SharePoint and Compliance Regulations



SharePoint & Compliance
Marc Dreyfus
Sr. Compliance Solutions Specialist, CIPP/US
The Challenge: Legions of compliance obligations and risks to information
The onslaught of risk and compliance issues related to information sharing includes:
• Intellectual Property and Trade Secrets
• Sensitive Customer Information and Data
• Competitive Advantage
• Personnel Information
• National Security
What’s Changed: Forces Driving Organizational Compliance Obligation
Massive amounts of circulating content have led to reactive legislative policies and a rethinking of how corporate data is to be managed.
• Persistent Data (once it’s out there, it’s out there)
• Simple Authorship
• Information Transference
• Information Collection
• Big Data
Big Data
Addresses inefficiencies in statistical sampling. Examples:
• Diapers and Beer
• Language Translation
• Tracking Spread of Influenza
• Credit Scores
• Identification with NAME / ZIPCODE
Sign of the times
Elizabeth Warren
A Sample of Compliance Standards
• Section 508 Refresh
• Operational Security
• ITAR
• Gramm-Leach-Bliley
Regulations have common elements
Information must be accessible and available to the people who should have access to it, and protected from the people who should not. Further, this information may need to be stored, archived and preserved for some period of time.
Building a Compliance Policy
Balancing Transparency/Collaboration with Data Protection/Management
Texas Health Care Provider - Hidden Salaries
An Email Thread from my Mortgage Banker
From: Marc
Hi Todd,
Can you promise me that we can close on the house on July 15th? I have no mortgage contingency.
Thanks,
Marc

From: Todd
Marc,
That will not be a problem. We can absolutely close on July 15th.
Best,
Todd
Insurance Company, CT – FINRA 11-06 Compliance
• Restricted use for all employees
• 1,000 users regulated by FINRA excluded from SharePoint 2013
• Dirty word lists
(Diagram: SharePoint 2013 – Blogs, Wikis, MySites, Social)
© 2011 AvePoint, Inc. All rights reserved. No part of this may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.
Risk assessment: Don’t just focus on what you can see
Risk Awareness
“Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!”
E.J. Smith, Captain of the Titanic
Risk Ignorance
US City – Drug Offenders
In thinking of potential privacy breaches, how likely do you think the following risks are for your organization?
Source: HCCA, “Data Privacy: How Big a Compliance Challenge?”, January 2011
Notable Government Breaches
Pfc. Bradley Manning
Airstrike videos, war documents, and 250,000 diplomatic cables were downloaded by an Army soldier stationed in Iraq. The soldier was authorized to access the systems.
A laptop was stolen containing the personal information of 26 million veteran and active duty troops. This was the largest of many breaches of VA electronic data.
A city published a private list of city drug offenders and court judgments on its public website.
Creating and maintaining a compliant environment is a continuous process
Balancing transparency and collaboration with data protection and management:
• People
• Policy and Process
• Technology
• Training
• Governance and Oversight
• Technical Enforcement
What is Compliance Guardian?
Scan
• Real-time or scheduled
• “Visible” and “invisible” content
• Text or element based
• Include/exclude filters
Report
• Alerts and role-based reporting
• Cross-farm, cross-version results roll-up
• Dashboard with drill-down
• Trend analysis and historical reports
Act
• Move
• Delete
• Quarantine
• Classify
• Secure with permissions
Demo
Compliance Guardian modular architecture
CG Content Scanner → API → CG Compliance Engine → API → CG Reporting Engine
CG Content Scanner
• Crawls through content source
• SharePoint sources
• File Shares, Web Sites, Yammer etc.*
CG Compliance Engine
• Checks against defined conditions
• Uses the AvePoint Testing Language
• Checks content, elements, framework, context etc.
CG Reporting Engine
• Compiles and presents scan results
• Role-specific dashboard views with summary and drill-down
• Trend reporting and historical analysis
Surround Services – Best Practices Approach
(Numbered cycle diagram; labels in page order: Assess, Diagram New Security Boundaries, Prioritize, Maintain, Design, Undertake Migration, Implement, Architect in GovSec)
Engagement steps: Initial Meeting; Review Compliance Requirements; Set Scope for Initial Test; Initial Smoke Test; Review Results/Refine Rules with early project owners; Recommended Mitigation; Results Presentation Meeting; Results Analysis and Documentation; Initial Baseline Scan
Compliance Guardian roadmap at a glance…
Jan 2013 – v3 release; Q2 2013 – v3 CU1; Q3 2013 – v3 SP1 (Scan File System):
• Support for SharePoint 2007 and 2010 sources
• Pre-populated test suites for PII, PHI, Accessibility, Sensitive information
• Role-based management dashboard to monitor compliance status and trends
• Support for automated, user-assisted and verified manual classification and metadata tagging
• Real-time or scheduled content actions to reduce exposure and risk
• Enhanced test suite editor for greater efficiency when creating/customizing test suites
• Allow scanning for previous versions
• 16 new pre-defined test suites mapped to common regulations and compliance initiatives
• 40+ new pre-defined test files for common violation types
• Support SharePoint 2013 sources
• Scan file system for Compliance and Classification scans
• Scan non-SharePoint web server for Compliance scans
• Enhanced risk calculation formulas and report
• Enhanced Compliance report dashboard and detail reports
• Site quality and branding test suites including broken links, missing images, Mobile OK
• Support for automatic tagging of SharePoint Managed Metadata columns
(Diagram callouts: Scan Websites; Encryption of Test Files)
Q4 2013 – Service Release; Q1 2014 – Service Release:
• Enhanced user preferences settings for Compliance Dashboard
• Enhance site quality features with performance monitoring and metrics
• Redaction capability for violations within content
• “Heat Map” to prioritize risk based on location
• Enhanced reporting of automated actions taken by Compliance Guardian
• User Path Analysis
• Encryption of test files to protect operational security test suites
• Enhanced auditing of actions taken within the Compliance Guardian console
(Screenshots: Heatmaps; Redaction)
Additional Resources
(Visit www.AvePoint.com/resources)
• Customer Success Stories
• White Papers from AvePoint’s Own SharePoint Experts
The Compliance Reporting Dashboard…
Track progress and improvements over a period of time
Track trends across data sets and content