{"id":14029,"date":"2018-05-16T00:00:00","date_gmt":"2018-05-16T05:00:00","guid":{"rendered":"https:\/\/centricconsulting.com\/post\/asset-protection-series-security-policies-office-365_portal\/"},"modified":"2021-12-15T00:15:02","modified_gmt":"2021-12-15T05:15:02","slug":"asset-protection-series-security-policies-office-365_portal","status":"publish","type":"post","link":"https:\/\/centricconsulting.com\/blog\/asset-protection-series-security-policies-office-365_portal\/","title":{"rendered":"Asset Protection: Security Policies in Office 365"},"content":{"rendered":"<h2 style=\"text-align: center;\"><em>Let&#8217;s review the Office 365 security policies that you need and why they&#8217;re important.<\/em><\/h2>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-20300\" src=\"https:\/\/centricconsulting.com\/wp-content\/uploads\/2018\/07\/FB-Asset-Protection-Security-policy-2.jpg\" alt=\"security policies\" width=\"472\" height=\"247\" loading=\"lazy\" \/><\/p>\n<p><em>Part four of a\u00a0<a href=\"https:\/\/centricconsulting.com\/blog\/protect-your-assets-in-office-365-azure_portal\/\">series<\/a>.<\/em><\/p>\n<p class=\"intro-text\">Everyone knows they need policies, especially for security. Do you have policies? Are they up-to-date?<\/p>\n<p>Let\u2019s first make a distinction between the two types of policies we have to work with. There are policies in Office 365 and Azure such as Password, DLP, Label, Threat Management, Data Governance and Mobile Device Management. These are the policies you can create in your Office 365 and Azure tenants and they consist of settings that were likely decided upon in your security requirements meetings. These should be part of your baseline platform documentation already.<\/p>\n<p>But what I want to discuss in this article are the other policies that you\u2019ll need and why they\u2019re important. These are the policies in their documented form that have been decided upon and will not change without your governance board or boards\u2019 approval.<\/p>\n<p>Although we won\u2019t talk about it until the Operations and Monitoring blog, post 7 in this series, you can use Secure Score and <a href=\"https:\/\/portal.cloudappsecurity.com\">Cloud App Security<\/a> for a bit to assist in making decisions about which policies are most important and which ones might wait awhile.<\/p>\n<h2>Identity Policy<\/h2>\n<p>This type of policy covers items that protect your users, their personal information, and access to your systems.<\/p>\n<ul>\n<li>Passwords \u2013 It\u2019s likely that your password policies are managed on-premises and not in the cloud but make sure they\u2019re documented and up-to-date. <a href=\"https:\/\/pages.nist.gov\/800-63-3\/sp800-63b.html\">NIST<\/a> has new guidelines that may surprise you. Find them in the link above.<\/li>\n<li>Multi-Factor Authentication \u2013 I\u2019ll say it again and probably not for the last time \u2013 because of the new NIST guidelines, you will want to enforce this for all admins and all mobile\/= or off-network logins.<\/li>\n<li>Data Loss Prevention \u2013 Automatically label documents and emails containing social security numbers or credit cards and prevent them from being shared outside the organization.<\/li>\n<li>Mobile Devices \u2013 Use some type of device management to govern what devices can connect to your tenant, what apps they can use, and what users can do with those apps.<\/li>\n<li>Administration and support \u2013 Determine who will administer what portions of your tenant by using roles, and also when they will have access.<\/li>\n<li>Onboarding\/Offboarding \u2013 Be sure to document your process and make concessions for data handling when users leave, especially in a hybrid environment.<\/li>\n<\/ul>\n<h2>Information Policy<\/h2>\n<p>This type of policy governs the ingress and egress of your company\u2019s data.<\/p>\n<ul>\n<li>External Sharing \u2013 Document who can share, what can be shared, from where the sharing can take place and how to monitor sharing.<\/li>\n<li>Classification and Encryption \u2013 Use <a href=\"https:\/\/centricconsulting.com\/blog\/classifying-data-with-azure-information-protection_portal\/\">Azure Information Protection<\/a> to allow users to classify, automatically classify and encrypt information in your tenant.<\/li>\n<li>Retention \u2013 Manage the lifecycle of your data and determine when or if it can be deleted so you retain critical data.<\/li>\n<\/ul>\n<h2>Governance Policy<\/h2>\n<p>This type of policy will help you maintain control over the permissions your users have to use your systems.<\/p>\n<ul>\n<li>Exchange \u2013 Document what services are allowed, who can use them, and how to effectively monitor and adjust as needed.<\/li>\n<li>Skype for Business \u2013 Determine what your users can and cannot do and share during meetings, chats, whiteboards&#8230;<\/li>\n<li>Teams \u2013 Decide on a Group and Team creation strategy, as well as retention plans, external application use, and external sharing.<\/li>\n<li>SharePoint \u2013 Determine strategies for storage management and usage, site creation and lifecycle management, and sharing.<\/li>\n<li>OneDrive for Business \u2013 Decide on quotas and sharing strategy.<\/li>\n<li>Yammer \u2013 Determine how you want to use Yammer, and how sharing and group creation will take place.<\/li>\n<li>Flow, PowerApps, PowerBI, Dynamics, Flow, Planner, Sway, Forms\u2026 \u2013 These are apps that don\u2019t have the traditional Office 365 Admin Center. But don\u2019t let down your guard. They still have access, usage and sharing policies you need to govern.<\/li>\n<li>Office 365 Groups \u2013 You\u2019ll need a naming strategy and retention policy, ownership and membership policy and external sharing plan. Remember that these are the underlying organizational units for Teams, Planner, PowerBI&#8230;<\/li>\n<\/ul>\n<h2>Final Thoughts<\/h2>\n<p>In many cases, you\u2019ll find that your existing policies will work fine and will only need to be tweaked a little. Many of these applications and processes, however, won\u2019t have well-defined policies in place and you will need to document and manage them.<\/p>\n<p>This will be especially important in your operations management and organizational change management. There are many decisions you need to make during your transition so be sure that you have a partner to help.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Let&#8217;s review the Office 365 security policies that you need and why they&#8217;re important. This is the latest in our series on asset protection.<\/p>\n","protected":false},"author":147,"featured_media":21738,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","footnotes":""},"categories":[1],"tags":[18559,19110],"coauthors":[],"acf":[],"publishpress_future_action":{"enabled":false,"date":"2024-07-31 17:05:28","action":"change-status","newStatus":"draft","terms":[],"taxonomy":"category"},"_links":{"self":[{"href":"https:\/\/centricconsulting.com\/wp-json\/wp\/v2\/posts\/14029"}],"collection":[{"href":"https:\/\/centricconsulting.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/centricconsulting.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/centricconsulting.com\/wp-json\/wp\/v2\/users\/147"}],"replies":[{"embeddable":true,"href":"https:\/\/centricconsulting.com\/wp-json\/wp\/v2\/comments?post=14029"}],"version-history":[{"count":0,"href":"https:\/\/centricconsulting.com\/wp-json\/wp\/v2\/posts\/14029\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/centricconsulting.com\/wp-json\/wp\/v2\/media\/21738"}],"wp:attachment":[{"href":"https:\/\/centricconsulting.com\/wp-json\/wp\/v2\/media?parent=14029"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/centricconsulting.com\/wp-json\/wp\/v2\/categories?post=14029"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/centricconsulting.com\/wp-json\/wp\/v2\/tags?post=14029"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/centricconsulting.com\/wp-json\/wp\/v2\/coauthors?post=14029"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}