Getting your compliance journey off to a good start
The right start sets the tone for any journey. When it comes to deploying Microsoft Purview, with its extensive range of tools and configuration options, we find Information Protection and Data Loss Prevention (DLP) to be the easiest – and most beneficial – starting point.
Now, we’re not saying good information protection is easy, by any means. It is, however, a relatively easy sell to those holding the IT purse strings.
In today’s cyber-threat-heavy landscape, anything that offers improved protection for sensitive data is a business value no-brainer. And since the same requirements for the deployment of robust Information Protection and DLP are also prerequisites for more advanced compliance deployments like data lifecycle management, it’s a great way to set yourself up for future success.
Information protection: ready, set, go!
Before we dive into information protection specifics, it’s important to acknowledge that your compliance journey will be unique to your organisation. We’ve been there from the start for many businesses across a huge variety of industries (chemicals, manufacturing, telecommunications, insurance, you name it) and each has required its own, tailored approach.
That said, the broad strokes – particularly early on – are similar for every compliance journey. With that in mind, we suggest making the following two steps your first ones.
Step 1: Data classification
To protect sensitive information, you first need to know what it is; where it’s hiding; and what rules, processes and procedures need to be implemented to keep it safe from unauthorised access. This information will form the basis of your data classification policies.
In our experience, the best way to define these policies is by workshopping them with stakeholders from across the business. (This can be easier with the help of a compliance partner who is skilled at facilitating these kinds of interdepartmental conversations.)
Pro tip: As part of data classification, sensitive information is typically grouped into classes – each with its own set of rules and processes. Having too many classes can overly complicate matters with little benefit, however. In most cases, five or fewer classes is more than enough.
Step 2: Sensitivity labels
Once your data classification policies are formulated, you’ll need to translate them into sensitivity labels. These labels will apply the necessary protections defined in your policies (e.g. encryption, content markings like headers/footers/watermarks, access permissions, restricted actions etc.) to the data at hand.
Pro tip: While Microsoft provides a standard set of sensitivity labels, don’t feel obligated to use these if they don’t meet your needs. Trying to force square pegs into round holes will do nothing more than stall your compliance journey.
The importance of collaboration and communication
We’ve said it before, and we’ll say it again: never underestimate the importance of collaboration and communication on your compliance journey.
One of the most powerful ways to smooth the rollout of new compliance features is to get all your stakeholders actively engaged in the process. That means encouraging inter-departmental collaboration on the definition of data classifications. It means helping stakeholders understand how those classifications translate into sensitivity labels. It means empowering department heads and team leaders to share compliance context with their users, helping them understand how (and why) it relates to their own documents and data.
Of course, it’s not an easy process to facilitate these high-quality discussions, getting everyone on the same page and talking the same language. That’s why we’ve made it one of the key focus areas in our Compliance Accelerator Programme.
Let us help you achieve the leadership and stakeholder engagement you need to make sustainable progress towards your compliance objectives.
Get in touch to find out more.