Compliance with government regulations is a critical element for businesses and organizations. These regulations aim to ensure operational integrity, safety, and ethical behavior, and have become wider-reaching thanks to technological advancements that have connected industries all around the world.
Many regulations specifically address security and privacy concerns related to the sharing of information, which extends to digital data shared over networks. High-profile regulations include:
- European Union’s General Data Protection Regulation (GDPR), affecting data privacy of EU citizens
- U.S. Health Insurance Portability and Accountability Act (HIPAA), protecting patient-information rights and privacy
- Sarbanes-Oxley or the Public Company Accounting Reform and Investor Protection Act, mandating accurate and reliable corporate disclosures for financial records
- U.S. International Traffic in Arms Regulations (ITAR), which control the manufacture, sale, and distribution of defense and space-related articles and services as defined in the United States Munitions List (USML)
These are only a few well-known regulations among many. For a company or organization to function properly, understanding relevant regulatory requirements is critical. These regulations protect individuals, companies, and governments from malpractice or malfeasance and help prevent injury and loss on small and large scales.
Failing to comply with regulations can lead to strict and significant financial penalties. For example, Google paid out nearly $43 million to resolve a GDPR case levied against them by France’s National Commission on Informatics and Liberty (CNIL). Similarly, Airbus had to pay nearly $4 billion and Honeywell paid $13 million to resolve their respective ITAR compliance issues.
On the other hand, the complexity of the regulatory landscape makes it difficult for companies to implement solutions that address requirements. The solutions available (or developed in response) can incur heavy costs in time and resources.
In recognition of the struggles and challenges that come with compliance, software and technology companies are developing intuitive platforms and tools to provide additional support and clarity. The overall impact could lead to cost-savings of millions of dollars on penalty fees and restitution payouts.
These solutions are designed to help compliance and business managers, as well as IT administrators, meet regulatory requirements across an organization’s information storage and sharing activities, thereby promoting improved cybersecurity.
In this article, we will provide a functional overview of two solutions: FileCloud Compliance Center and Microsoft 365 Compliance Center.
FileCloud’s Compliance Center
What is the FileCloud Compliance Center?
FileCloud’s Compliance Center is a new feature launched with the 21.2 release. This tool is designed to leverage the full strength of FileCloud’s existing comprehensive security and sharing features, such as smart classification, custom metadata, and data leak protection.
For example, metadata tags can be created for defense articles and technical data, which are then applied to documents using Smart Classification. DLP rules connected with the Classification Engine ensure that no files with this metadata can be publicly shared. These features are already available with FileCloud, but the Compliance Center organizes them into special compliance configurations that apply sets of FileCloud features with the simple click of a button.
Currently, the Compliance Center includes a specific configuration for ITAR compliance, with other standards under development. FileCloud’s ITAR configuration connects admins with SSL, encryption, and audit settings to provide multi-tiered security protections. Informational rules like “Confirm all users are US residents” provide useful prompts for system admins to confirm regulatory requirements are met.
The FileCloud Compliance Center is particularly beneficial for IT administrators, as it provides an accessible platform for admins to learn about and implement ITAR requirements. It also enables easy reporting to upper management, CIOs/CTOs, and external parties, which saves the organization time and money.
How does the FileCloud Compliance Center work?
The Compliance Center is offered as an additional feature with an Enterprise FileCloud license for users and admins. Once set up, users will be able to view the Compliance dashboard like any other feature in FileCloud, by selecting the Compliance Center tab on the left sidebar.
Once inside the dashboard, users will be able to gain quick and vital information at a glance. Configurations have a status bar that shows how many FileCloud compliance rules are included in the set, how many are enabled, and how many are bypassed.
FileCloud includes the bypass option specifically so users and admins can examine compliance rules and only apply the ones that meet their needs. For organizations that meet regulatory requirements outside of the FileCloud environment, this flexibility ensures status reports are accurate and include only the necessary information.
How can the FileCloud Compliance Center help meet regulatory requirements?
The FileCloud ITAR configuration is a repository for a wealth of information and support. Simply click on the tab at the top of the Compliance Center page to view more information about the rules, the FileCloud features connected with each rule, the status for each rule (compliant, failed, or bypassed), and select actions. These actions include an option to edit the rule (by adding custom metadata for example) or to view additional information through the info icon.
Configurations in FileCloud are designed to take into consideration the context of the regulatory landscape. In this manner, FileCloud provides vital support to compliance and business managers by connecting compliance requirements directly with powerful FileCloud features, along with explanations for how the feature meets the requirement and where users and admins can find more information on the requirements.
Furthermore, the configurations are designed to act immediately and keep a running track record of all the activity connected with compliance efforts within the FileCloud ecosystem. Admins receive regular email notifications on a 24-hour cycle specifically for any non-compliant rules in place. Admins can adjust their email notification settings in accordance with their needs, but the system will continue to scan and update the Compliance Center every 24 hours.
Additionally, all information captured by the Compliance Center is recorded and updated in the dashboard. These activity logs can be archived and exported into non-changeable files for governance and retention purposes.
Microsoft 365 Compliance Center
What is the Microsoft 365 Compliance Center?
Microsoft 365 rolled out their own version of a Compliance Center in 2018, with several updates since. The tool started as a way to organize security and compliance features across Office 365, Enterprise Mobility + Security, and Windows in a centralized platform. This platform supports admins in efforts to detect, classify, protect, and report on data and related activity.
In 2019, the platform was updated to reorganize features and applications that comprise Microsoft Threat Protection, as well as Microsoft Cloud App Security (MCAS). By consolidating the user experiences across Microsoft 365 applications, they created a consistent approach organized around specific concepts: Identity, Endpoints, User Data, Cloud App and Infrastructure.
The most recent iteration of the Microsoft 365 Compliance Center focuses on ease-of-use and compliance features by optimizing eDiscovery, endpoint DLP, audit logs, sensitivity labels, data classification and connectors, records management, insider risk management, and encryption.
How does the Microsoft 365 Compliance Center work?
The Microsoft 365 Compliance Center makes use of a “card” platform to present different aspects of security and compliance to users. The Compliance Manager is one card that acts as a sort of dashboard, calculating a risk score as a percentage and measuring progress toward recommended actions. The Compliance Manager also includes workflow capabilities and built-in control mapping that can help users respond to different compliance objectives, including:
- Protect information
- Govern information
- Control access
- Manage devices
- Protect against threats
- Discover and respond
- Manage internal risks
Beyond the Compliance Manager, there are also cards for the Solutions catalog and Active Alerts. Users have the option of adding cards to the menu according to their needs and as Microsoft continues to expand the Compliance Center.
The Solutions catalog card provides a resource for users to learn and implement solutions that are available within their specific institution and within their Microsoft subscription. These solutions are organized by section; the card itself is designed to serve as a quick-start guide for new users beginning to implement compliance and risk management solutions. Sections include:
- Information Protection & Governance
  - Data Loss Prevention
  - Information Governance
  - Information Protection
  - Records Management
- Insider Risk Management
  - Communication Compliance
  - Insider Risk Management
- Discovery & Response
  - Data subject requests
Each section and sub-section provides the user with a brief description of what the solution offers and how it can support compliance objectives. However, the user must know exactly which solutions are required to fulfill specific regulatory requirements.
The Navigation pane in the left sidebar menu provides direct access back to the Compliance Manager card, the Solutions catalog card, the Home screen, Settings, and Resources. This setup can be customized to suit user preferences and add tabs for common areas, depending on what options are available with the organization’s Microsoft subscription. Additional navigation options include Data Classification, Data Connectors, Alerts, Reports, Policies, and Permissions.
How can the Microsoft 365 Compliance Center help meet regulatory requirements?
Microsoft officially states that the Microsoft 365 Compliance Center can support a wide variety of industry and government regulations (as does FileCloud). However, Microsoft does not offer specialized configurations built for each regulation.
Instead, Microsoft relies on the Compliance Manager, which helps users set up data security, classification, and share settings. The Compliance Manager can take inventory of data protection risks, provide managerial support to implement controls, inform users of regulatory updates and refresh certificates, and report directly to auditors.
The Microsoft 365 Compliance Center provides many of the same tools and features offered by FileCloud, but they are not organized into bundled settings or configurations like FileCloud’s solution for ITAR (and other regulations in the near future).
Setting up the Compliance Center in Microsoft 365 reflects that key difference in strategic approach between Microsoft and FileCloud. Compliance, data security, or IT admins are tasked with configuring risk management and communication policies, reviewing their organization’s DLP settings, enabling appropriate settings in Microsoft, and setting up information protection through Microsoft Cloud App Security.
FileCloud and Microsoft 365 both present powerful and innovative platforms that address the growing need for compliance support across industries. However, the two solutions diverge in their approach and ease of use.
Microsoft has a certain advantage when considering the Compliance Center as an app alongside the suite of apps that come with a subscription. If an organization is already paying for Microsoft 365, the Compliance Center may be a worthwhile add-on. This may be especially true for organizations that have a compliance officer or team that can work through the various cards and sections to implement Microsoft’s solutions.
FileCloud presents a much more accessible solution with their Compliance Center. By focusing on the regulations directly, FileCloud is able to provide unique configurations of FileCloud features, tools, and settings that cumulatively address compliance requirements.
Furthermore, these sophisticated configurations empower users by connecting compliance rules with specific FileCloud settings that can be easily viewed and distinguished within the configuration tab. The Action column provides users with easy access to customize rules and view compliance documentation for further education.
ITAR is currently the only configuration available in the FileCloud Compliance Center. Additional configurations will become available as updates are made to the Compliance Center.
Considering the significant challenges of regulation across industries and governments, any tool must provide clear support to users and facilitate fulfilling compliance requirements. FileCloud’s innovative solution is one that stands to grow and change with the landscape while providing meaningful clarity and support.