SharePoint Online - NYS Forum Home · 11/13/2019 · Exchange Online, SharePoint Online, OneDrive...

Confidential, Deliberative, Intra- or Inter-Agency, Non-final Communication, FOIL Exempt Draft.

SharePoint Online

DLP, IRM, SPO Groups/AD Groups,

Governance, Best Practices, Information

Security, Audit Logs and ShareGate

O365 CoP – November 2019

2


DLP – Data

Loss

Prevention

November 13, 2019 3


DLP – Data Loss Prevention ~ Overview

Identify sensitive information across many locations, such as

Exchange Online, SharePoint Online, OneDrive for Business,

and Microsoft Teams.

Prevent the accidental sharing of sensitive information.

Monitor and protect sensitive information in the desktop

versions of Excel, PowerPoint, and Word.

November 13, 2019 4


DLP – Data Loss Prevention ~ Overview

Help users learn how to stay compliant without interrupting their

workflow.

View DLP reports showing content that matches your agency’s

DLP policies.

November 13, 2019 5


DLP – Data Loss Prevention Policy Templates

A preconfigured DLP policy template can help you detect specific types of sensitive information:

• U.S. Personally Identifiable Information (PII)• Health Insurance Portability and Accountability (HIPAA)• U.S. Financial Data• U.S. Federal Trade Commission Consumer Rules• U.S. Gramm-Leach-Bliley Act (GLBA)• U.S. Patriot Act• U.S. State Breach Notification Laws• U.S. State Social Security Number Confidentiality Laws

November 13, 2019 6


DLP – Data Loss Prevention Example PII

November 13, 2019 7



November 13, 2019 8



November 13, 2019 9



November 13, 2019 10





DLP – Data Loss Prevention

Any Questions on Data Loss Prevention?

18


IRM – Information

Rights

Management



IRM – Information Rights Management ~ Overview

Information Rights Management (IRM) enables you to limit the actions that users can take on files that have been downloaded from SharePoint Online lists or libraries. IRM encrypts the downloaded files and limits the set of users and programs that are allowed to decrypt these files. IRM can also limit the rights of the users who are allowed to read files, so that they cannot take actions such as print copies of the files or copy text from them.

You can use IRM on lists or libraries to limit the dissemination of sensitive content.



How IRM can help protect content

IRM helps to protect restricted content in the following ways:• Helps to prevent an authorized viewer from copying, modifying, printing, faxing, or

copying and pasting the content for unauthorized use• Helps to prevent an authorized viewer from copying the content by using the Print

Screen feature in Microsoft Windows• Helps to prevent an unauthorized viewer from viewing the content if it is sent in e-mail

after it is downloaded from the server• Restricts access to content to a specified period of time, after which users must confirm

their credentials and download the content again• Helps to enforce corporate policies that govern the use and dissemination of content

within your organization



How IRM cannot help protect content

IRM cannot protect restricted content from the following:• Erasure, theft, capture, or transmission by malicious programs such as Trojan horses,

keystroke loggers, and certain types of spyware• Loss or corruption because of the actions of computer viruses• Manual copying or retyping of content from the display on a screen• Digital or film photography of content that is displayed on a screen• Copying through the use of third-party screen-capture programs• Copying of content metadata (column values) through the use of third-party screen-

capture programs or copy-and-paste action



How to establish IRM for a Document Library

IRM is set for the NYS SharePoint Online tenant

Users can enforce IRM for a particular Document Library or List by performing the following:(To apply IRM to a list or library, you must have administrator permissions for that list or library)

• Get to Site Contents• Identify the document library or list, and select Settings by clicking the three vertical dots• Once the settings page opens – select “Information Rights Management”• When the “Information Rights Management Settings” page opens, select “More Options”



How to establish IRM for a Document Library



IRM – Information Rights Management

Any Questions on Information Rights

Management?

25


Groups –

SharePoint Online

and Azure AD



Groups – SharePoint Online & Azure AD ~ Overview




From Microsoft’s Documentation:

“Office 365 Groups is the cross-application membership service in Office 365. At the basic level, an Office 365 Group is an object in Azure Active Directory with a list of members and a loose coupling to related workloads including a SharePoint team site, shared Exchange mailbox resources, Planner, Power BI and OneNote. You can add or remove people to the group just as you would any other group-based security object in Active Directory.”




Types of Groups:• Office 365 groups are used for collaboration between users.• Distribution groups are used for sending notifications to a group of people.• Security groups are used for granting access to SharePoint resources.• Mail-enabled security groups are used for granting access to SharePoint resources, and

emailing notifications to those users.• Shared mailboxes are used when multiple people need access to the same mailbox, such

as a company information or support email address.



Groups – Office 365 Groups

• Office 365 groups are used for collaboration between users, both inside and outside your company. With each Office 365 group, members get a group email and shared workspace for conversations, files, and calendar events, and a Planner.

• Office 365 groups can be configured for dynamic membership in Azure Active Directory, allowing group members to be added or removed automatically based on user attributes such as department, location, title, etc. (Requires Azure AD P1 licensing.)

https://docs.microsoft.com/azure/active-directory/users-groups-roles/groups-change-type



Groups – Distribution Groups

• Distribution groups are used for sending notifications to a group of people. When thinking of a Distribution Group, they function like a Distribution List

• Distribution groups are best for situations where you need to broadcast information to a set group of people, such as "People in Swan Street" or "Everyone at ITS."

https://docs.microsoft.com/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups



Groups – Security Groups

• Security groups are used for granting access to Office 365 resources, such as SharePoint. They can make administration easier because you need only administer the group rather than adding users to each resource individually.

• Security groups can be configured for dynamic membership in Azure Active Directory, allowing group members or devices to be added or removed automatically based on user attributes such as department, location, or title; or device attributes such as operating system version. (Note, this requires Azure AD P1 licenses for members of the SG.)

https://docs.microsoft.com/en-us/office365/admin/email/create-edit-or-delete-a-security-group?view=o365-worldwide

https://docs.microsoft.com/azure/active-directory/users-groups-roles/groups-change-type



Groups – Mail-Enabled Security Groups

• Mail-enabled security groups function the same as regular security groups, except that they cannot be dynamically managed through Azure Active Directory and cannot contain devices.

• They include the ability to send mail to all the members of the group.



Groups – Shared Mailboxes

• Shared mailboxes are used when multiple people need access to the same mailbox, such as a company information or support email address, reception desk, or other function that might be shared by multiple people.

• Users with permissions to the group mailbox can send as or send on behalf of the mailbox email address if the administrator has given that user permissions to do that.

https://docs.microsoft.com/en-us/office365/admin/email/create-a-shared-mailbox?view=o365-worldwide



Groups – SharePoint Online & Azure AD

Any Questions on SharePoint Online or Azure

AD Groups?

35


SharePoint Online

Governance



Governance – SharePoint Online ~ Overview

SharePoint Online Governance Consists of:

• A governance plan

• Individuals tasked with insuring that the governance plan is

adhered to. The individuals form a group that creates,

modifies and publishes the plan as necessary.

• Communication with users and administrators to ensure that

they are aware of the plan and methods to implement the

plan.



Governance – SharePoint Online ~ Overview

SharePoint Online Governance Plan Example

• Overview

• Site Architecture (Communication, Team, Hub)

• Security / Groups / External Sharing

• Navigation

• Site Design

• Metadata Usage

• Information Protection (DLP, IRM, Versioning, Check In/Out)

• Information Removal

• User Onboarding and Removal

• Understanding Help/Support Options



Groups – SharePoint Online Governance

Any Questions on SharePoint Online

Governance?

39


SharePoint Online

Best Practices



Best Practices – SharePoint Online

Assign permissions using Groups – administration of

permissions is greatly simplified.

Give groups/user only the permissions that they really need.

Consider implementing DLP and IRM for all site collections in

your agency that may possibly contain sensitive information.




Changing inheritance of a site, list, document library or page

should only be done with the greatest of caution.

Know who the site-collection admins or site owners are. Those

individual should be your first line of contact for any issues.

Use versioning on all document libraries. There can be up to

500 versions of a document available.



Best Practices – SharePoint Online ~ Versioning

There are 3 options for document library versioning:

1. Create major versions2. Create major and minor (draft) versions3. No versioning – (not recommended)

With major and minor versions, draft item security permissions are provided. Thereare 2 options as to who can see draft versions:

1. Only users who can edit items (recommended)2. Only users who can approve items, and the author of the item




Turn off sharing when a new site is created.




Any Questions on SharePoint Online Best

Practices?

Any success stories to share regarding SPO

Best Practices?

45


SharePoint Online

Information

Security



Information Security – SharePoint Online

Microsoft 365 GCC (“Best for FedRAMP moderate, supports CJIS and IRS 1075 standards and DISA Level 2 Security Requirements Guidelines.”). To learn more, we refer to:

https://www.microsoft.com/en-US/microsoft-365/government

https://www.microsoft.com/en-us/trust-center

https://www.microsoft.com/en-us/TrustCenter/Compliance/complianceofferings

https://www.microsoft.com/en-US/microsoft-365/government

https://www.microsoft.com/en-us/trust-center

https://www.microsoft.com/en-us/TrustCenter/Compliance/complianceofferings




Any Questions on SharePoint Online

Information Security?

49


SharePoint Online

Audit Logs



Audit Logs – SharePoint Online

All SharePoint Online activities are monitored via

the O365 Unified Audit Log (UAL). The UAL applies

to:

• Site Collections / Sites (sub-sites)

• OneDrive

• NYS SPO tenant




Microsoft documentation can be found at:

"Search the audit log in the Security & Compliance Center"

Link: https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance

https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance




The Unified Audit Log can provide:

• User activity in SharePoint Online and OneDrive for Business

• Admin activity in SharePoint Online

SharePoint Online activity should appear in the UAL within 30 minutes.




Any Questions on SharePoint Online Audit

Logs?

54


SharePoint Online

ShareGate



ShareGate – SharePoint Online




Any Questions on ShareGate?

59


SharePoint Online - NYS Forum Home · 11/13/2019 · Exchange Online, SharePoint Online, OneDrive...

Documents

Transcript of SharePoint Online - NYS Forum Home · 11/13/2019 · Exchange Online, SharePoint Online, OneDrive...