Microsoft 365 Information Governance Interactive Assessment
The purpose of this assessment is to provide a high-level summary of possible information governance risk areas that your company may be facing. The assessment will generate a report based on answers provided in the messaging, collaboration, storage, securing and managing data questionnaire. This assessment is targeted at organisations with a Microsoft environment and those that have migrated to Microsoft 365 or are planning to.
Question 1/12
Does your organisation have an approach to managing emails compliantly?
- Yes
- Partially
- No
Your answer: Yes
Your organisation has done some of the work already.
Your answer: Partially
Your organisation is on the right path, but there is still work to do.
Your answer: No
This is an important topic that your organisation needs to address.
Organisations with limited email governance end up with a legacy of orphaned mailboxes and PSTs, where data grows but the emails' value is lost. This creates risk in terms of privacy compliance (DSARs, over-retention of personal data, breach, etc.) and cost of storage and responding to requests or litigation.
Managing emails effectively results in the defensible disposal of emails no longer required for legal or regulatory reasons. This, in turn, reduces the related cost and risks.
Implement data classification (such as Microsoft 365 retention labels) to help classify and govern important records.
Question 2/12
Does your organisation encrypt sensitive information when sent externally?
- Yes
- Sometimes
- No
Your answer: Yes
Data security is seriously managed.
Your answer: Sometimes
Data security is important in your organisation, but there is area for improvement.
Your answer: No
Data is not being securely handled, critical risk.
Enabling encryption on emails and files secures data when sent externally. Unencrypted emails are not only at risk in transit but also at rest in the recipient's mailbox or archive. Encrypting data in end-point devices secures the information if the device is lost or stolen.
Ensure your organisation has processes to review your policies and how they are being automated continually. For example, information handling requirements and threats change over time and continuously need to be reassessed.
Allow users to encrypt emails and configure rules to automatically encrypt sensitive emails using Microsoft 365 sensitivity labels and encryption tools.
Question 3/12
Is your organisation effectively utilising the range of messaging tools at their disposal?
- Yes
- Sometimes
- No
Your answer: Yes
Your organisation uses their messaging resources efficiently.
Your answer: Sometimes
Your organisation could benefit from some messaging best practices.
Your answer: No
Your organisation might face some challenges if no change is implemented.
Use emails for formal communications; they are particularly useful when seeking a decision from another party that will become part of the business record and when communicating externally.
Chat/IM apps simplify business communications and are better suited for brief back-and-forth conversations. When used with the other tools (such as co-authoring) this helps speed up collaboration in real-time.
Make sure your organisation clearly communicates how and when each of these messaging tools should be used.
Question 4/12
Do employees use personal storage (e.g. OneDrive) for corporate or client data?
- Yes
- Sometimes
- No
Your answer: Yes
There is a high risk of information being lost or forgotten.
Your answer: Sometimes
There is risk of information being lost or forgotten.
Your answer: No
Your organisation is preventing information from being lost or forgotten.
Employees often use personal storage areas to hold content of corporate value. This causes issues in terms of privacy and compliance and can also lead to the loss of corporate information that should be managed in corporate/shared systems.
Define an approach and educate your employees on how the different collaboration and storage platforms should be used in your organisation.
Question 5/12
Which platform do you predominantly use for collaborating/sharing documents?
- File share (or equivalent)
- Microsoft Teams/SharePoint (or equivalent)
Your answer: Email
Your organisation's collaboration is immature and can be improved
Your answer: File share
Your organisation is missing some productivity and risk reduction opportunities.
Your answer: Microsoft Teams/SharePoint
Your organisation is working to become more productive and minimising risks
Microsoft Teams provides a rich collaboration platform that combines content with communication around a team in one place; enabling people to collaborate more effectively and securely anywhere and at any time. If configured, Microsoft 365 also allows the content and messages to be governed in line with your record retention rules reducing data risk according to data value.
If your employees are predominantly working in file shares and email, then moving to Teams offers these and more benefits.
Encourage and promote the use of Teams while setting the right policies and configuration on the platform to support compliant information governance.
Question 6/12
Does your organisation have a centralised system in place for capturing all record types (e.g. clients, HR, health and safety, etc.) compliantly in line with local laws and regulations?
- Yes
- Partially
- No
Your answer: Yes
You appear to have strong governance and control over your records.
Your answer: Partially
Some records may not be recorded or are difficult to retrieve on demand. Potential risk for non-compliance.
Your answer: No
High non-compliance risk, urgent action required.
Many organisations are emerging from legacy environments such as file shares where documents and records have not been classified and governed. This leads to risk in compliance, higher costs in e-discovery projects and potential fines or lawsuits.
Use Microsoft 365 Record Management capabilities to correctly classify and manage important document retention and disposal.
Classify your data per functional/business area using an updated file plan and manage your retention and disposal rules with Microsoft 365 retention and sensitivity labels and policies.
Question 7/12
Does your organisation have systems or archives with data older than seven years?
- Yes
- No
Your answer: Yes
Your risks related to over-retention of data at present are high and need to be addressed.
Your answer: No
Your risks related to over-retention of data at present are low.
A seven-year retention period can be considered an average retention period for data. If the vast majority of your data is older than seven years, it is likely that you are not enforcing compliant retention rules. Implementing retention rules based on the type of data can help you govern this data and reduce the risks and costs inherent in the over-retention of data.
Implement your organisation's retention rules in Microsoft 365 and develop a strategy to remediate legacy data and operationalise retention within Microsoft 365.
Question 8/12
Does your organisation have a records management policy and retention schedule in place that is maintained, defensible and can be implemented (i.e., has clear retention and trigger rules)?
- Yes
- Partially
- No
Your answer: Yes
That's good to hear. You should now make sure systems and processes embed these policies and rules.
Your answer: Partially
Sounds like you have a way to go. Make sure your retention rules encompass all business activities, rules are justified, and can be implemented.
Your answer: No
This is a major compliance gap that needs addressing.
Records management policies and record retention schedules are fundamental information governance documents that all organisations should have in place and review at least annually. They allow companies to defend their data deletion and narrow the scope of e-discovery requests, helping save money on litigations, storage and reduce data risk.
Consider implementing a tool to support the creation and ongoing maintenance of a defensible retention schedule and import the retention rules into Microsoft 365 File plan for managing and publishing retention labels.
Question 9/12
Does your organisation classify data as it is stored (contracts, sensitive information…) to support handling and disposal of data in accordance with security and retention rules?
- Yes
- Sometimes
- No
Your answer: Yes
You are ahead of most of your competitors. Make sure you have processes to continually review and improve how you classify data.
Your answer: Sometimes
This is not unusual and is often a result of legacy systems and processes.
Your answer: No
Many organisations have developed policies but have not implemented them into their systems and processes.
Many organisations have a retention schedule that defines retention rules to be applied to data, but very few have got as far as "operationalising" these rules within their systems.
When procuring new systems, include requirements around data retention and secure information handling to ensure data is classified as it is stored to support automated governance.
Implement your retention rules as retention labels and security classification as sensitivity labels in Microsoft 365 compliance centre. Develop Data Loss Prevention (DLP) rules aligned to your sensitivity rules and handling requirements to reduce the threat of data breach.
Question 10/12
Does your organisation actively prevent, monitor and contain Intellectual Property (IP) theft or internal malicious attacks?
- Yes
- No
Your answer: Yes
You are proactively managing internal risks of data breach.
Your answer: No
You are at risk of data breach if you do not actively manage internal threats.
Having processes, controls and monitoring to protect your organisation's confidential data and intellectual property is essential to avoid a data breach and protect your competitive advantage.
Microsoft 365 allows organisations to identify, investigate and take action against potential insider risks. Create custom policies linked to your DLP and sensitive data labels in the Microsoft 365 Insider Risk Management System. Set up triggers (such as employees leaving) or add additional safety measures to your organisation's most sensitive data.
Question 11/12
Has your organisation accidentally sent emails or documents to the wrong recipients?
- Frequently
- Sometimes
- No
Your answer: Frequently
This is an area for concern. Simple measures can be put in place to reduce this risk.
Your answer: Sometimes
You are not alone. This is perhaps the most common form of data incident.
Your answer: No
It looks like you have good controls in place to address this type of risk.
Emails sent to the wrong address are not intentional and could have been avoided with the help of some technical controls, such as Data Loss Prevention (DLP). DLP allows you to build rules around how your employees handle information securely based on the sensitivity of the information. You can build in tool tips to help educate users as part of the process.
Microsoft 365 includes DLP features to help organisations minimise the risk of data unintentional data breaches. You can benefit from this feature by implementing DLP rules aligned to your company's security classification standards in the Microsoft 365 compliance centre.
Question 12/12
Does your organisation actively manage (i.e., provision, review, decommission or archive) shared working areas (e.g., File shares, Teams)?
- Yes
- Partially
- No
Your answer: Yes
You are ahead of most of your competitors. Having controls in place to manage Team working areas avoids data chaos!
Your answer: Partially
It may be worthwhile to review the controls you have in place.
Your answer: No
This is an area for improvement. Have a strategy for how data is governed through life.
Most organisations deploy Microsoft 365 applications without any controls, governance or training plan that explains how the applications should be used effectively and compliantly.
Without these considerations, Microsoft 365 can rapidly become your next data graveyard where data is created and left unmanaged creating cost and risk to the organisation. Moving to Microsoft 365 provides the opportunity to ensure that processes, roles and training are put in place to ensure governance is embedded to help enforce compliance with data privacy and record-keeping requirements.
Develop processes or implement additional governance tools to support the provisioning and decommissioning of Teams, SharePoint, OneDrive and Outlook. Also, implement processes to attest access and continued use of Teams and SharePoint to ensure data access is appropriate and data does not become "orphaned." Utilise Microsoft 365 dashboards and reporting to monitor compliance and help determine interventions required to address non-compliance.
Calculating assessment results, this should only take a few seconds.
Establishing Information Governance Best Practices for Microsoft 365 Deployments
Get in Touch
