Microsoft Teams: Not the compliance challenge you think

Manage Microsoft Office 365 Teams in a compliant manner with Classification Intelligence

Paula Smith

Written by

Paula Smith

Reviewed by

Share on Social Media
June 23, 2020
Microsoft Teams: Not the compliance challenge you think

Finding it hard to keep up with this fast-paced industry?

Subscribe to FILED Newsletter.  
Your monthly round-up of the latest news and views at the intersection of data privacy, data security, and governance.
Subscribe Now

More and more we are seeing organizations taking advantage of Microsoft Office 365 Teams – especially if they are taking the opportunity of a “fresh start” when moving from SharePoint On-Premises to SharePoint Online.

Teams provides a unified space for work that provides team chat, file sharing, meetings, emails and more – as well as the ability to invite external users to join and collaborate with the team – all within a single interface. The best way to look at Teams is as a platform for collaborating on work done through the Office 365 apps, and as a communication tool for outside of hard-to-follow email threads.

Managing Teams when compliance is top-of-mind

One struggle from a records management perspective when it comes to Office 365 Teams is the autonomy individual business units have to setup, configure and create team sites. This functionality, which is seen as a win by the end user audience, is seen as a risk from the records management audience because governance is traditionally achieved through rigid and tightly controlled structures and principles.

So how can you give users the freedom and autonomy they seek, whilst still ensuring you do not expose the organization to additional compliance risks? We have seen businesses deal with this conundrum in various ways which we will discuss below along with the pros and cons of each approach.

  • Disable Teams: Mandate that Office 365 Teams functionality be disabled within the organization
  • Allow Teams to Grow Organically: Allow users to create and manage teams with little or no governance
  • Use Templates aka Hub Sites: Use templates to deploy teams (Beta). This will enable organizations to deploy a degree of consistency.
  • Use Content Types and Metadata: Take advantage of the new functionality released to Teams in January 2020 but delayed. This brings Teams more in line with traditional SharePoint in that it allows companies to implement Content Types, Metadata, etc. in teams. This functionality can be employed in conjunction with the ability to use templates to deploy teams.
  • Employ Classification Intelligence: Allow Teams to grow organically and use the Records365’s AI-based classification capabilities, called Classification Intelligence, to govern content.
  • Blended Approach: Employ a semi governed approach via templates/hub sites, content types and use Classification Intelligence.

Disable Teams

Disabling Teams allows you to ensure that you don’t end up with viral, uncontrolled growth and use of Teams, which, left unchecked, would almost undoubtedly result in risk being introduced from a compliance perspective.

One of the things users love about Teams is the ability to share and collaborate on a document with external parties without having to manage copies of the document. Everyone collaborates on the document within the team, and changes are seen real time. Where we have seen organizations employ this approach (disabling Teams), we have seen users go off on their own (whether you like it – or want to admit it, or not), and start availing themselves of platforms like Dropbox, Box, and Google Docs to allow them to share and collaborate on content externally.

We are of the opinion that documents should remain within systems controlled and governed by the organization, rather that be stored “in the wild”, and so, managing them in ungoverned Teams is still better than having users storing copies of externally within unmanaged platforms.

Whilst users MAY store documents in the official, governed structures which you can record manage, if they are storing them externally, there is always the risk that they never move them to or update the copy in the governed structure. Secondly, unless you have additional connectors, the platforms they use for external collaboration are unlikely to be record managed at all.

Allow Teams to grow organically

As mentioned, we have found the organization prefer for their users to collaborate within well known platforms even when their ability to govern those platforms is limited, as opposed to users publishing content in platforms that are invisible to the organization.

From a records management perspective, there are a couple of options for managing content in these sites:

  • Create a rule per Team site as part of the creation of the team: Assumes that all documents within the team are of the same type of record. This could be achieved either via a rule per team site, or via naming conventions for team sites.
  • Define rules such that when a new team site is created, the documents go into the Records365 “uncategorized” area due to there being no defined rules. From here, a records manager can then appraise the document, create a rule for the site, and thus subsequent documents are correctly classified, thus removing the reliance on creating the rule as part of the team site creation.

Use templates AKA hub sites

Using templates in conjunction with Teams allows for teams to be “spun up” according to pre-defined structures. These structures can include things like pre defined channels, users, files etc.

These channels are elements that we can use in rules, to in turn identify, classify and retain records.

We would recommend that, at a minimum, organizations consider using hub sites if allowing Teams sites to “grow organically”.

Use content types and metadata

Microsoft has published that in January 2020, they intended to close the gap between traditional SharePoint and Teams. One of the main enhancements in this area is the ability to implement content types and metadata within Teams. As with using hub sites, above, to deploy pre-defined channels, these content types and metadata are all elements that we can use in rules to identify, classify and retain records.

As this functionality is yet to be released, it is assumed that any content types/metadata  definitions will be deployed via the hub sites functionality.

Employ Classification Intelligence

Records365 Classification Intelligence allows organizations to move away from a structured approach (or employ a partially structured, partially organic approach) to content in Teams sites.

Classification Intelligence uses advanced machine learning and natural language processing techniques to make classification decisions based on similar content in your organization’s managed content sources. These techniques utilize the actual content of documents, presentations, emails, PDF files, images and other files flowing through your organization to predict the best information management policy to apply.

Records365 Classification Intelligence provides scalable and sustainable means to manage unstructured information. It does this by considering the latent information and context within each file classified, without the traditional crutches of metadata for decision making.

Blended approach

A blended approach is one where you encourage the deployment and usage of team sites using hub site templates which ensures a starting point based on best practice, and therefore optimal user experience, along with sustainability and discoverability. Records365 can have predefined rules based on these structures. Where users customize their “templated” site, the Intelligence engine can kick in and classify content based on the content of the document, rather than relying on metadata, as described above.

TL;DR

As we have explained above, we are seeing Office 365 Teams getting a lot of traction within organizations, driven largely by end users loving the flexibility that it provides. This in turn presents a records and information management conundrum, as the very reason users love Teams is what makes them hard to manage using the traditional approach – lack of rigid structures, metadata tagging etc.

We have outlined a number of options available for managing Teams content in a compliant manner. Each of these has varying pros and cons, as well as challenges when it comes to user adoption. It is, in our experience, a short-sighted view to prevent users from utilizing a technology they are demanding. History has shown they will only find another way to achieve their goals – likely using a non-endorsed technology, and even more likely, a technology that has no compliance controls at all. This scenario is perhaps worse than having information in Office365 Teams using a broad-brush approach to applying classification and retention.

We see Classification Intelligence as the piece of the puzzle that finally makes the picture complete and enables organizations to “have their cake and eat it too”. End users are able to take advantage of the functionality Teams provides, as well as structure and organize information with relative autonomy, and Classification Intelligence ensures that regardless of how users organize content within their teams, the Records365 Classification Intelligence engine will use the content of the document to apply classification and retention, allowing records managers to rest easy that the organization’s content is still being governed and managed in a compliant manner.

Discover Connectors

View our expanded range of available Connectors, including popular SaaS platforms, such as Salesforce, Workday, Zendesk, SAP, and many more.

Explore the platform

Get automated categorization

Understand the data you're working with, and how best to handle it to reduce risk with RecordPoint Data Categorization.

Learn More
Share on Social Media
bg
bg

Assure your customers their data is safe with you

Protect your customers and your business with
the Data Trust Platform.