Once you have finished with the crawl stage, referred to in Fix the Basics, it is time to walk. You may feel like you are ready to run, but it is important to continue to build your programme in a way that makes sense—just as if we continue the house building analogy from the first blog, Fix the Basics—you can’t paint walls of a home that you haven’t even erected yet, it doesn’t make sense.

Now that you laid your foundation and the Information Governance group have approved the necessary policies and procedures, you updated your training requirements for movers, joiners, and leavers, you know what out-of-the-box Sensitive Information Types (SITs) you want to implement, and you have a plan for Data Loss Prevention (DLP) policies – plus everything else on your to-do list for Fix the Basics – you are ready to move onto the next stage, walking.

Walking

During this stage you get to start implementing what you were creating and planning for during Fix the Basics. For example, for Data Loss Prevention, depending on where you are with this, you may want to configure or refine your policies to include policy tips and protection such as restricting the sharing of sensitive information via email.

For protecting sensitive and personal information, you can use automation to detect sensitive information through Sensitive Information Types (SITs) and/or Trainable Classifiers (TCs) and once you start to see where the data you want to protect lives. This requires a period of time for monitoring then evaluating the results to determine if the SITs and TCs are finding the right information. You can choose to refine these now, or that can be part of the run stage.

As well, during the walking stage, you can ask your users to start manually labelling the sensitivity classifications.

In the workstream for Data Lifecycle Management while you are performing initial clean-up of the ROT – Redundant, Obsolete, or Trivial as started in Fix the Basics, you can continue to improve the lifecycle by creating your M365 file plan based on your retention schedule.

Next, is when you decide which is the best way to apply retention and disposition across your organisation. Will you use the big-bucket approach, will it be automated, manual, or a combination? Who is responsible – the end user, admins – and will you have disposition reviews?

These are all questions that can be answered and planned for within the walk stage if they were not addressed in the crawl stage, and the implementation of DLM labels and policies can occur during the run stage.

If you are feeling overwhelmed reading these paragraphs – don’t stress – that is completely understandable. Creating or even only improving an already existing effective information and records governance, security, and management programme is not easy. Especially if you are doing it by yourself.

That is why we are here. Infotechtion have successfully transitioned many large and global enterprises to modern and automated data security and governance standards in Microsoft 365. We have developed blueprints for best practices to fast-track the implementation of Microsoft Purview Information Protection (MPIP), Data Loss Prevention (CLP), Insider Risk Management (IRM), and Data Lifecycle Management (DLM)/Records Management in a way that suits your organisation’s needs and resources.

If you have managed to finish crawling and have started to walk, but are worried about falling before you get to the run stage, reach out – we are happy to help.

Running

Now that you have begun to dive into Microsoft Purview and have been using SITs, you have created your File Plan, and have started to work with Data Loss Prevention policies, now during the running stage, it is time is to take this to the next level for your organisation.

This may mean automating retention based on various techniques such as:

• Default library setting
• Site/site collection policy
• Based on personal and sensitive information surfaced through SITs or other methods such as Trainable Classifiers
• Content Types.

Or, based on your results from monitoring the data your SITs or Trainable classifiers were surfacing, you can create meaningful MPIP policies that will ensure protection of this data. At this point, if you have policies in place, you would be refining them during the run stage.

Running is about improving what you already have in place and making things more efficient and effective. It is about taking a look at what is working and asking, how can I make this better? It is also about taking a look at what is not working and seeing where you can implement improvements.

It is crucial that in order to remain “running” and beyond when creating and maintaining a highly effective data, information, and records security and lifecycle management programme, you revisit, monitor and continuously check on how things are currently with the view to improve. Take the time during the run stage to measure where you are, define your KPIs you will measure against moving forward, and be always thinking of ways to improve.

If you are at the run stage within your organisation and you want to take stock of where you are and which areas need improvement, it is a great idea to schedule that in to your annual planning process so any necessary changes can be added into budget or resourcing needs.