Important
Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
Before you get started with Insider Risk Management in your organization, review important planning activities and considerations with your information technology and compliance management teams. Thoroughly understanding and planning for deployment in the following areas helps ensure that your implementation and use of Insider Risk Management features goes smoothly and aligns with best practices.
For more information and an overview of the planning process to address risky activities in your organization, see Starting an Insider Risk Management program.
To learn how the Insider Risk Management workflow can help your organization prevent, detect, and contain risks while prioritizing your organization's values, culture, and user experience, watch the following video:
Check out the Microsoft Mechanics video on how Insider Risk Management and Communication Compliance work together to help minimize data risks from users in your organization.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Microsoft Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
Work with stakeholders in your organization
Identify the appropriate stakeholders in your organization to collaborate on taking action on Insider Risk Management alerts and cases. Consider including the following areas of your organization in initial planning and in the end-to-end Insider Risk Management workflow:
- Information technology
- Compliance
- Privacy
- Security
- Human resources
- Legal
Determine regional compliance requirements
Different geographic and organizational areas might have compliance and privacy requirements that differ from other areas of your organization. Work with the stakeholders in these areas to ensure they understand the compliance and privacy controls in Insider Risk Management and how to use them across different areas of your organization. In some scenarios, compliance and privacy requirements might call for policies that designate, or restrict, which stakeholders take part in investigations and cases, based on the user involved or on regulatory or policy requirements for the area.
If you have requirements for specific stakeholders to be involved in case investigations that involve users in certain regions, roles, or divisions, consider implementing separate (even if identical) Insider Risk Management policies that target the different regions and populations. This configuration makes it easier for the right stakeholders to triage and manage cases that are relevant to their roles and regions. Consider creating processes and policies for regions where investigators and reviewers speak the same language as the users. This approach can help streamline the escalation process for Insider Risk Management alerts and cases.
Plan permissions to support the review and investigation workflow
Depending on how you want to manage Insider Risk Management policies and alerts, assign users to the role groups that match their responsibilities. You can give users with different compliance responsibilities different role groups, so that each person manages only the area of Insider Risk Management features their role requires. Or, if you prefer a single group, assign all user accounts for designated administrators, analysts, investigators, and viewers to the Insider Risk Management role group. Keep in mind that members of these role groups can view pseudonymized user activity and, for some roles, unmask user identities, so limit membership to the people the investigation workflow actually needs. For more information, see Assign Insider Risk Management permissions.
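The following is an added example, not code from the Microsoft documentation, showing one way to carry out the role-group assignment described above with Security & Compliance PowerShell and then produce a membership listing that the compliance, privacy, and legal stakeholders can review. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account is allowed to manage role groups, and that the user principal names are placeholders. The page itself names only the Insider Risk Management role group; the Admins, Analysts, Investigators, and Auditors role-group names used here are assumed from the permissions article referenced above, and the script verifies each name with Get-RoleGroup before touching it.

```powershell
# Added example (not from the Microsoft documentation).
# Assumptions: ExchangeOnlineManagement module installed; the signed-in account can
# manage role groups; all addresses below are placeholders; role-group names other
# than "Insider Risk Management" are assumed and verified before use.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder account

# Least-privilege mapping: each person is added only to the role group their task needs,
# rather than everyone going into the all-in-one "Insider Risk Management" group.
$assignments = @{
    'Insider Risk Management Admins'        = @('irm-admin@contoso.example')
    'Insider Risk Management Analysts'      = @('analyst1@contoso.example', 'analyst2@contoso.example')
    'Insider Risk Management Investigators' = @('investigator@contoso.example')
    'Insider Risk Management Auditors'      = @('audit-reviewer@contoso.example')
}

foreach ($roleGroup in $assignments.Keys) {
    # Confirm the role group exists in this tenant before assigning anyone to it.
    $group = Get-RoleGroup -Identity $roleGroup -ErrorAction SilentlyContinue
    if (-not $group) {
        Write-Warning "Role group '$roleGroup' not found; check the name in Get-RoleGroup output."
        continue
    }
    foreach ($member in $assignments[$roleGroup]) {
        try {
            Add-RoleGroupMember -Identity $roleGroup -Member $member -ErrorAction Stop
            Write-Host "Added $member to $roleGroup"
        } catch {
            # Typical causes: the user is already a member, or the account does not exist.
            Write-Warning "Could not add $member to ${roleGroup}: $($_.Exception.Message)"
        }
    }
}

# Review step: list every Insider Risk Management role group with its members, so the
# stakeholders can confirm who is able to see (and, for some roles, unmask) user activity.
Get-RoleGroup |
    Where-Object { $_.Name -like 'Insider Risk Management*' } |
    ForEach-Object {
        [PSCustomObject]@{
            RoleGroup = $_.Name
            Members   = (Get-RoleGroupMember -Identity $_.Name | Select-Object -ExpandProperty Name) -join '; '
        }
    } |
    Format-Table -AutoSize
```

Run the review step again after the pilot and whenever investigators change teams or regions; pairing the output with the separate-policies-per-region approach described in the previous section makes it straightforward to show that only the intended reviewers for a region hold investigator rights.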
Understand requirements and dependencies
Depending on how you plan to implement Insider Risk Management policies, you need the proper Microsoft 365 licensing subscriptions. You also need to understand and plan for some solution prerequisites.
Licensing: Microsoft offers Insider Risk Management as part of a wide selection of Microsoft 365 licensing subscriptions. For details, see the Getting started with Insider Risk Management article.
Important
Microsoft currently offers Insider Risk Management in tenants hosted in the geographic countries/regions supported by its Azure service dependencies. To verify that Microsoft supports Insider Risk Management for your organization, see Azure dependency availability by country/region.
If you don't have an existing Microsoft 365 Enterprise E5 plan and want to try Insider Risk Management, you can add Microsoft 365 to your existing subscription or sign up for a trial of Microsoft 365 Enterprise E5.
Policy template requirements: Depending on the policy template you choose, understand the following requirements and plan accordingly prior to configuring Insider Risk Management in your organization:
- For the Data theft by departing users template, configure a Microsoft 365 HR connector to periodically import resignation and termination date information for users in your organization. For step-by-step guidance to configure the Microsoft 365 HR connector, see the Import data with the HR connector article.
- For the Data leaks template, configure at least one Microsoft Purview Data Loss Prevention (DLP) policy to define sensitive information in your organization and to receive insider risk alerts for High Severity DLP policy alerts. For step-by-step guidance to configure DLP policies, see the Create and Deploy data loss prevention policies article.
- For the Security policy violation template, enable Microsoft Defender for Endpoint for Insider Risk Management integration in the Defender Security Center to import security violation alerts. For step-by-step guidance to enable Defender for Endpoint integration with Insider Risk Management, see Configure advanced features in Microsoft Defender for Endpoint.
- For the Risky user template, configure a Microsoft 365 HR connector to periodically import performance or demotion status information for users in your organization. For step-by-step guidance to configure the Microsoft 365 HR connector, see the Import data with the HR connector article.
Test with a small group of users in a production environment
Before enabling this solution broadly in your production environment, consider testing the policies with a small set of production users so you can complete the necessary compliance, privacy, and legal reviews in your organization. Evaluating Insider Risk Management in a test environment requires that you generate simulated user actions and other signals to create alerts for triage and cases for processing. This approach might not be practical for many organizations, so we recommend that you test Insider Risk Management with a small group of users in a production environment.
Keep the anonymization feature in policy settings enabled during this testing so that user display names are pseudonymized in the Insider Risk Management console. This setting helps protect the privacy of users who have policy matches and can help promote objectivity in data investigation and analysis reviews for insider risk alerts.
If you don't see any alerts immediately after configuring an Insider Risk Management policy, it might mean the minimum risk threshold isn't met yet. Check the Users page to verify that the policy is triggered and working as expected and to see if users are in-scope for the policy.
Migrating between Microsoft 365 US Government Cloud and the commercial cloud
If you migrate your organization from the Microsoft 365 US Government Cloud to the worldwide commercial cloud or from the worldwide commercial cloud to the Government Cloud, active cases and alerts don't migrate. Close any alerts and cases before starting the migration.
Resources for stakeholders
Share Insider Risk Management documentation with the stakeholders in your organization who are included in your management and remediation workflow:
- Create and manage insider risk policies
- Investigate insider risk activities
- Take action on insider risk cases
- Review case data with the insider risk Content explorer
- Create insider risk notice templates
Ready to get started?
Ready to configure Insider Risk Management for your organization? We recommend that you review the following articles:
- Get started with Insider Risk Management settings to configure global policy settings.
- Get started with Insider Risk Management to configure prerequisites, create policies, and start receiving alerts.
- Get started with Insider Risk Management forensic evidence for step-by-step guidance to configure forensic evidence capturing in your organization.