Data Protection Guide

Update: This text was compiled almost a year before GDPR was signed. But it cpontains teminology relevant in the GDPR.

Overview

Data protection laws exist to strike a balance between the rights of individuals to privacy and the ability of organisations to use data for the purposes of their business. The (UK) Data Protection Act 1984 introduced basic rules of registration for users of data and rights of access to that data for the individuals to which it related. These rules and rights were revised and superseded by the Data Protection Act 1998 which came into force on 1st March 2000. This Guide explains what you should know about data protection under the Data Protection Act 1998 (‘the Act’). Continue reading “Data Protection Guide”

How transparent is the overall Office 365 operation?

[:en]msft-the-most-complete-cloud

Can you really trust Office 365? How transparent is the overall Office 365 operation?

Moving to a cloud service shouldn’t mean losing access to knowing what’s going on. With Office 365, it doesn’t. We aim to be transparent in our operations so you can monitor the state of your service, track issues and have the historical view of availability. Continue reading “How transparent is the overall Office 365 operation?”

How is Office 365 Compliant?

msft-the-most-complete-cloud

Can you really trust Office 365? How is Office 365 Compliant?

Office 365 is a global service and continuous compliance refers to Microsoft’s commitment to evolve the Office 365 controls and stay up to date with standards and regulations that apply to your industry and geography. We get lots of questions from our customers on controls and compliance, the purpose of this post is to surface some of the features and controls present to give our customers full peace of mind.

Office 365 provides admin and user controls, including eDiscovery, legal hold, and data loss prevention, to help you meet internal compliance requirements. These require no additional on-premises infrastructure to use.

Independent verification

Proactive approach to regulatory compliance

  • Microsoft have built over 900 controls in the Office 365 compliance framework that enable us to stay up to date with the ever-evolving industry standards.
  • A specialist compliance team is continuously tracking standards and regulations, developing common control sets for our product team to build into the service.

Customer controls for organisational compliance

  • Legal hold and eDiscovery built into the service help you find, preserve, analyse, and package electronic content (often referred to as electronically stored information or ESI) for a legal request or investigation. Privacy controls allow you to configure who in your organization has access and what they can access. The Silver Cloud are experts in these features and are able to support all Premier Support customers with discovering them.
  • Data loss prevention in Office 365 helps you identify, monitor, and protect sensitive information in your organisation through deep content analysis.

Can you really trust Office 365?

msft-the-most-complete-cloudCan you really trust Office 365? How can users protect themselves?

Prepared by Daniel John

At DBJ.ORG we know security is a top priority of our customers and this is one that we are working on

Office 365 is a security-hardened service, designed following the Microsoft Security Development Lifecycle. Microsoft bring together the best practices from two decades of building enterprise software and managing online services to give you an integrated software-as-a-service solution.

At the service level, Office 365 uses the defence-in-depth approach to provide physical, logical, and data layers of security features and operational best practices. In addition, Office 365 gives you enterprise-grade, user and admin controls to further secure your environment.

When you ask about Office 365 security it helps to consider security at a number of different levels. At DBJ.ORG we like to think of cloud security from four dimensions:

This post focuses on what is built-in with Office 365:

Built in security

  • 24-hour monitoring of data centers.
  • Multi-factor authentication, including biometric scanning for data center access.
  • Internal data center network is segregated from the external network.
  • Role separation renders location of specific customer data unintelligible to the personnel that have physical access.
  • Faulty drives and hardware are demagnetized and destroyed

Logical security

  • Lock box processes for strictly supervised escalation process greatly limits human access to your data.
  • Servers run only processes on white list, minimising risk from malicious code.
  • Dedicated threat management teams pro-actively anticipate, prevent, and mitigate malicious access.
  • Port scanning, perimeter vulnerability scanning, and intrusion detection prevent or detect any malicious access.

 

  • Data Security:

  • Encryption at rest protects your data on our servers.
  • Encryption in transit with SSL/TLS protects your data transmitted between you and Microsoft.
  • Threat management, security monitoring, and file/data integrity prevents or detects any tampering of data.

Admin and user controls

  • Rights Management Services prevents file-level access without the right user credentials.
  • Multi-factor authentication protects access to the service with a second factor such as phone.
  • S/MIME provides secure certificate-based email access.
  • Office 365 Message Encryption allows you to send encrypted email to anyone.
  • Data loss prevention prevents sensitive data from leaking either inside or outside the organization.
  • Data loss prevention can be combined with Rights Management and Office 365 Message Encryption to give greater controls to your admins to apply appropriate policies to protect sensitive data.

 

Enterprise Content Management is not Information Governance

Enterprise Content Management is not Information Governance

Quite a lot is written these days about information management and information governance. Analysts are predicting that effective information management and governance can be a game changer for enterprises.

BUt. Doesn’t this sound a lot like Enterprise Content Management, or ECM?  Aren’t there already plenty of successful vendors, ECM installations, and ECM strategies at work across companies at all levels, for many years now?

ECM and IG are not the same

In the world of enterprise content management, everything hangs on one single principle: that each document is unique, serves a defined purpose, and is therefore managed.

ECM is critical to regulated industries such as pharmaceutical, where even the specific revisions of drug labels must be managed and ECM solutions provide reliable, defensible tools.  ECM aids companies who regularly develop collaterals, training materials, as well as mundane activities like tracking contracts, document revisions, and so on.

This is not information governance, however – nor is it information management as the world is beginning to understand it.   The ECM world already assumes a one-to-one relationship, which is why ECM has never proven to be a solution for information governance.

Information management and governance – the one-to-many conundrum

One to Many
One to Many

In the information governance world, the rule of thumb is one-to-many.  And this is driven largely by email!

Email by its nature is repetitive:  even email archiving systems cannot and should not eliminate duplication.

In cases where an author sends the same document attachment to multiple recipients, logically all copies point back to the same central document. But as that document moves outside the organization, gets multiplied, is commented upon, and becomes the foundation for an email dialogue, the same information will be repeated and multiplied to make the matters worse.

Information governance has to go beyond the notion of identifying a single document or item and then tracking all revisions.  In the case of email, these revisions are derivatives in branches – in other words, conversations.  An ECM management solution can’t handle this situation, at least not easily.

Managed per content vs. managed per value

Another way to look at ECM is to look at how information is managed. ECM manages based on content:  what’s in a document determines how it and any documents that relate to it are managed. This is how revisioning for example works: inside each revision only changed content is stored not the whole document.

In the information governance world, there are simply too many variables.  Going beyond mere duplication, there is also the challenge that content simply “comes into” an organization via email and then forms the basis for other content.  The process is random.

The key to information governance is understanding the value of content and then applying management.

This is exactly and also is what Big-Data is all about: value of the whole content. Content (aka Information aka Data)  Value has been elusive, but think-groups like the Information Governance Initiative have begun to identify how companies are being successful in valuing information, (often by using Big-Data platforms).  Often, the mere age of the information is a measure of its value:  email is transient by nature, and unless mail refers to a specific subject that is managed differently (example, emails discussing pharma/client relationships at bio-tech institutions), its value decreases as it ages and it ultimately becomes worthless. And toxic as IT Regulators are very keen you don’t store but dump old information.  Companies have successfully ascribed any pre-determined aging to such documents and, as they are covered by legal holds or compliance regulations, delete them after a defined period.

Modern enterprise needs both ECM and IG

Is this really true for each and every mid to large Enterprise? The answer is probably yes, but it is easier to answer whether or not they need enterprise content management (ECM) first.

There are a number of ways to handle content within an organization, and solutions regularly overlap.  Multi-disciplinary solutions like SAP and Oracle provide content management as well as enterprise resource management, routing, tracking, programmatic responses, and the like.  Rarely do they provide information governance for unstructured information like emails, and in cases where they do, that email is often associated with other content.

Information governance (IG), on the other hand, first and foremost requires mature organization with mature and repeatable governance in place.

On the implementation level, IG can be simply an archiving solution:  capture and preserve email to satisfy regulations and later search and discovery.  At its most granular (read: complex) level, IG implementation can, similar to ECM, play a role in identifying unstructured content, categorizing it, and applying very company and content-specific management rules.

Companies need both for different reasons.  Companies usually need ECM platform, because the particular type of information being managed is critical to their business.

Companies need information governance, on the other hand, because there is too much unmanaged and unstructured information flowing throughout their organizations.  Without management, they are unable to mine any potential insights from that information.  Without management, they are also unable to mitigate any risks that information may pose. And this is one very critical driver becoming obvious as from 2015 Q1.  Information can and will become toxic just as any other waste: if dumped anywhere it will develop its toxicity through time. As any “big bank” knows by now, for example. On the other hand if old and stale information, is classified and incinerated it will be safely disposed of.

And make no mistake: informations protection regulators are already here.

By Dave Hunt ]