Microsoft Purview- Paint By Numbers Series (Part 9a) – Compliance Manager – Overview

This post has been republished via RSS; it originally appeared at: Healthcare and Life Sciences Blog articles.


 

Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate them at the following link:

Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

 

 

Disclaimer

This document is not meant to replace any official documentation, including those found at docs.microsoft.com.  Those documents are continually updated and maintained by Microsoft Corporation.  If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed.  Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.

 

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment.  Testing should never be performed against production data.

 

Target Audience

The Information Protection section of this blog series is aimed at Security and Compliance officers who need to properly label data and encrypt it where needed.

 

Document Scope

This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through.

This document is a basic overview of Compliance Manager.  For more specific information, it is recommended that you access the official documentation on docs.microsoft.com.  You can find many of these links in the Appendix and Links section below.

 

Out-of-Scope

This document does not cover any other aspect of Microsoft E5 Purview, including:

  • Data Classification
  • Information Protection
  • Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
  • Data Lifecycle Management (retention and disposal)
  • Records Management (retention and disposal)
  • eDiscovery
  • Insider Risk Management (IRM)
  • Priva
  • Advanced Audit
  • Microsoft Cloud App Security (MCAS)
  • Information Barriers
  • Communications Compliance
  • Licensing

It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).

 

For details on licensing (i.e., which components and functions of Purview are in E3 vs. E5), you will need to contact your Microsoft Security Specialist, Account Manager, or certified partner.

 

 

Overview of Document

This document will give a brief explanation of Compliance Manager and walk you through the basic tabs and aspects of the tool.  Those tabs include:

  • Compliance Manager Settings
  • Overview (tab)
  • Improvement Actions
  • Solutions
  • Assessments
  • Assessment Templates
  • Alerts
  • Alert Policies

 

Use Case

None – This document is an overview of Compliance Manager.

 

Definitions

  • Actions – the things that need to be done to mark a Control as completed and
  • Assessments – these help you implement data protection controls specified by compliance, security, privacy, and data protection standards, regulations, and laws. Assessments include actions that have been taken by Microsoft to protect your data, and they're completed when you take action to implement the controls included in the assessment.
  • Assessment Templates – these templates track compliance with over 300 industry and government regulations around the world.
  • Compliance Score - Compliance Manager awards you points for completing improvement actions taken to comply with a regulation, standard, or policy, and combines those points into an overall compliance score. Each action has a different impact on your score depending on the potential risks involved. Your compliance score can help prioritize which action to focus on to improve your overall compliance posture.  You receive an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance.
  • Controls – the various requirements in your tenant that must be met to meet a part of an assessment
  • Control Family – a grouping of Controls
  • Microsoft Actions – These are actions that Microsoft has performed inside of your tenant to help it meet a specific assessment.
  • Progress – each assessment has a progress chart to help you visualize the progress you are making to meet the requirements of the assessment
  • Your Improvement Actions – These are actions that you and your organization must perform to meet a specific assessment.

 

 

Notes

 None

 

 

Pre-requisites

None

 

What is Compliance Manager?

Here is the official answer as listed in docs.microsoft.com.

 

“Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal that helps you manage your organization’s compliance requirements with greater ease and convenience. Compliance Manager can help you throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.”

 

Compliance Score

Here is the official definition as found in docs.microsoft.com.  The URL can be found in the Appendix and Links section below.

 

“Compliance Manager awards you points for completing improvement actions taken to comply with a regulation, standard, or policy, and combines those points into an overall compliance score. Each action has a different impact on your score depending on the potential risks involved. Your compliance score can help prioritize which action to focus on to improve your overall compliance posture. 

 

Compliance Manager gives you an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance.”

 

Compliance Manager Settings

Here are the 2 items covered in the settings:

  • Testing Score – This allows you to turn ON/OFF your assessment testing.
  • Manage User History – This allows you to manage individual users.

 


Overview (tab)

 

This tab is broken into 3 sections (top, middle, bottom).

 

  • Top section – This provides your Compliance Score and lists the most important “Key” Improvement Actions needed to meet your regulations/certifications.

 


 

 

  • Middle section – This section only lists the top Key Improvements you need to perform in your tenant to meet your regulations/certifications.

 


 

 

 

  • Bottom section – This breaks down your Compliance Score based on Microsoft subgroups of functionality.

 


 

 

Improvement Actions (tab)

This tab shows all the improvement actions you can take to help meet your regulations/certifications.

 


 

 

 

Solutions (tab)

Here you can find all of the Microsoft solutions that relate to your overall Compliance Score.  You can also see how much of each of these has been completed to meet your regulation/certification needs.

 


 

 

Assessments (tab)

This tab shows all the assessments you are actively running.

 

 


 

 

 

 

 

Assessment Templates (tab)

Here you can find a list of all the assessments that can be found in Compliance Manager.  You can also create your own templates if you wish.

 

 


 

 

                                                              

 

Alerts (tab)

Alerts are used to monitor activity and actions in your tenant that might affect your Compliance Score.

Here is a list of alert types that can be seen in the Alerts tab. This list is taken from the official documentation, which can be found in the Appendix and Links section below.

  • Score change – an increase or decrease in points awarded for an improvement action due to configuration changes made by someone in your organization. For example, if your organization creates an insider risk management policy, that could increase your points for a certain action by a certain amount.
  • Assignment change – an improvement action has been assigned to a user, re-assigned to a different user, or un-assigned from a user.
  • Implementation status change – a user has changed an improvement action's implementation status.
  • Test status change – a user has changed the testing status of an improvement action.
  • Evidence change – a user has uploaded or deleted an evidence document in the Documents tab of the improvement action.

 

 


 

 

 

 

Note – Alert Policies must be created before you can start to receive Alerts

 

Alert Policies (tab)

 

Alert Policies must be created before you can start to receive alerts in the Alerts tab

 

 


 

 

Appendix and Links

Microsoft Purview Compliance Manager - Microsoft Purview (compliance) | Microsoft Docs

 

Working with improvement actions in Microsoft Purview Compliance Manager - Microsoft Purview (compliance) | Microsoft Docs

 

Build and manage assessments in Microsoft Purview Compliance Manager - Microsoft Purview (compliance) | Microsoft Docs

 

About the Microsoft Purview Compliance Manager premium assessment trial - Microsoft Purview (compliance) | Microsoft Docs

 

Microsoft Purview Compliance Manager alerts and alert policies - Microsoft Purview (compliance) | Microsoft Docs

 

Get started with Microsoft Purview Compliance Manager - Microsoft Purview (compliance) | Microsoft Docs

 

 

Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such.  Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.

 

 

 
