Monday, July 1, 2024

The Compliance Insider Risk Management Forensics Evidence

Insider risk management is a technical process that users follow within a specified system. Several approaches and steps make the system user-friendly for accomplishing this work.

1. Feature capabilities:

i. Visual capturing allows organizations to capture clips of key security-related user activities, giving security and compliance teams visibility into those activities and meeting organizational needs.

ii. Configure a recording policy that focuses on the applications and websites that present the most risk by including or excluding desktop applications and/or Windows. This preserves storage space and user privacy. For example, exclude personal email and social media accounts.

iii. Enhanced phishing protection (Preview) allows organizations to capture clips related to enhanced phishing protection in Microsoft Defender SmartScreen. For example, you can capture when users enter the Microsoft password they use to sign in to their Windows device on a phishing site, or in an application connecting to a phishing site.

iv. Protects user privacy through multiple levels of approval for activating the capturing feature.

v. Customizable triggers and capturing options mean that security teams can set forensic evidence to meet their needs, whether based on incidents (for example, capture 5 minutes before and 10 minutes after a user has downloaded SecretResearch.docx) or on continuous capturing needs.

vi. User-centric policy targets mean that security and compliance teams can focus on user activity, not device activity, for better contextual insights.

vii. Strong role-based access controls (RBAC) mean that the ability to set and review forensic clips is tightly controlled and only available to individuals in the organization with the correct permissions.

viii. Trial capacity (Up to 20 GB) for captured clips, with quick access to capacity utilization and the ability to purchase additional capacity.

2. Capturing Options:

There are two options for capturing information. Both depend on triggering insider risk management policies, including forensic evidence policies. Triggering events are user actions that determine whether users are brought into scope for evaluation in insider risk management policies.

i. Specific activities: This policy option captures activity only when a triggering event has brought an approved user into scope for the forensic evidence policy and when the user's activity meets the conditions for a policy indicator. For example, a user approved for forensic evidence capturing is brought into scope by a policy that detects data being copied to personal cloud storage services or portable storage devices. Capture is scoped only to the configured time frame around the user copying the data to the personal cloud storage service or portable storage device. Captures for this option are available for review on the Forensic evidence tab of the Alerts dashboard.

ii. All activities: This policy option captures any user activity. For example, your organization may need to capture activities for an approved user actively involved in potentially risky activities that could lead to a security incident. Policy indicators may not have reached the threshold for an alert to be generated by the policy, so the potentially risky activity might not otherwise be documented. Continuous capturing helps prevent potentially risky activity from being missed or going undetected. Captures for this option are reviewed on the Forensic evidence tab of the User activity reports (Preview) dashboard.
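To make the two capturing options concrete, the following Python is an added example (not code from the original post and not Microsoft Purview's own implementation). It models a recording policy with an application exclusion list, a set of triggering actions, and a before/after capture window, then applies it to a constructed stream of activity events in both "Specific activities" and "All activities" mode. The event schema, policy field names, application names and sample users are all assumptions made for the illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class ActivityEvent:
    """One user activity observed on an onboarded device (hypothetical schema)."""
    ts: datetime
    user: str
    app: str        # desktop application or website in focus
    action: str     # e.g. "view", "download", "copy_to_usb"
    detail: str = ""


@dataclass(frozen=True)
class RecordingPolicy:
    """Hypothetical policy model: who may be captured, what is excluded, what triggers capture."""
    approved_users: FrozenSet[str]    # users whose capture request has been approved
    excluded_apps: FrozenSet[str]     # e.g. personal email / social media clients
    trigger_actions: FrozenSet[str]   # triggering events that bring a user into scope
    before: timedelta = timedelta(minutes=5)
    after: timedelta = timedelta(minutes=10)
    continuous: bool = False          # True selects the "All activities" option


def is_recordable(policy: RecordingPolicy, ev: ActivityEvent) -> bool:
    """Only approved users are ever captured, and excluded apps are never captured."""
    return ev.user in policy.approved_users and ev.app not in policy.excluded_apps


def capture_windows(policy: RecordingPolicy,
                    events: List[ActivityEvent]) -> List[Tuple[str, datetime, datetime]]:
    """Per-user (user, start, end) windows opened by triggering events of approved users.

    A triggering action by a user who was never approved opens no window at all.
    """
    windows = []
    for ev in events:
        if ev.user in policy.approved_users and ev.action in policy.trigger_actions:
            windows.append((ev.user, ev.ts - policy.before, ev.ts + policy.after))
    return windows


def select_clips(policy: RecordingPolicy, events: List[ActivityEvent]) -> List[ActivityEvent]:
    """Events that would end up in a forensic evidence clip under this policy."""
    recordable = [e for e in events if is_recordable(policy, e)]
    if policy.continuous:
        return recordable
    windows = capture_windows(policy, events)
    # Specific-activities mode: keep only events inside a window opened for the same user.
    return [e for e in recordable
            if any(u == e.user and start <= e.ts <= end for u, start, end in windows)]


# Constructed sample data: alice is approved, bob is not; PersonalMail is excluded.
T0 = datetime(2024, 7, 1, 9, 0)
EVENTS = [
    ActivityEvent(T0, "alice", "Excel", "view", "Budget.xlsx"),
    ActivityEvent(T0 + timedelta(minutes=3), "alice", "PersonalMail", "view"),
    ActivityEvent(T0 + timedelta(minutes=4), "alice", "SharePoint", "view", "SecretResearch.docx"),
    ActivityEvent(T0 + timedelta(minutes=6), "alice", "SharePoint", "download", "SecretResearch.docx"),
    ActivityEvent(T0 + timedelta(minutes=7), "bob", "SharePoint", "download", "SecretResearch.docx"),
    ActivityEvent(T0 + timedelta(minutes=10), "alice", "Explorer", "copy_to_usb", "SecretResearch.docx"),
    ActivityEvent(T0 + timedelta(minutes=20), "alice", "Teams", "view"),
]
POLICY = RecordingPolicy(
    approved_users=frozenset({"alice"}),
    excluded_apps=frozenset({"PersonalMail", "SocialMedia"}),
    trigger_actions=frozenset({"download"}),
)

if __name__ == "__main__":
    for mode, pol in (("specific", POLICY), ("continuous", replace(POLICY, continuous=True))):
        print(f"--- {mode} activities ---")
        for e in select_clips(pol, EVENTS):
            print(e.ts.strftime("%H:%M"), e.user, e.app, e.action, e.detail)
```

In specific-activities mode only alice's download at 09:06 opens a window (09:01 to 09:16), so her 09:00 Excel activity and 09:20 Teams activity fall outside it, the personal-mail activity is dropped by the exclusion list, and bob's identical download opens nothing because he was never approved. Switching to continuous mode keeps every non-excluded activity of the approved user regardless of triggers.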

3. Workflow:

i. Users subject to capturing must have explicit capturing requests and approvals: This is an extra process not included in configuring other insider risk management policies. Users assigned to the Insider Risk Management or Insider Risk Management Admin role groups must submit a request to those assigned to the Insider Risk Management Approvers role group before any user in your organization is eligible for clip-capturing options. This requirement helps support organizational scenarios where your insider risk management admins must receive approval from your designated legal or human resources personnel before enabling capturing for any user.

ii. Devices must be onboarded and have the Microsoft Purview Client installed: Before forensic evidence can collect and store clips captured for eligible users, their devices must be onboarded to the Microsoft Purview compliance portal. Additionally, each device must have the Microsoft Purview Client installed.

These prerequisites enable support for both online and offline device capturing.
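The request-and-approval step and the device prerequisites above combine into a small eligibility check. The following Python is an added example (not code from the original post and not Microsoft Purview's own workflow) that models the role groups, a pending/approved/rejected request, and the onboarding and client-install conditions. The role-group name for approvers, the rule that a requester cannot approve their own request, and the device and user names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set


class Role(Enum):
    IRM = "Insider Risk Management"
    IRM_ADMIN = "Insider Risk Management Admin"
    IRM_APPROVER = "Insider Risk Management Approvers"   # assumed name of the approval role group


REQUESTER_ROLES = {Role.IRM, Role.IRM_ADMIN}


class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"


@dataclass
class Device:
    """Device prerequisites: onboarded to the portal and running the Purview client."""
    name: str
    onboarded: bool
    client_installed: bool


@dataclass
class CaptureRequest:
    target_user: str
    requested_by: str
    justification: str
    status: Status = Status.PENDING
    decided_by: Optional[str] = None


class ApprovalError(Exception):
    """Raised when a step violates the request/approval rules."""


class CaptureApprovalWorkflow:
    def __init__(self, role_assignments: Dict[str, Set[Role]]):
        self.roles = role_assignments
        self.requests: Dict[str, CaptureRequest] = {}   # one open request per target user

    def _has_any(self, principal: str, roles: Set[Role]) -> bool:
        return bool(self.roles.get(principal, set()) & roles)

    def submit(self, requester: str, target_user: str, justification: str) -> CaptureRequest:
        """Only IRM or IRM Admin members may request capturing for a user."""
        if not self._has_any(requester, REQUESTER_ROLES):
            raise ApprovalError(f"{requester} is not in an insider risk management role group")
        req = CaptureRequest(target_user, requester, justification)
        self.requests[target_user] = req
        return req

    def decide(self, approver: str, target_user: str, approve: bool) -> CaptureRequest:
        """Only the approvers group may decide, and not on its own request (assumed rule)."""
        req = self.requests[target_user]
        if req.status is not Status.PENDING:
            raise ApprovalError("request already decided")
        if not self._has_any(approver, {Role.IRM_APPROVER}):
            raise ApprovalError(f"{approver} is not in the approvers role group")
        if approver == req.requested_by:
            raise ApprovalError("requester cannot approve their own request")
        req.status = Status.APPROVED if approve else Status.REJECTED
        req.decided_by = approver
        return req

    def capture_eligible(self, target_user: str, device: Device) -> bool:
        """Clips may be collected only for an approved user on a fully prepared device."""
        req = self.requests.get(target_user)
        return (req is not None and req.status is Status.APPROVED
                and device.onboarded and device.client_installed)


if __name__ == "__main__":
    # Constructed principals: dana administers IRM, frank sits in the approvers group.
    wf = CaptureApprovalWorkflow({"dana": {Role.IRM_ADMIN}, "frank": {Role.IRM_APPROVER}})
    wf.submit("dana", "alice", "case INC-0000 (constructed placeholder)")
    wf.decide("frank", "alice", approve=True)
    print("eligible:", wf.capture_eligible("alice", Device("LAPTOP-01", True, True)))
    print("eligible:", wf.capture_eligible("alice", Device("LAPTOP-02", True, False)))
```

Keeping the request, the decision and the device checks as three separate gates mirrors the text: approval alone does not start collection until the device is onboarded and the client is present, and a request never becomes effective without a decision from the approvers group.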
