including data loss prevention (DLP) and retention policies, classification labels, encryption and rights management for documents and email, content searches, and auditing. Some of the features are only available with higher-priced plans (like auto-label policies in Office 365 E5) and some require extra licensing (like Azure Information Protection P2).
The issue is not a lack of technology to control the misuse of PII; it is more often the case that the people in the organization need help to understand what data needs protection and how best to protect that data.
The Compliance Manager Dashboard
Compliance Manager is a dashboard, but it is a passive instrument. Unlike other Office 365 dashboards like Secure Score or the Data Governance dashboard in the Security and Compliance Center, it does not try to analyze the settings of a target organization against any baselines to report gaps and problems. Microsoft intends to improve functionality in this area in the future and will generate a “compliance score” for a tenant.
For now, Compliance Manager lists standards and regulations that organizations and service providers might want to satisfy and delivers some practical advice about how tenants can start dealing with those standards. The plan is to add more standards to the dashboard over time. When I started Compliance Manager, it offered the option to work with GDPR and ISO 27001:2013 (Figure 1).
Each standard applied to a platform like Office 365 is decomposed into a set of controls. You can think of a control as something that either a service provider (in this case, Microsoft) or a tenant must do as part of the work to satisfy a regulation or meet a standard. The biggest benefit of the Compliance Manager is how Microsoft has broken down complex regulations like GDPR into the controls. For GDPR, 71 controls are assigned to Microsoft and 47 to the customer (see Jussi Roine’s review).
Microsoft’s controls are all marked as passed following testing by an independent auditor. Given that all 71 controls are checked, one interpretation is that Microsoft believes that Office 365 satisfies GDPR, even though Microsoft has made no such claim. Microsoft does not say who carried out the audit or what plan or other software (like add-ons) the examined Office 365 tenant used. This is disappointing because a big difference exists in the compliance functionality available in different plans. For example, if you run Office 365 E5, you can deploy auto-label policies (part of advanced Office 365 data governance) to find and classify documents that hold PII.
Assigning Work Through Controls
With 47 controls to satisfy, any Office 365 tenant has a lot of work to do to make sure that they can cope with GDPR. Compliance Manager tells them what needs to be done but gives no practical assistance to manage the actual work. You can assign a person to work on a control (the list of names comes from the GAL), but you cannot assign a group or multiple people (Figure 2). And then you must tell the assignee that they have work to do, because the email notification does not work yet (it is coming soon).
Of course, email assumes that an Office 365 tenant uses Exchange Online. Most do, but some do not.
You can also upload documents to Compliance Manager for each control, presumably as evidence that the work is done. However, the documents are not stored inside Office 365. All in all, using Compliance Manager to track work is an exhaustingly manual process.
Leveraging Office 365 to Satisfy GDPR
If Office 365 is strong in one area, it is collaboration technology. Why not harness that technology to manage what is essentially an exercise in paperwork, one that probably involves collaboration with people drawn from across the organization?
Two obvious candidates present themselves: Planner to track the tasks involved in satisfying controls, and Teams for collaboration. Outlook groups or Yammer groups could also be used, but Teams and Planner are more tightly integrated at this point.
Creating a GDPR Plan
To implement the solution, I first created a new plan with Planner. Creating a new plan also creates a new Office 365 Group, to which I added the people who would work on the GDPR controls as members. I then created a set of buckets in the plan matching the categories Microsoft uses to divide up the GDPR controls.
Next, I created a task for each control in the appropriate bucket and assigned it to the individuals responsible (Figure 3). The task description is copied from the control description in Compliance Manager. You can tailor the text to meet the unique needs of the organization, add checklist items, and add attachments that the person assigned the task might need to understand what must be done. Planner also has colored labels for tasks that could be used to indicate departments, like IT, Finance, Legal, and so on.
After the tasks are created and assigned, it is easy to track progress through Planner (Figure 4). Although Planner has only a few charts now, the Planner developers have promised that a new schedule view will be available soon.
Teams also uses Office 365 Groups for identity and membership, so it did not take long to team-enable the group. I then added a Planner tab and connected it to the plan (Figure 5). Team members can collaborate to achieve the necessary controls. Any documents needed can be assembled in Teams and stored in the SharePoint document library for the group.
Voilà! I now have the ability for people to work through the controls necessary for the organization to satisfy GDPR.
Of course, it would be nice if Microsoft built the necessary intelligence into Compliance Manager to create the Office 365 Group, plan, and team and export the controls information to the plan, probably using the Microsoft Graph APIs. However, this is preview software and it is therefore only the start of what might happen in the future. Feel free to automate the process yourself if you feel like a challenge!
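To show what that automation looks like, here is an added example (not code from the original post, from Microsoft, or from Compliance Manager) that drives the steps described above through Microsoft Graph v1.0 in the order Graph requires: create the Office 365 Group, create a plan owned by the group, create one bucket per control category, create one task per control with its assignees, and finally team-enable the group. The endpoint paths and payload shapes are the documented Graph calls; the controls list, the user object ids and the `FakeGraph` transport are constructed here so the script runs offline. A real run would replace `FakeGraph` with a transport that sends the request over HTTPS with a bearer token, and would load the 47 customer controls exported from Compliance Manager instead of the three sample controls.

```python
"""Provision a GDPR plan (Group -> Plan -> Buckets -> Tasks -> Team) via Microsoft Graph.

Added example for the article above; not the post's own code or Microsoft's.
The control ids, user ids and transport below are constructed for an offline run.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

GRAPH = "https://graph.microsoft.com/v1.0"

# transport(method, url, json_body) -> response dict; swapped for FakeGraph below
Transport = Callable[[str, str, dict], dict]


@dataclass
class Control:
    control_id: str           # sample identifier, not a Compliance Manager number
    category: str             # becomes a Planner bucket
    title: str                # becomes the task title
    assignee_ids: List[str]   # Azure AD user object ids; Planner allows several


def provision(send: Transport, nickname: str, owners: List[str],
              members: List[str], controls: List[Control]) -> Dict:
    """Create the group, plan, buckets, tasks and team; return the ids created."""
    # 1. Unified (Office 365) group: owns the plan and later becomes the team.
    group = send("POST", f"{GRAPH}/groups", {
        "displayName": "GDPR Readiness",
        "mailNickname": nickname,
        "mailEnabled": True,
        "securityEnabled": False,
        "groupTypes": ["Unified"],
        "owners@odata.bind": [f"{GRAPH}/users/{u}" for u in owners],
        "members@odata.bind": [f"{GRAPH}/users/{u}" for u in members],
    })
    # 2. Plan owned by the group (Planner requires a group as owner).
    plan = send("POST", f"{GRAPH}/planner/plans",
                {"owner": group["id"], "title": "GDPR controls"})
    # 3. One bucket per category, preserving first-seen order.
    buckets: Dict[str, str] = {}
    for category in dict.fromkeys(c.category for c in controls):
        bucket = send("POST", f"{GRAPH}/planner/buckets",
                      {"name": category, "planId": plan["id"], "orderHint": " !"})
        buckets[category] = bucket["id"]
    # 4. One task per control; assignments are keyed by user object id.
    task_ids: List[str] = []
    for c in controls:
        assignments = {
            uid: {"@odata.type": "#microsoft.graph.plannerAssignment", "orderHint": " !"}
            for uid in c.assignee_ids
        }
        task = send("POST", f"{GRAPH}/planner/tasks", {
            "planId": plan["id"],
            "bucketId": buckets[c.category],
            "title": f"{c.control_id} {c.title}",
            "assignments": assignments,
        })
        task_ids.append(task["id"])
    # 5. Team-enable the group so members get channels and a SharePoint library.
    send("PUT", f"{GRAPH}/groups/{group['id']}/team",
         {"memberSettings": {"allowCreateUpdateChannels": True}})
    return {"group": group["id"], "plan": plan["id"], "buckets": buckets, "tasks": task_ids}


class FakeGraph:
    """Offline stand-in for Graph: records (method, path, body) and returns sequential ids."""

    def __init__(self) -> None:
        self.calls: List[tuple] = []
        self._n = 0

    def __call__(self, method: str, url: str, body: dict) -> dict:
        self.calls.append((method, url[len(GRAPH):], body))
        self._n += 1
        return {"id": f"id-{self._n:03d}", **body}


# Constructed sample; the real list is the 47 customer controls in Compliance Manager.
SAMPLE_CONTROLS = [
    Control("C-01", "Personal data discovery", "Inventory PII held in SharePoint and Exchange", ["user-a"]),
    Control("C-02", "Personal data discovery", "Configure DLP policies for sensitive information types", ["user-a", "user-b"]),
    Control("C-03", "Data subject rights", "Define the content search procedure for access requests", ["user-c"]),
]


def demo():
    """Run the provisioning against the fake transport and return (transport, result)."""
    fake = FakeGraph()
    result = provision(fake, "gdpr-readiness", ["user-a"], ["user-a", "user-b", "user-c"], SAMPLE_CONTROLS)
    return fake, result


if __name__ == "__main__":
    transport, created = demo()
    for method, path, _ in transport.calls:
        print(method, path)
    print(created)
```

Running the script prints the eight Graph calls in dependency order; the `owner`, `planId` and `bucketId` fields carry the ids returned by the earlier calls, which is exactly the ordering constraint a real client has to respect (a task cannot be created before its bucket, nor a bucket before its plan).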
Compliance is Difficult
Compliance is easy in concept but difficult to implement in reality, and people are always the weakest link. Microsoft’s Compliance Manager breaks down complex regulations into digestible chunks. Using collaboration software like Planner and Teams to help people work together to prepare for something like GDPR just makes sense. Being able to base that activity on those digestible chunks is even better.
Follow Tony on Twitter @12Knocksinna.
Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.