
Design a data loss prevention policy


Remember that, as described in the DLP policy configuration overview, all DLP policies require you to:

  • Choose the action to take when the policy conditions are met.
  • Choose what you want to monitor.
  • Choose the policy scoping.
  • Choose where you want to monitor.
  • Choose the conditions that must be matched for a policy to be applied to an item.

For example, here’s a fictitious first draft of an intent statement that provides answers to all five questions:

“We’re a U.S. based organization, and we need to detect Office documents that contain sensitive health care information covered by HIPAA that are stored in OneDrive/SharePoint and to protect against that information being shared in Teams chat and channel messages and restrict everyone from sharing them with unauthorized third parties”.

Map business needs to policy configuration

“We’re a U.S. based organization, and we need to detect Office documents that contain sensitive health care information covered by HIPAA…

  • What to monitor: Office docs, use the U.S. Health Insurance Act (HIPAA) template.
  • Conditions for a match (preconfigured but editable): item contains U.S. SSN and Drug Enforcement Agency (DEA) number, International Classification of Diseases (ICD-9-CM), International Classification of Diseases (ICD-10-CM); content is shared with people outside my organization.
  • This drives conversations to clarify the triggering threshold for detection, such as confidence levels and instance count (called leakage tolerance).

…that are stored in OneDrive/SharePoint and protect against that information being shared in Teams chat and channel messages…

  • Where to monitor: Location scoping by including or excluding OneDrive and SharePoint sites and Teams chat/channel accounts or distribution groups. Policy scoping (preview): Full directory.

…and restrict everyone from sharing those items with unauthorized third parties.”

  • Actions to take: You add Restrict access or encrypt the content in Microsoft 365 locations.
  • This drives conversation on what actions to take when a policy is triggered, including protective actions like sharing restrictions, awareness actions like notifications and alerts, and user empowerment actions like allowing user overrides of a blocking action.

This example doesn’t cover all the configuration points of a DLP policy; it would need to be expanded.

However, it should get you thinking in the right direction as you develop your own DLP policy intent statements.


Complex rule design

The HIPAA content in SharePoint and OneDrive above is a simple example of a DLP policy. The DLP rule builder supports boolean logic (AND, OR, NOT) and nested groups.

  • Example 1: We need to block emails to all recipients that contain credit card numbers, OR that have the ‘highly confidential’ sensitivity label applied, but do NOT block the email if it is sent from someone on the finance team to adele.vance@contoso.com.
  • Example 2: Contoso needs to block all emails that contain a password protected file OR a zip document file extension (‘zip’ or ‘7z’), but do NOT block the email if the recipient is in the contoso.com domain OR the fabrikam.com domain, OR the sender is a member of the Contoso HR group.
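Example 2 above is all ORs, which makes it a good case to script. The following is an added example, not code from the page or from Microsoft: it builds the policy with the Security & Compliance PowerShell cmdlets (ExchangeOnlineManagement module). Two rules in one policy give OR semantics between the two conditions, because each rule blocks on its own, and the same exception set is attached to both rules. The policy and rule names, the HR group address and the incident-report mailbox are assumed values for illustration. Example 1's compound exception (finance sender AND a specific recipient) is the kind of nested exception group you would build in the rule builder; it is not attempted here.

```powershell
# Added example (not from the page or from Microsoft): Example 2 as a policy with
# two rules. Requires the ExchangeOnlineManagement module and a Security &
# Compliance session. Names, the HR group address and the report mailbox are
# assumed values.
Connect-IPPSSession

$policyName = "Contoso - archive and password-protected attachments"

# Start in simulation mode so the rules can be checked against real traffic
# before anything is blocked.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Block password-protected files or zip/7z attachments in email" `
    -ExchangeLocation All `
    -Mode TestWithoutNotifications

# Settings both rules share: the blocking action, an incident report, and the
# OR-ed exceptions (recipient in contoso.com OR fabrikam.com, OR sender in HR).
$shared = @{
    Policy                    = $policyName
    BlockAccess               = $true
    GenerateIncidentReport    = "dlp-incidents@contoso.com"   # assumed mailbox
    ReportSeverityLevel       = "High"
    ExceptIfRecipientDomainIs = @("contoso.com", "fabrikam.com")
    ExceptIfFromMemberOf      = @("ContosoHR@contoso.com")    # assumed group address
}

# Rule 1: the message carries a password-protected file.
New-DlpComplianceRule @shared -Name "$policyName - password protected" `
    -DocumentIsPasswordProtected $true

# Rule 2: the message carries an attachment with a zip or 7z extension.
New-DlpComplianceRule @shared -Name "$policyName - archive extension" `
    -ContentExtensionMatchesWords @("zip", "7z")

# Review what was created before moving the policy out of simulation.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, BlockAccess, ExceptIfRecipientDomainIs, ExceptIfFromMemberOf
```

Splitting an OR across two rules keeps each rule readable and lets you later tune or disable one condition (for example, the archive-extension rule) without touching the other; the shared exception hashtable is splatted into both so they cannot drift apart.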

See a video:

https://learn.microsoft.com/en-us/purview/dlp-policy-design#complex-rule-design

Policy Design Process

  1. Complete the steps in Plan for data loss prevention (DLP).
  2. Familiarize yourself with Data Loss Prevention policy reference.
  3. Familiarize yourself with what the DLP policy templates include.
  4. Develop your policy intent statement with your key stakeholders.
  5. Determine how this policy fits into your overall DLP policy strategy.
  6. Map the items in your policy intent statement to configuration options.
  7. Decide which policy template you start from: predefined or custom.
  8. Go through the template and assemble all information required before you create the policy.
  9. Document the configuration of all the policy settings and review them with your stakeholders.
  10. Create a draft policy and refer back to your policy deployment plan.

Ref.


Data Loss Prevention policy reference

https://learn.microsoft.com/en-us/purview/dlp-policy-reference


Create and Deploy data loss prevention policies

Permissions

The account you use to create and deploy policies must be a member of one of these role groups:

  • Security administrator
  • Compliance administrator
  • Compliance data administrator
  • Information Protection
  • Information Protection Admin

Granular Roles and Role Groups

Here’s a list of applicable roles.

  • DLP Compliance Management
  • Information Protection Admin
  • Information Protection Analyst
  • Information Protection Investigator
  • Information Protection Reader

Here’s a list of applicable role groups.

  • Information Protection
  • Information Protection Admins
  • Information Protection Analysts
  • Information Protection Investigators
  • Information Protection Readers

Scenarios

  • Scenario 1: Block emails with credit card numbers
  • Scenario 2: Block sharing of sensitive items via SharePoint and OneDrive in Microsoft 365 with external users
  • Scenario 3: Apply controls to supported files that fail scanning
  • Scenario 4: Apply controls to all unsupported files
  • Scenario 5: Apply controls to some unsupported files
  • Scenario 6: Disable scanning for some supported files and apply controls

Deployment

A haphazard, rushed deployment can negatively impact business processes and annoy your users.

Three axes of deployment management

The three axes are the scope, the state of the policy, and the actions.

You should always take an incremental approach to deploying a policy, starting from the least impactful/simulation mode through to full enforcement.

Recommended deployment control configurations

State

  • Run the policy in simulation mode
  • Run the policy in simulation mode and show policy tips while in simulation mode
  • Turn it on right away
  • Keep it off

Actions

  • Allow
  • Audit only
  • Block with override
  • Block

Policy scope

In general, you have more flexibility with scoping while the policy is in Run the policy in simulation mode state because no actions are taken.

Then when you change the state to Run the policy in simulation mode and show policy tips, you should narrow your scope to a pilot group that can give you feedback and be early adopters who can be a resource for others when they come onboard.

When you move the policy to Turn it on right away, you broaden the scope to include all the instances of locations that you intended when the policy was designed.

Policy deployment steps

  1. After you’ve created the policy and set its state to Keep it off, do a final review with your stakeholders.
  2. Change the state to Run the policy in simulation mode. The location scope can be broad at this point.
  3. Tune the policy based on the behavior data so that it better meets the business intent.
  4. Change the state to Run the policy in simulation mode and show policy tips. Refine the scope of locations to support a pilot group if needed and make use of includes/excludes so that the policy is first rolled out to that pilot group.
  5. Gather user feedback and alert and event data; if needed, tune the policy and your plans further.
  6. Change the state to Turn it on right away. Monitor DLP alerts and DLP activity explorer. Address alerts.
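The same progression can be driven from Security & Compliance PowerShell. The following is an added example, not code from the page or from Microsoft: it creates the HIPAA-style policy from the intent statement earlier on the page in the Keep it off state, moves it through both simulation modes, narrows the SharePoint scope to a pilot site, and finally turns it on with the broad scope restored. The policy and rule names, the pilot site URL, the confidence and instance-count thresholds, and the hashtable shape passed to -ContentContainsSensitiveInformation are assumptions for illustration; OneDrive and Teams scoping for the pilot would be narrowed the same way in the portal.

```powershell
# Added example (not from the page or from Microsoft): the deployment steps above,
# driven with the Security & Compliance cmdlets (ExchangeOnlineManagement module).
# Policy/rule names, the pilot site URL and the thresholds are assumed values.
Connect-IPPSSession

$policyName = "HIPAA content in SharePoint, OneDrive and Teams"

# Step 1: create the policy in the "Keep it off" state (Mode Disable) so the
# configuration can be reviewed with stakeholders before it does anything.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Detect HIPAA-covered content and restrict sharing with external users" `
    -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode Disable

# Conditions: an SSN AND at least one clinical code. minCount and minConfidence
# are the leakage-tolerance and confidence knobs the design conversation settles.
# (Hashtable shape and threshold values are assumptions for this example.)
$hipaaContent = @{
    operator = "And"
    groups   = @(
        @{ name = "Identifier"; operator = "Or"
           sensitivetypes = @(
               @{ name = "U.S. Social Security Number (SSN)"; minCount = 1; maxCount = -1; minConfidence = 85 }) },
        @{ name = "Clinical code"; operator = "Or"
           sensitivetypes = @(
               @{ name = "International Classification of Diseases (ICD-9-CM)";  minCount = 1; maxCount = -1; minConfidence = 75 },
               @{ name = "International Classification of Diseases (ICD-10-CM)"; minCount = 1; maxCount = -1; minConfidence = 75 }) }
    )
}

# Actions: block external access (protective), show a policy tip and raise an
# alert (awareness), and allow an override with justification (empowerment).
New-DlpComplianceRule -Name "$policyName - external sharing" -Policy $policyName `
    -ContentContainsSensitiveInformation $hipaaContent `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This item contains HIPAA-covered data and cannot be shared externally." `
    -NotifyAllowOverride WithJustification `
    -GenerateAlert $true

# Step 2: simulation mode with the broad scope and no user-facing tips.
# Step 3 (tuning the conditions on the simulation results) happens here.
Set-DlpCompliancePolicy -Identity $policyName -Mode TestWithoutNotifications

# Step 4: simulation with policy tips, with SharePoint narrowed to a pilot site.
Set-DlpCompliancePolicy -Identity $policyName -RemoveSharePointLocation All
Set-DlpCompliancePolicy -Identity $policyName `
    -AddSharePointLocation "https://contoso.sharepoint.com/sites/dlp-pilot"   # assumed pilot site
Set-DlpCompliancePolicy -Identity $policyName -Mode TestWithNotifications

# Step 6: turn it on and widen the scope back to everything the design intended.
Set-DlpCompliancePolicy -Identity $policyName -AddSharePointLocation All
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# Confirm the final state and workloads before handing over to monitoring.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, Workload
```

Each state change is a separate Set-DlpCompliancePolicy call so that the change log shows one mode transition at a time, which is what you want when a stakeholder asks when a policy went from simulation to enforcement. Alert review and activity explorer remain portal tasks after the final step.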

Ref.
