Audit-proof files in Sharepoint

Anonymous
2021-09-17T11:49:25+00:00

Hi guys,

we have a special case for a client where i could need your inputs.

Our client uses sharepoint online and for some files (defined folder / defined files) he needs the following:

  • 30 years retention
  • audit-proof
  • unchangeable / undeletable
  • Ideally: Digitally signed

I know we could achieve this through the records center or through the Compliance Center etc.

But what is best practice? How would you approach that? Any experience?

What licenses would be needed?

Many thanks!

Microsoft 365 and Office | SharePoint | For business | Windows

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

0 comments No comments

5 answers

Sort by: Most helpful
  1. Anonymous
    2021-09-21T07:59:24+00:00

    Thank you. What i've mean is that the files are proven to be unchangeable/undeletable so that it fullfills governmental requirements for "audit-proof" data. But maybe this is a question you can't answer :-)

    Was this answer helpful?

    0 comments No comments
  2. Anonymous
    2021-09-21T07:51:53+00:00

    Hi Andre,

    Yes, you can use policy to achieve your requirement.

    I am not sure whether "Audit-proof" means the activities can be searched in the audit log? If yes, then Data loss prevention (DLP) supports auditing. Once a policy was applied, only admin has permission to delete it. Manage data loss prevention (DLP) policies - Power Platform | Microsoft Docs

    You can check this article: Search the audit log in the Microsoft 365 compliance center - Microsoft 365 Compliance | Microsoft Docs for more detailed information.

    Best Regards,

    Ivy

    Was this answer helpful?

    0 comments No comments
  3. Anonymous
    2021-09-20T06:51:25+00:00

    Hi Ivy,

    many thanks for your detailed information. So i understand that i can achieve 30 years retention with a policy. But is this considered audit-proof?

    About the DLP - how will that specifically protect the data, and is it possible to a.e apply this DLP to a specific folder and all files in that folder?

    As i said this use case is about defined files in a folder that should be "Audit-proof" and "unchangeable/undeletable" saved for 30 years.

    Many thanks
    Andre

    Was this answer helpful?

    0 comments No comments
  4. Anonymous
    2021-09-19T12:01:16+00:00

    Hello HoffCM,

    Please let me know if you need any further assistance.

    Thanks,

    Ivy

    Was this answer helpful?

    0 comments No comments
  5. Anonymous
    2021-09-17T15:34:36+00:00

    Hi HoffCM,

    Thanks for your efforts on our products. 

    I would like to recommend retention policies and retention labels for you in Microsoft 365. 

    With these two retention actions, you can configure retention settings for the following outcomes:

    • Retain-only: Retain content forever or for a specified period of time.
    • Delete-only: Permanently delete content after a specified period of time.
    • Retain and then delete: Retain the content for a specified period of time and then permanently delete it.

    Once you create a label and published it, we will be able to see this label on the SharePoint site and you can choose to apply this label. You can also mark the items as a record so that only admins for the container can manually change or remove retention labels that mark items as a record. 

    However, about the other requirements, I am sorry to convey that I didn't find a way to use the digital signature in policy, however, you may check the Data Loss Preservation policy (DLP) to achieve your requirement. 

    In Microsoft 365, you implement data loss prevention by defining and applying DLP policies. With a DLP policy, you can identify, monitor, and automatically protect sensitive items across:

    • Microsoft 365 services such as Teams, Exchange, SharePoint, and OneDrive
    • Office applications such as Word, Excel, and PowerPoint
    • Windows 10 endpoints
    • non-Microsoft cloud apps
    • on-premises file shares and on-premises SharePoint.

    You can select the specific file type in a specific SharePoint site to apply to this policy. DLP can detect certain keywords to the matching patterns. For example, a VISA credit card number has 16 digits. All DLP monitored activities are recorded to the Microsoft 365 Audit log by default and routed to Activity explorer.  

    Here is the related article for you:

    Learn about data loss prevention - Microsoft 365 Compliance | Microsoft Docs

    Create, test, and tune a DLP policy - Microsoft 365 Compliance | Microsoft Docs

    Hope it could help.

    Best Regards,

    Ivy

    Was this answer helpful?

    0 comments No comments