University Challenge for Office365 Governance

More than a year on from a rollout of Office365 at Griffith University IDM asked Gabrielle Ingram, Manager Productivity & Information Management, to reflect on the Information Governance challenge. Utilised by staff, students and alumni spanning six campuses in South East Queensland, the E3 edition now supports more than 200,000 Exchange mailboxes, 79,000 OneDrive accounts and 8,000 SharePoint sites including Teams.

IDM: What are some of the unique challenges with information governance and Office 365?

GI: You’re dealing with an evergreen environment, so what something looked like yesterday isn’t the same as what it will look like today and the capability won’t be the same tomorrow.  And that’s a good thing because Microsoft is investing significantly in its governance toolset. Certainly, what we could do in the governance space 18 months ago has matured dramatically to make Office 365 a contender in an EDRMS replacement space, depending on the risk profile of the organisation.

I think the fact that Microsoft are consistently evolving this base makes it an exciting space to work in.  The flip side to that is you have to be on top of your game to keep up-to-date with all of those changes and the demands of the business users.

IDM: Do the native governance capabilities in Office 365 help?

GI:I like the fact that you can apply default retentions to repositories but then nuance that when necessary. For example, our IM team automatically know that our SharePoint Online sites have a 7-year default retention period applied. However if they are working with an internal business area and come across information that requires a longer retention period, they can make the determination to apply that longer period to the Site or Library level, and that’s a powerful capability for in-place records management. 

It does mean you compromise slightly and capture the valuable info as well as the non-valuable, but if you think about the traditional environments for unstructured information - your network drives and maybe Google Drive or Dropbox - there was almost no governance out-of-the box with those repositories, or at the very least that capability rested with IT and not IM. The baseline governance options in Office 365 immediately improve that situation.

We’re also implementing data loss prevention policies to manage data egress without getting in the way of our staff doing the business activities they need to undertake. For example, if someone sends an email containing sensitive information (bank account numbers), we will automatically detect it, and rather than blocking or warning them, we will automatically use Outlook Message Encryption to securely send the message.

IDM: Is there a challenge managing Office365 Groups?

GI: In our first iteration we provided a lot of freedom for users to create Groups with baseline retention and group expiry configured. We’re about to implement a few changes to the group naming policy and determine at the time of creation if it is a student or staff member creating the O365 Group and automatically differentiate the naming convention accordingly. This will provide some better oversight capability. We can then investigate configuration options to nuance the retention. Whilst this capability is native to 3rd party governance applications, Griffith didn’t go down that route, so we are iterating as we go in terms of how we can better manage our Groups.

Prioritising Office365 Governance and Configuration at Griffith University.

IDM: How many are on the information management team at Griffith and how has Office 365 changed the way you work?

GI: There’s 17 in the broader team.  This sounds large but Griffith is a little bit differentiated in terms of the structure of the Information Management team in comparison to other organisations.

Broadly it consists of a Business Enablement Team (BET), Records Services, Productivity Applications and Digital Adoption.

BET is our information management team on steroids! They are consulting with the business users on how they manage their information in an Office365 environment. They are analyzing business practices, providing advice on the best options to work more productivity and digitally, and deploy solutions which can include SPO site configuration, workflows, PowerApps, deploy digital signature capability or data visualization with Power BI.

They also run their information management lens over the work to ensure the right retention periods are assigned. To do their job well they also need to digest the evergreen changes from Microsoft to ensure our self-help materials are kept up to date, to understand the new capabilities and how they might benefit the user community at Griffith in becoming more productive.

Our Productivity Applications team administers the technical aspects of O365 applications. This team would usually be located in the traditional IT part of the business, but in determining our O365 support model it made sense to co-locate with IM as they work very closely with the Business Enablement Team.

I think that reinforces that Office 365 is about people working with information and the technology is just the enabler.

We use Content Manager 9 for management of high risk/high value records and the records management team has largely been unaffected by the implementation of Office 365.  However, the role of my EDRMS Systems Administrator has also morphed to include administration of e-discovery in O365, and management of the information compliance features such as retention, data loss prevention policies and compliance monitoring.  This provides job enrichment and takes them out of that traditional EDRMS space. 

For me as the manager of Productivity & Information Management, my day-to-day role has morphed quite significantly over the last 18 months. The IM profession has been pondering the new skill set required for the modern IM professional in the changing information landscape - Griffith is already living the reality. 

IDM: What are some of the other major challenges you face in managing information at Griffith University?

GI: Griffith, like any University, has a very diversified portfolio of functions and activities across research, teaching and learning and corporate business. Our application portfolio naturally includes a significant number of cloud-based line-of-business applications which doesn’t natively integrate with our EDRMS and are definitely not built with records management in mind. The sheer volume of information is obviously also a challenge. For any organization to adequately address their legislative records management obligations, at the same time adequately protecting their information assets, they will have no choice but to start looking at smarter ways to manage their information. There are emerging AI capabilities for in-place appraisal and identification of high risk/high value information assets which will be worthwhile investigating in the near future.

The IM gig keeps getting wilder – exciting times!