Plan for insider risk management


Before an organization gets started with Insider risk management, there are important planning activities it must undertake. Its Information Technology (IT) and Compliance Management teams should review these activities and considerations. Thoroughly understanding and planning for an Insider risk management deployment helps an organization ensure its implementation goes smoothly and aligns with the solution's best practices.

Additional reading. For more information and an overview of the planning process to address risky activities in your organization, see the article titled Starting an Insider risk management program.

Additional viewing. Watch the following short videos for more information on Insider risk management:

  • Insider Risk Management. This four-minute video examines the Insider risk management workflow. It analyzes how the workflow can help an organization prevent, detect, and contain risks while prioritizing the company's values, culture, and user experience.
  • Microsoft Mechanics. This 14-minute video discusses how Insider risk management and communication compliance work together. It specifically focuses on how they help minimize data risks from users in an organization.

Work with stakeholders in your organization

An organization should identify the appropriate stakeholders that it assigns to its Insider risk management team.

  • It should assign certain members of the team responsibility for taking actions on Insider risk management alerts and cases.
  • Other stakeholders should be responsible for the initial planning and the end-to-end Insider risk management workflow. These stakeholders are usually people from the following areas of an organization:
    • IT
    • Compliance
    • Privacy
    • Security
    • Human resources
    • Legal

Determine regional compliance requirements

Different geographic and organizational areas may have compliance and privacy requirements that are different from other areas of an organization. Work with the stakeholders in these areas to ensure they understand:

  • The compliance and privacy controls in Insider risk management.
  • How the different areas of the organization should use these controls.

In some scenarios, compliance and privacy requirements may call for policies that designate, or restrict, which stakeholders can take part in investigations and cases. An organization may base these requirements on the circumstances of the case for a particular user, or on regulatory or policy requirements for the area.

If an organization requires specific stakeholders to work on case investigations, it may want to implement separate Insider risk management policies. These policies would target users in certain regions, roles, or divisions, even if the policies' settings are otherwise identical. This approach enables the organization to involve the necessary stakeholders for each case while also tailoring the policies to the unique needs of each group. It also enables efficient triaging and management of cases, because the right stakeholders can identify the cases that are relevant to their roles and regions.

Plan for the review and investigation workflow

Organizations that want to manage Insider risk management policies and alerts must assign users to specific role groups, each of which manages a different set of Insider risk management features. For example:

  • They can assign users with different compliance responsibilities to specific role groups to manage different areas of Insider risk management features.
  • They can also assign all user accounts for designated administrators, analysts, investigators, and viewers to the single Insider Risk Management role group.

Organizations should use a single role group or multiple role groups, whichever best fits their Compliance Management requirements. They can choose from the role group options and solution actions in the following table when working with Insider risk management.

Actions                          | Insider Risk Management | Insider Risk Management Admin | Insider Risk Management Analysts | Insider Risk Management Investigators | Insider Risk Management Auditors
---------------------------------|-------------------------|-------------------------------|----------------------------------|---------------------------------------|---------------------------------
Configure policies and settings  | Yes                     | Yes                           | No                               | No                                    | No
Access analytics insights        | Yes                     | Yes                           | Yes                              | No                                    | No
Access & investigate alerts      | Yes                     | No                            | Yes                              | Yes                                   | No
Access & investigate cases       | Yes                     | No                            | Yes                              | Yes                                   | No
Access & view the Content Explorer | Yes                   | No                            | No                               | Yes                                   | No
Configure notice templates       | Yes                     | No                            | Yes                              | Yes                                   | No
View & export audit logs         | Yes                     | No                            | No                               | No                                    | Yes

Organizations should ensure they always have at least one user in the Insider Risk Management or Insider Risk Management Admin role group (depending on the option they choose). Doing so prevents the organization's Insider risk management configuration from ending up in a "zero administrator" scenario if specific users leave the organization, since only those two role groups can configure policies and settings.
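The following script is an added example and is not part of the original page or Microsoft's own documentation. It audits membership of the Insider risk management role groups from Security & Compliance PowerShell and flags the "zero administrator" condition described above. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account can run Connect-IPPSSession; the role group names are taken from the table above and should be confirmed against Get-RoleGroup output in your tenant, because the names as shown in PowerShell may differ (for example, a plural form). The account admin@contoso.example is a placeholder.

```powershell
# Added example (not from the original page): audit Insider risk management role group
# membership and warn when no account can configure policies and settings.
# Assumptions: ExchangeOnlineManagement module installed; role group names match the table
# on this page (verify with Get-RoleGroup); admin@contoso.example is a placeholder.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$irmGroups = @(
    'Insider Risk Management',
    'Insider Risk Management Admin',
    'Insider Risk Management Analysts',
    'Insider Risk Management Investigators',
    'Insider Risk Management Auditors'
)

# Only these two role groups can configure policies and settings (see the table above).
$adminGroups = @('Insider Risk Management', 'Insider Risk Management Admin')

$report = foreach ($group in $irmGroups) {
    # Verify the role group exists before counting members, so a misspelled or
    # differently named group is reported rather than silently counted as empty.
    if (-not (Get-RoleGroup -Identity $group -ErrorAction SilentlyContinue)) {
        Write-Warning "Role group '$group' not found; check the exact name with Get-RoleGroup."
        continue
    }
    $members = @(Get-RoleGroupMember -Identity $group)
    [pscustomobject]@{
        RoleGroup   = $group
        MemberCount = $members.Count
        Members     = ($members | ForEach-Object { $_.Name }) -join '; '
    }
}

$report | Format-Table -AutoSize

# "Zero administrator" check: sum the members across the two admin-capable role groups.
$adminCount = ($report |
    Where-Object { $adminGroups -contains $_.RoleGroup } |
    Measure-Object -Property MemberCount -Sum).Sum

if (-not $adminCount -or $adminCount -lt 1) {
    Write-Warning 'No account holds Insider Risk Management or Insider Risk Management Admin.'
    Write-Warning 'Add at least one administrator, for example:'
    Write-Warning "  Add-RoleGroupMember -Identity 'Insider Risk Management Admin' -Member admin@contoso.example"
} else {
    Write-Host "OK: $adminCount account(s) can configure Insider risk management policies and settings."
}
```

Run the script periodically, or as part of the leaver process, so that the departure of the last administrator is noticed before it blocks policy changes. Membership of the Microsoft Entra and compliance portal roles listed below also grants the admin permissions, so an empty role group is only a problem if none of those roles is held either.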

Members of the following roles can assign users to Insider risk management role groups and have the same solution permissions included with the Insider Risk Management Admin role group:

  • Microsoft Entra Global Administrator
  • Microsoft Entra Compliance Administrator
  • Microsoft Purview compliance portal Organization Management
  • Microsoft Purview compliance portal Compliance Administrator

Note

Azure Active Directory (Azure AD) is now Microsoft Entra ID.

Understand requirements and dependencies

Depending on how it plans to implement Insider risk management policies, an organization must have the proper Microsoft 365 licensing subscriptions. It must also understand and plan for some solution prerequisites.

Licensing

Insider risk management is available as part of a wide selection of Microsoft 365 licensing subscriptions. For details, see Getting started with Insider risk management.

Important

Insider risk management is currently available in tenants hosted in geographical regions and countries supported by Azure service dependencies. To verify that your organization supports Insider risk management, see Azure dependency availability by country/region.

If an organization doesn't have an existing Microsoft 365 Enterprise E5 plan, it can still try Insider risk management. It can add Microsoft 365 to its existing subscription or sign up for a trial of Microsoft 365 Enterprise E5.

Policy template requirements

Depending on the policy template that an organization chooses, there are requirements that it must understand and plan for prior to configuring Insider risk management:

  • Data theft by departing users template. The organization must configure a Microsoft 365 HR connector to periodically import resignation and termination date information for its users. See the Import data with the HR connector article for step-by-step guidance to configure the Microsoft 365 HR connector.
  • Data leaks templates. The organization must configure at least one Microsoft Purview Data Loss Prevention (DLP) policy to define sensitive information and to receive Insider risk alerts for High severity DLP policy alerts. See Create and deploy data loss prevention policies for step-by-step guidance to configure DLP policies.
  • Security policy violation templates. The organization must enable Microsoft Defender for Endpoint for Insider risk management integration in the Microsoft Defender portal to import security violation alerts. For step-by-step guidance to enable Defender for Endpoint integration with Insider risk management, see Configure advanced features in Microsoft Defender for Endpoint.
  • Disgruntled user templates. The organization must configure a Microsoft 365 HR connector to periodically import performance or demotion status information for an organization's users. See the Import data with the HR connector article for step-by-step guidance to configure the Microsoft 365 HR connector.
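The following check is an added example and is not part of the original page. It verifies the prerequisite for the Data leaks templates: that at least one enabled DLP policy contains an enabled rule whose incident report severity is High, which is what lets Insider risk management receive High severity DLP alerts. It assumes an existing Security & Compliance PowerShell session (Connect-IPPSSession), and it relies on the Get-DlpCompliancePolicy and Get-DlpComplianceRule cmdlets and their Mode, Disabled, and ReportSeverityLevel properties; confirm those names against your tenant's output if the script reports nothing.

```powershell
# Added example (not from the original page): confirm the Data leaks template prerequisite.
# Assumptions: an active Connect-IPPSSession session; Get-DlpCompliancePolicy exposes Mode
# and Get-DlpComplianceRule exposes Disabled and ReportSeverityLevel as used below.

# Only policies in Enable mode generate alerts; test modes do not.
$enabledPolicies = @(Get-DlpCompliancePolicy | Where-Object { $_.Mode -eq 'Enable' })

if ($enabledPolicies.Count -eq 0) {
    Write-Warning 'No DLP policy is in Enable mode. The Data leaks templates need at least one enabled policy.'
    return
}

$highSeverityRules = foreach ($policy in $enabledPolicies) {
    # -Policy filters the rules to those belonging to this policy.
    Get-DlpComplianceRule -Policy $policy.Name |
        Where-Object { -not $_.Disabled -and $_.ReportSeverityLevel -eq 'High' } |
        ForEach-Object {
            [pscustomobject]@{
                Policy   = $policy.Name
                Rule     = $_.Name
                Severity = $_.ReportSeverityLevel
            }
        }
}

if (-not $highSeverityRules) {
    Write-Warning 'Enabled DLP policies exist, but none has an enabled rule with ReportSeverityLevel High.'
    Write-Warning 'Insider risk management Data leaks policies only ingest High severity DLP alerts; raise the severity on at least one rule.'
} else {
    Write-Host 'DLP rules that satisfy the Data leaks template prerequisite:'
    $highSeverityRules | Format-Table -AutoSize
}
```

If the check passes but the Data leaks policy still produces no alerts, the remaining variables are the policy's own scope and thresholds, which the testing guidance later on this page covers.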

Test with a small group of users in a production environment

Before an organization enables the Insider risk management solution broadly in its production environment, it should consider testing the policies with a small set of production users while conducting the necessary compliance, privacy, and legal reviews. Evaluating Insider risk management in a test environment requires that you generate simulated user actions and other signals to create alerts for triage and cases for processing. This approach isn't practical for most organizations. As such, Microsoft recommends testing Insider risk management with a small group of users in a production environment.

During testing, keep the Anonymization feature in policy settings enabled. This setting anonymizes user display names in the Insider risk management console during testing to maintain privacy within the tool. Doing so helps protect the privacy of users that have policy matches. It can also help promote objectivity in data investigation and analysis reviews for Insider risk alerts.

If no alerts appear immediately after configuring an Insider risk management policy, it may mean the organization has yet to meet the minimum risk threshold. It's important to check whether an action has triggered the policy and that the policy works as expected. To do so, confirm on the Users page that the user is in scope for the policy.