Let’s review the Office 365 security policies that you need and why they’re important.

security policies

Part four of a series.

Everyone knows they need policies, especially for security. Do you have policies? Are they up-to-date?

Let’s first make a distinction between the two types of policies we have to work with. There are policies in Office 365 and Azure such as Password, DLP, Label, Threat Management, Data Governance and Mobile Device Management. These are the policies you can create in your Office 365 and Azure tenants and they consist of settings that were likely decided upon in your security requirements meetings. These should be part of your baseline platform documentation already.

But what I want to discuss in this article are the other policies that you’ll need and why they’re important. These are the policies in their documented form that have been decided upon and will not change without your governance board or boards’ approval.

Although we won’t talk about it until the Operations and Monitoring blog, post 7 in this series, you can use Secure Score and Cloud App Security for a bit to assist in making decisions about which policies are most important and which ones might wait awhile.

Identity Policy

This type of policy covers items that protect your users, their personal information, and access to your systems.

  • Passwords – It’s likely that your password policies are managed on-premises and not in the cloud but make sure they’re documented and up-to-date. NIST has new guidelines that may surprise you. Find them in the link above.
  • Multi-Factor Authentication – I’ll say it again and probably not for the last time – because of the new NIST guidelines, you will want to enforce this for all admins and all mobile/= or off-network logins.
  • Data Loss Prevention – Automatically label documents and emails containing social security numbers or credit cards and prevent them from being shared outside the organization.
  • Mobile Devices – Use some type of device management to govern what devices can connect to your tenant, what apps they can use, and what users can do with those apps.
  • Administration and support – Determine who will administer what portions of your tenant by using roles, and also when they will have access.
  • Onboarding/Offboarding – Be sure to document your process and make concessions for data handling when users leave, especially in a hybrid environment.

Information Policy

This type of policy governs the ingress and egress of your company’s data.

  • External Sharing – Document who can share, what can be shared, from where the sharing can take place and how to monitor sharing.
  • Classification and Encryption – Use Azure Information Protection to allow users to classify, automatically classify and encrypt information in your tenant.
  • Retention – Manage the lifecycle of your data and determine when or if it can be deleted so you retain critical data.

Governance Policy

This type of policy will help you maintain control over the permissions your users have to use your systems.

  • Exchange – Document what services are allowed, who can use them, and how to effectively monitor and adjust as needed.
  • Skype for Business – Determine what your users can and cannot do and share during meetings, chats, whiteboards…
  • Teams – Decide on a Group and Team creation strategy, as well as retention plans, external application use, and external sharing.
  • SharePoint – Determine strategies for storage management and usage, site creation and lifecycle management, and sharing.
  • OneDrive for Business – Decide on quotas and sharing strategy.
  • Yammer – Determine how you want to use Yammer, and how sharing and group creation will take place.
  • Flow, PowerApps, PowerBI, Dynamics, Flow, Planner, Sway, Forms… – These are apps that don’t have the traditional Office 365 Admin Center. But don’t let down your guard. They still have access, usage and sharing policies you need to govern.
  • Office 365 Groups – You’ll need a naming strategy and retention policy, ownership and membership policy and external sharing plan. Remember that these are the underlying organizational units for Teams, Planner, PowerBI…

Final Thoughts

In many cases, you’ll find that your existing policies will work fine and will only need to be tweaked a little. Many of these applications and processes, however, won’t have well-defined policies in place and you will need to document and manage them.

This will be especially important in your operations management and organizational change management. There are many decisions you need to make during your transition so be sure that you have a partner to help.