Compliance policies allow administrators to standardize sharing activities on their organization's sites and to monitor and enforce compliance with their requirements. Any violation of a compliance policy is detected by 365 Permission Manager and reported to the administrator for review. The administrator must then decide whether an individual violation should be tolerated or whether its cause should be eliminated.
Once a policy is assigned to a site, the site must meet the requirements defined in that policy in order to be marked as compliant. If no compliance policy has been assigned to a site, the site is automatically assigned a default compliance policy. This also applies to sites that are added to the organization in the future.
There are two types of compliance policies: recommended compliance policies and custom compliance policies.
The following is a list of recommended policies included in the app:
- Public: Recommended compliance policy for sites that contain data that is open to the general public. This can include general information about the organization or data that is not sensitive and can be shared externally such as on your website.
- Internal: Recommended compliance policy for sites that contain data that can be shared with all employees within your organization.
- Confidential: Recommended compliance policy for sites that contain data that should only be available for specific teams within your organization.
- Restricted: Recommended compliance policy for sites that contain data that is considered sensitive and must only be accessed by specific individuals within your organization. (This policy is required for data whose external disclosure would have a significant financial or legal impact on the organization, such as personally identifiable information (PII), health information (PHI), or payment information.)
There are also legacy recommended compliance policies, which are only visible to 365 Permission Manager users who had them configured before the introduction of the new compliance policies above.
- Public (old): Recommended compliance policy for sites that are used for communication with external tenant users. With this policy, the 365 Permission Manager service notifies the site owners when anonymous sharing links are created.
- EverGreen (old): Recommended compliance policy for sites that mainly contain items that should only be shared inside the organization.
- Confidential (old): Recommended policy for sites to which only specific users or groups have access. The contents are not accessible to all users of the organization.
- Sensitive (old): Recommended policy for sites that are intended for specific users only and contain sensitive data.
The specific settings of the recommended compliance policies can be viewed in the "Compliance Policies" section, where you can assign, edit or delete any existing policy as well as create new custom policies.
The requirements of a compliance policy can affect a site's general settings, sharing activities for individual items, and the site's general settings for sharing links (default link type, default link permissions and guest access expiration). In addition, trusted domains can be excluded from the restrictions on sharing items with users outside the organization.
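The site settings named above (sharing capability, default link type, default link permission, domain allow list) are ordinary SharePoint Online site properties, so an administrator can independently check whether a site actually matches the level it was assigned. The following script is an added example and is not part of 365 Permission Manager; it uses the SharePoint Online Management Shell cmdlets Get-SPOSite and Set-SPOSite. The tenant and site URLs, and the baseline values chosen for a "Restricted" site, are assumptions for illustration.

```powershell
# Added example, not product code. Needs the Microsoft.Online.SharePoint.PowerShell
# module and a SharePoint administrator account. Tenant/site URLs are assumed.
Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # assumed tenant

# Hypothetical baseline for a "Restricted" site: external sharing off,
# direct (people-specific) links only, read-only by default.
$RestrictedBaseline = @{
    SharingCapability      = 'Disabled'
    DefaultSharingLinkType = 'Direct'
    DefaultLinkPermission  = 'View'
}

# Compare a site's live settings against a baseline and return one object per deviation.
function Test-SiteSharingBaseline {
    param([string]$Url, [hashtable]$Expected)
    $site = Get-SPOSite -Identity $Url -Detailed
    foreach ($name in $Expected.Keys) {
        $actual = [string]$site.$name
        if ($actual -ne $Expected[$name]) {
            [pscustomobject]@{ Site = $Url; Setting = $name; Expected = $Expected[$name]; Actual = $actual }
        }
    }
}

$siteUrl = "https://contoso.sharepoint.com/sites/payroll"   # assumed site
$drift = Test-SiteSharingBaseline -Url $siteUrl -Expected $RestrictedBaseline
if ($drift) { $drift | Format-Table -AutoSize } else { "OK: $siteUrl matches the Restricted baseline" }

# Remediation, to be run only after the deviations have been reviewed:
# Set-SPOSite -Identity $siteUrl -SharingCapability Disabled `
#     -DefaultSharingLinkType Direct -DefaultLinkPermission View
#
# For a level that permits external sharing only with trusted domains,
# the equivalent exclusion is a domain allow list (partner.example is assumed):
# Set-SPOSite -Identity $siteUrl -SharingDomainRestrictionMode AllowList `
#     -SharingAllowedDomainList "partner.example"
```

The comparison is string-based on purpose: Get-SPOSite returns enumeration values, and coercing them to strings keeps the baseline readable and avoids loading the enum types. Site-level settings can only be as permissive as the tenant-level sharing settings allow, so a deviation reported here may also need to be corrected at the tenant level.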