For my past two blog articles I’ve covered quite a few details on what Secure Score can offer you and your Office 365 tenant. What I wanted to do for this article is tie this in with the new and upcoming regulation called GDPR. GDPR stands for General Data Protection Regulation. The regulation was passed by the EU in April of 2016 and it goes into effect on May 18, 2018. The regulation is not solely for companies in the EU, but is intended to protect the personal data of people in the EU. This means that if you have customers in the EU or have dealings with the EU, GDPR will affect you.

Brief GDPR Overview
What is GDPR? GDPR is an expanded set of rights for the protection of people’s personal data. The expansion comes from the changes and additions made to the original data protection regulation from 1995. Here are some of the key changes (source: EuGDPR.Org):
- Increased Geographical Scope: Affects companies from all over the world. As long as they process personal data for EU citizens, this change affects them.
- Penalties for Non-Compliance: The fines are potentially HUGE depending on the size of your company: “4% of annual global turnover or €20 Million (whichever is greater)”.
- Consent: This one is entertaining because it basically says that any consent form must be in plain language rather than legalese, and withdrawing consent must be just as easy. The potential kicker here is not the consent itself or its withdrawal, but the rules that data no longer needed must be deleted, and that citizens can request their data be delivered somewhere else.
In other words, the changes are big and farther reaching than previous data protection regulations. For smaller businesses, some parts of the regulation will certainly be harder to implement than others. A good outline of this can be found HERE. Be sure to review the article there to get an idea of where these changes could cause issues down the road for your company and/or your clients.
Microsoft also has their own link for GDPR.
Secure Score and GDPR
How does this relate to Secure Score? Secure Score, as covered in my last articles, is intended to help Office 365 administrators secure their tenants with a list of recommendations from Microsoft. The recommendations are not a direct one-to-one reflection of GDPR; the Tasks in Secure Score were never intended for that purpose. However, the added security and increased Secure Score number might help in the event of an audit against GDPR requirements. Here are some of the Tasks in Secure Score:
- Enable MFA for all global admins
- Enable MFA for all users
- Enable Client Rules Forwarding Block
- Enable audit data recording
- Review sign-ins after multiple failures report weekly
- Set outbound spam notifications
- Review sign-ins from unknown sources report weekly
- Review sign-ins from multiple geographies report weekly
- Review role changes weekly
- Store user documents in OneDrive for Business
- Enable Information Rights Management (IRM) services
- Use audit data
- Do not use transport rule to external domains
- Do not use transport white lists
- Review mailbox forwarding rules weekly
- Review mailbox access by non-owners report bi-weekly
- Review malware detections report weekly
- Do not use mail forwarding rules to external domains
- SPO Sites have classification policies
- Review sign-in devices report weekly
- Review account provisioning activity report weekly
- Review non-global administrators weekly
- IRM protections applied to documents
- IRM protections applied to email
- Configure expiration time for external sharing links
- Tag documents in SharePoint
- Review list of external users you have invited to documents monthly
- Disable accounts not used in last 30 days
- Enable Data Loss Prevention policies
- Enable Advanced Security Management Console
- Enable Advanced Threat Protection safe attachments policy
- Enable Advanced Threat Protection safe links policy
- Enable mobile device management services
- Require mobile devices to use a password
- Require mobile devices to block access and report policy violations
- Require mobile devices to manage email profile
- Do not allow simple passwords on mobile devices
- Require mobile devices to use alphanumeric password
- Require mobile devices to use encryption
- Require mobile devices to lock on inactivity
- Require mobile devices to have minimum password length
- Require mobile devices to wipe on multiple sign-in failures
- Do not allow jailbroken or rooted mobile devices to connect
- Require mobile devices to never expire password
- Do not allow mobile device password re-use
- Enable customer lockbox feature
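Several of the mail-related tasks above (do not use transport rules to external domains, review mailbox forwarding rules weekly, do not use mail forwarding rules to external domains) are much easier to keep up with when the weekly review is scripted. The Exchange Online PowerShell script below is an added example and is not part of the original article or of Secure Score itself. It assumes the ExchangeOnlineManagement module is installed, that the account you sign in with can read transport rules, mailboxes and inbox rules, and that every accepted domain in the tenant counts as internal. It reports every transport rule, mailbox-level forwarding setting and user inbox rule that sends mail to an address outside those domains, which is exactly the evidence an auditor will ask for when you claim this task is reviewed weekly.

```powershell
# Added example (not from the original article): weekly review of mail-forwarding
# paths that leave the tenant, covering the Secure Score tasks
# "Do not use transport rule to external domains", "Review mailbox forwarding
# rules weekly" and "Do not use mail forwarding rules to external domains".
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account can read transport rules, mailboxes and inbox rules.
# Run: .\Find-ExternalForwarding.ps1 -ReportPath .\external-forwarding.csv

[CmdletBinding()]
param(
    [string]$ReportPath = ".\external-forwarding-$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Every domain the tenant owns; any other domain is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Get-ExternalAddresses {
    param([object[]]$Recipients)
    # Rule and mailbox recipient fields render as strings such as
    # 'Jane Doe [SMTP:jane@example.com]' or 'smtp:jane@example.com';
    # pull every SMTP address out and keep the ones outside our domains.
    foreach ($r in $Recipients) {
        if (-not $r) { continue }
        foreach ($m in [regex]::Matches([string]$r, '[\w.+-]+@[\w.-]+')) {
            $addr   = $m.Value.ToLower()
            $domain = $addr.Split('@')[1]
            if ($internalDomains -notcontains $domain) { $addr }
        }
    }
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Transport rules that redirect or copy mail to external recipients.
foreach ($rule in Get-TransportRule) {
    $targets = @($rule.RedirectMessageTo) + @($rule.BlindCopyTo) + @($rule.CopyTo) + @($rule.AddToRecipients)
    foreach ($addr in Get-ExternalAddresses -Recipients $targets) {
        $findings.Add([pscustomobject]@{ Source = 'TransportRule'; Object = $rule.Name; State = $rule.State; External = $addr })
    }
}

# 2. Mailbox-level forwarding (set by admins, or by users in Outlook on the web options).
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox
foreach ($mbx in $mailboxes) {
    $targets = @($mbx.ForwardingSmtpAddress)
    if ($mbx.ForwardingAddress) {
        # ForwardingAddress points at an internal recipient object (often a mail
        # contact that itself points outside), so resolve it to its SMTP address.
        $contact = Get-Recipient -Identity $mbx.ForwardingAddress -ErrorAction SilentlyContinue
        if ($contact) { $targets += $contact.PrimarySmtpAddress }
    }
    foreach ($addr in Get-ExternalAddresses -Recipients $targets) {
        $findings.Add([pscustomobject]@{ Source = 'MailboxForwarding'; Object = $mbx.PrimarySmtpAddress; State = "DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward)"; External = $addr })
    }

    # 3. User-created inbox rules that forward or redirect to external recipients.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($addr in Get-ExternalAddresses -Recipients $targets) {
            $findings.Add([pscustomobject]@{ Source = 'InboxRule'; Object = "$($mbx.PrimarySmtpAddress) / $($rule.Name)"; State = "Enabled=$($rule.Enabled)"; External = $addr })
        }
    }
}

$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Format-Table -AutoSize
Write-Host "$($findings.Count) external forwarding path(s) written to $ReportPath"

Disconnect-ExchangeOnline -Confirm:$false
```

Two things to keep in mind when reading the report. First, the domain check is an exact match against the accepted-domain list, so mail sent to a subdomain you own but have not added as an accepted domain will be flagged; that is the safe direction to err in. Second, a finding is not automatically a violation: forwarding to a known partner or a ticketing system may be legitimate, so the weekly review should compare each line against the previous week's CSV and investigate only what is new or unexplained, and a mailbox with DeliverToMailboxAndForward set to False is silently losing its copy of the mail, which deserves a closer look. Keep the dated CSV files; they are the audit trail that shows the task was actually performed.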
Conclusion
In summary, think of Secure Score as one tool for helping you comply with GDPR. It will not do everything for you, and it will not shield you from the regulation. It will, however, provide you with auditable and actionable tasks that you can use to secure your Office 365 tenant. Securing your tenant in this way should be part of your overall GDPR compliance strategy, and other tasks, tools, methodologies and/or software should be used in conjunction with Secure Score.