3.1.3. Insider Risk Management and Communication Compliance
💡 First Principle: Insider Risk Management detects patterns of risky user behavior: not individual violations, but sequences of actions that together suggest a data security risk. Communication Compliance detects violations in what people say. Both tools identify risk that DLP alone can't catch.
DLP catches a specific action: a file being shared. But what about the user who, over two weeks, downloads 500 files, creates a new personal email account, and then resigns? No single action triggers DLP, but the pattern is a serious exfiltration risk. Insider Risk Management surfaces these patterns.
Insider Risk Management (IRM):
- Monitors signals like bulk file downloads, USB transfers, access to sensitive files, printing, browser uploads
- Combines signals into risk scores for users
- Creates alerts when a user's risk score exceeds a threshold
- Requires sensitive handling: access is limited to specific roles, and investigation findings are pseudonymized until explicitly deanonymized
Policies you can create in IRM:
| Policy Template | Scenario |
|---|---|
| Data theft by departing users | User is tagged as "leaving" in HR system; IRM watches for data exfiltration |
| General data leaks | Broad monitoring for unusual data movement across all users |
| Security policy violations | Disabling antivirus, installing unapproved software, accessing the dark web |
| Patient data misuse | Healthcare-specific: accessing records of patients not in their care |
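To make the difference between a single-action DLP rule and IRM's windowed, weighted risk score concrete, here is an added illustration (not Purview's own scoring logic, which Microsoft does not publish). The signal weights, the 14-day window, the threshold and the sample activity records are all constructed assumptions; the point is that no single event is large enough to trip a per-action rule, yet the accumulated pattern, combined with the HR "departing user" indicator, does cross the alert threshold, and that alerts surface a pseudonym until someone with the right role deanonymizes it.

```python
from collections import defaultdict
import hashlib

# Constructed sample signals, not real audit data: (user, day, activity, item count)
EVENTS = [
    ("alice", 1, "file_download", 120),
    ("alice", 3, "file_download", 200),
    ("alice", 5, "file_download", 180),
    ("alice", 8, "browser_upload", 15),
    ("alice", 12, "usb_transfer", 40),
    ("alice", 40, "usb_transfer", 100),  # outside the 14-day window, so ignored
    ("bob", 2, "file_download", 30),
    ("bob", 9, "print", 5),
]

# Assumed per-signal weights: each is modest alone; they matter when they add up.
WEIGHTS = {"file_download": 0.1, "browser_upload": 2.0, "usb_transfer": 1.5, "print": 0.5}
LEAVING_MULTIPLIER = 1.5   # HR "leaving" tag (departing-users template) raises the score
WINDOW_DAYS = 14
ALERT_THRESHOLD = 150      # assumed threshold at which an alert is raised for review


def pseudonym(user: str) -> str:
    """Stable pseudonym shown to investigators until explicitly deanonymized."""
    return "User-" + hashlib.sha256(user.encode()).hexdigest()[:8]


def dlp_single_action_triggers(events, limit=500):
    """DLP-style rule: judges one action at a time, fires only if one event is huge."""
    return [pseudonym(u) for (u, _, _, n) in events if n >= limit]


def irm_risk_scores(events, leaving_users=frozenset(), window_days=WINDOW_DAYS):
    """IRM-style scoring: weighted signals summed per user over a window, then HR context."""
    scores = defaultdict(float)
    for user, day, activity, count in events:
        if day <= window_days:
            scores[user] += WEIGHTS.get(activity, 0.0) * count
    for user in scores:
        if user in leaving_users:
            scores[user] *= LEAVING_MULTIPLIER
    return {pseudonym(u): round(s, 2) for u, s in scores.items()}


def irm_alerts(events, leaving_users=frozenset(), threshold=ALERT_THRESHOLD):
    """Alerts flag a user for human investigation; nothing here blocks an action."""
    scores = irm_risk_scores(events, leaving_users)
    return sorted(p for p, s in scores.items() if s >= threshold)
```

Run `irm_alerts(EVENTS)` with and without `leaving_users={"alice"}` to see the same activity go from "below threshold" to "alert" once the HR context is applied, while `dlp_single_action_triggers(EVENTS)` never fires.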
Communication Compliance:
- Monitors email, Teams messages, and Viva Engage posts for policy violations
- Common policies: regulatory compliance (financial services, healthcare), workplace conduct (harassment, discrimination), sensitive data in communications
- Reviewers are assigned to investigate flagged communications
- Integrates with eDiscovery for legal holds
⚠️ Exam Trap: Insider Risk Management identifies patterns of behavior; it is not a real-time blocking tool like DLP. IRM flags risks for human investigation; it doesn't automatically prevent actions.
Reflection Question: A healthcare organization wants to automatically flag emails that contain offensive language for HR review. Which Purview tool is most appropriate, and what is the role of a "reviewer" in that workflow?