With Office 365 cloud services, it’s up to customers to manage data governance, authorize access, and configure settings to ensure data integrity. Montrium's Professional Services team has extensive experience working to mitigate the frustrations that teams face when establishing governance provisions for Office 365. In this webinar, your host Chrysa will discuss how Office 365 customers' data benefits from having multiple layers of granular control within a robust governance model to support the management of GxP content. -The webinar will cover the following topics: -Office 365 governance strategy and model overview -Documents that contribute to SharePoint Online governance -Governance considerations for GxP and non-GxP use -Identifying and mitigating risks in the cloud -And much more...

2. Governance
Strategies for
Office 365
The Compliance
Playbook Series
June 18, 2019
2

3. 3
Today’s Agenda
LIVE WEBINAR
• About Montrium
• Overview of IT Governance for GxP Systems
• Office 365 Governance
• Governance Risk Mitigation
• Office 365 Compliance Resources for Subscribers

4. House Keeping
4

5. 5
House
Keeping
L I V E W E B I N A R
• This webinar is being recorded and
will be made available after this
session
• Feel free to use the chatbox to
submit your questions at anytime
• Q&A will take place at the end of the
webinar
• We will send these slides to your
email at the end of the webinar

6. 6
Meet Your
Speakers
Chrysa Plagiannos
Senior Validation and
Compliance Analyst,
Montrium
Geetartha
Uppaladadium
Validation and Compliance
Analyst,
Montrium

7. • Founded in 2005
• Working Exclusively in the Life Sciences
• Headquartered in Montreal, Canada
• EU headquarters in Brussels
• Clients in North America, Europe & Asia
• Leading Content Management Platform
• Over 8000 Users in 20+ Countries
• Experienced Professional Services Group
7
About
Montrium
Connecting People,
Processes & Technology
A B O U T T H E C O M P A N Y

8. What is IT Governance?
8

9. According to the IT Governance Institute, IT Governance “consists
of the leadership and organizational structures and processes that
ensure that the organization's IT sustains and extends the
organization's strategies and objectives”.
Owes its prevalence to corporate fraud scandals in the 1990’s and
2000’s that brought about increased regulation of corporate
practices and resulted in a move towards formalizing these
practices.
IT Governance
9

10. • IT Governance involves the
implementation of frameworks,
standards and policies to align an
organization’s IT strategy with the
corporate strategy.
• IT Governance is often associated to
Governance, Risk and Controls (GRC)
which focuses on:
• Implementing controls (both
technical and procedural)
• Risk assessment and mitigation
• Measuring the effectiveness of
controls implemented
Overview of
IT Governance
10

11. Do you have an IT Governance
Strategy in place?
a) In the process of putting one in place.
b) Yes. But, trying to improve.
c) We have a robust strategy in place.
11
POLL

12. IT Governance and
GxP-Regulated Activities
12

13. In the life sciences, computerized
systems are considered to consist
of:
• Hardware, software and network
components
• Associated documentation
• People
GxP
Computerized
Systems

14. Supporting documentation can include:
• Procedural controls (SOPs, work
instructions)
• User manuals
• Contractual documents (SLA, quality
agreements)
GxP
Computerized
Systems
14
Additional considerations:
• Regulatory compliance
• Relationship with vendors/
suppliers
• Use for GxP and non-GxP
activities

15. Office 365 Governance
15

16. Principle of Shared Responsibility
Customer Management of Risk
Data Classification and Accountability
Shared Management of Risk
Identity & Access Management
Provider Management of Risk
Physical | Networking
Cloud Provider Cloud Customer On-Prem IaaS PaaS SaaS
Data classification and
accountability
Client & endpoint protection
Identity access management
Application level controls
Network controls
Host infrastructure
Physical security of datacenters

17. Regulated users
are ultimately
responsible for
demonstrating
compliance
17
Key Compliance Considerations
Microsoft Responsibilities
• Establish security controls to ensure confidentiality, integrity & availability of customer data.
• Follow industry best practices for infrastructure control, software development and service delivery.
• Implement robust risk and quality management processes to ensure quality of delivered products and
services.
Regulated User Responsibilities
• Establish governance controls and operational processes covering administration and proper use of the
application.
• Conduct end-user training on proper system use.
• Perform system validation to demonstrate fitness for intended use and regulatory compliance.
• Implement a controlled process for managing changes to the system over time.

18. Do you follow a version of the shared
responsibility model for the governance of
cloud based systems?
a) Yes. We have clearly defined responsibilities.
b) Yes. But, we would like to better implement
the division of responsibilities.
c) No. We don't work with cloud based systems.
18
POLL

19. Governance processes are outlined in procedural
controls that cover activities related to:
• Implementation
• Operational use
• Administration
Required controls are tied to the intended use of
the system, including GxP relevance of the
business process.
A risk-based approach to governance involves
evaluating risks to Patient Safety, Product
Quality, and Data Integrity.
Key Compliance
Considerations
19

20. Areas Subject to Governance
20
Implementation Operational use Administrative use
• Vendor Selection
• Validation
• End User Training
• System Documentation
• Contingency Planning
• Change Management
• Incident Management
• Maintenance
• Back-Up and Recovery
• Physical Security
• Logical Security
• Access management

21. Application Governance Roles
IT Personnel
Business Process
Owner
End Users
Quality Assurance
• Establish data governance policies
• Provision environment
• Maintain configuration
• Manage user access requests
• Perform periodic review of assigned permissions
• Define business process requirements
• Train users on business process
• Perform day-to-day activities in system
• Perform initial and on-going training
• Stakeholder in achieving and maintaining state of
compliance
• Oversee vendor selection/ assessment process

22. Special
Considerations for
Cloud Services
As a cloud service provider, Microsoft makes
available documentation describing its
products, services and technical commitments
to customers.
Documents published by Microsoft, like the
Online Service Terms and Service Level
Agreement, can serve as inputs to the
governance process.
Due to the responsibilities shared by the
regulated user and Microsoft, the user’s
governance processes must account for
activities for which Microsoft is responsible.
Microsoft’s responsibilities are assessed via the
Vendor Assessment process.
22

23. Goal
To provide adequate oversight to protect data
Implications for
• System Design: How to segregate GxP and non-
GxP data
• Access Management: Preserve data integrity and
confidentiality
• Procedural controls: Clearly define roles and
responsibilities
Use for
GxP and
Non-GxP
Processes
23

24. Office 365: Managing GxP Content
Functional Area Business need
Quality SOP Management / Training Management
Data Management Collaboration site for internal and external
users
Regulatory Affairs / Clinical Regulatory submission management and
archive
Records Management Record review and archive of various GxP
records

25. Governance Risk
Mitigation
25

26. Adding or
modifying or
deleting a
feature
26
Staying Compliant
Risk
• Unplanned impact on existing functionality.
• Impact on business process.
• Impact on System Documentation.
Impact on Governance
• A Change Control process would provide a framework to address this scenario in a controlled
fashion.
Microsoft Tools
• Release Roadmap
• Change Notifications

27. Incident with
technological
Impact
27
Staying Compliant
Risk
• Incident resolution needs input from Microsoft.
Impact on Governance
• An Incident Management process would define escalation procedure within the organization and to
Microsoft.
MicrosoftTools
• Service Level Agreements
• Online Service Terms

28. Data Corruption
&
Availability
Issues
28
Staying Compliant
Risk
• Unavailability or distortion of content impacting business process.
• Not able to apply retention policies.
• Inability to sort data.
• Confidentiality breach.
Impact on Governance
• A backup and restore procedure would minimize the impact of data corruption and unavailability on
business.
• A procedure for classifying data and defining retention policies would address the issues caused by
disorganized data.
• Procedures defining the levels of access to data given to users would prevent unauthorized access.
MicrosoftTools
• O365 Functionalities
• Enforcing retention policies
• Data Classification
• Audit Functionality
• Access Controls

29. Assessing
Cloud Services
from Microsoft
29
Staying Compliant
Risk
• Not meeting business needs.
• Not having the ability to have controls in place.
Impact on Governance
• A vendor assessment procedure helps to address business and regulatory concerns specific to cloud
service providers.
• A vendor assessment procedure would provide a provision to plan and schedule for periodically re-
evaluating the cloud service provider for continued compliance assurance.
MicrosoftTools
• Microsoft Trust Portal
• Third Party Audit Reports (SOC, ISO).
• Tools to plan and track compliance activities.

30. Do you have measures to assess and
monitor your company's level of
compliance to general controls?
a) Yes
b) No
30
POLL

31. Office 365 Compliance
Resources for Subscribers
31

32. For Office 365, assessments for the
following standards are currently available
in the Compliance Manager:
• CSA CCM301
• FFIEC
• FedRAMP Moderate
• GDPR
• HIPAA
• ISO 27001:2013
• ISO 27018: 2014
• NIST 800-171
• NIST 800-53
• NIST CSF
32
Compliance
Manager

33. • A dashboard view of progress in
implementing controls (by both
Microsoft and your organization)
• Provides an overview of status of
compliance activities
• Controls are assigned a risk-based
compliance score
• Outlines suggested activities for
customers to demonstrate compliance
linked to technical/ procedural
controls
• Allows for filtering of information
• Ability to generate reports
33
Compliance
Manager
MAIN FEATURES

34. 34

35. 35

36. Microsoft Secure Score provides visibility
on the security controls in place for Office
365. It can also assist your organization in
planning and tracking actions that can
improve security in Office 365.
• Overview of currently implemented
controls and other available controls
• Score reflects points allocated for the
security controls implemented for Office
365
• Ability to benchmark with other
organizations and to track your
company’s progress over time
• Provides a list of actions that can be
implemented to improve your score.
• Can tailor controls to business needs
and expectations
36
Microsoft
Secure
Score
MAIN FEATURES

37. 37

38. 38

39. Governance controls provide the framework for implementing and
maintaining a computerized system in a controlled manner.
Office 365 governance must take into account the type of data
being managed and the individuals who will be using this data.
Questions to ask:
• What controls can my organization implement to achieve and
maintain compliance?
• What resources and services does Microsoft offer to assist in
maintaining control over the system?
39
Conclusion

40. 40
The Compliance Toolkits for Office 365
A C C E L E R A T E Y O U R T R A N S I T I O N T O T H E C L O U D
Microsoft Vendor
Assessment Toolkit
SharePoint Online
Validation Toolkit
SharePoint Online
Governance Toolkit
SharePoint Online
Deployment Toolkit
SharePoint Online
Migration Toolkit

41. Would you like to receive more
information on Montrium’s Compliance
Toolkits for Office 365?
a) Yes, could be useful
b) No, thank you
41
POLL

42. INFO@MONTRIUM.COM
Thank You!

43. QUESTIONS?
43