In my last blog post, I covered configuring some of the out-of-the-box data loss prevention policies that Microsoft’s Security & Compliance center offers. To meet the specific needs of your organization, however, you can create custom sensitive information types and DLP policies. In this guide, I will show you how to use Microsoft Office 365’s Security and Compliance center to categorize sensitive content with custom sensitive information types and create custom data loss prevention (DLP) policies.
First we’ll create a new sensitive info type. If the default options meet your needs, continue to section 2, where we’ll create a policy that uses these info types to classify your content.
Step 1:
Navigate to the O365 Security & Compliance center, open Sensitive information types under Classifications, create a new one, and give it a name and description.
Step 2:
Add a matching element, which is the sensitive info that this type will search for in content. The matching element is the first thing an info type looks for in content, followed by supporting elements if you choose to use them. Supporting elements are additional criteria that improve accuracy when identifying potentially sensitive content.
Options for matching and supporting elements:
The number of keywords you can add to a keyword list is limited, but you can describe a greater number of keywords/patterns with a regular expression or a keyword dictionary. I’m going to walk through creating a sensitive info type that uses a regular expression as a matching element and a keyword list as a supporting element to detect Social Security numbers.
Regex:
Keyword list:
Below I’ve broken down some of the additional parameters you can configure for improving the accuracy of the sensitive info type as seen in figure 1.1.
Minimum Count – Keyword List
Confidence Level
Character Proximity
Step 3:
Test the sensitive information type:
Take some time to test the info type. Here you can use documents that you know should be flagged for sensitive content to test and tune the info type’s criteria for the best results.
The results give you a better idea of what the sensitive information type is able to detect based on your criteria.
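Here is an added Python model of how the matching element, the supporting keyword list, character proximity, minimum count and confidence level interact when a sensitive info type is evaluated against a document. It is not Microsoft’s classification engine and not code from this post: the SSN regular expression, the keyword list, the confidence values (85 with supporting evidence, 65 without) and the sample documents are all constructed for the example, since the post’s own regex and keyword list appear only in screenshots.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Illustrative SSN pattern (constructed for this example). The negative lookaheads
# reject area 000/666/9xx, group 00 and serial 0000, which removes obvious
# placeholders such as 000-00-0000 that otherwise cause false positives.
SSN_REGEX = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")

# Supporting keyword list (constructed), compared case-insensitively.
SSN_KEYWORDS = ("social security", "ssn", "ss#", "soc sec")


@dataclass
class SensitiveInfoType:
    name: str
    matching: re.Pattern          # matching element (regular expression)
    keywords: tuple               # supporting element (keyword list)
    proximity: int = 300          # character proximity window around each match
    keyword_min_count: int = 1    # "Minimum Count" required from the keyword list
    high_confidence: int = 85     # assumed level when supporting evidence is present
    low_confidence: int = 65      # assumed level when only the matching element hit

    def scan(self, text: str) -> list[dict]:
        """Return one record per matching-element hit, with its confidence."""
        hits = []
        lowered = text.lower()
        for m in self.matching.finditer(text):
            # Supporting keywords only count if they sit within the proximity window.
            lo = max(0, m.start() - self.proximity)
            hi = min(len(text), m.end() + self.proximity)
            window = lowered[lo:hi]
            found = sum(window.count(k) for k in self.keywords)
            supported = found >= self.keyword_min_count
            hits.append({
                "value": m.group(0),
                "offset": m.start(),
                "supporting_keywords": found,
                "confidence": self.high_confidence if supported else self.low_confidence,
            })
        return hits


def classify(sit: SensitiveInfoType, text: str, min_count: int = 1,
             min_confidence: int = 65) -> bool:
    """Policy-side decision: are there enough hits at or above the required confidence?"""
    qualifying = [h for h in sit.scan(text) if h["confidence"] >= min_confidence]
    return len(qualifying) >= min_count


SSN_TYPE = SensitiveInfoType("Custom SSN", SSN_REGEX, SSN_KEYWORDS)

# Constructed sample documents for tuning the info type.
HR_FORM = ("Employee onboarding form. Social Security number: 123-45-6789. "
           "Start date 2022-03-01.")
PART_NUMBERS = "Order part 123-45-6789 and part 234-56-7890 from the supplier catalogue."
TEST_DATA = "Fixture record: SSN 000-00-0000 (placeholder)."

if __name__ == "__main__":
    for doc in (HR_FORM, PART_NUMBERS, TEST_DATA):
        print(doc)
        print("  hits:", SSN_TYPE.scan(doc))
        print("  flagged at confidence 85:", classify(SSN_TYPE, doc, min_confidence=85))
```

Running the three documents through the model shows why the tuning parameters matter: the HR form is flagged at high confidence because the keyword is near the number, the part-number list yields only low-confidence hits (so a policy requiring confidence 85 ignores it, while one accepting 65 with a minimum count of 2 would not), and the placeholder SSN is rejected by the pattern itself.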
We can create a data loss prevention policy to perform some actions when a sensitive content type has been identified. Navigate to the Security and Compliance center from the admin centers list in the O365 admin center. Expand Data loss prevention in the options on the left and click Policy > Create a policy.
Step 1:
Choose the information to protect.
By default, there are 3 categories that come with pre-built DLP templates; here we’ll choose the 4th option, Custom, to create our own.
Step 2:
Name your policy.
Since this is a custom policy, giving it a relatable name and description will help end users understand it.
Step 3:
Choose locations.
You can specify where this policy applies, and to whom it applies in each of the respective zones. Notice that you can include or exclude different principals depending on the zone. For example, you can exclude the security team from a policy that would be counter-productive to their daily operations.
Step 4.1:
Customize the type of content you want to protect.
This is where we can either leverage the custom sensitive information type we created earlier or use advanced settings to set up rules that offer more conditions and exceptions.
To simply leverage a custom info type, choose the first option in figure 2.4 and click edit to add the classification type (sensitive information type) like in figure 2.5.
Step 4.2:
Advanced options for specifying sensitive content criteria.
Choosing the second option (Use advanced settings in figure 2.4) will expose additional rules and settings after clicking next. The following sections describe each of the advanced options.
Conditions & Exceptions
You can protect (or exclude) content that matches any of the following conditions:
Note: The same options available as conditions are also available as exceptions, e.g. don’t apply this rule when content is sent via email to a specific domain.
Actions
Choose what you want to happen when this policy is triggered. You can block sharing, restrict access and/or encrypt content that’s been found to have sensitive content. Also, you can specify whether this policy affects everyone or just external users.
User Notifications
Use notifications to inform your users why the policy was triggered and recommend next steps. Here I’m recommending that they add a label to this document; you can also automatically notify specific people when this policy is triggered. Alternatively, you can create a label policy that will automatically label documents based on the sensitive information type detected.
Note: Notifications for Teams will be displayed in the chat client itself.
User Overrides
You can allow users to override the policy and optionally require a business justification. Consider the end user impact when making this decision because false positives are a frustrating reality.
Incident Reports
You can enable incident reports to automatically notify you via email whenever a policy match occurs. Configure a severity level for the policy which will be highlighted in the compliance dashboard as well as the emailed incident report.
As you create more policies, these additional options will become useful to streamline the flow of policies in your organization and avoid conflicts. Consider this situation:
Instead, we can create a rule that excludes members of the finance team. Enable the option below so that, if the user is a member of the finance team, no additional rules of the Financial DLP policy are processed.
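The rule ordering and stop-processing behaviour described above, as an added Python model of how a DLP policy evaluates its rules in priority order (this is not Microsoft’s implementation and not code from the post). The rule names, group names, action vocabulary and sample content are constructed for the example; the Financial DLP policy scenario is the one from the text.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Content:
    sender: str
    groups: frozenset            # groups the sender belongs to
    detected: dict               # {sensitive info type name: number of instances found}
    shared_externally: bool = False


@dataclass
class Rule:
    name: str
    priority: int                          # lower number is evaluated first
    sit: Optional[str] = None              # "content contains sensitive info" condition
    min_count: int = 1
    member_of: Optional[str] = None        # condition on the sender's group membership
    except_if_member_of: Optional[str] = None  # exception on group membership
    external_only: bool = False            # only when shared outside the organization
    action: str = "audit"                  # constructed vocabulary: audit | encrypt | block
    notify_user: bool = False
    allow_override: bool = False
    incident_severity: Optional[str] = None
    stop_processing: bool = False          # "don't process additional rules"

    def matches(self, c: Content) -> bool:
        if self.sit and c.detected.get(self.sit, 0) < self.min_count:
            return False
        if self.member_of and self.member_of not in c.groups:
            return False
        if self.except_if_member_of and self.except_if_member_of in c.groups:
            return False
        if self.external_only and not c.shared_externally:
            return False
        return True


def evaluate(rules, content):
    """Run rules in priority order; return the rules that fired and the effective action."""
    fired, action = [], "allow"
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(content):
            continue
        fired.append(rule.name)
        # Block wins over encrypt, which wins over audit-only rules.
        if rule.action == "block":
            action = "block"
        elif rule.action == "encrypt" and action != "block":
            action = "encrypt"
        if rule.stop_processing:
            break   # later rules of this policy are skipped
    return fired, action


# Constructed "Financial DLP policy": the exemption sits at the highest priority
# and stops processing, so the blocking rule below it never fires for finance staff.
FINANCIAL_POLICY = [
    Rule("Finance team exemption", priority=0, sit="Custom SSN", member_of="Finance",
         action="audit", stop_processing=True),
    Rule("Block external sharing of SSNs", priority=1, sit="Custom SSN",
         external_only=True, action="block", notify_user=True, incident_severity="high"),
    Rule("Tip on internal SSN sharing", priority=2, sit="Custom SSN",
         action="audit", notify_user=True, allow_override=True),
]

# Constructed sample content.
FINANCE_USER = Content("alice@example.com", frozenset({"Finance"}),
                       {"Custom SSN": 3}, shared_externally=True)
OTHER_USER = Content("bob@example.com", frozenset({"Sales"}),
                     {"Custom SSN": 3}, shared_externally=True)
INTERNAL = Content("bob@example.com", frozenset({"Sales"}), {"Custom SSN": 1})
CLEAN = Content("bob@example.com", frozenset({"Sales"}), {})

if __name__ == "__main__":
    for label, c in (("finance", FINANCE_USER), ("sales external", OTHER_USER),
                     ("sales internal", INTERNAL), ("clean", CLEAN)):
        print(label, evaluate(FINANCIAL_POLICY, c))
    # Without the exemption rule the finance user would be blocked.
    print("finance, no exemption", evaluate(FINANCIAL_POLICY[1:], FINANCE_USER))
```

Removing the exemption (`FINANCIAL_POLICY[1:]`) makes the finance user hit the block rule, which is exactly the counter-productive outcome the exemption-with-stop-processing rule avoids; ordering matters, because an exemption placed at a lower priority than the block rule would run after the damage is done.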
Every organization is different and must adhere to different types of compliance and regulations, creating a policy to address your use-cases is important. Leveraging these custom policy options can help prevent data leaks and help protect your sensitive data.
It’s important to note that setting up these policies can help with DLP compliance, but your organization still needs to be able to prove that it is compliant when audited. This means your organization needs to be able to audit, report and document how data is stored, accessed, and managed, which is best handled with a data access governance solution like StealthAUDIT for SharePoint.
Here’s an overview of what StealthAUDIT for SharePoint can do:
…and more
Chris studied Information Systems at Hofstra University before joining Stealthbits – now part of Netwrix where he took on the role as the Technical Product Manager of SharePoint, Dropbox, and Box solution sets. His focus is primarily on SharePoint security, but data security, in general, is a passion. Aside from technical interests, he enjoys the outdoors and hopes to one day start an animal rescue and rehabilitation center for injured, disabled, and orphaned animals.
© 2022 Stealthbits Technologies, Inc.
Succinct. Good job mate.