Compliance insider risk is a technical process that the user must follow within a specified system. Several approaches and steps make the system perfectly user-friendly for accomplishing their work.
1. Feature capabilities:
i. Visual capturing allows organizations to capture clips of key
security-related user activities, allowing for better security and compliance
visibility and meeting organizational needs.
ii. Configure a recording policy that focuses on the applications and
websites that present the most risk by including or excluding desktop
applications and/or Windows. This preserves storage space and user privacy. For
example, exclude personal email and social media accounts.
iii. Enhanced phishing protection (Preview) allows organizations to
capture clips related to enhanced phishing protection in Microsoft Defender
SmartScreen. For example, you can capture when users enter the Microsoft
password they used to sign in to their Windows OS device on a phishing site or
in an application connecting to a phishing site.
iv. Protects user privacy through multiple levels of approval for activating
the capturing feature.
v. Customizable triggers and capturing options mean that security teams
can configure forensics evidence to meet their needs, whether based on incidents (for
example, capture 5 minutes before and 10 minutes after a user has downloaded
Secreatresearch.docx) or on continuous capturing needs.
vi. User-centric policy targets mean that security and compliance teams
can focus on user activity, not device activity, for better contextual
insights.
vii. Strong role-based access controls (RBAC) mean that the ability to
set and review forensics clips is tightly controlled and only available to
individuals in organizations with the correct permissions.
viii. Trial capacity (up to 20 GB) for captured clips, with quick access
to capacity utilization and the ability to purchase additional capacity.
2. Capturing Options:
There are two options for capturing information.
Insider risk management policies, including forensics evidence
policies, rely on triggering events. Triggering events are user actions that
determine if users are brought into scope for evaluation in insider risk
management policies.
i. Specific activities: This policy option captures activity only when a triggering event has brought an approved user into scope for the forensics evidence policy and when the conditions for a policy indicator are detected for the user. For example, a user approved for forensic evidence capturing is brought into scope and copies data to personal cloud storage services or portable storage devices. Capture is scoped only to the configured time frame when the user copies the data to the personal cloud storage service or portable storage device. Captures for this option will be available for review on the forensic evidence tab on the alerts dashboard.
ii. All activities: This policy option captures any user activity. For example, your organization
must capture activities for an approved user actively involved in potentially
risky activities that may lead to a security incident. Policy incidents may not
have reached the threshold for an alert to be generated by the policy, and the
potentially risky activity may not be documented. Continuous capturing helps
prevent potentially risky activity from being missed or going undetected. Captures
for this option will be available for review on the Forensics evidence tab on
the User Activity Reports (Preview) dashboard.
3. Workflow:
i. Users subject to capturing must have explicit capturing requests and
approvals: This is an extra process not included in configuring other
insider risk management policies. Users assigned to the Insider Risk Management
or Insider Risk Management Admin role groups must submit a request to those
assigned to the Insider Risk Management Approvers role group before any user in
your organization is eligible for clip-capturing options. For example, this requirement
helps support organizational scenarios where your insider risk management
admins must obtain approval from your designated legal or human resources personnel
before enabling capturing for any user.
ii. Devices must be onboarded and installed with the Microsoft Purview
client: Before forensics evidence can collect and store clips captured for
eligible users, their devices must be onboarded to the Microsoft Purview
compliance portal. Additionally, each device must have the Microsoft Purview
Client installed.
These prerequisites enable support for both online and offline device
capturing.