
IRM (Insider risk management)

Teamware Solutions
Full Time | mid
Bengaluru, Karnataka, IN | Posted April 27, 2026

Job Description

We are hiring for IRM (Insider Risk Management).

Experience: 5-10 years

Location: Bengaluru, Gurgaon, Noida, Hyderabad, Pune

Notice Period: Immediate to 15 Days

Required Skills & Experience

  • Expert-level knowledge of Microsoft Purview, specifically the Insider Risk Management (IRM) module.
  • Proven, hands-on experience designing, configuring, and implementing custom IRM policies in a production environment.
  • Demonstrable experience in a client-facing or consulting role, with strong stakeholder management and communication skills.
  • Strong analytical skills for alert triage, root cause analysis of non-actionable alerts, and false positive reduction.
  • Experience creating comprehensive technical documentation, such as remediation playbooks, requirements documents, and strategic reports.

Preferred Skills & Experience

  • Relevant Microsoft certifications (e.g., SC-400: Microsoft Information Protection Administrator, MS-500: Microsoft 365 Security Administration).
  • Specific experience configuring and evaluating data from the Microsoft Purview HR connector.
  • Experience implementing and tuning Adaptive Protection in Microsoft Purview.
  • 5+ years of experience in cybersecurity, with at least 2 years focused on Microsoft 365 security and compliance solutions.

Scope of Work:

1 Approach and Deliverables

workstreams .

Workstream 1: Review and Design

Description:

Support Strategic Design and Advanced Risk Prioritization for Microsoft Purview Insider Risk Management by performing the following activities:

  • Conduct in-depth design sessions with Ford stakeholders to develop detailed business requirements for three (3) advanced IRM use cases focusing on sophisticated data theft and exfiltration patterns.
  • Architect the technical specifications for three (3) custom IRM policies, detailing:
    a. The sequencing of non-standard indicators and context-aware detection logic within the Microsoft Purview portal.
    b. Triggering events, alert thresholds, and the timeline for monitoring.
  • Analyze and document the advanced technical configurations required for the solution, including:
    a. Evaluating data fidelity from the HR connector for custom departing-user scenarios.
    b. Architecting permissions for segregated duties.
  • Lead up to two (2) detailed review sessions to quantify and help Ford prioritize data handling risks, and construct a custom, strategic implementation roadmap based on business impact.

Deliverables:

  • Scoping and Requirements Document (D01)
  • Policy and Use Case Summary (D02)

Workstream 2: Implementation & Remediation

Description:

Assist Ford's team with the technical implementation and configuration of the three IRM policies within the production tenant by carrying out the following activities:

  • Perform technical configuration of the three (3) custom IRM policies directly within the Microsoft Purview compliance portal, including applying adaptive protection levels.
  • Develop and deliver a detailed, actionable remediation playbook that provides:
    a. Step-by-step investigation procedures for analysts.
    b. Triage criteria for incoming alerts.
    c. Escalation paths specifically tailored to Ford's incident response framework.
  • Execute hands-on validation testing by simulating complex user activity scenarios, to be agreed with Ford, to confirm that related policies trigger as architected and that alert data is captured.

Deliverables:

  • A final configuration summary document (D03), which details the review of the live policy settings to confirm the implementation aligns with the custom design from Milestone 1.
  • IRM Remediation Playbook (D04)

Workstream 3: Alert Analysis & Final Reporting

Description:

  • Execute up to two (2) dedicated, one-week alert analysis cycles where KPMG analysts will actively triage, investigate, and categorize Insider Risk Management (IRM) alerts generated by the live IRM policies.
  • Conduct an analysis of alert data to identify patterns and assess the rate of false positives, which includes:
    a. Reviewing user activity timelines and correlating alerts with business activities.
    b. Documenting the root cause of non-actionable alerts.
  • Provide specific, actionable recommendations for policy tuning and refinement, such as:
    a. Adjusting indicator thresholds or user scope.
    b. Modifying file type exclusions to improve alert fidelity.
  • Prepare and deliver a final summary report detailing the pilot's outcomes/observations regarding the overall effectiveness of the policies as observed, and provide a recommended strategic roadmap for future expansion of the program.

Deliverables:

  • Summary of Policies Implemented in Production Tenant (D05)

Deliverables Definition

Each deliverable is listed with its acceptance criteria.

1) Scoping and Requirements Document (D01)

  • A document detailing the business requirements for three (3) advanced Insider Risk Management use cases.
  • Includes a custom, strategic implementation roadmap with recommended prioritization by business impact.

2) Policy and Use Case Summary (D02)

  • A summary that architects the technical specifications for three (3) custom IRM policies, as agreed with Client.
  • Details the sequencing of indicators, triggering events, alert thresholds, and required technical configurations.

3) Final Configuration Summary (D03)

  • A document that reviews and confirms the live policy settings in the production environment align with the custom design from Workstream 1.

4) IRM Remediation Playbook (D04)

  • An actionable playbook providing step-by-step investigation procedures, alert triage criteria, and escalation paths tailored to the organization's incident response framework.
