Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Narrator (00:07):
You're listening to the Assurance Show. The podcast for performance auditors and internal auditors that focuses on data and risk. Your hosts are Conor McGarrity and Yusuf Moolla.
Yusuf (00:20):
Today we have Erica Toelle, the Senior Product Marketing Manager for records management and info gov at Microsoft. We'll talk through a few things but with focus on a book that she's published, the compliance guide for Microsoft 365. Erica, do you want to kick off with your background before heading into Microsoft?
Erica (00:40):
Sure. I've been focused on this space for the past 15 years. Mostly as a consultant, but also with a small stint at a records management product company called Record Point. Most of my career was in management consulting where I was helping large enterprise organizations with figuring out their compliance, information architecture, strategy, and how to manage knowledge as an asset. I've also spent a lot of time working internally at Microsoft. For example, back in 2008, I was the consultant to the product team, helping them understand the enterprise content management and records management market, as we designed the features in SharePoint that became the records management and enterprise content management features. I've also spent a lot of time helping customers move from on-premise to Microsoft 365 from various places. And then for the last five years have pretty much been a hundred percent focused on records management of Microsoft 365 content. It's quite an interesting space because that's where everyone's doing their work. That's where things are happening in the organization and where a lot of these records are being made. So how do we identify that properly and help the records managers put that wherever it needs to end up.
Yusuf (02:08):
This book that has now been launched. Who is it for? And what can people expect from it?
Erica (02:13):
So the book is called "Microsoft 365 Compliance: A Practical Guide for Managing Risk". It came because I was working at Microsoft as a hired expert on compliance, helping customers deploy the compliance technology on behalf of Microsoft. And I found that the documentation is helpful, but it doesn't tell the story to the business users of how and why to use these features. And that information was scattered in different blogs and in different places. But there wasn't one place that people could go, if they're using Microsoft 365 in their organization and they need to be compliant. They need it to be auditable and they want to secure and protect their information. So the goal of this book was to cover everything that's included in what's called the Microsoft 365 compliance center, which is the area where auditors, records managers, information protection professionals can go to configure and use these features.
Yusuf (03:17):
Who would be using this the most?
Erica (03:20):
There are two main audiences. So first are the people in organizations that are managing compliance. Depending on your organization, that can be called many different things. Internal auditors, records managers, knowledge managers, there's many more names. But it's also for I.T. professionals. So the people who are in charge of maintaining and administering their Microsoft 365 environment. My goal is to provide information so that both sides can talk to each other and be on the same page.
Yusuf (03:51):
How would internal auditors and performance auditors use the compliance guide?
Erica (03:57):
Well, there's a few ways. First would be to help prepare for an audit. There's a little known feature called compliance manager included with your subscription that has pre-built templates for how to comply with very popular regulations. And inside the template, in addition to having kind of a checklist of things you need to do, it also provides a place where you can put your testing documents, your results, and essentially create a package that you could hand off to an auditor, internal or external. That helps people prepare in a nice, organized way. You can use the features throughout to generally just clean house and be prepared to meet your needs of audit, whether that's making sure you're applying the right retention policies, making sure information is discoverable and you can find it, or making sure it's protected so that the wrong people don't access the information. Internal auditors can help drive those discussions, even when it's not necessarily their responsibility to do it.
Conor (05:02):
When you were doing your research for the book, was there anything in particular from any of the internal auditors or risk professionals you spoke to in terms of a recurring pain point or issue or challenge?
Erica (05:13):
Yeah, there's a couple. The first one was just that nobody knew what they had purchased. So helping with general education. Then from there, we would usually start with information protection because this is right when COVID started and everyone was working from home, they were very concerned about their sensitive information ending up on personal computers or devices or being emailed to the wrong people. And then once we get past kind of the protection conversation, then it goes in a few ways. Many times they're paying for a separate system and they want to be able to retire that system and use what they already own. In many countries in the financial services organization, you have to supervise the traders' conversations to make sure that they're following all applicable laws. So there is a solution that does that called communication compliance. Or you want to look for patterns of risky behavior in your organization. When everybody is working in Microsoft 365, you can get signals about what they're doing. And when they deviate from normal behavior, such as suddenly downloading 300 files that have been marked confidential, then someone can look into that. So we would go then through those kinds of common pain points and figure out what they wanted to tackle next.
Conor (06:27):
If I was an internal auditor, for example, doing my annual planning of upcoming audits for the year, it would be helpful to understand the capabilities of the product vis-a-vis information security and so forth, because it might actually inform the way in which I do my audits into those issues.
Erica (06:44):
Again, that's why I wrote the book. So you could quickly get an overview of what's possible. And then pick from there what you're most interested in looking into. Every organization is different. What's the problem that year?
Conor (06:57):
Cyber security is a massive issue globally, for example. So if we were doing an internal audit into cybersecurity, it sounds as if it'd be really helpful to take a look at your book about some of the protections and controls that are built into the system.
Erica (07:08):
As you're very aware, cybersecurity is a massive topic. And specifically in compliance, we focus on the protection of the actual files and emails themselves. Rather than things like people penetrating your system or hacking into it or even social hacks. We're more focused on you have different levels of sensitivity to your information in your organization. Somebody's, say, personal information, right? It's protected by several privacy laws now. You have to ensure that even within your organization, that only the people with proper reasons can access that data. So that's more kind of the security pieces that are covered in this book.
Yusuf (07:49):
In terms of planning a cyber audit, there's all sorts of frameworks that we need to understand, and there'll be a range of systems and controls to evaluate. But what your book will help do is understand exactly where people can go to find those components that relate to Microsoft 365 and that they've been using, and understand how protection of information, governance of information, access control has been configured and what the level of compliance with those controls would be.
Erica (08:17):
Yeah. And then to add to that a bit more, the other power of these solutions is how they work together. Let's use a very specific example. You've scanned your environment to look for patterns that indicate sensitive information, like a passport number has a very specific pattern. Your tax ID number, very specific pattern. So you can find those with a reasonable level of accuracy, identify that as higher risk content, put a stamp on it. Well, now I can take that stamp and say, if it's been marked as personally identifiable information, then we need to make sure that we're only retaining it for three years. And then asking their permission again if we keep it longer than that. In addition, we can tell if somebody, even that should have access, suddenly downloads a dump of those files to their computer. They don't need to do that for their job. That's risky. So we're starting to chain these solutions together where if you just start one place and invest there, you can leverage that investment holistically.
Yusuf (09:19):
Quite powerful controls. And your book helps identify those and tell people where to go to look for the types of controls that compliance center will be able to handle.
Erica (09:29):
Yeah. This sounds really simple, but when I was first starting to learn this, because these solutions are maybe about three years old at this point, I couldn't find just a list of everything that it could do. So I started this book by literally creating that list, organizing them into logical groups and then being like, okay, I'm going to go through the user interface and I'm going to find every button and figure out exactly what it does and why, and get to that level of detail.
Yusuf (09:59):
In putting the book together, what did you find to be the most challenging area to understand and write about?
Erica (10:06):
First of all, a lot of those buttons aren't documented anywhere. And so there was trial and error. To figure out what it did and what other impacts it had in these other solutions. So that was the first challenge. And then if I was going to pick the solution that was the most complex, it would be the advanced e-discovery solution, which you can use to search and review information in bulk across your organization. It's complex because it is so powerful. We're dealing with such large amounts of data these days, even if you'd write the perfect search, it's going to return more results than a human being could ever review. So it does things like find the duplicates or documents that are 80% similar and group them together. So you can just review 500 documents at one time. It helps group together things in themes using machine learning models and so much more. That chapter alone is a hundred pages of the 525 pages in the book, but I covered every single button. So you're good.
Conor (11:10):
Probably the chapter I might jump into first, because these days internal auditors are required more and more to do forensic investigations or sensitive inquiries as part of their audit projects, and having that advanced e-discovery capability sounds as if it's really going to help.
Erica (11:27):
Yeah. You're exactly right. I see people using it more for internal investigations, even than for legal reasons or freedom of information requests. Because with those investigations, you start with a clue of where to look, right. But then that clue's going to lead you to, oh, maybe I should look into this person or this project, or find emails that contain these three people in this three-month span. And the power of advanced e-discovery is you can do those further queries and filters on the fly, in a pretty easy to use interface.
Yusuf (12:03):
Switching a little bit to an area that I find myself often hitting up against, and that is the area around managing devices that are not within the network, and obviously over the last year that's become more and more important. So with people working from home, working remotely, they may not be physically connected to the network. They may not necessarily be on devices that their organizations own, in some cases. What guidance do you have around that aspect of connectivity, if you like, and security around that connectivity?
Erica (12:37):
I think it's first deciding are you going to allow corporate data on personal devices? If so, do people have to enroll their devices in a corporate profile, like on Android, it's called a work profile. Where I am giving the, for me, it's Microsoft, permission to scan my phone with anti-virus software. I'm not allowed to jailbreak it. There's other rules as well. So first, yes or no. Do you want people to access on their phone? Then their personal computer as well. And then if the answer is yes, do you want them to be able to access all data? Like those documents and those sites you've marked as confidential. Do you want to block those from being accessed, but everything else is okay? That's again the power of once you start to label and use these solutions, it gives you much more granular control over what remote workers or even people just home in the evenings are doing on their devices.
Narrator (13:33):
The Assurance Show is produced by Risk Insights. We work with performance auditors and internal auditors. Delivering audits, helping audit teams use data, and coaching auditors to improve their data skills. You can find out more about our work at datainaudit.com. Now, back to the conversation.
Yusuf (13:53):
While writing the book, I understand, or just after you started writing the book, you landed a job at Microsoft looking after records management and info gov. You wanna talk to us about that?
Erica (14:03):
Well, I've always been an industry expert in the Microsoft records management area, and being located in Seattle, it's always been very easy for me to know the people at corporate. I'm the one that's always trying to get them to have lunch with me so I can ask those annoying questions. Multiply that by 15 years, people either enjoy your questions or hate you. And I was working on this internal compliance expert team and working with them very closely. This was a new position they created to have someone dedicated to managing the records business. And when it came up, they let me know, I applied, and it was my dream job. So I was extremely excited to get it. They call it a product marketing manager. But what that really means is you're the one who's actually looking after the whole business. So I have a counterpart Roberto Inglesias who manages the design and development of the product, and he decides what features we're going to build. I help with understanding the market landscape, competitive landscape, what we need to build to help our customers. So I meet with a lot of customers and partners. I help manage our ties into the internal programs at Microsoft. There's many cogs in the machine, right.
Conor (15:19):
Are you able to tell us about any new features coming down the line?
Erica (15:22):
Yeah. We actually have two big ones that are listed on the public Microsoft 365 roadmap. So Microsoft has a roadmap. You can go look and it has a paragraph about each feature that's coming. So our biggest one is we're completely overhauling what we call the disposition process for records management. So this is the approval process that most managed documents have to go through before they're deleted. So it'll reach the end of the retention period. It'll kick off an approval. Usually it has to go to, say, the business owner, then maybe the records manager, and everyone has to say, yep, it's okay if we delete this. And then you leave behind what's called a certificate of destruction, proving that it was in fact deleted. And that's what the auditors would probably care about the most. You can customize that approval process with multiple stages and people. And then we're making just the user experience of the review much more streamlined and easy. And then the next one is, this one's a little bit more techie, but it is big. So if you're going to manage, let's say, a person with a policy. There's a couple of ways you can scope that policy. Maybe you just need everybody's email to be kept for three years. But maybe there's like your executive team that needs to have their emails kept forever. Like we don't delete Bill Gates's email. I'm pretty sure. So you need to be able to identify who are those people that need this forever policy? In Microsoft 365 they have a user profile. It says things like their department, their geography, other things like that. What we'll be able to do is look at those properties in the user profile, and you can scope the policy based on that. Say everyone who has Australia listed as their country, put them in this policy to manage them. So it sounds simple, but it's going to unlock a lot of scenarios and things our customers want to do that require that.
Yusuf (17:19):
So let's say I'm an internal auditor in a public sector organization. There's a whole bunch of laws that I need to comply with. And I've got a bunch of records against which retention policies have been established or that have been labeled in a particular way. What happens when those laws are different and may conflict? One says you have to delete within five years and the other one says you must keep it for seven years. What do your customers usually do about those sorts of scenarios, where there are laws that don't necessarily work together?
Erica (17:53):
That's a great question. In the vast majority of cases most laws will say to retain it for the longer amount of time. What that entails is you have to be able to assign the multiple policies to that document. So that there's a process that evaluates all the policies on a periodic basis and says, okay, this is the longest one. It's the one that wins.
Yusuf (18:15):
Okay. And when we have things like we need to make sure that any private information that we keep is kept up to date. And we need to make sure that where we do have PII, that we give people the ability to update that. Is there a way that you can then apply that to all the records as well? Or does that only apply to newer records? How does that all work?
Erica (18:36):
So there's just too much data to manually evaluate anymore. Even if users are tagging it, like as they create things, they're going to do it wrong. They're going to forget, it's just not okay. So instead of trying to manage everything, we're having to shift our way of thinking to managing the highest risk data. So if you think of it as a quadrant. The highest risk is in the upper right corner. That's really what you want to go after. So how do we identify that? A document that's just even sitting in a SharePoint site has a lot of information about it. You can tell who's accessing it, what their job is, what meetings it was shared in, in a Teams meeting and these things. And from there, you can start to use artificial intelligence to build the risk profile. We can apply sensitivity policies and retention policies based on this risk profile today, but it still has a long way to go to be perfect and completely mature, and no technology can do it yet, to be fair.
Yusuf (19:36):
That makes a lot of sense. So extending from that, an organization that is starting along the records management, information governance path. Where would they start?
Erica (19:46):
With the high-risk data, but how do they decide what is high risk? So there's a couple of ways. So if you're already a highly regulated or government organization, you typically have what's called a retention schedule. With the categories of information and how long you need to keep it. So you can sit down with your security team and figure out, of those categories, what's the riskiest information? Start with maybe the 10% riskiest categories. Then you can say, okay, what does this information look like? Is it templatized? Is it all over the place? Is it in emails? Is it in files? And start identifying the characteristics of the data. Then you have a couple options. If it's a well managed asset like contracts or something that we've already been managing for a long time, you probably know where it sits and you can manage it by the location. But if it's more collaborative in nature, it could be anywhere. So in that case, we have what are called trainable classifiers, where you can feed in examples of the documents and train the machine. And then it'll go look for it anywhere in SharePoint or OneDrive and you can start to identify things that way by the patterns of information. There's other ways to do it as well, but that's the easiest place to start.
Conor (21:02):
So where would you find the trainable classifiers?
Erica (21:05):
That's in the compliance center and it's covered in detail in the book on how to either use one of the out of the box classifiers Microsoft built, or how to start from scratch and make your own model.
Yusuf (21:16):
If you know some of the high-risk documents and you can identify where those reside, you're then able to use those to build a pattern and then go and look for similar documents so that you're not missing some documents that may be buried deep down in a folder structure, or that may have been copied from one area to another area, or that may be in a user's individual OneDrive folder, as opposed to some of the more shared folders.
Erica (21:41):
Yeah, exactly. And you can use the trainable classifier either to find content and apply a retention label or protect it with one of those sensitivity labels to make sure the right people have access to it and the wrong people don't.
Yusuf (21:55):
That's a range of data governance areas that are being covered off all at the same time. If you were in the internal audit area or the performance audit area, and whether you had records management on your mind deliberately or not, what would it be that would make you sit up and say, I need to do something about this, or I need to evaluate this, or this is a risk area that I need to bring to the attention of the board or others?
Erica (22:18):
A lot of companies have had just a keep everything culture. And they don't realize the risks that are presented with just keeping information around forever. Of course there's legal risks. If you are a part of a legal case, if you can find it in your organization, you have to produce it as part of the case. If it's something that could have been deleted that loses the case for you, that's not a great situation. Also the more data that you have, the bigger attack surface you have, the more you have to just manage for these privacy laws or for other regulations. And it's just more expensive and takes a lot more time and effort. A lot of times these aren't visible costs because if you do it right, no one should ever know that you did your job. 'Cause you're not appearing on any lists of people that did something bad. That's why sometimes it's so easy to overlook by leadership, but why it's so important to pay attention to it.
Conor (23:15):
It's important to reflect on your own organization and ask the question. Do we have a keep everything culture in this organization, and as an internal auditor what can I do to help my organization manage that risk better?
Yusuf (23:28):
Where can people find you, connect with you, and importantly, where can they find your book?
Erica (23:34):
The least expensive place to buy the book is going to be at apress.com. So that's apress.com and they can ship to most countries in the world. It is also available on Amazon. Uh, fortunately I have kind of a unique last name. So on every social media property and email address, it's just my first name, my last name. No dots, dashes or underscores, just those two together, twitter, @microsoft.com, whatever you would like.
Yusuf (24:07):
Okay. So that's Erica Toelle, and that's ERICA, last name TOELLE. We'll put a link to your profile in the show notes, we'll put a link to your book on apress in the show notes as well.
Erica (24:19):
If you ever have any questions about any of this, especially records management, just hit me up on LinkedIn or email me. We're very casual around here and we just want to help everyone. So don't feel like your question isn't important enough, because if you can't find the answer, it's an important question.
Yusuf (24:35):
Really interesting conversation. We look forward to getting a copy of the book. Thank you very much for joining us.
Narrator (24:42):
If you enjoyed this podcast, please share with a friend and rate us in your podcast app. For immediate notification of new episodes, you can subscribe at assuranceshow.com. The link is in the show notes.