Office 365 is a public cloud service. What this basically means is that the servers it uses are shared between everyone who uses the service. This may prevent some organizations from using it, but for the most part, it is perfectly feasible to use Office 365 in regulated environments – as long as you stay on top of security and compliance. With that in mind, here is a brief guide to your options for Office 365 security and compliance.
In-house using Office 365’s inbuilt reporting tools
It has to be said that the reporting tools in Office 365 are a vast improvement on the days of running PowerShell scripts to pull up information. In addition to having an extensive range of reports, Office 365 does an excellent job of presenting information in an easy-to-read format, which can be understood by just about anyone. In short, the native reports are perfect for showing to people who don’t really know about IT but still need to understand what IT means for the organization (like the average senior manager).
The problem is that this simplicity is not likely to impress the average auditor, and if they have a question, somebody is going to have to spend their time going through the reports manually and putting together the information they need. Chances are that somebody will be an internal hire whose time costs less than the average auditor's, but it is still an expense you could have avoided by going down a different route.
It’s also worth noting that there’s a limit to the time Microsoft will store the data for these reports, so the onus will be on you to download and store them yourselves. This may have its own security and compliance implications.
In-house using third-party reporting tools
Even though Office 365’s native reporting tools are a great improvement on what Microsoft used to offer, the fact that they have so many limitations has led third-party vendors to create alternative software offerings to address them. While each third-party tool will have its own characteristics, the general selling point behind them is that they offer a much easier way to monitor security issues and to demonstrate compliance both with the principles of data security in general and with specific compliance programs such as HIPAA, PCI DSS and GDPR.
Typically, these programs will take the data produced by the Office 365 reporting system and slice and dice it so that it is searchable (in case an auditor asks you a specific question). They may also generate reports which are designed to show how your organization acts to comply with specific compliance programs (and hence highlight when you are not and need to take action). They also make it easier for you to store the relevant information for an extended period, which can also be very useful for keeping auditors happy.
While this is all well and good, the fact still remains that these third-party Office 365 security and compliance monitoring tools will only be any good to anyone if there is at least one person within your organization who can actually understand them. This leaves you with the challenge of recruiting and retaining such a person (which begins with determining whether or not this is a full-time role) and since recruitment and retention will only get you so far, you will also have the challenge of replacing them when they leave.
Externally using a third-party Office 365 security and compliance monitoring service
Looking purely at headline figures, this is the most expensive approach. Looked at from a practical perspective, however, it can actually be the most affordable and certainly the most cost-effective.
Using a reputable third-party Office 365 security and compliance monitoring service will save you the hassle of having to identify and deal with security threats. It will also ensure that you not only stay in compliance with all relevant laws and programs but that you can demonstrate that you have stayed in compliance with all relevant laws and programs. In a worst-case scenario, this can be hugely important in avoiding fines or other sanctions such as court judgments going against you.
Using a third-party Office 365 security and compliance monitoring service saves you the time required to analyze Office 365’s native reports and the money needed to buy third-party Office 365 reporting tools, plus the expense of recruiting and retaining the staff to use them effectively. In short, all of this becomes the responsibility of the third-party Office 365 security and compliance monitoring service.
If you’re interested in learning more about Office 365 security and compliance in Sacramento CA, please click here now to contact Aperio.IT.