Microsoft 365 Information Governance Interactive Assessment

Organisations with limited email governance end up with a legacy of orphaned mailboxes and PSTs, where data grows but the emails' value is lost. This creates risk in terms of privacy compliance (DSARs, over-retention of personal data, breach, etc.) and cost of storage and responding to requests or litigation.

Managing emails effectively results in the defensible disposal of emails no longer required for legal or regulatory reasons. This, in turn, reduces the related cost and risks.

Enabling encryption on emails and files secures data when sent externally. Unencrypted emails are not only at risk in transit but also at rest in the recipient's mailbox or archive. Encrypting data in end-point devices secures the information if the device is lost or stolen.

Ensure your organisation has processes to review your policies and how they are being automated continually. For example, information handling requirements and threats change over time and continuously need to be reassessed.

Use emails for formal communications; they are particularly useful when seeking a decision from another party that will become part of the business record and when communicating externally.

Chat/IM apps simplify business communications and are better suited for brief back-and-forth conversations. When used with the other tools (such as co-authoring) this helps speed up collaboration in real-time.

Employees often use personal storage areas to hold content of corporate value. This causes issues in terms of privacy and compliance and can also lead to the loss of corporate information that should be managed in corporate/shared systems.

Microsoft Teams provides a rich collaboration platform that combines content with communication around a team in one place; enabling people to collaborate more effectively and securely anywhere and at any time. If configured, Microsoft 365 also allows the content and messages to be governed in line with your record retention rules reducing data risk according to data value.

If your employees are predominantly working in file shares and email, then moving to Teams offers these and more benefits.

Many organisations are emerging from legacy environments such as file shares where documents and records have not been classified and governed. This leads to risk in compliance, higher costs in e-discovery projects and potential fines or lawsuits.

Use Microsoft 365 Record Management capabilities to correctly classify and manage important document retention and disposal.

A seven-year retention period can be considered an average retention period for data. If the vast majority of your data is older than seven years, it is likely that you are not enforcing compliant retention rules. Implementing retention rules based on the type of data can help you govern this data and reduce the risks and costs inherent in the over-retention of data.

Records management policies and record retention schedules are fundamental information governance documents that all organisations should have in place and review at least annually. They allow companies to defend their data deletion and narrow the scope of e-discovery requests, helping save money on litigations, storage and reduce data risk.

Many organisations have a retention schedule that defines retention rules to be applied to data, but very few have got as far as "operationalising" these rules within their systems.

When procuring new systems, include requirements around data retention and secure information handling to ensure data is classified as it is stored to support automated governance.

Having processes, controls and monitoring to protect your organisation's confidential data and intellectual property is essential to avoid a data breach and protect your competitive advantage.

Emails sent to the wrong address are not intentional and could have been avoided with the help of some technical controls, such as Data Loss Prevention (DLP). DLP allows you to build rules around how your employees handle information securely based on the sensitivity of the information. You can build in tool tips to help educate users as part of the process.

Most organisations deploy Microsoft 365 applications without any controls, governance or training plan that explains how the applications should be used effectively and compliantly.

Without these considerations, Microsoft 365 can rapidly become your next data graveyard where data is created and left unmanaged creating cost and risk to the organisation. Moving to Microsoft 365 provides the opportunity to ensure that processes, roles and training are put in place to ensure governance is embedded to help enforce compliance with data privacy and record-keeping requirements.