Compliance, Insync Tech Talk, IT Security, Microsoft 365 | 2020/07/15 at 3:15pm

Failure to comply will result in… a lower score and a lot of alerts

Former US Deputy Attorney General Paul McNulty once said, “if you think compliance is expensive, try non-compliance”. For many, the subject of compliance can cause headaches. Yet there are business tools available that can ease the burden of workplace compliance and it’s quite likely you have access to them.

Microsoft has offered various scoring functions for some time and is currently developing and consolidating them. Its scoring systems include the Windows Score for Security, Azure Active Directory Secure Score, Microsoft Secure Score and Microsoft Compliance Score.

The last of these is, surprisingly, something of an enigma to many. A large number of organisations are unaware of the built-in compliance capability when rolling out Microsoft 365. It is worth getting to grips with, however, because with a little input it can help streamline compliance processes.


How does it work?

There is a compliance centre in every organisation's Microsoft 365 environment. Unlike some features, your compliance score does not need activating; it is always on. That said, it is not a set-and-forget function. To get the most from it and use it to your advantage, it requires some thought.

Your score is generated from the configuration and activity observed within the tenant. Alongside the overall score, the compliance centre provides a list of suggested improvement actions.

Depending on how the policies are configured, a member of staff who takes a non-compliant action receives an alert, or a recommended alternative, telling them what has happened.

Some suggestions are easy to implement, such as calendar management; these can be assigned to a team member to complete within a set timeframe. Another simple improvement might be to have users re-register their Multi-Factor Authentication (MFA) methods, a sensible step after the COVID-19 induced shift to working from home. Once an action is complete, the score should improve and the list of suggestions should change.

“If you use the compliance score properly, it can provide an effective technical audit of a workplace, but it doesn’t account for specific business processes or rational preferences,” says Loryan Strant, Product Manager at Insync Technology.


Manage your expectations. There’s no such thing as a perfect score

For the high achievers amongst us, it may be disappointing to learn that a Microsoft Compliance Score of 100% is, for practical purposes, unattainable. You can, however, set a realistic benchmark or goal based on your specific organisation.

“A score of 100% would only come when a tenant is so compliant that it impacts their ability to work. The machine learning in the compliance centre cannot account for the specific processes and nuances that vary business to business,” says Loryan.

To avoid hampering the end-user experience, Loryan recommends defining what your version of good looks like and then working towards achieving and maintaining that score. The compliance score changes over time, so any actions need to be reviewed and repeated as often as required.


When you can’t mitigate, manage

Compliance doesn’t mean having one blanket rule for everyone because that just doesn’t work. To avoid tying yourself in knots over compliance suggestions, remember that when it comes to risk, if you can’t mitigate it, manage it. To do this you need to think about the bigger picture and clearly define what you are trying to achieve.

“I worked with a customer where users had to tick boxes before accessing services. This included MFA, which was a problem for provisioning the Surface Hubs installed, because the device accounts are obviously not real people. In this scenario we had to exclude those device accounts from the policy, which resulted in the loss of a point from the Secure Score – but this is an acceptable risk. These are the kind of tweaks you need to make as you go,” says Loryan.
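The exclusion Loryan describes is normally implemented as a Conditional Access policy that requires MFA for everyone except a group holding the device accounts. The following is an added example, not code from the article or from Insync Technology; it uses the Microsoft Graph PowerShell module, and the group name "Surface Hub Device Accounts" is a hypothetical one you would create to hold those accounts.

```powershell
# Added example (not from the original article): require MFA for all users and
# all cloud apps, but exclude the group that holds the Surface Hub device accounts.
# Assumes the Microsoft.Graph module is installed and you hold the
# Conditional Access Administrator role. The group name is hypothetical.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Exclude by group rather than by individual account, so that a newly provisioned
# Surface Hub only needs adding to the group, not to the policy.
$deviceAccountGroup = Get-MgGroup -Filter "displayName eq 'Surface Hub Device Accounts'"
if (-not $deviceAccountGroup) {
    throw "Exclusion group not found; create it and add the device accounts first."
}

$policy = @{
    displayName   = "Require MFA for all users (Surface Hub device accounts excluded)"
    # Start in report-only mode so the impact can be assessed before enforcing (tip 2 below).
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($deviceAccountGroup.Id)
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Because the excluded accounts now authenticate with a password alone, treat them as the managed risk they are: give them long random passwords, keep them out of privileged roles, and review the group's membership periodically so that only genuine device accounts remain in it. Switch the policy state to "enabled" once the report-only sign-in logs confirm nobody unexpected would be blocked.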


Tips for using Microsoft Compliance Centre

Within the compliance centre, some guidelines contradict other elements of the Microsoft ecosystem and ethos. For example, enforcing password complexity or expiry conflicts with Microsoft's own advice around Windows Hello, that passwords are a thing of the past.

In order to get the most from your compliance centre and increase your score, Loryan recommends considering the following tips:

  1. Think about the bigger picture. What are you trying to achieve and why?
  2. Conduct an impact assessment before flicking a switch. How will end-users be affected, do they know which alerts can be ignored, and which can’t? Do you need to provide education or change management?
  3. Consider how you bring the compliance centre into your existing security and compliance processes. Do you need to update your policies and processes given you have increased functionality?
  4. Which elements flagged in the compliance centre are covered by your current licences, and which may require additional licensing beyond what is already in place?
  5. Which staff will have admin access, read-only access or no access (end users)?
  6. Beware of false positives, e.g. alerts caused by logins that seem suspicious but are completely normal once the context is understood.
  7. Do you have a risky user policy? What is a risky user and how do you manage that?


What’s your score?

So, there you have it, a handy compliance tool already accessible in any Microsoft 365 tenant. Are you ready to find out how you are faring when it comes to compliance?

“Remember that whilst this technology is incredibly clever, it’s not perfect. You need to look after it, manage it and adjust it as you go,” concludes Loryan.

To find out more about how Microsoft 365 can help improve compliance in your workplace, contact Insync Technology today.