How Microsoft Purview Facilitates Regulatory Compliance for Semiconductor Manufacturing Industry  - Netwoven


By Manish Athavale  |  Published on October 26, 2023


Introduction

The semiconductor manufacturing industry is the backbone of the digital global economy. In most cases, the data generated in this industry is highly sensitive and, if obtained by competitors or bad actors, including adversary nations, can gravely damage the company's reputation and its investments in innovation.

In addition to the economic impact, data breaches in the semiconductor manufacturing industry could also have national security implications. This is because semiconductors are used in many critical infrastructure systems, such as telecommunications, transportation, and power grids.  

As per latest report:

In 2022, the CHIPS Act was put in place to ensure the United States has secure and reliable access to a supply of semiconductors. To comply with the CHIPS Act and other data security regulations, semiconductor manufacturing companies need to take several steps, including:

  • Implementing strong access controls to protect sensitive data.
  • Using encryption to protect data in transit and at rest. 
  • Conducting regular security assessments. 
  • Training employees on data security best practices. 

We worked on a project to assess the sensitive content shared by several applications, identify risks, define policies and procedures, and implement a solution to mitigate the risks. The focus of the discussion today is to show how such a project may be undertaken and how a step-by-step approach can be followed to yield comprehensive results.



What are the steps for implementing a sensitive data compliance project?

The goal was to identify and classify sensitive information across the organization and to ensure that data shared internally and externally was secure at rest as well as in transit.

1. Risk Assessment

The first step was to identify the sensitive data that is generated and used in the semiconductor manufacturing process. The data targeted for the assessment was related to drawings and specification documents created by the engineering department. The data repositories were identified, and the data storage and security processes were documented.

2. Policies and procedures

Once the sensitive data was identified, Netwoven worked with the client to develop policies and procedures for protecting the drawings and specification documents. The policies and procedures addressed the classification, security, storage, backup, and encryption of data assets. Some of the policies we developed were limiting access to sensitive data to the application accounts only, applying encryption to documents at rest and in motion, providing encrypted documents to external and internal users, and retracting access to documents as needed. Some of the procedures we developed covered onboarding external users, content marking of sensitive documents, RBAC on sensitive documents, and training requirements for employees and external users who handle sensitive documents.

3. Implementation

Netwoven built the solution to protect the drawings and specification documents shared from 10 different applications with internal and external users. Following the newly defined procedures, Netwoven built automation that protects documents based on the metadata (e.g., file type, sensitivity classification, visibility level) provided by the source systems. Protecting the sensitive data for external users (suppliers and customers) was a challenge that required Netwoven to build a tiered application to manage access controls for the external parties.

4. Training

Netwoven built training material to train client employees on the data compliance policies and procedures. This training covered the importance of data security, the risks of data breaches, and the consequences of non-compliance. Netwoven also built a self-help portal that documents FAQs, hosts short how-to videos on particular topics, and stores training documents for easy access.

5. Monitoring

Netwoven built several reporting solutions to collect and refine the compliance log data gathered by the tools and to build dashboards from it. Some of the reports we developed show document encryption progress, document access, vulnerability assessments, and security incidents.

What are the tools and technologies used?

The solution was built using Microsoft Purview compliance tools, including sensitivity labels and encryption; Azure file shares and SharePoint libraries to store sensitive data; Azure Synapse Analytics to move and run workflows on the content released by source systems; and Azure Functions to properly secure the Microsoft Purview application.

Conclusion

The aim of this article was to share our experience and the methodology we followed for a successful data protection and compliance project implemented in a semiconductor manufacturing environment. The nuances lie in correctly identifying and classifying sensitive data to start with. One needs to be particularly mindful of choosing a labeling scheme, policies, and procedures that are usable without disrupting the business processes at work. The other aspects of adoption, governance, compliance, and reporting need to be in place hand in hand. Comprehensiveness is the key, and I hope the discussion helps.

By Manish Athavale

Manish is a Senior Engagement Manager in the Cloud Infrastructure and Security Practice specializing in the Microsoft Purview product suite. He brings extensive experience to Netwoven in Business Analysis, Solution Architecture and Project Management. He has led mid to large sized projects implementing several Microsoft solutions, custom applications and migrations from on-premise SharePoint to Microsoft 365, Jive to Microsoft 365 and Tenant to Tenant migrations. Prior to joining Netwoven, Manish worked as a Senior Architect at AEP Inc., responsible for delivering the migration of SharePoint on-premise to Microsoft 365 and converting 100s of workflows and forms to Power Platform solutions. Prior to AEP, Manish worked in several large organizations in the Banking, Insurance, Healthcare, Government and Automotive verticals. Manish holds a Master of Science in Mathematics from University of New Orleans and a Bachelor of Engineering from College of Engineering, Aurangabad. In his spare time Manish likes to play Tennis, Golf, watch New Orleans Saints football and travel with family.
