Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate them in the following link:
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.
All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.
The Information Protection section of this blog series is aimed at Security and Compliance officers who need to properly label data and encrypt it where needed.
This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through using Compliance Manager to run an assessment.
This document does not cover any other aspect of Microsoft E5 Purview, including:
It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).
For details on licensing (i.e. which components and functions of Purview are in E3 vs E5) you will need to contact your Microsoft Security Specialist, Account Manager, or certified partner.
This document will give a brief explanation of Compliance Manager and walk you through the basic tabs and aspects of the tool.
An administrator wants to run their first Compliance Manager assessment.
Types of Assessments in Compliance Manager:
This is taken from the official Microsoft documentation (see the link in the Appendix and Links section):
“Compliance Manager can be used to assess different types of products. All templates, except the Microsoft Data Protection Baseline default template, come in two versions:
Assessments from universal templates are more generalized but offer expanded versatility, since they can help you easily track your organization's compliance across multiple products.
Note that US Government Community (GCC) Moderate, GCC High, and Department of Defense (DoD) customers cannot currently use universal templates.”
Note – this blog entry will not discuss or compare Microsoft and/or Universal assessments any further.
It is recommended you read the official Microsoft documentation on Compliance Manager and the Paint By Numbers – Compliance Manager - Overview (Part 9a) blog.
Now that you have a basic understanding of Compliance Manager (see the Part 9a – Compliance Manager – Overview blog entry), we will add an assessment.
“When you create an assessment, you'll need to assign it to a group. Groups are containers that allow you to organize assessments in a way that is logical to you, such as by year or regulation, or based on your organization's divisions or geographies.”
We will start with the Overview section of the assessment on the left-hand side.
This tab covers the Controls and Control Families that are needed to meet your regulation/certification. Controls are the various requirements in your tenant that must be satisfied to meet a part of an assessment. A Control Family is a grouping of Controls. This will be visible in the top section.
In this example, there are 4 Control Families. You can tell from the color whether something is done (colored) or not done (grey).
In the bottom section, you will be able to see the Control Family and, under each, a Control.
This tab will show you ALL the improvements you can make to help meet your regulation/certification needs. Here is a sample screenshot.
If you click on any of these actions, it will take you to the Improvement Action.
Listed here are all the items Microsoft will make sure are secured in your tenant.
Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such. Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.