Describe insider risk, eDiscovery, and audit capabilities in Microsoft Purview Flashcards
Insider Risk Management
Microsoft Purview Insider Risk Management is a solution that helps minimize internal risks by enabling an organization to detect, investigate, and act on risky and malicious activities.
Insider risk management is centered around the following principles:
- Transparency: Balance user privacy versus organization risk with privacy-by-design architecture.
- Configurable: Configurable policies based on industry, geographical, and business groups.
- Integrated: Integrated workflow across Microsoft Purview solutions.
- Actionable: Provides insights to enable user notifications, data investigations, and user investigations.
Identifying and resolving internal risk activities and compliance issues with insider risk management in Microsoft Purview is achieved using the following workflow:
- Policies - Insider risk management policies are created using predefined templates and policy conditions that define what risk indicators are examined in Microsoft 365 feature areas.
- Alerts - Are automatically generated by risk indicators that match policy conditions and are displayed in the Alerts dashboard.
- Triage - New activities that need investigation automatically generate alerts that are assigned a Needs review status.
- Investigate - Cases are created for alerts that require deeper review and investigation of the details and circumstances around the policy match. The Case dashboard provides an all-up view of all active cases. The primary investigation tools in this area are: User activity, Content explorer and Case Notes.
- Action - After cases are investigated, reviewers can quickly act to resolve the case or collaborate with other risk stakeholders in the organization.
Insider risk management can help you detect, investigate, and take action to mitigate internal risks in your organization in several common scenarios.
Communication Compliance
Microsoft Purview Communication Compliance is an insider risk solution that helps you detect, capture, and act on inappropriate messages that can lead to potential data security or compliance incidents within your organization.
- With role-based access controls, human investigators can take remediation actions such as removing a message from Teams or notifying senders of potentially inappropriate conduct.
Identifying and resolving compliance issues with communication compliance in Microsoft Purview uses the following workflow:
- Configure – admins identify compliance requirements and configure applicable communication compliance policies.
- Investigate – admins look deeper into the issues detected when messages match your communication compliance policies.
- Remediate – remediate the communication compliance issues that were found.
- Monitor – keep track of and manage compliance issues identified by communication compliance policies.
Communication compliance enables reviewers to investigate scanned email and messages across Microsoft Teams, Exchange Online, Viva Engage, and third-party communications.
Some important compliance areas where communication compliance policies can assist with reviewing messages include:
- Corporate policies - Communication compliance can help admins scan user communications across the organization for potential concerns such as offensive language or harassment.
- Risk management - Communication compliance can help admins scan for unauthorized communication about projects that are considered confidential.
- Regulatory compliance - Communication compliance enables the organization to scan for and report on regulated types of communication (for example, insider trading, money laundering, or bribery) in a way that meets its requirements.
eDiscovery solutions in Microsoft Purview
Electronic discovery (eDiscovery) is the process of identifying and delivering electronic information that can be used as evidence in legal cases. You can use eDiscovery cases to identify, hold, and export content found in mailboxes and sites.
Microsoft Purview provides three eDiscovery solutions:
- Content Search: Search for content, keyword queries and search conditions, export search results, role-based permissions.
- eDiscovery (Standard): Search and export, case management, legal hold.
- eDiscovery (Premium): Custodian management, legal hold notifications, advanced indexing, review set filtering, tagging, analytics, predictive coding models, and more.
To access any of the eDiscovery-related tools, a user must be assigned the appropriate permissions. Specifically, a user must be added as a member of the eDiscovery Manager role group in the Microsoft Purview compliance portal.
Audit Solutions in Microsoft Purview
Auditing solutions in Microsoft Purview help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations.
Microsoft Purview provides two auditing solutions:
- Audit (Standard): Log and search for audited activities: enabled by default, thousands of searchable audit events, 90-day default retention period, accessed by GUI, cmdlet, and API.
- Audit (Premium): Builds on the capabilities of Audit (Standard) with: 1-year default retention period, customized retention policies, intelligent insights, higher-bandwidth access to the API.
It can take anywhere from 30 minutes to 24 hours after an event occurs for the corresponding audit log record to be returned in the results of an audit log search.
Admins and members of investigation teams must be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the audit log.