Thanks for mentioning this! I’d also be very interested in anyone’s feedback & experiences implementing O365 Compliance Centre. If you can, please share your insights for us all to see here!
Records & Information Management Analyst
ARC Resources Ltd.
Yes please! We have started investigating the issue as well, and any insights would be welcome.
Currently we have concerns about access and group management (e.g. ability of group owners/members to invite externals/guests without any control/approval step, mixing external users in the same groups as internal users), security clearances, retention, declaring records, the number of versions (too high due to auto-save) and the automatic roll-off of versions when the limit is reached without the possibility of users to mark/lock important versions that should not be rolled off, hidden folders/stores, etc. Perhaps we do not yet understand fully how things work, but there seem to be serious gaps compared to our current policy requirements and level of compliance.
Zsuzsanna Tozser Milam
Office 365 – Security and Compliance Center
Ewan Macauley, IQBG, CTO
Richard Molique, IQBG, Director of Technical Operations, AIIM Fellow
Aug 22, 2019
The latest updates by Microsoft to the Security and Compliance module of Office365 is reminiscent of the 90’s management book “Who moved my cheese” by Spencer Johnson. Large ECRM solution providers must be looking over their shoulders wondering what is next?
The initial product offering had a few nifty compliance reports including some rules that could be enabled to protect data and search content. Microsoft, by their own admission, decided to take on the industry giants in the Enterprise Records Management space, and the last product update clearly does that and lays down the gauntlet. Whether Microsoft can unseat the big players is yet to be seen, however, it does warrant inclusion in any solution discussion now. In the next few paragraphs, I will highlight a few of our experiences and observations derived from a recent large deployment of Office 365 Security and Compliance.
As with any product choices, there are tradeoffs. The first major decision that must be taken into account is how the record exists within the system. With most/all current solution providers, the document has to be consciously moved or copied to the system of record, be it manually or electronically, making up a separate repository. There are a number of regulatory requirements that mandate this, and if this is a requirement, Office 365 Records and Compliance does not fit the bill. In Office 365 the record is created within the records management universe where it will be stored and managed. Furthermore, as part of the creation process, it will form part of the augmented Office365 product set such as Teams and other collaboration products. What this means from a deployment perspective is that the implementation of an RM strategy can form part of an Office365 deployment, overcoming traditional organizational resistance, and because it’s part of the Office365 suite of products, it is seamless and has a much higher level of adoption.
It is, however, our experience that as important as the location of the record is, the adoption of any solution or system is based on a security-centric environment. Users will question; do the consumers of the technology trust that the system is going to be secure, that access to content will be managed appropriately and that roles and permissions will be appropriately maintained? The roles, rights and responsibilities within Office 365 are integrated into the Active Directory system that users trust and rely on every day. All other systems hang off of the organizational AD, and although these are well developed and reliable systems, the perception remains that they are vulnerable.
The suitability of the Office 365 RM capability to each organization’s requirements still needs to be determined on a case by case basis, matching functional requirements to the capability of the product. Larger point solutions on the market have years of product knowledge and capability build into their solutions, so feature functions are perhaps more robust than the current O365 offering. However, the rate with which Microsoft has been releasing enhancements into this space does beg the question – how much longer with this be the case?
Finally, the security and reporting aspect of Office 365 stands head and shoulders above any other provider in this space. Not only can an organization take proactive steps to control and manage sensitive data such as PII, the reporting capability gives a unique insight into how well you are doing as an organization in this historically very sensitive space.
If you or others in the forum have any questions, please let me know.
We at HELUX are certainly seeing more clients who are using or are interested in using O365 Compliance Center. So we are helping them explore implementation options. The above discussions certainly touch the key points. I can send you a presentation that can provide some information and answer some questions you might have regarding records management in O365 and SPO. I would also be happy to share what HELUX has learnt from its engagements. If you are interested, then please contact me at amitabh@… or call me at 613.262.6569.
Amitabh Srivastav, PMP, CIP
VP, Operations & Governance
Thank you for your help!