The Six Stages Of The Compliance Journey

Beyond the tech: The six stages of the compliance journey 

In a recent article, we discussed the role specialist tools play in compliance, and how to tell if your organisation should be using these in preference (or in addition) to a solution like Microsoft Purview. Over the years, we’ve found these questions – and the quest to find the perfect technology solution – to be some of the most common stumbling blocks for organisations trying to get their compliance journey on the road. 

The irony is that technology – while critically important – is only one piece of a much larger compliance picture. A quick look at what needs to happen during each of the steps of a well-run compliance project makes it blatantly obvious that the right people and processes are just as important as the right technology (if not more so). 

Here is our step-by-step breakdown of what a strategically-sound compliance process looks like, and all the decisions you’ll need to think about above and beyond your chosen tool suite. 

Step 1: Initiation 

The first step of any journey is figuring out where you want to end up. In a compliance context, that means creating a working hypothesis of your suspicions, and clarifying your motivations for wanting to address them.  

This is vital information for planning and prioritisation, but also plays a critical role in identifying the right people to own the problem and drive the solution (without which compliance projects invariably stall). 

Example Hypothesis: We suspect we’re carrying an unacceptable amount of risky data in our Microsoft 365 environment because it (a) qualifies as sensitive information, (b) falls outside our retention policy, and (c) is accessible to people who shouldn’t have access. 

Example Motivations: (a) We need to be compliant, (b) we need to reduce risk, and (c) we need to introduce new technology like AI that could increase our risk exposure. 

From here, you can start defining your scope: what are you looking for (sensitive information types, date ranges, permissions etc.) and where are you looking for it (Microsoft 365, on-premises file shares, endpoints etc.)? This will inform whether or not you need a specialist solution able to search and analyse data outside of the Microsoft stable, or whether you have the option to use Microsoft Purview across the board. 

Pro tip: Scoping compliance projects can feel a little “chicken and egg”, requiring visibility into your risky data to guide your policy decisions, but also requiring policy decisions to guide visibility into your data.  

We always recommend starting with a basic policy framework defining what constitutes sensitive information types, retention and ROT for your organisation. These can be refined as your compliance project – and compliance maturity – progresses. 

Other factors that may affect your decision to use a specialist solution for data discovery and analysis include: 

  • Cost vs value – specialist tools come with a hefty price tag 
  • Parameters – are you scanning per data source, per classification, etc.? 
  • Capabilities – do you need to scan, classify and index file content and properties? Collect file and folder structures and permissions? Conduct permissions mapping? 

Step 2: Assess and Benchmark 

Once you’ve chosen your technology, you can move ahead with data discovery and analysis to quantify just how accurate your suspicions are, and where your greatest risks lie. 

This step is where many organisations believe specialist compliance solutions will bring home the bacon – likely due to the often assessment-focussed nature of their marketing. In reality, using a powerhouse like Stealthbits or Varonis for this step alone might feel like cracking a nut with a sledgehammer unless you’re already using these tools in earnest. Serious (and seriously expensive) overkill. 

If the majority of your data is created and/or stored within Microsoft 365, Purview is more than capable of performing the necessary analyses to identify and classify sensitive and/or at-risk data, and benchmark your existing controls against applicable regulations. (It doesn’t hurt that Purview is also bundled into popular enterprise licence packages, making it essentially available-for-use.) 

Step 3: Prioritise and Plan 

With a clearer understanding of your risk exposure and compliance shortfalls, it’s time to analyse the potential impact that could have on your organisation. We like to refer to this as the “so what?” stage, because there is one undeniable truth that always comes to the surface: 

If nobody really understands or cares about the impact of a vulnerability, nothing more is going to happen. 

Driving progress to achieve the compliance your organisation needs (and regulations demand) takes active engagement from stakeholders and decision makers who are genuinely invested in the outcomes. This isn’t something technology can help with, but it is an area in which the right partner can add significant value. (Read more about our Compliance Accelerator Programme here.) 

Outcomes of this step should include a detailed impact assessment, as well as a remediation plan with provision for ongoing iterative work. 

Step 4: Assemble and Engage 

This step uses the impact assessment created in Step 3 to assign ownership and establish accountability for the various aspects of the remediation plan. It’s essential that the chosen role-players are both authorised to take the necessary actions, and motivated to do so within a reasonable timeframe. 

We always recommend formalising a committee and setting timescales for progress. New data is being constantly generated, and those elusive and ever-moving compliance targets wait for no man. 

Step 5: Drive and Deliver 

No matter what tools or processes you’ve used to get to this point, the hardest step of your compliance journey is likely to be this one. It’s time to define your sensitive information types, retention, ROT and archiving permissions, solidify labelling and classification taxonomies and policies, and translate your compliance requirements into real-world technology controls. 

If the majority of your data is Microsoft-based, Purview offers some great efficiencies during this process. That said, the lion’s share of brainwork here is going to be human. 

Step 6: Monitor and Report 

Data is an ever-evolving beast – as is compliance. It takes constant monitoring and regular engagement to keep the ball between the goalposts.  

Purview’s active detection capabilities across data loss prevention, information protection and adaptive protection are a great advantage in this ongoing effort.  

Conclusion 

Technology has revolutionised the compliance journey, with specialist tools offering extraordinary capabilities for more complex deployments. Despite this, much of the compliance process still relies on skilled and motivated stakeholders to define the right goals and continuously drive progress towards them. 

Getting this right can be a struggle – particularly for organisations where business, legal and IT find it hard to communicate effectively. To solve this challenge, Cloud Essentials now offers a facilitated Compliance Accelerator Programme designed to support and expedite strategic decision-making while maintaining optimal alignment between compliance maturity and business requirements. 
