Streamlining Security Operations with Microsoft Purview: A Role-Based Daily and Weekly Guide

Introduction

So, you’ve just installed Microsoft Purview, and you’re probably wondering, “What’s next?” and “Who’s going to handle this?” Well, don’t worry; you’ve made a fantastic choice! Microsoft Purview is a brilliant data governance solution that helps your organisation classify, protect, and manage sensitive data across different platforms. But simply installing it isn’t enough; you’ve got to keep up with it to ensure it’s doing its job effectively.

This blog post is here to guide you through the follow-up process. We’ll cover a comprehensive checklist of daily, weekly, and monthly tasks to make sure you’re getting the most out of Microsoft Purview. Plus, we’ll help you figure out who in your team should handle these tasks, ensuring everything runs smoothly and securely.


Summary table (category, with its daily, weekly and monthly activities):

Information Protection
  Daily:
  • Monitor alerts/incidents queue for any sensitive information being exfiltrated
  • Monitor anomaly activities through Activity Explorer
  Weekly:
  • Review sensitivity locations (ensure correct governance is in place)
  • Review top sensitive labels applied
  • Review Encrypted Report
  Monthly:
  • Review what’s new in IP
  • Review Office apps health (version governance)

Data Loss Prevention
  Daily:
  • Review alerts & incidents dashboard
  • Review potential data leak report
  • Review sensitive information shared report
  • Review top activities
  Weekly:
  • Look at the insights for unprotected documents in SharePoint and OneDrive
  • Review device health for EDLP
  • Review opportunities to extend SIT to auto-labelling
  Monthly:
  • Review encryption report
  • Review insights for potential modification of policies
  • Review what’s new in DLP

Data Lifecycle Management
  Daily:
  • Review label application activity
  Weekly:
  • Review retention label activities in Activity Explorer
  • Review label activities
  • Review dispositions
  Monthly:
  • Review what’s new in Data Lifecycle Management
  • Review archive mailbox data

Insider Risk Management
  Daily:
  • Review alerts and cases
  • Review policies that are most active
  • Review reports and any alerts older than 30 days that have not been actioned
  • Review Sensitive Interaction
  Weekly:
  • Review analytics for opportunities to fine-tune policies
  • Review active cases to see if they can be closed or escalated to eDiscovery
  • Investigate an active case before closing
  Monthly:
  • Review what’s new in Insider Risk Management
  • Review forensic evidence device health
  • Review reports with relevant stakeholders like HR
  • Review sensitive interaction with AI Assistance

AI Hub
  Weekly:
  • Review sensitive data reference in Copilot
Data Security Operational Checklist

1. Information Protection

Daily Activities

  • Monitor alerts/incidents queue for any sensitive information being exfiltrated
    Role: Security Analyst – Responsible for tracking and analysing alerts related to data breaches or exfiltration attempts.
  • Monitor anomaly activities through Activity Explorer
    Role: Security Operations Centre (SOC) Analyst – This role involves using Activity Explorer to identify and investigate any unusual user or system behaviour.

Weekly Activities

  • Review sensitivity locations (ensure correct governance is in place)
    Role: Information Protection Administrator – Ensures that all data sensitivity labels are applied correctly across the organisation.
  • Review top sensitive labels applied
    Role: Data Protection Officer (DPO) – Reviews sensitivity labels to ensure compliance with data protection laws and policies.
  • Review Encrypted Report
    Role: Encryption Specialist – Verifies that all necessary data is encrypted and encryption standards are maintained.

Monthly Activities

  • Review what’s new in IP (Information Protection)
    Role: Chief Information Security Officer (CISO) – Stays updated on the latest developments in Information Protection to ensure strategic alignment.
  • Review Office apps health (version governance)
    Role: IT Manager – Ensures that all Office applications are up-to-date and compatible with the organisation’s security policies.

2. Data Loss Prevention (DLP)

Daily Activities

  • Review alerts & incidents dashboard
    Role: Security Analyst – Monitors the DLP dashboard for any potential data loss incidents.
  • Review potential data leak report
    Role: Data Loss Prevention Specialist – Evaluates reports for potential leaks and recommends preventive measures.
  • Review sensitive information shared report
    Role: Data Governance Officer – Ensures that shared data complies with governance policies and procedures.
  • Review top activities
    Role: Security Operations Centre (SOC) Analyst – Focuses on analysing the most critical activities related to data loss prevention.

Weekly Activities

  • Look at insights for unprotected documents in SharePoint and OneDrive
    Role: SharePoint Administrator – Identifies and rectifies any unprotected documents.
  • Review device health for EDLP (Endpoint Data Loss Prevention)
    Role: Endpoint Security Specialist – Checks that all endpoints are compliant with EDLP policies.
  • Review opportunities to extend SIT to auto-labelling
    Role: Data Protection Officer (DPO) – Evaluates how auto-labelling can be used to enhance data security.

Monthly Activities

  • Review encryption report
    Role: Encryption Specialist – Verifies that all necessary data encryption measures are in place and effective.
  • Review insights for potential modification of policies
    Role: Chief Information Security Officer (CISO) – Considers insights to make necessary policy adjustments.
  • Review what’s new in DLP
    Role: Security Policy Manager – Stays informed about the latest developments in DLP to update policies and practices.

3. Data Lifecycle Management

Daily Activities

  • Review label application activity
    Role: Data Lifecycle Manager – Ensures that all data is appropriately labelled throughout its lifecycle.

Weekly Activities

  • Review retention label activities in Activity Explorer
    Role: Data Governance Officer – Checks that retention labels comply with organisational policies.
  • Review label activities
    Role: Information Protection Administrator – Ensures that label activities align with protection standards.
  • Review dispositions
    Role: Data Lifecycle Manager – Oversees the correct disposition of data as per policy requirements.

Monthly Activities

  • Review what’s new in Data Lifecycle Management
    Role: Data Lifecycle Manager – Stays updated on changes in data lifecycle management practices.
  • Review archive mailbox data
    Role: Mail Systems Administrator – Ensures that archived mail data is properly stored and accessible.

4. Insider Risk Management

Daily Activities

  • Review alerts and cases
    Role: Insider Threat Analyst – Monitors alerts and investigates potential insider threats.
  • Review policies that are most active
    Role: Policy Compliance Officer – Ensures that active policies are being followed correctly.
  • Review reports and any alerts older than 30 days that have not been actioned
    Role: Security Operations Centre (SOC) Analyst – Addresses any lingering alerts that still require action.
  • Review Sensitive Interaction
    Role: Data Protection Officer (DPO) – Reviews sensitive interactions to ensure compliance with data protection policies.

Weekly Activities

  • Review analytics for opportunities to fine-tune policies
    Role: Security Policy Manager – Looks for ways to improve policies based on analytics.
  • Review active cases to see if they can be closed or escalated to eDiscovery
    Role: eDiscovery Specialist – Determines whether cases should be closed or require further investigation.
  • Investigate an active case before closing
    Role: Insider Threat Analyst – Thoroughly investigates cases before closure.

Monthly Activities

  • Review what’s new in Insider Risk Management
    Role: Chief Information Security Officer (CISO) – Keeps abreast of developments in insider risk management.
  • Review forensic evidence device health
    Role: Forensic Analyst – Ensures that all devices used for forensic analysis are in top condition.
  • Review reports with relevant stakeholders like HR
    Role: HR Manager – Collaborates on reports concerning insider risk cases.
  • Review sensitive interaction with AI Assistance
    Role: AI Ethics Officer – Ensures AI assistance complies with ethical standards.

5. AI Hub

Weekly Activities

  • Review sensitive data reference in Copilot
    Role: AI Ethics Officer – Ensures that AI models are handling sensitive data responsibly.


Role Assignments

Here’s a quick overview of the key roles and their responsibilities:

Azure Roles:

  • Security Administrator: Manages security settings and policies.
  • Compliance Administrator: Oversees compliance-related tasks and auditing.
  • Information Protection Administrator: Focuses on data protection and information management.
  • Data Loss Prevention (DLP) Administrator: Implements and monitors DLP policies.
  • Data Lifecycle Management Administrator: Manages data lifecycle policies and retention.
  • Insider Risk Management Analyst: Identifies and mitigates insider threats.

Microsoft 365 Roles:

  • Global Administrator: Highest level of access with control over all administrative features.
  • Security Reader: Can read security configurations and reports but not alter them.
  • Compliance Data Administrator: Manages compliance data and ensures regulatory adherence.

Company Roles:

  • Chief Information Security Officer (CISO): Oversees the organisation’s overall security strategy.
  • Data Protection Officer (DPO): Ensures compliance with data protection regulations and policies.
  • IT Manager: Manages IT operations and aligns IT policies with business needs.
  • HR Manager: Collaborates on security aspects related to human resources.