Forum Discussion
SC-900 Purview Insider Risk Question
Do risk management and communication compliance solutions investigate individual users?
Does it actually retain folders regarding each risk user with their identity visible to the compliance admin? I'm asking this as it correlates with user privacy issues.
- 3lli3Copper Contributor
DarleneElohim You have two questions, I think.
Does MSFT Purview Insider Risk and Compliance Communication actually retain folders regarding each risk user with their identity visible to the compliance admin? The answer to that is "NO". That's done in two ways: masking identity and controlling access.
- This Purview Insider Risk and Compliance privacy guide says that masking identity ('pseudonymization') is used to remove identifiable user details like user name, email, title, and department or location. So an employee's identity would only be known as ANON4374, for example, where 4374 is a randomly assigned number.
- Controlling access is ensured through role-group assignments. Specifically, the Compliance Admin role-group is allowed to write and update policies and send out notices but can't access or investigate alerts or initiate remediations. In contrast, Insider Risk Analysts are not allowed to write or update policies but they can access and investigate alerts and cases about users. Insider Risk Investigators are not allowed to write or update policies but they can access and investigate alerts about users, as well as view forensic evidence. This chart shows what permissions the Compliance Admin role-group (and other compliance role-groups) does and doesn't have. This chart shows the roles and permissions for Insider Risk.
Do risk management and communication compliance solutions investigate individual users? I think the answer is "NO" unless a pseudonymous individual's cumulative behavior triggers an alert (e.g. doing something anomalous much more often than the average for others in that work role) or does something that appears to be a one-time but serious violation like a breach of security policy. This July 2023 post, New Insider Risk Management features in general availability, describes how that works. Unless an alert is triggered and the individual is being investigated for a violation, I don't think folders are kept on users that are accessible to compliance admins.