TRANSCRIPT
INFORMATION GOVERNANCE IN THE AGE OF CLOUD COMPUTING
INACTION IS NOT AN OPTION www.lighthouseglobal.com
Agenda
• Introduction
• What makes information governance in the cloud different?
• How should we respond?
• Final thoughts
Proprietary/Confidential 3
John Shaw
Director, Account Management / Business [email protected]
• Over 20 years' experience working in technical roles: software engineering, digital forensics, e-Discovery and technical consulting
• Responsible for client relationships, engagement commercials and operational delivery and oversight
• Strong track record guiding clients through complex issues and ensuring service delivery at the highest level
© 2018 Lighthouse. All rights reserved. Lighthouse is a registered trademark of Lighthouse Document Technologies.
Introducing Lighthouse
Damian Murphy
Executive Director, Global Advisory Services, [email protected]
• A practising barrister / trial attorney who leads Lighthouse’s Global Advisory Services within the UK.
• For over 20 years, Damian has been advising and representing clients facing complex legal issues, developing and implementing practical solutions in a legal context and managing change across a wide variety of clients in pharma, government and financial services.
• Damian is responsible for providing the whole range of Lighthouse advisory services including eDiscovery, data protection and data movement, dawn raid response planning, managed services, information governance and records management.
• Before becoming a barrister, Damian worked at Accenture where he focused on business process design and change management within pharma, government and financial services in the UK and the US.
• As well as his legal qualifications, Damian has a degree in English Literature from Christ’s College Cambridge and a diploma in French from the University of Bourgogne.
Microsoft + Lighthouse Alliance
• Working relationship began 20 years ago
• Grew up together in eDiscovery
• Lighthouse is the leading Microsoft Compliance Partner for Microsoft 365
• Lighthouse is Microsoft’s eDiscovery service provider
• Engaged in all major U.S. regions, the UK and EU; working with 200+ corporations globally
• Key advisory positions include Partner Advisory Council (PAC); GDPR partner program; Financial Services Consortium
• Relationships within the Security and Compliance Product Group, O365 PAC, and CELA
• Strategic alignment between Microsoft and Lighthouse
What makes information governance in the cloud different?
• The regulatory landscape is more demanding than ever before
• Data is more accessible
• Tools to provide control over data are readily available
The cloud has radically changed the nature of information governance
• Accumulation of privacy regulations: GDPR, CCPA
• Increasingly militant regulators
  • Around €200 million in fines imposed under GDPR
  • Notable information governance fines (focused on failing to delete old personal data):
    • Deutsche Wohnen – €14.5m
    • Denmark: ID Design – €200,000; Taxa4x35 – €160,000; Arp-Hansen Hotel Group A/S – €150,000
The regulatory landscape – Top 5 GDPR fines (€)
• Google (Fr) – 50m
• H&M (Ger) – 35m
• TIM (It) – 28m
• BA (UK) – 22m
• Austrian Post (Aus) – 18m
The accessibility of data
• Adoption of cloud-based data is one of the most disruptive and significant trends to hit the information governance profession in the past 20 years
• Having data in the cloud (e.g. in M365) means you have the data in, effectively, one place and in, effectively, one searchable format
The availability of tools
• Insider Risk Management – identify and remediate critical insider risks
• Information Protection & Governance – protect and govern data anywhere it lives
• Discover & Respond – quickly investigate and respond with relevant data
• Compliance Management – simplify and automate risk assessments
Microsoft’s Investment in Compliance (Including GDPR)
• Insider Risk: Insider Risk Management; Communications Compliance; Information Barriers; Customer Lockbox; Privileged Access Management
• Information Protection & Governance: Retention & Disposition; Cloud DLP; Communications DLP; Rules-based auto classification; Machine Learning auto classification; Records Management; Customer Key; Advanced Message Encryption
• Discover & Respond: Advanced Audit; Core eDiscovery; Advanced eDiscovery; Data Subject Access Requests
• Compliance Management: Compliance Manager; Compliance Score; GDPR Dashboard
The regulatory landscape, the accessibility of data and the availability of tools…
These combine into a perfect storm: no company can afford to place itself in a position where it is not planning to delete the data that it does not need.
How should we respond?
• Foundational considerations
• Adoption strategy
• Dealing with email
• Dealing with Teams
• Dealing with old data
Foundational considerations - definitions
Make sure everyone understands the meanings
Gartner defines information governance as “the specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information”.
Foundational considerations - teamwork
Assemble a team with solid credentials, a clear framework and a plan
• eDiscovery: end-to-end workflow including review
• Records Management: retention & disposition
• Privacy: auto classification (sensitivity labels); GDPR Data Subject Access Request automation
• Data Protection: data loss prevention; alerts/monitoring
• Cyber Security: data investigations; threat analysis
• Risk: compliance monitoring
• Knowledge Management: Delve
Foundational considerations - privacy by design
Adoption strategy – email typically first
Exchange Online
• Frequently (not always) the first workload implemented
• Typically 90%+ of mailboxes moved to the cloud
OneDrive for Business
• Will we adopt?
• Will it become our corporate standard for user file sharing?
• Will we migrate home shares, My Documents and file sharing services?
SharePoint Online
• Will we adopt?
• Will SPO replace file-server-based file sharing?
• Will we migrate file shares to SPO?
Although Teams is being prioritised more and more:
• 500K organizations as of April 2020
• 91 of the Fortune 100
• 75 million daily active users
• 60% of Teams users reside outside the US
• Available in 51 languages
Email Governance
Where are emails that constitute records going to be stored?
Email Governance – Example Framework in M365 (Exchange Online)
• 2 Year Baseline Retention & Deletion
• Example retention labels (non-regulated and highly-regulated examples): Exempt, 5 Years, 7 Years, 10 Years, Legal Hold, Permanent (Sr. Mgmt Only)
• Labels may be applied to folders or individual items
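One way to express a framework like the one above in Security & Compliance PowerShell, added here as an illustration and not taken from the deck: a baseline retention policy that deletes mail after two years, plus longer-retention labels published to users. Label names, durations in days, the policy names and the senior-management address are assumptions chosen to match the slide.

```powershell
# Added example (not from the deck). Assumes the Exchange Online Management
# module is installed and the account holds the Compliance Administrator role.
Connect-IPPSSession

# Baseline: keep all Exchange Online mail for 2 years (730 days), then delete.
New-RetentionCompliancePolicy -Name "Baseline 2 Year Retention" -ExchangeLocation All
New-RetentionComplianceRule -Name "Baseline 2 Year Rule" `
    -Policy "Baseline 2 Year Retention" `
    -RetentionDuration 730 -RetentionComplianceAction KeepAndDelete

# Longer-retention labels that users or auto-apply rules put on folders or items.
# In M365 a labelled item follows its label, and retention wins over deletion,
# so these override the baseline's 2-year delete for the items that carry them.
$years = @{ "5 Years" = 1825; "7 Years" = 2555; "10 Years" = 3650 }   # assumed day counts
foreach ($name in $years.Keys) {
    New-ComplianceTag -Name $name -RetentionAction KeepAndDelete `
        -RetentionType ModificationAgeInDays -RetentionDuration $years[$name] `
        -Comment "Delete $name after last modification"
}

# "Exempt" and "Permanent": retain indefinitely, never auto-delete.
New-ComplianceTag -Name "Exempt" -RetentionAction Keep -RetentionDuration Unlimited
New-ComplianceTag -Name "Permanent (Sr. Mgmt Only)" -RetentionAction Keep -RetentionDuration Unlimited
# "Legal Hold" is applied through eDiscovery holds rather than a label and is not shown here.

# Publish the general labels tenant-wide so they appear in Outlook / OWA.
New-RetentionCompliancePolicy -Name "Email Retention Labels" -ExchangeLocation All `
    -PublishComplianceTag "Exempt,5 Years,7 Years,10 Years"

# Publish "Permanent" only to senior management (placeholder group address).
New-RetentionCompliancePolicy -Name "Senior Management Labels" `
    -ExchangeLocation "senior-mgmt@example.com" `
    -PublishComplianceTag "Permanent (Sr. Mgmt Only)"
```

Policies and labels take time to propagate; confirm the outcome with Get-RetentionCompliancePolicy and Get-ComplianceTag before relying on them for defensible disposal.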
M365 Teams Governance
Considerations
• Not just retention and deletion
• “Level-Up” governance (for example: naming conventions; who can create a Team)
• Deployment configuration to meet legal, regulatory, compliance, and data privacy requirements
• Retention and deletion: chats (channel and private); files
• Day 1 and go-forward: how will you stay in front of changes, e.g., Teams private channels?
Approach
• Participate actively in the evaluation, strategy, and planning for Teams
• Develop/acquire a baseline understanding of how Teams works, especially: what data is available; where that data is stored; the tools available to manage the data and how those tools work in practice (this requires a detailed understanding)
• Systematically review features and functions to assess their impact on information governance
• Develop governance and configuration preferences and present them to other stakeholders
Dealing with old data
Forklift move, or “information governance” cleanup prior to move?
• Identify data subject to legal hold
• Identify data subject to legal, regulatory, or business retention requirements (records, work in progress, etc.)
• Identify data with business value
• Leftovers are “ROT”
“Information governance” cleanup after move?
• Move ESI into M365, then turn on policies
Final thoughts
What to take away?
• GDPR regulators appear to be focusing more on the storage limitation principle – data should be retained for no longer than is necessary
• Data in the cloud is both readily accessible and pre-formatted so that tools can be applied to make a rapid improvement in information governance
• Getting to grips with email is a good starting point
• Given the COVID-triggered proliferation of collaborative tools such as Teams, a tactical approach to information governance should include these tools in scope
• Communications management deals with the going-forward position; realistically, defensible disposal of legacy data will also be needed to significantly reduce regulatory risk in relation to the storage limitation principle