In this chapter, we’ll continue to explore configuring Information Protection within Microsoft 365. There will be an exercise that will require access to Microsoft 365 with Global Administrator rights. If you have followed the exercises from the previous chapter, you should now have the relevant trial licenses; however, if you have not yet created these for Microsoft 365, please follow the instructions from Chapter 1, Preparing for Your Microsoft Exam and SC-400 Exam Objectives.
Managing and responding to DLP policy violations
When a DLP policy alerts an admin that a policy violation has occurred, that alert can mean several things. It does not always mean that data loss has occurred or has been prevented. You are alerted because a policy match was observed; the policy itself does not consider why the user was trying to share the protected data. Escalating a violation to the organization’s security team is one reactive step you can take, and you would then work with them and the key stakeholders to investigate the issue.
A good example is an organization that protects highly sensitive information (financial data is a common case) and wants to stop any sharing of client data with third parties. At the end of the month, you receive several alerts that the policy covering this data has been violated. When you look at the reports, you see a high volume of emails from one department within the organization that contain customer-specific information (in our example, let’s assume it is billing information). The policy does not take context into account; it simply reacts to the match. This is where the compliance administrator comes in, as it is their job to assess and appraise policy violations and decide how to proceed. In this scenario, we have to accept that at the latter part of the month, alerts will be triggered because the policy is correctly recognizing protected data and notifying you about it.
DLP reports can assist admins in recognizing users who have a high number of matches. There are a number of reasons a user may match; however, as a compliance admin, it is your job to assess whether those incident matches require further investigation.
You can also use reports to let users help you improve DLP policies. You will find a report called DLP False reports and overrides report. In the scenario in which you allow users to override a policy by providing a relevant justification, you not only make them accountable for choosing to override, but you also gain the ability to investigate the reason and recognize business processes that justify a change to the existing policy.
We will now do a lab exercise in which we need to amend the U.K. Financial Data DLP policy to exclude instances where your finance data matches the custom sensitive information type for UK driving licenses.
Implementing DLP rule exclusion
The following exercise will amend the U.K. Financial Data DLP policy:
1. From within the Microsoft 365 compliance center, navigate to the Policies page | Data and then select Data loss prevention:
Figure 9.1 – Navigating to the Data loss prevention menu
2. Click on the Policies tab and check the U.K. Financial Data policy. Select the edit button:
Figure 9.2 – Editing a policy
3. Click on Next until you arrive at the Customize advanced DLP rules page. Click on the edit button next to High volume of content detected U.K. Financial Data:
Figure 9.3 – Editing customized advanced DLP rules
4. Navigate to Exceptions and then click Add exception:
Figure 9.4 – Add exception
5. Click on Except if content contains from the drop-down menu:
Figure 9.5 – Except if content contains
6. Click on Add and choose Sensitive info types:
Figure 9.6 – Selecting Sensitive info types
7. A pop-up window will appear. Click the U.K. Driver’s License Number type and click on Add:
Figure 9.7 – U.K. Driver’s License Number type
8. Click on Save.
9. Click on Next until you get to the review page, and then click on Submit.
This type of implementation will lower the number of false positives of the policy as it will not apply when it recognizes UK driver’s licenses within any shared content.
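The same exception can be applied from Security & Compliance PowerShell instead of the compliance center UI. The script below is an added example and is not taken from the book; it assumes the ExchangeOnlineManagement module is installed, that the account used can edit DLP policies, that the policy and rule names match those used in the exercise above, and that the sign-in address (admin@contoso.example) is a placeholder you replace with your own.

```powershell
# Added example, not from the book: apply the U.K. Driver's License Number
# exception to the "High volume of content detected U.K. Financial Data" rule
# using Security & Compliance PowerShell.
Import-Module ExchangeOnlineManagement

# Placeholder sign-in address; replace with a Global Administrator or
# Compliance Administrator account in your tenant.
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"

$ruleName = "High volume of content detected U.K. Financial Data"

# The sensitive info type that should suppress the rule when it is present.
# minCount = "1" means a single match is enough for the exception to apply.
$exceptionSits = @(
    @{ Name = "U.K. Driver's License Number"; minCount = "1" }
)

# Review the rule before changing it so the existing conditions and any
# existing exceptions are known.
$rule = Get-DlpComplianceRule -Identity $ruleName
$rule | Select-Object Name, Policy,
    ContentContainsSensitiveInformation,
    ExceptIfContentContainsSensitiveInformation | Format-List

# Assumption to verify on your tenant: Set-DlpComplianceRule replaces the
# whole value of the parameter it is given, so any exceptions of this kind
# that already exist on the rule should be included in $exceptionSits rather
# than expected to be appended.
Set-DlpComplianceRule -Identity $ruleName `
    -ExceptIfContentContainsSensitiveInformation $exceptionSits

# Confirm that the exception is now present on the rule.
(Get-DlpComplianceRule -Identity $ruleName).ExceptIfContentContainsSensitiveInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Reading the rule back before and after the change gives you a record of what the exception list looked like, which is useful when you later need to explain why a particular match stopped generating alerts.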
In this section, we have looked at how to manage and respond to DLP policy violations. In the next section of this chapter, we will look at reviewing and analyzing DLP reports.