Getting started on your data security journey
Published May 17 2023 09:00 AM 6,578 Views
Microsoft

 

Data security is a top concern and priority for many organizations. As I'm working with customers, especially in the State and Local Government, I notice that sometimes customers do not know where to begin with their data security strategy. It can be challenging to embark on this journey and there is an endless supply of information out there. To address this challenge, I wanted to provide a checklist that is digestible and will help in the various stages throughout this journey. I will also be providing supporting documentation that you can reference and provide to needed stakeholders. 

 

The below are 3 key considerations for your data security journey. 

 

Getting the right stakeholders  

I see many projects that do not get off the ground because they do not have the right stakeholders involved from the onset. An effective data security strategy requires planning and coordination from various stakeholders: IT, Security, Privacy, Risk, Compliance, Legal, Application owners, etc.  In State and Local Government (and other industries), this can include members from central IT, CISO, CIO, Compliance, Privacy, Legal, and others. "Communication is key", and it's important that all stakeholders remain engaged from start to finish. Additionally, someone needs to be assigned as managing the project beginning to end.

 

Additional information can be found here: Plan for data loss prevention - Microsoft Purview (compliance) | Microsoft Learn

 

Find a Champion  

Another key feature that is often missing in the initial stages is a champion (executive sponsor) for the program. Plain and simple – if there is no one at the top pushing to get this project initiated and executed, your “testing” of MIP/DLP controls could simply being “tests” that never go anywhere. Protecting business critical data is a team sport, but there needs to be a coach who is pushing for the team to win using equipment (solutions) that can help, practicing before the big game (PoC, pilot), and removing obstacles (internal roadblocks). Who can be a champion? This should be an executive such as CISO, CIO, CTO, or someone that has been delegated by an executive that will lead this team towards success.

 

Document the process and define success

I also find that many State and Local Government customers (and others) are also struggling with having their own test cases to test against data loss prevention and information protection. Essentially, there is no documentation of what's being tested and the results. Without proper documentation of what you are evaluating, it's difficult to recall all the work that has been put into testing your scenarios that can demonstrate how the solution can help. It's also important to understand what success looks like as you are assessing data security solutions to meet your use cases. Defining your use cases and defining your success criteria are critical components on this journey.

 

These are just 3 things of many others that should be considered as you are beginning your data security journey. Between the various items to consider and various stakeholders involved, its easy to get lost in "what to do next." To assist with this important initiative, I have provided the below Data Security Checklist and Test Cases that can help you during your data security journey ( attached as a download ). I've also provided some examples of test cases in the spreadsheet for Microsoft Purview Data Loss Prevention and Information Protection.  These can be modified to meet your needs and provide ideas to create other test cases.  Remember, each organization is unique and may have different criteria and scenarios that need to be considered as you are planning your data security strategy. I hope you find the information useful and would love to hear your feedback.

 

If you like to learn more about SLG use cases for Microsoft Purview, please feel free to Join the Microsoft Purview Customer Community for SLG! (office.com).

When you join this community, you will receive invitations for webinars that cover topics related to Microsoft Purview and answers to the #1 question government customers have - "What are other customers doing?" We cover use cases learned from the field and we share it back with the community. We also invite customer, industry, and Microsoft experts to have discussions covering topics related to data security, privacy, risk, data governance, and compliance. 

 

 

 

 

 

About the Author

Leo Ramirez is a Principal Technical Specialist for Compliance at Microsoft. Leo works with State and Local Government customers helping them meet their data security, compliance, privacy and risk use cases using Microsoft Purview solutions. Leo is an avid learner, with over 20 years' experience and has a background in consulting and delivering solutions to meet customer's infrastructure, security and compliance needs. Leo has technical strengths in data security, risk compliance, and privacy. 

 

 

1 Comment
Co-Authors
Version history
Last update:
‎May 17 2023 09:35 AM
Updated by: