Understanding Data loss prevention


In this tutorial, we will learn and understand the concept of Data loss prevention.

Data loss prevention capabilities were recently added to Microsoft Teams chat and channel messages for users licensed for Office 365 Advanced Compliance, which is available as a standalone option and is included in Office 365 E5 and Microsoft 365 E5 Compliance.

Create and manage DLP policies

You create and manage DLP policies on the Data loss prevention page in the Microsoft 365 Compliance center. A rule expresses a single protection requirement; a DLP policy groups related rules together, for example all of the rules needed to comply with a specific regulation.

If you include specific distribution groups in the Exchange location, the DLP policy is scoped only to the members of those groups; excluding a distribution group excludes all of its members from policy evaluation. You can scope a policy to the members of distribution lists, dynamic distribution groups, and security groups. A DLP policy can contain no more than 50 such inclusions and exclusions combined.
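The scoping described above, as an added example that is not part of the original tutorial or Microsoft's documentation: it creates a policy in test mode with Security & Compliance PowerShell, limits the Exchange location to the senders in one distribution group, excludes a second group, and checks the 50-entry cap before calling the cmdlet. The policy name and both group addresses are hypothetical; the cmdlets and parameters are the real ones from the ExchangeOnlineManagement module.

```powershell
# Added example (not from the page or Microsoft's docs): create a DLP policy in
# test mode whose Exchange scope is limited to one distribution group, with a
# second group excluded. Policy name and group addresses are hypothetical.
# Requires the ExchangeOnlineManagement module and a compliance admin role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell session

$policyName = 'Contoso-PII-Pilot'                  # hypothetical policy name
$include    = @('Finance-Team@contoso.com')        # hypothetical distribution group to scope to
$exclude    = @('Finance-Auditors@contoso.com')    # hypothetical group to exclude

# Guard against the documented cap of 50 group inclusions + exclusions per policy.
if (($include.Count + $exclude.Count) -gt 50) {
    throw 'A DLP policy supports at most 50 group inclusions and exclusions combined.'
}

# ExchangeLocation stays "All"; the sender-membership parameters narrow it to the
# members of $include and carve out the members of $exclude.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Pilot: SSN detection, scoped to Finance senders' `
    -ExchangeLocation All `
    -ExchangeSenderMemberOf $include `
    -ExchangeSenderMemberOfException $exclude `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications   # simulate first; switch to Enable after reviewing matches

# Read the policy back so the scope is confirmed before any rules are attached.
Get-DlpCompliancePolicy -Identity $policyName |
    Select-Object Name, Mode, ExchangeLocation, ExchangeSenderMemberOf, ExchangeSenderMemberOfException
```

Starting in TestWithNotifications mode lets you review what the policy would have matched (and who would have been scoped in) before any content is blocked; the same policy is later switched to Enable with Set-DlpCompliancePolicy.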

Rules

Rules are what enforce your business requirements on your organization’s content. A policy contains one or more rules, and each rule consists of conditions and actions: when a rule’s conditions are met, its actions are taken automatically. Rules are evaluated sequentially, starting with the highest-priority rule in each policy. A rule can also notify users (with policy tips and email notifications) and admins (with email incident reports) that content has matched it.

Here are the components of a rule, each explained below.

(Figure: Sections of the DLP rule editor. Image source: Microsoft.)
Conditions

Conditions focus on the content:

  • Firstly, what types of sensitive information you’re looking for.
  • Secondly, who the document is shared with.

You can use conditions to assign different actions to different risk levels. For example, sensitive content shared internally might be lower risk and require fewer actions than sensitive content shared with people outside the organization.

The conditions currently available can determine whether:

  • Firstly, content contains a type of sensitive information.
  • Secondly, content contains a label.
  • Lastly, content is shared with people outside or inside your organization.
Actions

When content matches the conditions of a rule, you can apply actions to protect the content automatically. With the actions currently available, you can:

  • Restrict access to the content. Depending on your need, you can restrict access in three ways:
    • Firstly, restrict access to the content for everyone.
    • Secondly, restrict access to the content for people outside the organization.
    • Lastly, restrict access for “Anyone with the link.”

For site content, this means that permissions on the document are restricted for everyone except the primary site collection administrator, the document owner, and the person who last modified the document. These people can remove the sensitive information from the document or take other remedial action. When the document is back in compliance, the original permissions are automatically restored. While access to a document is blocked, the document appears with a special policy tip icon in the library on the site.

User notifications and user overrides

You can use notifications and overrides to educate your users about DLP policies and help them remain compliant without blocking their work. For example, if a user tries to share a document containing sensitive information, a DLP policy can both send them an email notification and show them a policy tip in the context of the document library that allows them to override the policy if they have a business justification.

In addition to sending an email notification, a user notification displays a policy tip:

  • Firstly, in Outlook and Outlook on the web.
  • Secondly, for the document on a SharePoint Online or OneDrive for Business site.
  • Lastly, in Excel, PowerPoint, and Word, when the document is stored on a site included in a DLP policy.
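The conditions, actions, and user notifications described in the three sections above, combined in one added example (not from the original tutorial or Microsoft's documentation): two rules in a single policy apply different actions to different risk levels. Sharing an SSN outside the organization is blocked, shows a policy tip with a justification override, and emails an incident report; sharing it internally only shows a policy tip. The policy name, rule names, and incident mailbox are hypothetical; the cmdlets, parameter names, and the sensitive information type name are Microsoft's.

```powershell
# Added example (not from the page or Microsoft's docs): risk-tiered DLP rules.
# Policy name, rule names and the incident mailbox are hypothetical.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = 'Contoso-SSN-Protection'       # hypothetical policy name
$adminMail  = 'dlp-incidents@contoso.com'    # hypothetical incident-report mailbox

New-DlpCompliancePolicy -Name $policyName -ExchangeLocation All `
    -SharePointLocation All -OneDriveLocation All -Mode TestWithNotifications

# Condition: at least one U.S. SSN at high confidence. minCount is the match
# threshold; minConfidence is the classifier confidence the detection must reach.
$ssn = @(@{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1'; minConfidence = '85' })

# Higher-risk rule first: Priority 0 is evaluated before Priority 1.
# BlockAccessScope All is the "restrict access for everyone" option; only the
# owner, last modifier and site collection admin keep access to site content.
New-DlpComplianceRule -Name 'SSN shared externally' -Policy $policyName `
    -Priority 0 `
    -ContentContainsSensitiveInformation $ssn `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser 'LastModifier', 'Owner' `
    -NotifyPolicyTipCustomText 'This item contains a Social Security Number and cannot be shared outside Contoso.' `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport $adminMail `
    -IncidentReportContent 'Title', 'DocumentAuthor', 'Detections', 'Severity' `
    -ReportSeverityLevel High

# Lower-risk rule: internal sharing is educated with a policy tip, not blocked.
New-DlpComplianceRule -Name 'SSN shared internally' -Policy $policyName `
    -Priority 1 `
    -ContentContainsSensitiveInformation $ssn `
    -AccessScope InOrganization `
    -NotifyUser 'LastModifier' `
    -NotifyPolicyTipCustomText 'This item contains a Social Security Number. Share it only with people who need it.'

# Confirm the evaluation order and actions that were stored.
Get-DlpComplianceRule -Policy $policyName | Sort-Object Priority |
    Select-Object Name, Priority, AccessScope, BlockAccess, NotifyAllowOverride
```

The override is deliberately WithJustification rather than WithoutJustification, so every override is recorded with a reason that shows up in the incident report; switch the policy to Enable only after the test-mode reports confirm the external rule is not firing on legitimate workflows.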

Grouping and logical operators

Often your DLP policy has a straightforward requirement, such as to identify all content that contains a U.S. Social Security Number. In other scenarios, your DLP policy might need to identify more loosely defined data. For example, to identify content subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA), you need to look for:

  • Firstly, content that contains specific types of sensitive information, such as a U.S. Social Security Number or Drug Enforcement Agency (DEA) Number.
    • AND
  • Secondly, content that’s more difficult to identify, such as communications about a patient’s care or descriptions of medical services provided. Identifying this content requires matching keywords from very large keyword lists, such as the International Classification of Diseases (ICD-9-CM or ICD-10-CM).
Choosing the operator between groups

Between groups, you can choose whether the conditions in just one group or in all of the groups must be satisfied for the content to match the rule.

For example, the built-in U.S. HIPAA policy has a rule that uses an AND operator between the groups so that it identifies content that contains:

  • Firstly, from the group PII Identifiers (at least one SSN number OR DEA number)
    • AND
  • Secondly, from the group Medical Terms (at least one ICD-9-CM keyword OR ICD-10-CM keyword)
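The grouped condition described above, as an added example that is not part of the original tutorial or Microsoft's documentation: a rule whose condition has two groups joined by AND, with OR between the sensitive information types inside each group, mirroring the structure of the built-in U.S. HIPAA rule. The policy and rule names are hypothetical; the sensitive information type names are the built-in ones.

```powershell
# Added example (not from the page or Microsoft's docs): condition groups with
# AND between groups and OR within each group. Policy/rule names are hypothetical.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = 'Contoso-HIPAA-Custom'   # hypothetical policy name
New-DlpCompliancePolicy -Name $policyName -ExchangeLocation All `
    -SharePointLocation All -OneDriveLocation All -Mode TestWithoutNotifications

# Top-level operator AND: content must satisfy BOTH groups.
# Inside each group, operator OR: any one of the listed types is enough.
$hipaaCondition = @{
    operator = 'And'
    groups   = @(
        @{
            name           = 'PII Identifiers'
            operator       = 'Or'
            sensitivetypes = @(
                @{ name = 'U.S. Social Security Number (SSN)';  minCount = '1' },
                @{ name = 'Drug Enforcement Agency (DEA) Number'; minCount = '1' }
            )
        },
        @{
            name           = 'Medical Terms'
            operator       = 'Or'
            sensitivetypes = @(
                @{ name = 'International Classification of Diseases (ICD-9-CM)';  minCount = '1' },
                @{ name = 'International Classification of Diseases (ICD-10-CM)'; minCount = '1' }
            )
        }
    )
}

New-DlpComplianceRule -Name 'HIPAA: identifier AND medical term' -Policy $policyName `
    -ContentContainsSensitiveInformation $hipaaCondition `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser 'LastModifier' `
    -GenerateIncidentReport 'SiteAdmin' -ReportSeverityLevel High

# Read the stored condition back; the groups and operators should round-trip.
(Get-DlpComplianceRule -Identity 'HIPAA: identifier AND medical term').ContentContainsSensitiveInformation
```

With a single flat list of four types and no groups, a document containing only an SSN would match; the AND between groups is what ensures a match requires both an identifier and a medical term, which is the difference between "contains PII" and "contains protected health information".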

Using a retention label as a condition in a DLP policy

When you use a previously created and published retention label as a condition in a DLP policy, there are some things to be aware of:

  • Firstly, the retention label must be created and published before you attempt to use it as a condition in a DLP policy.
  • Secondly, published retention labels can take from one to seven days to sync.
  • Thirdly, using a retention label in a policy is supported only for items in SharePoint and OneDrive.

Reference: Microsoft Documentation
