subpoenas regulations and law internal policy


Upload: mohamed-hosking

Post on 31-Mar-2015


TRANSCRIPT

Page 1: Subpoenas Regulations and Law Internal Policy

Page 2

Managing Risk: How Auditing can help you be “In The Know”

EDC305

Sara Manning Dawson, Lead Program Manager - EDiscovery and Auditing, Microsoft Corporation

Page 3

Am I in the right session?

You may not need this session if any of the following apply:

• Every member of my organization is perfect. They know exactly what to do all the time, and do it.
• The country I live in has no laws. Neither does the state, province, county, or municipality.
• No one in my organization communicates with anyone, ever.
• ..

Page 4

Agenda

• Why does being “In The Know” matter?
• How can we help?
• Today’s solutions
• What we’re building to make it easier

Page 5

Why does being “In the Know” matter?

Page 6

Why Auditing? I can determine that my organization is doing the right thing with its information and technology.

“Help me respond to this lawsuit”
• 90% of U.S. corporations are currently engaged in litigation
• Average number of active lawsuits for $1B+ companies: 147
• $1M average per-case cost to find and cull evidence

“I’m regulated. Help me know and show we are doing the right thing”
• Regulated? No: 28%, Yes: 72% (chart)
• Size of regulated orgs: <50, 50-1000, >1000 (chart shows 10%, 28%, 62%)
• PII: HIPAA, PCI DSS, Gramm-Leach-Bliley
• Also ITAR, NASD, UK FSA, ABI, ISO9001, Sarbanes Oxley, Magdelina, FINRA, SEC, DODD FRANK

“Help me enforce internal policies”
• Standards of Business Conduct, Confidentiality, Financial Integrity, Anti-Corruption…

The three drivers: Subpoenas; Regulations and Law; Internal Policy

Page 7

Regulations, Law and Policy… Oh My!
(Table columns: Who It Applies To | In a Nutshell | More detail | What, and where software can help)

Sarbanes-Oxley
• Who: publicly traded companies
• In a nutshell: “Don’t play games with your financial reporting”
• More detail: CXOs are responsible; your favorite consultant and best friend can’t be your auditor; analysts shouldn’t talk to investment bankers
• Software: Sarbanes-Oxley 302, 404: disclose and assess internal controls; 401: disclose off-balance-sheet items
• Footnote: for 168 companies with average revenues of $4.7 billion, the average compliance costs were $1.7 million (0.036% of revenue)

PII
• Who: many countries, including USA, Australia, Canada, EU
• In a nutshell: “Don’t disclose enough info to be able to identify a person”
• More detail: if you can figure out who it is with the information disclosed, even if it’s vague, it was TMI
• Definition (NIST, Dept. of Commerce): “Any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” Privacy Act of 1974, California OPP Act of 2003
• Footnote: states have ruled that even zip codes fall into this category: California in 2011, Massachusetts in 2013

Children’s Online Privacy Protection Act (COPPA)
• Who: websites and online services
• In a nutshell: “Be careful what you do, website, with stuff typed in by children under 13”
• More detail: post a privacy policy for children; protect the information and get rid of it when it no longer applies; do your best to provide parents notice and a chance to review
• Not CIPA: K-12 schools and libraries need to protect against harmful online content
• Footnote: the Supreme Court ruled that non-profits operated for the benefit of their members’ commercial activities are subject to FTC regulation and consequently also COPPA

HIPAA
• Who: organizations who handle personal health information
• In a nutshell: “Don’t share someone’s health info”
• More detail: patients own their health data; it can be released without patients’ consent in a limited and well-defined set of circumstances
• Penalties: didn’t know? $100-$25K; reasonable cause? $1K-$100K; willful neglect, corrected within 30 days? $10K-$250K; willful neglect, not corrected? $50K-$1.5 million

Internal policy
• Who: the company I work for
• In a nutshell: “Don’t give away valuable intellectual property”
• More detail: don’t share this new product code word with anyone; all docs for the new awesome device we’re building can only be stored here
• Software: employer confidentiality agreements; Data Loss Prevention rules before the fact; EDiscovery + Auditing after the fact

Page 8

How can we help?

Page 9

How can we help? Regulatory, Legal, and Internal Compliance

1. Put Controls in Place
• Archive and Hold: keep what you need
• Deletion Policies: get rid of what you need to get rid of
• DLP and Encryption: control, and help the user control, sensitive content

2. Show Compliance, Investigate a User
• EDiscovery: search for important content
• Auditing: show that people did the right thing, or didn’t

Page 10

How can Auditing Help? I can determine that my organization is doing the right thing with its information and technology.

Drivers: Internal Policies, Regulations and Law, Subpoenas

I need to:                I do this via:
Demonstrate compliance    Reporting, sampling (longer term, well-defined data)
  “I followed the Legal Discovery process”
  “Only doctors viewed this HIPAA doc”
  “All PPTs marked ‘Microsoft Confidential’ were viewed only by FTEs”
Investigate a user        Search (shorter term, less well-defined)
  Financial Policy Violation, Confidentiality Breach
  Insider Trading
  Sensitive Data Loss to public
  Wrongful Termination

Whose activity is audited: Users, DC Operators, IT Admins, Compliance Officers

Page 11

How can we help? O365 makes it easy

Supporting Customer Compliance
• HIPAA Business Associate Agreement (HIPAA BAA)
• FISMA authority to operate (ATO) from a federal agency
• FERPA use and disclosure restrictions related to student data
• EU model clause addressing international transfers of data
• CJIS Security Policy 5.2 requirements met for CA and TX law enforcement
• DPA (Data Processing Agreement) to address the privacy, security, and handling of customer data

O365 Accreditations
• ISO 27001: first major business productivity public cloud service to have implemented ISO 27001 management controls
• SAS 70 Type I and Type II attestation

Transparency and Government Snooping
• Protecting against government snooping: http://blogs.technet.com/b/microsoft_blog/archive/2013/12/04/protecting-customer-data-from-government-snooping.aspx
• Transparency advocacy: https://www.reformgovernmentsurveillance.com/
• DC Ops Auditing
• Numbers of government requests for data: http://blogs.technet.com/b/microsoft_on_the_issues/archive/2014/02/03/providing-additional-transparency-on-us-government-requests-for-customer-data.aspx
• Law enforcement requests report: http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/

“We are committed to notifying business and government customers if we receive legal orders related to their data. Where a gag order attempts to prohibit us from doing this, we challenge it in court.”

http://office.microsoft.com/en-us/business/office-365-security-and-privacy-verified-by-a-third-party-FX103089231.aspx

Page 12

How can we help? Regulation Templates
(Table columns: Country | PII | Financial | Health)

US
• PII: US State Security Breach Laws, US State Social Security Laws, COPPA
• Financial: GLBA & PCI-DSS (Credit, Debit Card, Checking and Savings, ABA, Swift Code)

Germany
• PII: EU data protection, Drivers License, Passport, National Id
• Financial: EU Credit, Debit Card, IBAN, VAT, BIC, Swift Code

UK
• PII: Data Protection Act, UK National Insurance, Tax Id, UK Driver License, Passport
• Financial: EU Credit, Debit Card, IBAN, BIC, VAT, Swift Code

Canada
• PII: PIPEDA, Social Insurance, Drivers License
• Financial: Credit Card, Swift Code

France
• PII: EU data protection, Data Protection Act, National Id (INSEE), Drivers License, Passport
• Financial: EU Credit, Debit Card, IBAN, BIC, VAT, Swift Code

Japan
• PII: PIPA, Resident Registration, Social Insurance, Passport, Driving License
• Financial: Credit Card, Bank Account, Swift Code

Australia
• PII: Drivers License, Passport, Social Insurance
• Financial: Credit Card, Bank Account, Swift Code

Health (all countries): limited investment: US HIPAA, UK Health Service, Canada Health Insurance card; rely on partners and ISVs

• Predefined rules targeted at sensitive data types
• Advanced content detection
• Combination of regular expressions, dictionaries, and internal functions (e.g. validate checksum on credit card numbers)
• Extensibility for customer- and ISV-defined data types

See also EDC.UN.301-R: DLP Unplugged
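The last three bullets describe the detection method: a regular expression proposes a candidate, an internal function such as a checksum confirms it, and a dictionary of nearby terms raises confidence. The Python below is an added illustration of that combination; it is not Office 365 DLP code or one of its rule packs. The patterns, the keyword lists, the 40-character context window and the sample text are assumptions made up for the example. It uses the Luhn check for card numbers and the ISO 13616 mod-97 check for IBANs, and drops any candidate that fails its checksum, which is what keeps a 16-digit reference number from being reported as a card.

```python
"""Sensitive-data classifier in the style of a DLP rule: a regex candidate is
confirmed by a checksum ("internal function") and ranked by nearby dictionary
terms. Hypothetical example; not Office 365 code."""
import re
from dataclasses import dataclass

# Candidate patterns (assumed for the example; real rule packs are more specific).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b")

# Dictionary terms that raise confidence when they appear near a candidate.
CARD_WORDS = {"card", "visa", "mastercard", "amex", "cc", "pan"}
IBAN_WORDS = {"iban", "account", "bank", "swift", "bic"}
WINDOW = 40  # characters of context examined on each side of a match

# Constructed sample text. The first number is the well-known Visa test PAN, the
# second fails Luhn, the IBAN is the UK example IBAN, the last is a Luhn-valid
# 16-digit string with no card context.
SAMPLE_TEXT = """\
Order receipt: Visa card 4111 1111 1111 1111 exp 12/26, ship to Contoso Ltd.
Ticket 2024-0031: customer reference 4111111111111112 (internal, not a card).
Supplier IBAN GB82 WEST 1234 5698 7654 32 for the invoice.
Hash fragment 1234567812345670 in build log.
"""


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move country code and check digits to the end,
    map letters A..Z to 10..35, and the resulting integer must be 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(numeric) % 97 == 1


@dataclass
class Finding:
    kind: str
    value: str
    confidence: str  # "high" = checksum + nearby keyword, "low" = checksum only
    line: int


def _keywords_near(text: str, start: int, end: int, words: set) -> bool:
    context = text[max(0, start - WINDOW):end + WINDOW].lower()
    return any(re.search(r"\b" + re.escape(w) + r"\b", context) for w in words)


def scan(text: str) -> list:
    """Return confirmed findings. Candidates failing their checksum are dropped
    as false positives; a card-looking digit run inside an IBAN is attributed
    to the IBAN rule (checked first) instead of being reported twice."""
    findings, taken = [], []  # taken = spans already claimed by an earlier rule
    rules = [
        ("IBAN", IBAN_RE, iban_ok, IBAN_WORDS),
        ("CreditCard", CARD_RE, luhn_ok, CARD_WORDS),
    ]
    for kind, pattern, checksum, words in rules:
        for m in pattern.finditer(text):
            if any(m.start() < e and m.end() > s for s, e in taken):
                continue
            if not checksum(m.group()):
                continue
            taken.append((m.start(), m.end()))
            line = text.count("\n", 0, m.start()) + 1
            conf = "high" if _keywords_near(text, m.start(), m.end(), words) else "low"
            findings.append(Finding(kind, m.group(), conf, line))
    findings.sort(key=lambda f: f.line)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TEXT):
        print(f"line {f.line}: {f.kind} {f.confidence}: {f.value}")
```

On the constructed sample this reports the Visa number and the IBAN as high confidence, the hash fragment (which happens to pass Luhn but has no card vocabulary around it) as low confidence, and nothing for the reference number whose checksum fails. The span check matters in practice: the digit groups inside an IBAN also satisfy the card regex, and without it one run of bytes can be reported under two data types.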

Page 13

How can we help? In-Place Advantage

Why compliance: subpoenas; laws and regulations; internal policy
Today’s challenges: duplicate storage; add-ons for users; complex experience
The asks: lower the cost; one experience; easier to manage

Content lifecycle: Create, Collaborate, Store, Dispose
Compliance across the lifecycle: Archive, Encrypt, Audit, DLP, Preserve, Delete, Discover

Data volumes have increased… so risk has increased

Page 14

Today’s Solutions

Page 15

What we offer

Exchange (EX)
• Default retention: 3 months
• Admin activity: all cmdlet activity; DC Admin distinction
• Mailbox activity: Copy, Create, Move, Delete, Select a Folder/Message, SendAs, Update (O365 is delegate-only)

SharePoint (SP)
• Default retention: 1 month
• Site collection activity: Create/Delete Group, Add/Remove member, Create/Update/Remove role, Perms/Inheritance Change, Audit Change
• Item activity: Check-In/Out, Edit, View, Move, Delete, Copy, Update, Property Update, Restore, Access, Audit Change, Find (O365 does not include View)

Page 16

Walkthrough: Exchange Auditing

Page 17

Improvements
• Scale
• O365: DC Ops Activity Reporting
• O365: Noise Reduction

Page 18

EDiscovery as part of your compliance solution: Today… …Future

Page 19

What we’re building to make it easier

Page 20

Features

Exchange (EX)
• Default retention: 3 months
• Admin activity: all cmdlet activity; DC Admin distinction
• Mailbox activity: Copy, Create, Select a Folder/Message, Move, Delete, SendAs, Update (O365 is delegate-only)

SharePoint (SP)
• Default retention: 1 month
• Site collection activity: Create/Delete Group, Add/Remove member, Create/Update/Remove role, Perms/Inheritance Change, Audit Change
• Item activity: Check-In/Out, Schema Change, Move, Delete, Copy, Update, Property Update, Restore, Access, Audit Change, Find (O365 does not include View)

Roadmap
• Calendar and delegate changes
• SP Tenant Admin and O365 AD activity
• OneDrive for Business auditing
• SharePoint sharing
• User- and item-pivoted reporting
• Report when content became sensitive
• Simple, unified configuration
• Unified reporting
• Years and years of storage

Our Vision
1. The events that matter: to your regulators, to your compliance officers, to judges
2. One simple config to turn on auditing
3. One reporting console across workloads
4. One storage location for easy pivots by user or item

Page 21

Sneak Peek: Unified Auditing

Page 22

Simple Config

Page 23

Architecture Components (diagram)

Workload (Exchange)
• Backend 1 … Backend N, each with Exchange Auditing Hooks, a Local Queue and Uploader (per BE server), a Policy DAL and a Policy Sync Service
• Arbitration Mailbox (per-tenant policy store); Policy cmdlet
• FFO/EOP UCC – Auditing console: Policy Store, Policy Web Service

Workload (SharePoint)
• SP Content Front End nodes (Content FE); Content BE; SQL
• Policy Store (per-tenant policy store); Local Queue and Uploader (per BE server); Policy Sync Service

Audit Storage (EXO)
• Audit Upload Web Service
• Audit Long Term Storage (long-term storage)
• Reporting Web Service; Reporting cmdlets; Reporting UX, surfaced in the FFO/EOP UCC – Auditing console

• Reports, while you wait: 1 hour freshness, 15 second wait
• Anything manual, including bulk events, is shown as individual events
• System events are captured by the cmdlet that enabled them

Page 24

Craveworthy Reporting: Contoso Site Activity (mock report; graph, table and details views; “Filter the graph by” events (207); 2 weeks; date range 5/10/2013 to 5/23/2013 (UTC); 44 events shown)

ACTION    TARGET                               TIME             PERSON          DETAILS
Viewed    Visa Application (Turkey) Gene W…    2/24/2014 4:28   Cem Aykan       IP Address: 54.33.191.12
Modified  Visa Application (Turkey) Gene W…    2/24/2014 6:21   Cem Aykan       Saved from Word Web Viewer
Modified  Visa Application (Turkey) Gene W…    2/25/2014 7:17   Olaf Hubel      Saved from Word Web Viewer
Viewed    OFFER FORM.docx                      2/25/2013 14:14  Julia White     IP Address: 101.12.19.233
Viewed    OFFER FORM.docx                      2/25/2013 22:44  Julia White     IP Address: 101.12.19.233
Viewed    Visa Application (Turkey) Gene W…    2/26/2013 13:40  Olaf Hubel      IP Address: 54.33.191.11
Viewed    Visa Application (Turkey) Walter T…  2/26/2013 23:27  Cem Aykan       IP Address: 54.33.191.12
Viewed    Visa Application (Turkey) Walter T…  2/27/2013 3:15   Cem Aykan       IP Address: 54.33.191.12
Modified  Visa Application (Turkey) Walter T…  2/28/2013 9:57   Cem Aykan       Saved from Word Web Viewer
Shared    PricingInfo-November2014.xlsx        2/28/2013 16:35  Michal Gideoni  Shared with [email protected]
Shared    PricingInfo-November2014.xlsx        2/28/2013 21:36  Michal Gideoni  Shared with [email protected]
Modified  PricingInfo-November2014.xlsx        3/1/2013 1:00    Michal Gideoni  Saved from Word desktop
Deleted   PaulsDocumentAppendix.docx           3/1/2013 3:07    Paul Andrew     IP Address: 101.12.19.200
Modified  PaulsDocumentAppendix.docx           3/1/2013 20:16   Paul Andrew     Saved from PowerPoint Web
Deleted   DocumentAppendix.docx                3/2/2013 8:41    Julia White     IP Address: 101.12.19.1
Viewed    DocumentAppendix.docx                3/2/2013 13:20   Julia White     IP Address: 55.66.123.101
Viewed    DocumentAppendix.docx                3/2/2013 19:06   Julia White     IP Address: 101.12.19.1

(Graph: daily event counts, Fri 5/10 through Thu 5/23, y-axis 0 to 50; values not recoverable from the transcript.)
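Page 10 frames auditing as two tasks, demonstrating compliance (“Only doctors viewed this HIPAA doc”) and investigating a user, and this report shows the record shape those tasks run over. The Python below is an added example of both tasks, not Office 365 code. The rows are constructed (they borrow names and file titles from the mock screenshot, with fictitious e-mail domains), the CSV layout is an assumption, and the rule that only an HR group may touch visa-application files is a hypothetical policy chosen for the example.

```python
"""Policy checks over constructed audit records with the report's five
columns (ACTION, TARGET, TIME, PERSON, DETAILS). Hypothetical example; not
Office 365 code, and every row below is made up."""
import csv
import io
import re
from collections import Counter
from datetime import datetime

# Constructed sample report. Names and file titles echo the slide's mock
# screenshot; the e-mail domains are fictitious.
SAMPLE_REPORT = """\
ACTION,TARGET,TIME,PERSON,DETAILS
Viewed,Visa Application (Turkey) Gene W.docx,2014-02-24T04:28Z,Cem Aykan,IP Address: 54.33.191.12
Modified,Visa Application (Turkey) Gene W.docx,2014-02-24T06:21Z,Cem Aykan,Saved from Word Web Viewer
Modified,Visa Application (Turkey) Gene W.docx,2014-02-25T07:17Z,Olaf Hubel,Saved from Word Web Viewer
Viewed,OFFER FORM.docx,2014-02-25T14:14Z,Julia White,IP Address: 101.12.19.233
Viewed,Visa Application (Turkey) Walter T.docx,2014-02-26T23:27Z,Julia White,IP Address: 54.33.191.12
Shared,PricingInfo-November2014.xlsx,2014-02-28T16:35Z,Michal Gideoni,Shared with partner@fabrikam.example
Shared,PricingInfo-November2014.xlsx,2014-02-28T21:36Z,Michal Gideoni,Shared with alice@contoso.example
Deleted,PaulsDocumentAppendix.docx,2014-03-01T03:07Z,Paul Andrew,IP Address: 101.12.19.200
Viewed,DocumentAppendix.docx,2014-03-02T13:20Z,Julia White,IP Address: 55.66.123.101
"""


def parse(report: str) -> list:
    """Parse the CSV report into dicts, converting TIME to a datetime."""
    rows = list(csv.DictReader(io.StringIO(report)))
    for r in rows:
        r["TIME"] = datetime.strptime(r["TIME"], "%Y-%m-%dT%H:%MZ")
    return rows


def access_violations(rows, target_pattern: str, allowed: set) -> list:
    """Demonstrate compliance: every event on items matching the pattern must
    come from the allowed group (the "only doctors viewed this HIPAA doc"
    shape of check). Returns (action, target, person) for each exception."""
    pat = re.compile(target_pattern)
    return [(r["ACTION"], r["TARGET"], r["PERSON"])
            for r in rows if pat.search(r["TARGET"]) and r["PERSON"] not in allowed]


def external_shares(rows, internal_domain: str) -> list:
    """Investigate: sharing events whose recipient is outside the tenant."""
    out = []
    for r in rows:
        m = re.match(r"Shared with (\S+@(\S+))", r["DETAILS"])
        if r["ACTION"] == "Shared" and m and m.group(2).lower() != internal_domain:
            out.append((r["PERSON"], r["TARGET"], m.group(1)))
    return out


def pivot(rows, key: str) -> Counter:
    """Pivot the report by user (PERSON) or by item (TARGET)."""
    return Counter(r[key] for r in rows)


def activity_for(rows, person: str) -> list:
    """Timeline for one user, oldest first, for an investigation."""
    return sorted((r["TIME"], r["ACTION"], r["TARGET"]) for r in rows if r["PERSON"] == person)


if __name__ == "__main__":
    rows = parse(SAMPLE_REPORT)
    hr_team = {"Cem Aykan", "Olaf Hubel"}  # hypothetical allowed group
    print("policy exceptions:", access_violations(rows, r"^Visa Application", hr_team))
    print("external shares:", external_shares(rows, "contoso.example"))
    print("events per user:", pivot(rows, "PERSON"))
    print("events per item:", pivot(rows, "TARGET"))
    for when, action, target in activity_for(rows, "Julia White"):
        print(when.isoformat(), action, target)
```

The compliance check is deliberately written over the whole record set rather than a sample: a report pivoted by item tells you every person who touched the file, and the exception list is empty only when the policy held for the entire retention window. The share check is the kind of search a confidentiality-breach investigation starts from, and the per-user timeline is what a reviewer reads next.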

Page 25

Why does being “In The Know” matter? Audit records help to
1. demonstrate compliance with Regulations/Laws
2. demonstrate compliance with Internal Policies
3. respond to ________________

How can we help? O365 has taken specific steps to help orgs comply with what regulations?

Today’s Solutions / What we’re building to make it easy: in our Unified Auditing simple config, what type of auditing is “always on”?

Did I come to the right session?

Page 26

Q&A

Please fill out evals - Thanks!

Page 27

Page 28

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.