Case Study

Financial services juggernaut overhauls records management system and strengthens its compliance posture

We worked with our client to enhance their compliance capabilities – and keep them from falling foul of increasingly strict regulation.

Our client is a financial services institution responsible for over $4.5 trillion in assets. Working in close partnership, we developed a nine-step plan to keep them compliant as they grow exponentially.

As a financial services organisation, our client was at a heightened risk of falling foul of increasingly strict legislation. They felt it was time to act and develop a comprehensive security, governance, and compliance approach across the organisation.

Experienced in helping organisations improve their compliance posture, Kocho was ideally placed to meet the client’s needs, which is why we were referred to them by Microsoft.

After performing a series of detailed discovery exercises, our client appointed us to support them across key compliance areas which included Azure Information Protection (AIP), Data Loss Prevention (DLP), and records management.

Achieving continuous compliance for a financial services giant

Here’s how we helped our client ‘Become greater’:

Successful implementation of Azure Information Protection (part of Microsoft Information Protection) allowing users to accurately add classification labels to unstructured data.

Overhaul of current record management system, including marking employee files as ‘records’ to prevent modification or accidental deletion.

Migration of non-governed records from on-premises to SharePoint Online.

Ongoing development of Data Loss Prevention protocols using AIP and Data Classification labelling.

Failure (to comply) is not an option!

Our client was established in 1969 in the USA and has seen rapid growth ever since, opening up offices across Europe and Asia and employing over 40,000 people.

With a growing workforce and over 2.5 million active clients, protecting sensitive information from external threats and internal leaks – whilst responding to a remote working revolution – was paramount.

The company operates in the financial services and insurance (FSI) sector, which is the number one target industry for cyber attackers. As a result, the FSI sector is heavily regulated.

With regulators such as the Financial Conduct Authority (FCA) having the power to stop companies trading overnight if a breach is reported, the risk of falling foul of increasingly strict compliance regulations is a very real concern.

So comprehensive security and compliance controls were right at the top of the client’s IT agenda.

Discovery creates the roadmap for an ambitious compliance journey

Our client was put in touch with us via Microsoft referral. We ran a range of in-depth discovery workshops and created a series of Proof of Concepts (PoCs), as well as a compliance enhancement plan covering nine key areas.

These nine areas included:

  • Microsoft Defender for Cloud Apps
  • Microsoft Purview Information Protection
  • Records Management
  • Data Loss Prevention – Proofpoint swap out
  • Azure AD Identity Protection
  • Privileged Identity Management (PIM) – CyberArk replacement
  • Azure AD Identity Governance
  • Insider Risk Management
  • Microsoft Defender for Office 365

The PoCs we ran around AIP and DLP proved to be so successful that our client committed to plans for a complete rollout of these solutions across the organisation.

Compliance investments that promise to pay off

Our initial three focus areas were AIP, DLP, and Records Management.

Adding classification labels to unstructured data

Our initial engagement with our client around AIP was the deployment of a proof of concept, and a series of pilot implementations to a small control group. Our aim was to get this in place before the organisation’s full, company-wide compliance audit in 2021.

The audit itself highlighted the need for a set of classification labels to be rolled out across the organisation.

Working with our client, we scoped out a six-month full deployment plan, giving all users across the organisation the ability to classify, label, and better control the sharing of unstructured data.

The activities for this engagement included the following key aspects:

  • Discovery, review, and gap analysis of current configuration and functionality.
  • Defining a new roadmap for Microsoft Purview Information Protection deployment across the environment.
  • Solution design for the sensitivity labels and policies.
  • Implementation.
  • Phased onboarding of users, including adoption services.
  • Phased migration of users from voluntary to mandatory labelling.
  • Launch communications, full training, and knowledge transfer.

Keep what you need and delete what you don’t

After the client’s 2021 compliance audit, it became apparent that there was an urgent need to refine their approach to records management.

The current process was to keep all records for 30 years, a policy that is difficult to justify to the Information Commissioner’s Office should they come knocking (and the ICO hasn’t been lax in its enforcement of penalties for GDPR breaches).

The Human Resource (HR) department was particularly keen to implement Records Management, something we supported successfully with a Proof of Concept.

Following this successful PoC, the next stage is for Kocho to assist in a full Records Management roll-out, ensuring the HR Dept. is able to:

  • Move storage of employee record files from non-governed, on-premises file share into SharePoint Online, making full use of our client’s Microsoft 365 E5 licensing.
  • Mark employee files as ‘records’ to prevent modification and deletion during the period of retention, maintaining the integrity of the information.
  • Provide relevant stakeholders with granular access to the Employee Records site and folders.
  • Manage governance requirements with a comprehensive file plan featuring specific retention schedules for records of employees in different geographies.

Using these capabilities, the organisation will incorporate the company’s current retention schedules and requirements into a new Records Management solution that manages retention, records declaration, and disposal over the full lifecycle of content.
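To show what “marking files as records” with per-geography retention schedules looks like in Microsoft 365, here is an added example using Security & Compliance PowerShell; it is not Kocho’s or the client’s configuration. The account, site URL, label names and retention durations are placeholders, and the example assumes the ExchangeOnlineManagement module and a Compliance Administrator role.

```powershell
# Added example (not the client's file plan): declare HR employee files as
# records with one retention label per geography, then publish the labels
# only to the governed Employee Records site in SharePoint Online.
# Placeholders: account, site URL, label names and durations.
Connect-IPPSSession -UserPrincipalName compliance-admin@contoso.example

# One label per geography. -IsRecordLabel $true makes a labelled item a
# record: it cannot be edited or deleted while the retention period runs.
# KeepAndDelete keeps the file for the period, then disposes of it, which
# replaces a blanket "keep everything for 30 years" rule.
# Retention starts from the file's creation date here; an event-based
# trigger (e.g. employee leaving) is also possible but omitted for brevity.
$geographies = @(
    @{ Name = 'HR Employee Record - UK'; Days = 2190 }   # 6 years, placeholder
    @{ Name = 'HR Employee Record - US'; Days = 2555 }   # 7 years, placeholder
)

foreach ($g in $geographies) {
    New-ComplianceTag -Name $g.Name `
        -IsRecordLabel $true `
        -RetentionAction KeepAndDelete `
        -RetentionDuration $g.Days `
        -RetentionType CreationAgeInDays `
        -Comment 'Employee record; placeholder retention schedule'
}

# Scope the label policy to the Employee Records site only, so the record
# labels appear in that site's label picker and nowhere else.
$site = 'https://contoso.sharepoint.com/sites/EmployeeRecords'   # placeholder
New-RetentionCompliancePolicy -Name 'HR Employee Records Policy' `
    -SharePointLocation $site `
    -Enabled $true

# Publishing rule: comma-separated list of the label names created above.
New-RetentionComplianceRule -Name 'Publish HR record labels' `
    -Policy 'HR Employee Records Policy' `
    -PublishComplianceTag ($geographies.Name -join ',')

# Check: each HR label should report IsRecordLabel = True with the
# expected duration before anyone relies on it for an audit.
Get-ComplianceTag |
    Where-Object { $_.Name -like 'HR Employee Record - *' } |
    Select-Object Name, IsRecordLabel, RetentionDuration, RetentionType
```

Once published, the label can be set as the default for the Employee Records document library so newly uploaded files are declared records automatically rather than relying on users to pick the label.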

Guarding against accidental and malicious data loss

Our client deals with financial data, and it is imperative that they protect it and ensure it isn’t shared with the wrong people.

Currently, they use a third-party solution, Proofpoint, which is proving cumbersome and generates too many false positives, creating extra cost in comparison with the Microsoft approach of using AIP and DLP together.

Once the implementation of AIP is complete, we will work with the client to develop, refine, and implement new DLP policies to prevent inappropriate data sharing and data leakage.

This will work in harmony with AIP sensitivity labels, sensitive information types, and trainable classifiers (currently supplied by a third-party tool), to add additional context around sensitive content to the DLP setup.

The deployment of DLP will allow our client to understand the potential risks and scale of sensitive data being shared inappropriately, and to take control with policies to prevent incorrect actions, direct users to approved sharing mechanisms, and reduce compliance risks from data loss.

Compliance is a journey, not a destination

Securing and bolstering compliance is of paramount importance in today’s climate of sophisticated cyber attacks and increasingly stringent data protection legislation, particularly in a highly targeted industry such as financial services.

Achieving compliance is an ongoing process, one that needs constant evaluation and revision, and at Kocho, we recognise and put this into practice for our clients.

Kocho’s dedicated Managed Compliance offering is designed to raise internal awareness and establish the processes and reviews necessary to ensure compliance is maintained. This approach consists of “Six steps to compliance”:

  1. Initial Compliance Posture Assessment.
  2. In-depth discovery and compliance roadmap.
  3. Recommendations on priority systems and controls.
  4. Configuration of in-built Microsoft 365 E5 compliance tools.
  5. Regular progress reviews / compliance posture re-testing.
  6. Optimising costs through strategic advisory services around the Microsoft 365 compliance suite.

When our client needed a partner to overhaul their records management system and strengthen their compliance posture, they were referred to us not only because of our ability to help them achieve compliance but also because of our ongoing partnership approach.
