Plan for insider risk management
Before an organization gets started with Insider risk management, there are important planning activities it must undertake. Its Information Technology (IT) and Compliance Management teams should then review these activities and considerations. Thoroughly understanding and planning for an Insider risk management deployment helps organizations ensure their implementations go smoothly and align with the solution's best practices.
Additional reading. For more information and an overview of the planning process to address risky activities in your organization, select the following link to download the article titled: Starting an Insider risk management program.
Additional viewing. Watch the following short videos for more information on Insider risk management:
- Insider Risk Management. This four-minute video examines the Insider risk management workflow. It analyzes how the workflow can help an organization prevent, detect, and contain risks while prioritizing the company's values, culture, and user experience.
- Microsoft Mechanics. This 14-minute video discusses how Insider risk management and communication compliance work together. It specifically focuses on how they help minimize data risks from users in an organization.
Work with stakeholders in your organization
An organization should identify the appropriate stakeholders that it assigns to its Insider risk management team.
- It should assign certain members of the team responsibility for taking actions on Insider risk management alerts and cases.
- Other stakeholders should be responsible for the initial planning and the end-to-end Insider risk management workflow. These stakeholders are usually people from the following areas of an organization:
- IT
- Compliance
- Privacy
- Security
- Human resources
- Legal
Determine regional compliance requirements
Different geographic and organizational areas may have compliance and privacy requirements that are different from other areas of an organization. Work with the stakeholders in these areas to ensure they understand:
- The compliance and privacy controls in Insider risk management.
- How the different areas of the organization should use these controls.
In some scenarios, compliance and privacy requirements may require policies that designate or restrict some stakeholders from investigations and cases. An organization may base these requirements on the case for a user, or regulatory or policy requirements for the area.
If an organization requires specific stakeholders to work in case investigations, it may want to implement separate Insider risk management policies. These policies would target users in certain regions, roles, or divisions, even if they're identical. This approach enables the organization to involve the necessary stakeholders for each case while also ensuring that it tailors the policies to the unique needs of each group. This configuration enables the efficient triaging and management of cases that the right stakeholders can identify as relevant to their roles and regions.
Plan for the review and investigation workflow
Organizations that want to manage Insider risk management policies and alerts must assign users to specific role groups to manage different sets of Insider risk management features. For example:
- It can assign users with different compliance responsibilities to specific role groups to manage different areas of Insider risk management features.
- It can also assign all user accounts for designated administrators, analysts, investigators, and viewers to the Insider Risk Management role group.
Organizations should use a single role group or multiple role groups to best fit its Compliance Management requirements. They can choose from the role group options and solution actions in the following table when working with Insider risk management.
| Actions | Insider Risk Management | Insider Risk Management Admin | Insider Risk Management Analysts | Insider Risk Management Investigators | Insider Risk Management Auditors |
|---|---|---|---|---|---|
| Configure policies and settings | Yes | Yes | No | No | No |
| Access analytics insights | Yes | Yes | Yes | No | No |
| Access & investigate alerts | Yes | No | Yes | Yes | No |
| Access & investigate cases | Yes | No | Yes | Yes | No |
| Access & view the Content Explorer | Yes | No | No | Yes | No |
| Configure notice templates | Yes | No | Yes | Yes | No |
| View & export audit logs | Yes | No | No | No | Yes |
Organizations should ensure they always have at least one user in the Insider Risk Management or Insider Risk Management Admin role groups (depending on the option they choose). By doing so, a company's Insider risk management configuration doesn't get in a "zero administrator" scenario if specific users leave the organization.
Members of the following roles can assign users to Insider risk management role groups and have the same solution permissions included with the Insider Risk Management Admin role group:
- Microsoft Entra Global Administrator
- Microsoft Entra Compliance Administrator
- Microsoft Purview compliance portal Organization Management
- Microsoft Purview compliance portal Compliance Administrator
Note
Azure Active Directory (Azure AD) is now Microsoft Entra ID. Learn more.
Understand requirements and dependencies
Depending on how it plans to implement Insider risk management policies, an organization must have the proper Microsoft 365 licensing subscriptions. It must also understand and plan for some solution prerequisites.
Licensing
Insider risk management is available as part of wide selection of Microsoft 365 licensing subscriptions. For details, see Getting started with Insider risk management.
Important
Insider risk management is currently available in tenants hosted in geographical regions and countries supported by Azure service dependencies. To verify that your organization supports Insider risk management, see Azure dependency availability by country/region.
If an organization doesn't have an existing Microsoft 365 Enterprise E5 plan, it can still try Insider risk management. It can add Microsoft 365 to its existing subscription or sign up for a trial of Microsoft 365 Enterprise E5.
Policy template requirements
Depending on the policy template that an organization chooses, there are requirements that it must understand and plan for prior to configuring Insider risk management:
- Data theft by departing users template. The organization must configure a Microsoft 365 HR connector to periodically import resignation and termination date information for its users. See the Import data with the HR connector article for step-by-step guidance to configure the Microsoft 365 HR connector.
- Data leaks templates. The organization must configure at least one Microsoft Purview Data Loss Prevention (DLP) policy to define sensitive information and to receive Insider risk alerts for High Severity DLP policy alerts. See Create and Deploy data loss prevention policies for step-by-step guidance to configure DLP policies.
- Security policy violation templates. The organization must enable Microsoft Defender for Endpoint for Insider risk management integration in the Microsoft Defender portal to import security violation alerts. For step-by-step guidance to enable Defender for Endpoint integration with Insider risk management, see Configure advanced features in Microsoft Defender for Endpoint.
- Disgruntled user templates. The organization must configure a Microsoft 365 HR connector to periodically import performance or demotion status information for an organization's users. See the Import data with the HR connector article for step-by-step guidance to configure the Microsoft 365 HR connector.
Test with a small group of users in a production environment
Before an organization enables the Insider risk management solution broadly in its production environment, it should consider testing the policies with a small set of production users while conducting for the necessary compliance, privacy, and legal reviews. Evaluating Insider risk management in a test environment requires that you generate simulated user actions and other signals to create alerts for triage and cases for processing. This approach isn't practical for most organizations. As such, Microsoft recommends testing Insider risk management with a small group of users in a production environment.
During testing, keep the Anonymization feature in policy settings enabled. This setting anonymizes user display names in the Insider risk management console during testing to maintain privacy within the tool. Doing so helps protect the privacy of users that have policy matches. It can also help promote objectivity in data investigation and analysis reviews for Insider risk alerts.
If no alerts immediately appear after configuring an Insider risk management policy, it may mean the organization has yet to meet the minimum risk threshold. It's important that you check whether an action triggered the policy, and the policy works as expected. To do so, see if the user is in-scope for the policy on the Users page.