Communication compliance is a common concern for companies in highly regulated industries. When implementing solutions like Microsoft Teams for UCaaS and CCaaS, companies need to ensure their calls and conversations remain compliant with specific industry standards.
To assist with the development of successful communication compliance policies, and reduce risk among today’s companies, Microsoft introduced “Microsoft Purview Communication Compliance”. This is an “Insider Risk” service offered by Microsoft to help users detect, capture, and act on inappropriate messaging in an organisation.
By setting pre-defined policies, you can scan internal and external conversations within Teams for policy matches. Reviewers can then investigate Microsoft Teams’ discussions and take actions to boost compliance. Specifically, Communication Compliance in Teams is intended to assist with identifying:
- Adult or inappropriate images
- Sensitive information sharing
- Offensive or harassing language
How to Leverage Communication Compliance in Teams
Purview Communication Compliance for Microsoft Teams allows businesses to set policies to address a range of compliance areas. For instance, you can establish:
- Corporate policies: Such as ensuring users comply with acceptable use policies and ethical standards in their business communications.
- Risk management strategies: By determining where users might be sharing sensitive information, you can limit legal exposure and risk before they damage corporate reputations.
- Regulatory compliance: Your policies can prevent users from sharing information which might be deemed inappropriate according to compliance standards.
The service comes with intelligent customisable templates for policies, flexible remediation workflows to guide employees on the next steps when an issue is identified, and actionable insights.
For users of Microsoft Teams, the new “Purview Communication Compliance” feature is already tightly integrated into the app. You can access this service if you have the correct Microsoft 365 or Office 365 subscription. Some plans will require the Insider Risk Management add-on.
Setting Compliance Permissions
The first step in leveraging communication compliance standards in Microsoft Teams is planning and creating pre-defined custom policies. Begin by enabling permissions for communication compliance. You’ll need a Global Administrator or Compliance Administrator role in Microsoft Teams to enable the Purview compliance portal. From there, you can assign users to different “communication compliance” or “communication compliance admin” roles.
The standard communication compliance user role establishes a user as an individual to be tracked for compliance issues. Administrators can create, read, and update communication compliance policies and settings. There’s also an “Analyst” role for reviewing policies, an “investigator” role for escalating issues, and a “viewer” option for users who can manage communication reports.
You can sign into the “permissions” section of the compliance portal with Teams to assign each user to specific groups. Compliance policies can be configured either at a user level or a Teams level. The Teams level configuration will apply your policies to everyone in a Teams channel.
After you’ve configured your permissions, you can create your compliance policies.
Notably, for beginners investing in communication compliance standards for the first time, Microsoft has a “recommended actions” section on the “Policies” page. This provides insights into sensitive information types you might need to address with each policy.
Creating Communication Compliance Policies
Creating your policies involves signing into the Microsoft Purview compliance portal as an administrator, and selecting the “Policies” tab. Here, you can select “Create policy” to configure a new policy from scratch, or use a template.
The customisable templates apply machine learning to determine when users are going against compliance standards. These templates come with pre-defined sections for inappropriate content, sensitive information, and regulatory issues. There are also built-in image, discrimination, and threat classes to help reduce misclassified content.
If you need to build policies from scratch, there’s a condition builder within the policy wizard, where you can create and name policies, choose users or groups connected to the policy, and choose reviewers responsible for tracking policy adherence. The policy builder allows users to:
- Choose a communication direction to monitor (inbound, outbound and internal).
- Define communication policy conditions, like message addresses, keywords, file types, and size match conditions.
- Determine whether you want to include sensitive information types, and custom keyword dictionaries. You can also create new sensitive information types in the policy wizard.
- Enable classifiers which can detect languages and images sent or received in the body of a message. Classifiers include targeted harassment, adult images, threat, and profanity.
- Enable optical character recognition (OCR) to automatically scan attached or embedded images in messages which match policy conditions.
- Define the percentage of communications to be reviewed.
You’ll be able to track various communication channels within Microsoft with the same policies, including messages across Teams, Yammer, and Microsoft Exchange.
When you’re designing your communication compliance policies, you’ll also be able to leverage “flexible remediation workflows.” These outline responses to specific issues, like sending alerts to reviewers or investigators, and highlighting keywords or issues.
Microsoft also offers “actionable insights”, which include interactive dashboards showcasing policy matches, pending and resolved actions, and a list of potential auditing review activities.
Additional Steps for Communication Compliance
Microsoft also recommends a number of “optional steps” for managing communication compliance in your team. For instance, you can create accompanying “compliance boundaries” which control user content locations that eDiscovery managers can explore.
Business leaders and Microsoft Teams admins can also set up custom responses to a policy alert by sending a reminder notice to an associated team member. This gives them an insight into the policy they’ve breached with their message, to help reduce the chance of similar problems happening again. You can also enable anonymization for displayed usernames when investigating policy issues within the Microsoft Purview compliance portal.
Once you’ve created your compliance policy, it’s worth testing to make sure everything you’ve established is working properly. You can try sending a message in Teams which meets the criteria in your policies, and deleting this message after you’re convinced the policies are in place.