The three pillars of GRC
- Governance
- Risk management
- Compliance
Where does Microsoft Purview fit in?
GRC has proven to be a very successful approach to enterprise risk management, helping to clarify and support the achievement of risk management objectives, while simultaneously enhancing decision-making capabilities and improving business performance. It does, however, require collaboration between various stakeholders, including governance, business, IT, compliance and/or risk departments.
This can create challenges, particularly in areas where the lines between team responsibilities become blurred. Data governance is a classic example.
IT teams typically understand the technicalities of the Microsoft environment, its configuration, where the data risks lie, and what tools and capabilities are available to address them. However, IT is not (normally) responsible for formulating – or overseeing and reporting on – the data governance strategy. This falls to governance/compliance/risk teams, most of which have far less technical understanding of the tools at hand.
This can easily result in data governance policies that don’t translate well into the available technical controls, leaving potentially dangerous mismatches between policy and implementation.
This is where Microsoft Purview’s consolidated capabilities can be a gamechanger.
Bridging the gaps
Microsoft Purview is a set of solutions that help organisations govern, protect and manage data where(ever) it lives. It’s not a holistic GRC tool and isn’t looking to take on this role. It does, however, have an impressive feature set and well-structured dashboard that can add a lot of value (and overcome a lot of hurdles) for businesses implementing data governance as part of their GRC strategy.
It does this by bridging the gaps between the technical and risk/compliance sides of data governance, facilitating more effective collaboration and eliminating blind spots.
Purview for IT
On the technical side, Microsoft Purview delivers exceptional visibility into the data estate, and offers a comprehensive range of controls to safeguard and manage sensitive data throughout its lifecycle.
Purview for Risk/Compliance
On the risk/compliance side, that same visibility becomes a powerful asset in the identification of data risks; the supervision and realistic adaptation of technical controls in alignment with the latest regulations and certifications; and the monitoring and reporting of ongoing progress.
Compliance/risk teams access the vast majority of this functionality through Microsoft Purview Compliance Manager. This potent tool is designed to help automatically assess and manage compliance across a multi-cloud environment, dramatically reducing the time, complexity, and workload of managing and monitoring enterprise compliance and risk.
Microsoft Purview Compliance Manager offers:
- Pre-built assessments for common standards and regulations, as well as custom assessments for unique compliance needs.
- Consolidated risk assessment workflows.
- Actionable, step-by-step guidance on high impact improvement actions.
- A risk-based compliance score to benchmark compliance posture and measure the impact of improvement actions as they are completed.
Who is responsible for rolling out Purview?
The trouble with having something for everyone is that it can be tricky to decide exactly who should be responsible for rolling out Microsoft Purview. The not-so-simple answer is that Purview deployments really need to be a joint effort.
Risk, compliance and business stakeholders need to provide input on the business’ requirements around sensitive data classification and any legal and/or regulatory requirements around retention policies. These feed into the technical controls configured by IT to safeguard and manage the data effectively.
Everyone needs to play their part in understanding and mitigating the risks associated with data. That includes understanding the fundamentals of how the technology works, and the impact policy decisions can have on the business and its users.
Getting to this point can be challenging – particularly when stakeholder engagement is low. If you’re struggling to get everyone in the same room and on the same page, we highly recommend considering the Cloud Essentials Compliance Accelerator Programme.
Get in touch to find out more.