SharePoint & Compliance Marc Dreyfus Sr. Compliance Solutions Specialist, CIPP/US

Upload: tobias-oakland

Post on 16-Dec-2015



Intellectual Property and Trade Secrets

Sensitive Customer Information and Data

Competitive Advantage

Personnel information

National Security

The Challenge: Legions of compliance obligations and risks to information

The onslaught of risk and compliance issues related to information sharing includes:

Persistent Data (once it’s out there, it’s out there)

Simple Authorship

Information Transference

Information Collection

Big Data

What’s Changed: Forces Driving Organizational Compliance Obligation

Massive amounts of circulating content have led to reactive legislative policies and a rethinking of how corporate data is to be managed.

Big Data

Addresses inefficiencies in Statistical Sampling

• Diapers and Beer
• Language Translation
• Tracking Spread of Influenza
• Credit Scores
• Identification with NAME / ZIPCODE

Sign of the times

Elizabeth Warren

A Sample of Compliance Standards

Accessibility Compliance
• Section 508 and 508 Refresh
• Web Content Accessibility Guidelines (WCAG) 1.0
• Web Content Accessibility Guidelines (WCAG) 2.0
• Canadian Government Common Look and Feel

Privacy Compliance
• Gramm-Leach-Bliley Act (GLBA)
• California SB1386 and AB 1950
• European Union Safe Harbor
• US Section 208
• Privacy Act of the USA
• UK Data Protection Act
• Health Insurance Portability and Accountability Act (HIPAA)
• Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
• European Union Data Protection Directive 1995/46
• European Union Privacy and Electronic Communications Directive 2002/58

Others
• Records Management
• Sarbanes-Oxley (SOX)
• Operational Security (OPSEC)
• Export Control Requirements (ITAR)
• Brand and Site monitoring
• Bad or Broken Links
• Metadata Policy
• Improper words or phrases
• Identity mismanagement
• Marketing Standards

Metadata Policy
• Risk Level Tagging
• Dublin Core Metadata Initiative
• Z39.50 Tagging
• Custom Vocabularies
• Pointer Records

Operational Security

Section 508 Refresh

Gramm-Leach-Bliley

ITAR

Regulations have common elements

Information must be accessible and available to the people who should have access to it, and protected from the people who should not.

Further, this information may need to be stored, archived and preserved for some period of time.

Building a Compliance Policy

Transparency/Collaboration

Data Protection/Management

Texas Health Care Provider - Hidden Salaries

An Email Thread from my Mortgage Banker

From: Marc
Hi Todd,
Can you promise me that we can close on the house on July 15th? I have no mortgage contingency.
Thanks,
Marc

From: Todd
Marc,
That will not be a problem. We can absolutely close on July 15th.
Best,
Todd

Insurance Company, CT – FINRA 11-06 Compliance

© 2011 AvePoint, Inc. All rights reserved. No part of this may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.

Restricted Use for all employees

1000 Users Regulated by FINRA Excluded from SharePoint 2013

Dirty Word Lists

SharePoint 2013 Blogs, Wikis, MySites Social

Risk assessment: Don’t just focus on what you can see

Risk Awareness

Risk Ignorance

“Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!”

E.J. Smith, Captain of the Titanic

US City – Drug Offenders


In thinking of potential privacy breaches, how likely do you think the following risks are for your organization?

Source: HCCA, “Data Privacy: How Big a Compliance Challenge?”, January 2011

Pfc. Bradley Manning

Notable Government Breaches

Published a private list of city drug offenders and court judgments on their public website.

A laptop was stolen containing the personal information of 26 million veterans and active-duty troops. This was the largest of many breaches of VA electronic data.

Airstrike videos, war documents, and 250,000 diplomatic cables were downloaded by an Army soldier stationed in Iraq. The soldier was authorized to access the systems.

Creating and maintaining a compliant environment is a continuous process

Balancing transparency and collaboration with data protection and management

People / Policy and Process / Technology

Training / Governance and Oversight / Technical Enforcement

What is Compliance Guardian?

Scan
• Real-time or scheduled
• “Visible” and “invisible” content
• Text or element based
• Include/exclude filters

Report
• Alerts and role-based reporting
• Cross-farm, cross-version results roll-up
• Dashboard with drill-down
• Trend analysis and historical reports

Act
• Move
• Delete
• Quarantine
• Classify
• Secure with permissions

Demo


Compliance Guardian modular architecture

CG Content Scanner
• Crawls through content sources
• SharePoint sources
• File Shares, Web Sites, Yammer, etc.*

CG Compliance Engine
• Checks against defined conditions
• Uses the AvePoint Testing Language
• Checks content, elements, framework, context, etc.

CG Reporting Engine
• Compiles and presents scan results
• Role-specific dashboard views with summary and drill-down
• Trend reporting and historical analysis
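The scan / report / act cycle and the scanner, compliance-engine and reporting-engine split described in the two sections above, as an added example in Python. This is not AvePoint's code and does not show how Compliance Guardian is built; every document, test condition, risk weight and path filter is constructed for the example. It scans "visible" body text and "invisible" metadata properties against a small test suite, rolls the findings up per document, then classifies, redacts and quarantines. The Luhn checksum on card-number matches is a standard false-positive filter, not something the slides mention.

```python
"""Added example (not AvePoint code): a minimal scan / report / act loop over
constructed SharePoint-like documents."""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Condition:
    """One entry of a hypothetical test suite: a named pattern with a risk weight."""
    name: str
    pattern: re.Pattern
    risk: int
    validate: Optional[Callable[[str], bool]] = None  # extra check to cut false positives


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random 16-digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


DIRTY_WORDS = ["project bluebird", "salary"]  # constructed "dirty word list"

TEST_SUITE = [
    Condition("US SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 10),
    Condition("Payment card", re.compile(r"\b(?:\d[ -]?){15}\d\b"), 8,
              lambda m: luhn_ok(re.sub(r"\D", "", m))),
    Condition("Dirty word", re.compile("|".join(map(re.escape, DIRTY_WORDS)), re.I), 3),
]


@dataclass
class Document:
    path: str
    body: str                                        # "visible" content
    properties: dict = field(default_factory=dict)   # "invisible" content (metadata columns)


@dataclass
class Finding:
    path: str
    location: str      # "body" or "property:<name>"
    condition: str
    match: str
    risk: int


def scan(docs, suite, include=None, exclude=None):
    """Scanner + compliance engine: apply path filters, check every location against the suite."""
    findings = []
    for doc in docs:
        if include and not doc.path.startswith(include):
            continue
        if exclude and doc.path.startswith(exclude):
            continue  # excluded paths are never inspected, so they get no findings at all
        locations = [("body", doc.body)] + [(f"property:{k}", str(v)) for k, v in doc.properties.items()]
        for where, text in locations:
            for cond in suite:
                for m in cond.pattern.finditer(text):
                    if cond.validate and not cond.validate(m.group(0)):
                        continue  # e.g. failed Luhn check: looks like a card number but is not one
                    findings.append(Finding(doc.path, where, cond.name, m.group(0), cond.risk))
    return findings


def report(findings):
    """Reporting engine: roll findings up per document into a score and the conditions that fired."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f.path, {"risk": 0, "conditions": set()})
        entry["risk"] += f.risk
        entry["conditions"].add(f.condition)
    return summary


def act(doc, findings, quarantine_threshold=10):
    """Act step: classify by score, redact body matches, quarantine above the threshold."""
    mine = [f for f in findings if f.path == doc.path]
    score = sum(f.risk for f in mine)
    classification = "Restricted" if score >= quarantine_threshold else ("Internal" if score else "Public")
    redacted = doc.body
    for f in mine:
        if f.location == "body":
            redacted = redacted.replace(f.match, "[REDACTED]")
    return {"classification": classification, "quarantine": score >= quarantine_threshold, "body": redacted}


# Constructed sample content; paths and values are invented for the example.
SAMPLE_DOCS = [
    Document("/sites/hr/payroll.docx", "Salary review for employee SSN 123-45-6789", {"Author": "hr-admin"}),
    Document("/sites/finance/expenses.xlsx", "Card on file 4111 1111 1111 1111 (corp card)"),
    Document("/sites/marketing/launch.pptx", "Nothing sensitive here; number 1234 5678 9012 3456 is a fake",
             {"Notes": "Project Bluebird timeline"}),
    Document("/sites/archive/old.txt", "Old record, SSN 987-65-4321"),
]


def run_example():
    findings = scan(SAMPLE_DOCS, TEST_SUITE, exclude="/sites/archive")
    summary = report(findings)
    actions = {d.path: act(d, findings) for d in SAMPLE_DOCS}
    return findings, summary, actions


if __name__ == "__main__":
    _, summary, actions = run_example()
    for path, entry in summary.items():
        print(f"{path}: risk={entry['risk']} conditions={sorted(entry['conditions'])}")
    for path, a in actions.items():
        print(f"{path}: {a['classification']} quarantine={a['quarantine']}")
```

Two details are worth noticing when running it: the fake card number in the marketing deck is dropped by the Luhn check while the dirty word hidden in its Notes property is still caught, and the excluded archive path comes out as "Public" only because it was never scanned, which is exactly the kind of blind spot the "don't just focus on what you can see" slide warns about.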

Undertake Migration

Maintain Control

Surround Services – Best Practices Approach

Lifecycle phases (diagram): Assess, Design, Implement, Maintain, Analyze

Numbered steps (diagram labels, 1–7): Identify Non-Compliance; Prioritize; Diagram Security Boundaries; Architect in GovSec; Diagram New Security Boundaries; Architect in GovSec

Initial Engagement Process (diagram labels): Initial Meeting; Review Compliance Requirements; Set Scope for Initial Test; Initial Smoke Test; Review Results/Refine Rules with early project owners; Initial Baseline Scan; Results Analysis and Documentation; Recommended Mitigation; Results Presentation Meeting

Compliance Guardian roadmap at a glance…

Jan 2013 – v3 release
• Support for SharePoint 2007 and 2010 sources
• Pre-populated test suites for PII, PHI, Accessibility, Sensitive information
• Role-based management dashboard to monitor compliance status and trends
• Support for automated, user-assisted and verified manual classification and metadata tagging
• Real-time or scheduled content actions to reduce exposure and risk

Q2 2013 – v3 CU1
• Enhanced test suite editor for greater efficiency when creating/customizing test suites
• Allow scanning of previous versions
• 16 new pre-defined test suites mapped to common regulations and compliance initiatives
• 40+ new pre-defined test files for common violation types

Q3 2013 – v3 SP1
• Support for SharePoint 2013 sources
• Scan file systems for Compliance and Classification scans
• Scan non-SharePoint web servers for Compliance scans
• Enhanced risk calculation formulas and reports
• Enhanced Compliance report dashboard and detail reports
• Site quality and branding test suites including broken links, missing images, Mobile OK
• Support for automatic tagging of SharePoint Managed Metadata columns

Q4 2013 – Service Release
• Enhanced user preference settings for the Compliance Dashboard
• Enhanced site quality features with performance monitoring and metrics
• Redaction capability for violations within content
• “Heat Map” to prioritize risk based on location
• Enhanced reporting of automated actions taken by Compliance Guardian

Q1 2014 – Service Release
• User Path Analysis
• Encryption of test files to protect operational security test suites
• Enhanced auditing of actions taken within the Compliance Guardian console

Scan File System

Scan Websites

Redaction

Heatmaps

Encryption of Test Files

Additional Resources (Please Click Images or Visit www.AvePoint.com/resources)

Customer Success Stories

White Papers from AvePoint’s Own SharePoint Experts

The Compliance Reporting Dashboard…

Track progress and improvements over a period of time

Track trends across data sets and Content
