
Security, Compliance, and Identity Blog

Getting started with Insider Risk Management

Mavi Etzyon-Grizer
Jun 09, 2020

Insider Risk Management is a solution in Microsoft 365 that helps minimize internal risks by enabling you to detect, investigate, and take action on risky activities in your organization. Custom policies allow you to detect and take action on malicious and inadvertent risk activities in your organization, including escalating cases to Microsoft Advanced eDiscovery if needed. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards.

 

You can enable the insider risk management capability in your organization’s tenant by following the steps below:

  1. Grant yourself or a designated administrator the Insider risk management Admin role by enabling permissions.
  2. Navigate to https://compliance.microsoft.com/ and on the left pane select the Catalog under the Solutions section.
  3. Scroll down to Insider Risk Management, and click View under the Insider Risk Management solution.
  4. Click Show in Navigation and then Open Solution to confirm you have access.

Once you confirm you have access, you can start creating policies, investigating alerts, and handling cases.

 

While Insider Risk Management is a technical solution, its scope straddles the worlds of security, privacy, HR and legal, so we recommend involving stakeholders from those areas in your organization that might be able to provide validation and insight during the evaluation. 

 

To get a meaningful experience, we highly recommend that you evaluate the solution in a production environment. The experience is highly dependent on the amount of data the system can analyze, so real-world data will provide the most meaningful results. If you decide to perform the evaluation in a test tenant initially, you will have to generate simulated user actions for the system to consume.

 

When employees leave your organization, there are specific risk signals typically associated with data theft by departing employees. The data theft policy template prioritizes these signals and focuses detection and alerts on this risk area. Data theft by departing employees may include downloading files from SharePoint Online, copying files to portable devices such as USB drives, printing files, and copying data to personal cloud messaging and storage services near their employment resignation and end dates. This template prioritizes signals relating to these activities and how they correlate with employee employment status. Follow these steps to set up this policy for your organization:

  1. Set up the HR connector
  2. Set up the IP theft policy
  3. Triage and manage alerts
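The correlation described above, sketched as an added example (it is not Microsoft's implementation and not code from the original post): HR resignation and end dates define a watch window per user, and only tracked activities inside that window count toward a flag. The CSV column names, activity labels, 14-day lookback and 3-event threshold are all assumptions made for this sketch.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR export; column names are assumptions for this sketch.
HR_CSV = """EmailAddress,ResignationDate,LastWorkingDate
alice@example.com,2020-06-01T00:00:00Z,2020-06-15T00:00:00Z
carol@example.com,2020-06-05T00:00:00Z,2020-06-19T00:00:00Z
"""

# Constructed activity records (timestamp, user, activity); labels are hypothetical.
EVENTS = [
    ("2020-04-01T09:00:00Z", "alice@example.com", "FileDownloaded"),   # before window
    ("2020-05-20T10:00:00Z", "alice@example.com", "FileDownloaded"),
    ("2020-06-02T11:00:00Z", "Alice@example.com", "FileCopiedToUsb"),
    ("2020-06-10T12:00:00Z", "alice@example.com", "FilePrinted"),
    ("2020-06-11T12:00:00Z", "alice@example.com", "FileViewed"),       # not tracked
    ("2020-06-03T08:00:00Z", "bob@example.com", "FileDownloaded"),     # no HR record
    ("2020-06-03T08:05:00Z", "bob@example.com", "FileCopiedToUsb"),
    ("2020-06-03T08:10:00Z", "bob@example.com", "FilePrinted"),
    ("2020-06-06T08:00:00Z", "carol@example.com", "FileDownloaded"),   # below threshold
]

TRACKED = {"FileDownloaded", "FileCopiedToUsb", "FilePrinted", "FileUploadedToCloud"}
LOOKBACK = timedelta(days=14)  # assumed: how long before resignation to start watching
MIN_EVENTS = 3                 # assumed: tracked events needed to raise a flag


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def departure_windows(csv_text):
    """Map each departing user to (window_start, window_end) from the HR rows."""
    windows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        start = parse_ts(row["ResignationDate"]) - LOOKBACK
        windows[row["EmailAddress"].lower()] = (start, parse_ts(row["LastWorkingDate"]))
    return windows


def flag_departing_users(csv_text, events):
    """Return {user: distinct tracked activities} for users at or over the threshold."""
    windows, hits = departure_windows(csv_text), defaultdict(list)
    for ts, user, activity in events:
        window = windows.get(user.lower())
        if window and activity in TRACKED and window[0] <= parse_ts(ts) <= window[1]:
            hits[user.lower()].append(activity)
    return {u: sorted(set(a)) for u, a in hits.items() if len(a) >= MIN_EVENTS}
```

Without the HR rows no user has a watch window, so the same activity produces no flag; this is why the HR connector is the first step.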

 

For more information on Insider Risk Management, see the information below.

Updated May 11, 2021
Version 7.0