Key Compliance and Security Considerations for the Energy Industry

Illustration metaphor for a global view of various industries using the cloud

Introduction

The energy industry provides society with fuel and critical infrastructure that people rely on every day. In order to ensure the reliability of infrastructure related to bulk power systems, regulatory authorities impose strict standards on energy industry organizations. These regulatory standards relate not only to the generation and transmission of power, but also to the data and communications that are critical to the day to day operations of energy companies.

Organizations in the energy industry work with and exchange numerous types of information as part of their regular operations, including customer data, capital engineering design documentation, resource location maps, project management artifacts, performance metrics, field service reports, environmental data, and performance metrics. As these organizations look to transform their operations and collaboration systems into modern digital platforms, they are looking to Microsoft as a trusted Cloud Service Provider (CSP) and Microsoft 365 as their best-of-breed collaboration platform. Since Microsoft 365 is intrinsically built on the Microsoft Azure platform, organizations should examine both platforms as they consider their compliance and security controls when moving to the Cloud.

In North America, the North America Electric Reliability Corporation (NERC) enforces reliability standards that are referred to as NERC Critical Infrastructure Protection (CIP) standards. NERC is subject to oversight by the U.S. Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. All bulk power system owners, operators, and users must register with NERC and must comply with NERC CIP standards. Cloud Service Providers and third-party vendors such as Microsoft are not subject to NERC CIP standards; however, the CIP standards include objectives that should be considered when Registered Entities use vendors in the operation of the Bulk Electric System (BES). Microsoft customers operating Bulk Electric Systems are wholly responsible for ensuring their own compliance with NERC CIP standards.

For information about Microsoft cloud services and NERC, see the following resources:

Regulatory standards that are recommended for consideration by energy organizations include FedRAMP (US Federal Risk and Authorization Management Program) which is based on and augments the NIST SP 800-53 Rev 4 standard (National Institute of Standards and Technology).

  • Microsoft Office 365 and Office 365 U.S. Government have each been granted a FedRAMP ATO (Authorization to Operate) at the Moderate Impact Level.
  • Azure and Azure Government have each been granted a FedRAMP High P-ATO (Provisional Authorization to Operate), which represents the highest level of FedRAMP authorization.

For information about Microsoft cloud services and FedRAMP, see the following resources:

These achievements are significant for the energy industry because a comparison between the FedRAMP Moderate control set and NERC CIP requirements shows that FedRAMP Moderate controls encompass all the NERC CIP requirements. For additional information, Microsoft has developed a Cloud Implementation Guide for NERC Audits that includes a control mapping between the current set of NERC CIP standards and FedRAMP Moderate control set as documented in NIST 800-53 Rev 4.

As the energy industry looks to modernize their collaboration platforms, careful consideration is required for the configuration and deployment of collaboration tools and security controls, including:

  • Assessment of common collaboration scenarios
  • Access to data required by employees to be productive
  • Regulatory compliance requirements
  • Associated risks to data, customers and the organization

Microsoft 365 is a modern workplace cloud environment that can provide secure and flexible collaboration across the enterprise, as well as controls and policy enforcement to adhere to the most stringent regulatory compliance frameworks. Through the following topics, this paper will explore how the Microsoft 365 platform helps the energy industry move to a modern collaboration platform, while helping keep data and systems both secure and compliant with regulations:

  • Provide a Comprehensive Collaboration Platform with Microsoft Teams
  • Provide Secure and Compliant Collaboration in the Energy Industry
  • Identify Sensitive Data and Prevent Data Loss
  • Govern Data by Effectively Managing Records
  • Comply with FERC and FTC Regulations for Energy Markets
  • Protect Against Data Exfiltration and Insider Risk

As a Microsoft partner, Protiviti contributed to and provided material feedback to this article.

Provide a Comprehensive Collaboration Platform with Microsoft Teams

Collaboration typically requires multiple forms of communication, the ability to store and access documents, and the ability to integrate other applications as needed. Whether they are global enterprises or local companies, employees in the energy sector typically need to collaborate and communicate with members of other departments or across teams. They also often need to communicate with external partners, vendors, or clients. As a result, utilizing systems that create silos or make it difficult to share information is typically not recommended. That said, we still want to ensure that employees are sharing information securely and according to policy.

Providing employees with a modern, cloud-based collaboration platform, which allows them to choose and easily integrate the tools that make them most productive, empowers them to find the best ways to work and collaborate. Using Microsoft Teams, in conjunction with security controls and governance policies to protect the organization, can help your workforce to easily collaborate in the cloud.

Microsoft Teams provides a collaboration hub for your organization, which quickly brings people together to work effectively and collaborate with other team members on common initiatives or projects. It allows team members to conduct conversations, collaborate, and co-author documents. It enables people to store and share files with team members or those outside the team. It also allows them to hold live meetings with integrated enterprise voice and video. Microsoft Teams can be customized with easy access to Microsoft apps such as Planner, Dynamics 365, Power BI, and other third-party line-of-business applications. Teams simplifies access to Office 365 services and third-party apps to centralize collaboration and communication needs for the organization.

Every Microsoft Team is backed by an Office 365 Group. An Office 365 Group is considered the membership provider for numerous Office 365 services, including Microsoft Teams. As such, Office 365 Groups are used to securely control which users are considered members and which are owners of the group, thereby restricting the members and owners of the Team. This allows us to easily control which users have access to varying capabilities within Teams. As a result, Team members and owners may only access the capabilities that they are permitted to utilize.

A common scenario where Microsoft Teams can benefit energy organizations is collaborating with contractors or external firms as part of a field service programs such as vegetation management. Contractors are typically engaged to manage vegetation or remove trees around power system installations, and they often need to receive work instructions, communicate with dispatchers and other field service personnel, take and share pictures of external surroundings, sign off when work is complete and share data back with head office. Traditionally, these programs have been run using phone, text, paper work orders, or custom applications. This can present numerous challenges including:

  • Processes are manual or analog, making metrics difficult to track
  • Communications are not all captured in one place
  • Data is siloed and not necessarily shared with all employees that need it
  • Work may not be performed consistently or efficiently
  • Custom applications are not integrated with collaboration tools, making it difficult to extract and share data or measure performance

Microsoft Teams can provide an easy-to-use collaboration space to securely share information and conduct conversations between team members and external field service contractors. Teams can be used to conduct meetings, place voice calls, centrally store and share work orders, collect field data, upload photos, integrate with business process solutions (built with Power Apps and Power Automate), and integrate line of business apps. This type of field service data may be considered low impact; however, efficiencies can be gained by centralizing communications and access data between employees and field service personnel in these scenarios.

Another example where Microsoft Teams can benefit the energy industry is when field service personnel are working to restore service during an outage. Field staff often require fast access to schematic data for substations, generating stations, or blue prints for assets in the field. This data is considered high impact and must be protected according to NERC CIP regulations. Field service work during outages requires communication between field staff and office employees, and in turn with end customers. Centralizing communications and data sharing in Microsoft Teams provides field staff with an easy method to both access critical data and communicate information or status back to head office. For example, Microsoft Teams enables field staff to join conference calls while on route to an outage. Field staff can also take photos or video of their environment and share those with head office, which is particularly important when field equipment does not match schematics. Data and status collected from the field can then be surfaced to office employees and leadership through data visualization tools such as Power BI. Ultimately, Microsoft Teams can make field staff more efficient and productive in these critical situations.

Teams: Improve collaboration and reduce compliance risk

Microsoft 365 provides common policy capabilities for Microsoft Teams through its use of Office 365 Groups as an underlying membership provider. These policies can help improve collaboration and help meet compliance needs.

Office 365 Group Naming Policies help to ensure that Office 365 Groups, and therefore Microsoft Teams, are named according to corporate policy. The name of a Team can present challenges if not named appropriately – for example, employees may not know which teams to work or share information within if they are incorrectly named. Group naming policies can enforce good hygiene and may also prevent use of specific words, such as reserved words or inappropriate terminology.

Office 365 Group Expiration Policies help to ensure that Office 365 Groups, and therefore Microsoft Teams, are not retained for longer periods of time than required by the organization. This capability helps to prevent two key information management issues:

  • The proliferation of Microsoft Teams that are not necessary or used
  • The over-retention of data that is no longer required by the organization

Administrators may specify an expiration period in days for Office 365 Groups, such as 90, 180 or 365 days. If a service which is backed by an Office 365 group is inactive for the expiration period, group owners are notified and if no action is taken then the Office 365 Group and all its related services including Microsoft Teams will be deleted.

The over-retention of data in a Microsoft Team can pose litigation risks to organizations, and the use of expiration policies is a recommended method for protecting the organization. Combined with built-in retention labels and policies, Microsoft 365 helps ensure that organizations are only retaining the data required to meet regulatory compliance obligations.

Teams: Integrate custom requirements with ease

Microsoft Teams enables self-service creation of Teams by default. However, many regulated organizations wish to control and understand which collaboration spaces are currently in use by employees, which spaces contain sensitive data, and who the owners are of spaces throughout their organization. To facilitate these controls, Microsoft 365 allows organizations to disable self-service Teams creation and, using built-in Microsoft 365 business process automation tools such as Power Apps and Power Automate, allows organizations to build simple processes to request a new Team. Completing an easy to use form, an approval can be automatically requested by a manager. Once approved, the Team can be automatically provisioned and the requestor is sent a link to their new Team. By building such processes, organizations may also integrate custom requirements to facilitate other business processes.

Provide Secure and Compliant Collaboration in the Energy Industry

As mentioned, Microsoft Office 365 and Office 365 U.S. Government have each achieved FedRAMP ATO at the Moderate Impact Level, and Azure and Azure Government have achieved a FedRAMP High P-ATO which represents the highest level of FedRAMP authorization. Additionally, the FedRAMP moderate control set encompasses all of the NERC CIP requirements, thereby allowing energy industry organizations ("registered entities") to leverage existing FedRAMP authorizations as a scalable and efficient approach to addressing NERC audit requirements. However, its important to note that FedRAMP is not a point-in-time certification but an assessment and authorization program that includes provisions for continuous monitoring. Although this provision applies primarily to the CSP, Microsoft customers operating Bulk Electric Systems are responsible for ensuring their own compliance with NERC CIP standards and it is generally a recommended practice to continuously monitor the organization's compliance posture to help ensure ongoing compliance with regulations.

Microsoft provides a key tool to assist with monitoring compliance with regulations over time:

  • Microsoft Compliance Manager helps the organization understand its current compliance posture and the actions which it can take to help improve that posture. Compliance Manager calculates a risk-based score measuring progress in completing actions that help reduce risks around data protection and regulatory standards. Compliance Manager provides an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes common industry regulations and standards. While this score is a good starting point, Compliance Manager becomes more powerful once an organization adds assessments that are more relevant to their industry. Compliance Manager supports a number of regulatory standards that are relevant for NERC CIP compliance obligations, including the FedRAMP Moderate Control Set, NIST 800-53 Rev. 4, and AICPA SOC 2. Energy industry organizations may also create or import custom control sets if needed.

The workflow-based capabilities built into Compliance Manager allow energy organizations to transform and digitize their regulatory compliance processes. Traditionally, challenges faced by compliance teams in the energy industry include:

  • Inconsistent reporting or tracking of progress on remediation actions
  • Inefficient or ineffective processes
  • Insufficient resources or lack of ownership
  • Lack of real-time information and human error

By automating aspects of regulatory compliance processes through the use of Compliance Manager, organizations can reduce the administrative burden on legal and compliance functions. This tooling can help address these challenges by providing more up to date information on remediation actions, more consistent reporting, and documented ownership of actions which is linked to the implementation of actions. Organizations can automatically track remediation actions over time and see overall efficiency gains. This can in turn enable staff to focus more effort on gaining insights and developing strategies to help navigate risk more effectively.

Compliance Manager does not express an absolute measure of organizational compliance with any particular standard or regulation. It expresses the extent to which you have adopted controls which can reduce the risks to personal data and individual privacy. Recommendations from Compliance Manager should not be interpreted as a guarantee of compliance. The customer actions provided in Compliance Manager are recommendations; it is up to each organization to evaluate the effectiveness of these recommendations in their respective regulatory environment prior to implementation. Recommendations found in Compliance Manager should not be interpreted as a guarantee of compliance.

Many cyber security related controls are included in the FedRAMP Moderate Control Set and NERC CIP standards. However, key controls related to the Microsoft 365 platform include security management controls (CIP-003-6), account and access management/access revocation (CIP-004-6), electronic security perimeter (CIP-005-5), security event monitoring, and incident response (CIP-008-5). The following foundational Microsoft 365 capabilities help to address the risks and requirements included in these topics.

Secure User Identities and Control Access

Protecting access to documents and applications begins with strongly securing user identities. As a foundation, this requires providing a secure platform for the enterprise to store and manage identities and providing a trusted means of authentication. It also requires dynamically controlling access to these applications. As employees work, they may move from application to application or across multiple locations and devices. As a result, access to data must be authenticated at each step of the way. In addition, the authentication process must support a strong protocol and multiple factors of authentication (one-time SMS pass code, authenticator app, certificate, etc.) so that we can ensure that identities have not been compromised. Finally, enforcing risk-based access policies are a key recommendation to protecting data and applications from insider threats, inadvertent data leaks and data exfiltration.

Microsoft 365 provides a secure identify platform with Azure Active Directory (Azure AD) where identities are centrally stored and securely managed. Azure Active Directory, along with a host of related Microsoft 365 security services, forms the basis for providing employees with the access they need to work securely while also protecting the organization from threats.

Azure AD Multi-Factor Authentication (MFA) is built into the platform and provides an additional layer of protection to help ensure users are who they say they are when accessing sensitive data and applications. Azure MFA requires at least two forms of authentication, such as a password and a known mobile device. It supports several second factor authentication options, including: the Microsoft Authenticator app, a one-time passcode delivered via SMS, receiving a phone call where a user must enter a PIN, and smart cards or certificate-based authentication. In the event a password is compromised, a potential hacker still needs the user's phone to gain access to organizational data. In addition, Microsoft 365 uses Modern Authentication as a key protocol, bringing the same strong authentication experience from web browsers to collaboration tools, including Microsoft Outlook and Microsoft Office apps.

Azure AD Conditional Access provides a robust solution for automating access control decisions and enforcing policies to protect company assets. A common example is when an employee wishes to access an application containing sensitive customer data, and they are automatically required to perform a multi-factor authentication to specifically access that application. Azure Conditional Access brings together signals from a user's access request, such as properties about the user, their device, location, network, and the app or repository they are trying to access. It can dynamically evaluate every attempt to access the application against configured policies. If user or device's risk is elevated, or if other conditions are not met, Azure AD can automatically enforce policy such as dynamically requiring MFA, restricting or even blocking access. This helps ensure that sensitive assets are protected in dynamically changing environments.

Microsoft Defender for Office 365 provides an integrated service to protect organizations from malicious links and malware delivered through email. One of the most common attack vectors impacting users today is email phishing attacks. These attacks can be carefully targeted at specific high-profile employees and can be crafted to be very convincing. They typically contain some call to action requiring a user to click a malicious link or open an attachment with malware. Once infected, an attacker can steal a user's credentials and move laterally across the organization. They can also exfiltrate emails and data looking for sensitive information. Microsoft Defender for Office 365 evaluates links at click-time for potentially malicious sites and blocks them. Email attachments are opened in a protected sandbox prior to delivering them to a user's mailbox.

Microsoft Cloud App Security (MCAS) provides organizations with the ability further enforce policies at a granular level and detect behavioral anomalies based on individual user profiles that are automatically defined using Machine Learning. MCAS can build on Azure Conditional Access policies, to further protect sensitive assets by evaluating additional signals related to user behavior and properties of the documents being accessed. Over time, MCAS will learn what is considered typical behavior for each employee, with regard to the data they access and the applications they use. Based on learned behavioral patterns, policies can automatically enforce security controls if an employee goes outside of that behavioral profile. For example, if an employee typically accesses an accounting app from 9am to 5pm, Monday to Friday, but that same user begins to access that application heavily on a Sunday evening, MCAS can dynamically enforce policies to require the user to re-authenticate. This helps ensure that credentials have not been compromised. In addition, MCAS can help discover and identify Shadow IT in the organization, helping InfoSec teams ensure that employees are using sanctioned tools when working with sensitive data. Finally, MCAS can protect sensitive data anywhere in the Cloud, even outside of the Microsoft 365 platform. It allows organizations to sanction (or un-sanction) specific external Cloud apps, controlling access and monitoring when users work in those applications.

Azure Active Directory, and the related Microsoft 365 security services, provide the foundation upon which a modern cloud collaboration platform can be rolled out to energy industry organizations so that access to data and applications can be strongly secured and regulatory compliance obligations can be met. To summarize, these tools provide the following key capabilities:

  • Centrally store and securely manage user identities
  • Use a strong authentication protocol including multi-factor authentication to authenticate users on access requests and provide a consistent and robust authentication experience across any application
  • Dynamically validate policies on all access requests, incorporating multiple signals into the policy decision making process, including identity, user/group membership, application, device, network, location, and real-time risk score
  • Validate granular policies based on user behavior and file properties and dynamically enforce additional security measures when required
  • Identify shadow IT in the organization and allow InfoSec teams to sanction or block cloud applications
  • Monitor and control access to Microsoft and non-Microsoft cloud applications
  • Proactively protect against email phishing and ransomware attacks

Identify Sensitive Data and Prevent Data Loss

The FedRAMP Moderate Control Set and NERC CIP standards also include information protection as a key control requirement (CIP-011-2). These requirements specifically address the need to identify information related to BES (Bulk Electric System) Cyber System Information, the protection and secure handling of that information, including storage, transit, and use. Specific examples of BES Cyber System Information may include security procedures or security information about systems that are fundamental to operating the bulk electric system (BES Cyber Systems, Physical Access Control Systems, and Electronic Access Control or monitoring systems) that is not publicly available and could be used to allow unauthorized access or unauthorized distribution. However, the same need exists to identify and protect customer information that is critical to the day to day operations of energy organizations.

Microsoft 365 allows sensitive data to be identified and protected within the organization through a combination of powerful capabilities, including:

  • Microsoft Information Protection (MIP) for both user-based classification and automated classification of sensitive data

  • Office 365 Data Loss Prevention (DLP) for automated identification of sensitive data using sensitive data types (i.e. regular expressions) and keywords, and policy enforcement

Microsoft Information Protection (MIP) allows employees to classify documents and emails with sensitivity labels. Sensitivity labels can be applied manually by users to documents within the Microsoft Office apps and to emails within Microsoft Outlook. Sensitivity labels can in turn automatically apply document markings, protection through encryption, and enforce rights management. They may also be applied automatically, by configuring policies which use keywords and sensitive data types (credit card numbers, social security numbers, identity numbers, etc.) to automatically find and classify sensitive data.

In addition, Microsoft provides trainable classifiers which use machine learning models to identify sensitive data based on what the content is, as opposed to simply through pattern matching or by the elements within the content. A classifier learns how to identify a type of content by looking at numerous examples of the content to be classified. Training a classifier begins by providing it with examples of content within a particular category. Once it processes those examples, the model is tested by providing it with a mix of both matching and non-matching examples. The classifier then predicts whether a given example falls into the category or not. A person then confirms the results, sorting the positives, negatives, false positives, and false negatives to help increase the accuracy of the classifier's predictions. When the trained classifier is published, it processes content in SharePoint Online, Exchange Online, and OneDrive for Business, and automatically classifies the content.

Applying sensitivity labels to documents and emails will embed metadata within the object which identifies the chosen sensitivity, thereby allowing the sensitivity to travel with the data. As a result, even if a labeled document is stored on a user's desktop or within an on-premise system, it is still protected. This in turn enables other Microsoft 365 solutions such as Microsoft Cloud App Security or network edge devices to identify sensitive data and automatically enforce security controls. Sensitivity labels have the added benefit of educating employees as to which data within an organization is considered sensitive, and how to handle that data should they receive it.

Office 365 Data Loss Prevention (DLP) will automatically identify documents, emails and conversations which contain sensitive data by scanning them for sensitive data types and then enforcing policy on those objects. Policies are enforced on documents within SharePoint and OneDrive for Business. They are also enforced when users send email, and in Microsoft Teams within chat and channel conversations. Policies may be configured to look for keywords, sensitive data types, retention labels and whether data is shared within the organization or externally. Controls are provided to help organizations fine-tune DLP policies to better avoid false positives. When sensitive data is found, customizable policy tips may be displayed to users within Microsoft 365 applications, informing them that their content contains sensitive data and/or proposing corrective actions. Policies can also prevent users from accessing documents, sharing documents, or sending emails which contain certain types of sensitive data. Microsoft 365 supports over 100 built-in sensitive data types, and organizations can configure custom sensitive data types to meet their policies.

Rolling out MIP and DLP policies to organizations requires careful planning and typically a user education program so that employees understand the organization's data classification schema and which types of data are considered sensitive. Providing employees with tools and education programs that help them identify sensitive data and help them understand how to handle it makes them part of the solution for mitigating information security risks.

Govern Data by Effectively Managing Records

Regulations require many organizations to manage the retention of key organizational documents according to a managed corporate retention schedule. Organizations face regulatory compliance risks if data is under-retained (deleted too early), or legal risks if data is over-retained (kept too long). Effective records management strategies help to ensure that organizational documents are retained according to predetermined retention periods which are designed to minimize risk to the organization. Retention periods are prescribed in a centrally managed organizational record retention schedule, and they are based on the nature of each type of document, on regulatory compliance requirements for retaining specific types of data, and on the defined policies of the organization.

Assigning record retention periods accurately across organizational documents may require a granular process which assigns retention periods uniquely to individual documents. The vast number of documents within energy industry organizations, coupled with the fact that in many cases retention periods can be triggered by organizational events (such as contracts expiring or an employee leaving the organization), make applying record retention policies at scale challenging for many organizations.

Microsoft 365 provides capabilities for defining retention labels and policies to easily implement records management requirements. A record manager defines a retention label, which represents a "record type" in a traditional retention schedule. The retention label contains settings which define:

  • How long a record is retained for
  • The concurrency requirements or what occurs when retention period expires (delete the document, start a disposition review, or take no action)
  • What triggers the retention period to start (created date, last modified date, labeled date, or an event), and
  • If the document or email is a record (meaning it cannot be edited or deleted)

Retention labels are then published to SharePoint or OneDrive sites, Exchange mailboxes, and Office 365 Groups. Users may then apply retention labels manually to documents and emails, or record managers can use rules to automatically apply retention labels. Auto-apply rules can be based on keywords or sensitive data found within documents or emails, such as credit card numbers, social security numbers or other personally identifiable information (PII) or they can be based on SharePoint metadata.

The FedRAMP Moderate Control Set and NERC CIP standards also include Asset Reuse and Disposal as a key control requirement (CIP-011-2). These requirements once again specifically address BES (Bulk Electric System) Cyber System Information. However, other jurisdictional regulations will require energy industry organizations to manage and dispose of records effectively for numerous types of information. This will include financial statements, capital project information, budgets, customer data, etc. In all cases, energy organizations will be required to maintain robust records management programs and evidence related to the defensible disposition of corporate records.

With each retention label, Office 365 allows record managers to determine if a disposition review is required. Then when those record types come up for disposition, after their retention period has expired, a review must be conducted by the designated disposition reviewers before content is deleted. Once the disposition review is approved, content deletion will proceed, however evidence of the deletion, the user that performed the deletion and date/time in which it occurred is still retained for multiple years (as a certificate of destruction). If organizations require longer or permanent retention of certificates of destruction, Azure Sentinel may be used for long term cloud-based storage of log and audit data. Azure Sentinel gives organizations full control over the long term storage and retention of activity data, log data and retention/disposition data.

Comply with FERC and FTC Regulations for Energy Markets

The U.S. Federal Energy Regulatory Commission (FERC) oversees regulations related to energy markets and trading for the electric energy and natural gas markets. The U.S. Federal Trade Commission (FTC) oversees similar regulations in the petroleum market. In both cases these regulatory bodies set out rules and guidance to prohibit energy market manipulation. FERC, for example, recommends that energy organizations invest in technology resources to monitor trading, trader communications, and compliance with internal controls. They further recommend that energy organizations evaluate, on a regular basis, the ongoing effectiveness of the organization's compliance program.

Traditionally, communication monitoring solutions are costly, and they can be complex to configure and manage. Also, organizations can experience challenges with monitoring the numerous, varying communication channels available to employees. Microsoft 365 provides several built-in robust capabilities for monitoring employee communications, supervising employee activities, and helping to comply with FERC regulations for energy markets.

Implement Supervisory Control

Microsoft 365 enables organizations to configure supervision policies which capture employee communications (based on configured conditions) and allow these to be reviewed by designated supervisors. Supervision policies can capture internal/external email and attachments, Microsoft Teams chat and channel communications, Skype for Business Online chat communications and attachments, along with communications through third-party services (such as Facebook or Dropbox).

The comprehensive nature of communications that may be captured and reviewed within an organization, and the extensive conditions with which policies may be configured, allow Microsoft 365 Supervision Policies to help organizations comply with FERC energy market regulations. Supervision policies may be configured to review communications for individuals or groups. In addition, supervisors may be configured to be individuals or groups. Comprehensive conditions may be configured to capture communications based on inbound or outbound messages, domains, retention labels, keywords or phrases, keyword dictionaries, sensitive data types, attachments, message size, or attachment size. Reviewers are provided with a dashboard where they can review flagged communications, act on communications that potentially violate policies, or mark flagged items as resolved. They may also review the results of previous reviews and items that were have been resolved.

Microsoft 365 provides reports which allow supervision policy review activities to be audited based on the policy and the reviewer. The available reports may be used to validate that supervision policies are working as defined by the organizations written supervision policies. They may also be used to identify communications requiring review and which communications are not compliant with corporate policy. Finally, all activities related to configuring supervision policies and reviewing communications are audited in the Office 365 unified audit log.

Microsoft 365 Supervision Policies allow organizations to monitor communications for compliance with corporate policies, such as human resources harassment violations and offensive language in company communications. It also allows organizations to reduce risk, by monitoring communications when organizations are undergoing sensitive organizational changes, such as mergers and acquisitions, or leadership changes.

Communication Compliance

With many communication channels available to employees, organizations increasingly require effective solutions for monitoring or supervising communications in regulated industries such as energy trading markets. The recently launched Communication Compliance solution built into Microsoft 365 helps organizations overcome common challenges such as increasing numbers of communication channels and message volume, as well as the risk of potential fines for policy violations.

Communication Compliance can monitor multiple communication channels and use machine learning models to identify potential policy violations, including Office 365 email, Microsoft Teams, Skype for Business Online, Facebook, Twitter and Bloomberg instant messages. Communication Compliance helps compliance teams effectively and efficiently review messages for potential violations of:

  • Corporate Policies, such as acceptable use, ethical standards, and corporate specific policies
  • sensitivity or sensitive business disclosures, such as unauthorized communications about sensitive projects like upcoming acquisitions, mergers, earnings disclosures, reorganizations, or leadership team changes
  • Regulatory compliance requirements, such as employee communications regarding the types of businesses or transactions in which an organization engages in compliance with FERC regulations for energy markets

Communication Compliance provides built-in threat, harassment, and profanity classifiers to help reduce false positives when reviewing communications. This saves reviewers time during the investigation and remediation process. It helps reviewers focus on specific messages within long threads that have been highlighted by policy alerts. This helps compliance teams more quickly identify and remediate risks. It provides compliance teams with the ability to easily configure and fine-tune policies, adjusting the solution to the organization's specific needs and reducing false positives. Communication Compliance can also track user behavior over time, highlighting potential patterns in risky behavior or policy violations. Finally, it provides flexible built-in remediation workflows so that reviewers can quickly take action and escalate to legal or human resources teams according to defined corporate processes.

Protect Against Data Exfiltration and Insider Risk

A common threat to enterprises is data exfiltration, or the act of extracting data from an organization. This can be a significant concern for energy organizations due to the sensitive nature of the information that may be accessed by employees or field service staff day to day. This includes both BES (Bulk Electric System) Cyber System information as well as business related information and customer data. With the increasing methods of communications available and numerous tools for moving data, advanced tools are typically required to mitigate risks of data leaks, policy violations and insider risk.

Insider Risk Management

Enabling employees with online collaboration tools that may be accessed anywhere inherently brings risk to an organization. Employees may inadvertently or maliciously leak data to attackers or to competitors. Alternatively, they may exfiltrate data for personal use or take data with them to a future employer. These scenarios' present serious risks to organizations from a security and a compliance standpoint. Identifying these risks when they occur and quickly mitigating them requires both intelligent tools for data collection and collaboration across departments such as legal, human resources, and information security.

Microsoft 365 has recently launched the Insider Risk Management console which uses signals across Microsoft 365 services and machine learning models to monitor user behavior for signs of insider risk. This tool presents data to investigators so that they can easily identify risky behavioral patterns and escalate cases based on pre-determined workflows.

For example, Insider Risk Management can correlate signals from a user's Windows 10 desktop, such as copying files to a USB drive or emailing a personal email account, with activities from online services such as Office 365 email, SharePoint Online, Microsoft Teams, OneDrive for Business, etc. to identify data exfiltration patterns. It can also correlate these activities with employees leaving an organization which is a common behavioral pattern associated with data exfiltration. It can monitor multiple activities and behavior over time, and when common patterns emerge, it can raise alerts and help investigators focus on key activities to verify a policy violation with a high degree of confidence. Insider Risk Management can also obfuscate data from investigators to help meet data privacy regulations, while still surfacing key activities that help them efficiently perform investigations. When ready, it allows investigators to package and securely send key activity data to human resources and legal departments, following common escalation workflows for raising cases for remediation action.

Insider Risk Management is a significant increase in capabilities in Microsoft 365 for monitoring and investigating insider risks, while allowing organizations to still meet data privacy regulations and follow established escalations paths when cases require higher-level action.

Conclusion

Microsoft 365 provides an integrated and comprehensive solution which enables easy-to-use cloud-based collaboration across the enterprise with Microsoft Teams. Microsoft Teams also enables better communication and collaboration with field service staff, helping energy organizations to be more efficient and effective. Better collaboration across the enterprise and with field staff can ultimately help energy organizations to better serve customers.

Energy industry organizations must comply with strict regulations related to how they store, secure, manage, and retain information related to their operations and customers. They must also comply with regulations related to how they monitor and prevent the manipulation of energy markets. Microsoft 365 provides robust security controls for protecting data, identities, devices, and applications from risks and complying with strict energy industry regulations. Built-in tools are provided to help energy organizations assess their compliance, as well as take action and track remediation activities over time. These tools also provide easy to use methods for monitoring and supervising communications. The Microsoft 365 platform is built on foundational components like Microsoft Azure and Azure Active Directory, helping to secure the overall platform and helping the organization meet compliance requirements for FedRAMP Moderate and High control sets. This in turn contributes to an energy organization's ability to meet NERC CIP standards.

Overall, Microsoft 365 helps energy organizations to better protect the organization, to have more robust compliance programs, and to enable staff to focus on gaining better insights and implementing strategies to better reduce risk.