How Office 365 Helped Us To Achieve Our IASME Governance Certification
Microsoft's security solutions give businesses the protection they need.
As any responsible business should, TMB takes security seriously. Not only do we implement the very same technologies we sell to our customers, we also assess the effectiveness of our current systems on a regular basis, making improvements as necessary. Part of that means renewing our Cyber Essentials and IASME Governance certification every year.
This time around, we sailed through our Cyber Essentials assessment, meeting the added requirements that have been included in the 2018 question set. But IASME Governance is a more stringent test of an organisation’s cyber security mettle, and it was here that we found ourselves having to make some changes so we could renew our certification.
Over time, more and more of our team have begun using mobile phones and RemoteApps to access emails and to work while off premises. It was in this area that TMB needed to make some tweaks, but thankfully, as a certified Microsoft Partner, we already had all the tools we needed to be compliant again.
Using Office 365 and various Microsoft add-ons, we enabled multi-factor authentication on RemoteApps connections and implemented a robust mobile device management policy.
Central to this was Microsoft Intune, a security solution that enables businesses to quickly and easily manage any mobile devices that connect to corporate networks or servers. Team members can use whatever devices they want, but the businesses they work for remain safe.
Supporting Android, iOS, Windows and macOS, Intune allows you to create granular policies to control various aspects of data access in Office 365. As well as managing cloud-based access, organisations can allow on-premises access to SharePoint and Exchange servers, based on a wide variety of conditions.
Thanks to app-level control, it’s also possible to secure data even on devices that haven’t been enrolled into your security records. Using this technique, it’s possible to limit user actions like Save As and copy and paste.
To further protect data, we used Azure Information Protection. This is a solution that protects emails, documents and other data that are shared with third parties, enabling you to create policies that define who can access data and what they can do with it. It can also be fully automated, which makes using it relatively easy.
In our case, we used Azure Information Protection to identify and protect personal data, to help us comply with GDPR, but it can do much more than that. Not only does the protection follow the data wherever it goes and no matter who it’s shared with, you’re always able to see how it’s being used, and you can always revoke access later, if you want to.
Available both in the cloud and on premises, Azure Information Protection can also aid collaboration while keeping data safe. For example, it’s possible to share a file with someone else and allow them to read it and make edits to it, but not let them print it or share it on.
These are just a few of the security tools that can be at your disposal with Office 365, but there are many more, including Azure Active Directory, Microsoft Cloud App Security, Microsoft Advanced Threat Analytics, Microsoft Identity Manager and Azure Advanced Threat Protection. These can all be added separately, or they can be brought together under one licence, known as Enterprise Mobility + Security (EMS). Furthermore, you can get Windows 10, Office 365 and EMS all together under one Microsoft 365 licence.
It’s certainly something worth thinking about if you want your business to reach the standards of safety required by Cyber Essentials and IASME Governance.