I created an IRM Indicators Workbook that facilitates the planning, discussion, and approval of IRM Policies settings.

I extracted all predefined IRM Risk Indicators and grouped them by categories in separate sheets. On the first sheet, I created columns so that I can go over the settings with the stakeholders. We will fill them out first and then have everything approved and finalized. This way, we don't have to mess around directly in the portal when creating IRM policies.

Nobody should treat configuring policies directly in MS Purview as an ad hoc exercise, trying to configure things and asking what to do with each and every setting. You need to have all indicators planned out and vetted in advance, as each organization is different. The settings need to align with the organization's security policies and risk management strategy.

In tightly governed organizations that deal with sensitive or secure information, consultants may not have privileged access to make changes directly in the IRM Portal. In such cases, you can use this spreadsheet to submit configurations to the organization's admin for implementation of the IRM Policies.

By documenting all settings in one place, you can ensure that everyone is on the same page before making any changes in the IRM Portal. Additionally, it will eliminate the risk of configuration errors.

The indicators included in this spreadsheet are the predefined ones currently available in the IRM portal. Each indicator category is on its own sheet. The first sheet has several columns to capture essential information about your IRM indicators.

Here’s a breakdown of the columns:

• Used?: Indicates whether the indicator is currently in use.

• Severity Alert (Low, Medium, High): Defines the severity level of the alert triggered by the indicator.

• Included (Users, Groups): Specifies the users or groups included in the policy.

• Excluded (Users, Groups): Specifies the users or groups excluded from the policy.

• Adaptive Scopes: Details any adaptive scopes applied to the policy.

• Content Prioritization: Includes fields for SharePoint, Sensitivity Labels, Sensitive Info Types, File extensions, Trainable classifiers.

• Thresholds: Captures various thresholds, including the total number of activities, activities containing sensitive information types (SIT), priority content matches, and activities targeting unallowed domains.
  

You can add more columns to the spreadsheet as needed to capture additional information or to align with your specific organizational requirements. Check back soon, as I might reorganize it.

Regularly review and update the spreadsheet to reflect any changes in your risk management strategy or organizational structure. Make sure that this spreadsheet is part of your governance strategy. Things like Severity Alerts and Thresholds might require a lot of tweaking to strike the right balance, especially in the beginning. Always make sure that this file, or any other format that you use for documenting settings, is always up to date and that all modifications are reflected in this document first, and only then in the tenant.

Another advantage of this document is that stakeholders do not have to poke around the IRM portal and peruse the policies. They can just easily reference the workbook instead.

Note: Keep in mind that at the moment, some indicators are still in Preview.